Day 5: Introduction to Wireshark
π§ What is Wireshark?
Wireshark is a powerful network protocol analyzer that allows you to capture and interactively browse the traffic running on a computer network. Think of it as your x-ray vision into network packets.
π‘ Why Use Wireshark?
- Packet analysis: Dig deep into data packets.
- Network traffic analysis: See whatβs really happening on your network.
- Capture and display packets: Visualize the flow of information.
- Packet filtering: Focus on the packets that matter.
βοΈ Installing Wireshark
-
π§ Ubuntu/Debian Based Systems
Run the following command to install Wireshark:
Terminal window sudo apt-get install wireshark -
πͺ π Windows/Mac OS
Download the installer from the Wireshark website and follow the instructions to install.
π₯οΈ Basic Commands
Here are some basic commands to get you started with Wireshark:
| Command | Description |
|---|---|
wireshark | Start Wireshark |
wireshark -k | Start Wireshark and immediately start capturing packets |
wireshark -r <file> | Open a capture file for analysis |
wireshark -f <filter> | Start Wireshark and immediately start capturing packets with a specified filter |
π₯ Wireshark vs TShark
Wireshark
- Type: GUI-based
- Use: Interactive packet analysis with a graphical interface.
- Features: Detailed visual inspection of network traffic, user-friendly for finding and analyzing packets, great for learning and hands-on troubleshooting.
TShark
- Type: CLI-based
- Use: Command-line packet analysis and automation.
- Features: Efficient for scripting and automation tasks, useful for remote analysis or when a GUI isnβt available, ideal for batch processing and integrating with other tools.
π Advanced Commands
Here are some advanced commands you can use with Wireshark:
| Command | Description |
|---|---|
tshark -i <interface> | Capture packets on the specified interface |
tshark -D | List available capture interfaces |
tshark -r <file> | Analyze a capture file |
tshark -V | Display packet details in verbose mode |
tshark -R <filter> | Apply a filter to the packets |
tshark -z <statistics> | Generate statistics on captured packets |
π·οΈ Wireshark Profiles
Wireshark profiles allow you to customize and save different settings for various analysis tasks, making it easier to switch contexts without reconfiguring the tool each time.
This was you can make custom profiles which help in solving with specificity.
Key Features:
- Custom Preferences: Save unique preferences for display settings, protocol decoding, and more for each profile.
- Display Settings: Customize and retain specific column layouts, color schemes, and font sizes.
- Capture and Display Filters: Define and save specific filters to focus on relevant traffic.
- Easy Switching: Quickly switch between profiles using the profile selector in the Wireshark interface.
A few profiles that can be used directly are linked in additional resources.
π― Challenges
Here are two beginner level Wireshark challenges and one which is a combination of both.
Use PicoCTF to familiarize with Wireshark.
Challenge 1: FindAndOpen
Objective: Find the flag hidden in the trace file
Hint: - Line 48 has the password - Use dcode.fr to decode only the dataChallenge 2: Packets Primer
Objective: Use Wireshark to find the flag
Hint: - Did you know you can follow in wireshark?Challenge 3: Wireshark doo dooo do dooβ¦
Objective: Use Wireshark to find the hidden flag
Hint: - Follow and decode the cipher, as simple as thatπ Additional Resources
For more information, check out these resources:
- Official Wireshark Wiki
- Wireshark bi0s Wiki
- Wireshark User Guide
- Wireshark tutorial
- Wireshark Profiles