We covered a complete introduction to Wireshark, the packet analysis tool. We went over the main sections, capturing traffic, packet dissection and analysis, and extracting protocol statistics about the captured traffic, in addition to dissecting and explaining packet details and navigation. This was part of TryHackMe Wireshark The Basics & TryHackMe Packet Operations, which are part of TryHackMe SOC Level 1.
Wireshark is an open-source, cross-platform network packet analyser capable of sniffing and investigating live traffic and inspecting packet captures (PCAP). It is widely regarded as one of the best packet analysis tools available. In this room, we will look at the basics of Wireshark and use it to perform fundamental packet analysis.
Wireshark is one of the most potent traffic analyser tools available in the wild. It serves several purposes:
- Detecting and troubleshooting network problems, such as network load failure points and congestion.
- Detecting security anomalies, such as rogue hosts, abnormal port usage, and suspicious traffic.
- Investigating and learning protocol details, such as response codes and payload data.
Packet dissection, also known as protocol dissection, investigates packet details by decoding the available protocols and fields. Wireshark supports a long list of protocols for dissection, and you can also write your own dissectors. You can find more details on dissection here.
Wireshark has a powerful filter engine that helps analysts narrow down the traffic and focus on the event of interest. Wireshark has two types of filtering approaches: capture filters and display filters. Capture filters are applied while capturing, so only the packets matching the filter are recorded; display filters are applied afterwards, so only the packets matching the filter are shown.
Filters are specific queries written for the protocols listed in Wireshark’s official protocol reference. While filters are the only option for investigating the event of interest, there are two different ways to apply them and remove the noise from the capture file: the first uses queries, and the second uses the right-click menu. Wireshark provides a powerful GUI, and there is a golden rule for analysts who don’t want to write queries for basic tasks: “If you can click on it, you can filter and copy it”.
The Statistics menu provides multiple statistics options ready to investigate, which help users see the big picture in terms of the scope of the traffic, available protocols, endpoints and conversations, and some protocol-specific details such as DHCP, DNS and HTTP/2. For a security analyst, it is crucial to know how to utilise this statistical information. This section provides a quick summary of the processed pcap, which helps analysts form a hypothesis for an investigation. You can use the “Statistics” menu to view all available options.
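As an added example (not code from the TryHackMe rooms or from the Wireshark project), the following Python script ties the three ideas above together: it dissects a constructed libpcap file into Ethernet, IPv4 and TCP fields, applies display-filter-style predicates such as `ip.ttl < 10` and `tcp.port in {3333 4444 9999}` to the decoded packets, and derives Statistics-menu style IPv4 conversations and per-MAC byte counts from the same decoded data. Every frame, address and host in it is constructed for the example, the helper and field names are my own choices rather than Wireshark APIs, and it uses only the standard library.

```python
import struct
from collections import Counter

# A constructed libpcap file is built in memory below (little-endian magic,
# Ethernet link type) so the dissector can run offline. None of the data
# comes from a real capture or from the TryHackMe room.
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 ones-complement checksum of an IPv4 header (returns 0 if already valid)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac, dst_mac, src_ip, dst_ip, ttl, sport, dport, payload=b""):
    """Construct an Ethernet II + IPv4 + TCP frame with a correct IPv4 header checksum."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip4 = lambda a: bytes(map(int, a.split(".")))
    eth = mac(dst_mac) + mac(src_mac) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234, 0x4000,
                     ttl, 6, 0, ip4(src_ip), ip4(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    # data offset 5 words, flags PSH|ACK; the TCP checksum is left at zero for brevity
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def dissect_pcap(data: bytes):
    """Decode each pcap record into a dict keyed by Wireshark-style field names."""
    magic, = struct.unpack_from("<I", data, 0)
    linktype, = struct.unpack_from("<I", data, 20)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("only little-endian libpcap with Ethernet frames is handled here")
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        pkt = {"no": len(packets) + 1, "time": ts_sec + ts_usec / 1e6, "len": len(frame),
               "eth.dst": frame[0:6].hex(":"), "eth.src": frame[6:12].hex(":")}
        packets.append(pkt)
        if struct.unpack_from("!H", frame, 12)[0] != 0x0800:   # EtherType is not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        pkt["ip.ttl"], pkt["ip.proto"] = frame[22], frame[23]
        pkt["ip.src"] = ".".join(map(str, frame[26:30]))
        pkt["ip.dst"] = ".".join(map(str, frame[30:34]))
        # the kind of check behind an "expert info" checksum warning
        pkt["ip.checksum_ok"] = ipv4_checksum(frame[14:14 + ihl]) == 0
        if pkt["ip.proto"] != 6:                                # not TCP
            continue
        t = 14 + ihl
        pkt["tcp.srcport"], pkt["tcp.dstport"] = struct.unpack_from("!HH", frame, t)
        pkt["tcp.payload_len"] = len(frame) - t - (frame[t + 12] >> 4) * 4
    return packets


# --- Display-filter analogues: a filter is a predicate over decoded fields ---
def apply_filter(packets, predicate):
    return [p for p in packets if predicate(p)]

def ttl_below(n):                     # Wireshark: ip.ttl < n
    return lambda p: "ip.ttl" in p and p["ip.ttl"] < n

def tcp_port(*ports):                 # Wireshark: tcp.port == N  or  tcp.port in {A B C}
    return lambda p: bool({p.get("tcp.srcport"), p.get("tcp.dstport")} & set(ports))

def even_ttl(p):                      # parity test on the decoded TTL field
    return "ip.ttl" in p and p["ip.ttl"] % 2 == 0


# --- Statistics-menu analogues: aggregations over the same decoded packets ---
def ipv4_conversations(packets):
    """Statistics > Conversations > IPv4: packet count per unordered address pair."""
    return Counter(frozenset((p["ip.src"], p["ip.dst"])) for p in packets if "ip.src" in p)

def bytes_by_source_mac(packets):
    """Statistics > Endpoints > Ethernet: bytes transmitted per source MAC."""
    totals = Counter()
    for p in packets:
        totals[p["eth.src"]] += p["len"]
    return totals


# --- Constructed sample capture: four TCP frames between three hosts ---------
SAMPLE_PCAP = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
for i, args in enumerate([
    ("00:11:22:33:44:01", "00:11:22:33:44:02", "10.0.0.1", "10.0.0.2", 64, 51000, 80, b"GET / HTTP/1.1\r\n"),
    ("00:11:22:33:44:02", "00:11:22:33:44:01", "10.0.0.2", "10.0.0.1", 63, 80, 51000, b"HTTP/1.1 200 OK\r\n"),
    ("00:11:22:33:44:01", "00:11:22:33:44:03", "10.0.0.1", "10.0.0.3", 5, 51001, 4444, b"hello"),
    ("00:11:22:33:44:03", "00:11:22:33:44:01", "10.0.0.3", "10.0.0.1", 128, 9999, 51002, b""),
]):
    frame = build_frame(*args)
    SAMPLE_PCAP += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame

if __name__ == "__main__":
    pkts = dissect_pcap(SAMPLE_PCAP)
    print("packets:", len(pkts))
    print("ip.ttl < 10:", len(apply_filter(pkts, ttl_below(10))))
    print("tcp.port in {3333 4444 9999}:", len(apply_filter(pkts, tcp_port(3333, 4444, 9999))))
    print("IPv4 conversations:", {tuple(sorted(k)): v for k, v in ipv4_conversations(pkts).items()})
    print("bytes per source MAC:", dict(bytes_by_source_mac(pkts)))
```

Wireshark does the same with a far larger dissector library and a real filter parser, but the shape is identical: a display filter is a predicate evaluated over the fields a dissector produced, and the Statistics views are aggregations over those same decoded packets, which is why a capture that Wireshark cannot dissect correctly (wrong link type, truncated frames) gives misleading filter counts and statistics. A real dissector would also have to handle VLAN tags, IP options and IPv6, which this example deliberately leaves out.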
What is the total number of packets?
What is the SHA256 hash value of the capture file?
What is the arrival date of the packet? (Answer format: Month/Day/Year)
What is the TTL value?
What is the TCP payload size?
What is the e-tag value?
Go to packet 12 and read the comments. What is the answer?
There is a “.txt” file inside the capture file. Find the file and read it; what is the alien’s name?
Look at the expert info section. What is the number of warnings?
What is the number of displayed packets?
Go to packet number 33790 and follow the stream. What is the total number of artists?
What is the name of the second artist?
What is the number of IPv4 conversations?
How many bytes (k) were transferred from the “Micro-St” MAC address?
What is the number of IP addresses linked with “Kansas City”?
Which IP address is linked with “Blicnet” AS Organisation?
What is the most used IPv4 destination address?
What is the max service request-response time of the DNS packets?
What is the number of HTTP Requests accomplished by “rad[.]msn[.]com”?
What is the number of packets with a “TTL value less than 10”?
What is the number of packets that use “TCP port 4444”?
What is the number of “HTTP GET” requests sent to port “80”?
What is the number of “type A DNS Queries”?
Find all Microsoft IIS servers. What is the number of packets that have “version 7.5”?
What is the total number of packets that use ports 3333, 4444 or 9999?
What is the number of packets with “even TTL numbers”?
Change the profile to “Checksum Control”. What is the number of “Bad TCP Checksum” packets?
Use the existing filtering button to filter the traffic. What is the number of displayed packets?