Day 9 : Networking - Where is all this data going

Wireshark PCAP file analysis

Introduction

- Filtering techniques

Suppose we want every packet sent or received by the IP address 172.21.2.116. The display filter ip.addr == 172.21.2.116 shows exactly those packets: ip.addr matches either the source or the destination address, so both directions of the conversation are kept.

After applying it, the packet list contains only the matching packet(s).

Filters can also name a protocol: the filter http shows every packet Wireshark dissects as HTTP. To narrow the search to a domain name, look for that string inside the packet. For example, http contains "google.com" shows HTTP packets whose bytes contain google.com (such as a request carrying Host: www.google.com). The tighter form http.host contains "google.com" checks only the Host header field.

Filters can also target a port. To list all Remote Desktop Protocol traffic, filter on the TCP port RDP uses by default: tcp.port == 3389. As with ip.addr, tcp.port matches either the source or the destination port.

Conversely, to monitor the traffic while excluding RDP, negate the filter with the not operator (! is equivalent): not tcp.port == 3389, or !(tcp.port == 3389). Negate the whole comparison rather than writing tcp.port != 3389: because tcp.port is matched against both ports, older Wireshark releases read != as "either port differs", which is true for almost every packet and excludes nothing. Current releases define != as the negation of ==, but !(tcp.port == 3389) is unambiguous in every version.

Next, we apply the same filtering techniques to analyse traffic of several protocols: HTTP, DNS, and FTP.

- Filter HTTP requests

  • the protocol filter http shows all packets dissected as HTTP

  • http.request.method == "GET" or http.request.method == "POST" keeps only requests with that method (the string must be quoted)

  • right-click a packet > Follow > TCP Stream reassembles the full request/response conversation in one view

- DNS (port 53)

  • resolves domain names to IP addresses, so the queries in a capture reveal which names a host looked up

  • DNS runs on UDP port 53 by default and uses TCP port 53 for large responses and zone transfers

  • udp.port == 53 catches the UDP traffic; the protocol filter dns matches DNS over either transport

- FTP (port 21)

  • tcp.port == 21 shows the control channel: commands, usernames and passwords, all sent in cleartext

  • ftp-data shows the data channel that carries the transferred file contents (port 20 in active mode, an ephemeral port in passive mode)
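As an added example (not part of the original notes), the filters from the filtering section and the protocol lists above can be reproduced over a constructed capture, which makes the "either endpoint" semantics of ip.addr and tcp.port, and the != pitfall, concrete. The script writes five constructed frames into an in-memory PCAP, parses it back, and evaluates the equivalents of ip.addr == 172.21.2.116, tcp.port == 3389, not tcp.port == 3389, udp.port == 53, http contains "google.com" and tcp.port == 21. Every address other than 172.21.2.116, the MAC addresses, the payloads and the helper names are assumptions; "HTTP" is simplified to "TCP payload on port 80", which is narrower than Wireshark's dissector.

```python
"""Minimal PCAP writer/parser showing what Wireshark display filters match.
All traffic below is constructed sample data, not from a real capture."""
import struct

ETH_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def ip_bytes(addr):
    return bytes(int(o) for o in addr.split("."))


def tcp_segment(sport, dport, payload=b""):
    # 20-byte header: ports, seq, ack, data offset 5 words, flags PSH|ACK, window, csum 0, urg 0
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload


def udp_datagram(sport, dport, payload=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def frame(src, dst, proto, l4):
    # Ethernet II with placeholder MACs, then an IPv4 header (checksum left 0: constructed data)
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETH_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ip_bytes(src), ip_bytes(dst))
    return eth + ip + l4


def pcap_bytes(frames):
    # Global header: magic (little-endian, microsecond), v2.4, tz 0, sigfigs 0, snaplen, linktype 1
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f  # ts_sec, ts_usec, incl, orig
    return out


def decode_frame(f):
    """Extract the fields the display filters need, named like Wireshark's."""
    pkt = {"eth.type": struct.unpack("!H", f[12:14])[0]}
    if pkt["eth.type"] != ETH_IPV4:
        return pkt
    ihl = (f[14] & 0x0F) * 4
    proto = f[23]
    pkt["ip.src"] = ".".join(str(b) for b in f[26:30])
    pkt["ip.dst"] = ".".join(str(b) for b in f[30:34])
    l4 = f[14 + ihl:]
    if proto == PROTO_TCP:
        pkt["tcp.srcport"], pkt["tcp.dstport"] = struct.unpack("!HH", l4[:4])
        pkt["tcp.payload"] = l4[(l4[12] >> 4) * 4:]
    elif proto == PROTO_UDP:
        pkt["udp.srcport"], pkt["udp.dstport"] = struct.unpack("!HH", l4[:4])
        pkt["udp.payload"] = l4[8:]
    return pkt


def parse_pcap(data):
    magic, = struct.unpack("<I", data[:4])
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap is handled here")
    off, frames = 24, []
    while off < len(data):
        _, _, incl, _ = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        frames.append(decode_frame(data[off:off + incl]))
        off += incl
    return frames


# Display-filter equivalents. As in Wireshark, ip.addr / tcp.port / udp.port match EITHER end.
def ip_addr(p, a):   return a in (p.get("ip.src"), p.get("ip.dst"))            # ip.addr == a
def tcp_port(p, n):  return n in (p.get("tcp.srcport"), p.get("tcp.dstport"))  # tcp.port == n
def udp_port(p, n):  return n in (p.get("udp.srcport"), p.get("udp.dstport"))  # udp.port == n
def http_contains(p, s):                                                       # http contains "s"
    return tcp_port(p, 80) and s.encode() in p.get("tcp.payload", b"")         # assumption: HTTP = port 80


def ip_addr_any_ne(p, a):
    """Old-style 'ip.addr != a': true if EITHER address differs, so it excludes almost nothing."""
    return any(v != a for v in (p.get("ip.src"), p.get("ip.dst")) if v is not None)


def matching_frames(pcap, pred):
    """Return 1-based frame numbers (Wireshark's frame.number) for which pred holds."""
    return [i for i, p in enumerate(parse_pcap(pcap), 1) if pred(p)]


SAMPLE_PCAP = pcap_bytes([  # constructed traffic; only 172.21.2.116 comes from the notes
    frame("172.21.2.116", "198.51.100.5", PROTO_TCP, tcp_segment(50000, 3389)),              # 1 RDP ->
    frame("198.51.100.5", "172.21.2.116", PROTO_TCP, tcp_segment(3389, 50000)),              # 2 RDP <-
    frame("172.21.2.116", "198.51.100.53", PROTO_UDP, udp_datagram(51000, 53, b"\x12\x34")),  # 3 DNS query
    frame("192.0.2.10", "203.0.113.10", PROTO_TCP,
          tcp_segment(40000, 80, b"GET / HTTP/1.1\r\nHost: www.google.com\r\n\r\n")),        # 4 HTTP GET
    frame("192.0.2.10", "198.51.100.7", PROTO_TCP, tcp_segment(40001, 21, b"USER anonymous\r\n")),  # 5 FTP
])

if __name__ == "__main__":
    host = "172.21.2.116"
    print("ip.addr ==", host, matching_frames(SAMPLE_PCAP, lambda p: ip_addr(p, host)))
    print("tcp.port == 3389", matching_frames(SAMPLE_PCAP, lambda p: tcp_port(p, 3389)))
    print("!(tcp.port == 3389)", matching_frames(SAMPLE_PCAP, lambda p: not tcp_port(p, 3389)))
    print("udp.port == 53", matching_frames(SAMPLE_PCAP, lambda p: udp_port(p, 53)))
    print('http contains "google.com"', matching_frames(SAMPLE_PCAP, lambda p: http_contains(p, "google.com")))
    print("old ip.addr !=", host, matching_frames(SAMPLE_PCAP, lambda p: ip_addr_any_ne(p, host)))
    print("!(ip.addr ==", host + ")", matching_frames(SAMPLE_PCAP, lambda p: not ip_addr(p, host)))
```

The same SAMPLE_PCAP bytes can be written to a file and opened in Wireshark to compare: the first two filters select frames 1 to 3 and 1 to 2 respectively, while the old-style != row shows all five frames and the negated == row shows only frames 4 and 5, which is exactly why the notes recommend !(tcp.port == 3389) over tcp.port != 3389.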
