Differences

This shows you the differences between two versions of the page.

--- network_stuff:wireshark [2022/06/10 12:53] – jotasandoku
+++ network_stuff:wireshark [2025/07/10 21:21] (current) – jotasandoku
@@ Line 1: / Line 1: @@
 **__WIRESHARK NOTES__**\\
-[[https://softbackbone.duckdns.org/doku.php?id=network_stuff:tcpnotes|tcp_notes]]\\
+[[https://panda314159.net/doku.php?id=network_stuff:tcpdump:tcpnotes|tcp_notes]] + [[https://www.stationx.net/wireshark-cheat-sheet/|Cheatsheet]]
-  ssh root@router tcpdump -i eth0 -U -s0 -w - 'not port 22' | wireshark -k -i - # To pull live traces from home router:
+This is to caprutue and show in wireshark live traffic. Running on a linux based router like openwrt:
+  tcpdump -i eth0 -U -s0 -w - 'not port 22' | /Applications/Eve\ Wireshark.app/Contents/MacOS/Wireshark -k -i - # To pull live traces from home openwrt router
   tcpdump -nni any -U -s0 'port 22 and not host 10.33.3.6' -w /var/tmp/trace -W 48 -G 1800 -C 100 -K
-Before jumping to the pcap, have a look at these linux commands: \\
+Before jumping to the pcap, have a look at these linux commands in the linux box:
+\\
   ss -s
   netstat -s
@@ Line 23: / Line 26: @@
   Edit -> Preferences -> Name Resolution -> Resolve MAC addresses)  # disable MAC address resolution
   Preference>Layout>Put Bytes pane on the right
-  Ctrl-Shift-A   # To save and select profile with all the needed colums
+  Ctrl-Shift-A (Shift+comm+A) # To save and select profile with all the needed colums
@@ Line 32: / Line 35: @@
 __Analyse__\\
-FIRST THING determine in which end of the conversation we are capturing the packets <<
+FIRST THING determine in which end of the conversation we are capturing the packets << (a) by just checking src/dst IPs. (b) by checking the TTL of the packet (eg: if TTL = 128 is not routed, so local)
 \\
@@ Line 46: / Line 49: @@
 __Flow graph__: this is a good start to locate full tcp convos
 \\
-__Tcptrace graph__, long flat areas might mean end system and/or human user processing time.
+__Tcptrace graph__: (statistics>tcp stream>time-sequence) : long flat areas might mean end system and/or human user processing time.
 \\
-__Window Scaling__ (Statistics > TCP Streams > Window Scaling)
+__Window Scaling__ (Statistics > TCP Streams > Window Scaling): It graphs bytes in flight together with rwnd. The latter must always be over the bytes in flight otherwise there's a problem. Also note that we need to capture from the point of the sender, otherwise bytes in flight might be wrong.
 \\
 {{:network_stuff:packet-analysis2.jpeg?200|}}
@@ Line 138: / Line 141: @@
   dumpcap -i eth0 -b duration:3600 -b files:25 -w packets.cap
+----
+*** DECRYPT A TLS SESSION ***
+Several applications honor the SSLKEYLOGFILE environment variable, which allows you to log the TLS session key, and which e.g., Wireshark can read to then decrypt the TLS packets.1 To use it, simply export SSLKEYLOGFILE=/tmp/tlskeys, invoke the HTTP client (e.g., curl(1)2 or /Applications/Google\ Chrome.app), and then drill down in Wireshark->Preferences->Protocols->TLS and set the pathname for "(Pre)-Master-Secret log filename" to /tmp/tlskeys.
+\\
+both Chrome and Firefox honor the SSLKEYLOGFILE environment variable, making dissecting packets nice and easy.
+  $ export SSLKEYLOGFILE=/tmp/tlskeys
+  $ /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome http-123.test.netmeister.org

dokucama

User Tools

Site Tools

Differences

Page Tools