In this mini course, we presented the popular packet analyzer Wireshark, covering its GUI, navigation, packet analysis and dissection, data extraction and export, comparison operators, and traffic analysis, finishing with scenarios inspired by cyber security CTF challenges.

Table of Contents:

  • Section One: Wireshark Basics
  • Section Two: Packet Analysis: analyzing packets of different network protocols such as HTTP, HTTPS, DNS, DHCP, ICMP, etc.
  • Section Three: Exploit Analysis
  • Section Four: Analyzing a Hacked Website
  • Section Five: RCE Detection

Course Access

The course is free and can be accessed from this link.

Some concepts that are discussed in this mini course

Packet Capturing

Packet capture refers to capturing network packets transmitted over a network, and packet replay refers to sending captured packets back out over the network. You can capture packets using a protocol analyzer; this is sometimes called sniffing or using a sniffer.

Traffic Analysis

Traffic analysis is a method of intercepting, recording/monitoring, and analyzing network data and communication patterns to detect and respond to system health issues, network anomalies, and threats. The network is a rich data source, so traffic analysis is useful for both security and operational matters. The operational side covers system availability checks and performance measurement; the security side covers anomaly and suspicious activity detection on the network.

What is Wireshark?

Wireshark is an open-source, cross-platform network packet analyser capable of sniffing and investigating live traffic and inspecting packet captures (PCAP files). It is widely regarded as one of the best packet analysis tools.


Comparison Operators in Wireshark
Each comparison operator has two spellings, an English abbreviation and a C-style symbol; both can be used in display filters:

  • eq or ==   equal to
  • ne or !=   not equal to
  • gt or >    greater than
  • lt or <    less than
  • ge or >=   greater than or equal to
  • le or <=   less than or equal to

"contains": searches for a value inside packets. It is case-sensitive and provides functionality similar to the "Find" option, but focused on a specific field.

Example: list all HTTP packets whose "server" field contains the "Apache" keyword:

  http.server contains "Apache"
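To make the operator semantics concrete, here is a small Python evaluator, added for this page and not part of the course or of Wireshark, that applies single-clause display filters of the form "field operator value" to a handful of constructed packet records. The packet dictionaries, the field values and the helper names (parse_filter, packet_matches, apply_filter) are all assumptions for illustration; only the operator spellings and the case-sensitive behaviour of "contains" come from the text above.

```python
import operator
import shlex

# Constructed sample "packets": each dict stands in for the dissected
# fields Wireshark would show for one frame. Not taken from a real capture.
PACKETS = [
    {"frame.number": 1, "frame.len": 66,   "tcp.port": 443},
    {"frame.number": 2, "frame.len": 512,  "tcp.port": 80,
     "http.server": "Apache/2.4.41 (Ubuntu)"},
    {"frame.number": 3, "frame.len": 498,  "tcp.port": 80,
     "http.server": "nginx/1.18.0"},
    {"frame.number": 4, "frame.len": 1500, "tcp.port": 8080,
     "http.server": "apache-coyote/1.1"},
]

# Wireshark accepts both spellings of each comparison operator; both map
# to the same Python comparison here.
COMPARISONS = {
    "eq": operator.eq, "==": operator.eq,
    "ne": operator.ne, "!=": operator.ne,
    "gt": operator.gt, ">":  operator.gt,
    "lt": operator.lt, "<":  operator.lt,
    "ge": operator.ge, ">=": operator.ge,
    "le": operator.le, "<=": operator.le,
}


def parse_filter(expr):
    """Split 'field operator value' into three tokens; quotes around the value are stripped."""
    tokens = shlex.split(expr)
    if len(tokens) != 3:
        raise ValueError(f"expected 'field operator value', got {expr!r}")
    field, op, value = tokens
    if op != "contains" and op not in COMPARISONS:
        raise ValueError(f"unknown operator {op!r}")
    return field, op, value


def packet_matches(packet, field, op, value):
    """True if this packet satisfies the single-clause filter."""
    if field not in packet:
        return False  # a frame that lacks the field never matches
    actual = packet[field]
    if op == "contains":
        # Case-sensitive substring test, as Wireshark's 'contains' behaves
        return value in str(actual)
    # Numeric fields are compared as numbers, string fields as text
    if isinstance(actual, int):
        value = int(value)
    return COMPARISONS[op](actual, value)


def apply_filter(expr, packets=PACKETS):
    """Return the frame numbers that pass the display filter, in capture order."""
    field, op, value = parse_filter(expr)
    return [p["frame.number"] for p in packets
            if packet_matches(p, field, op, value)]


if __name__ == "__main__":
    for f in ('http.server contains "Apache"',
              'http.server contains "apache"',
              "tcp.port eq 80",
              "frame.len >= 500",
              "tcp.port != 80"):
        print(f"{f:32} -> frames {apply_filter(f)}")
```

Running it shows the point the text makes about case sensitivity: `http.server contains "Apache"` selects only frame 2, while `http.server contains "apache"` selects only frame 4, so a hunt for a particular server banner should spell the value exactly as it appears on the wire (or use a case-insensitive match such as Wireshark's regular-expression operator instead).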