The official website introduces it like this:
Wireshark is the world’s foremost and widely-used network protocol analyzer. It lets you see what’s happening on your network at a microscopic level and is the de facto (and often de jure) standard across many commercial and non-profit enterprises, government agencies, and educational institutions. Wireshark development thrives thanks to the volunteer contributions of networking experts around the globe and is the continuation of a project started by Gerald Combs in 1998.
Wikipedia gives a broader definition:
Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Originally named Ethereal, the project was renamed Wireshark in May 2006 due to trademark issues.
Today I install this tool and show you how it can become a friend to your network.
First of all, you need to know the topology of your network, and what passes through it in terms of IP packets.
If you lack that knowledge of your network topology, this tool will not fill the gap.
A short tutorial on the advantages of computer networking knowledge can be read here.
Let’s start with some examples:
Investigating a rogue DHCP server with captured packets:
1. run ipconfig /release and then ipconfig /renew on a Windows client while capturing, so that it sends a fresh DHCP Discover;
2. apply the filter dhcp.option.dhcp == 2 (in Wireshark versions before 3.0 the dissector was named bootp, so there it is bootp.option.dhcp == 2); this shows only the DHCP Offer messages;
Every Offer carries the Server Identifier of the server that sent it and the Router option the client would take as its IPv4 Default Gateway. One Discover should draw exactly one Offer, from your legitimate server; a second Offer from another address is the rogue, and if the workstation accepts it, the rogue's Router option becomes its default gateway.
Check SYN/ACK from your server:
1. use two filters, one after the other: tcp.flags.syn == 1 and tcp.flags.ack == 0 (client SYNs) and tcp.flags.syn == 1 and tcp.flags.ack == 1 (server SYN/ACKs);
2. compare the packet counts of the two filters: every SYN should be answered by exactly one SYN/ACK, so SYNs without a matching SYN/ACK point to a service that is down, filtered or overloaded (the client will keep retransmitting the SYN);
3. look at the time between a SYN and its SYN/ACK (the tcp.time_delta field, available once "Calculate conversation timestamps" is enabled in the TCP protocol preferences) to see how fast the backend responds (this is a larger subject than one filter);
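The SYN/SYN-ACK accounting above, done offline over a small constructed capture instead of in the Wireshark GUI. This is an added example, not code from the original post; the addresses, ports and timestamps are made up, and the threshold for a "slow" backend is an assumption.

```python
"""Count client SYNs against server SYN/ACKs and measure handshake latency.

Offline stand-in for the two Wireshark display filters
    tcp.flags.syn == 1 and tcp.flags.ack == 0   (client SYN)
    tcp.flags.syn == 1 and tcp.flags.ack == 1   (server SYN/ACK)
run over a constructed capture. Added example, not part of the original post.
"""
from collections import defaultdict

# TCP flag bits as laid out in the header.
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

# Constructed frames: (timestamp_s, src_ip, src_port, dst_ip, dst_port, flags).
# 10.0.0.5 is the client and 10.0.0.10 the server under test (hypothetical addresses).
FRAMES = [
    (0.000, "10.0.0.5", 50001, "10.0.0.10", 443, SYN),         # client SYN
    (0.002, "10.0.0.10", 443, "10.0.0.5", 50001, SYN | ACK),   # server answers after 2 ms
    (0.003, "10.0.0.5", 50001, "10.0.0.10", 443, ACK),         # handshake completes
    (0.100, "10.0.0.5", 50002, "10.0.0.10", 8080, SYN),        # SYN to a service that never answers
    (1.100, "10.0.0.5", 50002, "10.0.0.10", 8080, SYN),        # client retransmits after 1 s
    (3.100, "10.0.0.5", 50002, "10.0.0.10", 8080, SYN),        # and again 2 s later
    (0.200, "10.0.0.5", 50003, "10.0.0.10", 80, SYN),
    (0.950, "10.0.0.10", 80, "10.0.0.5", 50003, SYN | ACK),    # slow backend: 750 ms to SYN/ACK
]


def is_syn(flags):
    """Equivalent of tcp.flags.syn == 1 and tcp.flags.ack == 0."""
    return bool(flags & SYN) and not (flags & ACK)


def is_synack(flags):
    """Equivalent of tcp.flags.syn == 1 and tcp.flags.ack == 1."""
    return bool(flags & SYN) and bool(flags & ACK)


def handshake_report(frames):
    """Per connection (keyed client->server): SYN count, SYN/ACK count, handshake RTT."""
    conns = defaultdict(lambda: {"syn": 0, "synack": 0, "first_syn": None, "first_synack": None})
    for ts, src, sport, dst, dport, flags in sorted(frames, key=lambda f: f[0]):
        if is_syn(flags):
            c = conns[(src, sport, dst, dport)]
            c["syn"] += 1
            if c["first_syn"] is None:
                c["first_syn"] = ts
        elif is_synack(flags):
            # Flip the tuple so the SYN/ACK lands on the same key as the client's SYN.
            c = conns[(dst, dport, src, sport)]
            c["synack"] += 1
            if c["first_synack"] is None:
                c["first_synack"] = ts
    report = {}
    for key, c in conns.items():
        rtt = None
        if c["first_syn"] is not None and c["first_synack"] is not None:
            rtt = round(c["first_synack"] - c["first_syn"], 3)
        report[key] = {"syn": c["syn"], "synack": c["synack"], "handshake_rtt_s": rtt}
    return report


def totals(report):
    """The two numbers you would read off the packet counts of the two filters."""
    return (sum(c["syn"] for c in report.values()), sum(c["synack"] for c in report.values()))


def suspicious(report, slow_threshold_s=0.5):
    """Connections that never got a SYN/ACK, or got one slower than the (assumed) threshold."""
    out = {}
    for key, c in report.items():
        if c["synack"] == 0:
            out[key] = "no SYN/ACK after %d SYN(s)" % c["syn"]
        elif c["handshake_rtt_s"] > slow_threshold_s:
            out[key] = "slow SYN/ACK: %.3f s" % c["handshake_rtt_s"]
    return out


if __name__ == "__main__":
    rep = handshake_report(FRAMES)
    print("SYN total / SYN-ACK total:", totals(rep))
    for key, why in suspicious(rep).items():
        print(key, "->", why)
```

Retransmitted SYNs inflate the SYN count without changing the SYN/ACK count, which is why the totals alone (5 against 2 here) tell you something is wrong but the per-connection view tells you where.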
Analyzing the DHCP ACK packets:
1. use the filter dhcp (bootp in Wireshark versions before 3.0), or dhcp.option.dhcp == 5 to see only the ACKs;
2. expand the packet and go to Option: (51) IP Address Lease Time -> IP Address Lease Time: to see how long the lease granted to the DHCP client lasts; the option is carried in seconds (field dhcp.option.ip_address_lease_time), and Wireshark shows the seconds next to a rounded form such as "1 day";
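The two DHCP walkthroughs above (Offers from more than one server, and the lease time in the ACK) need the same thing: a look at options 53, 54, 3 and 51 of each DHCP reply. This added example parses constructed DHCP messages to do both; it is not code from the original post, and every address, transaction id and lease value in it is made up.

```python
"""Parse DHCP replies to spot a rogue server and read the lease time.

Offline counterpart of the filters dhcp.option.dhcp == 2 (Offer) and dhcp.option.dhcp == 5
(ACK). Added example over constructed messages, not code from the original post; all
addresses are hypothetical.
"""
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
DHCP_OFFER, DHCP_ACK = 2, 5                  # option 53 values matched by dhcp.option.dhcp == N
OPT_ROUTER, OPT_LEASE, OPT_MSGTYPE, OPT_SERVER_ID = 3, 51, 53, 54


def build_dhcp(xid, yiaddr, msg_type, server_id, router, lease_s):
    """Construct a minimal BOOTREPLY (op=2) carrying only the options this page looks at."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        2, 1, 6, 0, xid, 0, 0,
                        b"\0" * 4, socket.inet_aton(yiaddr), b"\0" * 4, b"\0" * 4,
                        b"\0" * 16, b"\0" * 64, b"\0" * 128)
    options = (bytes([OPT_MSGTYPE, 1, msg_type])
               + bytes([OPT_SERVER_ID, 4]) + socket.inet_aton(server_id)
               + bytes([OPT_ROUTER, 4]) + socket.inet_aton(router)
               + bytes([OPT_LEASE, 4]) + struct.pack("!I", lease_s)
               + b"\xff")
    return fixed + MAGIC_COOKIE + options


def parse_dhcp(data):
    """Return op, xid, yiaddr and options 53/54/3/51 of one DHCP message."""
    if len(data) < 240 or data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, xid = data[0], struct.unpack("!I", data[4:8])[0]
    yiaddr = socket.inet_ntoa(data[16:20])        # the address being offered / acknowledged
    opts, i = {}, 240
    while i < len(data) and data[i] != 255:       # 255 = End option
        if data[i] == 0:                          # 0 = Pad, no length byte
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option")
        code, length = data[i], data[i + 1]
        if i + 2 + length > len(data):
            raise ValueError("truncated option %d" % code)
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": op, "xid": xid, "yiaddr": yiaddr,
        "msg_type": opts[OPT_MSGTYPE][0] if OPT_MSGTYPE in opts else None,
        "server_id": socket.inet_ntoa(opts[OPT_SERVER_ID]) if OPT_SERVER_ID in opts else None,
        "router": socket.inet_ntoa(opts[OPT_ROUTER]) if OPT_ROUTER in opts else None,
        "lease_s": struct.unpack("!I", opts[OPT_LEASE])[0] if OPT_LEASE in opts else None,
    }


def find_rogue_offers(messages):
    """xid -> sorted Server Identifiers, for every transaction that drew more than one Offer."""
    offers = {}
    for m in messages:
        p = parse_dhcp(m)
        if p["op"] == 2 and p["msg_type"] == DHCP_OFFER:
            offers.setdefault(p["xid"], set()).add(p["server_id"])
    return {xid: sorted(ids) for xid, ids in offers.items() if len(ids) > 1}


def lease_hours(message):
    """Option 51 is carried in seconds; convert the ACK's lease to hours."""
    p = parse_dhcp(message)
    if p["msg_type"] != DHCP_ACK or p["lease_s"] is None:
        raise ValueError("not an ACK with a lease time")
    return p["lease_s"] / 3600


# Constructed capture: one Discover (xid 0x1234) answered by the real server and by a rogue
# that pushes itself as the router, then the ACK the client got from the server it picked.
SAMPLE = [
    build_dhcp(0x1234, "192.168.1.50", DHCP_OFFER, "192.168.1.1", "192.168.1.1", 86400),
    build_dhcp(0x1234, "192.168.1.200", DHCP_OFFER, "192.168.1.77", "192.168.1.77", 3600),
    build_dhcp(0x1234, "192.168.1.50", DHCP_ACK, "192.168.1.1", "192.168.1.1", 86400),
]

if __name__ == "__main__":
    for xid, servers in find_rogue_offers(SAMPLE).items():
        print("xid 0x%x got Offers from %s: one of them is rogue" % (xid, servers))
    print("lease granted in ACK: %.1f h" % lease_hours(SAMPLE[2]))
```

Grouping by transaction id is what makes the check robust: two Offers with the same xid but different Server Identifiers can only mean two servers answered the same Discover.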
Check for access to unencrypted traffic:
1. use the filters http.user_agent (which client software is talking) and http.request.uri (which resources it asks for);
2. right-click a packet and choose Follow -> TCP Stream to read the whole exchange as the two sides sent it; in plaintext HTTP, cookies, form fields and credentials are readable here by anyone on the path;
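What Follow -> TCP Stream gives you, reproduced offline: the client's segments are put back in sequence order, a retransmission is dropped, and the fields behind http.request.uri and http.user_agent are pulled out together with the form body. This is an added example over a constructed plaintext login request, not code from the original post; the host name, user agent and credentials are made up.

```python
"""Reassemble a plaintext HTTP POST from TCP segments and pull out what the filters expose.

Offline counterpart of http.request.uri, http.user_agent and Follow -> TCP Stream.
Added example over a constructed stream, not code from the original post; host and
credentials are invented.
"""
from urllib.parse import parse_qs

ISN = 1000  # initial sequence number of the client side (constructed)

BODY = b"user=alice&pass=Winter2020%21"
REQUEST = (b"POST /login HTTP/1.1\r\n"
           b"Host: intranet.example\r\n"
           b"User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/78.0\r\n"
           b"Content-Type: application/x-www-form-urlencoded\r\n"
           b"Content-Length: " + str(len(BODY)).encode() + b"\r\n"
           b"\r\n" + BODY)


def segments_of(request, cuts, isn=ISN):
    """Split a byte string into (seq, payload) segments at the given offsets."""
    bounds = [0] + list(cuts) + [len(request)]
    return [(isn + a, request[a:b]) for a, b in zip(bounds, bounds[1:])]


# Constructed capture order: out of sequence, with the middle segment retransmitted once.
_segs = segments_of(REQUEST, (40, 100))
CAPTURED = [_segs[2], _segs[0], _segs[1], _segs[1]]


def reassemble(segments):
    """Order by sequence number and drop retransmitted bytes (what Follow TCP Stream does)."""
    out, next_seq = bytearray(), None
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if next_seq is None:
            next_seq = seq
        if seq + len(payload) <= next_seq:
            continue                                   # fully retransmitted, already have it
        if seq > next_seq:
            raise ValueError("gap in stream at seq %d" % next_seq)
        out += payload[next_seq - seq:]                # skip an overlapping prefix
        next_seq = seq + len(payload)
    return bytes(out)


def parse_http_request(stream):
    """Return the fields the display filters would show, plus the decoded form body."""
    head, _, body = stream.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, uri, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    body = body[:int(headers.get("content-length", "0"))]
    form = {k: v[0] for k, v in parse_qs(body.decode(), keep_blank_values=True).items()}
    return {"method": method.decode(),
            "uri": uri.decode(),                       # what http.request.uri shows
            "user_agent": headers.get("user-agent"),   # what http.user_agent shows
            "host": headers.get("host"),
            "form": form}                              # readable by anyone on the path


if __name__ == "__main__":
    req = parse_http_request(reassemble(CAPTURED))
    print("%s %s from %s" % (req["method"], req["uri"], req["user_agent"]))
    print("form fields sent in clear:", req["form"])
```

The gap check matters in practice: if a capture missed a segment, Follow TCP Stream shows a hole rather than silently gluing the neighbours together, and this function does the same by raising instead of returning a corrupted request.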
These are just a few pointers on how to read the IP packet flow in a network.
Depending on the problem you are facing, this tool will usually let you get to the bottom of it.