Wireshark

From Gentoo Wiki
Jump to:navigation Jump to:search
This article is a stub. Please help out by expanding it - how to get started.

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education.

Installation

USE flags

USE flags for net-analyzer/wireshark Network protocol analyzer (sniffer)

androiddump Install androiddump, an extcap interface to capture from Android devices
bcg729 Use media-libs/bcg729 for G.729 codec support in RTP Player
brotli Enable Brotli compression support
capinfos Install capinfos, to print information about capture files
captype Install captype, to print the file types of capture files
ciscodump Install ciscodump, extcap interface to capture from a remote Cisco router
dftest Install dftest, to display filter byte-code, for debugging dfilter routines
doc Add extra documentation (API, Javadoc, etc). It is recommended to enable per package instead of globally
dpauxmon Install dpauxmon, an external capture interface (extcap) that captures DisplayPort AUX channel data from linux kernel drivers
dumpcap Install dumpcap, to dump network traffic from inside wireshark
editcap Install editcap, to edit and/or translate the format of capture files
filecaps Use Linux file capabilities to control privilege rather than set*id (this is orthogonal to USE=caps which uses capabilities at runtime e.g. libcap)
gui Enable support for a graphical user interface
http2 Enable support for the HTTP/2 protocol
ilbc Build with iLBC support in RTP Player using media-libs/libilbc
kerberos Add kerberos support
libxml2 Use dev-libs/libxml2 for handling XML configuration in dissectors
lua Enable Lua scripting support
lz4 Enable support for lz4 compression (as implemented in app-arch/lz4)
maxminddb Use dev-libs/libmaxminddb for IP address geolocation
mergecap Install mergecap, to merge two or more capture files into one
minizip Build with zip file compression support
netlink Use dev-libs/libnl
opus Enable Opus audio codec support
pcap Use net-libs/libpcap for network packet capturing (build dumpcap, rawshark)
plugins Install plugins
qt6 Build with Qt6 support instead of the default Qt5 for GUI support
randpkt Install randpkt, a utility for creating pcap trace files full of random packets
randpktdump Install randpktdump, an extcap interface to provide access to the random packet generator (randpkt)
reordercap Install reordercap, to reorder input file by timestamp into output file
sbc Use media-libs/sbc for playing back SBC encoded packets
sdjournal Install sdjournal, an extcap that captures systemd journal entries
selinux !!internal use only!! Security Enhanced Linux support, this must be set by the selinux profile or breakage will occur
sharkd Install sharkd, the daemon variant of wireshark
smi Use net-libs/libsmi to resolve numeric OIDs into human readable format
snappy Enable support for Snappy compression (as implemented in app-arch/snappy)
spandsp Use media-libs/spandsp for for G.722 and G.726 codec support in the RTP Player
sshdump Install sshdump, an extcap interface to capture from a remote host through SSH
ssl Add support for SSL/TLS connections (Secure Socket Layer / Transport Layer Security)
test Enable dependencies and/or preparations necessary to run tests (usually controlled by FEATURES=test but can be toggled independently)
text2pcap Install text2pcap, to generate a capture file from an ASCII hexdump of packets
tfshark Install tfshark, a terminal-based version of the FileShark capability
tshark Install tshark, to dump and analyzer network traffic from the command line
udpdump Install udpdump, to get packets exported from a source (like a network device or a GSMTAP producer) that are dumped to a pcap file
wifi Install wifidump, to dump and analyse 802.11 traffic
zlib Add support for zlib compression
zstd Enable support for ZSTD compression

Emerge

root #emerge --ask net-analyzer/wireshark
Note
To install Wireshark with all of the extra features, the following USE flag should be enabled: kerberos.

Configuration

Permissions

Warning
Running Wireshark as root can be dangerous and is unnecessary. See the Wireshark Security page for more details.

As wireshark captures from hardware, it needs permissions set to enable capturing. To use wireshark as a normal user, add user to the pcap group (note, replace ${LOGNAME} by the user's actual login name):

root #gpasswd -a ${LOGNAME} pcap

To make the session aware of this new group without having to log in again, enter this command before launching wireshark:

root #newgrp pcap

Wireshark over SSH

Source system (the server you want to capture packets on) that you have SSH access to, with tcpdump installed, and available to your user (either directly, or via sudo without password). Destination system (where you run graphical Wireshark) with wireshark installed and working, and mkfifo available. Procedure:

Capture traffic remotely over SSH and Wireshark (ssh)

Note
Include -U for prevent buffering when using tcpdump instead of tshark
user $ssh root@server.com 'tshark -f "port !22" -w -' | wireshark -k -i -

Capture router traffic via wireshark (router)

Note
Include -U for prevent buffering when using tcpdump instead of tshark
user $ssh root@192.168.1.1 tcpdump -i any -U -s0 -w - 'not port 22' | wireshark -k -i -

Capture network traffic via Wireshark (android)

Warning
This require root on your android device
user $adb shell su -c tcpdump -nn -i wlan0 -U -s0 -w - 'not port 5555' | wireshark -k -i -

Capture radio/sms/gsm traffic via wireshark (android)

Warning
This require root on your android device
user $adb exec-out "su -c tcpdump -i any -U -w - 2>/dev/null" | wireshark -k -S -i -

Techniques

Network Name Resolution

To automatically resolve IP addresses to domain names, open the preferences window from Edit -> Preferences, clicking the Name Resolution panel and selecting the Enable Network Name Resolution check box.

Note
Enabling Network Name Resolution will increase the captured traffic due to additional DNS requests.

Filter packets to a specific IP Address

To see all incoming and outgoing traffic for a specific address, enter ip.addr == w.x.y.z in the filter box, replacing w.x.y.z with the relevant IP address. Additionally, to view only incoming traffic, replace ip.addr with ip.src; to view only outgoing traffic, replace ip.addr with ip.dst.

Terminal-based Wireshark

TShark is a network protocol analyzer. It lets you capture packet data from a live network, or read packets from a previously saved capture file, either printing a decoded form of those packets to the standard output or writing the packets to a file. TShark's native capture file format is pcapng format, which is also the format used by Wireshark and various other tools.

Without any options set, TShark will work much like tcpdump. It will use the pcap library to capture traffic from the first available network interface and displays a summary line on the standard output for each received packet.

user $tshark -h

For example, to capture packets across a specified network interface and save the results, enter

user $tshark -i wlan0 -w capture-output.pcap

Replace wlan0 with the desired network interface and capture-output with the desired filename.

Note
Color output text similarly to the Wireshark GUI, requires a terminal with 24-bit color support Also supplies color attributes to pdml and psml formats
user $tshark -i any --color

Example Usage

Show only filetypes that begin with "text"
user $tshark -Y 'http.content_type[0:4] == "text"'
Show only javascript
user $tshark -Y tshark -i wlp2s0 -Y 'http.content_type contains "javascript"'
Show all http with content-type="image/(gif|jpeg|png|etc)"
user $tshark -Y 'http.content_type[0:5] == "image"'
Show all http with content-type="image/gif"
user $tshark -Y http.content_type == "image/gif"
Do not show content http, only headers
user $tshark -Y http.response !=0 || http.request.method != "TRACE"
To match IP addresses ending in 255 in a block of subnets (172.16 to 172.31)
user $tshark -Y string(ip.dst) matches r"^172\.(1[6-9]|2[0-9]|3[0-1])\.[0-9]{1,3}\.255
To match odd frame numbers
user $tshark -Y string(frame.number) matches "[13579]$"
To see just the file header for any capture type, capture no packets and send to xxd
An easy way to capture no packets is to filter by unused ipx in the capture filter. This example uses -F pcap for the pcap file type.
user $tshark -f ipx -a duration:1 -F pcap -w - 2>/dev/null | xxd -u

Print http data in a tree

user $tshark -q -i any -Y http -z http,tree
=======================================================================================================================================
HTTP/Packet Counter:
Topic / Item            Count         Average       Min Val       Max Val       Rate (ms)     Percent       Burst Rate    Burst Start  
---------------------------------------------------------------------------------------------------------------------------------------
Total HTTP Packets      1                                                                     100%          0.0100        2.255        
 HTTP Request Packets   1                                                                     100.00%       0.0100        2.255        
  GET                   1                                                                     100.00%       0.0100        2.255        
 Other HTTP Packets     0                                                                     0.00%         -             -            
 HTTP Response Packets  0                                                                     0.00%         -             -            
  ???: broken           0                                                                                   -             -            
  5xx: Server Error     0                                                                                   -             -            
  4xx: Client Error     0                                                                                   -             -            
  3xx: Redirection      0                                                                                   -             -            
  2xx: Success          0                                                                                   -             -            
  1xx: Informational    0                                                                                   -             -            

---------------------------------------------------------------------------------------------------------------------------------------

Wireguard

WireGuard was initially started by Jason A. Donenfeld (zx2c4) in 2015 as a Linux kernel module. As of January 2020, it has been accepted for Linux v5.6. Support for other platforms (macOS, Android, iOS, BSD, and Windows) is provided by a cross-platform wireguard-go implementation.

Filter WireGuard traffic while capturing

user $tshark -i any udp[8:1] >= 1 and udp[8:1] <= 4 and udp[9:1] == 0 and udp[10:2] == 0

Assuming that your WireGuard traffic goes over the wlan0 interface using port 51820

download extract-handshakes.sh

user $extract-handshakes.sh > wg.keys & tshark -i wlan0 -owg.keylog_file:wg.keys -f 'udp port 51820'

Step-by-step instructions for these are not yet available for the version merged in Linux v5.6. What you basically have to do is to build offset-finder.c with the headers from drivers/net/wireguard/ and kernel headers and config matching your current kernel.

Dumpcat

Dumpcap is a network traffic dump tool. It captures packet data from a live network and writes the packets to a file. Dumpcap’s native capture file format is pcapng, which is also the format used by Wireshark.

By default, Dumpcap uses the pcap library to capture traffic from the first available network interface and writes the received raw packet data, along with the packets’ time stamps into a pcapng file. The capture filter syntax follows the rules of the pcap library.

Dumpcap can benefit from an enabled BPF JIT compiler if available. You might want to enable it by executing:

user $echo 1 > /proc/sys/net/core/bpf_jit_enable
Warning
Note that this can make your system less secure so change it back when your capture is done

Example Usage

Capture packets from interface any interface until 60s passed into output.pcapng
user $dumpcap -i any -a duration:60 -w output.pcapng
Tip
Use Ctrl-C to stop capturing at any time
Another example that will capture packets by size, duration, packets and files
user $dumpcap -a duration:100 -a files:10 -a filesize:10000 -a packets:10000 -b duration:100 -b files:1000 -b filesize:1024 -b packets:20 -w file.pcap

See also

  • Metasploit — provides information about security vulnerabilities and aids in penetration testing and IDS signature development.
  • Nmap — an open source recon tool used to check for open ports, what is running on those ports, and metadata about the daemons servicing those ports.
  • Tcpdump — a command-line network monitoring and data acquisition tool.

External resources