NF Post 3: Wireshark
Wireshark is a free, open-source GUI protocol analyzer. It lets users interactively browse the data traffic on a computer network.
Below is the default Wireshark interface. It includes:
- Packet list
- Packet details
- Packet bytes
Example uses of Wireshark display filters:
- Filtering on port number
- Filtering on protocol
- Filtering on HTTP host
The terminal version of Wireshark is tshark. Here are some basic tshark commands:
- Capture traffic and write it to a file:
  - tshark -w filename.pcap
- Disable network name resolution (-n) so that IP addresses and port numbers are shown instead of names:
  - tshark -n -r filename.pcap
- Select the output format with the -T flag:
  - tshark -r filename.pcap -T pdml
- Print specific fields with the -e flag (together with -T fields):
  - tshark -r filename.pcap -T fields -e frame.number -e ip.addr -e udp
- Decode the traffic on a given port as a specific protocol with -d:
  - tshark -r filename.pcap -d tcp.port==<port number>,http
- Read only the packets matching a Wireshark filter with -R (newer tshark releases require -2 together with -R, or use -Y for a display filter):
  - tshark -r filename.pcap -R 'ip.addr==<ip address>'
Example usage of tshark:
- Capture traffic and write it to example.pcap
- Find the DNS names in the pcap file
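The last two tshark examples (printing fields with -T fields / -e, and finding DNS names in a capture) can be combined into a small post-processing script. This is an added example, not code from the original post; it assumes a capture file such as example.pcap exists when run against real traffic, and the sample tshark output embedded below is constructed by hand so the parsing part runs without tshark installed.

```python
"""List DNS query names found in a pcap by post-processing tshark output."""
import subprocess
from collections import Counter


def tshark_dns_cmd(pcap):
    """Build the tshark argv: -n disables name resolution, -r reads the file,
    -Y applies a display filter, -T fields with -e picks the columns to print
    (tab-separated by default)."""
    return [
        "tshark", "-n", "-r", pcap,
        "-Y", "dns.flags.response == 0",  # queries only, no responses
        "-T", "fields",
        "-e", "frame.number", "-e", "ip.src", "-e", "dns.qry.name",
    ]


def parse_dns_fields(text):
    """Parse tab-separated tshark field output into a Counter of query names.
    Frames with an empty name field (no DNS query) are skipped."""
    names = Counter()
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 3 or not parts[2]:
            continue
        names[parts[2].lower().rstrip(".")] += 1
    return names


def long_label_names(names, max_label=40):
    """Return names containing an unusually long label; worth a closer look
    when reviewing a capture, since normal hostnames rarely have such labels."""
    return sorted(n for n in names if any(len(l) > max_label for l in n.split(".")))


def dns_names_in_pcap(pcap):
    """Run tshark on a real capture file (requires tshark on PATH)."""
    return parse_dns_fields(subprocess.check_output(tshark_dns_cmd(pcap), text=True))


# Constructed sample output, in the format the command above prints.
SAMPLE = (
    "1\t10.0.0.5\texample.com\n"
    "2\t10.0.0.5\twww.example.com\n"
    "3\t10.0.0.7\texample.com\n"
    "4\t10.0.0.7\t\n"  # frame without a query name
    "5\t10.0.0.9\t" + "a" * 50 + ".tunnel.example.net\n"
)

if __name__ == "__main__":
    counts = parse_dns_fields(SAMPLE)
    for name, n in counts.most_common():
        print(f"{n:4d}  {name}")
    print("long-label names:", long_label_names(counts))
```

Replace SAMPLE with dns_names_in_pcap("example.pcap") to run the same logic over a real capture.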