Using Wireshark
Learning how to use a sniffer effectively is probably one of the most important network-related lessons you can take, and I strongly recommend that you practice as much as possible.
Peeking at a Sniffer
Let's begin by peeking into a Wireshark capture file. This capture was taken as I ran dhclient eth0 and then opened my browser and browsed to http://www.offensive-security.com (this is a most lovely site for learning hacking).
Looking at this for the first time might be overwhelming. However, take a deep breath, examine the packet capture line by line, and apply your knowledge of TCP/IP.
Packet 1: DHCP Request. You ran dhclient, which broadcasts a DHCP request to a local DHCP server.
Notice the broadcast destination address 255.255.255.255 and the source IP address 0.0.0.0.
Packet 2: A DHCP server (192.168.1.1) replies in a unicast packet and assigns the IP 192.168.1.107. At
this point the browser was opened, attempting to browse to www.offensive-security.com.
Packet 3: ARP Broadcast. You've attempted to send a packet to the Internet, and before your
computer can actually send it, it needs to identify the default gateway on the local network. The
default gateway IP address is configured on the requesting machine, but the default gateway MAC
address is unknown. My machine sends a broadcast to the whole network, asking, “Who has
192.168.1.1? Tell 192.168.1.107.”
Packet 4: All computers on the local subnet receive this broadcast and check whether 192.168.1.1
belongs to them. Only 192.168.1.1 responds to this ARP broadcast and sends an ARP unicast reply to
192.168.1.107, informing it of the MAC address requested.
Packet 5: Now that your computer knows where to send its packets in order for them to reach the
internet, you need to resolve the IP of www.offensive-security.com. Your computer sends a DNS
query to the DNS server defined in your TCP/IP settings (24.224.127.143) and asks the DNS server for
the IP address (A record) of www.offensive-security.com.
Packet 6: The DNS server replies and tells your computer that the IP address for www.offensive-security.com is 208.88.120.8.
Packet 7: Armed with this information, your computer attempts a three-way handshake (remember that buzzword from TCP/IP?) with 208.88.120.8 on port 80 and sends a SYN request.
Packet 8: The web server responds with an ACK and sends a SYN to your machine.
Packet 9: You send a final ACK to the web server and complete the three-way handshake.
Packet 10: Now that the handshake is complete, your computer can start talking with the service
using a specific protocol. Since you're using a web browser, your computer sends an HTTP GET
request, which retrieves the index page, and all linked images, to your browser.
Packet 11–end: The main page of www.offensive-security.com, including all linked images, is loaded in your browser.
Capture and Display Filters (CDF)
Capture dumps are rarely this clean, since there is usually a lot of background noise on a network. Various broadcasts, miscellaneous network services, and other running applications all make traffic analysis harder. Wireshark has two very convenient filter schemes: capture filters and display filters. Capture filters are applied while packets are being captured and decide what is written to the capture file at all, while display filters only hide packets from view in a capture that has already been taken. Understanding how to use these filters is the key to mastering Wireshark.
Following TCP Streams
As you may have noticed, packets 9–end are a bit difficult to comprehend because they contain
fragments of information. Most modern sniffers, Wireshark included, know how to reassemble a
specific session and display it in various formats.
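To make the reassembly idea concrete, here is an added example (not code from the original post or from Wireshark) that follows one direction of a TCP stream at a time: it sorts the captured payload segments by sequence number, skips retransmitted bytes, and rejects gaps. The addresses, initial sequence numbers and HTTP bytes are constructed sample values modelled on the walkthrough above.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    src: str        # "ip:port" of the sender
    dst: str        # "ip:port" of the receiver
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes

def reassemble(segments, isn):
    """Rebuild one direction of a TCP stream from its payload segments.
    isn is the initial sequence number carried in that side's SYN, so the
    first payload byte sits at isn + 1. Segments are sorted by seq; bytes
    already covered (retransmissions, overlaps) are dropped, and a hole in
    the sequence space raises instead of silently producing garbage."""
    data = bytearray()
    next_seq = isn + 1
    for seg in sorted(segments, key=lambda s: s.seq):
        end = seg.seq + len(seg.payload)
        if end <= next_seq:
            continue                      # pure retransmission, nothing new
        if seg.seq > next_seq:
            raise ValueError(f"gap before seq {seg.seq}: {seg.seq - next_seq} bytes missing")
        data += seg.payload[next_seq - seg.seq:]   # trim any overlapping prefix
        next_seq = end
    return bytes(data)

def follow_stream(segments, client, server, client_isn, server_isn):
    """Split a session's segments by direction; return (request, response) bytes."""
    to_server = [s for s in segments if s.src == client and s.dst == server]
    to_client = [s for s in segments if s.src == server and s.dst == client]
    return reassemble(to_server, client_isn), reassemble(to_client, server_isn)

# Constructed sample (not a real capture): the HTTP exchange from packet 10 onward,
# seen out of order and with one retransmitted segment.
CLIENT, SERVER = "192.168.1.107:49152", "208.88.120.8:80"
CLIENT_ISN, SERVER_ISN = 1000, 5000
SAMPLE = [
    Segment(CLIENT, SERVER, 1017, b"Host: www.offensive-security.com\r\n\r\n"),  # arrives first
    Segment(CLIENT, SERVER, 1001, b"GET / HTTP/1.1\r\n"),
    Segment(CLIENT, SERVER, 1001, b"GET / HTTP/1.1\r\n"),                        # retransmission
    Segment(SERVER, CLIENT, 5001, b"HTTP/1.1 200 OK\r\n"),
    Segment(SERVER, CLIENT, 5018, b"Content-Length: 5\r\n\r\nhello"),
]

def demo():
    """Return the reassembled (request, response) pair for the sample session."""
    return follow_stream(SAMPLE, CLIENT, SERVER, CLIENT_ISN, SERVER_ISN)
```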