- We can get already available captures using Help -> Sample Captures (this opens the sample-capture page on the Wireshark wiki, from which the .pcap files can be downloaded)
- To see how the packets map onto the OSI layers, go to Statistics -> Protocol Hierarchy
- Here we see every protocol found in the capture, nested the way it is encapsulated, and from the protocol we can tell the layer
- Unexpected or unknown protocols stand out here; per-packet errors (malformed packets, retransmissions, checksum problems) are listed under Analyze -> Expert Information
- The nesting mirrors the layers: Frame (the captured record, shown at the physical level), then Ethernet (data link), then Internet Protocol (network), then TCP (transport), then SSL/TLS (session) and HTTP (application layer)
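The layering above is what Protocol Hierarchy computes: each header names the protocol of the next layer (EtherType, IP protocol number, TCP port). The script below, added here as an example and not part of the original notes, walks two constructed frames (hand-built bytes, not a real capture; the MAC addresses and the HTTP host name are made up, the IP addresses echo the ones used in these notes) and produces the same frame/eth/ip/tcp/http chain and per-protocol counts. Detecting HTTP purely by port 80 is a simplification of what Wireshark does.

```python
import struct
from collections import Counter


def mac(raw):
    return ":".join("%02x" % b for b in raw)


def ipv4(raw):
    return ".".join(str(b) for b in raw)


def dissect(frame):
    """Peel one frame layer by layer, returning (layer names, field values).
    Each header tells us the protocol of the next layer, which is exactly the
    chain that Statistics -> Protocol Hierarchy summarises."""
    fields = {"frame.len": len(frame)}
    layers = ["frame"]                       # Wireshark's capture-record pseudo layer
    if len(frame) < 14:
        return layers, fields
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers.append("eth")
    fields.update({"eth.dst": mac(dst), "eth.src": mac(src), "eth.type": ethertype})
    payload = frame[14:]
    if ethertype == 0x0806:                  # ARP rides directly on Ethernet
        layers.append("arp")
        return layers, fields
    if ethertype != 0x0800 or len(payload) < 20:
        return layers, fields
    ihl = (payload[0] & 0x0F) * 4            # IPv4 header length in bytes
    total_len = struct.unpack("!H", payload[2:4])[0]
    proto = payload[9]                       # 6 = TCP, 17 = UDP
    layers.append("ip")
    fields.update({"ip.src": ipv4(payload[12:16]), "ip.dst": ipv4(payload[16:20]),
                   "ip.proto": proto, "ip.len": total_len})
    payload = payload[ihl:total_len]         # the transport segment
    if proto != 6 or len(payload) < 20:
        return layers, fields
    sport, dport = struct.unpack("!HH", payload[:4])
    data_off = (payload[12] >> 4) * 4        # TCP header length in bytes
    layers.append("tcp")
    fields.update({"tcp.srcport": sport, "tcp.dstport": dport, "tcp.flags": payload[13]})
    data = payload[data_off:]
    # Port-based guess only; Wireshark also uses heuristics and "Decode As" overrides.
    if data and 80 in (sport, dport):
        layers.append("http")
        fields["http.request.line"] = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
    return layers, fields


def protocol_hierarchy(frames):
    """Count the frames that contain each protocol, like Protocol Hierarchy."""
    counts = Counter()
    for frame in frames:
        counts.update(dissect(frame)[0])
    return dict(counts)


# Constructed sample frames (hand-built for this example, not from a real capture).
HTTP_PAYLOAD = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"   # made-up host
TCP_HDR = struct.pack("!HHIIBBHHH", 51234, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
IP_HDR = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(TCP_HDR) + len(HTTP_PAYLOAD),
                     0xABCD, 0x4000, 64, 6, 0,
                     bytes([10, 73, 31, 59]), bytes([96, 17, 148, 161]))
ETH_IP = bytes.fromhex("001122334455") + bytes.fromhex("b4527e626c4d") + struct.pack("!H", 0x0800)
HTTP_FRAME = ETH_IP + IP_HDR + TCP_HDR + HTTP_PAYLOAD
ETH_ARP = bytes.fromhex("ffffffffffff") + bytes.fromhex("b4527e626c4d") + struct.pack("!H", 0x0806)
ARP_FRAME = ETH_ARP + bytes(28)              # ARP body left zeroed; we stop at the ARP layer

if __name__ == "__main__":
    for frame in (HTTP_FRAME, ARP_FRAME):
        layers, fields = dissect(frame)
        print(" / ".join(layers), fields)
    print(protocol_hierarchy([HTTP_FRAME, ARP_FRAME]))
```

Running it stand-alone prints the layer chain and fields for each constructed frame, then the per-protocol counts; with a real capture you would feed `dissect` the raw frame bytes instead of the constructed ones.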
- Wireshark Filters
- Wireshark has two kinds of filters with different syntaxes: capture filters (BPF syntax, applied while capturing, so non-matching packets are never recorded) and display filters (Wireshark's own field syntax, applied to packets that have already been captured)
- Capture -> Capture Filters... lists the saved capture filters
- These will record only those specific packets that match while capturing
- BPF Filters
- Capture -> Capture Options
- Next to "Capture Filters" we have "Compile Selected BPFs", which shows the compiled filter program; this is a quick way to check that a capture filter expression is valid before starting a capture
- BPF stands for "Berkeley Packet Filter"; its syntax (the same one tcpdump uses) is the expression language used for capture filters
- For eg, the capture filter host 10.73.31.59 and tcp port 80 keeps only traffic to or from that host on TCP port 80
- Expressions
- We need a qualifier and an ID
- For eg, the display filter wlan.addr == b4:52:7e:62:6c:4d . Here, the first part (protocol.field) is the qualifier and the second part (the value to match) is the ID
- Operators can be && or || or just !
- && means AND (both conditions must hold for the same packet)
- || means OR
- ! means NOT (it negates the expression that follows it; the "not equal to" comparison is written !=)
- In BPF capture-filter syntax, qualifiers can be one of:
- TYPE, which would be host, net or port. These identify what the ID refers to, eg host 10.73.31.59 or port 80
- DIR, which is the direction and tells whether the transfer is going to or from the ID. This can be either the source (src) or the destination (dst), eg src host 10.73.31.59
- PROTO, which is the protocol. This could be ether, ip, tcp, udp and so on, eg tcp port 80. Application protocols such as HTTP or FTP are not BPF qualifiers, because BPF only sees the packet headers; HTTP is captured as tcp port 80. Display filters, by contrast, do accept http or ftp as protocol names
- A cheat sheet that lists all the different display filter expressions we can use, along with the operators and logic:
packetlife.net/media/library/13/Wireshark_Display_Filters.pdf
- For eg, the display filter
ip.src == 10.73.31.59 && tcp.port == 80
- Here, the ip qualifier tells us it is an IP-layer field, so its type is an IP address
- src tells us the direction: it is the source address field
- 10.73.31.59 is the ID. So we are looking for a source that equals this IP address
- && tells us that the packet must also match the next expression to pass the filter
- tcp is the type and port is the field, so tcp.port == 80 matches port 80 as either the source or the destination TCP port
- Expression Examples
- IP addresses
- ip.src == 96.17.148.161 means we are looking for the given source IP address
- ip.src_host == 96.17.148.161 gives the same output as above (when name resolution is off) and means we are looking for source hosts whose resolved name matches the given value
- ip.addr == 96.17.148.161 means we are looking for the given IP address as either the source or the destination
- ip.dst == 96.17.148.161 or ip.dst_host == 96.17.148.161 means we are looking for the given destination IP address
- For IPv6 addresses, we need to use ipv6.addr == ... (the ip.* fields only match IPv4)
- We can also filter by DNS host name with ip.host == nameofthehost, but this only works when network name resolution is enabled (see Name Resolutions below) and Wireshark can actually resolve the address
- Now try ip.addr == 192.168.1.0/24 and this will show anything on that network within that range (CIDR notation also works with ip.src and ip.dst)
- We can also filter by protocol name directly, using ip or http or udp on its own. To require more than one protocol in the same packet we use &&, eg tcp && http. Or we can use ||, eg udp || http, which matches packets containing either protocol
- ip.dst != 10.73.31.59 gives packets whose destination address is not the given one
- Be careful with != on fields that occur twice in a packet, such as ip.addr: in older Wireshark releases ip.addr != 10.73.31.59 was true whenever either the source or the destination differed, which is almost every packet. The unambiguous form is !(ip.addr == 10.73.31.59), which also matches packets that have no IP layer at all
- We can also use the "Expression..." button next to the filter box to browse the available fields and operators and build the filter by choosing from them, if we don't remember the syntax
- We can also use the bookmark button next to the filter box to save the filter and reuse it instead of having to type it out again
- Instead of the bookmark, we can also save the expression as a named display filter under Analyze -> Display Filters...; the saved name then appears in the bookmark drop-down next to the filter box whenever we want to use that filter
- We can also filter by packet size using frame.len <= 128, which gives packets whose length is less than or equal to 128 bytes
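The matching rules in the Expressions and Expression Examples sections above (qualifier and ID, &&, || and !, ip.addr matching either address, CIDR ranges, the != caveat) as a small evaluator. This is an added example and not part of the original notes or of Wireshark: it parses a subset of display-filter syntax and runs it over constructed packet records (the packets, their lengths and ports are made up for the example; the ip.addr and tcp.port aliases are stand-ins for how Wireshark treats those fields).

```python
import ipaddress
import operator
import re

# Tokens: parentheses, logical and comparison operators, or a bare word
# (field name or value; values may contain dots, colons and a CIDR slash).
TOKEN_RE = re.compile(r"\s*(\(|\)|&&|\|\||!=|==|<=|>=|<|>|!|[^\s()!&|<>=]+)")
CMP = {"==": operator.eq, "!=": operator.ne, "<": operator.lt,
       ">": operator.gt, "<=": operator.le, ">=": operator.ge}
# Fields that stand for "either of two header fields", like Wireshark's ip.addr.
ALIASES = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport"),
           "udp.port": ("udp.srcport", "udp.dstport")}
RESERVED = {"(", ")", "&&", "||", "!", *CMP}


def tokenize(text):
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError("cannot tokenize %r" % text[pos:])
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def compare(actual, op, raw):
    """Compare one field value against the literal written in the filter."""
    if isinstance(actual, int):
        return CMP[op](actual, int(raw, 0))
    if "/" in raw:                          # CIDR: a membership test, only == and != apply
        if op not in ("==", "!="):
            raise ValueError("CIDR comparison needs == or !=")
        inside = ipaddress.ip_address(actual) in ipaddress.ip_network(raw, strict=False)
        return inside if op == "==" else not inside
    return CMP[op](actual, raw)


class Filter:
    """expr := and ('||' and)* ; and := not ('&&' not)* ; not := '!' not | '(' expr ')' | field [op value]"""

    def __init__(self, text):
        self.tokens, self.pos = tokenize(text), 0
        self.ast = self._or()
        if self.pos != len(self.tokens):
            raise ValueError("trailing tokens %r" % self.tokens[self.pos:])

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _take(self):
        if self.pos >= len(self.tokens):
            raise ValueError("unexpected end of filter")
        self.pos += 1
        return self.tokens[self.pos - 1]

    def _or(self):
        node = self._and()
        while self._peek() == "||":
            self._take()
            node = ("or", node, self._and())
        return node

    def _and(self):
        node = self._not()
        while self._peek() == "&&":
            self._take()
            node = ("and", node, self._not())
        return node

    def _not(self):
        if self._peek() == "!":
            self._take()
            return ("not", self._not())
        if self._peek() == "(":
            self._take()
            node = self._or()
            if self._take() != ")":
                raise ValueError("expected )")
            return node
        field = self._take()
        if field in RESERVED:
            raise ValueError("expected a field or protocol name, got %r" % field)
        if self._peek() in CMP:
            op = self._take()
            return ("cmp", field, op, self._take())
        return ("has", field)               # bare name: protocol or field present in the packet

    def matches(self, pkt):
        return self._eval(self.ast, pkt)

    def _eval(self, node, pkt):
        kind = node[0]
        if kind == "or":
            return self._eval(node[1], pkt) or self._eval(node[2], pkt)
        if kind == "and":
            return self._eval(node[1], pkt) and self._eval(node[2], pkt)
        if kind == "not":
            return not self._eval(node[1], pkt)
        if kind == "has":
            return node[1] in pkt["protocols"] or any(k in pkt for k in ALIASES.get(node[1], (node[1],)))
        _, field, op, raw = node
        values = [pkt[k] for k in ALIASES.get(field, (field,)) if k in pkt]
        if not values:                      # comparing an absent field is false, as in Wireshark
            return False
        hits = [compare(v, op, raw) for v in values]
        return all(hits) if op == "!=" else any(hits)   # == is "any equal", != is "all not equal"


# Constructed packet records (made up for this example; a real tool would fill them from a dissector).
PACKETS = [
    {"protocols": {"frame", "eth", "ip", "tcp"}, "frame.len": 74,
     "ip.src": "10.73.31.59", "ip.dst": "96.17.148.161", "tcp.srcport": 51234, "tcp.dstport": 80},
    {"protocols": {"frame", "eth", "ip", "tcp", "http"}, "frame.len": 1514,
     "ip.src": "96.17.148.161", "ip.dst": "10.73.31.59", "tcp.srcport": 80, "tcp.dstport": 51234},
    {"protocols": {"frame", "eth", "ip", "udp", "dns"}, "frame.len": 90,
     "ip.src": "10.73.31.59", "ip.dst": "192.168.1.1", "udp.srcport": 50000, "udp.dstport": 53},
    {"protocols": {"frame", "eth", "arp"}, "frame.len": 60},
]


def apply_filter(text, packets=PACKETS):
    """Return the indexes of the packets a display filter would keep."""
    flt = Filter(text)
    return [i for i, pkt in enumerate(packets) if flt.matches(pkt)]
```

apply_filter("ip.src == 10.73.31.59 && tcp.port == 80") keeps only the first constructed packet, while apply_filter("ip.addr != 10.73.31.59") keeps none of them under the "all values not equal" reading and apply_filter("!(ip.addr == 10.73.31.59)") keeps only the ARP packet, which has no IP layer; that difference is why the negated form is the safer way to exclude a host.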
- TCP Streams and Objects
- If we visit many sites and don't know which packet in the list belongs to which conversation, right-click the desired packet and choose Follow -> TCP Stream; Wireshark shows the whole conversation in both directions and applies a tcp.stream filter for it
- Files transferred over HTTP (pages, images, downloads) can be extracted from the capture with File -> Export Objects -> HTTP
- Decode As:
- If we right-click the desired packet and select "Decode As", we can tell Wireshark to dissect it as any protocol we choose; this is useful when a service runs on a non-standard port
- For eg, TCP traffic on the transport layer can be decoded as any user-specified application protocol from the options
- Name Resolutions:
- Capture -> Options (the Options tab), or View -> Name Resolution
- Name resolution doesn't always work; network name resolution needs the capturing machine to be online with DNS correctly configured
- Resolve MAC addresses means Wireshark will resolve the layer-2 (MAC) address prefix into the vendor name from its built-in OUI table
- Resolve network addresses means Wireshark will try to resolve IP addresses into readable DNS names. This sends DNS queries from the capturing machine, which is slow on large captures and reveals the addresses under investigation to the DNS server
- Resolve transport layer names means Wireshark will try to convert a port number into the service that port stands for. For eg, port 80 is shown as http
- Graphs
- Flow Graphs:
- Statistics -> Flow Graph
- We can choose whether we want all packets or only displayed packets (i.e. the packets that remain after applying a display filter)
- Then we get a graph
- We will see a time stamp and a comment for each and every packet in the middle, under the green area, with the source and destination of each arrow
- This helps to visualise each packet flow during the capture. We can also see from which IP address to which IP address a specific packet was sent and check its details in the comment