Day 9: Networking - Where is all this data going?
Wireshark PCAP file analysis
Let's assume that we are looking for all packets that have been sent or received by the IP address 172.21.2.116. The following display filter shows every packet in which that address appears as source or destination: ip.addr == 172.21.2.116
As a result, only the packets involving that address are displayed.
Next, we can also filter on a protocol, for example HTTP, to show all packets for that protocol. We can also add a domain name to narrow the search further. The following filter shows HTTP packets that contain the google.com domain name: http contains "google.com"
We can also look at a specific port. Let's filter and list all packets for the Remote Desktop Protocol (RDP), which uses TCP port 3389, with the tcp.port field: tcp.port == 3389
However, assume that you are monitoring the network traffic and want to exclude the RDP packets instead. In this case we use Wireshark's not operator: not tcp.port == 3389
Next, we will perform the packet analysis technique using Wireshark on various protocols, including HTTP, FTP, and DNS.
HTTP:
The filter http shows only HTTP traffic; http.request.method == "GET" or http.request.method == "POST" narrows it to requests of that method.
Right-click a packet and choose Follow > TCP Stream to reassemble the whole HTTP conversation in one view.
The reassembled stream shows which URLs were requested from which IP addresses, linking the two.
DNS:
The filter dns shows DNS packets only. udp.port == 53 also works, because DNS runs on UDP port 53 by default; it sometimes runs on TCP port 53, which the udp.port filter would miss.
FTP:
tcp.port == 21 shows the FTP control channel; ftp-data shows the data channel, i.e. the packets that carry the transferred file contents.
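Added example, not part of the original notes: a minimal pcap parser in Python (standard library only) that builds a constructed four-packet capture inline and applies the same filters as above (ip.addr, tcp.port, not, udp.port) as plain predicates, so the ip.addr/port matching behind the Wireshark filters can be seen and checked offline. All addresses and ports are constructed sample values, not from a real capture.

```python
import struct
import socket

# pcap global header: magic, v2.4, thiszone 0, sigfigs 0, snaplen 65535, linktype 1 (Ethernet)
PCAP_GLOBAL_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

def build_packet(src, dst, proto, sport, dport):
    """Constructed Ethernet/IPv4 + TCP(6) or UDP(17) frame with no payload, wrapped in a pcap record."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # zero MACs, EtherType IPv4
    if proto == 6:                                       # 20-byte TCP header, SYN flag set
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    else:                                                # 8-byte UDP header
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    frame = eth + ip + l4
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame   # ts_sec, ts_usec, incl, orig

def parse_pcap(data):
    """Parse little-endian pcap bytes into dicts holding the fields the filters above use."""
    magic, = struct.unpack("<I", data[:4])
    assert magic == 0xA1B2C3D4, "only little-endian microsecond pcap is handled here"
    pkts, off = [], 24
    while off < len(data):
        _, _, incl_len, _ = struct.unpack("<IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if frame[12:14] != b"\x08\x00":                  # skip non-IPv4 frames
            continue
        ihl = (frame[14] & 0x0F) * 4                     # IPv4 header length in bytes
        proto = frame[23]                                # IPv4 protocol field
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])   # first 4 bytes of TCP/UDP
        pkts.append({"ip.src": src, "ip.dst": dst, "proto": proto, "sport": sport, "dport": dport})
    return pkts

# Predicate equivalents of the Wireshark display filters discussed above
def ip_addr(pkt, ip):  return ip in (pkt["ip.src"], pkt["ip.dst"])            # ip.addr == ip
def tcp_port(pkt, p):  return pkt["proto"] == 6 and p in (pkt["sport"], pkt["dport"])   # tcp.port == p
def udp_port(pkt, p):  return pkt["proto"] == 17 and p in (pkt["sport"], pkt["dport"])  # udp.port == p

def apply(data, predicate):
    """Return the parsed packets for which the filter predicate holds."""
    return [p for p in parse_pcap(data) if predicate(p)]

# Constructed sample capture (not real traffic): RDP exchange, a DNS query and an unrelated FTP packet
SAMPLE = PCAP_GLOBAL_HDR + b"".join([
    build_packet("172.21.2.116", "10.0.0.5", 6, 49152, 3389),   # RDP from the host of interest
    build_packet("10.0.0.5", "172.21.2.116", 6, 3389, 49152),   # RDP reply
    build_packet("172.21.2.116", "10.0.0.53", 17, 51000, 53),   # DNS query over UDP
    build_packet("10.0.0.9", "10.0.0.7", 6, 40000, 21),         # FTP control channel, other hosts
])
```

Running apply(SAMPLE, lambda p: not tcp_port(p, 3389)) mirrors the not tcp.port == 3389 filter and leaves the DNS and FTP packets.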