Module 05 - Network Traffic

The document provides an overview of TCPDUMP, a software tool for capturing and analyzing network traffic. It details installation instructions, basic commands for capturing traffic, and advanced usage scenarios including filtering and saving captured data. Additionally, it introduces TSHARK, a command-line network traffic analyzer, with examples of its basic and statistical usage.

Network Forensics

TCPDUMP
What is TCPDUMP?

Software that lets you see inside the traffic activity that occurs on a network
Software that decodes the captured bits
Software that displays the output in human-readable format

www.cybexer.com 2
Tcpdump installation

Get the latest version from www.tcpdump.org
• ./configure && make && make install

Or use what you already have ;)

NOTE! The libpcap library must be installed before building tcpdump

Happy tcpdumping

Verify the version of tcpdump on your system
• tcpdump --version

Display basic help
• tcpdump --help

Capture traffic on the lowest-numbered network interface that is configured up (loopback excluded)
• tcpdump

Display all network interfaces and their order
• tcpdump -D

Based on the '-D' output you can refer to an interface by its number. In this example we capture traffic on the 'loopback' interface (number 2)
• tcpdump -i 2

Capture traffic on the 'eth0' network interface
• tcpdump -i eth0

Capture traffic on all network interfaces
• tcpdump -i any

Note! On Linux, 'any' captures in cooked (SLL) mode: '-e' will not show real Ethernet headers and a file saved with '-w' has link type 113 instead of 1 (Ethernet)

Do not translate IP addresses/ports to names
• tcpdump -n

Name resolution for IP addresses may cause latency during traffic captures, and the reverse lookups themselves send DNS queries from the capturing host. On systems with high traffic use the '-n' option

Generate more verbose output
• tcpdump -v

Note! -vv and -vvv add even more verbosity

Capture all traffic to and from a specified host
• tcpdump host <hostname/ip>

Capture all traffic to a specified host
• tcpdump dst host 192.168.114.33

Capture all traffic from a specified host
• tcpdump src host 192.168.114.33

Capture all traffic to and from a whole network
• tcpdump net 192.168.113.0/24

Note! "net" can also be written as 199.83.128 or 192.168: a dotted triple gets a /24 netmask, a dotted pair a /16

You can use 'dst' or 'src' before 'net' to narrow the capture
• tcpdump src net 192.168.114

Tcpdump allows you to specify a protocol name for capturing packets
• tcpdump tcp

Note! Recognised protocol names include: ether, ip, ip6, arp, rarp, tcp, udp, icmp, icmp6, sctp etc.

To capture IPv6 traffic, use the 'ip6' protocol
• tcpdump ip6

Capture only UDP packets
• tcpdump udp

Capture all packets on a specified port. This captures TCP, UDP and SCTP on port 53
• tcpdump port 53

Capture all packets except those on the specified port
• tcpdump not port 53

Capture only packets to a specified destination port
• tcpdump dst port 80

Note! Use 'src' to match the source port

By default, tcpdump prints a timestamp for each captured packet. To turn off timestamps, use the '-t' option
• tcpdump -t

Print a UNIX timestamp (seconds since the epoch) for each captured packet
• tcpdump -tt

To convert a UNIX timestamp to human-readable format use the 'date' command
• date -d @1610104369.688961

Note! 'date' renders the time in the local timezone of the analysis machine; add '-u' to print UTC when correlating with logs from other systems

Print the time difference (microsecond resolution by default) between the current and the previous packet
• tcpdump -ttt

Print the full date and time for each captured packet
• tcpdump -tttt

Print the time difference between the first captured packet and each packet
• tcpdump -ttttt

Print captured packets in ASCII
• tcpdump -A

This option is suitable for plain-text traffic. Binary or encrypted traffic will display as garbage.

Print captured packets in HEX
• tcpdump -x

Print captured packets in HEX and ASCII
• tcpdump -X

Capture a specified number of packets. This example captures 3 packets (matching the filter) and then stops tcpdump
• tcpdump -c 3

Sometimes it's important to save captured packets for later analysis or for sharing with other security team members. Saving captured packets to a file is done with the '-w' option followed by the filename
• tcpdump -w capture_01.pcap

Note! To stop the capture, press Ctrl+C
Note! '-w' writes raw packets and prints nothing; add '-v' to have tcpdump report the number of packets captured, and '-C <MB>' or '-G <seconds>' to rotate the output file by size or time. On old tcpdump versions add '-s 0' so packets are not truncated to the default snaplen

Reading saved network traffic from a file is done with the '-r' option followed by the file name
• tcpdump -r capture_01.pcap

Note! Capture filters work on saved traffic too, e.g. tcpdump -n -r capture_01.pcap 'port 53'

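Files written with '-w' are plain pcap: a 24-byte global header followed by one 16-byte record header per packet. The following shell functions are an added example, not part of the original slides or of tcpdump: they read that structure with od/printf only, so you can verify what a file is (pcap, nanosecond pcap or pcapng) and how many packets it holds on a host that has neither tcpdump nor capinfos. They assume the little-endian layout tcpdump writes on x86/ARM Linux; the sample file built by make_sample_pcap is constructed here and its two records carry filler bytes rather than real Ethernet frames.

```shell
#!/bin/sh
# Added example (not from the original slides): inspect a file written by
# 'tcpdump -w' using only od/printf. Assumes little-endian pcap; pcapng
# (what Wireshark writes by default) and big-endian files are reported
# and rejected.

# Read a 4-byte little-endian unsigned integer at byte offset $2 of file $1.
u32le() {
    set -- $(od -An -tx1 -j "$2" -N4 "$1")   # e.g. "ff ff 00 00"
    if [ $# -ne 4 ]; then echo 0; return 0; fi   # short read: truncated file
    echo $((0x$4$3$2$1))
}

# Print format, link type, snaplen and the number of packet records.
pcap_summary() {
    f=$1
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    case $magic in
        d4c3b2a1) fmt=pcap ;;          # microsecond timestamps, little-endian
        4d3cb2a1) fmt=pcap-nsec ;;     # nanosecond timestamps (--time-stamp-precision=nano)
        a1b2c3d4|a1b23c4d) echo "big-endian pcap: not handled here" >&2; return 1 ;;
        0a0d0d0a) echo "pcapng: use capinfos or tshark" >&2; return 1 ;;
        *) echo "not a pcap file (magic '$magic')" >&2; return 1 ;;
    esac
    snaplen=$(u32le "$f" 16)
    linktype=$(u32le "$f" 20)          # 1 = Ethernet, 113 = Linux cooked ('-i any')
    size=$(( $(wc -c < "$f") ))
    off=24                             # the global header is 24 bytes
    n=0
    while [ "$off" -lt "$size" ]; do
        incl=$(u32le "$f" $((off + 8)))   # record header: ts_sec ts_usec incl_len orig_len
        off=$((off + 16 + incl))
        n=$((n + 1))
    done
    note=""
    if [ "$off" -gt "$size" ]; then      # Ctrl+C during '-w' can leave a short last record
        note=" (last record truncated)"
    fi
    echo "format=$fmt linktype=$linktype snaplen=$snaplen packets=$n$note"
}

# Write integer $1 as 4 little-endian bytes.
le32() {
    v=$1; i=0
    while [ "$i" -lt 4 ]; do
        printf "\\$(printf '%03o' $((v & 255)))"
        v=$((v >> 8)); i=$((i + 1))
    done
}

# Constructed sample: a valid pcap global header plus two records whose
# payload is filler bytes instead of real Ethernet frames (the parser only
# needs the record lengths). Timestamps reuse the UNIX time from the slides.
make_sample_pcap() {
    {
        printf '\324\303\262\241'          # magic 0xa1b2c3d4, little-endian
        printf '\002\000\004\000'          # version 2.4
        le32 0; le32 0                     # thiszone, sigfigs
        le32 65535; le32 1                 # snaplen, linktype Ethernet
        le32 1610104369; le32 688961; le32 42; le32 42; printf '%042d' 0
        le32 1610104370; le32 1234;   le32 60; le32 60; printf '%060d' 0
    } > "$1"
}

if [ "${1:-}" = "--demo" ]; then
    make_sample_pcap /tmp/sample_capture.pcap
    pcap_summary /tmp/sample_capture.pcap   # format=pcap linktype=1 snaplen=65535 packets=2
fi
```

Run it as `sh pcap_summary.sh --demo`, or source the file and call `pcap_summary capture_01.pcap` on a real capture; a truncated final record is reported rather than counted silently, which is the usual symptom of a capture that was killed mid-write.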
By default, tcpdump does not show Ethernet header information.
To print Ethernet header details (MAC addresses) use the '-e' option
• tcpdump -e

Advanced commands

Display traffic for specified port ranges
• tcpdump portrange 81-83

Note! Use src or dst to be more specific
• tcpdump src portrange 442-444

To capture traffic based on its direction, use the '-Q' option followed by 'in' or 'out'
• tcpdump -Q in

Note! 'inout' captures both incoming and outgoing traffic (the default). Direction filtering is not available on all platforms

Being able to do these various things individually is powerful, but the real magic of tcpdump comes from the ability to combine filters in creative ways in order to isolate exactly what you're looking for
logical AND - 'and' or '&&'
logical OR - 'or' or '||'
negation - 'not' or '!'

Note! Quote a filter that uses '&&', '||' or '!', otherwise the shell interprets those characters before tcpdump sees them

Display traffic only to a specified host and port
• tcpdump dst host 192.168.114.33 and dst port 22
• tcpdump 'dst host 192.168.114.33 && dst port 22'

Display traffic to or from either of two hosts
• tcpdump host 192.168.114.33 or host 192.168.113.33
• tcpdump 'host 192.168.114.33 || host 192.168.113.33'

Display traffic to and from a specified host, excluding port 22 (ssh)
• tcpdump host 192.168.114.33 and not port ssh
• tcpdump 'host 192.168.114.33 and ! port ssh'

It is important to pay attention when combining different filters.
For example, we want to capture all traffic except TCP and UDP. The filter 'tcpdump not tcp or udp' is not correct: 'not' binds tighter than 'or', so it is read as '(not tcp) or udp' and still captures UDP traffic.
To build a correct filter for capturing all traffic except TCP and UDP, we have to use brackets
• tcpdump 'not (tcp or udp)'
Filters with brackets must be single-quoted, otherwise the shell tries to interpret the parentheses

Another example of grouping capture filters.
Capture traffic from hosts 192.168.114.33 or 192.168.113.33, except TCP to port 443
• tcpdump '(host 192.168.114.33 or host 192.168.113.33) and not (tcp and dst port 443)'

Let's capture FTP packets from 192.168.114.33 to 192.168.113.109
• tcpdump 'src host 192.168.114.33 and dst host 192.168.113.109 and port ftp'

Note! 'port ftp' resolves to 21 via /etc/services, i.e. the control channel only; the data channel (port 20, or a negotiated passive port) is not matched

The grep command can be used along with tcpdump to search the network traffic as it is captured. Add '-l' so that tcpdump line-buffers its output; without it the pipe is block-buffered and grep shows nothing until the buffer fills
• tcpdump -l -n -A | grep -e 'GET'

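A bare grep finds the request line but loses who sent it, because the addresses are on the packet summary line above. The awk filter below is an added example, not part of the original slides or of tcpdump: it keeps the addresses from each summary line and prints them with the method, Host header and URI of every HTTP request found in 'tcpdump -n -A' output. The sample text is constructed to look like tcpdump's output (the request line follows the IP/TCP header bytes, which '-A' prints as dots, on the same line); the addresses and host name in it are made up.

```shell
#!/bin/sh
# Added example (not from the original slides): instead of grepping raw
# 'tcpdump -A' output, keep the state needed to say *who* sent each HTTP
# request. Live usage:  tcpdump -l -n -A 'tcp port 80' | http_requests
# ('-l' line-buffers tcpdump's stdout so the pipe is not block-buffered).

# Reads 'tcpdump -n -A' text on stdin, prints one line per request:
#   <src ip.port> -> <dst ip.port> <METHOD> <Host> <URI>
http_requests() {
    awk '
        # Packet summary line: "10:15:01.103221 IP 192.168.114.33.51234 > 192.168.113.109.80: Flags [P.], ..."
        /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]\.[0-9]+ IP6? / {
            src = $3; dst = $5; sub(/:$/, "", dst)
            method = ""                     # forget any request line from the previous packet
            next
        }
        # The request line follows the header bytes (printed as dots) on the same
        # line, so anchor on the method rather than on the start of the line.
        match($0, /(GET|POST|PUT|HEAD|DELETE|OPTIONS|PATCH) \/[^ ]* HTTP\/1\.[01]/) {
            split(substr($0, RSTART, RLENGTH), req, " ")
            method = req[1]; uri = req[2]
            next
        }
        # Report once the Host header arrives (HTTP/1.0 requests without Host are skipped).
        method != "" && /^Host: / {
            printf "%s -> %s %s %s %s\n", src, dst, method, $2, uri
            method = ""
        }
    '
}

# Constructed sample of what 'tcpdump -l -n -A' prints (not a real capture):
# one GET, a pure ACK, an SSH packet that must be ignored, and one POST.
sample_tcpdump_a() {
    cat <<'EOF'
10:15:01.103221 IP 192.168.114.33.51234 > 192.168.113.109.80: Flags [P.], seq 1:121, ack 1, win 502, length 120
E..x..@.@.....r!..m..u.P...........GET /index.html HTTP/1.1
Host: intranet.example.test
User-Agent: curl/7.88.1
Accept: */*

10:15:01.104877 IP 192.168.113.109.80 > 192.168.114.33.51234: Flags [.], ack 121, win 509, length 0
E..(..@.@.....m..u.r!.P.......P...
10:15:02.551002 IP 192.168.114.33.51240 > 192.168.113.109.22: Flags [P.], seq 1:23, ack 1, win 502, length 22
E..J..@.@.....r!..m..u.P...........SSH-2.0-OpenSSH_9.2
10:15:03.000413 IP 192.168.114.35.40022 > 192.168.113.109.80: Flags [P.], seq 1:98, ack 1, win 502, length 97
E..x..@.@.....r#..m...V.P...........POST /login HTTP/1.1
Host: intranet.example.test
Content-Type: application/x-www-form-urlencoded
Content-Length: 30

user=admin&password=Winter2021
EOF
}

if [ "${1:-}" = "--demo" ]; then
    sample_tcpdump_a | http_requests
fi
```

The demo prints two lines, one for the GET and one for the POST; the SSH banner on port 22 produces nothing even though it sits in a data-bearing packet, because no request line was seen for it.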
Read the capture filter from a file (handy for long filters)
• tcpdump -F <filter_file>

Note! When '-F' is used, any filter given on the command line is ignored

Advanced usage

Use brackets
• tcpdump -i eth0 '( filter and (filter or filter))'

Capture ICMP traffic to specified MAC addresses
• tcpdump -i eth0 '(icmp and (ether dst host 00:0C:29:93:A0:52 or ether dst host 00:0C:29:93:A0:53))'

Use the operators 'and' / 'or'
• tcpdump 'port 80 or port 443'

Note! '||' and '&&' can also be used (inside quotes)

Combine filters
• tcpdump '(port 80 or port 443) and host 192.168.1.1'
VS
• tcpdump '(dst port 80 or dst port 443) and dst host 192.168.1.1'
The first form captures both directions of the web conversations with 192.168.1.1; the second only the packets sent to the web server on 192.168.1.1

Capture HTTP traffic ('en0' is the macOS interface name; use eth0 or similar on Linux)
• tcpdump -i en0 -n 'dst or src host <target> and port 80'

Task 1 - tcpx_04.pcap

1. What is the SHA1 hash of the packet capture?
2. What is the capture duration in seconds?
3. How many packets were captured?
4. At what time did the capture start/end?

Use capinfos (part of the Wireshark suite) to get information about the capture file
• capinfos tcpx_04.pcap

Note! 'capinfos -H' prints the file hashes; record the hash before analysis so the evidence can later be shown to be unchanged

Extracting SOME data from traffic captures

TCPXTRACT'ing data (carves files out of TCP streams by their magic bytes)
• tcpxtract -f <capture.file> -o </output/folder/>

Note! The output folder must be created before extraction.

FOREMOST'ing data (file carver; works on pcap files as on any other input)
• foremost -i <capture.file> -o </output/folder/>

URLSNARF'ing data (from dsniff; prints HTTP requests in web-server log format)
• urlsnarf -n -p <capture.file>

HTTPRY'ing data (HTTP request/response logger)
• httpry -r <capture.file>

TSHARK

What is TSHARK?

The command-line network traffic capturer and analyzer of the Wireshark suite; it uses the same dissectors and display filters as Wireshark

Basic usage

Read all live traffic on a specified interface
• tshark -n -i <interface>

Read live traffic on a specified interface with a display filter
• tshark -n -i <interface> -Y "http.host == ping.eu"

Note! '-Y' is a display filter applied after dissection; '-f' sets a capture (BPF) filter in tcpdump syntax, which is cheaper because unwanted packets are dropped before they reach tshark

Read live traffic on a specified interface with a display filter
• tshark -i <interface> -n -Y http.request

Read live traffic with a display filter and print only selected fields
• tshark -i <interface> -n -Y http.request -T fields -e http.host
Note! try adding "-e http.user_agent"

HTTP fields

http.authorization, http.host, http.referer, http.request.method, http.request.uri, http.response.code, http.user_agent

Read live traffic showing only A-record queries (queries, not responses; dns.qry.type == A is the same as dns.qry.type == 1)
• tshark -i <interface> -n -Y "dns.qry.type == A and dns.flags.response == 0"

Print one line per packet with time, addresses and the queried name
• tshark -i wlan0 -n -T fields -e frame.time -e ip.src -e ip.dst -e dns.qry.name

Save live traffic to a file
• tshark -n -w <filename>

Read the content of a network capture
• tshark -n -r <capture.file>

Read a network capture with a filter
• tshark -n -r <capture.file> http.host==ping.eu

Note! A filter given as a positional argument is a capture filter when capturing live, but a read filter (display-filter syntax) when reading a file with '-r'; '-Y' is unambiguous in both cases

Read a specific frame
• tshark -n -r <capture.file> frame.number==18

Note! '-x' adds HEX/ASCII output, '-V' prints the full dissection of each frame

What packets will be displayed?
• tshark -n -r <capture.file> -T fields -E separator=';' -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport '(tcp.flags.syn==1 and tcp.flags.ack==0)'

Answer: only the first packet of each TCP handshake (SYN set, ACK clear), i.e. every connection attempt, printed as source;sport;destination;dport

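The 'source;sport;destination;dport' lines that command prints are exactly what you need to spot a port scan: one source trying many distinct ports on one destination. The function below is an added example, not part of the original slides or of tshark; it aggregates such lines with awk. The sample field output is constructed here (made-up addresses) to contain a normal client and one scanner.

```shell
#!/bin/sh
# Added example (not from the original slides): post-process the
# 'source;sport;destination;dport' lines that tshark prints for SYN-only
# packets and report sources that tried many distinct ports on one
# destination, which is what a port scan looks like.
# Usage:  tshark -n -r capture.pcap -T fields -E separator=';' \
#             -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport \
#             'tcp.flags.syn==1 and tcp.flags.ack==0' | find_scanners 10

# $1 = minimum number of distinct destination ports to report (default 5)
find_scanners() {
    awk -F';' -v min="${1:-5}" '
        NF >= 4 && $1 != "" && $4 != "" {
            ports[$1 " -> " $3 ";" $4] = 1     # one entry per (src, dst, dport): retries collapse
        }
        END {
            for (k in ports) {
                split(k, part, ";")
                distinct[part[1]]++             # part[1] is "src -> dst"
            }
            for (pair in distinct)
                if (distinct[pair] >= min)
                    printf "%s distinct_ports=%d\n", pair, distinct[pair]
        }
    ' | sort
}

# Constructed sample of the tshark field output (not a real capture):
# a browser opening two connections to port 80, and 10.0.0.5 probing
# seven ports on 192.168.113.109 (port 22 twice) plus one port on another host.
sample_syn_fields() {
    cat <<'EOF'
192.168.114.33;51234;192.168.113.109;80
192.168.114.33;51235;192.168.113.109;80
10.0.0.5;40001;192.168.113.109;21
10.0.0.5;40002;192.168.113.109;22
10.0.0.5;40003;192.168.113.109;22
10.0.0.5;40004;192.168.113.109;23
10.0.0.5;40005;192.168.113.109;25
10.0.0.5;40006;192.168.113.109;80
10.0.0.5;40007;192.168.113.109;443
10.0.0.5;40008;192.168.113.109;445
10.0.0.5;40009;192.168.113.110;22
EOF
}

if [ "${1:-}" = "--demo" ]; then
    sample_syn_fields | find_scanners 5     # 10.0.0.5 -> 192.168.113.109 distinct_ports=7
fi
```

Counting distinct ports rather than SYN packets matters: a retransmitting client sends several SYNs to one port and must not be mistaken for a scanner, while a scanner that probes each port once still stands out.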
Find HTTP basic auth
• tshark -nr <capture.file> -T fields -e frame.number -e ip.src -e ip.dst -e http.authbasic -Y "http.authbasic"

Note! http.authbasic holds the already base64-decoded user:password pair

More to come

Basic usage - statistics

Display IP conversation statistics from a capture file
• tshark -n -r <capture.file> -qz conv,ip

Display TCP or UDP conversation statistics from a capture file
• tshark -n -r <capture.file> -qz conv,xxx

Note! xxx = tcp or udp

Limit the conversation statistics with a display filter
• tshark -n -r <capture.file> -qz conv,tcp,filter

Note! filter = "http" or "tcp.port == 80"

Display all collected IP addresses
• tshark -n -r <capture.file> -qz ip_hosts,tree

Display packet-type statistics
• tshark -n -r <capture.file> -qz ptype,tree

Display HTTP statistics
• tshark -n -r <capture.file> -qz http,stat,

Display HTTP packet distribution
• tshark -n -r <capture.file> -qz http,tree

Display HTTP requests by server
• tshark -n -r <capture.file> -qz http_req,tree

Display HTTP requests and responses by server
• tshark -n -r <capture.file> -qz http_srv,tree

Display Protocol Hierarchy Statistics
• tshark -n -r <capture.file> -qz io,phs

Note! '-q' suppresses the per-packet output so only the statistics are printed; 'tshark -z help' lists all available statistics

Wireshark
What is Wireshark?

• The most popular network analysis tool
• 500000 downloads per month
• Works on most platforms (Linux, Windows, macOS etc.)
• And it's free!

What can Wireshark do?

• Find top talkers on the network
• See communications in "clear text"
• Detect various network misconfigurations
• Identify network reconnaissance activity
• etc.

Wireshark has 4 phases of packet analysis

• capture
• decode
• display
• analyze

Some issues
• XKeyboard extension not present on the X server
Install the wireshark-gtk package
• apt-get install wireshark-gtk

Run 'wireshark' from the terminal, type 'wireshark' in the search form, or use 'Start menu' -> '09 - Sniffing & Spoofing' -> Wireshark

Capture network traffic by double-clicking the proper interface on the 'welcome screen'

Or select the required interface from the 'Capture' menu, then 'Options' and click 'Start'

Main working window

Packet list - list of captured packets, each line is a single packet. Shows time, source, destination, protocol, length of the packet and additional information about the packet
Columns can be adjusted later in Preferences

Packet details - shows a detailed view of the packet selected in the 'packet list'

Packet bytes - displays the selected packet in hexadecimal and ASCII view

The layout of the main window can be changed in the Preferences menu

By default, the 'Time' column shows the time since the beginning of the packet capture, which is not suitable for off-line analysis of network captures
To change the time format right-click the 'Time' column and select 'Edit Column'
Change the 'Time' format from the drop-down menu to the required value
Select 'UTC date, as YYYY-MM-DD, and time' and click 'OK' to save and apply the new time format
The new 'Time' format is applied

Note! The same setting is available under View -> Time Display Format

Configuring columns in the 'Packet list' view
Navigate to Edit->Preferences->Columns and click the '+' button
Set the new column's 'Title' to 'Dest Port'
Set the new column's 'Type' to 'Dest Port (unresolved)'
Drag the new column 'Dest Port' after 'Destination' and click 'OK' to save and apply the changes
The 'Displayed' check box allows you to disable/enable columns in the 'Packet list'
The 'Packet list' view should now have the new column 'Dest Port'

Overview of the OSI (Open Systems Interconnection) layers

OSI layer mnemonics

Application Layer (Layer 7)
Retrieve a web page
Fetch or send our email
Upload files to an FTP server

Presentation Layer (Layer 6)
The presentation layer is responsible for proper data formatting, compression and encryption

Session Layer (Layer 5)
The session layer is responsible for setting up, maintaining and tearing down sessions

Transport Layer (Layer 4)
Transports the data using connectionless or connection-oriented protocols
Most common transport layer protocols - TCP and UDP
The transport layer adds port numbers

Network Layer (Layer 3)
Main role - provide addressing and route traffic

Data Link Layer (Layer 2)
The data link layer addresses the destination machine by its MAC address
The frame header contains the source and destination MAC addresses

Physical Layer (Layer 1)
Copper cables
Fiber cables
Wireless

Wireshark - capture filters
Capture filters: applied before the capture so that only a certain type of traffic is captured and written to disk

Capture filters use the same pcap/BPF syntax as 'tcpdump' filters, but they are different from Wireshark's display filters

By default Wireshark captures all traffic on the selected network interface. To capture only the traffic you need, it is advised to set a capture filter.
In the main Wireshark window, navigate to the 'Capture' menu and select 'Options...'

At the bottom of the 'Capture Options' screen you will see the place for capture filters

Wireshark has a smart capture filter parser, which highlights the input field red if the capture filter syntax is incorrect, and green if it is correct

Note! Packets excluded by a capture filter are gone for good; when in doubt, capture broadly and narrow down later with display filters

Capture traffic only to and from IPv4 host 10.3.1.1
• host 10.3.1.1

Capture traffic only to and from IPv6 host 2406:da00:ff00::6b16:f02d
• host 2406:da00:ff00::6b16:f02d

Capture all traffic except traffic to and from 10.3.1.1
• not host 10.3.1.1

Capture traffic from 10.3.1.1
• src host 10.3.1.1

Capture traffic to 10.3.1.1
• dst host 10.3.1.1

Capture traffic to and from 10.3.1.1 and any host it is communicating with, and traffic to and from 10.3.1.2 and any host it is communicating with
• host 10.3.1.1 or host 10.3.1.2

Capture traffic to/from any host on network 10.3.0.0/16
• net 10.3.0.0/16

Same result as the previous filter
• net 10.3.0.0 mask 255.255.0.0

Capture traffic to and from any host on IPv6 network 2406:da00:ff00::/64
• ip6 net 2406:da00:ff00::/64

Capture all traffic except traffic to an IP address starting with 10.3
• not dst net 10.3.0.0/16

Capture traffic to any IP address starting with 10.3
• dst net 10.3.0.0/16

Capture traffic from any IP address starting with 10.3
• src net 10.3.0.0/16

Capture based on MAC addresses

Capture traffic to or from 00:08:15:00:08:15
• ether host 00:08:15:00:08:15
Capture traffic from 02:0A:42:23:41:AC
• ether src 02:0A:42:23:41:AC
Capture traffic to 02:0A:42:23:41:AC
• ether dst 02:0A:42:23:41:AC
Capture traffic to or from any MAC address except for traffic to or from 00:08:15:00:08:15
• not ether host 00:08:15:00:08:15

Capture based on ports
Capture UDP/TCP traffic to or from port 53 (typically DNS traffic)
• port 53
Capture all traffic except UDP/TCP traffic to or from port 53
• not port 53
Capture UDP/TCP traffic to or from port 80 (typically HTTP traffic)
• port 80
Capture UDP traffic to or from port 67 (typically DHCP traffic)
• udp port 67
Capture TCP traffic to or from port 21 (typically the FTP command channel)
• tcp port 21
Capture UDP/TCP traffic to or from ports 1 through 80
• portrange 1-80
Capture TCP traffic to or from ports 1 through 80
• tcp portrange 1-80

Combining ports
Capture all UDP/TCP traffic to or from port 20 or port 21 (typically FTP data and command ports)
• port 20 or port 21
Capture UDP/TCP traffic to or from port 80 that is being sent to or from 10.3.1.1
• host 10.3.1.1 and port 80
Capture UDP/TCP traffic to or from 10.3.1.1 except traffic to or from port 80
• host 10.3.1.1 and not port 80
Capture all UDP traffic from port 68 to port 67 (typically traffic sent from a DHCP client to a DHCP server)
• udp src port 68 and udp dst port 67
Capture all UDP traffic from port 67 to port 68 (typically traffic sent from a DHCP server to a DHCP client)
• udp src port 67 and udp dst port 68

ICMP traffic
Capture all ICMP packets
• icmp
Capture all ICMP Type 8 (Echo Request) packets
• icmp[0]=8
Capture all ICMP Type 8 (Echo Request) or ICMP Type 0 (Echo Reply) packets
• icmp[0]=8 or icmp[0]=0
Note! icmp[0] is the first byte of the ICMP header, the type field; the named form 'icmp[icmptype]=icmp-echo' is equivalent

Capture filter expressions can be strung together using logical operators

• and (&&)
• or (||)
• not (!)

Let's build a capture filter which captures only traffic to and from private networks

Known private (RFC 1918) network ranges are:
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

Capture filter where the source is a private network
• src net (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)

Capture filter where the destination is a private network
• dst net (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)

Now combine the capture filters for private network sources and destinations
src net (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and dst net (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)

Now Wireshark will only capture traffic where both the source and the destination are private network addresses

Pinging or accessing a non-private IP address or hostname will not be captured

Wireshark - display filters
Display filters: used during an active capture or on a pre-captured file. Display filters are entered in the main Wireshark window's 'Apply a display filter' field

Wireshark has a smart display filter parser, which highlights the input field red if the display filter syntax is incorrect, and green if it is correct

Display only IPv4 traffic to and from a specified network range or single IP address
• ip.addr == 192.168.0.0/16
• ip.addr == 172.28.28.1

Display IPv4 traffic only where the destination is a specified network range or IP address
• ip.dst == 172.16.0.0/12
• ip.dst == 10.20.30.1

Display IPv4 traffic originating only from a specified network or IP address
• ip.src == 10.0.0.0/8
• ip.src == 192.168.13.13

Display only IPv6 traffic to and from a specified IP address or network range
• ipv6.addr == 2604:a880:800:c1::2ae:d001
• ipv6.addr == 2604:a880:800:c1::2ae:d000/64

Display IPv6 traffic only where the destination is a specified IP address or network range
• ipv6.dst == 2604:a880:800:c1::2ae:d001
• ipv6.dst == 2604:a880:800:c1::2ae:d000/64

Display IPv6 traffic originating only from a specified address or network
• ipv6.src == 2604:a880:800:c1::2ae:d001
• ipv6.src == 2604:a880:800:c1::2ae:d001/64

You can filter traffic by MAC address
Display packets where the specified MAC address is either source or destination
• eth.addr == 64:76:ba:a1:25:46

Display packets where the specified MAC address is the source
• eth.src == 64:76:ba:a1:25:46

Display packets where the specified MAC address is the destination
• eth.dst == 64:76:ba:a1:25:46

Show traffic whose source or destination port is a specific port
• tcp.port == 25

Show traffic originating from port 80
• tcp.srcport == 80

Show the traffic that is sent to the service listening on port 80
• tcp.dstport == 80

Note! Use udp.port / udp.srcport / udp.dstport for UDP

For the application protocols HTTP, DNS, SSH, FTP, SMTP, RDP, SNMP, RTSP, GQUIC, CDP, LLMNR, SSDP there are filters named like the protocols themselves, written in lower case
To display packets with HTTP traffic
• http

Display ARP traffic
• arp

Display only DNS traffic
• dns

Remember that when deciding which protocol the transmitted data belongs to, Wireshark considers the port number used. If a non-standard port is used, the dissector is not applied and the protocol filter will not match. For example, if you connect to SSH on port 1234, the 'ssh' filter will not find that SSH traffic

In the main Wireshark window navigate to 'Edit' and 'Preferences'

Open the 'Protocols' option and find 'SSH'

As you can see, only ports 22 and 29418 are treated as SSH protocol. If you have any custom ports, you can add them to the protocol's port list.

Note! For a single capture, right-click a packet and use 'Decode As...' to map the port to a protocol without changing the preferences

Filter values can be of different kinds, for example a string, a hexadecimal byte sequence or a number. Wireshark provides comparison operators for them
Equals
• == or eq

Not equal
• != or ne

Greater than
• > or gt

Less than
• < or lt

Greater than or equal
• >= or ge

Less than or equal
• <= or le

Logical operators allow you to create detailed filters using several conditions at once. It is recommended to use brackets as well, because otherwise you may not get the result you expect.

Logical OR: it is enough that only one condition is true; if both are true, that is also fine. For example, the filter tcp.port==80 or tcp.port==8080 shows TCP packets that are related (as source or destination) to port 80 or 8080
• || or

Logical AND: data is shown only if it matches both parts of the filter. For example, the filter ip.src==192.168.1.1 and tcp shows only packets that originate from 192.168.1.1 and belong to the TCP protocol
• && and

Boolean NOT is used when we want to exclude some packets. All packets will be shown except those that satisfy the condition following the NOT. For example, the filter !dns shows all packets except DNS
• ! not (negate)

Combining all together:
Show HTTP or DNS traffic
• http or dns

Show all traffic except ARP, ICMP and DNS
• !(arp or icmp or dns)

Show all traffic from and to 10.2.3.4 on TCP port 80 (there is no bare 'port' field in display filters)
• ip.addr==10.2.3.4 && tcp.port==80

Show traffic with source IP address 192.168.0.105 and UDP port 53 or TCP port 80
• ip.src==192.168.0.105 and (udp.port==53 or tcp.port==80)

Limit the search to private networks:
• (ip.dst == 10.0.0.0/8 || ip.dst == 172.16.0.0/12 || ip.dst == 192.168.0.0/16) && (ip.src == 10.0.0.0/8 || ip.src == 172.16.0.0/12 || ip.src == 192.168.0.0/16)

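Both this display filter and the capture filter 'src net (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and dst net (...)' from the capture-filter section encode the same RFC 1918 membership test, and the /12 is the one people get wrong (it covers 172.16.0.0 through 172.31.255.255 and nothing else). The shell functions below are an added example, not part of the original slides or of Wireshark: they do the mask arithmetic the BPF program performs, so an address can be checked before a "private only" filter is trusted, and they generate the capture filter from the same list so the two cannot drift apart.

```shell
#!/bin/sh
# Added example (not from the original slides): the RFC 1918 membership test
# behind the private-network capture and display filters, as mask arithmetic.

# Dotted-quad IPv4 address -> 32-bit integer (run in a subshell so the IFS
# change does not leak into the caller).
ip2int() {
    ( IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )) )
}

# in_cidr <ip> <network/prefix>  -> exit status 0 if the address is inside
in_cidr() {
    net=${2%/*}; bits=${2#*/}
    mask=$(( (0xffffffff << (32 - bits)) & 0xffffffff ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

RFC1918="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# is_private <ip> -> exit status 0 for RFC 1918 space
is_private() {
    for n in $RFC1918; do
        if in_cidr "$1" "$n"; then return 0; fi
    done
    return 1
}

# Build the tcpdump/Wireshark capture filter from the same list.
rfc1918_capture_filter() {
    nets=""
    for n in $RFC1918; do nets="${nets:+$nets or }$n"; done
    echo "src net ($nets) and dst net ($nets)"
}

if [ "${1:-}" = "--demo" ]; then
    for ip in 172.31.255.255 172.32.0.1 192.168.1.1 8.8.8.8; do
        if is_private "$ip"; then echo "$ip private"; else echo "$ip public"; fi
    done
    rfc1918_capture_filter
fi
```

The demo reports 172.31.255.255 and 192.168.1.1 as private and 172.32.0.1 and 8.8.8.8 as public, then prints the combined capture filter used in the capture-filter section.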
Filter HTTP properly

• open task07.pcapng
• filter by "tcp.port==80"
• check the 20th packet

HTTP filters:

• http.request.method == "POST"
• http.request.method matches "(GET|POST)"
• http.request.uri contains "/profile_images/"
• http.request.uri matches "\.(?i)(exe|zip|7z)"
• http.response.code > 399
• http.user_agent contains "Firefox"

Note! 'contains' is a literal substring match; 'matches' takes a Perl-compatible regular expression, where "(?i)" makes the match case-insensitive

Task

• open task08.pcapng
• frame contains "sombrero"
• frame matches "(?i)(sombrero|football)"

FTP filters:

• (ftp.request.command == "USER") or (ftp.request.command == "PASS")
• ftp.response.code==230

Note! Response code 230 means "User logged in", so the two filters together pair credentials with successful logins

DNS filters:

• dns.count.answers > 2
• dns.qry.type == 252
• (dns.qry.type == 252) && (dns.flags.rcode == 0)
• dns.flags.rcode == 5

Note! Query type 252 is AXFR (zone transfer); rcode 0 is NOERROR and rcode 5 is REFUSED, so the third filter shows zone transfers that succeeded and the last one shows refused queries

More filters (use 1.pcap):

• frame matches "MZ" && frame matches "(?i)this program"
• icmp && data.data matches "(?i)SSH-"

Note! The first filter looks for a Windows executable (the "MZ" header together with the DOS stub text "This program cannot be run in DOS mode"); the second finds SSH banners carried inside ICMP payloads, a sign of ICMP tunnelling

More filters (use smtp.pcap):

• smtp matches "(?i)(Content-Transfer-Encoding: base64|attachment)"

Convert the output to a binary file (in a Linux terminal)
• base64 -d dump_file > smtp01.doc

Note! dump_file must contain only the base64 body of the MIME part (no headers or boundary lines); copy it from Follow -> TCP Stream

More filters:

• (dns.flags.response == 0) and (dns.qry.type == 0x0001)
• (dns.flags.response == 1) && (dns.resp.type == 0x0001)

More filters:

• tcp.port==6666 || tcp.port==6667 || tcp.port==6668 || tcp.port==6669
(the classic IRC port range, a common botnet C2 channel; newer Wireshark versions also accept tcp.port in {6666..6669})
• http.request.method =="GET" && http matches "\.(?i)(exe|zip|jar|tar)"

Find open ports

• tcp.flags.syn==1
• Statistics -> Conversations
• Limit to display filter
• Sort by Packets

Note! tcp.flags.syn==1 && tcp.flags.ack==1 shows only the SYN/ACK replies, i.e. the ports that actually answered

More filters (use the 1.pcap file):

• http.request.method == POST
• http.request.method == 50:4f:53:54
• http.request.method == "\x50\x4f\x53\x54"

• http.request.method == GET
• http.request.method == 47:45:54
• http.request.method == "\x47\x45\x54"

• http.request.method matches "(\x47\x45\x54|\x50\x4f\x53\x54)"

All three spellings are equivalent: a bare or quoted string, colon-separated bytes, and \x escapes

Hex (file signatures you can search for with 'frame contains <bytes>'):

• 50 4B 03 04 - ZIP (also docx/xlsx/pptx/jar/apk)
• FF D8 FF - JPEG
• 47 49 46 38 - GIF
• 4D 53 43 46 - Microsoft Cabinet (MSCF)
• ...

e.g. frame contains 50:4b:03:04

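The smtp.pcap exercise above decodes an attachment with 'base64 -d', and this hex list is how to tell what the decoded bytes really are. The shell functions below are an added example, not part of the original slides: extract_b64_part pulls the body of the first base64 MIME part out of SMTP text (Follow -> TCP Stream output, or 'tshark -r smtp.pcap -q -z follow,tcp,ascii,0'), and file_magic classifies the decoded file by the signatures listed above instead of trusting the filename in the MIME header. The SMTP message is constructed here (made-up addresses); its attachment is the base64 of the six bytes 50 4B 03 04 14 00, the start of a ZIP local file header, although the header claims a .doc.

```shell
#!/bin/sh
# Added example (not from the original slides): extract a base64 attachment
# from SMTP text and identify it by magic bytes rather than by its name.

# Print the base64 body of the first 'Content-Transfer-Encoding: base64'
# MIME part read from stdin. Remaining part headers are skipped; the body
# ends at the next MIME boundary, a blank line or the SMTP end-of-data ".".
extract_b64_part() {
    awk '
        state == 0 && tolower($0) ~ /^content-transfer-encoding:[ \t]*base64/ { state = 1; next }
        state == 1 && /^[ \t\r]*$/ { state = 2; next }        # blank line ends the part headers
        state == 2 && (/^--/ || /^[ \t\r]*$/ || /^\.[ \t\r]*$/) { exit }
        state == 2 { sub(/[ \t\r]+$/, ""); print }
    '
}

# Classify a file by its leading bytes (the "Hex" list above).
file_magic() {
    case $(od -An -tx1 -N4 "$1" | tr -d ' \n') in
        504b0304) echo zip ;;       # also docx/xlsx/pptx/jar/apk
        ffd8ff*)  echo jpeg ;;
        47494638) echo gif ;;
        4d534346) echo cab ;;
        4d5a*)    echo exe ;;       # "MZ", as searched for with frame matches "MZ"
        *)        echo unknown ;;
    esac
}

# Constructed sample message (not from a real capture).
sample_smtp_message() {
    cat <<'EOF'
MAIL FROM:<alice@example.test>
RCPT TO:<bob@example.test>
DATA
From: alice@example.test
To: bob@example.test
Subject: report
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

please see attached
--XYZ
Content-Type: application/msword; name="smtp01.doc"
Content-Disposition: attachment; filename="smtp01.doc"
Content-Transfer-Encoding: base64

UEsDBBQA
--XYZ--
.
EOF
}

# extract_attachment <output file>: decode the attachment found on stdin
# into the file and print what the decoded bytes actually are.
extract_attachment() {
    extract_b64_part | base64 -d > "$1"
    file_magic "$1"
}

if [ "${1:-}" = "--demo" ]; then
    sample_smtp_message | extract_attachment /tmp/smtp01.bin   # prints: zip
fi
```

The demo prints "zip": the "document" is really a ZIP container, which is exactly the kind of mismatch between a declared filename and the actual content that is worth flagging in a mail capture.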
GeoIP mapping for public IP addresses
• mkdir /opt/geoip && cd /opt/geoip
• wget http://files.csirt.crp/GeoLite2-City_20230228.tar.gz
• wget http://files.csirt.crp/GeoLite2-ASN_20230228.tar.gz

Extract all archives

• for i in *.gz ; do tar -zxf "$i" ; done
• for i in */*.mmdb ; do cp "$i" . ; done

Enable GeoIP in Wireshark preferences

Edit->Preferences->Name Resolution

Edit "MaxMind database directories"

Add "/opt/geoip" as a new path for the GeoIP database location

Analyze task01.pcapng and draw a network map (download link will be provided during training)

Result of analysis

Analyze data.pcap.gz and find out what happened (download link will be provided during training)

Target file - 1.pcap

1. What is the MX host for www.packet-level.net?
2. What is the password for FTP user discover?
3. What was the filename of the failed FTP transfer (status 450)?
4. What was the Google search query initiated from 192.168.0.105?
5. Which IP address replied with an HTTP 500 error?
6. What OpenOffice version was downloaded from http://mirrors.isc.org?
7. How many FTP passwords were used for brute-forcing FTP on 67.161.39.46?
8. On what date will the Kerberos ticket expire?
9. What image was uploaded from 192.168.0.142?
10. What image was uploaded from 192.168.0.142?
11. A strange DNS stream was identified. What's inside that stream?
12. What is the hidden message in the POP3 email?