Wireshark

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education.

Permissions
As wireshark captures directly from the network hardware, it needs permissions set up to allow capturing. To use wireshark as a normal user, add the user to the pcap group (note: replace ${LOGNAME} with the user's actual login name):

To make the session aware of this new group without having to log in again, enter this command before launching wireshark:

Wireshark over SSH
Requirements: a source system (the server you want to capture packets on) that you have SSH access to, with tcpdump installed and available to your user (either directly, or via sudo without a password); and a destination system (where you run graphical Wireshark) with wireshark installed and working, and mkfifo available. Procedure:

Network Name Resolution
To automatically resolve IP addresses to domain names, open the preferences window, click the panel and select the Enable Network Name Resolution check box.

Filter packets to a specific IP Address
To see all incoming and outgoing traffic for a specific address, enter ==  in the filter box, replacing  with the relevant IP address. Additionally, to view only incoming traffic, replace with ; to view only outgoing traffic, replace  with.

Terminal-based Wireshark
TShark is a network protocol analyzer. It lets you capture packet data from a live network, or read packets from a previously saved capture file, either printing a decoded form of those packets to the standard output or writing the packets to a file. TShark's native capture file format is pcapng format, which is also the format used by Wireshark and various other tools.

Without any options set, TShark works much like tcpdump. It uses the pcap library to capture traffic from the first available network interface and displays a summary line on the standard output for each received packet.

For example, to capture packets across a specified network interface and save the results, enter

Replace with the desired network interface and  with the desired filename.

If you capture no packets and send the output to xxd, you can see just the file header for any capture type.
An easy way to capture no packets is to filter on the (unused) ipx protocol in your capture filter. In this example, -F pcap selects the pcap file type.
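The bytes that xxd shows can be decoded by hand. The following is an added example, not from this page: it parses the 24-byte pcap global header and the pcapng Section Header Block from constructed header bytes (both byte orders, microsecond and nanosecond magics), so you can check what xxd prints against the field layout.

```python
import struct

# pcap file magics, read in the file's own byte order; the second one marks
# nanosecond-resolution timestamps.
PCAP_MAGICS = {0xA1B2C3D4: "microseconds", 0xA1B23C4D: "nanoseconds"}
PCAPNG_BLOCK_TYPE = b"\x0a\x0d\x0d\x0a"  # Section Header Block type, same in both byte orders

# Constructed headers (not real captures). The pcap one is what an empty "-F pcap" file
# looks like: little-endian magic, version 2.4, snaplen 262144, link type 1 (Ethernet).
PCAP_HEADER_LE = bytes.fromhex("d4c3b2a1" "0200" "0400" "00000000" "00000000" "00000400" "01000000")
# Minimal pcapng Section Header Block: block type, total length 28, byte-order magic,
# version 1.0, section length -1 (unknown), trailing total length.
PCAPNG_SHB_LE = bytes.fromhex("0a0d0d0a" "1c000000" "4d3c2b1a" "0100" "0000" "ffffffffffffffff" "1c000000")


def identify_capture_header(data: bytes) -> dict:
    """Decode the file header of a pcap or pcapng capture from its first 24 bytes."""
    if len(data) < 24:
        raise ValueError("need at least 24 bytes of file header")
    if data[:4] == PCAPNG_BLOCK_TYPE:
        # The byte-order magic at offset 8 fixes the endianness of the rest of the file.
        bom = data[8:12]
        if bom == b"\x4d\x3c\x2b\x1a":
            endian = "<"
        elif bom == b"\x1a\x2b\x3c\x4d":
            endian = ">"
        else:
            raise ValueError("pcapng block with bad byte-order magic %s" % bom.hex())
        major, minor, section_len = struct.unpack(endian + "HHq", data[12:24])
        return {"format": "pcapng", "endian": endian, "version": (major, minor),
                "section_length": section_len}
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in PCAP_MAGICS:
            # version_major, version_minor, thiszone, sigfigs, snaplen, linktype
            major, minor, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
            return {"format": "pcap", "endian": endian, "timestamps": PCAP_MAGICS[magic],
                    "version": (major, minor), "snaplen": snaplen, "linktype": linktype}
    raise ValueError("unknown capture file magic %s" % data[:4].hex())


if __name__ == "__main__":
    for name, hdr in (("pcap", PCAP_HEADER_LE), ("pcapng", PCAPNG_SHB_LE)):
        print(name, identify_capture_header(hdr))
```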

Search for malicious URL with regex
You're looking for an HTTP GET that requests a URL that starts with http or https, has the Swedish .se domain, and contains the word worm in the query string. Luckily, Wireshark gives you the matches operator, which uses PCRE regex syntax. A simple regex that satisfies this is https?.*?\.se.*?worm. If this seems like Greek, you can explore more on regex101.

Given that this is a GET, it's better to search just the http protocol: http matches "https?.*?\.se.*?worm". Note that the regex is double quoted. With tshark, the -Y "display filter" argument also needs to be double-quoted, so to use this display filter there, escape the inner quotes
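The page's regex is deliberately loose, and it pays to know what else it catches. The following is an added example, not from the page: it runs the pattern over constructed request URIs (Python's re standing in for Wireshark's PCRE engine; the pattern uses only constructs both share) and contrasts it with a tighter variant of my own that pins .se to the host and worm to the query string.

```python
import re

# The page's pattern, as given to the "matches" operator.
PAGE_PATTERN = re.compile(r"https?.*?\.se.*?worm", re.IGNORECASE)
# Tighter variant (an addition, not from the page): ".se" must end the host part,
# and "worm" must appear after the "?" that begins the query string.
STRICT_PATTERN = re.compile(
    r"^https?://[^/?#\s]+\.se(?::\d+)?(?:/[^?#\s]*)?\?[^#\s]*worm", re.IGNORECASE)

# Constructed request URIs (not from a capture), mapped to whether they should be hits.
SAMPLES = {
    "http://example.se/index.php?file=worm.exe": True,
    "https://mail.example.se:8443/?dl=worm": True,
    "http://example.secure-cdn.test/?q=worm": False,   # ".se" is inside ".secure-cdn"
    "http://example.se/worms/faq.html": False,         # "worm" is in the path, not the query
    "http://example.com/?u=foo.se&x=worm": False,      # ".se" is in the query, not the host
}


def classify(uri):
    """Return (loose hit, strict hit) for one request URI."""
    return bool(PAGE_PATTERN.search(uri)), bool(STRICT_PATTERN.search(uri))


def false_positives(pattern=PAGE_PATTERN):
    """Sample URIs the given pattern flags that should not be flagged."""
    return sorted(u for u, wanted in SAMPLES.items() if pattern.search(u) and not wanted)


if __name__ == "__main__":
    for uri in SAMPLES:
        print(classify(uri), uri)
```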

Print HTTP data in a tree

tshark -q -i any -Y http -z http,tree

==============================================================================================================
HTTP/Packet Counter:
Topic / Item            Count   Average   Min Val   Max Val   Rate (ms)   Percent   Burst Rate   Burst Start
--------------------------------------------------------------------------------------------------------------
Total HTTP Packets      1                                                 100%      0.0100       2.255
 HTTP Request Packets   1                                                 100.00%   0.0100       2.255
  GET                   1                                                 100.00%   0.0100       2.255
 Other HTTP Packets     0                                                 0.00%     -            -
 HTTP Response Packets  0                                                 0.00%     -            -
  ???: broken           0                                                           -            -
  5xx: Server Error     0                                                           -            -
  4xx: Client Error     0                                                           -            -
  3xx: Redirection      0                                                           -            -
  2xx: Success          0                                                           -            -
  1xx: Informational    0                                                           -            -
--------------------------------------------------------------------------------------------------------------

WireGuard
WireGuard was initially started by in 2015 as a Linux kernel module. As of January 2020, it has been accepted for Linux v5.6. Support for other platforms (macOS, Android, iOS, BSD, and Windows) is provided by a cross-platform wireguard-go implementation.

Filter WireGuard traffic while capturing
Assuming that your WireGuard traffic goes over the wlan0 interface using port 51820

Download extract-handshakes.sh.

Step-by-step instructions for this are not yet available for the version merged in Linux v5.6. What you basically have to do is build offset-finder.c against the headers from drivers/net/wireguard/ and kernel headers and a config matching your current kernel.

Detect activity from malware generating FTP traffic
In addition to FTP, malware can use other common protocols for malicious traffic. Spambot malware can turn an infected host into a spambot designed to send dozens to hundreds of email messages every minute. This is characterized by several DNS requests to various mail servers followed by SMTP traffic on TCP ports 25, 465, 587, or other TCP ports associated with email traffic.
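The DNS-then-SMTP pattern described above can be checked mechanically. The following is an added example, not from the page: it reads constructed per-packet lines laid out like tshark -T fields output (time, source, destination, DNS query name, TCP destination port) and flags hosts whose burst of mail-server lookups is followed by connections to ports 25, 465 or 587; the window and thresholds are my own assumptions, tune them to your network.

```python
import re
from collections import defaultdict

SMTP_PORTS = {25, 465, 587}
# Query names that look like mail servers (MX records resolve to names like these).
MAIL_NAME = re.compile(r"^(mx|mail|smtp)\d*\.", re.IGNORECASE)

# Constructed sample (not a real capture), laid out like
#   tshark -T fields -E separator=/t -e frame.time_epoch -e ip.src -e ip.dst -e dns.qry.name -e tcp.dstport
# would print it: one packet per line, absent fields left empty.
SAMPLE = """\
1700000000.10\t10.0.0.5\t10.0.0.1\tmx1.example-isp.net\t
1700000000.12\t10.0.0.5\t10.0.0.1\tmail.example-corp.test\t
1700000000.15\t10.0.0.5\t10.0.0.1\tsmtp.example-mail.test\t
1700000001.00\t10.0.0.5\t203.0.113.10\t\t25
1700000001.20\t10.0.0.5\t203.0.113.11\t\t587
1700000001.30\t10.0.0.5\t203.0.113.12\t\t465
1700000002.00\t10.0.0.7\t10.0.0.1\twww.example.test\t
1700000002.10\t10.0.0.7\t198.51.100.9\t\t443
1700000003.00\t10.0.0.9\t10.0.0.1\tmail.example-corp.test\t
1700000003.50\t10.0.0.9\t203.0.113.11\t\t587
"""


def find_spambot_hosts(lines, window=60.0, min_dns=3, min_smtp=3):
    """Return {src: (mail-server names looked up, SMTP peers contacted)} for hosts whose
    burst of mail-server DNS queries is followed within `window` seconds by SMTP sessions."""
    dns = defaultdict(dict)   # src -> {query name: first seen}
    smtp = defaultdict(dict)  # src -> {destination: first seen}
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, qname, dport = line.split("\t")
        ts = float(ts)
        if qname and MAIL_NAME.match(qname):
            dns[src].setdefault(qname, ts)
        elif dport and int(dport) in SMTP_PORTS:
            smtp[src].setdefault(dst, ts)
    hits = {}
    for src, lookups in dns.items():
        start = min(lookups.values())
        peers = [t for t in smtp[src].values() if start <= t <= start + window]
        if len(lookups) >= min_dns and len(peers) >= min_smtp:
            hits[src] = (len(lookups), len(peers))
    return hits


if __name__ == "__main__":
    for host, (n_dns, n_smtp) in find_spambot_hosts(SAMPLE.splitlines()).items():
        print(f"{host}: {n_dns} mail-server lookups, then {n_smtp} SMTP connections")
```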

Dumpcap
Dumpcap is a network traffic dump tool. It captures packet data from a live network and writes the packets to a file. Dumpcap’s native capture file format is pcapng, which is also the format used by Wireshark.

By default, Dumpcap uses the pcap library to capture traffic from the first available network interface and writes the received raw packet data, along with the packets’ time stamps into a pcapng file. The capture filter syntax follows the rules of the pcap library.

Dumpcap can benefit from an enabled BPF JIT compiler if available. You might want to enable it by executing:

Editcap
Editcap is a program that reads some or all of the captured packets from an input file, optionally converts them in various ways, and writes the resulting packets to an output capture file (or files).

External resources

 * https://www.wireshark.org/download/docs/user-guide.pdf - Wireshark User's Guide
 * https://wiki.wireshark.org/DisplayFilters - Display Filters
 * https://wiki.wireshark.org/Development/LibpcapFileFormat - Libpcap File Format
 * https://tshark.dev - tshark.dev
 * https://tshark.dev/capture/ - tshark.dev: capturing
 * https://tshark.dev/capture/sources/ssh_interface/ - tshark.dev: ssh interface
 * https://tshark.dev/capture/sources/downloading_file/ - tshark.dev: downloading files
 * https://tshark.dev/analyze/packet_hunting/tshark_analysis/ - tshark.dev: tshark analysis
 * https://tshark.dev/packetcraft/scripting/lua_scripts/ - tshark.dev: lua scripts