WIRESHARK NOTES
tcp_notes + Cheatsheet
This is to capture live traffic and show it in Wireshark as it arrives. tcpdump runs on a linux based router like openwrt and writes to stdout, Wireshark reads from stdin:
tcpdump -i eth0 -U -s0 -w - 'not port 22' | /Applications/Eve\ Wireshark.app/Contents/MacOS/Wireshark -k -i -   # -U flushes every packet (live view), -s0 = full snaplen; excluding port 22 keeps the ssh session that carries the capture out of the trace
# To pull live traces from the home openwrt router into rotating files:
tcpdump -nni any -U -s0 'port 22 and not host 10.33.3.6' -w /var/tmp/trace -W 48 -G 1800 -C 100 -K   # new file every 1800 s or every 100 MB, at most 48 files, -K skips checksum verification
# Note (tcpdump man page): with -G the -w file name should contain a strftime pattern (e.g. trace-%Y%m%d-%H%M%S), otherwise each time-based rotation starts over with the same file names and overwrites the previous data.
Before jumping to the pcap, have a look at these linux commands on the linux box:
ss -s        # socket summary per protocol
netstat -s   # protocol statistics (retransmits, resets, errors)
ss -l        # listening sockets, i.e. open ports
Tweaking wireshark:
Edit -> Preferences -> Appearance -> Confirm Unsaved Capture Files   # untick to remove the 'unsaved packets' popup
Edit -> Preferences -> Advanced -> gui.packet_list_show_minimap = false   # to disable the minimap
Add these columns (Edit -> Preferences -> User Interface -> Columns):
  - TCP-Len (this is not the default packet length; custom column on tcp.len, the segment payload length)
  - Delta time (the time between captured packets, frame.time_delta)
  - Sequence analysis columns: Seq, Nxt-Seq, ACK (tcp.seq, tcp.nxtseq, tcp.ack) <-- These are 'custom columns': they are created by __**going to the field in the packet details, right click, Apply as Column**__
  - **rwnd** (aka receive window aka 'calculated window size', tcp.window_size) <-- custom column, added as above. Unlike bytes in flight, which Wireshark computes, the window is advertised in the packet itself
  - See [[https://panda314159.duckdns.org/doku.php?id=network_stuff:tcpnotes|tcpnotes]]
Ctrl-Alt-1   # to show absolute time stamps (Date and Time of Day)
Edit -> Preferences -> Name Resolution -> Resolve MAC addresses   # untick to disable MAC address resolution
Edit -> Preferences -> Layout -> put the Bytes pane on the right
Ctrl-Shift-A (Shift+Cmd+A on macOS)   # Configuration Profiles: save and select the profile with all the needed columns
Then you can save the profile with Shift+Ctrl+A
Analyse
FIRST THING: determine at which end of the conversation the packets are being captured (sender, receiver, or a box in between). Several of the measurements below (bytes in flight, RTT) are only meaningful from the sender's side.
STATISTICS
tcp.analysis.acks_frame   # on an ACK, the frame number it acknowledges. If we want to check timing in the TCP flow, apply this as a column inside an already selected stream
Flow graph: this is a good start to locate full tcp convos
tcptrace graph (Statistics -> TCP Stream Graphs -> Time-Sequence (tcptrace)): long flat areas mean nothing is being sent; that usually is end-system and/or human user processing time, not a network problem.
Window Scaling (Statistics -> TCP Stream Graphs -> Window Scaling): it graphs bytes in flight together with rwnd. rwnd must always stay above the bytes in flight; if the two lines touch, the sender is receive-window limited and the receiver is the bottleneck. Also note that we need to capture at the sender, otherwise bytes in flight is computed from packets that may already have been acknowledged and can be wrong.
Filters:
Filter per ip:
ip.addr : for IPv4 dotted-quad addresses. !(ip.addr==192.168.0.112) is CORRECT; ip.addr!=192.168.0.112 is incorrect in older versions, because ip.addr matches both source and destination and "any field is not equal" is true for nearly every packet (Wireshark 3.6 and later changed != to mean "all not equal", so there both forms work; the negated form is safe everywhere). ip.host for host names (FQDN), which needs name resolution enabled.
Filter per TCP FLOWS
For the three way handshake:
(tcp.flags.syn==1 ) || (tcp.flags == 0x0010 && tcp.seq==1 && tcp.ack==1)   # This normally misses the 3rd ACK. tcp.flags == 0x0010 is a pure ACK; the seq/ack clause only works with "Relative sequence numbers" enabled in the TCP preferences (the default)
tcp.port in {60000 60030} && !(tcp.port == 8800)   # this is how to do AND NOT; the braces are a set (ports 60000 and 60030), for a range use .. as below
tcp.dstport == 53072 || tcp.srcport == 53072
tcp.port in {8000..8999} # << PORT RANGES
FILTER PRIVATE RANGES:
not ip.dst==10.0.0.0/8 || not ip.src==10.0.0.0/8   # packets with at least one end outside 10/8
((tcp.flags.syn==1 && tcp.ack==1)) && !(ip.src==10.0.0.0/8) && !(ip.src==127.0.0.1)   # SYN/ACKs from non-private sources, i.e. answers to connections we opened. Useful to list outbound connections
Note: tcp.ack==1 is the relative acknowledgment number (1 on a SYN/ACK); tcp.flags.ack==1 tests the flag itself and does not depend on relative sequence numbers. These filters only exclude 10/8 and loopback; add !(ip.src==172.16.0.0/12) and !(ip.src==192.168.0.0/16) if the other RFC 1918 ranges are in use.
DNS FIELDS (DNS error responses):
(!(dns.flags.rcode==0))&&(dns.flags.response==1)   # responses with a non-zero rcode (NXDOMAIN, SERVFAIL, REFUSED, ...)
FILTER TIMEOUTS:
tcp.analysis.keep_alive    # keep-alive probes, a sign one side has been idle
tcp.flags.reset == 1       # resets: aborted or refused connections
To separate the different streams we use the filter below. tcp.stream is an index assigned by Wireshark (the first conversation seen is 0, and both directions of a connection share the same index). It is not carried in the packet; it is shown as [Stream index] under the TCP header in the packet details:
tcp.stream==1
To see the window size evolution:
Statistics -> TCP Stream Graph -> Window Scaling Graph
To capture packets in the CLI, writing the tcpdump output in pcap format:
tcpdump -ni eth0 -s0 -vvv -C 100 -W 50 -w /tmp/example.pcap   # ring buffer: 50 files of 100 MB max, then the oldest is overwritten
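As an added example (not part of these notes), the script below rebuilds two things Wireshark does behind the filters above: it assigns a tcp.stream-style index to each packet of a pcap, and it finds the streams whose three-way handshake completed, using the same relative seq==1 / ack==1 arithmetic the handshake filter relies on. The capture, addresses and ports are all constructed inside the script, so it runs offline on a synthetic pcap rather than on a real trace.

```python
"""Added example (not from the original notes): a minimal pcap reader that
numbers TCP conversations the way Wireshark's tcp.stream does (first-seen
4-tuple, both directions share the index, counted from 0) and finds streams
whose SYN / SYN-ACK / ACK handshake completed. The capture, addresses and
ports below are constructed; nothing is read from disk or the network."""
import struct
from collections import OrderedDict

PCAP_MAGIC = 0xA1B2C3D4            # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
SYN, RST, ACK = 0x02, 0x04, 0x10   # TCP flag bits


def ip4(addr):
    return bytes(int(x) for x in addr.split("."))


def tcp_frame(src, dst, sport, dport, seq, ack, flags):
    """Constructed Ethernet/IPv4/TCP frame, no payload, checksums left at 0."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, ip4(src), ip4(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp


def pcap_file(frames):
    """Wrap frames in a pcap container: 24-byte global header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return out


def iter_tcp(pcap):
    """Yield (frame_no, src, dst, sport, dport, seq, ack, flags) for TCP/IPv4 frames.
    frame_no counts every record, so it equals the packet number Wireshark shows."""
    magic, = struct.unpack("<I", pcap[:4])
    endian = "<" if magic == PCAP_MAGIC else ">"
    off, frame_no = 24, 0
    while off + 16 <= len(pcap):
        _, _, caplen, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        frame_no += 1
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                   # not IPv4, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        t = 14 + ihl
        sport, dport, seq, ack, _, flags = struct.unpack("!HHIIBB", frame[t:t + 14])
        yield frame_no, src, dst, sport, dport, seq, ack, flags


def stream_key(src, sport, dst, dport):
    return frozenset([(src, sport), (dst, dport)])     # direction-insensitive


def stream_index(pcap):
    """Map frame number -> tcp.stream-style index."""
    streams, result = OrderedDict(), {}
    for n, src, dst, sp, dp, *_ in iter_tcp(pcap):
        result[n] = streams.setdefault(stream_key(src, sp, dst, dp), len(streams))
    return result


def complete_handshakes(pcap):
    """Return {stream: (syn_frame, synack_frame, ack_frame)} for fully opened streams.
    The third packet must come from the SYN sender with seq == ISN_c + 1 and
    ack == ISN_s + 1, which is what relative tcp.seq==1 && tcp.ack==1 means."""
    streams, state, done = OrderedDict(), {}, {}
    for n, src, dst, sp, dp, seq, ack, flags in iter_tcp(pcap):
        idx = streams.setdefault(stream_key(src, sp, dst, dp), len(streams))
        st = state.setdefault(idx, {})
        if (flags & SYN) and not (flags & ACK):
            st.update(syn=n, client=(src, sp), isn_c=seq)
        elif (flags & SYN) and (flags & ACK) and "isn_c" in st and ack == st["isn_c"] + 1:
            st.update(synack=n, isn_s=seq)
        elif (flags & ACK) and "isn_s" in st and idx not in done \
                and (src, sp) == st["client"] \
                and seq == st["isn_c"] + 1 and ack == st["isn_s"] + 1:
            done[idx] = (st["syn"], st["synack"], n)
    return done


# Constructed sample capture: one full handshake, one SYN that only gets a RST.
C, S, HOST = "10.0.0.5", "93.184.216.34", "10.0.0.9"
ARP = b"\xff" * 6 + b"\x00" * 6 + b"\x08\x06" + b"\x00" * 28   # non-TCP frame
SAMPLE_PCAP = pcap_file([
    tcp_frame(C, S, 40000, 443, 1000, 0, SYN),           # 1: SYN             (stream 0)
    ARP,                                                 # 2: skipped
    tcp_frame(S, C, 443, 40000, 5000, 1001, SYN | ACK),  # 3: SYN-ACK         (stream 0)
    tcp_frame(C, S, 40000, 443, 1001, 5001, ACK),        # 4: handshake ACK   (stream 0)
    tcp_frame(C, HOST, 40001, 22, 77, 0, SYN),           # 5: SYN             (stream 1)
    tcp_frame(C, S, 40000, 443, 1001, 5101, ACK),        # 6: later pure ACK  (stream 0)
    tcp_frame(HOST, C, 22, 40001, 0, 78, RST | ACK),     # 7: port closed     (stream 1)
])

if __name__ == "__main__":
    print(stream_index(SAMPLE_PCAP))          # {1: 0, 3: 0, 4: 0, 5: 1, 6: 0, 7: 1}
    print(complete_handshakes(SAMPLE_PCAP))   # {0: (1, 3, 4)}
```

Frame 6 is a pure ACK with relative seq 1 but relative ack 101, which is why a filter on tcp.seq==1 alone would over-match; checking both numbers against the two ISNs is what pins down the third handshake packet. Stream 1 never gets a SYN/ACK, so it is absent from the result, just as it would be absent from a tcp.completeness-style view.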
REMOTE WIRESHARK:
linux to linux, through X11:
linux to windows, via ssh:
"C:\Program Files\PuTTY\plink.exe" -batch -ssh -pw r root@127.0.0.1 -P 2222 "tcpdump -s 0 -U -i vethbd861d9 -w - " | wireshark -k -i -
(-U flushes each packet so Wireshark updates live. -pw passes the password on the command line, where it is visible in the process list and shell history; prefer key authentication via Pageant.)
https://blog.sflow.com/2019/09/packet-analysis-using-docker.html
IPv6:
icmpv6.type == 128 || icmpv6.type == 129   # echo request / echo reply (PING)
icmpv6.type == 133 || icmpv6.type == 134   # Router Solicitation / Router Advertisement (RS RA)
icmpv6.type == 135 || icmpv6.type == 136   # Neighbor Solicitation / Neighbor Advertisement (NS NA)
Capture filters:
TODO
ANALYZE CAPTURES:
RST:
Capturing wireshark in the background (Windows):
"c:\Program Files\Wireshark\dumpcap.exe" -D   # to get a list of the interfaces on your system.
You'll want these options: -i <interface number or name from -D>, -b duration:<seconds> (start a new file every N seconds; add -b files:<N> to cap how many are kept), -f "<capture filter>" (BPF syntax, same as tcpdump), -w <file>.
So, putting it all together, you'll have something like:
dumpcap -i 1 -b duration:14400 -f "ip host 192.168.1.1 or ip host 192.168.10.10" -w filename.pcap   # new file every 4 hours, only traffic to/from the two hosts
dumpcap -i eth0 -b duration:3600 -b files:25 -w packets.cap   # new file every hour, at most 25 files kept (ring buffer)
DECRYPT A TLS SESSION:
Several applications honor the SSLKEYLOGFILE environment variable, which makes them log the TLS session secrets (NSS key log format); Wireshark can read that file to decrypt the TLS packets. To use it, export SSLKEYLOGFILE=/tmp/tlskeys, invoke the HTTP client from that same environment (e.g. curl(1), or /Applications/Google\ Chrome.app started from that shell), and then drill down in Wireshark -> Preferences -> Protocols -> TLS and set the pathname for "(Pre)-Master-Secret log filename" to /tmp/tlskeys. Caveats: only clients whose TLS library supports the variable write the file (curl with most of its TLS backends, Firefox, Chrome/Chromium); the capture must contain the ClientHello of the session, because Wireshark matches the client random in the log against it; and the file holds live session secrets, so treat it like a key and delete it when done.
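As an added example (not part of these notes), a small checker for the key log file: it parses the NSS key log format, groups the entries by client random (the value Wireshark matches against the ClientHello), and reports whether each session has enough material to be decrypted, which differs between TLS 1.2 (one CLIENT_RANDOM line) and TLS 1.3 (four traffic secrets). The key log content is constructed with dummy hex values.

```python
"""Added example (not from the original notes): check an SSLKEYLOGFILE in NSS
key log format and report, per TLS session, whether Wireshark will have enough
material to decrypt it. The key log text below is constructed with dummy hex
values; it is not a real key log."""
import re

# A TLS 1.2 session is decryptable from CLIENT_RANDOM alone; a TLS 1.3 session
# needs both handshake and both application traffic secrets (early-data and
# exporter secrets are optional extras).
TLS13_NEEDED = {"CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
                "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
# <LABEL> <32-byte client random as 64 hex chars> <secret as hex>
LINE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")


def parse_keylog(text):
    """Group labels by client random (the value Wireshark matches against the
    Random field of the ClientHello). Returns ({client_random: set(labels)},
    [(line_no, bad_line), ...]); comment and blank lines are skipped."""
    sessions, bad = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if not m:
            bad.append((lineno, line))
            continue
        label, client_random, _secret = m.groups()
        sessions.setdefault(client_random.lower(), set()).add(label)
    return sessions, bad


def decryptable(labels):
    """Return the TLS version this label set can decrypt, or None."""
    if "CLIENT_RANDOM" in labels:
        return "TLS 1.2"
    if TLS13_NEEDED <= labels:
        return "TLS 1.3"
    return None


def lookup(sessions, client_hello_random_hex):
    """Given the Random from a ClientHello in the capture, say whether the log covers it."""
    return decryptable(sessions.get(client_hello_random_hex.lower(), set()))


# Constructed sample: dummy client randoms and secrets, one malformed line.
R12, R13, R13_PARTIAL = "11" * 32, "22" * 32, "33" * 32
SAMPLE_KEYLOG = "\n".join([
    "# constructed sample with dummy values",
    f"CLIENT_RANDOM {R12} {'aa' * 48}",                            # TLS 1.2 session
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {R13} {'bb' * 32}",          # TLS 1.3 session, complete
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {R13} {'cc' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {R13} {'dd' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {R13} {'ee' * 32}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {R13_PARTIAL} {'ff' * 32}",  # client died mid-handshake
    "CLIENT_RANDOM deadbeef tooshort",                              # malformed, ignored
])

if __name__ == "__main__":
    sessions, bad = parse_keylog(SAMPLE_KEYLOG)
    for rnd, labels in sessions.items():
        print(rnd[:16] + "...", decryptable(labels) or "NOT decryptable", sorted(labels))
    print("malformed lines:", bad)
```

Run it against the real /tmp/tlskeys (read the file and pass its text to parse_keylog) to confirm the client actually wrote secrets before blaming Wireshark; a session that shows only handshake secrets, like the third one above, will decrypt the handshake but not the application data.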