
Wireshark

TCP Options
• MTU: Layer 3 Maximum Transmission Unit of an interface
• MSS: Layer 4 Maximum Segment Size of the end-to-end flow, from client to
server and vice versa
• TCP FIN: graceful shutdown
• TCP Reset: abrupt shutdown, possibly because the port is not open; check the
time-to-live value to tell whether the end host or an intermediate host is replying
• TCP Window Size: maximum number of bytes the sender of this value can receive
before an ACK is required. This is usually multiplied by the window scale factor
to get the calculated window size
• TCP Timestamps: a timestamp assigned by the sender and echoed back by the
receiver, used to measure the round-trip time of packets
• TCP Duplicate ACK: a missing packet is requested by sending duplicate ACKs for
the last received sequence number until the missing segment arrives. This can
take a long time depending on the distance between client and server
• TCP Selective ACK
• TCP NOP (No Operation): padding for TCP options that are less than 4 bits

Capture Filter

[not] primitive [and|or [not] primitive …]

A primitive can be one of:
• [src|dst] host <host>
• ether [src|dst] host <host>
• gateway host <host>
• [src|dst] net <net> [{mask <mask>}|{len <len>}]
• [tcp|udp] [src|dst] port <port>
• less|greater <length>
• ip|ether proto <protocol>
• ether|ip broadcast|multicast
• <exp> relop <exp>
Examples
• host 10.1.1.1
• net 10.0.0.0 mask 255.255.255.0
• net 10.0.0.0/24
• port 8080
• tcp port 23 and host 10.0.0.1: capture telnet to and from 10.0.0.1
• tcp port 23 and not src host 10.0.0.1: capture telnet not from 10.0.0.1
• host www.example.com and not (port 80 or port 25), which is equivalent to:
host www.example.com and not port 80 and not port 25

Display Filter
Logical Operators
• AND: &&, and
• OR: ||, or
• XOR: xor, ^^: exclusive alternation, only one of the two conditions should
match, not both
• NOT: not, !
• Equal: ==, eq
• Substring: [n] […]: slice operator, used to filter on a specific word or text

Display Filter Comparison Operators

English-like operator, C-like operator: description, example
• eq, ==: Equal, e.g. ip.src == 10.0.0.5
• ne, !=: Not equal, e.g. ip.src != 10.0.0.5
• gt, >: Greater than, e.g. frame.len > 10
• lt, <: Less than, e.g. frame.len < 128
• ge, >=: Greater than or equal to, e.g. frame.len ge 0x100
• le, <=: Less than or equal to, e.g. frame.len <= 0x20
• contains: Protocol, field or slice contains a value, case sensitive, e.g.
sip.To contains "a1762"
• matches, ~: Protocol or text field matches a Perl-compatible regular
expression, not case sensitive, e.g. http.host matches "acme\.(org|com|net)"
• bitwise_and, &: Bitwise AND is non-zero, e.g. tcp.flags & 0x02


Slice and Membership Operators
• Slice: [<a>:<b>], [<a>-<b>],[<a>:<b>,<c>-<d>,<e>:<f>]
• Membership: in {<value, separated by space>}

Display Filter Functions

• upper: converts a string field to uppercase
• lower: converts a string field to lowercase
• len: returns the byte length of a string or bytes field
• count: returns the number of field occurrences in a frame
• string: converts a non-string field to a string
Examples
• By protocol: http, arp, icmp, telnet, ssh, ftp, dns
• Frame:
  • wlan.fc.type_subtype == 0x08: beacon filter
  • eth.dst == ff:ff:ff:ff:ff:ff: broadcast frame
  • (eth.dst[0] & 1): multicast filter
  • eth.addr == 00:00:00:00:00:01: ethernet frame
• IP Address:
  • ip.addr eq 10.1.1.1 and ip.addr == 10.1.1.2
  • ip.dst == 10.1.1.1 and ip.src == 10.1.1.2
  • ip.addr >= 10.1.1.1 and ip.addr <= 10.1.1.100: range of IP addresses
  • ip.addr == 10.1.1.0/24: filter on a subnet
  • ip.addr in {10.1.1.1 .. 10.1.1.5 192.168.1.1 .. 192.168.1.10}
  • To exclude an address, do not use !=; use !(ip.addr eq 10.1.1.1) instead of
    ip.addr != 10.1.1.1. The reason is that != matches a packet whose source or
    destination is not equal to 10.1.1.1, and only one of the two needs to
    match: if the source is not equal, the destination can still be equal, and
    vice versa
  • ip.hostname == <hostname>
  • count(ip.addr) > 2: a packet normally has 2 addresses (source +
    destination), but an ICMP error or a tunnel may carry more
  • string(ip.dst) matches "^172\.(1[6-9]|2[0-9]|3[0-1])\..{1,3}\.255": match
    IP addresses ending in 255 in a block of subnets (172.16 to 172.31)
  • frame contains "google"
  • http.host matches "\.(org|com|net)"
  • tcp.port in {80 443 8000..8080}
• Port:
  • tcp.port == 25
  • tcp.dstport == 25
  • tcp.port in {80 443 4434} is equivalent to tcp.port == 80 || tcp.port == 443
    || tcp.port == 4434
  • tcp.port in {80 4430..4434} is NOT equivalent to tcp.port == 80 ||
    (tcp.port >= 4430 && tcp.port <= 4434). This is because each comparison
    operator checks against any occurrence of the field, so traffic with source
    port 52984 and destination port 443 is matched by the second form (52984 >=
    4430 and 443 <= 4434)
• TCP Flags:
  • TCP SYN: tcp.flags eq 0x0002
  • tcp.flags.syn == 1
  • tcp.flags.syn == 1 and tcp.flags.ack == 0
  • TCP Reset flag: tcp.flags.reset == 1
• HTTP:
  • http.host == "hostname": filter by URL
  • http.request && ip.addr == 10.1.1.1
  • http.request || http.response
  • View URL from HTTP request: http.request
  • View domain name from SSL: ssl.handshake.type == 1
  • http.request.method in {"HEAD" "GET"}
  • http.request.uri == "http://wordpress.com"
  • http.host matches "wordpress\.(com|net|org)"
  • lower(http.server) contains "apache"
  • len(http.request.uri) > 100: length in bytes
• DNS:
  • dns.qry.name contains "wordpress" or dns.qry.name contains "blog"
• SMTP:
  • Search SMTP traffic: smtp contains "From: ", smtp contains "Subject:"
• Time:
  • frame.time >= "June 02, 2019 18:04:00": filter by timestamp
  • frame.time_delta in {20 .. 20.5}
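The != pitfall under IP Address and the tcp.port in {...} difference under Port, as an added example that is not part of the original cheat sheet: a small Python model of how Wireshark evaluates a comparison against a field that occurs more than once in a packet (ip.addr covers both addresses, tcp.port both ports). The sample packets are constructed.

```python
from ipaddress import ip_address

# Constructed sample packets: (ip.src, ip.dst, tcp.srcport, tcp.dstport).
PACKETS = {
    "A": ("10.1.1.1", "10.1.1.2", 52984, 443),   # involves 10.1.1.1, dst port 443
    "B": ("10.1.1.9", "10.1.1.1", 40000, 80),    # involves 10.1.1.1, dst port 80
    "C": ("10.1.1.5", "10.1.1.6", 4431, 9000),   # src port inside 4430..4434
    "D": ("10.1.1.7", "10.1.1.8", 5000, 6000),   # matches nothing on purpose
}

def ip_addr(pkt):
    """Occurrences of ip.addr in a packet: both ip.src and ip.dst."""
    return [ip_address(pkt[0]), ip_address(pkt[1])]

def tcp_port(pkt):
    """Occurrences of tcp.port: both tcp.srcport and tcp.dstport."""
    return [pkt[2], pkt[3]]

def any_match(values, pred):
    """Wireshark comparison semantics: true if ANY occurrence satisfies pred."""
    return any(pred(v) for v in values)

def ip_ne(pkt, ip):
    """ip.addr != <ip>: true as soon as either address differs (the pitfall)."""
    return any_match(ip_addr(pkt), lambda v: v != ip_address(ip))

def not_ip_eq(pkt, ip):
    """!(ip.addr == <ip>): true only when neither address equals <ip>."""
    return not any_match(ip_addr(pkt), lambda v: v == ip_address(ip))

def port_in_set(pkt):
    """tcp.port in {80 4430..4434}: each port is tested against the whole set."""
    return any_match(tcp_port(pkt), lambda p: p == 80 or 4430 <= p <= 4434)

def port_cmp_chain(pkt):
    """tcp.port == 80 || (tcp.port >= 4430 && tcp.port <= 4434): the two
    comparisons may be satisfied by DIFFERENT ports of the same packet."""
    ports = tcp_port(pkt)
    return any_match(ports, lambda p: p == 80) or (
        any_match(ports, lambda p: p >= 4430) and any_match(ports, lambda p: p <= 4434))

def select(filt, **kw):
    """Names of the sample packets that a filter keeps, in order."""
    return sorted(name for name, pkt in PACKETS.items() if filt(pkt, **kw))

if __name__ == "__main__":
    print("ip.addr != 10.1.1.1            ->", select(ip_ne, ip="10.1.1.1"))
    print("!(ip.addr == 10.1.1.1)         ->", select(not_ip_eq, ip="10.1.1.1"))
    print("tcp.port in {80 4430..4434}    ->", select(port_in_set))
    print("== 80 || (>= 4430 && <= 4434)  ->", select(port_cmp_chain))
```

Packet A (source port 52984, destination port 443) is the case the cheat sheet describes: kept by the comparison chain, dropped by the set membership form.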
Some Tasks
• Change coloring rules: View > Coloring Rules
• Export packets: File > Export Specified Packets | …..
• Export image/file from HTTP: select the corresponding packet; in the detail
pane, expand Media Type, JPG Format or Portable Network Graphics, then right
click > Export Selected Packet Bytes

Automatic Remote Traffic Filtering

• Wireshark looks for the following environment variables to exclude capturing
the packets of a remote session such as SSH, an exported X11 window, a terminal
server, …
  • SSH_CONNECTION (ssh): <remote IP> <remote port> <local IP> <local port>:
    not (tcp port srcport and addr_family host srchost and tcp port dstport and
    addr_family host dsthost)
  • SSH_CLIENT (ssh): <remote IP> <remote port> <local port>:
    not (tcp port srcport and addr_family host srchost and tcp port dstport)
  • REMOTEHOST (tcsh, others?): <remote name>: not addr_family host host
  • DISPLAY (x11): [remote name]:<display num>: not addr_family host host
  • SESSIONNAME (terminal server): <remote name>
  • CLIENTNAME: not tcp port 3389
• On Windows it asks the operating system if it is running in a Remote Desktop
Services environment.
Decrypting TLS
• For Firefox and Chrome, an environment variable named SSLKEYLOGFILE can be set
so that the browser stores the session keys used for encryption and decryption
• Capture traffic using a protocol analyzer like Wireshark
• Use the session keys above to decrypt the traffic
On Windows:
• Control Panel > System > Advanced System Settings > Advanced tab, click
Environment Variables
• Create a new variable: SSLKEYLOGFILE
• Value: path to the file in which to store the session keys; this file is
written by the browsers
• Open Wireshark and listen for traffic
• In the browser, access a website such as wireshark.org
• Check in Wireshark whether it captured the required data by searching with
the filter: frame contains "wireshark" (name of the website above)
• In Wireshark, click Edit > Preferences, on the left expand Protocols and find
TLS; under (Pre)-Master-Secret log filename, select the file specified as
SSLKEYLOGFILE above
• Right after this, the TLS packets are decrypted. Search for the TLS
negotiation and below it find the HTTP packet with DATA
On Linux:
The procedure is the same, except for setting the environment variable:

• declare -x SSLKEYLOGFILE="<path to file>"
• export SSLKEYLOGFILE="<path to file>"
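As an added example that is not part of the original cheat sheet, a Python check for the key log file the browser writes: Wireshark matches log entries by the ClientHello random, so a session whose random is missing from the file (typically because the browser was started before SSLKEYLOGFILE was set) stays encrypted even with the preference set. The sample log and client randoms are constructed.

```python
import re
from collections import defaultdict

# Format written by the browsers: "<LABEL> <client_random hex> <secret hex>",
# one entry per line; lines starting with '#' are comments.
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")

def parse_keylog(text):
    """Return {client_random: {label: secret}}; raise on a malformed line."""
    sessions = defaultdict(dict)
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {n}: not a key log entry: {line!r}")
        label, rnd, secret = m.groups()
        sessions[rnd.lower()][label] = secret.lower()
    return dict(sessions)

def session_version(sessions, client_random):
    """Which TLS version Wireshark could decrypt for this ClientHello random:
    TLS 1.2 needs CLIENT_RANDOM (the master secret), TLS 1.3 needs at least the
    application traffic secrets. None means the session stays encrypted."""
    labels = set(sessions.get(client_random.lower(), {}))
    if "CLIENT_RANDOM" in labels:
        return "TLS 1.2"
    if {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"} <= labels:
        return "TLS 1.3"
    return None

# Constructed sample log: two sessions, no real key material.
R12, R13 = "aa" * 32, "bb" * 32          # 32-byte client randoms, hex encoded
SAMPLE_LOG = "\n".join([
    "# constructed sample, not real keys",
    f"CLIENT_RANDOM {R12} {'11' * 48}",              # TLS 1.2: 48-byte master secret
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {R13} {'22' * 32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {R13} {'33' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {R13} {'44' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {R13} {'55' * 32}",
    f"EXPORTER_SECRET {R13} {'66' * 32}",
])

if __name__ == "__main__":
    found = parse_keylog(SAMPLE_LOG)
    for rnd in (R12, R13, "cc" * 32):            # third random is not in the log
        print(rnd[:16] + "...", session_version(found, rnd))
```

To check a real capture, copy the Random field from the ClientHello in the packet details and pass it as client_random.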
Decrypt IPsec Traffic
• Configure ESP encryption with null in the transform set:
  • crypto ipsec transform-set TS esp-null esp-sha512-hmac
• Copy the pre-shared key configured in phase 1 ISAKMP:
  • crypto isakmp key cisco address 10.1.1.1
• In Wireshark, select the ESP packet, right click > Protocol Preferences, and
select:
  • Attempt to detect/decode NULL encrypted ESP payloads
  • Check sequence numbers of ESP frames
  • Attempt to detect/decode encrypted ESP payloads
• Expand Encapsulating Security Payload Header and copy the ESP SPI, e.g.
0xdc1f1e1d
• Go back to Protocol Preferences of that packet > ESP SAs, click + to add,
then fill in the details of that packet:
  • Protocol: IPv4
  • Src IP: source of that ESP packet
  • Dest IP: destination of that ESP packet
  • SPI: the SPI copied above
  • Encryption: NULL (esp-null configured above)
  • Authentication: SHA512-hmac-512-256 (esp-sha512-hmac configured above)
  • Authentication key: cisco (configured above)
• Click OK, and the IPsec packets should be shown in clear text
Geolocation
• Create an account on maxmind.com to download the geolocation database files
• To use the database, go to Preferences under Edit (Windows/Linux) or
Wireshark (Mac)
  • Go to Name Resolution > MaxMind database directories and point to the
    folder containing the unzipped database files
  • Source GeoIP and Destination GeoIP are now available under the IP header
• To see a map of the endpoints, go to Statistics > Endpoints, then at the
bottom of the statistics window select Map > Open in browser
Network Troubleshooting
• Some columns that can be used for analysis:
  • bytes in flight, under TCP header > SEQ/ACK analysis
• Calculate slow HTTP: search for either
  • Time since request in the HTTP header
  • http.time > <amount of seconds> in the display filter
• Capture slow TCP: search for the TCP delta calculated by Wireshark, which is
different from the TCP timestamp option
  • Time since first frame in this TCP stream, under the timestamps section of
    the TCP header
  • tcp.time_delta: time since previous frame in this TCP stream, under the
    timestamps section of the TCP header
• Other timer analysis:
  • tcp.analysis.initial_rtt > 1
  • dns.time > 1
• TCP analysis: tcp.analysis.flags
  • TCP retransmissions
  • TCP out of order
  • Duplicate ACKs
  • Zero window
• Remove everything that is not interesting: !(arp or stp or cdp or lldp or
eth.addr == ff:ff:ff:ff:ff:ff)
• ip.geoip.country_iso == "<2-character country code>"
• TCP SYN with no options: (tcp.flags == 0x002) && (tcp.hdr_len == 20)
• TCPTrace
• Graph: Statistics menu > TCP Stream Graphs: shows sequence number over time,
acknowledgement over time and more

Happy Learning…

Follow me for more updates: https://www.linkedin.com/in/rakesh-sa-b2b664167

Thanks

Rakesh
