Module 162.2.L2 Using Wireshark For Network Analysis

Uploaded by fallj366

MODULE 02

WIRESHARK
Managing and Manipulating Data

Module 02 Objectives:

❑ Wireshark Display Filter.
❑ Customizing Wireshark Experience.
❑ Creating Wireshark Filter Buttons.
❑ Utilizing Wireshark to Identify Hosts and Network Nodes.
❑ Exporting Captured Data From Wireshark.
Display Filter

The Wireshark Display Filter

The display filter in Wireshark is a bar situated just above the column display portion. This is where you enter expressions to filter the frames, IP packets, or TCP segments from a pcap that Wireshark displays.

Display filters allow you to concentrate on the packets you are interested in while hiding the ones you are not interested in. The filters allow you to display only packets based on:
❑ Protocol
❑ The presence of a field
❑ The values of fields
❑ Comparisons between fields
❑ … and a lot more!
The Wireshark Display Filter (Picture: filter bar showing "tcp.analysis.")

When you enter text into the display filter, Wireshark returns a list of recommendations based on the text you entered.

While the display filter bar stays red, the expression is not yet accepted.

If the display filter bar turns green, the expression has been accepted and should work properly.

If the display filter bar turns yellow, the expression has been accepted; however, it will most likely not work as intended.
Display Filter Values
Wireshark's display filter utilizes Boolean expressions, allowing you to define and chain them together.

Display Filter Logical Operations
You can combine filter expressions in Wireshark using the logical operators shown in the table.

Display Filter Functions
The display filter language has a number of functions that will convert fields.
Adding Custom Columns
Wireshark allows for adding custom columns based on almost any value found in the frame details window. This is how we add domain names used in HTTP and HTTPS traffic to our Wireshark column display.

To quickly find domains used in HTTP traffic, use the Wireshark filter http.request and examine the frame details window.

In the frame details window, expand the line titled "Hypertext Transfer Protocol" by left-clicking on the arrow that looks like a greater-than sign (>) to make it point down. This reveals several additional lines. Scroll down to the line starting with "Host:" to see the HTTP host name. Left-click on this line to select it. Right-click on the line to bring up a menu. Near the top of this menu, select "Apply as Column." This should create a new column with the HTTP host name.

Picture: HTTP host names in the column display when filtering on http.request.

Find Domains Used in Encrypted HTTPS Traffic
Use the Wireshark filter ssl.handshake.type == 1 and examine the frame details window. Follow Steps 1 through 9.

Picture: HTTP server names in the column display when filtering on ssl.handshake.type == 1.

Picture: HTTP Host and server names in the column display when filtering on http.request or ssl.handshake.type == 1.
Adding Source/Destination Port Columns

Source: Wireshark Episode #6 Adding Source/Destination Columns [Video]. YouTube https://www.youtube.com/watch?v=pAn_EYkBCpc
Saving Filters
Save Filter: Click on the plus sign to save your expression as a filter button.

You have the following fields:
❑ Label.
❑ Filter.
❑ Comment.

Saved Filter: Basic
Wireshark Filters

ip.addr == x.x.x.x
Sets a filter for any packet that has x.x.x.x as the source or destination IP address.

ip.addr == x.x.x.x && ip.addr == x.x.x.x
ip.src == xxxx && ip.dst == xxxx

http or dns
Sets a filter to display all http and dns protocols. It lets you narrow down to the exact protocol you need.

tcp.port==xxx
Sets filters for any TCP packet with a specific source or destination port. Sometimes it is useful and less time-consuming to look only at the traffic that goes into or out of a specific port.

http.request
It filters all HTTP GET and POST requests. It can show the most accessed web pages.

tcp.flags.reset==1
Sets filters to display all TCP resets. Every TCP packet carries a reset flag; if it is set to 1, it tells the receiving computer that it should at once stop using that connection.

tcp contains xxx
It is a filter that displays all TCP packets that contain a certain term.

tcp.stream eq X
Filters by sequence number.

tcp.flags.push == 1
Important for troubleshooting. This filter detects push events.

udp contains xx:xx:xx
It sets a filter for certain HEX values at any offset.

dns.flags.rcode != 0
Indicates which dns requests could not be correctly resolved.

!(arp or icmp or dns)
Designed to filter out certain types of protocols. It masks out arp, icmp, dns, or other protocols you think are not useful.
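To make the semantics of the filters in this table concrete (ip.addr matching either address, a bare protocol name meaning "present", comparisons on an absent field being false, and the precedence of !, && and ||), here is an added example that is not Wireshark's own code: a small evaluator for this subset of the display-filter language, run over four constructed packets modelled as dicts keyed by Wireshark field names. The packets, addresses and payloads are made up for the example.

```python
"""Mini evaluator for the display-filter subset used in the table above.
Added example, not Wireshark code. Packets are dicts keyed by Wireshark field
names; the sample packets are constructed, not taken from a real capture."""
import re

# Constructed samples: an HTTP request, the server's RST, a failed DNS lookup
# (rcode 3 = NXDOMAIN) and an ARP frame.
PACKETS = [
    {"no": 1, "ip.src": "10.0.0.5", "ip.dst": "93.184.216.34", "tcp.srcport": 51000,
     "tcp.dstport": 80, "tcp.stream": 0, "tcp.flags.reset": 0, "tcp.flags.push": 1,
     "tcp.payload": b"GET /index.html HTTP/1.1\r\n", "http": True, "http.request": True},
    {"no": 2, "ip.src": "93.184.216.34", "ip.dst": "10.0.0.5", "tcp.srcport": 80,
     "tcp.dstport": 51000, "tcp.stream": 0, "tcp.flags.reset": 1, "tcp.flags.push": 0,
     "tcp.payload": b""},
    {"no": 3, "ip.src": "10.0.0.5", "ip.dst": "10.0.0.1", "udp.srcport": 40000,
     "udp.dstport": 53, "udp.payload": b"\x00\x01\x01\x00", "dns": True, "dns.flags.rcode": 3},
    {"no": 4, "arp": True},
]

# Fields that Wireshark resolves to more than one value in a single packet.
ALIASES = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport"),
           "udp.port": ("udp.srcport", "udp.dstport")}
TOKEN_RE = re.compile(r'\(|\)|==|!=|&&|\|\||!|"[^"]*"|[A-Za-z0-9_.:]+')
COMPARE_OPS = {"==", "eq", "!=", "ne", "contains"}


def field_values(pkt, name):
    """All values `name` has in this packet; empty list when the field is absent."""
    if name in ALIASES:
        return [pkt[k] for k in ALIASES[name] if k in pkt]
    if name in pkt:
        return [pkt[name]]
    if "." not in name:  # a bare protocol is present if any of its fields are
        return [v for k, v in pkt.items() if k.startswith(name + ".")]
    return []


def literal_bytes(raw):
    """Right-hand side of `contains`: a quoted string or xx:xx:xx hex bytes."""
    if raw.startswith('"'):
        return raw[1:-1].encode()
    if re.fullmatch(r"(?:[0-9a-fA-F]{2}:)*[0-9a-fA-F]{2}", raw):
        return bytes.fromhex(raw.replace(":", ""))
    return raw.encode()


class DisplayFilter:
    """Recursive-descent parser; precedence is ! (not) > && (and) > || (or)."""

    def __init__(self, text):
        if TOKEN_RE.sub("", text).strip():
            raise ValueError("unrecognised characters in filter")
        self.toks, self.pos = TOKEN_RE.findall(text), 0
        self.tree = self._or()
        if self.pos != len(self.toks):
            raise ValueError("unexpected token %r" % self.toks[self.pos])

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _take(self):
        tok = self._peek()
        self.pos += 1
        return tok

    def _or(self):
        node = self._and()
        while self._peek() in ("||", "or"):
            self._take()
            node = ("or", node, self._and())
        return node

    def _and(self):
        node = self._not()
        while self._peek() in ("&&", "and"):
            self._take()
            node = ("and", node, self._not())
        return node

    def _not(self):
        if self._peek() in ("!", "not"):
            self._take()
            return ("not", self._not())
        return self._primary()

    def _primary(self):
        tok = self._take()
        if tok is None or tok == ")":
            raise ValueError("expected a field name or '('")
        if tok == "(":
            node = self._or()
            if self._take() != ")":
                raise ValueError("missing ')'")
            return node
        if self._peek() in COMPARE_OPS:
            op, raw = self._take(), self._take()
            if raw is None:
                raise ValueError("missing value after %s" % op)
            return ("cmp", tok, op, raw)
        return ("present", tok)

    def matches(self, pkt):
        return self._eval(self.tree, pkt)

    def _eval(self, node, pkt):
        kind = node[0]
        if kind == "or":
            return self._eval(node[1], pkt) or self._eval(node[2], pkt)
        if kind == "and":
            return self._eval(node[1], pkt) and self._eval(node[2], pkt)
        if kind == "not":
            return not self._eval(node[1], pkt)
        if kind == "present":
            return bool(field_values(pkt, node[1]))
        _, name, op, raw = node
        values = field_values(pkt, name)
        if not values:  # as in Wireshark, a comparison on an absent field is false
            return False
        if op == "contains":  # `tcp contains x` searches the segment's bytes
            hay = [pkt[name + ".payload"]] if name + ".payload" in pkt else values
            return any(literal_bytes(raw) in (v if isinstance(v, bytes) else str(v).encode()) for v in hay)
        equal = any(str(v) == raw.strip('"') for v in values)
        return equal if op in ("==", "eq") else not equal  # != holds when no value equals


def apply_filter(text, packets=PACKETS):
    """Packet numbers the filter keeps, as the packet list would show them."""
    flt = DisplayFilter(text)
    return [p["no"] for p in packets if flt.matches(p)]
```

Running apply_filter with the table's expressions shows, for instance, that `ip.addr == 10.0.0.5` keeps the request, the reset and the DNS query, and that `!(arp or icmp or dns)` removes both the DNS query and the ARP frame.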
WIRESHARK Display and Capture Filters

Source: Wireshark Display & Capture Filters [Video]. YouTube https://www.youtube.com/watch?v=-y_ObCrHB0g
Managing and Manipulating Data

USING WIRESHARK TO IDENTIFY HOSTS AND USERS

Host Information From Traffic
A MAC address, an IP address, and a host name are the three identifiers of a host on a network.

In most situations, suspicious activity alerts are based on IP addresses. If you have access to complete network packet capture, a pcap retrieved on an internal IP address should show an associated MAC address and hostname.

How do we find such host information using Wireshark? We filter on two types of traffic (activity): 1) Dynamic Host Configuration Protocol (DHCP), and 2) NetBIOS Name Service (NBNS).

DHCP Traffic
Assists in identifying hosts for almost any sort of machine connected to your network.

NBNS Traffic
Is primarily generated by PCs running Microsoft Windows, or by Apple hosts running MacOS.
Import/Open a Saved PCAP File
❑ In Wireshark, click File -> Open or use the keyboard shortcut Ctrl+O.
❑ Navigate to the location where you saved your Wireshark PCAP files.
❑ After selecting the file you want to examine, click the Open button.
DHCP DORA Filter
DORA is the process used by DHCP for providing the IP address to the client/host machine. It has four main stages and obtains the IP address from the centralized server.

DISCOVER -> OFFER -> REQUEST -> ACK

DHCP: DORA
Filter: dhcp
❑ After applying the dhcp filter, select one of the frames that shows DHCP Request in the Info column.
❑ Go to the frame details section and expand the line for Dynamic Host Configuration Protocol (Request) as shown in Picture 01.
❑ Expand the lines for Client Identifier and Host Name as indicated in Picture 02.
❑ Client Identifier details should reveal the MAC address, and the Host Name details should reveal a host name.
❑ MAC Address is: 00:15:5d:a9:01:23
❑ Hostname is: PSMOSADVL101
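What the frame details window is showing here is the BOOTP fixed header followed by DHCP options, with option 61 (Client Identifier) and option 12 (Host Name) carrying the two values above. The following added example, which is not Wireshark's dissector or course material, parses those structures by hand so the same values can be pulled out of raw DHCP bytes in a script. The request bytes are constructed from the MAC address and host name quoted above; the transaction ID and the option layout are assumptions made for the example, and a truncated option is rejected rather than read past the buffer.

```python
"""Added example (not Wireshark's dissector): parse a DHCP Request's BOOTP
header and options to recover the Client Identifier (option 61) and Host Name
(option 12). The packet is constructed from the MAC and host name on the slide."""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP options area
OPT_PAD, OPT_HOST_NAME, OPT_MESSAGE_TYPE, OPT_CLIENT_ID, OPT_END = 0, 12, 53, 61, 255
MESSAGE_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 4: "Decline",
                 5: "ACK", 6: "NAK", 7: "Release", 8: "Inform"}
CHADDR_OFFSET = 28     # op, htype, hlen, hops, xid, secs, flags, 4 addresses = 28 bytes


def build_dhcp_request(mac, hostname, xid=0x1A2B3C4D):
    """Constructed DHCP Request for the example (xid and layout are assumptions)."""
    zero4 = b"\x00" * 4
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0, xid, 0, 0,        # BOOTREQUEST, Ethernet, hlen 6
                         zero4, zero4, zero4, zero4,   # ciaddr, yiaddr, siaddr, giaddr
                         mac.ljust(16, b"\x00"), b"", b"")  # chaddr, sname, file
    options = (bytes([OPT_MESSAGE_TYPE, 1, 3])                      # type 3 = Request
               + bytes([OPT_CLIENT_ID, 1 + len(mac), 1]) + mac     # htype 1 + MAC
               + bytes([OPT_HOST_NAME, len(hostname)]) + hostname.encode()
               + bytes([OPT_END]))
    return header + MAGIC_COOKIE + options


def parse_dhcp_options(data):
    """Return {option code: raw value}; refuses options that run past the buffer."""
    if len(data) < 240 or data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: magic cookie missing")
    options, i = {}, 240
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header for code %d" % code)
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d runs past the end of the packet" % code)
        options[code] = value
        i += 2 + length
    return options


def host_info(data):
    """MAC (from option 61, else chaddr), host name and message type of a DHCP packet."""
    options = parse_dhcp_options(data)
    hlen = data[2]
    mac = data[CHADDR_OFFSET:CHADDR_OFFSET + hlen]
    client_id = options.get(OPT_CLIENT_ID)
    if client_id and client_id[0] == 1 and len(client_id) == 7:   # hardware-type form
        mac = client_id[1:]
    mtype = options.get(OPT_MESSAGE_TYPE, b"")
    hostname = options.get(OPT_HOST_NAME)
    return {
        "message_type": MESSAGE_TYPES.get(mtype[0], "unknown") if mtype else "unknown",
        "mac": ":".join("%02x" % b for b in mac),
        # host names are client-supplied text: decode defensively
        "hostname": hostname.decode("ascii", errors="replace") if hostname else None,
    }


if __name__ == "__main__":
    packet = build_dhcp_request(bytes.fromhex("00155da90123"), "PSMOSADVL101")
    print(host_info(packet))
```

The Host Name value is whatever the client chose to send, so the parser decodes it with replacement rather than trusting it to be clean ASCII, and the option walker stops at the end marker and refuses a length byte that points beyond the packet.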
Host Information From NBNS Traffic
❑ You may not see DHCP traffic in your pcap depending on how often a DHCP lease is renewed. Fortunately, we can identify host names for PCs running Microsoft Windows or Apple hosts running MacOS using NBNS traffic.

Picture: NBNS traffic with IP Address, Host Name and MAC Address columns.
Device Models and Operating Systems from HTTP Traffic
User-agent strings from HTTP headers can show the operating system. If the HTTP traffic is from an Android smartphone, you may be able to identify the device's manufacturer and model.

In Picture 01, we used the filter http.request and !(ssdp). The first frame is the first HTTP request to www.ucla.com. Follow the TCP stream as shown in Picture 01.

This TCP stream has HTTP request headers as shown in Picture 02. The User-Agent line represents the Google Chrome web browser version 104.0.0.0.0 running on Microsoft's Windows 10 x64 operating system.

❑ Windows NT 5.1: Windows XP
❑ Windows NT 6.0: Windows Vista
❑ Windows NT 6.1: Windows 7
❑ Windows NT 6.2: Windows 8
❑ Windows NT 6.3: Windows 8.1
❑ Windows NT 10.0: Windows 10
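Reading User-Agent strings one stream at a time does not scale past a handful of hosts, so here is an added example (not part of the course material) that applies the Windows NT table above in code: it parses a User-Agent into OS, architecture, Android device model and browser, then builds a per-client-IP inventory of the fingerprints seen. The User-Agent strings and client addresses are constructed samples, and the regular expressions are assumptions about the common browser UA layouts, not a complete UA database.

```python
"""Added example: fingerprint hosts from HTTP User-Agent headers using the
Windows NT version table from the slide. Sample records are constructed."""
import re
from collections import defaultdict

WINDOWS_NT_VERSIONS = {"5.1": "Windows XP", "6.0": "Windows Vista", "6.1": "Windows 7",
                       "6.2": "Windows 8", "6.3": "Windows 8.1", "10.0": "Windows 10"}
# Chrome-based UAs also contain "Safari/", and Edge's also "Chrome/": check specific first.
BROWSER_ORDER = ("Edg", "Chrome", "Firefox", "Safari")

# Constructed (client IP, User-Agent) pairs as they might be read from http.request frames.
SAMPLE_REQUESTS = [
    ("10.0.0.5", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36"),
    ("10.0.0.5", "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0"),
    ("10.0.0.21", "Mozilla/5.0 (Linux; Android 12; Pixel 6) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/104.0.0.0 Mobile Safari/537.36"),
    ("10.0.0.33", "Mozilla/5.0 (Linux; Android 9; SM-G960F Build/PPR1.180610.011) "
                  "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.99 Mobile Safari/537.36"),
]


def parse_user_agent(ua):
    """Pull OS, architecture, device model and browser out of one User-Agent string."""
    info = {"os": None, "arch": None, "device": None, "browser": None, "mobile": " Mobile" in ua}
    m = re.search(r"Windows NT (\d+\.\d+)", ua)
    if m:
        info["os"] = WINDOWS_NT_VERSIONS.get(m.group(1), "Windows NT " + m.group(1))
        if "Win64" in ua or "x64" in ua:
            info["arch"] = "x64"
        elif "WOW64" in ua:
            info["arch"] = "WOW64"   # 32-bit browser on 64-bit Windows
    # "Android <ver>; <model>[ Build/<id>])": the model is the device identifier
    m = re.search(r"Android ([\d.]+)(?:;\s*([^;)]+?))?(?:\s+Build/\S*)?\)", ua)
    if m:
        info["os"] = "Android " + m.group(1)
        info["device"] = m.group(2)
    m = re.search(r"Mac OS X ([\d_]+)", ua)
    if m:
        info["os"] = "macOS " + m.group(1).replace("_", ".")
    for name in BROWSER_ORDER:
        m = re.search(r"\b%s/([\d.]+)" % name, ua)
        if m:
            info["browser"] = "%s %s" % ("Edge" if name == "Edg" else name, m.group(1))
            break
    return info


def inventory(records):
    """Map each client IP to the sorted set of 'os / device / browser' fingerprints seen."""
    hosts = defaultdict(set)
    for ip, ua in records:
        info = parse_user_agent(ua)
        parts = [p for p in (info["os"], info["device"], info["browser"]) if p]
        hosts[ip].add(" / ".join(parts))
    return {ip: sorted(fps) for ip, fps in hosts.items()}


if __name__ == "__main__":
    for ip, fingerprints in inventory(SAMPLE_REQUESTS).items():
        print(ip, fingerprints)
```

A host that presents two different operating systems in one capture, as 10.0.0.5 does in the sample, is worth a second look: it may be a NAT device or proxy in front of several machines rather than a single workstation.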
Managing and Manipulating Data
Exporting Captured Data From Wireshark
❑ The “Export Specified Packets” Dialog Box.
❑ The “Export Packet Dissections” Dialog Box.
❑ The “Export Selected Packet Bytes” Dialog Box.
❑ The “Export PDUs to File…” Dialog Box.
❑ The “Strip Headers…” Dialog Box.
❑ The “Export TLS Session Keys…” Dialog Box.
❑ The “Export Objects” Dialog Box.
Exporting Data
Wireshark provides a variety of options for exporting packet data. This section describes general ways to export data from the main Wireshark application.

There are many other ways to export or extract data from capture files, including processing TShark output and customizing Wireshark and TShark using Lua scripts.
The “Export Specified Packets” Dialog Box
❖ This is similar to the “Save” dialog box, but it lets you save specific packets.
❖ This can be useful for trimming irrelevant or unwanted packets from a capture file.
The Export Packet Dissections Dialog Box
❖ The Export Packet Dissections dialog box lets you save the packet list, packet details, and packet bytes as plain text, CSV, JSON, and other formats.
❖ The format can be selected from the “Export As” drop-down menu, and is further customized using the “Packet Range” and “Packet Format” controls.
❖ Some controls are unavailable for some formats, notably CSV and JSON. The following formats are supported:
Plain text (as shown in the main window).
Comma-separated values (CSV).
C-compatible byte arrays.
PSML (summary XML).
PDML (detailed XML).
JavaScript Object Notation (JSON).
Examples of Exported Data
The “Export Selected Packet Bytes” Dialog Box
Export the bytes selected in the “Packet
Bytes” pane into a raw binary file.
The Export PDUs to File… Dialog Box
The “Export PDUs to File…” dialog box allows you to filter the captured Protocol Data Units (PDUs) and export them into a file. It allows you to export reassembled PDUs without the lower layers, such as HTTP without TCP, and decrypted PDUs without the lower protocols, such as HTTP without TLS and TCP.
1. In the main menu, select File → Export PDUs to File…. Wireshark will open a corresponding dialog box as shown in the picture below.
2. To select the data according to your needs, optionally type a filter value into the Display filter field.
3. In the field below the Display filter field, you can choose the level from which you want to export the PDUs to the file. There are seven levels.
4. To finish exporting PDUs to file, click the OK button in the bottom-right corner. This will close the originally captured file and open the exported results instead as a temporary file in the main Wireshark window.
5. You may save the temporary file just like any captured file.

Display Filter Seven Levels:
❑ DLT User. Export a protocol which is framed in the user data link type table without the need to reconfigure the DLT user table. For more information, see the How to Dissect Anything page.
❑ DVB-CI. Use for the Digital Video Broadcasting (DVB) protocol.
❑ Logcat and Logcat Text. Use for the Android logs.
❑ OSI layer 3. Use to export PDUs encapsulated in the IPSec or SCTP protocols.
❑ OSI layer 4. Use to export PDUs encapsulated in the TCP or UDP protocols.
❑ OSI layer 7. Use to export the following protocols: CredSSP over TLS, Diameter, protocols encapsulated in TLS and DTLS, H.248, Megaco, RELOAD framing, SIP, and SMPP.
The “Export TLS Session Keys…”
Dialog Box
❖ Transport Layer Security (TLS) encrypts the communication
between a client and a server. The most common use for it is
web browsing via HTTPS.
❖ Decryption of TLS traffic requires TLS secrets. You can get
them in the form of stored session keys in a "key log file," or
by using an RSA private key file.
❖ The File → Export TLS Session Keys… menu option:
❑ Generates a new "key log file," which contains TLS
session secrets known by Wireshark. This feature is useful
if you typically decrypt TLS sessions using the RSA private
key file.
❑ The RSA private key is very sensitive because it can be
used to decrypt other TLS sessions and impersonate the
server.
❑ Session keys can be used only to decrypt sessions from
the packet capture file.
❑ Session keys are the preferred mechanism for sharing
data over the Internet.
Export Captured TLS Session Keys
1. In the main menu, select File → Export TLS Session Keys…. Wireshark will open a corresponding dialog box.
2. Type the desired file name in the Save As field.
3. Choose the destination folder for your file in the Where field.
4. Press the Save button to complete the export file procedure.
The Export Objects Dialog Box
The Export Objects dialog box scans through the selected protocol’s streams in the currently open capture file or running capture, and allows the user to export reassembled objects to the disk. For example, if you select HTTP, you can export HTML documents, images, executables, and any other files transferred over HTTP to the disk.

If you have a capture running, this list is automatically updated every few seconds with any new objects seen. The saved objects can then be opened or examined independently of Wireshark.
Summary
● Wireshark allows for adding custom columns based on
almost any value found in the frame details window. This
is how we add domain names used in HTTP and HTTPS
traffic to our Wireshark column display.
● In most situations, suspicious activity alerts are based on
IP addresses. If you have access to complete network
packet capture, a pcap retrieved on an internal IP
address should show an associated MAC address and
hostname.
● User-agent strings from HTTP headers can show the
operating system. If the HTTP traffic is from an Android
smartphone, you may be able to identify the device's
manufacturer and model.
Introduction to Network Sniffing
CASE STUDY
You are a level 2 analyst at the company. On Monday, you received numerous
tickets from various employees in a specific department about the same issue.
Employees in the design department are unable to access one of the web
servers, and receive error messages. You also receive the same error messages
when you attempt to connect to the server.
You decide to use a sniffer tool to capture and analyze the data, and you
discovered a large number of SYN flags generated from the same external IP
address that is not getting a response from the web server.
❏ What interface, network segment, device should your sniffer be running
on to have access to this data?
❏ What filters need to be used to see that specific data?
❏ What type of attack do you think this is, based on the data?
❏ What is your Mitigation Plan/Strategy?
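To work the second question in code rather than only by eye, here is an added triage script that is not part of the course material. It reads a constructed packet summary in the column layout a tshark export can produce (time, source, destination, ports, TCP flags), counts bare SYNs per source, server and port, checks how many of them got a SYN-ACK back, and reports sources whose connection attempts go unanswered, together with the Wireshark display filter (tcp.flags.syn and tcp.flags.ack are real field names) that isolates that traffic in the capture. All addresses, ports and thresholds are constructed for the example.

```python
"""Added example (not course material): flag sources whose SYNs to a server go
unanswered, from a constructed packet summary in tshark-style columns."""
import csv
import io
from collections import defaultdict

# Constructed summary: one external address sends eight SYNs to the web server
# and never gets a SYN-ACK; two other clients complete a normal handshake.
SAMPLE_SUMMARY = """time,src,dst,sport,dport,flags
0.000,203.0.113.77,10.20.0.15,40001,443,S
0.001,203.0.113.77,10.20.0.15,40002,443,S
0.002,203.0.113.77,10.20.0.15,40003,443,S
0.003,203.0.113.77,10.20.0.15,40004,443,S
0.004,203.0.113.77,10.20.0.15,40005,443,S
0.005,203.0.113.77,10.20.0.15,40006,443,S
0.006,203.0.113.77,10.20.0.15,40007,443,S
0.007,203.0.113.77,10.20.0.15,40008,443,S
0.010,10.20.1.8,10.20.0.15,52044,443,S
0.011,10.20.0.15,10.20.1.8,443,52044,SA
0.012,10.20.1.8,10.20.0.15,52044,443,A
0.020,198.51.100.9,10.20.0.15,33000,443,S
0.021,10.20.0.15,198.51.100.9,443,33000,SA
0.022,198.51.100.9,10.20.0.15,33000,443,A
"""


def analyze_syns(csv_text, min_syns=5, max_answered_ratio=0.2):
    """Report (client, server, port) triples with many SYNs and few or no SYN-ACKs."""
    syns = defaultdict(int)      # (client, server, server port) -> bare SYN count
    synacks = defaultdict(int)   # same key -> SYN-ACKs the server sent back
    sports = defaultdict(set)    # same key -> distinct client source ports
    for row in csv.DictReader(io.StringIO(csv_text)):
        flags = set(row["flags"])
        if flags == {"S"}:                       # SYN without ACK: a new attempt
            key = (row["src"], row["dst"], int(row["dport"]))
            syns[key] += 1
            sports[key].add(int(row["sport"]))
        elif flags == {"S", "A"}:                # SYN-ACK: keyed back to the client
            synacks[(row["dst"], row["src"], int(row["sport"]))] += 1
    alerts = []
    for key, count in syns.items():
        answered = synacks.get(key, 0)
        if count >= min_syns and answered / count <= max_answered_ratio:
            src, dst, port = key
            alerts.append({
                "src": src, "dst": dst, "dport": port, "syns": count,
                "synacks": answered, "distinct_sports": len(sports[key]),
                "display_filter": (f"ip.src == {src} && ip.dst == {dst} && tcp.dstport == {port} "
                                   f"&& tcp.flags.syn == 1 && tcp.flags.ack == 0"),
            })
    return sorted(alerts, key=lambda a: -a["syns"])


if __name__ == "__main__":
    for alert in analyze_syns(SAMPLE_SUMMARY):
        print(alert)
```

The thresholds are deliberately low so the sample trips them; on a real capture they should be set from the server's normal connection rate, and a legitimate client behind a busy NAT can also show many SYNs, so the SYN-ACK ratio matters more than the raw count.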
