network_stuff:wireshark

network_stuff:wireshark [2022/06/10 12:42] jotasandoku
network_stuff:wireshark [2025/07/10 21:21] (current) jotasandoku
Line 1: Line 1:
 **__WIRESHARK NOTES__**\\ **__WIRESHARK NOTES__**\\
-[[https://softbackbone.duckdns.org/doku.php?id=network_stuff:tcpnotes|tcp_notes]]\\ +[[https://panda314159.net/doku.php?id=network_stuff:tcpdump:tcpnotes|tcp_notes]] + [[https://www.stationx.net/wireshark-cheat-sheet/|Cheatsheet]] 
-  ssh root@router tcpdump -i eth0 -U -s0 -w - 'not port 22' | wireshark -k -i - # To pull live traces from home router:+ 
 +This is to caprutue and show in wireshark live traffic. Running on a linux based router like openwrt: 
 +  tcpdump -i eth0 -U -s0 -w - 'not port 22' | /Applications/Eve\ Wireshark.app/Contents/MacOS/Wireshark -k -i - # To pull live traces from home openwrt router
   tcpdump -nni any -U -s0 'port 22 and not host 10.33.3.6' -w /var/tmp/trace -W 48 -G 1800 -C 100 -K    tcpdump -nni any -U -s0 'port 22 and not host 10.33.3.6' -w /var/tmp/trace -W 48 -G 1800 -C 100 -K 
  
-Before jumping to the pcap, have a look at these linux commands: \\+Before jumping to the pcap, have a look at these linux commands in the linux box: 
 +\\
   ss -s   ss -s
   netstat -s   netstat -s
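Review bot: the replacement capture command in this hunk drops the `ssh root@router` prefix that the removed line had, yet still pipes into a local macOS binary (`/Applications/Eve\ Wireshark.app/Contents/MacOS/Wireshark`), while the new lead-in says it runs on the OpenWrt router; as written, neither half can run on the same host. Either restore the remote form, `ssh root@router tcpdump -i eth0 -U -s0 -w - 'not port 22' | <wireshark> -k -i -`, or state that tcpdump is executed over ssh and Wireshark reads the stream locally. The `'not port 22'` filter is what keeps the ssh session carrying the capture out of the capture itself, which is worth a one-line comment, and "caprutue" should read "capture". The ring-buffer line (`-W 48 -G 1800 -C 100 -K`) would also benefit from a comment: rotate every 1800 s or at 100 MB, keep 48 files, skip checksum verification.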
Line 14: Line 17:
   Edit -> Preferences -> Appearance -> Confirm Unsaved Capture Files  # to remove the 'unsaved packets' popup.   Edit -> Preferences -> Appearance -> Confirm Unsaved Capture Files  # to remove the 'unsaved packets' popup.
   Edit -> Preferences -> Advanced > gui.packet_list_show_minimap false  # to disable minimap   Edit -> Preferences -> Advanced > gui.packet_list_show_minimap false  # to disable minimap
-  Ctrl-Shift-A   # To save and select profile with all the needed colums +  Add these columns ( Edit > Preferences and select User Interface > Columns )
-  Ctrl-Alt-1   # To show absolute time stamps: +
-  Edit -> Preferences -> Name Resolution -> Resolve MAC addresses)  # disable MAC address resolution +
-  tcp.analysis.acks_frame If we want to check for timing in the tcp flow, do this in an already selected stream +
-  Preference>Layout>Put Bytes pane on the right +
- +
-Add these columns ( Edit > Preferences and select User Interface > Columns )+
   - TCP-Len (this is not the default packet length, custom column)   - TCP-Len (this is not the default packet length, custom column)
   - Delta time (the time between captured packets)   - Delta time (the time between captured packets)
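Review bot: the new "Add these columns ( Edit > Preferences ... )" line is indented by two spaces inside the preformatted block, so DokuWiki will render it as code rather than as the paragraph it was before the move; drop the leading spaces. The shortcut lines removed here reappear later in the page, and the "colums" typo from the removed Ctrl-Shift-A line travels with them, so fix it where it lands.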
Line 26: Line 23:
   - **rwnd** (aka receive window aka 'calculated window size' TRAVELS in the packet) <-- custom column, added as above.   - **rwnd** (aka receive window aka 'calculated window size' TRAVELS in the packet) <-- custom column, added as above.
     - See [[https://panda314159.duckdns.org/doku.php?id=network_stuff:tcpnotes|tcpnotes]]     - See [[https://panda314159.duckdns.org/doku.php?id=network_stuff:tcpnotes|tcpnotes]]
 +  Ctrl-Alt-1   # To show absolute time stamps:
 +  Edit -> Preferences -> Name Resolution -> Resolve MAC addresses)  # disable MAC address resolution
 +  Preference>Layout>Put Bytes pane on the right
 +  Ctrl-Shift-A (Shift+comm+A) # To save and select profile with all the needed colums
 +
  
 Then you can save the profile with Shift+Ctrl+A Then you can save the profile with Shift+Ctrl+A
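Review bot: the relocated preference lines at the end of this hunk keep an unmatched closing parenthesis in "Resolve MAC addresses)", the "colums" typo, and a trailing colon after "absolute time stamps:" that leads nowhere; "(Shift+comm+A)" presumably means Shift+Cmd+A on macOS and should say so. The added "Ctrl-Shift-A ... save and select profile" line now sits directly above the unchanged "Then you can save the profile with Shift+Ctrl+A", so one of the two is redundant.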
Line 33: Line 35:
  
 __Analyse__\\ __Analyse__\\
-FIRST THING determine in which end of the conversation we are capturing the packets <<+FIRST THING determine in which end of the conversation we are capturing the packets << (a) by just checking src/dst IPs. (b) by checking the TTL of the packet (eg: if TTL = 128 is not routed, so local)
 \\ \\
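Review bot: the TTL heuristic added here, "if TTL = 128 is not routed, so local", should state its premise: 128 is one common initial TTL (Windows; Linux and macOS typically start at 64, some devices at 255), so what indicates zero hops is an observed TTL equal to the sender's initial value, and a value just below a default (127, 63, 254) means the packet crossed routers. Suggest "(b) by comparing the TTL with the sender OS default (64/128/255): a lower value has been routed, a matching one has not".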
  
Line 41: Line 43:
   * Follow TCP or HTTP stream   * Follow TCP or HTTP stream
  
-__STATISTICS__ \\ +__STATISTICS__  
 +\\ 
 +tcp.analysis.acks_frame If we want to check for timing in the tcp flow, do this in an already selected stream 
 +\\
 __Flow graph__: this is a good start to locate full tcp convos __Flow graph__: this is a good start to locate full tcp convos
 \\ \\
-__Tcptrace graph__long flat areas might mean end system and/or human user processing time.+__Tcptrace graph__: (statistics>tcp stream>time-sequence) : long flat areas might mean end system and/or human user processing time.
 \\ \\
-__Window Scaling__ (Statistics > TCP Streams > Window Scaling)+__Window Scaling__ (Statistics > TCP Streams > Window Scaling): It graphs bytes in flight together with rwnd. The latter must always be over the bytes in flight otherwise there's a problem. Also note that we need to capture from the point of the sender, otherwise bytes in flight might be wrong.
 \\ \\
 {{:network_stuff:packet-analysis2.jpeg?200|}} {{:network_stuff:packet-analysis2.jpeg?200|}}
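Review bot: `tcp.analysis.acks_frame` is a display-filter field, not a Statistics menu item, so the moved line reads oddly under the STATISTICS heading; say what it is (Wireshark's expert field on an ACK pointing at the frame it acknowledges, with the companion `tcp.analysis.ack_rtt` giving the time since that frame) and that it is used as a custom column or filter. The Tcptrace path "(statistics>tcp stream>time-sequence)" should match the menu: Statistics > TCP Stream Graphs > Time Sequence (tcptrace). The Window Scaling text is right that bytes in flight must stay under rwnd; its caveat about capturing at the sender applies equally to the Tcptrace graph, since both derive the in-flight amount from what the capture point has seen.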
Line 137: Line 141:
   dumpcap -i eth0 -b duration:3600 -b files:25 -w packets.cap   dumpcap -i eth0 -b duration:3600 -b files:25 -w packets.cap
      
 +
 +----
 +*** DECRYPT A TLS SESSION ***
 +Several applications honor the SSLKEYLOGFILE environment variable, which allows you to log the TLS session key, and which e.g., Wireshark can read to then decrypt the TLS packets.1 To use it, simply export SSLKEYLOGFILE=/tmp/tlskeys, invoke the HTTP client (e.g., curl(1)2 or /Applications/Google\ Chrome.app), and then drill down in Wireshark->Preferences->Protocols->TLS and set the pathname for "(Pre)-Master-Secret log filename" to /tmp/tlskeys.
 +
 +\\
 +
 +both Chrome and Firefox honor the SSLKEYLOGFILE environment variable, making dissecting packets nice and easy.
 +
 +  $ export SSLKEYLOGFILE=/tmp/tlskeys
 +  $ /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome http-123.test.netmeister.org
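Review bot: the digits fused onto "packets.1" and "curl(1)2" in the first paragraph are footnote markers whose targets did not come across; either restore the footnotes or drop the digits. The Chrome launch shown only works if no Chrome instance is already running, because a second launch hands its URL to the existing process, which never saw SSLKEYLOGFILE; note "quit Chrome first" (a separate `--user-data-dir` is the usual workaround). The same applies to Firefox. Two more caveats worth a line: curl honours the variable only when built against a TLS library that supports key logging, and Wireshark can only decrypt sessions whose handshake is in the capture. Since the key log file lets anyone holding it decrypt every recorded session, say that it should be removed when the analysis is done.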
  
  
network_stuff/wireshark.1654864961.txt.gz · Last modified: (external edit)