Part 1: Wireshark User Interface<\/strong><\/p>\n\n\n\n Part 2 : PCAP 1 Challenge<\/strong> <\/p>\n\n\n\n Part 3: PCAP 2 Challenge<\/strong><\/p>\n\n\n\n Part 4: Additional Wireshark Filters<\/strong><\/p>\n\n\n\n Part 5: Recommended Free Wireshark Resources!<\/strong><\/p>\n<\/div>\n\n\n\n <\/p>\n\n\n\n Part 1: Wireshark User Interface<\/em><\/strong><\/p>\n\n\n\n Before we dive into the course review, let’s first explore Wireshark user interface.<\/p>\n\n\n\n 1. Main menu \u2013 It\u2019s divided into several sections, each containing a set of related options common below.<\/p>\n\n\n\n 2. Main toolbar – allows easy access to frequently used menu. Common functions such as to start , stop , save as or open capture file (pcap).<\/p>\n\n\n\n 3. Filter toolbar – lets you quickly edit and apply display filters to quickly and easily focus on specific packets within a large capture.<\/p>\n\n\n\n 4. Packet list pane – Each line in the packet list corresponds to one packet in the capture file. If you select a line in this pane, more details will be displayed in the \u201cPacket Details\u201d and \u201cPacket Bytes\u201d panes.<\/p>\n\n\n\n 5. Packet details pane – displays detailed information about a selected packet.<\/p>\n\n\n\n 6. Packet bytes pane – displays the raw data of a selected packet in a hexadecimal format<\/p>\n\n\n\n 7. Status bar – displays various types of information such as number of packets captured<\/p>\n<\/div>\n\n\n\n References : Wireshark.org<\/p>\n\n\n\n <\/p>\n\n\n\n Part 2 : PCAP 1 Challenge<\/em> <\/strong><\/p>\n\n\n\n \ud83d\udd11Key to answering these questions is using the correct filter. Being familiar with filters is essential for locating or tracing the needed information.<\/p>\n\n\n\n 1.Which protocol was used over port 3942?<\/p>\n\n\n\n Ports are numerical identifiers used in network communications. Each port is associated with a specific service or application running on a device. \u00a0To determine which protocol was used over port 3942 using Wireshark, you can use a display filter. At the packet details pane we can see details of the protocol.<\/p>\n\n\n\n 2.What is the IP address of the host that was pinged twice?<\/p>\n\n\n\n The Internet Control Message Protocol (ICMP) sends error messages and network information between devices in an IP network. One type of ICMP is the Echo request\/reply (ping), which tests if a network host is reachable and measures roundtrip time. <\/p>\n\n\n\n To view only ICMP traffic, type “ICMP” in the display filter box and press Enter. This will show only ICMP packets.<\/p>\n\n\n\n 3. How many DNS query response packets were captured?<\/p>\n\n\n\n This refers to the Domain Name System protocol. We can see the total at the status bar.<\/p>\n\n\n\n DNS Query: <\/em>When a client sends a DNS query to resolve a domain name, the response flag is 0.<\/p>\n\n\n\n DNS Response<\/em>: When the DNS server replies to the query with the requested information (or an error), the response flag is set to 1.<\/p>\n\n\n\n 4.What is the IP address of the host which sent the most number of bytes?<\/p>\n\n\n\n Endpoint statistics can be used to identify the most active hosts on the network. To do this, go to the “Statistics” then select “Endpoints”. This will display a summary of the most active hosts, including their IP addresses, packet count, and byte count.<\/p>\n\n\n\n <\/p>\n\n\n\n Part 3: PCAP 2 Challenge<\/em><\/strong><\/p>\n\n\n\n \ud83d\udd13This activity is more interesting as we trace, analyze, and assemble packets to capture passwords sent over the wire. Protocols like HTTP and FTP are insecure because they transmit data and authentication credentials in plain text without encryption.<\/p>\n\n\n\n 1.What is the WebAdmin password?<\/p>\n\n\n\n It\u2019s a filter that displays all TCP packets that contain a certain term , in this example we are looking for WebAdmin.<\/p>\n<\/div>\n\n\n\n The “Follow HTTP \/ TCP Stream” feature lets you view and analyze the entire conversation between two endpoints over a TCP connection in a clear, readable format.<\/p>\n\n\n\n 2.What is the version number of the attacker\u2019s FTP server?<\/p>\n\n\n\n Search for \u201cftp\u201d on the filter toolbar to view the FTP conversation.To make it more readable, use the “Follow TCP Stream” feature.<\/p>\n\n\n\n 3.Which port was used to gain access to the victim Windows host?<\/p>\n\n\n\n A series of ACK (acknowledgment) packets confirm a connection established at port 8081, then it indicates that port 8081 was used for the connection to the victim Windows host.<\/p>\n\n\n\n 4.What is the name of a confidential file on the Windows host?<\/p>\n\n\n\n To find a confidential file’s name on a Windows host, analyze the traffic or logs. The TCP stream will show the file with “confidential” in its name.<\/p>\n\n\n\n 5. What is the name of the log file that was created at 4:51 AM on the Windows host?<\/p>\n\n\n\n Search for tcp contains “04:51” on filter toolbar then to analyze further, use the “Follow TCP Stream” feature.<\/p>\n\n\n\n <\/p>\n\n\n\n Part 4: Additional Wireshark Filters<\/em><\/strong><\/p>\n\n\n\n 1. ip.addr == x.x.x.x<\/strong><\/p>\n\n\n\n Filters packets to show only those where the IP address is either the source or destination address.<\/strong><\/p>\n\n\n\n 2. ip.src == x.x.x.x<\/strong><\/p>\n\n\n\n Filters packets to show only those where the source IP address is x.x.x.x.<\/strong><\/p>\n\n\n\n 3. ip.dst == x.x.x.x<\/strong><\/p>\n\n\n\n Filters packets to show only those where the destination IP address is x.x.x.x.<\/strong><\/p>\n\n\n\n 4. ip.src == xxxx && ip.dst == xxxx<\/strong><\/p>\n\n\n\n Filters packets where the source IP address is xxxx and the destination IP address is xxxx.<\/strong><\/p>\n\n\n\n 5. tcp.port == xxx<\/strong><\/p>\n\n\n\n Filters packets to show only those where the TCP port number is xxx, either source or destination.<\/strong><\/p>\n\n\n\n 6. tcp.flags.reset == 1<\/strong><\/p>\n\n\n\n Filters packets to show only those where the TCP RST (reset) flag is set to 1. <\/strong><\/p>\n\n\n\n This indicates that the connection was reset.<\/strong><\/p>\n\n\n\n 7. tcp contains xxx<\/strong><\/p>\n\n\n\n Filters packets to show only those where the TCP payload contains the specified string <\/strong><\/p>\n\n\n\n or pattern xxx.<\/strong><\/p>\n\n\n\n 8. !(arp or icmp or dns)<\/strong><\/p>\n\n\n\n Filters packets to exclude ARP, ICMP, and DNS protocols.<\/strong><\/p>\n\n\n\n 9. udp contains xx:xx:xx<\/strong><\/p>\n\n\n\n Filters packets to show only those where the UDP payload contains the specified byte <\/strong><\/p>\n\n\n\n sequence xx:xx:xx.<\/strong><\/p>\n\n\n\n 10. dns.flags.rcode != 0<\/strong><\/p>\n\n\n\n Filters DNS packets where the response code is not equal to 0. In DNS, a response code of 0<\/strong><\/p>\n\n\n\n indicates no error (success).<\/strong><\/p>\n<\/div>\n<\/div>\n\n\n\n <\/p>\n\n\n\n Part 5: Recommended Free Wireshark Resources!<\/em><\/strong><\/p>\n\n\n\n David Bombal : <\/strong>Wireshark Ethical Hacking course<\/strong><\/a><\/p>\n\n\n\n\n
![\"\"](\"https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/07\/Wireshark-1024x705.png\")
<\/figure>\n<\/div>\n\n\n\n![\"\"](\"https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/08\/image.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/08\/image-1.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/08\/image-2.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/08\/image-3.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/08\/image-4.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/08\/image-5.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/08\/image-6.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/08\/image-7.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/08\/image-8.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/08\/image-9.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/08\/image-10.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/08\/image-11.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/08\/image-12.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/08\/image-13.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/08\/image-14.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/08\/image-15.png\")
<\/figure>\n\n\n\n