

WIRESHARK NOTES
tcp_notes

ssh root@router tcpdump -i eth0 -U -s0 -w - 'not port 22' | wireshark -k -i -   # pull live traces from the home openwrt router; 'not port 22' keeps the ssh session itself out of the trace
tcpdump -nni any -U -s0 'port 22 and not host 10.33.3.6' -w /var/tmp/trace -W 48 -G 1800 -C 100 -K   # rotate every 1800 s (-G) and stop after 48 files (-W), i.e. 24 h; -C 100 also rolls a file at 100 MB; -K skips checksum verification

Before jumping to the pcap, have a look at the socket state on the Linux box itself:

ss -s          # socket summary per protocol
netstat -s     # protocol counters: retransmits, resets, listen queue overflows
ss -ltnp       # listening TCP ports with the owning process (plain 'ss -l' lists every listening socket)

Tweaking wireshark:

Edit -> Preferences -> Appearance -> uncheck 'Confirm unsaved capture files'   # removes the 'unsaved packets' popup on exit
Edit -> Preferences -> Advanced -> gui.packet_list_show_minimap = FALSE   # disables the minimap
Add these columns (Edit -> Preferences -> Appearance -> Columns; in older versions User Interface -> Columns):
- TCP-Len: custom column on tcp.len, the TCP payload bytes (this is not the default packet/frame length)
- Delta time: the time since the previous captured packet (frame.time_delta)
- Sequence analysis columns: Seq, Nxt-Seq, ACK (tcp.seq, tcp.nxtseq, tcp.ack) <-- These are 'custom columns', created by __**selecting the field in the packet details, right click, Apply as Column**__
- **rwnd** (aka receive window) <-- custom column, added as above. tcp.window_size_value is the raw value that TRAVELS in the packet; tcp.window_size is the 'calculated window size' (raw value times the window scale negotiated in the SYN, so it is only right if the handshake is in the capture). Use the calculated one.
  - See [[https://panda314159.duckdns.org/doku.php?id=network_stuff:tcpnotes|tcpnotes]]
Ctrl-Alt-1   # absolute time stamps (View -> Time Display Format -> Date and Time of Day)
Edit -> Preferences -> Name Resolution -> uncheck 'Resolve MAC addresses'   # disables MAC address resolution
Edit -> Preferences -> Layout -> put the Bytes pane on the right
Ctrl-Shift-A   # Edit -> Configuration Profiles: save all of the above as a profile with the needed columns, and switch profiles later


Analyse
FIRST THING: determine at which end of the conversation we are capturing the packets (sender, receiver or somewhere in between); it changes how RTT, bytes in flight and TTL have to be read.

  • Expert Information (Analyze -> Expert Information): quick statistics on tcp problems, like RST, retransmissions, zero window
  • Follow TCP or HTTP stream (Analyze -> Follow)

STATISTICS
tcp.analysis.acks_frame: in an ACK, the frame it acknowledges; tcp.analysis.ack_rtt: the time between that frame and the ACK. Use them as a filter or column inside an already selected stream to check timing in the tcp flow.
Flow graph (Statistics -> Flow Graph): a good start to locate full tcp conversations.
Tcptrace graph (Statistics -> TCP Stream Graphs -> Time-Sequence (tcptrace)): long flat areas usually mean end system and/or human user processing time, not the network.
Window Scaling (Statistics -> TCP Stream Graphs -> Window Scaling): graphs bytes in flight together with rwnd. rwnd must always stay above the bytes in flight, otherwise the receiver is the bottleneck (window full / zero window). Bytes in flight is computed from what Wireshark has seen, so capture at the sender side, otherwise the value may be wrong.

Filters:
Filter per IP:

ip.addr == 192.168.0.112   # IPv4 dotted quad; matches src OR dst
!(ip.addr==192.168.0.112) is CORRECT ; ip.addr!=192.168.0.112 is incorrect! ip.addr matches both src and dst, so 'not equal' on either one is true for every packet that has at least one other address, i.e. all of them (Wireshark 3.6+ changed != to mean 'all not equal', so there it works, but the negated form is version independent)
ip.host for host names (FQDN, needs name resolution enabled)

Filter per TCP FLOWS
For the three way handshake:

(tcp.flags.syn==1) || (tcp.flags == 0x0010 && tcp.seq==1 && tcp.ack==1)   # SYN, SYN/ACK and the 3rd ACK. Relies on relative sequence numbers (on by default) and on the SYN being in the capture; otherwise the 3rd ACK is missed
tcp.port in {60000 60030} && !(tcp.port == 8800)   # this is how to do AND NOT
tcp.dstport == 53072 || tcp.srcport == 53072   # same as tcp.port == 53072
tcp.port in {8000..8999}   # << PORT RANGES


FILTER PRIVATE RANGES:

not ip.dst==10.0.0.0/8 || not ip.src==10.0.0.0/8   # anything that is not purely internal to 10/8 (one end outside). To drop all 10/8 traffic use !(ip.addr==10.0.0.0/8); add 172.16.0.0/12 and 192.168.0.0/16 if those are in use
(tcp.flags.syn==1 && tcp.flags.ack==1) && !(ip.src==10.0.0.0/8) && !(ip.src==127.0.0.1)   # SYN/ACK from non private sources, i.e. outbound connections that were accepted. Note tcp.flags.ack (the flag), not tcp.ack (the ack number), which only matched by luck with relative numbers

DNS FIELDS (DNS error responses):

(!(dns.flags.rcode==0)) && (dns.flags.response==1)   # responses whose rcode is not NOERROR (NXDOMAIN=3, SERVFAIL=2, REFUSED=5)


FILTER TIMEOUTS:

tcp.analysis.keep_alive
tcp.flags.reset == 1

To separate the different streams use tcp.stream. The stream index is assigned by Wireshark, it is not carried in the TCP header; it shows up as [Stream index] in the TCP tree of the packet details (right click -> Apply as Filter, or Analyze -> Follow -> TCP Stream):

tcp.stream==1

To see the window size evolution of the selected stream:

Statistics -> TCP Stream Graphs -> Window Scaling

To capture packets in the cli and write the tcpdump output in pcap format (-w):

tcpdump -ni eth0 -s0 -vvv -C 100 -W 50 -w /tmp/example.pcap     # ring buffer: 50 files of 100 MB max, the oldest gets overwritten

REMOTE WIRESHARK:
linux to linux, through X11:

  1. Install an X server on the machine you sit at (i.e.: Xming for Windows; Linux already has one)
  2. Run ssh with X11 forwarding enabled: "ssh -X user@server" on Linux (lower case -x disables it); putty: Connection > SSH > X11, enable X11 forwarding, X display location :0
  3. Become root on the server and run "export XAUTHORITY=/home/jaime.santos/.Xauthority" so root can use the forwarded DISPLAY of the user that logged in

linux to windows, via ssh (plink pipes tcpdump into the local wireshark):

"C:\Program Files\PuTTY\plink.exe" -batch -ssh -pw r root@127.0.0.1 -P 2222 "tcpdump -s 0 -U -i vethbd861d9 -w - " | wireshark -k -i -

Note: -pw puts the password on the command line, where it is visible in the process list and shell history; prefer a key (plink -i key.ppk). The interface here is a docker veth, see:

https://blog.sflow.com/2019/09/packet-analysis-using-docker.html


IPv6:

icmpv6.type == 128 || icmpv6.type == 129 # Echo Request / Echo Reply (PING)
icmpv6.type == 133 || icmpv6.type == 134 # RS RA (Router Solicitation / Advertisement)
icmpv6.type == 135 || icmpv6.type == 136 # NS NA (Neighbor Solicitation / Advertisement)

Capture filters:

TODO

ANALYZE CAPTURES:

RST:

  • For RST packets check the IP TTL and compare it with the TTL of the other packets from the same sender in that stream. TTL starts at an OS-dependent value (Linux and Mac 64; Windows 128) and is decremented by one per hop, so a RST that arrives with a different TTL than the rest of the peer's traffic was not generated by the peer but by some device in the path; if it is still at an initial value it came from the first hop, not from the far end.
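The following is an added example, not part of the original notes: a stdlib-only Python analyzer over constructed packets that reproduces three things these notes otherwise get from Wireshark: the tcp.stream index (assigned by the analyzer, not carried in the header), relative seq/ack numbers (which is why the handshake filter above matches the 3rd ACK as seq==1 ack==1 only when the SYN is captured) and the RST TTL check just described. Addresses, ports, TTLs and the HTTP request are made up, and the ISN derivation is a simplification of Wireshark's own logic.

```python
"""Added example (not from the original notes): a stdlib-only analyzer over
constructed packets. It assigns a tcp.stream index per endpoint pair, computes
relative seq/ack numbers, evaluates the notes' handshake display filter and
flags RSTs whose TTL does not match the TTL their apparent sender used elsewhere
in the stream. The ISN derivation is a simplification of what Wireshark does."""
import struct
from collections import defaultdict

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build(src, dst, sport, dport, seq, ack, flags, ttl, payload=b""):
    """IPv4 + TCP packet (no link layer; checksums left at zero, they are not checked here)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, ttl, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    return ip + tcp + payload


def dissect(pkt):
    """Pull the fields the notes' filters use out of the raw bytes."""
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport, seq, ack, off, flags = struct.unpack("!HHIIBB", pkt[ihl:ihl + 14])
    return dict(src=".".join(map(str, pkt[12:16])), dst=".".join(map(str, pkt[16:20])),
                ttl=pkt[8], sport=sport, dport=dport, seq=seq, ack=ack, flags=flags,
                len=len(pkt) - ihl - (off >> 4) * 4)


def analyze(packets):
    """Number frames from 1, assign a stream index per endpoint pair and compute
    relative seq/ack like Wireshark's 'relative sequence numbers' option: the first
    seq seen from a side is its ISN (relative 0), so the SYN is 0 and the 3rd ACK is
    1/1 only if the start of the handshake is in the capture."""
    streams, isn, rows = {}, {}, []
    for frame, pkt in enumerate(packets, 1):
        p = dissect(pkt)
        me, peer = (p["src"], p["sport"]), (p["dst"], p["dport"])
        p["frame"] = frame
        p["stream"] = streams.setdefault(frozenset((me, peer)), len(streams))
        isn.setdefault((p["stream"], me), p["seq"])
        if p["flags"] & ACK:                  # an ACK reveals the peer's ISN+1 if unseen
            isn.setdefault((p["stream"], peer), p["ack"] - 1)
        p["rel_seq"] = (p["seq"] - isn[(p["stream"], me)]) & 0xFFFFFFFF
        p["rel_ack"] = (p["ack"] - isn[(p["stream"], peer)]) & 0xFFFFFFFF if p["flags"] & ACK else 0
        rows.append(p)
    return rows


def handshake_frames(rows):
    """The notes' filter: (tcp.flags.syn==1) || (tcp.flags==0x010 && tcp.seq==1 && tcp.ack==1)."""
    return [r["frame"] for r in rows
            if r["flags"] & SYN or (r["flags"] == ACK and r["rel_seq"] == 1 and r["rel_ack"] == 1)]


def injected_rsts(rows):
    """RSTs whose TTL matches none of the TTLs their apparent sender used on non-RST
    packets of the same stream. With no baseline (e.g. a plain refused SYN) say nothing."""
    seen = defaultdict(set)
    for r in rows:
        if not r["flags"] & RST:
            seen[(r["stream"], r["src"])].add(r["ttl"])
    return [r["frame"] for r in rows if r["flags"] & RST
            and seen[(r["stream"], r["src"])] and r["ttl"] not in seen[(r["stream"], r["src"])]]


C, S = "10.0.0.5", "203.0.113.10"        # constructed: client (capture point) and server
REQ = b"GET / HTTP/1.0\r\n\r\n"          # 18 bytes of constructed payload
SAMPLE = [                                # constructed capture, taken on the client
    build(C, S, 40000, 80, 1000, 0, SYN, 64),
    build(S, C, 80, 40000, 5000, 1001, SYN | ACK, 52),   # server is 12 hops away
    build(C, S, 40000, 80, 1001, 5001, ACK, 64),
    build(C, S, 40000, 80, 1001, 5001, PSH | ACK, 64, REQ),
    build(S, C, 80, 40000, 5001, 1019, ACK, 52),
    build(S, C, 80, 40000, 5001, 1019, RST | ACK, 61),   # RST from 3 hops away: not the server
    build(C, S, 40001, 443, 7000, 0, SYN, 64),
    build(S, C, 443, 40001, 0, 7001, RST | ACK, 52),     # genuine refusal, no baseline to compare
]

if __name__ == "__main__":
    rows = analyze(SAMPLE)
    for r in rows:
        print(r["frame"], r["stream"], r["src"], r["dst"], hex(r["flags"]),
              r["rel_seq"], r["rel_ack"], "ttl", r["ttl"])
    print("handshake frames:", handshake_frames(rows))        # [1, 2, 3, 7]
    print("RSTs with a foreign TTL:", injected_rsts(rows))    # [6]
```

Running it prints one line per frame with stream index, relative numbers and TTL; frame 6 is the RST whose TTL (61) disagrees with everything else the server sent (52), which is the situation the TTL check is meant to catch. Passing SAMPLE[2:] instead (capture started after the SYN/ACK) shows the handshake filter losing the 3rd ACK, because the relative numbers are then based on the first packet seen.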


Capturing wireshark in the background (Windows):

"c:\Program Files\Wireshark\dumpcap.exe" -D   # to get a list of the interfaces on your system.

You'll want these options:

  • -i n   Where 'n' is the number of the interface you want to capture on.
  • -b duration:14400   To specify that dumpcap should start a new file after four hours (14400 seconds).
  • -f "ip host 192.168.1.1 or ip host 192.168.10.10"   To specify a capture filter (BPF syntax, not display filter syntax) for two IP hosts.
  • -w filename.pcap   To specify the base filename for your capture files; dumpcap appends a counter and timestamp to each rotated file.

So, putting it all together, you'll have something like:

dumpcap -i 1 -b duration:14400 -f "ip host 192.168.1.1 or ip host 192.168.10.10" -w filename.pcap

dumpcap -i eth0 -b duration:3600 -b files:25 -w packets.cap   # ring buffer of 25 one-hour files, the oldest gets overwritten
network_stuff/wireshark.1657486608.txt.gz · Last modified: (external edit)