What is Wireshark
Wireshark is a sniffer tool: it can capture network traffic in real time or analyse previously captured traffic.
General Terms
`.PCAP` : stands for packet capture; the common file extension for captured traffic.
`Packet` : a unit of data containing source and destination addresses and ports, MAC addresses, TTL (Time to Live), protocol (HTTP, SSH, TCP, UDP, etc.) and payload. It encapsulates all layers of the OSI (Open Systems Interconnection) model.
OSI Model
OSI is a standard that describes networking and telecommunications systems as seven layers. Let’s take a look at all the layers from top to bottom.
* Layer 7 — Application
The application layer is the closest to the end user. It takes data from the user and forwards incoming data from the server to the user. Telnet, FTP, HTTP, POP3 and SMTP are examples of protocols that rely on layer 7.
* Layer 6 — Presentation
The presentation layer prepares data for the application layer. In this layer, data can be encrypted or decrypted for secure transmission, depending on whether it is being passed up to the application layer or down towards the network layer.
* Layer 5 — Session
Two or more devices need a session to communicate with each other, and establishing and managing that session is exactly what the session layer does.
* Layer 4 — Transport
The transport layer decides how to transfer data and checks how much data to send, where it goes, etc. The best-known protocols are TCP and UDP. TCP and UDP port numbers work at layer 4, while IP addresses work at layer 3 (the network layer).
* Layer 3 — Network
This layer is responsible for packet forwarding and routing through different routers.
* Layer 2 — Data Link
The data link layer provides data transfer between two directly connected nodes. It handles error correction for data coming from the physical layer. It has sublayers such as MAC (Media Access Control) and LLC (Logical Link Control).
* Layer 1 — Physical
At the bottom of the OSI model, the physical layer represents the electrical and physical aspects of the system: the cable type, the radio frequency link, etc.
Wireshark PCAP Analysis
After capturing network traffic, the results can be viewed in Wireshark. First, take an example capture from here (https://www.cs.tufts.edu/comp/116/set3.pcap). Then open the pcap file in Wireshark.
As seen in the screenshot below, I will try to explain Wireshark’s panes.
We can see the 3-way handshake between the IP addresses 192.168.1.3 and 130.64.23.35. First, the SYN (Synchronize) packet was sent. Second, the SYN + ACK (Acknowledge) packet was sent in response. Finally, the handshake was completed by the first sender’s final ACK packet.
To view the content of a TCP stream, right-click on the packet you want (Follow -> TCP Stream). By following that path you can see the content of the whole stream, not just the single packet.
Filtering Packets
Here are a few display filters (field names and the `==` operator follow Wireshark’s display-filter syntax):
IP : `ip.addr == 192.168.1.3`
Destination IP : `ip.dst == 192.168.1.3`
Source IP : `ip.src == 192.168.1.3`
IP range : `ip.addr >= 192.168.1.1 and ip.addr <= 192.168.1.100`
Multiple IPs : `ip.addr == 192.168.1.3 and ip.addr == 192.168.1.6` (packets exchanged between the two hosts)
Protocol : `dns`, `tcp`, `http`, `ssh`, `ftp`, `telnet`, `arp`, `icmp`
URL : `http.host == "hostname"`
Hostname : `ip.host == "hostname"`
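The `.PCAP` format, the layer 2/3/4 decoding, the 3-way handshake and the display filters above, as one added example that is not part of the original post: a minimal pcap reader in pure Python (standard library only) that builds a constructed four-packet capture in memory, decodes the Ethernet, IPv4 and TCP headers, finds the handshake between the two hosts named in the article, and evaluates a small subset of display-filter syntax. The subset (only `field op value` clauses joined by `and`, on the ip/tcp fields listed in `FIELDS`), the constructed MAC addresses, ports and sequence numbers, and the fact that checksums are neither computed nor verified are all assumptions of this example.

```python
"""Minimal pcap reader, TCP three-way-handshake finder and display-filter matcher.

Added example (not the article's code). Pure standard library; the capture is
constructed in memory so it runs offline. Checksums are not computed or verified.
"""
import operator
import socket
import struct
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10                         # TCP flag bits used below
ETHERTYPE_IPV4, IPPROTO_TCP = 0x0800, 6

# ---- constructed capture: layers 2-4 packed by hand ----
def _tcp(sport, dport, seq, ack, flags):
    # data offset 5 (20-byte header), window 65535, checksum 0 (not verified), urgent 0
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)

def _ipv4(src, dst, payload):
    # version 4 / IHL 5, TOS 0, total length, id 0, DF flag, TTL 64, proto TCP, checksum 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64,
                      IPPROTO_TCP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def _frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq, ack, flags):
    eth = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4)   # Ethernet II header
    return eth + _ipv4(src_ip, dst_ip, _tcp(sport, dport, seq, ack, flags))

def build_pcap(frames):
    """Wrap raw Ethernet frames in the classic libpcap file format (link type 1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)        # global header
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f  # record header + data
    return out

CLIENT, SERVER = "192.168.1.3", "130.64.23.35"     # the two hosts from the article's capture
_CMAC, _SMAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")  # constructed MACs
SAMPLE_PCAP = build_pcap([                         # constructed sample capture
    _frame(_CMAC, _SMAC, CLIENT, SERVER, 50000, 80, 1000, 0, SYN),             # 1: SYN
    _frame(_SMAC, _CMAC, SERVER, CLIENT, 80, 50000, 5000, 1001, SYN | ACK),    # 2: SYN+ACK
    _frame(_CMAC, _SMAC, CLIENT, SERVER, 50000, 80, 1001, 5001, ACK),          # 3: ACK
    _frame(_CMAC, _SMAC, "192.168.1.6", "192.168.1.200", 40000, 443, 7, 9, ACK),  # 4: unrelated
])

# ---- decoding ----
@dataclass
class Packet:
    src_mac: str; dst_mac: str                              # layer 2
    src: str; dst: str; ttl: int; proto: int                # layer 3
    sport: int; dport: int; seq: int; ack: int; flags: int  # layer 4

def _mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_frame(frame):
    """Decode Ethernet -> IPv4 -> TCP; returns None for anything else."""
    dst_mac, src_mac = frame[:6], frame[6:12]
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4                            # IPv4 header length in bytes
    ttl, proto = frame[22], frame[23]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    if proto != IPPROTO_TCP:
        return None
    sport, dport, seq, ack, _off, flags = struct.unpack_from("!HHIIBB", frame, 14 + ihl)
    return Packet(_mac(src_mac), _mac(dst_mac), src, dst, ttl, proto, sport, dport, seq, ack, flags)

def read_pcap(data):
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    pkts, off = [], 24
    while off < len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        pkt = parse_frame(data[off:off + incl_len])
        off += incl_len
        if pkt:
            pkts.append(pkt)
    return pkts

# ---- the three-way handshake: SYN, then SYN+ACK with ack == seq+1, then ACK ----
def find_handshakes(packets):
    found = []
    for i, syn in enumerate(packets):
        if (syn.flags & (SYN | ACK)) != SYN:
            continue
        fwd = (syn.src, syn.sport, syn.dst, syn.dport)
        rev = (syn.dst, syn.dport, syn.src, syn.sport)
        synack = next((p for p in packets[i + 1:] if (p.src, p.sport, p.dst, p.dport) == rev
                       and (p.flags & (SYN | ACK)) == (SYN | ACK) and p.ack == syn.seq + 1), None)
        if synack is None:
            continue
        ack = next((p for p in packets[i + 1:] if (p.src, p.sport, p.dst, p.dport) == fwd
                    and (p.flags & (SYN | ACK)) == ACK and p.seq == syn.seq + 1
                    and p.ack == synack.seq + 1), None)
        if ack is not None:
            found.append(fwd)
    return found

# ---- tiny subset of display-filter syntax: "field op value [and ...]" (assumption) ----
def _ip_int(s):
    return struct.unpack("!I", socket.inet_aton(s))[0]

FIELDS = {   # field -> (values a packet carries for it, converter for literal values)
    "ip.src": (lambda p: [p.src], _ip_int), "ip.dst": (lambda p: [p.dst], _ip_int),
    "ip.addr": (lambda p: [p.src, p.dst], _ip_int),
    "tcp.srcport": (lambda p: [p.sport], int), "tcp.dstport": (lambda p: [p.dport], int),
    "tcp.port": (lambda p: [p.sport, p.dport], int),
}
OPS = {"==": operator.eq, ">=": operator.ge, "<=": operator.le}

def compile_filter(expr):
    clauses = []
    for term in expr.split(" and "):
        field, op, value = term.split()
        getter, conv = FIELDS[field]
        clauses.append((getter, OPS[op], conv(value), conv))
    # as in Wireshark, a clause on a two-valued field (ip.addr, tcp.port) holds if EITHER value satisfies it
    return lambda p: all(any(op(conv(v), target) for v in getter(p))
                         for getter, op, target, conv in clauses)

def filter_packets(packets, expr):
    match = compile_filter(expr)
    return [p for p in packets if match(p)]
```

Note the `ip.addr` range filter: because `ip.addr` stands for "source or destination", each clause is satisfied by either address independently, so the unrelated packet 4 and all three handshake packets match `ip.addr >= 192.168.1.1 and ip.addr <= 192.168.1.100`; use `ip.src`/`ip.dst` when one end of the conversation is meant.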