
Wireshark

Article · May 2021

Author: Amey Parulkar (Splunk)

Uploaded to ResearchGate by Amey Parulkar on 12 August 2022.


2021

WIRESHARK

PROTOCOL ANALYZER
PARULKAR, AMEYUDAY

MSC CYBERSECURITY | UWL


Table of Contents

1 Introduction
2 Wireshark Capture
2.1 Sniffing Twitter via Wireshark
2.1.1 Launch Wireshark
2.1.2 Sniff www.twitter.com
2.2 Capture Browser Process
2.2.1 Chrome Browser
2.2.2 Mozilla/Firefox Browser
2.2.3 Microsoft Edge Browser
3 Finding MAC Address
4 Protocol Listing using Wireshark
5 Delta time between HTTP GET and HTTP OK using Wireshark
6 Finding IP of uwl.ac.uk and user device using Wireshark
7 ARP Requests
7.1.1 ARP requests sent from the user device
7.1.2 ARP requests sent to the user device
8 Wireshark Extra Features
8.1.1 Creating Configuration Profiles
8.1.2 Creating an Embedded Display Filter
9 References
1 Introduction

Almost everything around us is measured, recorded, and stored in some form, and from that data we draw conclusions. A weighing scale measures body weight, a ruler measures height or distance, and a packet sniffer measures the health of a network.

The most widely used packet sniffer is Wireshark. It has become the de facto standard for packet analysis in any type of network (enterprise or service provider) and lets the user capture the ingress and egress traffic passing through the local network adaptor, wired or wireless [1].

This report covers several aspects of the tool. It explains not only how to capture raw packets, but also how to use display filters and capture filters to narrow a capture down to a specific investigation. It also shows how to calculate the delta time between two packets and describes two extra features that were explored while researching the tool for this report.

Wireshark is open source, and the latest version can be downloaded from:

https://www.wireshark.org/
2 Wireshark Capture

We sniff the packets of the wireless connection while accessing a specific website and observe the network behaviour of different browsers.

2.1 Sniffing Twitter via Wireshark

2.1.1 Launch Wireshark

• Once Wireshark is launched, its start page lists the detected interfaces under the "Capture" section. Select the interface/adaptor whose packets are to be sniffed, for example Wi-Fi or Ethernet.
• In our scenario we select the wired Ethernet interface.

2.1.2 Sniff www.twitter.com

• Once the capture is started, Wireshark begins capturing and displays the packets sent and received by the device. On a switched network this is expected: without a mirror (SPAN) port or a network tap, the adaptor only sees its own unicast traffic plus broadcast and multicast frames.
• We use the "nslookup" command from CMD to check the domain name resolution of twitter.com.
• We then apply a display filter on "ip.src" and "ip.dst" to show only the traffic between the device and the Twitter API IP address returned by nslookup.

2.2 Capture Browser Process

2.2.1 Chrome Browser

• Launching the Chrome browser shows several background connections that the browser opens by itself, for example to:
  o googleapis
  o clientservices.googleapis
  o oauthaccountmanager.googleapis
  o setup.icloud.com

2.2.2 Mozilla/Firefox Browser

• Launching the Firefox browser shows several background connections that the browser opens by itself, for example to:
  o download-installer.cdn.mozilla.net
  o content-signature-2.cdn.mozilla.net
  o firefox-settings.services.mozilla.net
  o firefox-settings-attachments.cdn.mozilla.net
  o aus5.mozilla.org

2.2.3 Microsoft Edge Browser

• Launching the Microsoft Edge browser opens several background connections, for example to:
  o assets.msn.com
  o c.bing.com
  o c.msn.com
  o edge.microsoft.com
  o config.edge.skype.com

3 Finding MAC Address

• The MAC address of the device can be read from the Ethernet II layer of any captured frame (the Source and Destination fields). The "Frame" layer shown above it holds only Wireshark's own metadata, such as the arrival time and frame length, not the addresses.
• The field can be shown as a column for better visibility: select it in the packet details pane, right-click, and choose "Apply as Column".
4 Protocol Listing using Wireshark

• Launch Wireshark and capture raw packets from an interface.
• With no filters applied, multiple protocols are observed in the captured packets.
• The protocols observed in this capture are:
  o NBNS
  o OCSP
  o SSDP
  o SSL
  o TCP
  o HTTP
  o DNS
  o MDNS
  o LLDP
  o TLSv1.2
  o TLSv1.3
  o UDP
• Statistics → Protocol Hierarchy gives the same list together with packet and byte counts per protocol.
5 Delta time between HTTP GET and HTTP OK using Wireshark

• Launch Wireshark and capture raw packets from an interface.
• From the unfiltered capture, select one of the HTTP packets carrying a GET request.
• Right-click that packet and select "Follow TCP Stream" so that the response packet is shown alongside the request.
• The delta time between the GET and the OK is the difference between the Time column values of the HTTP GET packet and the HTTP 200 OK packet. Wireshark also computes this on the response packet as the "Time since request" field (http.time), and View → Time Display Format → "Seconds Since Previous Displayed Packet" shows the per-packet difference directly.
• In this scenario it is around 171 milliseconds. This is the round trip as seen from the capturing host, so it includes network latency in both directions plus the server's processing time.
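The same measurement done by hand, as an added example that is not part of the original report: the script below groups packets into TCP conversations the way "Follow TCP Stream" does, pairs each HTTP request with the first unmatched response travelling the opposite way on the same stream, and reports the delta. The addresses, ports, timestamps and payloads are constructed for the example and are not taken from the report's capture.

```python
# Added example: compute the delta between an HTTP request and its response from
# a constructed capture, grouping packets by TCP stream the way "Follow TCP
# Stream" does. Addresses, ports, timestamps and payloads are assumptions made
# up for this example and are not taken from the report's capture.
CLIENT, SERVER = "192.168.1.20", "203.0.113.10"
SAMPLE_CAPTURE = [
    {"ts": 10.000, "src": CLIENT, "sport": 51000, "dst": SERVER, "dport": 80,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"},
    {"ts": 10.020, "src": SERVER, "sport": 80, "dst": CLIENT, "dport": 51000,
     "payload": b""},                                      # pure ACK, no HTTP data
    {"ts": 10.050, "src": CLIENT, "sport": 51001, "dst": SERVER, "dport": 80,
     "payload": b"GET /logo.png HTTP/1.1\r\nHost: example.test\r\n\r\n"},
    {"ts": 10.171, "src": SERVER, "sport": 80, "dst": CLIENT, "dport": 51000,
     "payload": b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"},
    {"ts": 10.300, "src": SERVER, "sport": 80, "dst": CLIENT, "dport": 51001,
     "payload": b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"},
]
HTTP_METHODS = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"DELETE ", b"OPTIONS ")


def stream_key(pkt):
    """Direction-independent key for a TCP conversation (what tcp.stream numbers)."""
    return tuple(sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])]))


def follow_tcp_stream(capture, pkt):
    """Both directions of the conversation that contains pkt, ordered by time."""
    key = stream_key(pkt)
    return sorted((p for p in capture if stream_key(p) == key), key=lambda p: p["ts"])


def first_line(pkt):
    """Request line or status line of the HTTP message in this segment."""
    return pkt["payload"].split(b"\r\n", 1)[0].decode("ascii", "replace")


def request_response_deltas(capture):
    """For each HTTP request, find the first unmatched response travelling the
    opposite way on the same stream and return (request, status, delta_ms).
    Matching in time order keeps pipelined requests paired with the right reply."""
    matched = set()
    results = []
    for req in sorted(capture, key=lambda p: p["ts"]):
        if not req["payload"].startswith(HTTP_METHODS):
            continue
        resp = next((p for p in follow_tcp_stream(capture, req)
                     if id(p) not in matched and p["ts"] > req["ts"]
                     and p["src"] == req["dst"] and p["sport"] == req["dport"]
                     and p["payload"].startswith(b"HTTP/1.")), None)
        if resp is None:
            results.append((first_line(req), None, None))   # response not captured
            continue
        matched.add(id(resp))
        delta_ms = round((resp["ts"] - req["ts"]) * 1000, 1)
        results.append((first_line(req), first_line(resp), delta_ms))
    return results


if __name__ == "__main__":
    for request, status, delta_ms in request_response_deltas(SAMPLE_CAPTURE):
        print(f"{request!r} -> {status!r}: {delta_ms} ms")
```

The delta is taken to the first segment carrying the status line. With "Allow subdissector to reassemble TCP streams" enabled, Wireshark dissects the HTTP response on the frame that completes it, so for a large response its http.time can be later than the value computed here.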


6 Finding IP of uwl.ac.uk and user device using Wireshark

• After launching the packet sniffer, open the URL uwl.ac.uk in the browser and look for a TLS Client Hello packet whose SNI (Server Name Indication) extension contains uwl.ac.uk. The display filter tls.handshake.extensions_server_name contains "uwl.ac.uk" finds it directly. The SNI is sent in clear text even in TLS 1.3, so once the rest of the handshake is encrypted it is usually the only place in the capture where the hostname is visible.
• Once located, right-click that packet and select "Follow TCP Stream"; this applies a tcp.stream eq N display filter that shows only the packets of that session.
• The IP layer of any packet in that stream provides the source and destination IP addresses of the user device and of uwl.ac.uk, as highlighted.
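What that filter does internally, as an added example that is not part of the original report: the script below parses the IP, TCP and TLS layers of constructed packets, walks the ClientHello down to the server_name extension, and returns the endpoint addresses of the session whose SNI names the host. The IP addresses and ports are assumptions made up for the example (203.0.113.0/24 is a documentation range), not the addresses observed in the report.

```python
import struct

# Added example: parse the IP, TCP and TLS layers of constructed packets to find
# the ClientHello whose SNI names a host, then read the endpoint addresses from
# the IP header, which is what "Follow TCP Stream" plus the IP layer gives in
# Wireshark. The IP addresses and ports are assumptions made up for this
# example (203.0.113.0/24 is a documentation range), not measured values.


def build_client_hello(hostname, with_sni=True):
    """Minimal TLS record carrying a ClientHello; fields not parsed below are dummies."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type 0 = host_name
    sni_ext = struct.pack("!HHH", 0x0000, len(entry) + 2, len(entry)) + entry
    versions_ext = struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x04"  # supported_versions: TLS 1.3
    exts = versions_ext + (sni_ext if with_sni else b"")
    body = (b"\x03\x03" + bytes(32)                 # client_version, random
            + b"\x00"                               # session_id length 0
            + struct.pack("!H", 2) + b"\x13\x01"    # one cipher suite
            + b"\x01\x00"                           # compression methods: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def build_ipv4_tcp(src, dst, sport, dport, payload):
    """IPv4 + TCP headers without options; checksums are left at zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0x4000,
                     64, 6, 0, bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp + payload


def parse_ipv4_tcp(packet):
    """Return (src_ip, dst_ip, sport, dport, tcp_payload), or None if not IPv4/TCP."""
    if len(packet) < 40 or packet[0] >> 4 != 4 or packet[9] != 6:
        return None
    ihl = (packet[0] & 0x0F) * 4
    src, dst = (".".join(map(str, packet[o:o + 4])) for o in (12, 16))
    tcp = packet[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return src, dst, sport, dport, tcp[(tcp[12] >> 4) * 4:]


def extract_sni(record):
    """Walk TLS record -> ClientHello -> extensions -> server_name. Returns None
    for anything else, including a ClientHello cut short by TCP segmentation."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        return None                          # needs reassembly before it can be parsed
    off = 34                                 # skip client_version and random
    off += 1 + body[off]                     # session_id
    off += 2 + struct.unpack("!H", body[off:off + 2])[0]   # cipher_suites
    off += 1 + body[off]                     # compression_methods
    if off + 2 > len(body):
        return None                          # no extensions block at all
    end = off + 2 + struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", body[off:off + 4])
        data, off = body[off + 4:off + 4 + elen], off + 4 + elen
        if etype != 0x0000:
            continue
        p, list_end = 2, 2 + struct.unpack("!H", data[:2])[0]
        while p + 3 <= list_end:
            ntype, nlen = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
            if ntype == 0:
                return data[p + 3:p + 3 + nlen].decode("ascii", "replace")
            p += 3 + nlen
    return None


def find_sessions_for_host(packets, hostname):
    """Equivalent of filtering on tls.handshake.extensions_server_name and reading
    the IP layer: returns (src_ip, dst_ip, sport, dport) for each matching ClientHello."""
    hits = []
    for pkt in packets:
        parsed = parse_ipv4_tcp(pkt)
        if parsed and extract_sni(parsed[4]) == hostname:
            hits.append(parsed[:4])
    return hits


# Constructed packets: two ClientHellos with SNI and one without.
SAMPLE_PACKETS = [
    build_ipv4_tcp("192.168.1.20", "203.0.113.10", 52000, 443, build_client_hello("uwl.ac.uk")),
    build_ipv4_tcp("192.168.1.20", "203.0.113.20", 52001, 443, build_client_hello("example.test")),
    build_ipv4_tcp("192.168.1.20", "203.0.113.30", 52002, 443, build_client_hello("x", with_sni=False)),
]

if __name__ == "__main__":
    print(find_sessions_for_host(SAMPLE_PACKETS, "uwl.ac.uk"))
```

A ClientHello that spans more than one TCP segment is returned as None rather than misparsed; Wireshark handles the same case through TCP reassembly before the TLS dissector runs.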

7 ARP Requests

7.1.1 ARP requests sent from the user device

• Launch Wireshark and select the interface on which packets are to be sniffed.
• In the capture filter field, enter "arp" before starting the capture. Capture filters use BPF syntax ("arp"), whereas display filters use Wireshark's own syntax (for example arp.opcode == 1 to show requests only).
• This ensures that only ARP packets are captured.
• A total of 4 ARP requests were sent from the device IP address within a one-minute timeframe.

7.1.2 ARP requests sent to the user device

• Launch Wireshark and select the interface on which packets are to be sniffed.
• In the capture filter field, enter "arp" before starting the capture.
• This ensures that only ARP packets are captured.
• A total of 3 ARP requests were sent from the default gateway address to the device IP address within a one-minute timeframe.
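The decoding behind sections 3 and 7, as an added example that is not part of the original report: the script below builds Ethernet II frames carrying ARP packets, parses the Ethernet header (where the Source and Destination MAC addresses of section 3 come from) and the ARP header, emulates the "arp" capture filter, and counts the requests sent from and to a device within a one-minute window. All MAC addresses, IP addresses and timestamps are constructed for the example; the counts of 4 and 3 reproduce the report's numbers only because the sample was built that way.

```python
import struct

# Added example: decode the Ethernet II and ARP layers of constructed frames the
# way Wireshark's packet details pane does, then count ARP requests from and to
# a device within a one-minute window. All MACs, IPs and timestamps are
# assumptions made up for this example; they are not taken from the report.
ETH_P_IPV4, ETH_P_ARP = 0x0800, 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
DEVICE_MAC, DEVICE_IP = "aa:bb:cc:dd:ee:01", "192.168.1.20"
GATEWAY_MAC, GATEWAY_IP = "aa:bb:cc:dd:ee:ff", "192.168.1.1"
BROADCAST, ZERO_MAC = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"


def mac_bytes(mac): return bytes.fromhex(mac.replace(":", ""))
def ip_bytes(ip): return bytes(int(o) for o in ip.split("."))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_ip, target_mac=ZERO_MAC, dst_mac=BROADCAST):
    """Ethernet II frame carrying an ARP packet. A request has target MAC zero and
    goes to the broadcast address; a reply is unicast back to the asker."""
    eth = mac_bytes(dst_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, ETH_P_IPV4, 6, 4, op) + mac_bytes(sender_mac)
           + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp


def parse_ethernet(frame):
    """Ethernet II header: the Source/Destination fields Wireshark shows under
    "Ethernet II" (the "Frame" layer above it holds only capture metadata)."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst_mac": mac_str(dst), "src_mac": mac_str(src),
            "ethertype": ethertype, "payload": frame[14:]}


def parse_arp(payload):
    """ARP header followed by sender/target hardware and protocol addresses."""
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    off, fields = 8, []
    for size in (hlen, plen, hlen, plen):
        fields.append(payload[off:off + size])
        off += size
    sha, spa, tha, tpa = fields
    return {"op": op, "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}


def count_arp_requests(capture, device_ip, window=60.0):
    """Emulates the capture filter "arp" and counts requests sent by device_ip
    ("Who has <x>? Tell <device>") and addressed to it ("Who has <device>?")
    within `window` seconds of the first ARP frame."""
    from_device = to_device = 0
    t0 = None
    for ts, frame in sorted(capture, key=lambda p: p[0]):
        eth = parse_ethernet(frame)
        if eth["ethertype"] != ETH_P_ARP:
            continue                      # a capture filter of "arp" drops this frame
        t0 = ts if t0 is None else t0
        if ts - t0 >= window:
            break
        arp = parse_arp(eth["payload"])
        if arp["op"] != ARP_REQUEST:      # replies are captured but not counted
            continue
        if arp["sender_ip"] == device_ip:
            from_device += 1
        if arp["target_ip"] == device_ip:
            to_device += 1
    return from_device, to_device


# Constructed one-minute capture: 4 requests from the device (t=0,15,30,45),
# 3 requests from the gateway for the device (t=5,25,50), one gateway request
# for another host, one reply, one non-ARP IPv4 frame, and a late request
# at t=70 that falls outside the window.
SAMPLE_CAPTURE = [
    (t, build_arp(ARP_REQUEST, DEVICE_MAC, DEVICE_IP, GATEWAY_IP)) for t in (0, 15, 30, 45, 70)
] + [
    (t, build_arp(ARP_REQUEST, GATEWAY_MAC, GATEWAY_IP, DEVICE_IP)) for t in (5, 25, 50)
] + [
    (0.001, build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, DEVICE_IP, DEVICE_MAC, DEVICE_MAC)),
    (20, build_arp(ARP_REQUEST, GATEWAY_MAC, GATEWAY_IP, "192.168.1.30")),
    (10, mac_bytes(GATEWAY_MAC) + mac_bytes(DEVICE_MAC) + struct.pack("!H", ETH_P_IPV4) + bytes(20)),
]

if __name__ == "__main__":
    print("device MAC:", parse_ethernet(SAMPLE_CAPTURE[0][1])["src_mac"])
    print("requests (from device, to device):", count_arp_requests(SAMPLE_CAPTURE, DEVICE_IP))
```

Note that the sender MAC inside the ARP payload is carried separately from the Ethernet source address; both are decoded above, which is why Wireshark can show them as two different columns.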

8 Wireshark Extra Features

This section discusses two extra features that make Wireshark more efficient to use: creating a new configuration profile, and adding an embedded display filter button to that profile for faster troubleshooting.

8.1.1 Creating Configuration Profiles

• Launch Wireshark.
• Go to "Edit" at the top left of the Wireshark window and select "Configuration Profiles".
• The Configuration Profiles pop-up window appears.
• Click the "+" sign at the bottom left to add a new profile and give it a meaningful name. In our case we name it "Bad TCP"; this profile will later hold an embedded display filter that shows only the packets Wireshark has flagged as bad TCP.
• Click "OK".
• Before starting a capture on the selected interface, right-click the profile name at the bottom right of the status bar and pick the newly created profile from the "Switch to" option.
• Wireshark now runs under the chosen configuration profile, in this case "Bad TCP".
• Note that a new profile starts out with the default settings. Any change made while it is active, such as added columns or packet coloring rules, is saved to that profile and applied automatically the next time Wireshark is started with it. Profiles are stored as directories under the personal configuration folder listed in Help → About Wireshark → Folders, so a profile can be copied to another machine.

BEFORE changes:

AFTER changes:
8.1.2 Creating an Embedded Display Filter

• Launch Wireshark.
• Make sure the configuration profile created in the previous section is selected. In our case we select "Bad TCP" from the "Switch to" option at the bottom right, or via Edit → Configuration Profiles at the top left of the Wireshark window.
• Once the desired profile is selected, click the "+" at the far right of the display filter bar.
• Enter the display filter expression, give it a label and, if needed, a comment. In our case the label is "Bad TCP" and the expression is "tcp.analysis.flags", which matches every packet Wireshark has annotated with a TCP analysis flag (retransmissions, duplicate ACKs, out-of-order segments, zero window, and so on). The filter bar turns green when the expression is valid and red when it is not.
• When all the fields are filled in, the "OK" button becomes active; click it to embed the filter as a button for this configuration profile.
• From then on, whenever Wireshark is opened with raw packets under the "Bad TCP" profile, one click on the "Bad TCP" button applies the filter instead of retyping a complex display filter expression each time. Note that this is a display filter: it only hides packets from the view, unlike a capture filter, which decides what is written to the capture file in the first place.

BEFORE the filter is applied:

AFTER the filter is applied (one click):
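What the "Bad TCP" button actually selects, as an added example that is not part of the original report and not Wireshark's own dissector code: the script below runs simplified versions of the checks behind tcp.analysis.flags over a constructed TCP conversation and lists the segments the button would show. Sequence numbers are relative, as in Wireshark's default view; the bad segments are planted on purpose, and the timing heuristics Wireshark uses to separate retransmissions, fast retransmissions and out-of-order segments are left out.

```python
# Added example: the checks behind Wireshark's tcp.analysis.flags, in simplified
# form, run over a constructed TCP conversation. Sequence numbers are relative
# (as in Wireshark's default view); the bad segments are planted on purpose.
# This is illustrative code, not Wireshark's own dissector: it skips the timing
# heuristics Wireshark uses to tell retransmissions from out-of-order segments.
SAMPLE_STREAM = [
    # (ts,    direction, seq, ack, len, win,   flags)
    (0.000, "c>s", 0,   0,   0,   65535, {"SYN"}),
    (0.010, "s>c", 0,   1,   0,   65535, {"SYN", "ACK"}),
    (0.011, "c>s", 1,   1,   0,   65535, {"ACK"}),
    (0.012, "c>s", 1,   1,   100, 65535, {"ACK", "PSH"}),   # data bytes 1..100
    (0.030, "s>c", 1,   101, 0,   65535, {"ACK"}),
    (0.031, "c>s", 101, 1,   100, 65535, {"ACK", "PSH"}),   # data bytes 101..200
    (0.250, "c>s", 101, 1,   100, 65535, {"ACK", "PSH"}),   # same bytes sent again
    (0.260, "s>c", 1,   201, 0,   65535, {"ACK"}),
    (0.300, "c>s", 401, 1,   100, 65535, {"ACK", "PSH"}),   # bytes 201..400 never seen
    (0.310, "s>c", 1,   201, 0,   65535, {"ACK"}),          # receiver asks again for 201
    (0.320, "s>c", 1,   201, 0,   65535, {"ACK"}),
]


def tcp_analysis_flags(stream):
    """Return [(index, flag)] for every segment the "Bad TCP" button would show."""
    next_seq = {}     # per direction: highest seq + length seen so far
    last_ack = {}     # per direction: (ack, win) of the previous pure ACK
    flagged = []
    for i, (ts, d, seq, ack, length, win, flags) in enumerate(stream):
        seg_len = length + ("SYN" in flags) + ("FIN" in flags)   # SYN/FIN consume a seq number
        if seg_len == 0 and "ACK" in flags:
            # A pure ACK repeating the previous ack number and window is a Dup ACK.
            if last_ack.get(d) == (ack, win):
                flagged.append((i, "Dup ACK"))
            last_ack[d] = (ack, win)
            continue
        expected = next_seq.get(d)
        if expected is not None:
            if seq + seg_len <= expected:
                flagged.append((i, "Retransmission"))           # nothing new in this segment
            elif seq > expected:
                flagged.append((i, "Previous segment not captured"))   # a gap before it
        next_seq[d] = max(expected or 0, seq + seg_len)
    return flagged


if __name__ == "__main__":
    for index, flag in tcp_analysis_flags(SAMPLE_STREAM):
        print(index, SAMPLE_STREAM[index][:5], flag)
```

A practical caveat follows from the "Previous segment not captured" case: on a busy interface it often means the capturing host dropped frames rather than the network, so check the "Dropped" counter in Statistics → Capture File Properties before blaming the path.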

9 References

1. https://www.redhat.com/sysadmin/introduction-wireshark
2. https://en.wikiversity.org/wiki/Wireshark/Arp
3. https://wiki.wireshark.org/AddressResolutionProtocol
4. https://www.varonis.com/blog/how-to-use-wireshark/
5. https://www.comparitech.com/net-admin/wireshark-cheat-sheet/
6. https://stackoverflow.com/questions/65677915/wireshark-display-filter-for-protocol-802-11
