Wireshark: Packet Operations

HackingSkills
3 min readJun 2, 2023

Continuing with wireshark features:-

Statistics: provides multiple statistics options to help users see the big picture in terms of the scope of the traffic, available protocols, endpoints and conversations, and specific protocols.

Resolved Addresses:-

It helps analysts identify IP addresses and DNS names.

Statistics → Resolved Addresses

Protocol Hierarchy

This option breaks down all available protocols from the capture file and helps to view the protocols in a tree view based on packet counters and percentages.

Statistics → Protocol Hierarchy

Conversations

represents traffic between two specific endpoints. This option provides the list of the conversations in five base formats; ethernet, IPv4, IPv6, TCP and UDP. Thus analysts can identify all conversations and contact endpoints for the event of interest.

Statistic → Conversations

Endpoints

Provides unique information for a single information field (Ethernet, IPv4, IPv6, TCP and UDP ). Thus analysts can identify the unique endpoints in the capture file and use it for the event of interest.

Statistics → Endpoints

Wireshark provides MAC addresses, IP and port name resolution options as well. However, these options are not enabled by default. If you want to enable them Edit → Preferences → Name Resolution

IPv4 and IPv6

The analysts can identify and list all events linked to specific IP versions in a single window and use it for the event of interest.

Statistics → IPvX Statistics

DNS

This option breaks down all DNS packets from the capture file and helps analysts view the findings in a tree view based on packet counters and percentages of the DNS protocol.

Statistics → DNS

HTTP

This option breaks down all HTTP packets from the capture file and helps analysts view the findings in a tree view based on packet counters and percentages of the HTTP protocol.

Statistics → HTTP

Packet Filtering:-

it has two types capture filters which filters the scope, direction, protocols and ports and display filters.

Display Filter:-

IP Filter:-

TCP/UDP Filters:-

HTTP/DNS Filters:-

Advanced Filters:-

Commands or queries used

To get the packet sent in Kanas City:

ip.geoip.dst_summary contains “Kansas City”

To get the packets from host “rad.msn.com”:

http.host == “rad.msn.com”

To get the packets which have type A DNS Queries:

dns.resp.type == 1

To get the packets with even TTL numbers:

string(ip.ttl) matches “[2468]$”

The room link:

TryHackMe | Wireshark: Packet Operations

Created on 2nd June 2023

--

--