Wireshark

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education.

Permissions
As Wireshark captures from hardware, it needs permissions set to enable capturing. To use Wireshark as a normal user, add the user to the pcap group (note: replace ${LOGNAME} with the user's actual login name):

To make the session aware of this new group without having to log in again, enter this command before launching wireshark:

Wireshark over SSH
Requirements: a source system (the server you want to capture packets on) that you have SSH access to, with tcpdump installed and available to your user (either directly, or via sudo without a password); and a destination system (where you run graphical Wireshark) with wireshark installed and working, and mkfifo available. Procedure:

Network Name Resolution
To automatically resolve IP addresses to domain names, open the Preferences window, click the panel, and select the Enable Network Name Resolution check box.

Filter packets to a specific IP Address
To see all incoming and outgoing traffic for a specific address, enter ==  in the filter box, replacing  with the relevant IP address. Additionally, to view only incoming traffic, replace with ; to view only outgoing traffic, replace  with.

Terminal-based Wireshark
TShark is a network protocol analyzer. It lets you capture packet data from a live network, or read packets from a previously saved capture file, either printing a decoded form of those packets to the standard output or writing the packets to a file. TShark's native capture file format is pcapng format, which is also the format used by Wireshark and various other tools.

Without any options set, TShark works much like tcpdump: it uses the pcap library to capture traffic from the first available network interface and displays a summary line on the standard output for each received packet.

For example, to capture packets across a specified network interface and save the results, enter

Replace with the desired network interface and  with the desired filename.

Example Usage

 * Show only filetypes that begin with "text":
 * Show only javascript:
 * Show all http with content-type="image/(gif|jpeg|png|etc)":
 * Show all http with content-type="image/gif":
 * Do not show content http, only headers:
 * To match IP addresses ending in 255 in a block of subnets (172.16 to 172.31):
 * To match odd frame numbers:
 * To see just the file header for any capture type, capture no packets and send the output to xxd. An easy way to capture no packets is to use the unused ipx protocol as the capture filter. This example uses -F pcap for the pcap file type:
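
The file header produced by the last item can be decoded rather than just hex-dumped. This added example (not code from the page) parses the 24-byte pcap global header from the Libpcap File Format, detects the byte order and timestamp resolution from the magic number, and tells a pcap header apart from a pcapng Section Header Block; the sample headers are constructed, not taken from a real capture.

```python
import struct

# pcap magic numbers from the libpcap file format: microsecond ("us") and
# nanosecond ("ns") timestamp variants, each written in either byte order.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", "us"),  # 0xa1b2c3d4 written little-endian
    b"\xa1\xb2\xc3\xd4": (">", "us"),  # 0xa1b2c3d4 written big-endian
    b"\x4d\x3c\xb2\xa1": ("<", "ns"),  # 0xa1b23c4d written little-endian
    b"\xa1\xb2\x3c\x4d": (">", "ns"),  # 0xa1b23c4d written big-endian
}
# pcapng Section Header Block type; a palindrome, so identical in both byte orders
PCAPNG_SHB = b"\x0a\x0d\x0d\x0a"


def capture_file_type(data):
    """Classify the first bytes of a capture file as 'pcap', 'pcapng' or 'unknown'."""
    if data[:4] == PCAPNG_SHB:
        return "pcapng"
    if data[:4] in PCAP_MAGICS:
        return "pcap"
    return "unknown"


def parse_pcap_header(data):
    """Decode the 24-byte pcap global header, honouring the byte order the magic implies."""
    if len(data) < 24:
        raise ValueError("need at least 24 bytes for a pcap global header")
    if data[:4] not in PCAP_MAGICS:
        raise ValueError("not a pcap file, magic %s" % data[:4].hex())
    endian, resolution = PCAP_MAGICS[data[:4]]
    # fields after the magic: version_major, version_minor, thiszone, sigfigs, snaplen, network
    major, minor, thiszone, sigfigs, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    return {"byte_order": "little" if endian == "<" else "big", "ts_resolution": resolution,
            "version": (major, minor), "thiszone": thiszone, "sigfigs": sigfigs,
            "snaplen": snaplen, "linktype": linktype}


# Constructed sample headers (not from a real capture): a little-endian microsecond
# header for Ethernet (linktype 1) with snaplen 262144, a big-endian nanosecond header
# for raw IP (linktype 101) with snaplen 65535, and the start of a pcapng file.
LE_US_ETHERNET = bytes.fromhex("d4c3b2a1" "0200" "0400" "00000000" "00000000" "00000400" "01000000")
BE_NS_RAWIP = bytes.fromhex("a1b23c4d" "0002" "0004" "00000000" "00000000" "0000ffff" "00000065")
PCAPNG_START = bytes.fromhex("0a0d0d0a" "1c000000" "4d3c2b1a")

if __name__ == "__main__":
    for blob in (LE_US_ETHERNET, BE_NS_RAWIP, PCAPNG_START):
        kind = capture_file_type(blob)
        print(kind, parse_pcap_header(blob) if kind == "pcap" else "")
```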

Search for malicious URL with regex
As an example, suppose a filter is wanted for an HTTP GET whose requested URL starts with http or https, has a Swedish .se domain, and contains the word worm in the query string. Wireshark's matches operator uses PCRE regex syntax, and a simple expression that satisfies this is https?.*?\.se.*?worm. If this seems confusing, explore more info on regex101 or other tutorials.

Given that this is a GET, it is better to search just the http protocol: http matches "https?.*?\.se.*?worm". Note that the regex is double-quoted. With tshark, the -Y "display filter" argument also needs to be double-quoted, so to use this display filter, escape the inner quotes:
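
Applying the same regex in Python to constructed request lines makes the filter's behaviour visible before it is used on live traffic. This is an added example, not code from the page; it also contrasts the regex with a copy that leaves the dot in \.se unescaped, which is the classic way such a filter over-matches.

```python
import re

# The regex from this page's display filter: http matches "https?.*?\.se.*?worm"
WORM_SE = re.compile(r"https?.*?\.se.*?worm")
# The same regex with the dot left unescaped, to show what "\." protects against
WORM_SE_SLOPPY = re.compile(r"https?.*?.se.*?worm")

# Constructed sample HTTP request lines (not captured traffic)
SAMPLE_REQUESTS = [
    "GET http://proxy.example.se/search?q=worm HTTP/1.1",
    "GET https://cdn.example.se/images/worm.png HTTP/1.1",
    "GET http://example.com/se/worm HTTP/1.1",          # "/se" is a path, not a .se domain
    "GET http://worm.example.org/index.html HTTP/1.1",  # no .se at all
    "GET http://shop.example.se/cart HTTP/1.1",         # .se but no "worm"
    "POST http://update.example.se/worm HTTP/1.1",      # matches the regex, but is not a GET
]


def parse_request_line(line):
    """Split 'METHOD URI VERSION' into (method, uri); return None if malformed."""
    parts = line.split()
    if len(parts) != 3:
        return None
    return parts[0], parts[1]


def matching_get_uris(lines, pattern=WORM_SE):
    """URIs of GET requests whose URI matches pattern, mirroring the http-only
    display filter rather than a search over every frame."""
    hits = []
    for line in lines:
        parsed = parse_request_line(line)
        if parsed is None:
            continue
        method, uri = parsed
        if method == "GET" and pattern.search(uri):
            hits.append(uri)
    return hits


if __name__ == "__main__":
    print("escaped dot:  ", matching_get_uris(SAMPLE_REQUESTS))
    print("unescaped dot:", matching_get_uris(SAMPLE_REQUESTS, WORM_SE_SLOPPY))
```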

Print http data in a tree
tshark -q -i any -Y http -z http,tree

Output:

====================================================================================================================
HTTP/Packet Counter:
Topic / Item           Count         Average       Min Val       Max Val       Rate (ms)     Percent       Burst Rate    Burst Start
-------------------------------------------------------------------------------------------------------------------------------------
Total HTTP Packets     1                                                                     100%          0.0100        2.255
 HTTP Request Packets  1                                                                     100.00%       0.0100        2.255
  GET                  1                                                                     100.00%       0.0100        2.255
 Other HTTP Packets    0                                                                     0.00%         -             -
 HTTP Response Packets 0                                                                     0.00%         -             -
  ???: broken          0                                                                                   -             -
  5xx: Server Error    0                                                                                   -             -
  4xx: Client Error    0                                                                                   -             -
  3xx: Redirection     0                                                                                   -             -
  2xx: Success         0                                                                                   -             -
  1xx: Informational   0                                                                                   -             -
-------------------------------------------------------------------------------------------------------------------------------------
====================================================================================================================

WireGuard
WireGuard was initially started by in 2015 as a Linux kernel module. As of January 2020, it has been accepted for Linux v5.6. Support for other platforms (macOS, Android, iOS, BSD, and Windows) is provided by a cross-platform wireguard-go implementation.

Filter WireGuard traffic while capturing
Assuming that your WireGuard traffic goes over the wlan0 interface using port 51820:

download extract-handshakes.sh

Step-by-step instructions for these are not yet available for the version merged in Linux v5.6. What you basically have to do is to build offset-finder.c with the headers from drivers/net/wireguard/ and kernel headers and config matching your current kernel.

Active Hunting

 * Detect activity from malware generating FTP traffic: In addition to FTP, malware can use other common protocols for malicious traffic. Spambot malware turns an infected host into a spambot designed to send dozens to hundreds of email messages every minute. This is characterized by several DNS requests for various mail servers followed by SMTP traffic on TCP ports 25, 465, 587, or other TCP ports associated with email traffic.
 * Analyze the traditional "pcap" filter to select what to capture from your interface:
 * Capture DNS traffic for a specific domain:
 * Capture all SSH traffic, except for the IP address "192.168.1.2":
 * Extract only HTTP request data from the eth0 interface:
 * Extract source address, destination address, DNS request and DNS response from the eth0 interface:
 * Extract only DHCP packets:
 * Display UDP traffic on non-standard ports in the range 1045 – 10000:
 * Hunt for clients' direct web access packets on the local network:
 * Capture TCP traffic with the FIN flag set:
 * Hunt the current MySQL query statement in real time (-R: read filter selecting MySQL query statements):
 * Hunt SMPP protocol headers and values:
 * Extract 200 packets and print out the visited URLs:
 * Extract 200 packets and print out the visited SSL URLs:
 * Capture HTTP traffic (active hunting):
 * Capture all port 110 traffic, filter for the 'user' command, and save it to a PCAP file:
 * Display all packets coming from 1.2.3.4, except those to 1.2.3.10, that have a length of less than 1800 bytes:
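
The spambot pattern described in the first item (a burst of mail-server DNS lookups followed by SMTP connections to many hosts) can be checked mechanically over tshark field output. This added example is not code from the page; it assumes tshark was run with -T fields -e frame.time_relative -e ip.src -e ip.dst -e dns.qry.type -e tcp.dstport, and parses constructed sample lines in that tab-separated layout.

```python
from collections import defaultdict

SMTP_PORTS = {25, 465, 587}   # TCP ports named on this page for outbound mail
MX_QUERY_TYPE = "15"          # DNS query type MX (mail exchanger lookup)

# Constructed sample output (not real traffic) of:
#   tshark -r capture.pcapng -T fields -e frame.time_relative -e ip.src -e ip.dst \
#          -e dns.qry.type -e tcp.dstport
# Columns are tab-separated; a field absent from a packet is left empty.
SAMPLE_FIELDS = """\
0.000\t10.0.0.5\t10.0.0.1\t15\t
0.010\t10.0.0.5\t10.0.0.1\t15\t
0.020\t10.0.0.5\t10.0.0.1\t15\t
0.150\t10.0.0.5\t203.0.113.10\t\t25
0.160\t10.0.0.5\t203.0.113.11\t\t25
0.170\t10.0.0.5\t203.0.113.12\t\t587
0.180\t10.0.0.5\t198.51.100.7\t\t465
1.000\t10.0.0.9\t10.0.0.1\t1\t
1.100\t10.0.0.9\t203.0.113.50\t\t443
2.000\t10.0.0.12\t10.0.0.1\t15\t
2.100\t10.0.0.12\t203.0.113.20\t\t25
"""


def parse_field_lines(text):
    """Turn tshark -T fields lines into (time, src, dst, dns_qry_type, tcp_dstport) tuples."""
    rows = []
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) != 5:
            continue  # skip malformed or truncated lines
        t, src, dst, qtype, dport = cols
        rows.append((float(t), src, dst, qtype, int(dport) if dport else None))
    return rows


def find_spambot_candidates(rows, min_mx=3, min_smtp_peers=3):
    """Hosts that issued at least min_mx MX lookups and contacted at least min_smtp_peers
    distinct servers on SMTP ports; a single legitimate mail client stays below both."""
    mx_lookups = defaultdict(int)
    smtp_peers = defaultdict(set)
    for _t, src, dst, qtype, dport in rows:
        if qtype == MX_QUERY_TYPE:
            mx_lookups[src] += 1
        elif dport in SMTP_PORTS:
            smtp_peers[src].add(dst)
    hosts = set(mx_lookups) | set(smtp_peers)
    return sorted(h for h in hosts
                  if mx_lookups[h] >= min_mx and len(smtp_peers[h]) >= min_smtp_peers)


if __name__ == "__main__":
    print(find_spambot_candidates(parse_field_lines(SAMPLE_FIELDS)))
```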

Passive Hunting

 * Command to read PCAP file:
 * Get details from a protocol hierarchy and statistics:
 * Capture statistics for a Specific Protocol. (Here we have selected HTTP protocol):
 * Analyze the address and length of each of those IP packets:
 * Capture only TCP communications:
 * Capture all IP conversations:
 * List packets with a specific source IP address from a captured DNS PCAP:
 * List packets with a specific destination IP address from a captured DNS PCAP:
 * Extract the source address and destination address fields:
 * Capture Python user agents:
 * Find the unique user-agent used for communications:
 * Get packet details in tree format:

Dumpcap
Dumpcap is a network traffic dump tool. It captures packet data from a live network and writes the packets to a file. Dumpcap’s native capture file format is pcapng, which is also the format used by Wireshark.

By default, Dumpcap uses the pcap library to capture traffic from the first available network interface and writes the received raw packet data, along with the packets’ time stamps into a pcapng file. The capture filter syntax follows the rules of the pcap library.

Dumpcap can benefit from an enabled BPF JIT compiler if available. You might want to enable it by executing:

Example Usage

 * Capture packets from the any interface for 60 seconds into output.pcapng:
 * Another example that will capture packets by size, duration, packets and files:

Editcap
Editcap is a program that reads some or all of the captured packets from the infile, optionally converts them in various ways, and writes the resulting packets to the capture outfile (or outfiles).

Usage

 * See a more detailed description of the options:
 * Shrink the capture file by truncating the packets at 64 bytes and writing it as Sun snoop file:
 * Delete packet 1000 from the capture file:
 * Limit a capture file to packets from number 200 to 750 (inclusive):
 * Get all packets from number 1-500 (inclusive):
 * Exclude packets 1, 5, 10 to 20 and 30 to 40 from the new file:
 * Select just packets 1, 5, 10 to 20 and 30 to 40 for the new file:
 * Remove duplicate packets seen within the prior four frames:
 * Remove duplicate packets seen within the prior four frames while skipping radiotap headers:
 * Remove duplicate packets seen within the prior 100 frames:
 * Remove duplicate packets seen equal to or less than 1/10th of a second:
 * Display the MD5 hash for all of the packets (without generating any real output file):
 * Advance the timestamps of each packet forward by 3.0827 seconds:
 * Ensure all timestamps are in strict chronological order:
 * Introduce 5% random errors in a capture file:
 * Remove vlan tags from all packets within an Ethernet-encapsulated capture file:

External resources

 * https://www.wireshark.org/download/docs/user-guide.pdf - Wireshark User's Guide
 * https://wiki.wireshark.org/DisplayFilters - Display Filters
 * https://wiki.wireshark.org/Development/LibpcapFileFormat - Libpcap File Format
 * https://tshark.dev - tshark.dev
 * https://tshark.dev/capture/ - tshark.dev: capturing
 * https://tshark.dev/capture/sources/ssh_interface/ - tshark.dev: SSH interface
 * https://tshark.dev/capture/sources/downloading_file/ - tshark.dev: downloading files
 * https://tshark.dev/analyze/packet_hunting/tshark_analysis/ - tshark.dev: tshark analysis
 * https://tshark.dev/packetcraft/scripting/lua_scripts/ - tshark.dev: Lua scripts