Main Window
Wireshark's main window packs a lot of information about captured network activity. At first glance it might be overwhelming, but the buttons, fields, and output panes are well organized and can be customized for fine-tuning and a better overall experience.
The default Wireshark main window includes:
Menu: For starting actions.
Main Toolbar: For accessing frequently used items from the menu.
Filter Toolbar: For adding display filters to focus on packets you are interested in.
Packet List Pane: Displays summary of each captured packet.
Packet Details Pane: Displays details about the packet selected in Packet List Pane.
Packet Bytes Pane: Displays data for a selected packet (from Packet List Pane) while highlighting the field selected in Packet Details Pane.
Status Bar: Displays detailed information about the current program state and the captured data.
Panes
The image above is taken from an ICMP tunneling simulation where a malicious actor was trying to exfiltrate data via an ICMP tunnel.
Packet List Pane: Each packet is represented by one line in the Packet List Pane, with information from the packet arranged in columns. Higher protocol levels can overwrite information from lower levels, so you will typically see information from the highest dissected level for each packet in the Packet List Pane.
Packet Details Pane: Once a packet is selected from the Packet List Pane, Packet Details Pane will show protocols and protocol fields for that packet in a tree that can be expanded or collapsed.
Packet Bytes Pane: In this pane, each line will show data offset, sixteen hexadecimal bytes, and sixteen ASCII bytes of the selected packet data. Non-printable bytes are represented as dots ("."). Clicking on the fields in the Packet Details Pane will highlight respective sections in the Packet Bytes Pane.
By default, Wireshark shows a vast amount of useful information, arranged into columns in the Packet List Pane. Nevertheless, in some cases you might want to modify the columns to best suit your needs. Fortunately, Wireshark allows you to add, remove, hide, unhide, and re-order columns, as well as create custom columns with custom fields to suit your requirements. All of this can be achieved from the Wireshark Preferences window.
A custom column with tls.handshake.extensions_server_name as "Fields" value was created and positioned before the Length column in the example below.
This allows the person analyzing the capture file to quickly spot server names for the connections made over TLS. The comparison images below are from an analysis of a capture file containing communications of malware that operates over HTTPS. A security analyst has a higher chance of noticing the suspicious connection just by scrolling through the traffic file with the addition of this custom column.
Without Custom Column
With Custom Column
Display Filters
Display filters are used for general filtering while viewing the network traffic. They allow you to reduce the clutter and focus on the parts relevant to your task. Wireshark offers a broad variety of display filters, documented on its display filter reference page. In fact, this wide variety of filter selections is one of Wireshark's strongest features.
Some basic filters and filter chaining options are provided as examples below.
You can filter for specific protocols by typing their names into the display filter toolbar.
You can search for frames that contain the value you are interested in with the usage of frame contains "<value>" display filter.
You can display packets that match several display filters at the same time with the usage of and or && logical operators between them.
You can display packets that match any of the provided filters with the usage of or or || logical operators between them.
You can view network traffic coming from or destined for specific IP addresses with the usage of ip.src==<ip address> or ip.dst==<ip address> filters.
Wireshark Capture
Wireshark allows you to capture, analyze and save packets flowing through interfaces like Ethernet, WiFi, Bluetooth, USB, etc. Apart from local interfaces, you have options to capture packets from Cisco devices remotely, remote hosts via SSH, etc.
Wireshark offers a great deal of flexibility when it comes to capturing packets to accommodate your requirements and constraints with capture filters and options.
Capture Options
Wireshark's capture options can be accessed via Capture Menu -> Options; the dialog contains Input, Output and Options tabs.
The Input tab allows you to manage local and remote interfaces, add capture filters to interfaces, etc.
The Output tab allows you to specify the location you want to save to in advance, create new files automatically (start writing to a new file once the criteria are reached), use a ring buffer (start writing over previous files once the criteria are reached), etc.
The Options tab allows you to adjust display options and name resolution options, and to stop the capture process after the specified criteria are reached.
Depending on the type of work you are doing, or the task you have at hand, you might not require the whole traffic from the interface. For example, you might be interested in communications with one host only, or in a specific protocol, etc.
Wireshark offers capture filters that filter the traffic during the capture process and save only the traffic that meets the criteria. They are similar to display filters (also covered in this module), but while display filters are used to show or hide packets during the analysis process, capture filters are used to record or discard packets completely during the capture process.
You can observe differences between capture files with and without capture filters from the same remote server in the images below.
Without capture filters
With capture filters
GUI and CLI
Wireshark's graphical user interface is feature-rich and easy to navigate, but you are not limited to the GUI. You might need to capture, merge, or analyze network traffic in a CLI environment, and Wireshark is able to do this as well.
Quite often the actions that you perform with Wireshark's GUI can also be performed with CLI tools that come with the Wireshark installation (depending on the installation, you might need to install some tools separately).
You can observe how some of the actions can be performed via GUI and CLI below.
Merging two or more capture files into one:
Wireshark GUI
CLI tool - "mergecap"
Filtering the capture file with display filters:
Wireshark GUI
CLI tool - "tshark"
Investigating Protocol Hierarchy:
Wireshark GUI
CLI Tool - "tshark"
Capture and Display Filters
There are two types of filters in Wireshark: capture filters and display filters. Capture filters are used to reduce the size of the packet capture, while display filters are used to filter the captured packets.
In the previous step, before starting the remote capture, you set the capture filter to not host 192.168.6.1, which cannot be modified during the capture. The display filter has a different syntax and can be changed on the fly.
You can use display filters to leave out packets you don't want to see in the Wireshark window. Display filters do not affect the .pcap file but allow you to see only certain packets during your analysis. You can see the display filter in Wireshark's window above the packets list.
For example, you can tell Wireshark to display or exclude packets with certain source and destination IPs.
ip.src==74.125.5.4 and ip.dst==192.168.0.1
ip.src!=74.125.5.4
You can also filter based on protocol.
udp or icmp
Or, filter packets based on content by using the contains filter. This filter will display packets that contain the 3-byte sequence 0x81, 0x60, 0x03 anywhere in the UDP header or payload.
<host or protocol> contains <expression>
udp contains 81:60:03
Finally, you can combine filters using boolean expressions like and/or.
tcp.port==80 or udp
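The display filter forms listed in this section and in the earlier Display Filters section (protocol names, `field==value`, `field!=value`, `frame contains "..."`, `proto contains hex:bytes`, and chaining with and/&&/or/||) are small enough to evaluate in a few dozen lines. The block below is an added example, not Wireshark's filter engine, that parses that subset and runs it over four constructed packets so you can see which ones each filter from this page selects. It goes slightly beyond the page in two ways that match Wireshark's real behaviour: a multi-valued field such as tcp.port matches `==` if any of its values is equal, and `!=` is true only when every value differs (the semantics Wireshark has used since version 3.6). The packet dictionaries, their bytes and the function names (`tokenize`, `Parser`, `matches`, `apply_filter`) are constructed for this example.

```python
"""Evaluate a subset of Wireshark display filter syntax over constructed packets (added example)."""
import re

# Tokens: quoted string | operators/brackets | bare word (field, value, keyword)
TOKEN_RE = re.compile(r'\s*(?:("(?:[^"\\]|\\.)*")|(&&|\|\||==|!=|[()])|([^\s()=!"]+))')
HEX_RE = re.compile(r"^[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2})*$")


def tokenize(text: str) -> list[str]:
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m or m.end() == pos:
            raise ValueError(f"bad filter near {text[pos:]!r}")
        tokens.append(m.group(1) or m.group(2) or m.group(3))
        pos = m.end()
    return tokens


def literal_bytes(tok: str) -> bytes:
    """Operand of `contains`: "text" -> bytes of the text, 81:60:03 -> raw bytes."""
    if len(tok) >= 2 and tok[0] == tok[-1] == '"':
        return tok[1:-1].encode()
    if HEX_RE.match(tok):
        return bytes.fromhex(tok.replace(":", ""))
    return tok.encode()


class Parser:
    """Recursive descent: or-expr := and-expr (or and-expr)*; && binds tighter than ||."""

    def __init__(self, text: str):
        self.toks, self.i = tokenize(text), 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def parse_or(self):
        node = self.parse_and()
        while self.peek() in ("or", "||"):
            self.take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_atom()
        while self.peek() in ("and", "&&"):
            self.take()
            node = ("and", node, self.parse_atom())
        return node

    def parse_atom(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing )")
            return node
        nxt = self.peek()
        if nxt in ("==", "eq"):
            self.take(); return ("eq", tok, self.take())
        if nxt in ("!=", "ne"):
            self.take(); return ("ne", tok, self.take())
        if nxt == "contains":
            self.take(); return ("contains", tok, literal_bytes(self.take()))
        return ("proto", tok)          # bare protocol name, e.g. `udp`


def matches(node, pkt) -> bool:
    kind = node[0]
    if kind == "or":
        return matches(node[1], pkt) or matches(node[2], pkt)
    if kind == "and":
        return matches(node[1], pkt) and matches(node[2], pkt)
    if kind == "proto":
        return node[1] in pkt["protocols"]
    if kind == "contains":             # search the bytes of `frame` or of one layer
        return node[2] in pkt["layers"].get(node[1], b"")
    values = pkt["fields"].get(node[1], [])   # absent field -> comparison is false
    if kind == "eq":
        return node[2] in values
    return bool(values) and all(v != node[2] for v in values)   # "ne"


def packet(protocols, fields, frame, layers=None):
    return {"protocols": protocols, "fields": fields, "layers": {"frame": frame, **(layers or {})}}


# Constructed packets; Ethernet/IP headers are zero-filled since only the payload matters here.
UDP_DNS = bytes.fromhex("d0a40035001c0000") + b"\x12\x34\x01\x00\x00\x01\x03www\x07example\x03com\x00"
UDP_ODD = bytes.fromhex("c3500035000b0000") + b"\x81\x60\x03\x00"
HTTP_RESP = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<form action=login>"
ICMP_ECHO = bytes.fromhex("0800000000010001") + b"exfil:secret.txt"
SAMPLE_PACKETS = [
    packet(["eth", "ip", "udp", "dns"], {"ip.src": ["192.168.0.1"], "ip.dst": ["74.125.5.4"],
           "udp.port": ["53412", "53"]}, b"\x00" * 34 + UDP_DNS, {"udp": UDP_DNS}),
    packet(["eth", "ip", "tcp", "http"], {"ip.src": ["74.125.5.4"], "ip.dst": ["192.168.0.1"],
           "tcp.port": ["80", "40000"]}, b"\x00" * 54 + HTTP_RESP, {"tcp": HTTP_RESP}),
    packet(["eth", "ip", "icmp"], {"ip.src": ["192.168.0.1"], "ip.dst": ["10.0.0.9"]},
           b"\x00" * 34 + ICMP_ECHO, {"icmp": ICMP_ECHO}),
    packet(["eth", "ip", "udp"], {"ip.src": ["192.168.0.1"], "ip.dst": ["10.0.0.9"],
           "udp.port": ["50000", "53"]}, b"\x00" * 34 + UDP_ODD, {"udp": UDP_ODD}),
]


def apply_filter(expr: str, packets=SAMPLE_PACKETS) -> list[int]:
    """Indices of packets the display filter would keep in the Packet List Pane."""
    tree = Parser(expr).parse()
    return [i for i, pkt in enumerate(packets) if matches(tree, pkt)]


if __name__ == "__main__":
    for f in ("udp or icmp", "ip.src==74.125.5.4 and ip.dst==192.168.0.1", "ip.src!=74.125.5.4",
              "udp contains 81:60:03", 'frame contains "login"', "tcp.port==80 or udp"):
        print(f"{f:<45} -> packets {apply_filter(f)}")
```

Because this is a display filter, nothing is dropped: `apply_filter` only decides what is shown, and the packet list stays intact, which is the practical difference from the capture filter set before the capture started.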
