Network sniffer, inspect network traffic. The secret to using network sniffers such as wireshark is using capture and display filters to remove all information that you are not interested in.
❗ Note to confirm: Capture all traffic with DD-WRT – a Linux based alternative OpenSource firmware suitable for a great variety of WLAN routers and embedded systems.
Start Wireshark
Kali Linux
sudo wiresharkMac OS X
sudo chgrp admin /dev/bpf*
sudo chmod g+rw /dev/bpf*
sudo chown <your username>:admin /dev/bpf*
ls -l /dev/bpf*Promiscuous Mode
Network interface will send all packets to CPU for processing and not discard packets that are not addressed to this interface.
- Click on Capture -> Options
- Select Enable promiscuous mode on all interfaces
Capture Filters
Capture traffic matching the filters. Other traffic is discarded. Once the traffic is captured, we can select the traffic we want Wireshark to display to us using display filters.
Syntax
For predefined capture filters, click on Capture -> Capture filters.
[not] primitive [and|or [not] primitive ...]| Description | Capture Filter |
| No broadcast and no multicast | not broadcast and not multicast |
| No ARP | not arp |
| IPv4 only | ip |
| TCP only | tcp |
| UDP only | udp |
| HTTP TCP port 80 | tcp port http |
| Capture traffic from or to host | host x.x.x.x |
| Capture traffic on address range | net x.x.x.0/24 |
| Capture traffic from host | src host x.x.x.x |
| Capture traffic to host | dst host x.x.x.x |
| Capture traffic from port 80 | port 80 |
Display Filters
For predefined display filters, click on Analyze -> Display filters.
| Description | Display Filter |
| Match source | ip.src == x.x.x.x |
| Match destination | ip.dst == x.x.x.x |
| Match either | ip.addr == x.x.x.x |
| HTTP contains “GET” | http2 http2.headers.method == “GET” http2.headers.path == “/pub/css/styles.css” http2.headers.set_cookie http2.data.data && http2 contains username |
| Match port | tcp.port == 80 |
Search within the Info column
Click on Edit > Find Packet.
Select "Packet details"
Uncheck "Case sensitive"
Select "String"
Type the string to search and click SearchDetect ARP Cache Poisoning Attacks
2 MAC addresses should not claim to have the same IP address in the Info column.
arp.duplicate-address-frameFollowing TCP Streams
All packets after 10 are a bit difficult to comprehend, because they contain only fragmentary information. Most modern sniffers, Wireshark included, know how to reassemble a specific session, and display it in various formats.
In order to view a particular TCP stream and reassemble the session, we right-click a packet of interest, then select “Follow TCP Stream” from the context menu. The TCP Stream will open a new window.
HTTP/2 Decryption and Analysis in Wireshark
Traffic analysis and decryption
Chrome: Store SSL Keys / Developer tools
Curl: Store Keys / automation
URL="https://127.0.0.1:4433/"
SSLKEYLOGFILE=~/SSL_KEYS.txt curl -kia $URL
SSLKEYLOGFILE can be used with Wireshark to decrypt and view HTTP2 with SSL
Curl can be scripted to automate interaction with HTTP2 enabled web interfaces
# Storing SSL keys via Chrome (on windows)
# Chrome allows better interaction with HTTP2 enabled sites and also can be used to store SSL keys
# Keys can then be used with Wireshark
path_to_chrome/chrome -incognito --ssl-key-log-file="SSL_KEYS.txt" --new-window $URL
1- Start Wireshark and start capture
2- Open Chrome with ssl-key command
3- Look at SSL_KEYS.txt. Should contain keys.
4- Log into forms, generate some traffic.
5- In Wireshark, Edit/Preferences/Protocols/SSL, under Pre-master secret log file, choose SSL_KEYS.txt
Note: The Follow TCP Stream will still show encrypted traffic
6- Type display filter "http2"
Other userful filters:
http2
http2.headers.method == "GET"
http2.headers.path == "/pub/css/styles.css"
http2.headers.set_cookie
http2.data.data && http2 contains username
#---
# Store SSL keys with Firefox or Chrome, set env variable SSLKEYLOGFILE
export SSLKEYLOGFILE=/root/Downloads/sslkeylog.log
# Open Wireshark and start capture
# Start Firefox, it will log your TLS keys to this file (SSLKEYLOGFILE)
Suspicious Traffic
Attack types that can come from the network:
Malware, DOS/DDOS, Man-in-the-middle (MITM), Scanning, Brute-Force, Application
Normal Traffic:
- Known IP address
- Standard port numbers: Be sure of the applications that run over the network,
and verify that these are the only port numbers that you see.
- Normal TCP patterns, e.g. 3-way handshake
- Variable bandwidth
- Small amount of broadcasts
- Standard DNS query
Suspicious Traffic:
- Unknown IP address
- Unusual port numbers
- Unusual TCP patterns:
- E.g. Large amount of SYN packets that go to a single host or come from multiple sources
- E.g. Unusual flag combinations like RESET, FIN, URG and so on
- Fixed bandwidth (or normal for videos... check what it is)
- Huge amount of broadcasts, e.g. thousands of broadcasts per second
- Massive amount of DNS queries
NOTE on root user
Wireshark should never be run as root, create a separate user
It’s very unsecure running Wireshark as admin user as every possible Wireshark exploit will be running with the administrator account being able to compromise the whole system.
https://wiki.wireshark.org/CaptureSetup/CapturePrivileges
# Wireshark has implemented Privilege Separation which means that the Wireshark GUI
# (or the tshark CLI) can run as a normal user while the dumpcap capture utility
# runs as root. This can be achieved by installing dumpcap setuid root. The
# advantage of this solution is that while dumpcap is run as root the vast majority
# of Wireshark's code is run as a normal user (where it can do much less damage).
# In a terminal
sudo usermod -a -G wireshark wireshark
# Setting network privileges for dumpcap if your kernel and file system
# support file capabilities
setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/bin/dumpcap
# Setting network privileges for dumpcap if your kernel and file
# system don't support file capabilities
chown root /usr/bin/dumpcap
chmod u+s /usr/bin/dumpcap
# Limiting capture permission to only one group
1. Create user "wireshark" in group "wireshark".
adduser --home /wireshark wireshark
chgrp wireshark /usr/bin/dumpcap
chmod o-rx /usr/bin/dumpcap
# Ensure Wireshark works only from root and from a user in the "wireshark" group
Log as wireshark user