Wireshark is a traffic analyzer. It can be used for:
1. Detecting and solving network problems.
2. Detecting security anomalies.
3. Investigating and learning protocol details.
NOTE: Wireshark is not an IDS and does not modify packets; it only reads them. It is the analyst who discovers the anomalies, and that depends on the analyst's knowledge and investigation skills.
Packet Details pane:
It represents the OSI layers, depending on the protocols of the packet.
1. Frame Layer → Physical layer details.
2. Source [MAC] Layer → source and destination MAC addresses and Data Link layer details.
3. Source [IP] Layer → source and destination IP addresses and Network layer details.
4. Protocol Layer → TCP/UDP protocol details, source and destination ports and Transport layer details.
5. Protocol Error Layer → shows specific TCP segments that needed to be reassembled.
6. Application Protocols Layer → protocol details and Application layer details.
7. Application Data Layer → shows the application-specific data.
We can customize packet colouring.
There are two types of packet colouring:
- Temporary → by applying a conversation filter.
- Permanent → by changing the colouring rules of the packet list.
Capture file details:
To view file details, click the pcap icon or Statistics → Capture File Properties.
To go to a specific packet => Go → Go to Packet.
To search for a specific string, hex value, regex or display filter in the Packet List, Packet Details and Packet Bytes panes, we have to know which pane to search in.
To find a packet => Edit → Find Packet.
It highlights the matching packets temporarily.
We can export specific packets to a separate file.
To change the time format => View → Time Display Format.
To view the potential anomalies => Analyze → Expert Information.
There are two types of filters:
- Capture filter → filters the packets that will be captured.
- Display filter → filters the packets that will be viewed in the Packet List pane.
Apply as a filter:
- Filters on a single field of the packet.
- Shows the packet and its associated packets.
- Highlights the packets.
Prepare as a filter:
- Puts the query in the filter box without executing the filter.
Apply as a column:
- Adds a column to the Packet List pane.
Follow stream:
- Displays the whole stream of packets.
- Packets originating from the server are highlighted in blue.
- Packets originating from the client are highlighted in red.
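The following is an added example, not part of the original notes and not Wireshark's own code. It builds a three-packet TCP handshake as a pcap in memory and then reproduces, in plain Python, three things the notes describe: the per-layer breakdown of the Packet Details pane (frame → Ethernet → IP → TCP), a display filter applied over the packet list (a small subset of the real syntax, with `ip.addr` and `tcp.port` matching either direction), and the client-red / server-blue colouring of Follow Stream, where the first packet seen in a conversation defines the client. All MAC addresses, IPs (RFC 5737 documentation ranges), ports and packets are constructed sample values, not captured traffic.

```python
import struct

# Constructed sample data: classic little-endian pcap, linktype 1 (Ethernet).
PCAP_GLOBAL_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
SYN, ACK = 0x02, 0x10


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags, seq, ack):
    """Ethernet II + IPv4 + TCP header with no payload; checksums left at zero."""
    eth = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac) + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp


def pcap_record(ts_sec, frame):
    return struct.pack("<IIII", ts_sec, 0, len(frame), len(frame)) + frame


CLIENT_MAC, SERVER_MAC = "aabbccddee01", "aabbccddee02"      # constructed
CLIENT_IP, SERVER_IP = "192.0.2.10", "198.51.100.20"        # constructed (RFC 5737)

SAMPLE_PCAP = PCAP_GLOBAL_HEADER + b"".join([
    pcap_record(1, build_frame(CLIENT_MAC, SERVER_MAC, CLIENT_IP, SERVER_IP, 51000, 443, SYN, 100, 0)),
    pcap_record(1, build_frame(SERVER_MAC, CLIENT_MAC, SERVER_IP, CLIENT_IP, 443, 51000, SYN | ACK, 500, 101)),
    pcap_record(2, build_frame(CLIENT_MAC, SERVER_MAC, CLIENT_IP, SERVER_IP, 51000, 443, ACK, 101, 501)),
])


def read_pcap(data):
    """Yield (timestamp, frame bytes) from a classic little-endian pcap."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled here")
    pos = 24
    while pos < len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack("<IIII", data[pos:pos + 16])
        pos += 16
        yield ts_sec + ts_usec / 1e6, data[pos:pos + incl_len]
        pos += incl_len


def dissect(frame):
    """Flatten one frame into Wireshark-style field names, layer by layer."""
    fields = {"frame.len": len(frame)}                               # Frame layer
    fields["eth.dst"] = ":".join(f"{b:02x}" for b in frame[:6])      # Data Link layer
    fields["eth.src"] = ":".join(f"{b:02x}" for b in frame[6:12])
    fields["eth.type"] = struct.unpack("!H", frame[12:14])[0]
    if fields["eth.type"] != 0x0800:        # not IPv4: dissection stops here
        return fields
    ihl = (frame[14] & 0x0F) * 4
    fields["ip.src"] = ".".join(map(str, frame[26:30]))              # Network layer
    fields["ip.dst"] = ".".join(map(str, frame[30:34]))
    fields["ip.proto"] = frame[23]
    if fields["ip.proto"] != 6:             # not TCP: dissection stops here
        return fields
    t = 14 + ihl
    sport, dport, seq, ack, _off, flags = struct.unpack("!HHIIBB", frame[t:t + 14])
    fields.update({"tcp.srcport": sport, "tcp.dstport": dport,        # Transport layer
                   "tcp.seq": seq, "tcp.ack": ack,
                   "tcp.flags.syn": int(bool(flags & SYN)),
                   "tcp.flags.ack": int(bool(flags & ACK))})
    return fields


def matches(fields, display_filter):
    """Tiny display-filter subset: 'name == value' clauses joined by ' and '.
    ip.addr and tcp.port match either direction, as in Wireshark."""
    for clause in display_filter.split(" and "):
        name, value = (s.strip() for s in clause.split("=="))
        names = {"ip.addr": ("ip.src", "ip.dst"),
                 "tcp.port": ("tcp.srcport", "tcp.dstport")}.get(name, (name,))
        if not any(str(fields.get(n)) == value for n in names):
            return False
    return True


def follow_stream(packets):
    """Colour each packet red (client) or blue (server). The endpoint that sent
    the first packet of a conversation is taken as the client."""
    client_of, colours = {}, []
    for f in packets:
        src = (f["ip.src"], f["tcp.srcport"])
        key = frozenset([src, (f["ip.dst"], f["tcp.dstport"])])
        client = client_of.setdefault(key, src)
        colours.append("red" if src == client else "blue")
    return colours


PACKETS = [dissect(frame) for _ts, frame in read_pcap(SAMPLE_PCAP)]

if __name__ == "__main__":
    for n, f in enumerate(PACKETS, 1):
        hit = matches(f, "tcp.port == 443 and tcp.flags.syn == 1")
        print(n, f["ip.src"], "->", f["ip.dst"], "syn" if f["tcp.flags.syn"] else "   ", hit)
    print(follow_stream(PACKETS))
```

Run it as a script to see the three handshake packets with the filter result beside each, then the colour list `['red', 'blue', 'red']`. Swapping the filter string for `ip.addr == 192.0.2.10` shows why an address filter matches both directions of a conversation, which is the behaviour "Apply as a filter" on an address field gives in the GUI.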