Network traffic analysis is the process of intercepting, recording and analyzing network communication patterns in order to detect and respond to security threats. Relevant network concepts include the OSI layers, protocols, IP addressing, encryption and firewalls, all of which apply to traffic analysis. The primary input is a PCAP (packet capture) file generated from a network interface in promiscuous mode. The majority of the packets are likely to be TCP, UDP and ICMP traffic.
- Pcap – Packet Capture File, which includes: (1) source and destination port numbers, (2) IP addresses, (3) physical (MAC) addresses, (4) protocol information, including TLS handshake metadata (encrypted payloads stay opaque unless the session keys are available), (5) header and payload data, (6) wireless (802.11) information and other data.
- TCP/IP units of data (PDUs) by layer:
- Data – Layer 4; Application Layer (e.g., HTTP request, DNS message)
- Segment (TCP) / Datagram (UDP) – Layer 3; Transport Layer (e.g., port numbers)
- Packet – Layer 2; Internet Layer (e.g., IP address)
- Frame – Layer 1; Link Layer (e.g., Ethernet MAC address, Wi-Fi address); transmitted as bits on the physical medium
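As an added example (not code from this page or from the Wireshark project), the Python script below builds a small classic-format PCAP in memory and dissects each record down the layers listed above: frame, then IP packet, then TCP segment or UDP datagram, then application data. It uses only the standard library. The capture bytes (one HTTP request, one DNS query, one ICMP echo request) are constructed here, not taken from a real capture, and their checksums are left at zero.

```python
# Added example (not from the page or from Wireshark): a minimal classic-pcap reader
# that walks each record down the layers above; the capture is constructed in memory.
import socket
import struct

PCAP_MAGICS = (0xA1B2C3D4, 0xA1B23C4D)   # microsecond / nanosecond timestamp variants
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_pcap(blob):
    """Yield one dict per record; each key names the layer it was dissected at."""
    if struct.unpack("<I", blob[:4])[0] in PCAP_MAGICS:
        endian = "<"
    elif struct.unpack(">I", blob[:4])[0] in PCAP_MAGICS:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack(endian + "IHHiIII", blob[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"only Ethernet frames are dissected here, got LINKTYPE {linktype}")
    off = 24
    while off + 16 <= len(blob):
        ts_sec, _, incl_len, orig_len = struct.unpack(endian + "IIII", blob[off:off + 16])
        frame = blob[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        yield dissect_frame(frame, ts_sec, orig_len)

def dissect_frame(frame, ts_sec, orig_len):
    """Layer 1 frame -> layer 2 IP packet -> layer 3 segment/datagram -> application data."""
    rec = {"frame": {"ts": ts_sec, "len": orig_len, "dst_mac": mac(frame[:6]),
                     "src_mac": mac(frame[6:12]), "ethertype": struct.unpack("!H", frame[12:14])[0]}}
    if rec["frame"]["ethertype"] != ETHERTYPE_IPV4:
        return rec                                   # ARP, IPv6 etc. left undissected here
    ip = frame[14:]
    ihl, total_len, proto = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0], ip[9]
    rec["packet"] = {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
                     "proto": IPPROTO.get(proto, str(proto)), "ttl": ip[8]}
    l4 = ip[ihl:total_len]                           # skips IP options and Ethernet padding
    if proto == 6:
        sport, dport, seq, _ack, doff_flags = struct.unpack("!HHIIH", l4[:14])
        rec["segment"] = {"sport": sport, "dport": dport, "seq": seq, "flags": doff_flags & 0x1FF}
        rec["data"] = l4[(doff_flags >> 12) * 4:]    # data offset is in 32-bit words
    elif proto == 17:
        sport, dport, ulen, _cksum = struct.unpack("!HHHH", l4[:8])
        rec["datagram"] = {"sport": sport, "dport": dport, "len": ulen}
        rec["data"] = l4[8:ulen]
    elif proto == 1:
        rec["icmp"] = {"type": l4[0], "code": l4[1]}
        rec["data"] = l4[8:]
    return rec

def build_capture():
    """Constructed sample: one HTTP request, one DNS query, one ICMP echo request.
    Checksums are left zero (Wireshark would flag them); fine for a parsing demo."""
    def eth(inner):                                  # dst 00:11:22:33:44:55, src 0a:0b:0c:0d:0e:0f, IPv4
        return bytes.fromhex("0011223344550a0b0c0d0e0f0800") + inner
    def ipv4(proto, src, dst, l4):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                           socket.inet_aton(src), socket.inet_aton(dst)) + l4
    def tcp(sport, dport, payload, flags=0x18):      # PSH|ACK, 20-byte header
        return struct.pack("!HHIIHHHH", sport, dport, 1000, 2000, (5 << 12) | flags, 65535, 0, 0) + payload
    def udp(sport, dport, payload):
        return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    frames = [
        eth(ipv4(6, "10.0.0.5", "93.184.216.34",
                 tcp(51234, 80, b"GET /flag.txt HTTP/1.1\r\nHost: example.com\r\n\r\n"))),
        eth(ipv4(17, "10.0.0.5", "10.0.0.1", udp(40000, 53, b"\x12\x34\x01\x00\x00\x01\x00\x00"
                 b"\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01"))),
        eth(ipv4(1, "10.0.0.5", "10.0.0.1", struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"ping")),
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGICS[0], 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for rec in parse_pcap(build_capture()):
        print({k: v for k, v in rec.items() if k != "data"}, rec.get("data", b"")[:24])
```

Running the script prints one dissected record per line. Note that Wireshark writes pcapng by default, which has a different magic number; the reader rejects that format rather than misparsing it, and editcap -F pcap converts a pcapng file to the classic format handled here.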
- Key Protocols:
Wireshark Packet Analyzer:
Wireshark is a GUI tool used to capture and analyze network packet capture files (PCAPs). Its console counterpart, tshark, is built on the same dissection engine and accepts the same display-filter syntax, so the same analysis can be done directly on the command line or in scripts. Wireshark is free and open source; it ships with the Kali Linux distribution and can be downloaded for Windows or macOS.
- The menu (see Section 3.4, “The Menu”) is used to start actions.
- The main toolbar (see Section 3.16, “The “Main” Toolbar”) provides quick access to frequently used items from the menu.
- The filter toolbar (see Section 3.17, “The “Filter” Toolbar”) allows users to set display filters to filter which packets are displayed (see Section 6.3, “Filtering Packets While Viewing”).
- The packet list pane (see Section 3.18, “The “Packet List” Pane”) displays a summary of each packet captured. By clicking on packets in this pane you control what is displayed in the other two panes.
- The packet details pane (see Section 3.19, “The “Packet Details” Pane”) displays the packet selected in the packet list pane in more detail.
- The packet bytes pane (see Section 3.20, “The “Packet Bytes” Pane”) displays the data from the packet selected in the packet list pane, and highlights the field selected in the packet details pane.
- The statusbar (see Section 3.21, “The Statusbar”) shows some detailed information about the current program state and the captured data.
Recommended Steps for using Wireshark
- Read the CTF challenge and look for clues (e.g., protocols, IP addresses, ports, hostnames). The challenge is most likely going to:
- require analysis of a capture file (PCAP); no live capture is needed
- involve a TCP- or UDP-based protocol
- Wireless (802.11) scenarios will also be provided as capture files
- Open the file in Wireshark (see Section 5.2, “Open Capture File”).
- Use display filters to reduce the noise (see Section 6.3, “Filtering Packets While Viewing”) and focus on the CTF clues.
- Analyze the data in Wireshark, or with one of the tools below:
- Wireshark – open source, GUI-based traffic capture and analysis tool (available for Kali Linux, Windows and macOS).
- tcpdump – command-line packet analyzer for Linux/Unix (no GUI); captures from an interface or reads a PCAP file and prints the packets that match a BPF filter (e.g., tcp port 80).
- WinDump – Windows port of tcpdump.
- ngrep – searches network packets, live or from a PCAP file, for strings or regular expressions.
- Malware-Traffic-Analysis.net – PCAP exercises built from network traffic related to malware infections.
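The display-filter step from the list above, as an added example that is not Wireshark's own code: a small evaluator for Wireshark-style display filters, run over a handful of constructed packet records that use Wireshark's field names (ip.addr, tcp.port, http.request.uri and so on; the records are made up here, not taken from a capture). It shows the behaviour that matters when narrowing a capture to the challenge clues: a comparison on a multi-valued field such as ip.addr or tcp.port is true when any occurrence matches, so "ip.addr == 10.0.0.5 && tcp.port == 80" does not mean "from 10.0.0.5 to port 80". The != operator follows newer Wireshark releases (true only when no occurrence equals the value, the same as !(field == value)); the !== operator reproduces the older "any occurrence differs" reading of != that made "ip.addr != x" keep almost every packet. Only ==, !=, !==, <, >, <=, >=, contains, !, &&, || and parentheses are supported.

```python
# Added example: a Wireshark-style display-filter evaluator (not Wireshark's own code).
import re

TOKEN_RE = re.compile(r'\s+|(\(|\)|&&|\|\||!==|!=|==|<=|>=|<|>|!|"[^"]*"|[A-Za-z0-9_.:/]+)')
OPS = {"==": lambda v, x: v == x, "<": lambda v, x: v < x, ">": lambda v, x: v > x,
       "<=": lambda v, x: v <= x, ">=": lambda v, x: v >= x, "contains": lambda v, x: str(x) in str(v)}
COMPARE = set(OPS) | {"!=", "!=="}

def tokenize(expr):
    if not re.fullmatch(f"(?:{TOKEN_RE.pattern})*", expr):
        raise ValueError(f"filter contains an unrecognised token: {expr!r}")
    return [t for t in TOKEN_RE.findall(expr) if t]          # drop whitespace matches

def literal(tok):
    if tok is None:
        raise ValueError("missing value after comparison operator")
    if tok.startswith('"'):
        return tok[1:-1]
    try:
        return int(tok, 0)                                    # decimal or 0x.. integer
    except ValueError:
        return tok                                            # raw text, e.g. an IP address

def parse(expr):
    toks, pos = tokenize(expr) + [None], [0]                  # None marks the end of input
    def peek():
        return toks[pos[0]]
    def take():
        pos[0] += 1
        return toks[pos[0] - 1]
    def or_expr():                                            # '||' binds loosest
        node = and_expr()
        while peek() == "||":
            take()
            node = ("or", node, and_expr())
        return node
    def and_expr():
        node = unary()
        while peek() == "&&":
            take()
            node = ("and", node, unary())
        return node
    def unary():
        tok = take()
        if tok == "!":
            return ("not", unary())
        if tok == "(":
            node = or_expr()
            if take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        if tok is None or tok in COMPARE or tok in (")", "&&", "||"):
            raise ValueError(f"expected a field name, got {tok!r}")
        if peek() in COMPARE:
            return ("cmp", tok, take(), literal(take()))
        return ("has", tok)                                   # bare name: is the field present?
    node = or_expr()
    if peek() is not None:
        raise ValueError(f"unexpected token {peek()!r}")
    return node

def evaluate(node, pkt):
    kind = node[0]
    if kind == "or":
        return evaluate(node[1], pkt) or evaluate(node[2], pkt)
    if kind == "and":
        return evaluate(node[1], pkt) and evaluate(node[2], pkt)
    if kind == "not":
        return not evaluate(node[1], pkt)
    if kind == "has":
        return node[1] in pkt
    _, field, op, rhs = node
    values = pkt.get(field)
    if values is None:
        return False                                          # absent field: comparison is false
    values = values if isinstance(values, list) else [values]
    if op == "!=":                                            # no occurrence equals x
        return all(v != rhs for v in values)
    if op == "!==":                                           # any occurrence differs from x
        return any(v != rhs for v in values)
    return any(OPS[op](v, rhs) for v in values)               # any occurrence matches

PACKETS = [   # constructed records with Wireshark field names; not from a real capture
    {"frame.number": 1, "frame.len": 79, "ip.addr": ["10.0.0.5", "10.0.0.1"],
     "udp": True, "udp.port": [40000, 53], "dns": True, "dns.qry.name": "example.com"},
    {"frame.number": 2, "frame.len": 99, "ip.addr": ["10.0.0.5", "93.184.216.34"],
     "tcp": True, "tcp.port": [51234, 80], "http": True, "http.request.uri": "/flag.txt"},
    {"frame.number": 3, "frame.len": 86, "ip.addr": ["10.0.0.9", "10.0.0.1"], "tcp": True,
     "tcp.port": [51235, 21], "ftp": True, "ftp.request.command": "PASS", "ftp.request.arg": "flag{cl34rt3xt}"},
]

def apply_filter(expr, packets=PACKETS):
    """Frame numbers the filter keeps, like the rows left in the packet list pane."""
    node = parse(expr)
    return [p["frame.number"] for p in packets if evaluate(node, p)]

if __name__ == "__main__":
    for expr in ("tcp.port == 80", "ip.addr == 10.0.0.1 && !dns", "ip.addr != 10.0.0.5",
                 "ip.addr !== 10.0.0.5", 'ftp.request.command == "PASS" || http.request.uri contains "flag"'):
        print(f"{expr:70} -> frames {apply_filter(expr)}")
```

The same filters typed into Wireshark's filter toolbar, or passed to tshark with -Y, select the same packets from a real capture; the evaluator is only here to make the any-occurrence semantics visible on a small, known data set.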
- Youtube: Newbies Guide to Network Traffic Analysis (1:26:13) ** NCL Course **
- Youtube: Wireshark 101: The OSI Model, Hak5 116 (8:27)
- Youtube: Wireshark Tutorial – The Network Analyser (21:28)
- Youtube: tcpdump – Traffic Capture & Analysis (23:19)
- Free Wireshark and Ethical Hacking Course:
- Youtube: Wireshark Tutorial – Installation and Password sniffing (11:25)
- Youtube: Wireshark: Packet Analysis and Ethical Hacking Course (05:07)
- Youtube: Wireshark Tutorial – Profiles and Password captures (09:08)
- Youtube: tshark and Termshark tutorial: Capture and view wireshark captures in a console (13:05)
- Document: Wireshark User Guide