dokucama

User Tools

Site Tools

Trace: wireshark
network_stuff:wireshark

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
network_stuff:wireshark [2022/09/06 18:47] – external edit 127.0.0.1network_stuff:wireshark [2025/07/10 21:21] (current) jotasandoku
Line 1: Line 1:
 **__WIRESHARK NOTES__**\\ **__WIRESHARK NOTES__**\\
-[[https://softbackbone.duckdns.org/doku.php?id=network_stuff:tcpnotes|tcp_notes]]\\ +[[https://panda314159.net/doku.php?id=network_stuff:tcpdump:tcpnotes|tcp_notes]] + [[https://www.stationx.net/wireshark-cheat-sheet/|Cheatsheet]] 
-  ssh root@router tcpdump -i eth0 -U -s0 -w - 'not port 22' | wireshark -k -i - # To pull live traces from home openwrt router+ 
 +This is to caprutue and show in wireshark live traffic. Running on a linux based router like openwrt: 
 +  tcpdump -i eth0 -U -s0 -w - 'not port 22' | /Applications/Eve\ Wireshark.app/Contents/MacOS/Wireshark -k -i - # To pull live traces from home openwrt router
   tcpdump -nni any -U -s0 'port 22 and not host 10.33.3.6' -w /var/tmp/trace -W 48 -G 1800 -C 100 -K    tcpdump -nni any -U -s0 'port 22 and not host 10.33.3.6' -w /var/tmp/trace -W 48 -G 1800 -C 100 -K 
  
Line 24: Line 26:
   Edit -> Preferences -> Name Resolution -> Resolve MAC addresses)  # disable MAC address resolution   Edit -> Preferences -> Name Resolution -> Resolve MAC addresses)  # disable MAC address resolution
   Preference>Layout>Put Bytes pane on the right   Preference>Layout>Put Bytes pane on the right
-  Ctrl-Shift-A   # To save and select profile with all the needed colums+  Ctrl-Shift-A (Shift+comm+A) # To save and select profile with all the needed colums
  
  
Line 33: Line 35:
  
 __Analyse__\\ __Analyse__\\
-FIRST THING determine in which end of the conversation we are capturing the packets <<+FIRST THING determine in which end of the conversation we are capturing the packets << (a) by just checking src/dst IPs. (b) by checking the TTL of the packet (eg: if TTL = 128 is not routed, so local)
 \\ \\
  
Line 139: Line 141:
   dumpcap -i eth0 -b duration:3600 -b files:25 -w packets.cap   dumpcap -i eth0 -b duration:3600 -b files:25 -w packets.cap
      
 +
 +----
 +*** DECRYPT A TLS SESSION ***
 +Several applications honor the SSLKEYLOGFILE environment variable, which allows you to log the TLS session key, and which e.g., Wireshark can read to then decrypt the TLS packets.1 To use it, simply export SSLKEYLOGFILE=/tmp/tlskeys, invoke the HTTP client (e.g., curl(1)2 or /Applications/Google\ Chrome.app), and then drill down in Wireshark->Preferences->Protocols->TLS and set the pathname for "(Pre)-Master-Secret log filename" to /tmp/tlskeys.
 +
 +\\
 +
 +both Chrome and Firefox honor the SSLKEYLOGFILE environment variable, making dissecting packets nice and easy.
 +
 +  $ export SSLKEYLOGFILE=/tmp/tlskeys
 +  $ /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome http-123.test.netmeister.org
  
  
network_stuff/wireshark.1662490020.txt.gz · Last modified: (external edit)

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki