Hi everyone,
In this article we'll cover general information about networks, understand how various protocols work, and get to know and use the Wireshark software.
WHAT IS WIRESHARK? WHAT IS IT USED FOR?
Wireshark is used to examine a network's transmission speed, to troubleshoot network problems and to analyze packets. With Wireshark we can do the following:
Check data traffic being transferred in real time
Analyze network traffic
Capture every packet on the network and analyze packets captured now or earlier
Edit captured packets
Save captured packets and merge them with other captures
Filter network traffic with various filter commands
Detect VoIP calls on the network and convert them to voice
Increase the number of supported protocols with various plugins
You can download Wireshark from this link:
https://www.wireshark.org/download.html
WHAT IS A NETWORK?
We call a system in which devices are connected to each other, wired or wirelessly, a network. Computers communicate with users over networks. A LAN (Local Area Network) is a network of computers in a local area connected to each other, while a WAN (Wide Area Network) is a network of computers connected across a wide area. In this article we'll analyze network traffic.
TCP/IP MODEL STRUCTURE
TCP/IP consists of two parts, called upper and lower. The upper part is the TCP protocol and the lower part is the IP protocol. TCP splits the data into packets before transfer and reassembles them after transfer. IP routes the packets to the related network address. In this model, new protocols can easily be placed in the available layers when needed, but the model has no strict rules, so the OSI model works better than TCP/IP. The TCP/IP model consists of 4 layers.
OSI MODEL STRUCTURE
It consists of 7 layers. The OSI model sets the communication rules between computers. Unlike the TCP/IP model, the layers and their relations to each other are exactly defined, and unnecessary layers are not used, so working with the OSI model is better. But the OSI model also has drawbacks, and these complicate developing new protocols.
PROTOCOLS USED IN THE TCP/IP MODEL
ARP PROTOCOL
This protocol converts IP addresses to MAC addresses and lets computers in a local network communicate with each other. For example, when computer A wants to communicate with computer B, it looks for B in its own ARP table. If the table holds the IP and MAC addresses belonging to B, they can communicate. If there is no MAC address for B, computer A puts its own IP and MAC addresses together with B's IP address into an ARP packet and sends it to all computers on the local network as a "broadcast". We call this the "Request". Every computer that receives the request compares the IP address in the packet with its own IP address; if the addresses don't match, it does not respond to the request. The IP address in the packet belongs to computer B, so B accepts the request, takes A's IP and MAC addresses from the ARP packet and sends its own packet back to A as a "unicast". This answer is the "Reply". This way, computers A and B keep each other's IP and MAC addresses in their ARP tables.
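To make the Request/Reply exchange above concrete, here is an added Python example (not part of the original article) that builds and parses raw Ethernet/ARP frames and simulates three hosts on a LAN: A broadcasts a Request, only the owner of the target IP answers with a unicast Reply, and both sides fill their ARP tables. The host names, MAC and IP addresses are constructed.

```python
import struct
from dataclasses import dataclass, field

# Wire-format constants for Ethernet II + ARP (RFC 826).
ETH_TYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{x:02x}" for x in raw)


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def ip_str(raw):
    return ".".join(str(x) for x in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Build a 42-byte Ethernet II + ARP frame.

    A Request is sent to ff:ff:ff:ff:ff:ff (broadcast); a Reply goes straight
    to the requester's MAC (unicast), exactly the two frames described above.
    """
    eth_dst = BROADCAST_MAC if op == ARP_REQUEST else target_mac
    eth = mac_bytes(eth_dst) + mac_bytes(sender_mac) + struct.pack("!H", ETH_TYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return the fields Wireshark shows in the ARP detail pane."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        raise ValueError("not an Ethernet/ARP frame")
    op = struct.unpack("!H", frame[20:22])[0]
    return {
        "eth_dst": mac_str(frame[0:6]),
        "opcode": "request" if op == ARP_REQUEST else "reply",
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": ip_str(frame[38:42]),
    }


@dataclass
class Host:
    name: str
    mac: str
    ip: str
    arp_table: dict = field(default_factory=dict)  # ip -> mac, like the table "arp -a" prints

    def resolve(self, target_ip, lan):
        """Look in our own ARP table first; otherwise broadcast a Request."""
        if target_ip in self.arp_table:
            return self.arp_table[target_ip]
        request = build_arp(ARP_REQUEST, self.mac, self.ip, ZERO_MAC, target_ip)
        for other in lan:  # broadcast: every host on the LAN receives the frame
            if other is not self:
                reply = other.receive(request)
                if reply is not None:
                    self.receive(reply)
        return self.arp_table.get(target_ip)

    def receive(self, frame):
        """Handle one frame; return a Reply frame if we must answer, else None."""
        f = parse_arp(frame)
        if f["opcode"] == "request":
            if f["target_ip"] != self.ip:
                return None  # not our IP: stay silent
            # The owner of the IP learns the requester's mapping and answers by unicast.
            self.arp_table[f["sender_ip"]] = f["sender_mac"]
            return build_arp(ARP_REPLY, self.mac, self.ip, f["sender_mac"], f["sender_ip"])
        if f["target_mac"] == self.mac:  # a Reply addressed to us
            self.arp_table[f["sender_ip"]] = f["sender_mac"]
        return None


def demo():
    """Constructed LAN: A resolves B while C only overhears the broadcast."""
    a = Host("A", "00:11:22:33:44:aa", "192.168.1.10")
    b = Host("B", "00:11:22:33:44:bb", "192.168.1.20")
    c = Host("C", "00:11:22:33:44:cc", "192.168.1.30")
    mac_of_b = a.resolve("192.168.1.20", [a, b, c])
    return mac_of_b, dict(a.arp_table), dict(b.arp_table), dict(c.arp_table)


if __name__ == "__main__":
    print(demo())
```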
DHCP PROTOCOL
The DHCP protocol assigns dynamic IP addresses to computers. It also sends devices the DNS address, subnet mask, gateway address and Windows server addresses. For example, a computer that wants to connect to the local network checks whether a DHCP server exists by sending a DHCP Discover packet to all computers on the network. When the DHCP server receives this packet, it sends the computer a packet called "DHCP Offer" that contains the IP information and the lease time of the IP address, and asks the computer to accept or reject it. If the computer accepts, it sends a DHCP Request as a broadcast. The DHCP server receives the request and sends the IP, DNS, subnet mask, gateway and Windows server addresses to the computer in a DHCP ACK packet. This way the requesting computer joins the network.
DNS PROTOCOL
This protocol maps names to IP addresses. Thanks to this protocol, the domain to be connected to is sent by the computer to the local DNS server. If the local DNS server has already interacted with that address, it sends back its IP and the connection to the domain requested by the computer is established. (to be continued) ...........
FTP PROTOCOL
This protocol provides file transfer between server and client. A three-way handshake is established between server and client. After that, the client is checked over port 21 to see whether it is identified by the server. Once it is identified, data is transferred over port 20 according to the client's requests.
HTTP PROTOCOL
This protocol sets the data exchange rules between server and client. The client requests access to the data belonging to an address; this is called the "Request". The server checks whether the requested address exists on it and, if so, sends the data for that address to the client as the "Response". The client then shows this data to the user in a web browser.
GETTING TO KNOW THE WIRESHARK MENU
Open Wireshark. We will see this screen. Under the "Capture" title we can select the Ethernet interface whose network traffic we want to capture and watch that traffic. We can pick the interface we want under the "All interfaces shown" text. We can see the network traffic by double-clicking an interface.
We can adjust the settings to our needs via Capture > Options. There we can filter the captured packets and select all or only some of the interfaces.
We can filter the packets being captured in the "Capture Filter for Selected Interfaces" field. When we click the green button we see various filter options (capture only TCP packets, capture only UDP packets, ...).
We can manage the network interfaces with the "Manage Interfaces" button.
Now look at the "Output" tab. Under the "File" title we can write the captured network traffic to the computer, choosing "pcapng" or "pcap" as the file type. We can also stop capturing automatically when the capture reaches the size we set.
Now look at the "Options" tab. It has various options, and we can make the network traffic more understandable by configuring them however we want (for example: update the packet list in real time, hide the capture information dialog, resolve transport-layer names, resolve network names, resolve MAC addresses). Again, we can stop capturing automatically when the capture reaches the size we set.
From the "File" menu click "Open" to open files that Wireshark supports; you can then work on these files. With "Open Recent" you can open files you opened in Wireshark before.
Click "File" and then "Merge". Here you can combine previously saved traffic captures with new ones.
In the "Go" menu you can jump between packets.
In the "Telephony" menu you can listen to voice packets.
In the "Statistics" menu you can reach the statistics of the traffic.
Now look at the "Edit" menu. Under "Preferences" you can set options (change the view, look at statistics).
WIRESHARK COLORING SETTINGS
Wireshark has coloring settings that make the capture more understandable and speed up analysis. Changing colors makes our work easier. Now look at these settings: click the menu, find the "Coloring Rules" text and click it. We now see the coloring settings. These are the standard colors; we can change them.
We can add a new coloring rule by clicking "+". After adding the rule we can select the packets we want by clicking the "display filter expression" text.
For example, let's assume we are examining packets with size 0. Let's choose our filter as below and click "OK".
As you can see, our filter is now in the Filter section.
Now let's set the background and font color for these packets. Click the "Background" button below and choose your color.
Then do the same for the font color with "Foreground". Check it one last time and click "OK" to save.
TIME DISPLAY FORMAT FEATURE
Time Display Format lets us choose how the packets' timing is shown. Find "Time Display Format" in the "View" menu. We'll see a pop-up tab. We can see packets in any time format we want, for example date and time, or time only.
NAME RESOLUTION FEATURE
You can also find Name Resolution in the "View" menu. This feature lets you change MAC addresses into computer names. It also helps to see the protocol used at the transport layer, the domain names of IP addresses and the name of the remote network.
TRAFFIC CAPTURE FILTER COMMANDS
We can use various filters to work more comfortably with Wireshark. I'll show you how to reach those filters.
First, right-click the "Filter" button and click "Display Filter Expression" in the menu that opens.
Now we see all the filters we can use. You can use these for more comfortable work.
You can also get information about a filter by clicking the blue-colored shape.
CAPTURING NETWORK TRAFFIC WITH WIRESHARK
First, on the "Capture" page, find and double-click the name of the network we want to listen to.
As you can see in the photo, our packets are listed once the start button is pressed. There are 3 different panes. The first pane lists the packets and shows us everything happening on the network.
The second pane shows us detailed information (IP addresses, protocols, ...). If you want more detailed information, double-click to expand it.
The third pane shows where the selected line sits in the raw bytes: we see the network packet in "hexadecimal" format on the left and in ASCII format on the right.
If you want to stop listening, press the "stop" button. If you want to restart, click the green button next to the stop button. You can do other things from that toolbar too (jump quickly to the selected packet, turn off coloring, enlarge the text, ...).
CREATING COLUMNS AND PROFILES WITH WIRESHARK
We can set our own coloring, make filter settings and define the column layout we use when analyzing. To do these things we need to create a profile in Wireshark.
First, select the interface whose network traffic we want to follow and start the capture.
Now we don't need to look at the traffic. Click the "Profile" text and click "New" in the menu that opens.
Now we need to set a name. You can set whatever you want; I set "Profile 1". Then save.
You can manage the profile structure however you want. These settings will be kept.
Now I'll show how to create columns and how to edit columns. There are some default columns: "No", "Time", "Source", "Destination", "Protocol", "Length" and "Info". Now we'll create our own column. Move your cursor to the column header line and right-click. We'll see this menu.
Now click "Column Preferences". We'll see this menu.
As you can see, the columns and their descriptions are listed. You can edit and delete these columns, and you can also add a new column. Now we'll create a new column that shows us the source ports. First, click the plus (+) button (you can see it in the photo). Now set a name for the new column and select its type (as I said, I'll select source port). Then press "OK" to save.
As you can see, our column has been created.
WIRESHARK STATISTICS MENU
Wireshark creates statistical data about the captured traffic. We're going to look at these statistics under this heading.
SUMMARY FEATURE
With this feature you can learn about the general structure of the network traffic (such as when the first and last packets were captured, etc.). Find "Capture File Properties" in the "Statistics" menu. You can also leave a comment under "Capture File Comments".
ADDRESS RESOLUTION FEATURE
This feature shows the domain names of the IP addresses within the traffic. Find "Resolved Addresses" in the same menu.
PROTOCOL HIERARCHY FEATURE
This feature shows detailed information about the captured packets: the percentage of packets belonging to each protocol of the TCP/IP model, the structure of incoming and outgoing packets, the amount of data received, etc. Find "Protocol Hierarchy" in the same menu.
CONVERSATIONS FEATURE
This feature shows the user which machines interacted within the traffic and which protocol they used. Find "Conversations" in the same menu.
ENDPOINTS FEATURE
It shows the machines at the ends of those interactions. Find "Endpoints" in the same menu.
I/O GRAPHS FEATURE
This feature shows the user the structure of the network traffic as a graph. Find "I/O Graphs" in the same menu.
FLOW GRAPHS FEATURE
This feature shows the flow of sent and received packets. With it we can learn how every exchange was performed within the network flow. Find "Flow Graph" in the same menu.
HTTP PROTOCOL STATISTICS
With this feature we can monitor statistics about the exchanges that use the HTTP protocol. Find "HTTP" in the same menu and choose whichever item you want to see statistics for.
LOOKING AT THE THREE-WAY HANDSHAKE IN WIRESHARK
We talked about the three-way handshake earlier. Now we're going to look at it in Wireshark. I'll explain it using a .pcap file that I downloaded to my PC. First, click "Open" in the "File" menu and choose that file. The traffic in our file is displayed.
To observe the three-way handshake we only need the traffic that uses the TCP protocol. Take a closer look at these 3 lines and what happens there.
When two machines want to contact each other, the source machine that wants to connect sends a SYN packet to the target machine and sets the SEQ value to 0.
The target machine that received the SYN packet sends a SYN ACK packet and sets the ACK value to 1 to indicate that it accepted the connection.
The source machine that received the SYN ACK packet confirms the connection by sending an ACK packet to the target machine, with the SEQ and ACK values set to 1.
That's how the three-way handshake is performed, and the data exchange starts.
When a machine wants to close this connection, it sends a FIN packet to the other one.
The machine that received the FIN packet finishes the process by sending an ACK packet.
And that's how the connection is closed.
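The SEQ=0 and ACK=1 values described above are Wireshark's relative sequence numbers, not what is on the wire. The added Python example below (not from the article) reproduces that relative numbering over a constructed TCP capture with random-looking initial sequence numbers, then checks the three handshake lines and the FIN/ACK close; the addresses and ISNs are constructed.

```python
from dataclasses import dataclass


@dataclass
class Segment:
    src: str          # "ip:port" of the sender
    dst: str          # "ip:port" of the receiver
    flags: str        # e.g. "SYN", "SYN,ACK", "ACK", "FIN,ACK"
    seq: int          # absolute 32-bit sequence number on the wire
    ack: int          # absolute acknowledgement number (ignored without the ACK flag)
    payload: int = 0  # bytes of application data carried


def relative_numbers(segments):
    """Convert absolute SEQ/ACK values into Wireshark's relative numbers.

    Wireshark remembers the first sequence number it sees in each direction of
    a conversation (the ISN carried by the SYN) and subtracts it, which is why
    the three handshake lines read Seq=0, Seq=0/Ack=1 and Seq=1/Ack=1 no matter
    which random ISNs the two machines actually chose.
    """
    isn = {}  # (src, dst) -> ISN seen in that direction
    rows = []
    for s in segments:
        fwd, rev = (s.src, s.dst), (s.dst, s.src)
        isn.setdefault(fwd, s.seq)
        rel_seq = (s.seq - isn[fwd]) & 0xFFFFFFFF  # mask handles 32-bit wrap-around
        if "ACK" in s.flags and rev in isn:
            rel_ack = (s.ack - isn[rev]) & 0xFFFFFFFF
        else:
            rel_ack = 0  # no ACK flag, or the other direction was never seen
        rows.append((s.flags, rel_seq, rel_ack))
    return rows


def is_three_way_handshake(rows):
    """The three lines the text describes: SYN Seq=0, SYN,ACK Ack=1, ACK Seq=1 Ack=1."""
    return rows[:3] == [("SYN", 0, 0), ("SYN,ACK", 0, 1), ("ACK", 1, 1)]


def is_fin_acknowledged(rows):
    """A FIN from one side, then an ACK from the other that covers it (FIN takes one seq number)."""
    fin, ack = rows[-2], rows[-1]
    return "FIN" in fin[0] and "ACK" in ack[0] and ack[2] == fin[1] + 1


# Constructed capture: a client fetching 120 bytes from a web server, then closing.
CLIENT, SERVER = "10.0.0.5:49152", "198.51.100.7:80"   # constructed addresses
ISN_C, ISN_S = 0x1A2B3C4D, 0x9F8E7D6C                   # arbitrary ISNs

CAPTURE = [
    Segment(CLIENT, SERVER, "SYN", ISN_C, 0),
    Segment(SERVER, CLIENT, "SYN,ACK", ISN_S, ISN_C + 1),        # SYN consumes one seq number
    Segment(CLIENT, SERVER, "ACK", ISN_C + 1, ISN_S + 1),
    Segment(CLIENT, SERVER, "PSH,ACK", ISN_C + 1, ISN_S + 1, payload=120),
    Segment(SERVER, CLIENT, "ACK", ISN_S + 1, ISN_C + 121),
    Segment(CLIENT, SERVER, "FIN,ACK", ISN_C + 121, ISN_S + 1),
    Segment(SERVER, CLIENT, "ACK", ISN_S + 1, ISN_C + 122),      # FIN also consumes one seq number
]


if __name__ == "__main__":
    for flags, seq, ack in relative_numbers(CAPTURE):
        print(f"{flags:8} Seq={seq} Ack={ack}")
```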
ANALYZING ARP PROTOCOL PACKETS
Remember that ARP is the protocol that converts IP addresses into MAC addresses. You can see your ARP table by entering this command in CMD.
Now let's see this process in Wireshark. Choose your interface from "Capture", then filter only "ARP".
As you can see, the "Broadcast" one comes first. It asks, by broadcast, for the MAC address of the IP address identified in the sender information section. As I mentioned earlier, we call this process the "Request". Here it is:
Let's see the response to that request. The server specifies the IP address of the client it wants to connect to and says "whoever has this IP address, send me your MAC address". We can see it in the Info column. And here is the detailed one (with sender and target IP and MAC addresses, protocol type, etc.):
ANALYZING DHCP PROTOCOL PACKETS
We know that this protocol automatically gives several addresses to a machine that connects to the network. Under this title we're going to examine DHCP protocol packets. Let's see what our IP address is:
Then choose our interface in Wireshark. The traffic starts being listed.
Now we need to release our IP address.
And then we need to renew it.
After getting the new IP address, go back to Wireshark and filter "bootp".
At the top we can see the traffic that happened when we released our IP address. Below that we can see the request coming in from port 68 and the data sent from port 67.
Here the client asked for an IP address by sending a DHCP Discover packet. The DHCP server that received this packet sent a DHCP Offer packet back. As you know, the DHCP Offer packet is the one that provides several addresses to the client. Let's examine this packet and see the provided addresses: click the DHCP Offer line and look at the details.
Here they are: subnet mask, router address, time offset and IP address.
And look at the one below, where the DHCP Request is sent. This packet shows that the client accepted the offer sent by the DHCP server. The DHCP ACK packet then assigns the offered information to the client.
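As an added example (not part of the article), the Python code below constructs a DHCP Offer carrying the options just listed (subnet mask, router, time offset, lease time and the offered IP) and parses it back the way the Wireshark detail pane lists them, rejecting a truncated option list. All addresses, the transaction id and the lease values are constructed.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of the DHCP options (RFC 2131)
MESSAGE_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 5: "ACK", 6: "NAK", 7: "Release"}
OPTION_NAMES = {1: "subnet_mask", 2: "time_offset", 3: "router", 6: "dns_server",
                51: "lease_time", 53: "message_type", 54: "server_id"}


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def ip_str(raw):
    return ".".join(str(x) for x in raw)


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{x:02x}" for x in raw)


def build_dhcp_offer(xid, client_mac, your_ip, server_ip, mask, router, dns, lease, time_offset):
    """Constructed DHCP Offer as the server sends it from UDP port 67 to port 68."""
    # Fixed BOOTP header (236 bytes): op=2 BOOTREPLY, htype=1 Ethernet, hlen=6, hops=0,
    # xid, secs, flags, ciaddr, yiaddr (the offered address), siaddr, giaddr, chaddr, sname, file
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)
    hdr += bytes(4) + ip_bytes(your_ip) + ip_bytes(server_ip) + bytes(4)
    hdr += mac_bytes(client_mac) + bytes(10) + bytes(64) + bytes(128)
    opts = MAGIC_COOKIE
    opts += bytes([53, 1, 2])                               # DHCP Message Type: Offer
    opts += bytes([54, 4]) + ip_bytes(server_ip)            # Server Identifier
    opts += bytes([51, 4]) + struct.pack("!I", lease)       # IP Address Lease Time (seconds)
    opts += bytes([1, 4]) + ip_bytes(mask)                  # Subnet Mask
    opts += bytes([3, 4]) + ip_bytes(router)                # Router
    opts += bytes([6, 4]) + ip_bytes(dns)                   # Domain Name Server
    opts += bytes([2, 4]) + struct.pack("!i", time_offset)  # Time Offset (signed seconds from UTC)
    opts += bytes([255])                                    # End
    return hdr + opts


def decode_option(code, data):
    if code == 53:
        return MESSAGE_TYPES.get(data[0], f"type {data[0]}")
    if code in (1, 54):
        return ip_str(data[:4])
    if code in (3, 6):  # may carry several routers / DNS servers, 4 bytes each
        return [ip_str(data[j:j + 4]) for j in range(0, len(data) - 3, 4)]
    if code == 51:
        return struct.unpack("!I", data[:4])[0]
    if code == 2:
        return struct.unpack("!i", data[:4])[0]
    return data.hex()  # anything else: keep the raw bytes as hex


def parse_dhcp(msg):
    """Parse the fixed header and the TLV options, as the Wireshark detail pane lists them."""
    if len(msg) < 240 or msg[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (magic cookie missing)")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", msg[:8])
    fields = {
        "op": "Boot Reply" if op == 2 else "Boot Request",
        "xid": xid,
        "your_ip": ip_str(msg[16:20]),
        "client_mac": mac_str(msg[28:28 + hlen]),
    }
    i = 240
    while i < len(msg):
        code = msg[i]
        if code == 255:  # End option
            break
        if code == 0:    # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(msg) or i + 2 + msg[i + 1] > len(msg):
            raise ValueError(f"truncated option {code}")
        length = msg[i + 1]
        data = msg[i + 2:i + 2 + length]
        fields[OPTION_NAMES.get(code, f"option_{code}")] = decode_option(code, data)
        i += 2 + length
    return fields


# Constructed example offer for a client on a /24 network.
OFFER = build_dhcp_offer(0x3903F326, "00:11:22:33:44:55", "192.168.1.100",
                         "192.168.1.1", "255.255.255.0", "192.168.1.1",
                         "192.168.1.1", 86400, 10800)

if __name__ == "__main__":
    for k, v in parse_dhcp(OFFER).items():
        print(f"{k}: {v}")
```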
ANALYZING DNS PROTOCOL PACKETS
DNS is the protocol that converts website domains to IP addresses. Now we're going to examine it in Wireshark. Enter the command below to see the websites you've visited. Here's the entry for turkhackteam, for example.
Now let's clear our browser cache.
Now check the table again.
We can no longer see THT's IP address. Run Wireshark and ping the website from CMD.
We sent a request to the website. Let's see what happened in Wireshark. Filter "dns" and look. We can see the query first; then the server responded and converted the domain to an IP. Here is the detailed version:
ANALYZING HTTP PROTOCOL PACKETS
This protocol works at the application layer and uses the TCP protocol at the transport layer.
Let's say you visited a website. The TCP protocol runs first: the three-way handshake is performed when the protocol is triggered. If the three-way handshake succeeds, the connection is established and the visit request is sent to the server with the HTTP protocol. After that, the server starts sending data. It's possible to see this process in Wireshark.
FOLLOW TCP/UDP STREAM FEATURE
We can follow TCP/UDP streams with the Follow TCP/UDP Stream feature in Wireshark. This feature makes the streaming traffic in Wireshark more understandable. Based on everything we've learned up to this heading, we can say it would be very confusing for someone unfamiliar with it to understand the TCP/IP protocol structure flowing over the network in Wireshark. When we want to examine the flowing traffic without a packet filter, we know it's going to be very hard even if we're familiar with the TCP/IP protocol structure. I'll show you how to make the streaming traffic more understandable, and our traffic will be shown graphically. Now continue,
I opened a "pcap" file in Wireshark, right-clicked a traffic stream that uses the TCP protocol and clicked the "Follow TCP/UDP Stream" text.
Now a page opens. On this page you can see the TCP stream in different formats, and you can reach the source code of the website you browsed. You can save this traffic with "Save As".
EXPORT OBJECTS FEATURE
You can identify a file within the traffic stream, and you can save that file in whatever format you want.
To use this feature, click the "File" menu and select "Export Objects". After selecting it you will see a page; select "HTTP" on that page.
After that you will see a new page. You can see the real formats of the files in the traffic stream, and you can also save them.
DECRYPTING SSL TRAFFIC
Under this title we'll try to decrypt network traffic that was encrypted with the SSL protocol. To decrypt it we need the SSL key. I downloaded pcap and key files from the Internet. Now we'll open our pcap file. It opens,
Open the "Edit" menu and click the "Preferences" option.
Now select "RSA Key" (you can see it in the left bar), press the "Add New Key File" button, select our .key file and press OK.
Open the "File" menu and click "Export Objects". Now press the "HTTP" text. You can see the decrypted data and save it.
DISPLAYING THE SSL CERTIFICATE INSIDE SSL PACKETS
Now we're going to get the website's SSL certificate from the SSL packets we display. It's enough to filter "SSL".
Then click on a packet, it doesn't matter which one, and look at the "Certificate" info.
Right-click "Certificate: ..." and choose "Export Packet Bytes".
Then it asks where to save it. Choose anywhere and save it with a ".crt" or ".cer" extension. Then open the saved file. Here is what mine looks like.
CONVERTING VOIP PACKETS TO VOICE
Let me talk about the RTP protocol and VoIP first. The RTP protocol is used for end-to-end transport in communication that involves media exchange. VoIP is the IP-based structure used for voice calls over the Internet. In this protocol, voice is sent to the other side as packets, and this title is about converting those packets back to voice.
First of all, we need to see the traffic that has the RTP structure. I opened an example .pcap file for the RTP protocol.
Then find RTP -> RTP Streams in the "Telephony" menu.
We have two different voice streams.
Choose one and click "Analyze".
We should see a screen like this. Just hit "Play Streams".
We got the voice back from the packets here. Click "Play" to listen to it. We can even check the voice's date and time.
EXPERT INFO FEATURE
This feature shows users data such as warnings or notes about the packets captured from the network traffic. To use this feature, a capture needs to have been performed. When that's done, we can see the messages and their sources. Click the icon I show in the screenshot below.
A new screen is displayed now. This is the warning message.
You can see that it's a bit detailed, too. If there is more than one of these messages, click one of them to see its details. We can even filter these messages: click the "Show" button and choose whatever you want.
MERGING CAPTURED TRAFFIC FLOWS
With this process we're going to merge separately captured traffic flows into one file. Open your .pcap file first.
Then find "Merge" in the "File" menu to merge it with the other one.
When we click Open, the two captures are now merged in Wireshark.
Now let's save the merged capture as one file. Find "Save As" in the "File" menu, choose your folder, enter the name and click "OK". Now they are in one .pcap file.
That's all we can give. Take care!
Credit: M3m0ry & R4V3N
Original: Click Me ! 'blackcoder
In this article, We'll Include general informations about Network. We'll understand various protocols workness logic. We'll know and use " WireShark" software.
WHAT IS WIRESHARK ? USING FOR WHICH PURPOSES ?
Wireshark Is using on, network's transmission speed, on network problems and analyz to packages. We can do these processes with WireShark software;
Checking to transferring data trafic in real-time
Analyse network traffic
Capturing network's every packages and analyzing these packages that captured now or earlier.
Ability to edit captured packages
Save that captured packages and combine with other packages
Filtering network traffic with various commands
Determine VoIP calls on network and convert them to voice
Help with various plugins to increase protocol number's
You can download WireShark software in this link;
https://www.wireshark.org/download.html
WHAT IS NETWORK ?
We call the system that devices connect to each other wired or wireless as Network. Computers can contant with users by using networks. LAN (stands for Local Area Network) is a kind of network that computers in local areas created and connected to each other, but on the other hand WAN (stands for Wide Area Network) is another kind of network that computers in wide areas created and connected to each other. In this article we'll analyse network trafiic.
TCP/IP MODEL STRUCTURE
TCP/IP consists of 2 parts call upper and lower. Upper part calls TCP protocol, lower part calls IP protocol. TCP protocol provides split packages that data before transferring. After transferring, it provides combine again. IP part provides the redirecting packages to related network address. In this model, If we need that new protocols can easily place in avaible layers. But It hasn't got solid rules. So OSI model works better than TCP/IP. TCP/IP model consist 4 layers.
OSI MODEL STRUCTURE
It consists 7 layers. OSI model, setsc ommunication rules between computers. Unlike TCP/IP model, layers' and their relation with each other exactly defined. Unnecessary layers aren't using in this model. So working with OSI model is better. But OSI model has some bad things. These bad things complicates developing new protocols.
USING PROTOCOLS IN TCP/IP MODEL
ARP PROTOCOL
This protocol provides, convert IP address to MAC address. In provides, computers' communication with each other in local network. For example; When A computer want to communicate with B computer, It looks B computer's ARP table. In this table If there are IP and MAC addresses belong to B in table, they can communicate. But If there aren't any MAC address belong to B (computer), A (computer) his IP and MAC address and B computer's IP address' collect in ARP package and sends too all computers as " broadcast " in local network. We are calling that " Request ". All computers that received the request compare IP address which came with package with their own IP address. If IP addresses dont pair, there'ld be no response to request. IP address which in package is belong to B computer. So, B computer accepts this request and get A computer's IP and MAC addresses in ARP package and sends this package to A computer as " unicost ". Replying this message is "Reply". By this means A and B computers' keep each others IP and MAC addresses in their ARP tables.
DHCP PROTOCOL
DHCP protocol provides appoint dynamic IP addresses to computers. Also, this protocol send to devices DNS address, Submask address, Gateway address and sends windows server addresses. For example; Computers, which want to connect to local network, check to existence of DHCP server, sends DHCP Discover package to all computers on network. When DHCP server received this package, sends a package called 'DHCP Offer' that contains IP informations and IP address's exposure time to the computer that sent the package and asks to computer to accept or reject. If computer accepts this package, computer send DHCP request as broadcast. DHCP server gets request and IP, DNS, Submask, Gateway and windows server address send to computer as DHCP ACK package. By this means, request sender computer joins to network.
DNS PROTOCOL
This procotocol provides entitle to IP addresses. Thanks to this protocol, domain to be connected is send to local DNS server by computer. If local DNS server has been interacted with sended IP address, sends its IP and create communitication with domain adress of request sender computer. ( D E V A M I V A R ) ...........
FTP PROTOCOL
This protocol provides file transfer between server and client. Three way handshake is created between server and client. After that, client is checked over port 21 if it's identified through server or not. If it won't identify, data will transfer over port 20 in order to client's requests
HTTP PROTOCOL
This protocol sets data exchange rules between server and client. Client requests access to datas belong to address. It is called " Request ". Server checks if this incoming address exist in itself or not. if is that so, it sends datas about address to client as 'Response'. By this means client shows to users these datas with various web browsers.
KNOW TO WIRESHARK MENU
Open Wireshark software. We will see this screen. There is " Capture " title. We can select ethernet which we want to capture netowork traffic and we can watch network traffic. We can select interface which we want on " All interfaces shown " text. We can see network traffics with double click on interfaces.
We can set settings to ourselves with watching Capture > Options way. We can filter captured network packages and we can select interfaces all of or partially.
We can filter to capturing packages in " Capture Filter Seelcted Interfaces " text. We can see various filter options when we click on green button. (Capture only TCP packages, capture only UPD packages...)
We can manage network interfaces with " Manage Interface " text
Now look to " Output " text. We can transfer captured network traffic to computer on " File " title. And we can select the file type of " pcapng " or " pcap ". Also we can stop the capturing network traffic automatically when these packages reached the size which we setted.
Now look " Options " text. We can see varios options in it. We can make network traffic more understanable by configuring these settings however we want.(For example; Activate to real time package capturing, hiding capturing network traffic information, parsing name of movement layer, parsing name of network, parsing netwok name, parsing MAC address').Again, we can stop the capturing network traffic automatically when these packages reached the size which we setted.
Click "File" menu and click "Open" text, you can open files which is supporting from WireShark. If you want to processing on these files, you can do. You can open old files which you opened on WireShark with "Open Recent" option.
Click "File" and "Merge". You can combine saved old traffic flows and new traffic flows in this page.
On "Go" menu, you can make transitions in packages.
You can listen packages in "Telepgony" menu.
You can reach statistics belong to traffic flows in "Statistics" menu.
Now look to "Edit" page. You can set options in "Prefences" text. (You can change view, You can look statistics)
WIRESHARK COLORING SETTINGS
There are some coloring settings on WireShark for make more understandable and speed up to analyze grapic. Changing color is providing to us easiness. Now look these settings. Clicl the Menu text. Find the "Coloring Rules" text and click it. And we are seeing coloring setting. These colors is a standart colors. They can change from us.
We can add new coloring filter with clicking "+". After selecting filter, we can select filter package which we want with clicking "display filter expression" text.
For example, let's assume that we're examining packages that has size 0. Let's choose our package like below and click "OK".
As you can see, our package is in Filter section now.
Now let's set background and font color of this package. Click on "Background" button below there and choose your color.
Then, do the same process for font color from "Foreground". Check it one last time and click "OK" to save it.
FEATURE OF TIME DISPLAY FORMAT
Time Display Format prodives packages are chosen as timing structures. Find "Time Display Format" from "View" menu. We'll see a pop-up tab. We can see packages as any time frame we want. For example, date and time based or only time based..
FEATURE OF NAME RESOLUTION
You can find Name Resolution from "View" menu, too. This feature allows you to change MAC addresses to computer names. Also it helps to see protocol structure that transport layer used, domain addresses of IP addresses, and name of remote network.
COMMANDS OF TRAFFIC PACKAGE CAPTURING FILTER
We can use various filters to more confortable use for WireShark. I'll show you how to reach that filters.
First, right click on "Filter" button. And click "Display Filter Expression" on that opened menu.
Now we are seeing all filters of we can use. You can use these for comfortable using.
Also, you can get information about filters with clicking blue colored shape.
CAPTURING TNETWORK TRAFFIC WITH USING WIRESHARK
First, we'll click find and double click to network name which we want to listen on "Capture" page.
As you can see on photo, our packages is listing with start button. There are 3 diffrent parts. First part shows listing packages and shows all procceses on network to us.
Second part shows detailed informations (IP addresses, protocols..) to us. If you want to get detailed informations, you can double click for see them.
And third part shows localation of starting (line) to selected line. We can see netowork package "hexadecimal" format on the left, we can see ASCII format on the right.
If you want to listening, you can press "stop" button. If you want to restart, you can click "green button" near the stop button. You can do other processes in that menu too. (go to selected package fastly, stop coloring settings, enlarge texts...)
CREATING COLUMNS AND PROFILES IN WIRESHARK
We can set our own coloring rules, filter settings and the column layout used during analysis. These settings live in a configuration profile, so the first step is to create a profile in Wireshark.
First, select the interface whose traffic we want to follow and start the capture.
We do not need the traffic itself for this. Click the "Profile" label at the right of the status bar and choose "New" from the menu that opens.
Now set a name; anything you like. I set "Profile 1". Save it.
From now on the profile keeps whatever layout, filters and coloring rules you configure, and you can switch between profiles from the same status bar label.
Next, creating and editing columns. The default columns are "No.", "Time", "Source", "Destination", "Protocol", "Length" and "Info". To add our own, move the cursor over the column header row and right-click. The menu in the photo appears.
Click "Column Preferences". The window in the photo appears.
It lists the existing columns with their titles and field types; you can edit, reorder or delete them, and add new ones. We will add a column that shows the source port. Click the plus ( + ) button (see the photo), give the new column a name, and set its type to "Src port (unresolved)". Press "OK" to save. A quicker way to the same result is to right-click any field in the packet details pane and choose "Apply as Column".
As you can see, our column has been created.
WIRESHARK STATISTICS MENU
Wireshark computes statistics about the captured traffic. We look at them under this heading; all of them are in the "Statistics" menu.
FEATURE OF SUMMARY
This gives the general shape of the capture: when the first and last packets were captured, the elapsed time, the number of packets and bytes, the average rate, the interface and capture filter used, and so on. Find "Capture File Properties" in the "Statistics" menu. The same dialog has a "Capture file comments" box where you can leave a note that is saved with the file (in pcapng format).
FEATURE OF RESOLVED ADDRESSES
This lists the names Wireshark has resolved for the addresses in the capture: host names for IP addresses, vendor names for MAC addresses and service names for ports. Find "Resolved Addresses" in the same menu.
FEATURE OF PROTOCOL HIERARCHY
This shows the protocols in the capture as a tree that follows the TCP/IP layers (Ethernet, then IPv4/IPv6, then TCP/UDP, then the application protocols), with the number and percentage of packets and bytes at each level. It is the quickest way to see what the traffic is made of. Find "Protocol Hierarchy" in the same menu.
FEATURE OF CONVERSATIONS
This lists each pair of machines that talked to each other in the capture and the protocol they used (one tab per layer: Ethernet, IPv4, TCP, UDP), with packet and byte counts in each direction and the duration. Find "Conversations" in the same menu.
FEATURE OF ENDPOINTS
This lists every single address seen in the capture (rather than pairs) with the packets and bytes it sent and received, so you can spot the busiest hosts. Find "Endpoints" in the same menu.
FEATURE OF I/O GRAPHS
This plots packets or bytes per time interval as a graph, and each graph line can have its own display filter, so you can compare, say, total traffic against DNS traffic over time. Find "I/O Graphs" in the same menu.
FEATURE OF FLOW GRAPHS
This draws the packets as a sequence diagram: one column per host and one arrow per packet, in time order, so you can follow how each exchange on the network proceeded. Find "Flow Graph" in the same menu.
HTTP PROTOCOL STATISTICS
These are statistics about HTTP traffic: packet counters by request method and response code, the requests per host, and the load distribution. Find "HTTP" in the same menu and choose the statistic you want to see.
LOOKING AT THE THREE-WAY HANDSHAKE IN WIRESHARK
We talked about the three-way handshake earlier. Now we will look at it in Wireshark. I will explain it using a .pcap file that I downloaded to my PC. First, choose "Open" from the "File" menu and select the file. The traffic in the file is displayed.
We only need TCP traffic to observe the handshake, so filter with "tcp" (or, for just the SYN packets, "tcp.flags.syn == 1"). Take a closer look at these three lines and what happens in them.
When two machines want to talk, the source machine that wants to connect sends a SYN packet to the target machine. Wireshark shows its SEQ value as 0.
The target machine that received the SYN sends a SYN, ACK packet back, with SEQ 0 and ACK 1, to signal that it accepts the connection.
The source machine that received the SYN, ACK confirms the connection by sending an ACK packet to the target with SEQ 1 and ACK 1.
That is how the three-way handshake is performed, and data exchange can begin. Note that the 0 and 1 values are relative sequence numbers: by default Wireshark subtracts each side's initial sequence number, which is really a random 32-bit value, so that the handshake is easy to read. You can switch this off under Edit > Preferences > Protocols > TCP ("Relative sequence numbers") to see the raw values.
When a machine wants to close the connection, it sends a FIN packet (shown as FIN, ACK) to the other side.
The machine that received the FIN acknowledges it with an ACK and then sends its own FIN, ACK, which the first machine acknowledges in turn, so a normal close takes four packets. A connection can also be torn down abruptly with a single RST packet.
And that is how the connection is closed.
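The handshake above, as an added example that is not part of the original article: the Python script below (standard library only) builds three constructed TCP segments with made-up addresses and arbitrary initial sequence numbers, parses them back the way the dissector does, and recomputes the relative sequence numbers Wireshark displays, so you can see why the list reads 0, then 0/1, then 1/1 even though the raw numbers are large. It also includes the start of a FIN teardown. The addresses, ports, MACs and sequence numbers are assumptions chosen for the example.

```python
import struct

# Constructed sample values for this example (not taken from the article's capture).
CLIENT = ("192.168.1.10", 51000)
SERVER = ("93.184.216.34", 80)
CLIENT_MAC = bytes.fromhex("001122334455")
SERVER_MAC = bytes.fromhex("66778899aabb")
CLIENT_ISN = 0x1A2B3C4D   # arbitrary initial sequence numbers; a real stack picks random ones
SERVER_ISN = 0x7F00E1E2

# Wireshark prints flags in this order, e.g. "[SYN, ACK]" and "[FIN, ACK]".
FLAG_BITS = (("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04), ("PSH", 0x08), ("ACK", 0x10))


def ip_bytes(addr):
    return bytes(int(o) for o in addr.split("."))


def build_segment(src_mac, dst_mac, src, dst, seq, ack, flags):
    """Ethernet II + IPv4 + TCP header with no options or payload.
    Checksums are left at zero; Wireshark would flag that, a real stack fills them in."""
    tcp = struct.pack("!HHIIBBHHH", src[1], dst[1], seq, ack, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     ip_bytes(src[0]), ip_bytes(dst[0]))
    return dst_mac + src_mac + b"\x08\x00" + ip + tcp


def parse_segment(frame):
    """Pull out the fields the packet list shows: endpoints, flags, raw seq and ack."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:]
    sport, dport, seq, ack, _off, flags = struct.unpack("!HHIIBB", tcp[:14])
    names = [name for name, bit in FLAG_BITS if flags & bit]
    return {"src": (".".join(map(str, ip[12:16])), sport),
            "dst": (".".join(map(str, ip[16:20])), dport),
            "seq": seq, "ack": ack, "flags": names}


def relative_rows(frames):
    """Rebuild Wireshark's default 'relative sequence numbers' view: the SYN of each direction
    defines that direction's zero point, so the handshake reads Seq=0 / Seq=0 Ack=1 / Seq=1 Ack=1."""
    isn = {}      # (src, dst) -> initial sequence number seen in that direction's SYN
    rows = []
    for frame in frames:
        p = parse_segment(frame)
        fwd, rev = (p["src"], p["dst"]), (p["dst"], p["src"])
        if "SYN" in p["flags"]:
            isn[fwd] = p["seq"]
        rel_seq = (p["seq"] - isn[fwd]) & 0xFFFFFFFF if fwd in isn else None
        rel_ack = (p["ack"] - isn[rev]) & 0xFFFFFFFF if "ACK" in p["flags"] and rev in isn else None
        rows.append({"src": p["src"], "dst": p["dst"],
                     "info": "[" + ", ".join(p["flags"]) + "]", "seq": rel_seq, "ack": rel_ack})
    return rows


def is_three_way_handshake(rows):
    """True when the first three rows are SYN, SYN/ACK, ACK between the same two endpoints
    and each acknowledgement number is exactly the other side's sequence number plus one."""
    if len(rows) < 3:
        return False
    a, b, c = rows[:3]
    return (a["info"] == "[SYN]" and a["seq"] == 0
            and b["info"] == "[SYN, ACK]" and b["src"] == a["dst"] and b["dst"] == a["src"]
            and b["seq"] == 0 and b["ack"] == 1
            and c["info"] == "[ACK]" and c["src"] == a["src"] and c["seq"] == 1 and c["ack"] == 1)


# The exchange as the article describes it, followed by the start of the teardown.
SAMPLE_FRAMES = [
    build_segment(CLIENT_MAC, SERVER_MAC, CLIENT, SERVER, CLIENT_ISN, 0, 0x02),                   # SYN
    build_segment(SERVER_MAC, CLIENT_MAC, SERVER, CLIENT, SERVER_ISN, CLIENT_ISN + 1, 0x12),      # SYN, ACK
    build_segment(CLIENT_MAC, SERVER_MAC, CLIENT, SERVER, CLIENT_ISN + 1, SERVER_ISN + 1, 0x10),  # ACK
    build_segment(CLIENT_MAC, SERVER_MAC, CLIENT, SERVER, CLIENT_ISN + 1, SERVER_ISN + 1, 0x11),  # FIN, ACK
    build_segment(SERVER_MAC, CLIENT_MAC, SERVER, CLIENT, SERVER_ISN + 1, CLIENT_ISN + 2, 0x10),  # ACK of the FIN
]

if __name__ == "__main__":
    for row in relative_rows(SAMPLE_FRAMES):
        print(f'{row["src"][0]}:{row["src"][1]} -> {row["dst"][0]}:{row["dst"][1]} '
              f'{row["info"]} Seq={row["seq"]} Ack={row["ack"]}')
    print("handshake ok:", is_three_way_handshake(relative_rows(SAMPLE_FRAMES)))
```

Run it as a script to print the packet-list view. The FIN consumes one sequence number just like the SYN did, which is why the final ACK shows Ack=2.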
ANALYZING ARP PROTOCOL PACKETS
Remember that ARP is the protocol that maps IPv4 addresses to MAC addresses on the local network. You can see your machine's ARP table by entering this command in CMD:
Kod:
arp -a
Now let's watch the process in Wireshark. Choose your interface under "Capture", then filter with "arp".
As you can see, the first packet has "Broadcast" as its destination: the machine that wants to reach an IP address does not know the MAC address yet, so it asks every host on the segment at once. I mentioned this earlier; this packet is the "Request", and in the Info column it reads "Who has <target IP>? Tell <sender IP>". Here it is:
Let's look at the response. The host that owns the requested IP address answers directly (unicast) to the asking machine with "<IP> is at <MAC>", as you can see in the Info column, and the asking machine stores that mapping in its ARP table. Here is the detailed view (with sender and target IP and MAC addresses, hardware and protocol types, and the opcode):
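The request and reply described above, as an added example that is not part of the original article: the Python script below builds a constructed ARP request and two replies with made-up addresses, decodes them into the same Info text Wireshark shows, and replays them through a tiny ARP cache like the one "arp -a" prints. The second reply claims the same IP with a different MAC, which is the situation Wireshark reports as "Duplicate IP address detected". All addresses are assumptions for the example.

```python
import struct

BROADCAST_MAC = b"\xff" * 6
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def ip_str(b):
    return ".".join(map(str, b))


def ip_bytes(s):
    return bytes(int(o) for o in s.split("."))


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet frame carrying an ARP message for IPv4 over Ethernet.
    A request goes to the broadcast MAC, because the answer's MAC is exactly what is unknown;
    a reply goes unicast to the requester."""
    dst = BROADCAST_MAC if opcode == ARP_REQUEST else mac_bytes(target_mac)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, opcode,
                      mac_bytes(sender_mac), ip_bytes(sender_ip),
                      mac_bytes(target_mac), ip_bytes(target_ip))
    return dst + mac_bytes(sender_mac) + b"\x08\x06" + arp


def parse_arp(frame):
    """Decode the fields the details pane shows and build Wireshark's Info text."""
    if frame[12:14] != b"\x08\x06":
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not IPv4-over-Ethernet ARP")
    p = {"eth_dst": mac_str(frame[0:6]), "op": op,
         "sender_mac": mac_str(smac), "sender_ip": ip_str(sip),
         "target_mac": mac_str(tmac), "target_ip": ip_str(tip)}
    if op == ARP_REQUEST:
        p["info"] = f"Who has {p['target_ip']}? Tell {p['sender_ip']}"
    elif op == ARP_REPLY:
        p["info"] = f"{p['sender_ip']} is at {p['sender_mac']}"
    else:
        p["info"] = f"ARP opcode {op}"
    return p


def replay(frames):
    """Feed the frames through a tiny ARP cache, the way the asking host builds the table that
    'arp -a' prints. Only replies are learned. A reply that changes an existing entry is recorded
    as a conflict: either two hosts really share the address, or someone is answering for an IP
    that is not theirs, which is what ARP spoofing looks like in a capture."""
    table, conflicts = {}, []
    for frame in frames:
        p = parse_arp(frame)
        if p["op"] != ARP_REPLY:
            continue
        known = table.get(p["sender_ip"])
        if known is not None and known != p["sender_mac"]:
            conflicts.append((p["sender_ip"], known, p["sender_mac"]))
        table[p["sender_ip"]] = p["sender_mac"]
    return table, conflicts


# Constructed sample exchange (addresses are made up): a host asks for the gateway's MAC,
# the gateway answers, then a second machine answers for the same IP with another MAC.
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, "00:11:22:33:44:55", "192.168.1.10", "00:00:00:00:00:00", "192.168.1.1"),
    build_arp(ARP_REPLY, "aa:bb:cc:dd:ee:01", "192.168.1.1", "00:11:22:33:44:55", "192.168.1.10"),
    build_arp(ARP_REPLY, "aa:bb:cc:dd:ee:02", "192.168.1.1", "00:11:22:33:44:55", "192.168.1.10"),
]

if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        p = parse_arp(frame)
        print(f"{p['sender_mac']} -> {p['eth_dst']}  {p['info']}")
    table, conflicts = replay(SAMPLE_FRAMES)
    print("table:", table)
    print("conflicts:", conflicts)
```

Note that a plain host accepts the last reply it hears, which is why the cache ends up with the second MAC; only the conflict list tells you something changed.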
ANALYSING DHCP PROTOCOL PACKETS
We know that DHCP is the protocol that automatically gives a machine joining the network its IP address, together with the subnet mask, default gateway, DNS servers and similar settings. Under this title we examine DHCP packets. Let's first see our current IP address:
Kod:
ipconfig
Then choose our interface in Wireshark, so that the traffic starts to be listed.
Now we need to release our IP address:
Kod:
ipconfig /release
And then request a new one:
Kod:
ipconfig /renew
After the new IP address arrives, go back to Wireshark and filter with "bootp" (in Wireshark 3.0 and later the dissector was renamed, so use "dhcp" there).
At the top we see the DHCP Release that was sent when we gave up our IP address. Below it we see the exchange between the client, which sends from UDP port 68, and the server, which answers from UDP port 67.
Here the client asked for an IP address by broadcasting a DHCP Discover packet (from 0.0.0.0, since it has no address yet). The DHCP server that received it replied with a DHCP Offer packet. As you know, the Offer is the packet that proposes an address and the other settings to the client. Let's examine it and see what was offered. Click the DHCP Offer line and look at the details.
Here they are: the offered IP address in the "Your (client) IP address" field, and in the options the subnet mask, the router (default gateway), the lease time and the DNS server.
Then check the DHCP Request below it. With this packet the client tells the server that it accepts the offer (it repeats the offered address and the server identifier in its options). The server confirms with a DHCP ACK packet, and from that moment the address and the offered settings are assigned to the client.
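The Discover, Offer, Request, ACK exchange above, as an added example that is not part of the original article: the Python script below builds a constructed four-packet DHCP transaction with made-up addresses, decodes the BOOTP header and walks the option list the way the dissector does (pad and end options included), and follows the transaction ID to report what the client is finally assigned. The UDP layer (68 to 67) is not built here; only the DHCP payload is. Addresses, lease time and transaction ID are assumptions for the example.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
CLIENT_PORT, SERVER_PORT = 68, 67          # Wireshark shows 68 -> 67 for client packets
BOOTREQUEST, BOOTREPLY = 1, 2
MSG_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 4: "Decline", 5: "ACK", 6: "NAK", 7: "Release"}
IP_OPTIONS = {1: "Subnet Mask", 3: "Router", 50: "Requested IP Address", 54: "DHCP Server Identifier"}
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"     # 236-byte BOOTP header, then the cookie and options


def ip_bytes(a):
    return bytes(int(o) for o in a.split("."))


def ip_str(b):
    return ".".join(map(str, b))


def build_dhcp(op, msg_type, xid, client_mac, yiaddr="0.0.0.0", options=()):
    """Build a DHCP message: BOOTP header, magic cookie, option 53, further options, end (255)."""
    header = struct.pack(HEADER_FMT, op, 1, 6, 0, xid, 0, 0x8000, b"\0" * 4, ip_bytes(yiaddr),
                         b"\0" * 4, b"\0" * 4, client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = bytes([53, 1, msg_type])
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return header + MAGIC_COOKIE + body + b"\xff"


def parse_dhcp(payload):
    """Decode the header fields and walk the options like the dissector does:
    0 is a one-byte pad, 255 ends the list, everything else is code, length, value."""
    fields = struct.unpack(HEADER_FMT, payload[:236])
    if payload[236:240] != MAGIC_COOKIE:
        raise ValueError("no DHCP magic cookie; plain BOOTP or not DHCP at all")
    msg = {"op": fields[0], "xid": fields[4], "yiaddr": ip_str(fields[8]),
           "chaddr": fields[11][:fields[2]].hex(":"), "message_type": None, "options": {}}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        i += 2 + length
        if code == 53:
            msg["message_type"] = MSG_TYPES.get(value[0], value[0])
        elif code in IP_OPTIONS:
            msg["options"][IP_OPTIONS[code]] = ip_str(value)
        elif code == 6:
            msg["options"]["Domain Name Server"] = [ip_str(value[k:k + 4]) for k in range(0, length, 4)]
        elif code == 51:
            msg["options"]["IP Address Lease Time"] = struct.unpack("!I", value)[0]
        else:
            msg["options"][code] = value
    return msg


def final_lease(packets):
    """Follow Discover -> Offer -> Request -> ACK for one transaction ID and return what the
    client ends up with. The ACK is authoritative: its yiaddr and options are what get applied,
    so an Offer alone (or an Offer with a different xid) never counts as a lease."""
    xid, lease = None, None
    for raw in packets:
        m = parse_dhcp(raw)
        if m["message_type"] == "Discover":
            xid, lease = m["xid"], None
        elif m["xid"] != xid:
            continue                      # belongs to another transaction, ignore
        elif m["message_type"] == "ACK" and m["op"] == BOOTREPLY:
            lease = {"ip": m["yiaddr"], **m["options"]}
    return lease


# Constructed DORA exchange (addresses, MAC and xid are made up).
XID = 0x3903F326
MAC = bytes.fromhex("001122334455")
SERVER_OPTS = [(1, ip_bytes("255.255.255.0")), (3, ip_bytes("192.168.1.1")),
               (51, struct.pack("!I", 86400)), (54, ip_bytes("192.168.1.1")),
               (6, ip_bytes("192.168.1.1") + ip_bytes("192.168.1.2"))]
SAMPLE_PACKETS = [
    build_dhcp(BOOTREQUEST, 1, XID, MAC, options=[(55, b"\x01\x03\x06")]),           # Discover, 68 -> 67
    build_dhcp(BOOTREPLY, 2, XID, MAC, yiaddr="192.168.1.57", options=SERVER_OPTS),  # Offer, 67 -> 68
    build_dhcp(BOOTREQUEST, 3, XID, MAC, options=[(50, ip_bytes("192.168.1.57")),
                                                  (54, ip_bytes("192.168.1.1"))]),   # Request
    build_dhcp(BOOTREPLY, 5, XID, MAC, yiaddr="192.168.1.57", options=SERVER_OPTS),  # ACK
]

if __name__ == "__main__":
    for raw in SAMPLE_PACKETS:
        m = parse_dhcp(raw)
        print(f"DHCP {m['message_type']:<8} xid=0x{m['xid']:08x} yiaddr={m['yiaddr']} {m['options']}")
    print("lease:", final_lease(SAMPLE_PACKETS))
```

Matching on the transaction ID is the same thing the Wireshark conversation view does when it groups the four packets, and it is what keeps an unrelated or rogue Offer from being mistaken for part of your exchange.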
ANALYSING DNS PROTOCOL PACKETS
DNS is the protocol that converts domain names into IP addresses. Now we examine it in Wireshark. Enter the command below to see the names your machine has recently resolved; this is the Windows DNS resolver cache, not a browser history, but it does list the sites you visited. Here is the entry for turkhackteam, for example:
Kod:
ipconfig /displaydns
Now let's clear the resolver cache (this is the operating system's cache; the browser keeps its own):
Kod:
ipconfig /flushdns
Now check the table again:
Kod:
ipconfig /displaydns
THT's IP address is no longer in the cache, so the next lookup has to go out over the network. Start a capture in Wireshark and ping the website from CMD:
Kod:
ping www.turkhackteam.org
Before it can send the ping, Windows has to resolve the name. Let's see it in Wireshark. Filter with "dns" and look. First there is the query, a "Standard query" for the A record of the name, sent over UDP port 53 to the configured DNS server. Then the server sends the "Standard query response", which carries the IP address for the domain. Note that the response has the same transaction ID as the query; that is how the resolver matches them. Here is the detailed version:
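The query and response above, as an added example that is not part of the original article: the Python script below builds the A-record query the resolver sends for the article's domain, builds a constructed response to it (with the name compression pointer real servers use), parses both the way the DNS dissector does, and applies the check a resolver must make before trusting a reply: same transaction ID and same question. The transaction ID and the answer address (a documentation address, not the site's real IP) are assumptions for the example.

```python
import struct

TYPE_A, CLASS_IN = 1, 1


def encode_name(name):
    """'www.example.org' -> b'\\x03www\\x07example\\x03org\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, name, qtype=TYPE_A):
    """What the Windows resolver sends to UDP port 53: header with the RD flag, one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def build_response(query, addresses, ttl=300):
    """A 'Standard query response, No error' for the given query, with one A record per address.
    The answer names use a compression pointer (0xC00C) back to the question name at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)
    question = query[12:]
    answers = b""
    for addr in addresses:
        answers += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4)
        answers += bytes(int(o) for o in addr.split("."))
    return header + question + answers


def read_name(msg, offset):
    """Decode a possibly compressed name; returns (name, offset just after it in the message)."""
    labels, end, jumped, hops = [], None, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # pointer: two bytes, 14-bit offset
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        if length == 0:
            return ".".join(labels), (end if jumped else offset + 1)
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_message(msg):
    """Header flags plus the question and answer sections, as the packet details pane lists them."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    out = {"txid": txid, "is_response": bool(flags & 0x8000), "rcode": flags & 0x0F,
           "questions": [], "answers": []}
    off = 12
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        out["questions"].append((name, qtype))
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        value = ".".join(map(str, rdata)) if rtype == TYPE_A and rdlen == 4 else rdata
        out["answers"].append((name, rtype, ttl, value))
    return out


def matches(query, response):
    """The check a resolver makes before trusting a reply: same transaction ID and the same
    question. A reply that fails it is ignored (and, in a capture, is worth a closer look)."""
    q, r = parse_message(query), parse_message(response)
    return (not q["is_response"] and r["is_response"]
            and q["txid"] == r["txid"] and q["questions"] == r["questions"])


# Constructed exchange: the name from the article, but a documentation address (TEST-NET-3),
# not the site's real IP.
QUERY = build_query(0x1A2B, "www.turkhackteam.org")
RESPONSE = build_response(QUERY, ["203.0.113.10"])

if __name__ == "__main__":
    for m in (QUERY, RESPONSE):
        print(parse_message(m))
    print("response matches query:", matches(QUERY, RESPONSE))
```

The transaction ID is only 16 bits, which is why real resolvers also randomise the source port; a capture in which responses arrive that match no outstanding query is the pattern to look for.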
ANALYSING HTTP PROTOCOL PACKETS
HTTP works at the application layer and uses TCP at the transport layer.
Let's say you open a website. TCP runs first: the three-way handshake is performed, and if it succeeds the connection is established. Then the browser sends its request (for example GET / HTTP/1.1 with a Host header) to the server over HTTP, and the server answers with a status line such as HTTP/1.1 200 OK followed by the page data. Filter with "http" to see the request and response lines in the Info column. This only works for plain HTTP, usually on port 80; HTTPS traffic is encrypted and shows up as SSL/TLS instead (see the SSL section below).
FEATURE OF FOLLOW TCP/UDP STREAM
We can follow TCP and UDP streams with the "Follow Stream" feature in Wireshark, which makes captured traffic far more readable. Based on everything we learned up to this heading, we can say that the packet-by-packet view of TCP/IP traffic is confusing for someone who is not familiar with the protocols, and even someone who is finds it hard to read a connection's contents when it is spread over many packets and mixed with other traffic without a filter. Follow Stream solves this: it reassembles the payloads of one connection, in sequence order, into a single conversation and shows it as text.
I opened a pcap file in Wireshark, right-clicked a packet belonging to a TCP connection and chose Follow > TCP Stream (the same submenu has UDP Stream, and TLS and HTTP Stream in newer versions).
A window opens showing the whole conversation: the data sent by the client in red and the server's replies in blue. You can switch the display format (ASCII, hex dump, raw, and so on), show only one direction, and for a web page you can read the HTTP request and the page's source as the browser received it. Wireshark also applies a display filter such as tcp.stream eq 0 to the packet list so only that connection is shown. "Save As" stores the stream's contents to a file.
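What Follow TCP Stream does behind the window, as an added example that is not part of the original article: the Python script below takes the segments of one constructed connection (a small HTTP request whose pieces were captured out of order and one of which was retransmitted, then the reply) and reassembles each direction by sequence number, dropping the retransmission, trimming overlaps and reporting a gap instead of silently bridging it, the way Wireshark annotates "previous segment not captured". Addresses, sequence numbers and the request are assumptions for the example.

```python
def reassemble_direction(segments, first_seq):
    """segments: (seq, payload) tuples of one direction in capture order. Returns the byte stream
    as the application saw it plus the events Wireshark would annotate. Retransmissions are
    dropped, overlapping bytes trimmed, out-of-order segments put back in place, and a gap
    (segment missing from the capture) is reported instead of being silently bridged.
    Sequence numbers are assumed not to wrap (a real implementation works modulo 2**32)."""
    data, events, next_seq = bytearray(), [], first_seq
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        end = seq + len(payload)
        if end <= next_seq:
            events.append(f"retransmission {seq}-{end} dropped")
            continue
        if seq > next_seq:
            events.append(f"gap {next_seq}-{seq}: previous segment not captured")
            next_seq = seq
        data += payload[next_seq - seq:]           # trim the part we already have
        next_seq = end
    return bytes(data), events


def follow_tcp_stream(packets):
    """packets: (src, dst, seq, payload, is_syn) tuples in capture order for ONE connection
    (what the 'tcp.stream eq N' filter isolates). The side that sent the first packet is the
    client (Wireshark shows its data in red), the other side the server (blue). Each side's
    data starts one past its SYN sequence number, because the SYN itself consumes one number."""
    client, server = packets[0][0], packets[0][1]
    isn = {src: seq for src, _dst, seq, _payload, is_syn in packets if is_syn}
    result = {"client": client, "server": server, "events": []}
    for key, host in (("client_data", client), ("server_data", server)):
        segs = [(seq, payload) for src, _dst, seq, payload, _syn in packets if src == host and payload]
        start = isn[host] + 1 if host in isn else (segs[0][0] if segs else 0)
        data, events = reassemble_direction(segs, start)
        result[key] = data
        result["events"] += [f"{host}: {e}" for e in events]
    return result


# Constructed connection: a small HTTP request that arrived in three segments, with the last
# segment captured before the second and the first one retransmitted, then the reply.
CLIENT, SERVER = "10.0.0.5:51515", "203.0.113.20:80"
CLIENT_ISN, SERVER_ISN = 1000, 5000
REQUEST_PARTS = [b"GET /index.html HTTP/1.1\r\n", b"Host: www.example.com\r\n", b"\r\n"]
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
_seq = [CLIENT_ISN + 1]
for _part in REQUEST_PARTS[:-1]:
    _seq.append(_seq[-1] + len(_part))
SAMPLE_PACKETS = [
    (CLIENT, SERVER, CLIENT_ISN, b"", True),              # SYN
    (SERVER, CLIENT, SERVER_ISN, b"", True),              # SYN, ACK
    (CLIENT, SERVER, _seq[0], REQUEST_PARTS[0], False),
    (CLIENT, SERVER, _seq[2], REQUEST_PARTS[2], False),   # captured out of order
    (CLIENT, SERVER, _seq[1], REQUEST_PARTS[1], False),
    (CLIENT, SERVER, _seq[0], REQUEST_PARTS[0], False),   # retransmission
    (SERVER, CLIENT, SERVER_ISN + 1, RESPONSE, False),
]

if __name__ == "__main__":
    stream = follow_tcp_stream(SAMPLE_PACKETS)
    print(stream["client_data"].decode())
    print(stream["server_data"].decode())
    print(stream["events"])
```

The printed request reads as one piece even though no single packet contained it, which is the whole value of the feature; the events list is what the packet list shows as "[TCP Retransmission]" and "[TCP Previous segment not captured]".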
EXPORT OBJECTS FEATURE
This feature finds files carried inside the captured traffic (images, HTML pages, scripts, downloads) and lets you save them in their original format.
To use it, open the "File" menu and choose "Export Objects". In the submenu, select "HTTP" (there are also entries for DICOM, IMF, SMB and TFTP).
A new window lists each object with its packet number, host name, content type, size and file name. Select one and click "Save", or use "Save All" for everything.
DECRYPTING SSL TRAFFIC
Under this title we will try to read traffic that is encrypted with the SSL/TLS protocol. We do not crack the encryption itself; what we need is the server's RSA private key, which Wireshark uses to recover the session keys. I downloaded a pcap file and the matching key file from the Internet. Now open the pcap file.
Open the "Edit" menu and click "Preferences".
Under "Protocols", select "SSL" ("TLS" in Wireshark 3.0 and later), find the "RSA keys list", press "Edit", add a new entry with the server IP address, port 443, protocol "http" and the path to our .key file, and press OK. The SSL packets are decrypted in place and the HTTP requests inside them become visible.
Now open the "File" menu, click "Export Objects" and then "HTTP". You can see the decrypted files and save them.
A caveat: this works only when the connection used the RSA key exchange, in which the client encrypts the pre-master secret with the server's public key. With (EC)DHE cipher suites, and always with TLS 1.3, the session keys cannot be derived from the private key (forward secrecy). For those, point the "(Pre)-Master-Secret log filename" preference at a key log written by the browser through the SSLKEYLOGFILE environment variable instead.
DISPLAYING THE SSL CERTIFICATE INSIDE SSL PACKETS
Now we will extract the website's certificate from the SSL packets we are displaying. Filter with "ssl" ("tls" in newer versions).
Then click the packet that carries the server's "Certificate" handshake message (often combined with Server Hello in the Info column) and expand it down to "Certificate: ..." under Handshake Protocol > Certificates. This only works for TLS 1.2 and earlier; in TLS 1.3 the certificate is sent encrypted.
Right-click the "Certificate: ..." line and choose "Export Packet Bytes".
A save dialog opens. Choose a location and save the file with a ".crt" or ".cer" extension (the bytes are the DER-encoded certificate). Then open the saved file; Windows shows it in the certificate viewer. Here is what mine looks like.
CONVERTING VOIP PACKETS TO VOICE
Let me talk about RTP and VoIP first. RTP (Real-time Transport Protocol) carries media, usually over UDP, end to end between the parties of a call; each packet has a sequence number, a timestamp, a stream identifier (SSRC) and a payload type that names the codec. VoIP is the use of IP networks for voice calls: the audio is encoded and sent to the other side as RTP packets, while a signalling protocol such as SIP sets up the call. This title is about turning those packets back into audio.
First we need a capture that contains RTP. I opened an example .pcap file with RTP traffic.
Then find RTP > RTP Streams in the "Telephony" menu.
We have two different streams, one per direction of the call, so two voices.
Choose one (or both) and click "Analyze".
A screen like this should appear, with per-stream statistics such as packets, lost packets, delta and jitter. Just hit "Play Streams".
Wireshark has decoded the packets into audio. Click "Play" to listen to the voice; the timeline also shows the date and time of the packets. If the codec is not one Wireshark can decode (it handles G.711 u-law and A-law and a few others), the stream is listed but cannot be played.
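The RTP header fields and the per-stream statistics above, as an added example that is not part of the original article: the Python script below builds two constructed RTP streams (one per call direction, G.711 u-law and A-law, 160 samples per 20 ms packet), parses the header including the CSRC, extension and padding cases, and groups packets by SSRC the way Telephony > RTP > RTP Streams does, counting lost packets with 16-bit sequence arithmetic so the wrap from 65535 to 0 is not mistaken for loss and concatenating the payload that "Play Streams" would decode. SSRC values and the "silence" payload are assumptions for the example.

```python
import struct

PAYLOAD_TYPES = {0: "PCMU (G.711 u-law)", 8: "PCMA (G.711 A-law)", 9: "G.722", 18: "G.729"}


def build_rtp(seq, timestamp, ssrc, payload, pt=0, marker=False):
    """RTP v2 header (12 bytes, no CSRC list, no extension) followed by encoded audio."""
    return struct.pack("!BBHII", 0x80, (0x80 if marker else 0) | pt, seq, timestamp, ssrc) + payload


def parse_rtp(packet):
    """Decode the header the RTP dissector shows and cut the payload out, honouring
    the CSRC count, the extension bit and the padding bit."""
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    off = 12 + 4 * (b0 & 0x0F)                       # skip the CSRC list, if any
    if b0 & 0x10:                                    # header extension present
        _profile, ext_words = struct.unpack("!HH", packet[off:off + 4])
        off += 4 + 4 * ext_words
    pad = packet[-1] if b0 & 0x20 else 0             # last byte says how many padding bytes
    return {"pt": b1 & 0x7F, "marker": bool(b1 & 0x80), "seq": seq,
            "timestamp": ts, "ssrc": ssrc, "payload": packet[off:len(packet) - pad]}


def rtp_streams(packets):
    """Group packets by SSRC, as Telephony -> RTP -> RTP Streams does, and gather per stream the
    codec, packet count, lost packets and the concatenated audio that 'Play Streams' decodes.
    Loss is counted with 16-bit sequence arithmetic so the wrap 65535 -> 0 is not a gap;
    a late (out-of-order) packet shows as a negative delta and is not counted as loss."""
    streams = {}
    for raw in packets:
        p = parse_rtp(raw)
        s = streams.setdefault(p["ssrc"], {"codec": PAYLOAD_TYPES.get(p["pt"], f"PT {p['pt']}"),
                                           "packets": 0, "lost": 0, "last_seq": None,
                                           "audio": bytearray()})
        if s["last_seq"] is not None:
            delta = (p["seq"] - s["last_seq"]) & 0xFFFF
            if 1 < delta < 0x8000:
                s["lost"] += delta - 1
        s["last_seq"] = p["seq"]
        s["packets"] += 1
        s["audio"] += p["payload"]
    return streams


# Constructed call: two streams (one per direction), 160 samples = 20 ms of 8 kHz audio per packet.
# Stream A runs through the 16-bit sequence wrap without loss; stream B misses two packets.
FRAME = bytes([0xFF]) * 160                            # 20 ms of u-law silence
STREAM_A = [build_rtp((65534 + i) & 0xFFFF, 160 * i, 0x11111111, FRAME) for i in range(5)]
STREAM_B = [build_rtp(s, 160 * s, 0x22222222, FRAME, pt=8) for s in (10, 11, 14, 15)]
SAMPLE_PACKETS = [p for pair in zip(STREAM_A, STREAM_B) for p in pair] + STREAM_A[4:]

if __name__ == "__main__":
    for ssrc, s in rtp_streams(SAMPLE_PACKETS).items():
        print(f"SSRC 0x{ssrc:08X} {s['codec']}: {s['packets']} packets, {s['lost']} lost, "
              f"{len(s['audio']) / 8000:.2f} s of audio")
```

For G.711 the timestamp advances by 160 per packet and the audio is the raw payload bytes, which is why the stream can be played straight from a capture; for other codecs Wireshark needs a decoder.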
FEATURE OF EXPERT INFO
This feature shows the notes and warnings that the dissectors attach to captured packets: retransmissions, out-of-order segments, malformed packets, checksum errors and similar. It needs a loaded or running capture to work on. The messages are grouped by severity (Chat, Note, Warning, Error), each with its source packet. Click the small colored circle at the left of the status bar, shown in the screenshot below, or use Analyze > Expert Information.
A new screen is displayed. This is the warning list.
You can see that each entry is fairly detailed. If there is more than one message of a kind, expand it and click an entry to jump to its packet. The messages can also be filtered: click the "Show" button and choose the severity levels you want.
MERGING CAPTURED TRAFFIC FLOWS
With this process we merge separately captured traffic into one file. Open your first .pcap file.
Then choose "Merge" from the "File" menu and select the second file. The dialog offers three ways to combine them: prepend the packets of the second file, merge the two chronologically by timestamp (the usual choice, and the one that keeps the timeline correct), or append them.
When we click "Open", the packets of the two files are merged in Wireshark.
Now let's save the merged packets as one file. Choose "Save As" from the "File" menu, pick your folder, enter a file name and click "Save". Now they are in one .pcap file. The mergecap command-line tool that ships with Wireshark does the same job from a script.
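The chronological merge above, as an added example that is not part of the original article: the Python script below writes two constructed classic .pcap captures with interleaved timestamps, reads them back (checking the magic number for byte order and refusing truncated records), interleaves the packets by timestamp the way "Merge packets chronologically" does, and writes the result. It sticks to the classic pcap format the article uses, not pcapng, and refuses to merge captures with different link types because a pcap header can only name one. Timestamps and the marker bytes used as frames are assumptions for the example.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps
PCAP_MAGIC_NS = 0xA1B23C4D       # nanosecond variant, rejected below to keep the example short
LINKTYPE_ETHERNET = 1


def write_pcap(records, linktype=LINKTYPE_ETHERNET, snaplen=65535):
    """records: (ts_sec, ts_usec, frame) tuples. Written little-endian, as Wireshark does."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)
    for sec, usec, frame in records:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def read_pcap(blob):
    """Return (linktype, records). Byte order is taken from the magic number, and a record
    whose captured length runs past the end of the file is an error, not silently shortened."""
    if blob[:4] == struct.pack("<I", PCAP_MAGIC):
        endian = "<"
    elif blob[:4] == struct.pack(">I", PCAP_MAGIC):
        endian = ">"
    elif blob[:4] in (struct.pack("<I", PCAP_MAGIC_NS), struct.pack(">I", PCAP_MAGIC_NS)):
        raise ValueError("nanosecond pcap not handled here")
    else:
        raise ValueError("not a classic pcap file (pcapng?)")
    _magic, _vmaj, _vmin, _zone, _sig, _snap, linktype = struct.unpack(endian + "IHHiIII", blob[:24])
    records, off = [], 24
    while off < len(blob):
        if off + 16 > len(blob):
            raise ValueError("truncated record header")
        sec, usec, caplen, _origlen = struct.unpack(endian + "IIII", blob[off:off + 16])
        off += 16
        if off + caplen > len(blob):
            raise ValueError("truncated packet data")
        records.append((sec, usec, blob[off:off + caplen]))
        off += caplen
    return linktype, records


def merge_chronologically(*blobs):
    """File -> Merge with 'Merge packets chronologically': interleave all records by timestamp.
    The sort is stable, so packets with equal timestamps keep their original file order.
    A classic pcap file has one link type in its header, so mixed captures are refused
    (pcapng can hold several; Wireshark needs that format to save such a merge)."""
    linktypes, records = set(), []
    for blob in blobs:
        linktype, recs = read_pcap(blob)
        linktypes.add(linktype)
        records.extend(recs)
    if len(linktypes) != 1:
        raise ValueError(f"link types differ: {sorted(linktypes)}")
    records.sort(key=lambda r: (r[0], r[1]))
    return write_pcap(records, linktypes.pop())


# Two constructed captures with interleaved timestamps. The frame contents are only markers here;
# the merge does not look inside them.
CAPTURE_A = write_pcap([(1000, 100, b"A1"), (1000, 300, b"A2"), (1001, 0, b"A3")])
CAPTURE_B = write_pcap([(1000, 200, b"B1"), (1002, 500, b"B2")])

if __name__ == "__main__":
    merged = merge_chronologically(CAPTURE_A, CAPTURE_B)
    for sec, usec, frame in read_pcap(merged)[1]:
        print(f"{sec}.{usec:06d}  {frame!r}")
```

Merging by timestamp only makes sense when both capturing machines had synchronised clocks; otherwise the "append" choice keeps the files' own order and you correct the offset afterwards with Edit > Time Shift.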
That's all for this article. Take care!
Credit: M3m0ry & R4V3N
Original: Click Me! (blackcoder)