**__WIRESHARK NOTES__**\\
[[https://panda314159.net/doku.php?id=network_stuff:tcpdump:tcpnotes|tcp_notes]] + [[https://www.stationx.net/wireshark-cheat-sheet/|Cheatsheet]]

This is to capture live traffic and show it in Wireshark. Running on a Linux-based router like OpenWrt, with the tcpdump output piped into the local Wireshark:
<code>
tcpdump -i eth0 -U -s0 -w - 'not port 22' | /Applications/Eve\ Wireshark.app/Contents/MacOS/Wireshark -k -i -
</code>

To pull live traces from the home OpenWrt router (ring buffer: -W 48 keeps 48 files, -G 1800 starts a new file every 1800 s, -C 100 also rotates when a file reaches 100 MB):
<code>
tcpdump -nni any -U -s0 'port 22 and not host 10.33.3.6' -w /var/tmp/trace -W 48 -G 1800 -C 100 -K
</code>

Before jumping to the pcap, have a look at these commands on the Linux box:
<code>
ss -s        # socket summary
netstat -s   # per-protocol counters
ss -l        # listening sockets (open ports)
</code>
More info [[https://www.cyberciti.biz/faq/check-network-connection-linux/|here]].

**Tweaking wireshark**:
  * Edit -> Preferences -> Appearance -> Confirm Unsaved Capture Files: untick it to remove the 'unsaved packets' popup.
  * Edit -> Preferences -> Advanced -> gui.packet_list_show_minimap = false, to disable the minimap.
  * Add these columns (Edit -> Preferences -> User Interface -> Columns):
    * TCP-Len (custom column; this is not the default packet length)
    * Delta time (the time between captured packets)
    * Sequence analysis columns: Seq, Nxt-Seq, ACK <-- these are 'custom columns', created by __**going to the field in the packet, right click, Apply as Column**__
    * **rwnd** (aka receive window, aka 'calculated window size'; it TRAVELS in the packet) <-- custom column, added as above.
    * See [[https://panda314159.duckdns.org/doku.php?id=network_stuff:tcpnotes|tcpnotes]]
  * Ctrl-Alt-1 to show absolute time stamps (View -> Time Display Format).
  * Edit -> Preferences -> Name Resolution -> untick "Resolve MAC addresses" to disable MAC address resolution.
  * Edit -> Preferences -> Appearance -> Layout -> put the Bytes pane on the right.
  * Ctrl-Shift-A (Shift+Cmd+A on macOS) opens the Configuration Profiles dialog: once the columns above are in place, save them as a profile there and select it from the same dialog.

----
__Analyse__\\
FIRST THING: determine at which end of the conversation we are capturing the packets:
  * (a) by just checking the src/dst IPs;
  * (b) by checking the TTL of the packet (e.g. if TTL = 128 it has not been routed, so it is local).

{{:network_stuff:packet-analysis1.jpeg?400|}}

  * Expert Information: for quick statistics on TCP, like **RST** counts.
  * Follow TCP or HTTP stream.

__STATISTICS__\\
tcp.analysis.acks_frame: if we want to check timing in the TCP flow, apply this in an already selected stream.\\
__Flow graph__: a good start to locate full TCP conversations.\\
__Tcptrace graph__ (Statistics -> TCP Stream Graphs -> Time-Sequence (tcptrace)): long flat areas might mean end-system and/or human-user processing time.\\
__Window Scaling__ (Statistics -> TCP Stream Graphs -> Window Scaling): it graphs bytes in flight together with rwnd. The latter must always stay above the bytes in flight, otherwise there is a problem. Also note that we need to capture at the sender's end, otherwise bytes in flight may be wrong.

{{:network_stuff:packet-analysis2.jpeg?200|}}

__Filters:__\\
Filter per IP (ip.addr for IPv4 dotted-quad addresses, ip.host for host names / FQDNs):
<code>
!(ip.addr==192.168.0.112)   # CORRECT
ip.addr!=192.168.0.112      # incorrect: ip.addr covers both src and dst, so use the negated form above
</code>
Filter per TCP flow\\
For the three-way handshake ([[https://ask.wireshark.org/questions/230/displaying-all-tcp-connections-with-syn-packets|External Link]]):
<code>
(tcp.flags.syn==1) || (tcp.flags == 0x0010 && tcp.seq==1 && tcp.ack==1)   # this normally misses the 3rd ACK
tcp.port in {60000 60030} && !(tcp.port == 8800)                          # this is how to do AND NOT
tcp.dstport == 53072 || tcp.srcport == 53072
tcp.port in {8000..8999}                                                  # <-- PORT RANGES
</code>
FILTER PRIVATE RANGES:
<code>
not ip.dst==10.0.0.0/8 || not ip.src==10.0.0.0/8
((tcp.flags.syn==1 && tcp.ack==1)) && !(ip.src==10.0.0.0/8) && !(ip.src==127.0.0.1)   # SYN/ACK from non-private ranges; useful to list outbound connections
</code>
DNS FIELDS (DNS error responses):
<code>
(!(dns.flags.rcode==0)) && (dns.flags.response==1)
</code>
FILTER TIMEOUTS:
<code>
tcp.analysis.keep_alive
tcp.flags.reset == 1
</code>
----
To separate the different streams we use the filter below.
tcp.stream is an index assigned by Wireshark; it is shown inside the TCP header of the dissected packet:
<code>
tcp.stream==1
</code>
To see the window size evolution: Statistics -> TCP Stream Graphs -> Window Scaling Graph.

To capture packets in the CLI and write the tcpdump output in pcap format:
<code>
tcpdump -ni eth0 -s0 -vvv -C 100 -W 50 -w /tmp/example.pcap   # 50 files of 100 MB max
</code>
----
REMOTE WIRESHARK:\\
Linux to Linux, through X11:
  * Install a remote X server (i.e. Xming for Windows, X11 for Linux).
  * Run ssh with forwarding enabled: "ssh -X" on Linux; with PuTTY: Connection -> SSH -> X11 -> Enable X11 forwarding, X display location :0.
  * Become root on the server and "export XAUTHORITY=/home/jaime.santos/.Xauthority".

Linux to Windows, via ssh:
<code>
"C:\Program Files\PuTTY\plink.exe" -batch -ssh -pw r root@127.0.0.1 -P 2222 "tcpdump -s 0 -U -i vethbd861d9 -w - " | wireshark -k -i -
</code>
[[https://blog.sflow.com/2019/09/packet-analysis-using-docker.html]]
----
IPv6:
<code>
icmpv6.type == 128 || icmpv6.type == 129   # echo request / echo reply (PING)
icmpv6.type == 133 || icmpv6.type == 134   # RS / RA (router solicitation / router advertisement)
icmpv6.type == 135 || icmpv6.type == 136   # NS / NA (neighbor solicitation / neighbor advertisement)
</code>
Capture filters:\\
TODO
----
ANALYZE CAPTURES:\\
RST:\\
  * For RST packets we check the TTL. If it is still at its maximum, nothing decremented it, so it was sent by the first hop (the sending host is on our segment). Note that the initial TTL depends greatly on the OS sending the packet: Linux and Mac use 64; Windows uses 128.
----
**Capturing wireshark in the background (Windows):**
<code>
"c:\Program Files\Wireshark\dumpcap.exe" -D   # to get a list of the interfaces on your system
</code>
You'll want these options:
  * -i n : where 'n' is the number of the interface you want to capture on.
  * -b duration:14400 : start a new file after four hours (14400 seconds).
  * -f "ip host 192.168.1.1 or ip host 192.168.10.10" : a capture filter for two IP hosts.
  * -w filename.pcap : the base filename for your capture files.
So, putting it all together, you'll have something like:
<code>
dumpcap -i 1 -b duration:14400 -f "ip host 192.168.1.1 or ip host 192.168.10.10" -w filename.pcap
dumpcap -i eth0 -b duration:3600 -b files:25 -w packets.cap
</code>
----
*** DECRYPT A TLS SESSION ***\\
Several applications honor the SSLKEYLOGFILE environment variable, which allows you to log the TLS session keys, and which e.g. Wireshark can read to then decrypt the TLS packets. To use it, simply export SSLKEYLOGFILE=/tmp/tlskeys, invoke the HTTP client (e.g. curl(1) or /Applications/Google\ Chrome.app), and then drill down in Wireshark -> Preferences -> Protocols -> TLS and set the pathname for "(Pre)-Master-Secret log filename" to /tmp/tlskeys.\\
Both Chrome and Firefox honor the SSLKEYLOGFILE environment variable, making dissecting packets nice and easy.
<code>
$ export SSLKEYLOGFILE=/tmp/tlskeys
$ /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome http-123.test.netmeister.org
</code>
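Added example for the TLS section above (my own POSIX sh, not from these notes or from Wireshark): before pointing the "(Pre)-Master-Secret log filename" preference at /tmp/tlskeys, check that the file actually holds secrets in the NSS key log format Wireshark expects, and for which TLS version; the function name keylog_check, the temp file path and the sample lines are my own constructed assumptions.

```shell
#!/bin/sh
# Added example, not from these notes: sanity-check an SSLKEYLOGFILE before
# pointing Wireshark's "(Pre)-Master-Secret log filename" at it.
# NSS key log format, one secret per line:  LABEL <client_random, 64 hex> <secret, hex>
# TLS 1.2 sessions are logged as CLIENT_RANDOM lines, TLS 1.3 sessions as
# *_TRAFFIC_SECRET lines; a file with none of these will not decrypt anything.

# Constructed sample: one TLS 1.2 session, one TLS 1.3 session, one junk line.
KEYLOG="${TMPDIR:-/tmp}/tlskeys.sample.$$"
cat > "$KEYLOG" <<'EOF'
# SSL/TLS secrets log file, generated by NSS
CLIENT_RANDOM 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
CLIENT_HANDSHAKE_TRAFFIC_SECRET fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210 0011223344556677001122334455667700112233445566770011223344556677
SERVER_HANDSHAKE_TRAFFIC_SECRET fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210 8899aabbccddeeff8899aabbccddeeff8899aabbccddeeff8899aabbccddeeff
CLIENT_TRAFFIC_SECRET_0 fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210 0f1e2d3c4b5a69780f1e2d3c4b5a69780f1e2d3c4b5a69780f1e2d3c4b5a6978
SERVER_TRAFFIC_SECRET_0 fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210 deadbeefcafef00ddeadbeefcafef00ddeadbeefcafef00ddeadbeefcafef00d
CLIENT_RANDOM not-hex-at-all 00
EOF

# keylog_check FILE -> prints "tls12=N tls13=N bad=N"; exit status 1 when no usable secret is present
keylog_check() {
    awk '
    /^#/ || /^[ \t]*$/ { next }        # comment and blank lines are allowed
    {
        hex_rand = ($2 ~ /^[0-9A-Fa-f]+$/ && length($2) == 64)       # client random: 32 bytes
        hex_sec  = ($3 ~ /^[0-9A-Fa-f]+$/ && length($3) % 2 == 0)    # secret: whole bytes
        if (NF != 3 || !hex_rand || !hex_sec)                 bad++
        else if ($1 == "CLIENT_RANDOM")                       tls12++
        else if ($1 ~ /^(CLIENT_EARLY_TRAFFIC_SECRET|(CLIENT|SERVER)_(HANDSHAKE_TRAFFIC_SECRET|TRAFFIC_SECRET_0))$/) tls13++
        else if ($1 !~ /EXPORTER_SECRET$/)                    bad++   # exporter secrets are valid but not needed here
    }
    END { printf "tls12=%d tls13=%d bad=%d\n", tls12, tls13, bad; exit (tls12 + tls13 == 0) }
    ' "$1"
}

keylog_check "$KEYLOG"   # tls12=1 tls13=4 bad=1
```

A bad count with zero usable sessions usually means the client was started before SSLKEYLOGFILE was exported or did not honor it at all.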
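Added example for the TTL rule in the ANALYZE CAPTURES / RST section above (my own POSIX sh, not from these notes): it applies the 64/128 initial-TTL heuristic to the fields tshark can export with -T fields, so every RST in a trace is tagged as local or routed with an estimated hop count. The function names ttl_hops and rst_report, the sample rows and the 255 initial TTL for network gear are my own assumptions beyond the notes.

```shell
#!/bin/sh
# Added example, not from these notes: apply the RST/TTL rule to the per-packet
# fields tshark exports as tab-separated text, e.g.
#   tshark -r trace.pcap -Y 'tcp.flags.reset==1' -T fields -e tcp.stream -e ip.src -e ip.ttl
# Initial TTLs: 64 (Linux, macOS), 128 (Windows), 255 (assumed for most network gear).
# hops == 0 means no router decremented the TTL, so the RST came from our own segment.

# ttl_hops TTL -> prints "<assumed initial TTL> <router hops traversed>"
ttl_hops() {
    if   [ "$1" -le 64 ];  then init=64
    elif [ "$1" -le 128 ]; then init=128
    else                         init=255
    fi
    echo "$init $((init - $1))"
}

# rst_report: reads "stream<TAB>src<TAB>ttl" lines on stdin (tshark -T fields layout)
# and prints "stream src ttl initial hops local|routed" for each RST
rst_report() {
    tab="$(printf '\t')"
    while IFS="$tab" read -r stream src ttl; do
        if [ -z "$ttl" ]; then continue; fi          # skip blank or incomplete lines
        set -- $(ttl_hops "$ttl")                    # $1 = initial TTL, $2 = hops
        if [ "$2" -eq 0 ]; then verdict=local; else verdict=routed; fi
        printf '%s %s %s %s %s %s\n' "$stream" "$src" "$ttl" "$1" "$2" "$verdict"
    done
}

# Constructed sample of tshark output; 10.33.3.6 is the host from the capture filter above,
# the other addresses are documentation/private ranges chosen for the example
sample() {
    printf '%s\t%s\t%s\n' 3 10.33.3.6 64  7 198.51.100.8 52  9 192.168.1.20 128  12 203.0.113.7 117
}

sample | rst_report
```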