{"id":322,"date":"2022-08-21T21:30:23","date_gmt":"2022-08-21T21:30:23","guid":{"rendered":"https:\/\/cyberlorenzo.tech\/?p=322"},"modified":"2022-08-21T21:31:19","modified_gmt":"2022-08-21T21:31:19","slug":"basic-wireshark-filters-and-techniques","status":"publish","type":"post","link":"https:\/\/cyberlorenzo.tech\/?p=322","title":{"rendered":"Basic Wireshark Filters and Techniques"},"content":{"rendered":"\n<blockquote class=\"wp-block-quote has-kubio-color-5-background-color has-background is-layout-flow wp-block-quote-is-layout-flow\"><p>Let&#8217;s talk Wireshark. We all pretty much know what Wireshark is and its functionality, but how well can you navigate around in your PCAPs? Do you truly understand what&#8217;s happening over your network? Or does it just look like a bunch of gibberish to you? Hopefully I can help you gain a better understanding of the functionality Wireshark has to offer.<\/p><\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\">Filtering &#8211; <\/h2>\n\n\n\n<pre class=\"wp-block-verse\">We can filter on different protocols by typing into the filter bar. In this picture we've filtered out just the TCP packets and their replies from the server. The same thing can be done by typing in <code>tcp<\/code>, <code>udp<\/code>, <code>http<\/code>, <code>rip<\/code>, and so on (display filter names are lowercase; <code>TCP<\/code> is rejected as an unknown field).<\/pre>\n\n\n\n<pre class=\"wp-block-verse\"><strong>Important note<\/strong>: normally most of this traffic would be encrypted, but since it was sent over plain HTTP it is visible in clear text. 
<\/pre>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/cyberlorenzo.tech\/wp-content\/uploads\/2022\/08\/Screenshot-142-1024x776.png\" alt=\"\" class=\"wp-image-324\" width=\"829\" height=\"628\" srcset=\"https:\/\/cyberlorenzo.tech\/wp-content\/uploads\/2022\/08\/Screenshot-142-1024x776.png 1024w, https:\/\/cyberlorenzo.tech\/wp-content\/uploads\/2022\/08\/Screenshot-142-300x227.png 300w, https:\/\/cyberlorenzo.tech\/wp-content\/uploads\/2022\/08\/Screenshot-142-768x582.png 768w, https:\/\/cyberlorenzo.tech\/wp-content\/uploads\/2022\/08\/Screenshot-142.png 1162w\" sizes=\"auto, (max-width: 829px) 100vw, 829px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Common Flags &#8211; <\/h2>\n\n\n\n<pre class=\"wp-block-verse\">Common flags you'll see in the lifecycle of a TCP session are SYN, SYN\/ACK and ACK. This three-way handshake occurs when a client and server start communicating. They are basically saying \"Hey I'm John, are you there Ron?\", then Ron responds \"Hey John, it's Ron, I'm here\", and then the connection is established (ACK). \n\nOnce a TCP session is over you will see a \"FIN\" flag, which represents the end of the session and is followed by an ACK. <\/pre>\n\n\n\n<pre class=\"wp-block-verse\"><code><kbd>TCP dropdown &gt; Flags dropdown<\/kbd><\/code> | Expanding these in the packet details pane displays the flags set in the selected frame. 
<\/pre>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/cyberlorenzo.tech\/wp-content\/uploads\/2022\/08\/image.png\" alt=\"\" class=\"wp-image-325\" width=\"515\" height=\"799\" srcset=\"https:\/\/cyberlorenzo.tech\/wp-content\/uploads\/2022\/08\/image.png 480w, https:\/\/cyberlorenzo.tech\/wp-content\/uploads\/2022\/08\/image-194x300.png 194w\" sizes=\"auto, (max-width: 515px) 100vw, 515px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Great filtering techniques &#8211; <\/h2>\n\n\n\n<pre class=\"wp-block-verse\">To capture only the TCP three-way handshake, <code><mark style=\"background-color:rgb(255,255,255);color:#f51b02\" class=\"has-inline-color\">tcp.flags.syn==1<\/mark><\/code> is a very useful filter because it will only show you SYN and SYN\/ACK packets. 
From there you can work out what came from where by looking at the source and destination addresses.\n\nIf you just want to monitor how many outbound and inbound connection attempts you're getting, you can also add <code><mark style=\"background-color:rgba(0, 0, 0, 0);color:#fa0404\" class=\"has-inline-color\">tcp.flags.ack==0<\/mark><\/code> onto that filter (giving <code>tcp.flags.syn==1 &amp;&amp; tcp.flags.ack==0<\/code>) | You will now only see the initial SYN packets, from whichever side opened the connection.\n\n<\/pre>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/cyberlorenzo.tech\/wp-content\/uploads\/2022\/08\/wiresharkSC.png\" alt=\"\" class=\"wp-image-326\" width=\"595\" height=\"642\" srcset=\"https:\/\/cyberlorenzo.tech\/wp-content\/uploads\/2022\/08\/wiresharkSC.png 759w, https:\/\/cyberlorenzo.tech\/wp-content\/uploads\/2022\/08\/wiresharkSC-278x300.png 278w\" sizes=\"auto, (max-width: 595px) 100vw, 595px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Monitoring RTT &#8211; <\/h2>\n\n\n\n<pre class=\"wp-block-verse\">RTT is round trip time: the time between sending a frame and receiving the reply to it. Monitoring the RTT of our frames is crucial to diagnosing network latency issues. Latency can be caused by a number of issues, but the most common one is firewall rules. 
The more firewall rules in place, the more likely the network is to slow down because of the extra checks each packet goes through.<\/pre>\n\n\n\n<p>The simplest way I&#8217;ve found to monitor this in Wireshark is to change the view settings as follows:<\/p>\n\n\n\n<p><code><mark style=\"background-color:rgba(0, 0, 0, 0);color:#f60000\" class=\"has-inline-color\">View &gt; Time Display Format &gt; Seconds Since Previous Captured Packet<\/mark><\/code><\/p>\n\n\n\n<p><code><mark style=\"background-color:rgba(0, 0, 0, 0);color:#f50202\" class=\"has-inline-color\">View &gt; Time Display Format &gt; Milliseconds<\/mark><\/code><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Let&#8217;s talk Wireshark. We all pretty much know what Wireshark is and its functionality, but how well can you navigate around in your PCAPs? Do you truly understand what&#8217;s happening over your network? Or does it just look like a bunch of gibberish to you? 
Hopefully I can help you gain a better understanding of [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":323,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"saved_in_kubio":false,"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[18],"tags":[],"class_list":["post-322","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-wireshark-analysis"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/cyberlorenzo.tech\/index.php?rest_route=\/wp\/v2\/posts\/322","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cyberlorenzo.tech\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cyberlorenzo.tech\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cyberlorenzo.tech\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cyberlorenzo.tech\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=322"}],"version-history":[{"count":2,"href":"https:\/\/cyberlorenzo.tech\/index.php?rest_route=\/wp\/v2\/posts\/322\/revisions"}],"predecessor-version":[{"id":328,"href":"https:\/\/cyberlorenzo.tech\/index.php?rest_route=\/wp\/v2\/posts\/322\/revisions\/328"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cyberlorenzo.tech\/index.php?rest_route=\/wp\/v2\/media\/323"}],"wp:attachment":[{"href":"https:\/\/cyberlorenzo.tech\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=322"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cyberlorenzo.tech\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=322"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cyberlorenzo.tech\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=322"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org
\/{rel}","templated":true}]}}