Welcome to "The Ultimate Guide to Wireshark: Your Journey to Become a Blue Teamer"! In this comprehensive guide, we'll explore every nook and cranny of Wireshark, the go-to tool for network analysis and troubleshooting. Whether you're a seasoned pro or just starting out on your blue team adventure, Wireshark is your trusty sidekick for dissecting network traffic and uncovering hidden insights. Let's dive in and unlock the full potential of Wireshark together! 💻

Understanding the Interface

Wireshark's user interface is your command center for navigating the world of packet sniffing. From the moment you open Wireshark, you're greeted with a plethora of menus and options designed to make your network analysis journey seamless. Let's first discuss the menus briefly.

  • File: This menu is your gateway to managing capture files. Open, merge, save, print – you name it, the File menu has got you covered. 📁
  • Edit: Customize packet data, search for specific packets, and manipulate packet details to your heart's content. ✏️
  • View: Control the display settings and layout of Wireshark, ensuring you have the perfect view for your analysis needs. 👀
  • Go: Navigate packet history with ease and jump to specific packet numbers for targeted analysis. 🚶‍♂️
  • Capture: Take charge of packet capture operations, start, stop, or restart captures, and configure capture options with precision. 📡
  • Analyse: Dive deep into packet analysis territory with tools for setting display and capture filters, following TCP/UDP streams, and accessing expert information. 🕵️‍♀️
  • Statistics: Uncover valuable insights with statistical analysis tools, from summaries to protocol hierarchies, and beyond. 📊
  • Telephony: Zoom in on VoIP calls and RTP streams for specialized analysis in the telephony realm. ☎️
  • Tools: Access handy utilities for resolving addresses, applying packet details as filters, and exporting objects from captured traffic. 🛠️
  • Help: Find assistance with documentation, manual pages, updates, and version information – your one-stop shop for Wireshark support. 🆘

Capturing packet with Wireshark

First time when you open Wireshark it will look like this. To capture packet from you network first choose the network interface from the down menu and then click on the shark fin icon under file menu. Then it will start capturing network traffic.

When you fire up Wireshark and start capturing that flowing river of network data, you're not just peering into a stream of ones and zeros – you're diving headfirst into the heartbeat of your digital world. But hey, don't let the tech lingo intimidate you! Think of Wireshark as your trusty pair of goggles, letting you see beneath the surface of your network and uncovering the secrets hidden within each packet.

Now, as you embark on your Wireshark journey, you'll notice some nifty menus pop up, each with its own bag of tricks to help you navigate the ocean of data swirling before your eyes. Let's break down these menus and see how they can turn you from a network novice into a data detective extraordinaire!

1. Time Menu: Time is of the Essence

  • Ever heard the phrase "timing is everything"? Well, in the world of packet sniffing, it's gospel! The Time menu lets you tweak how time is displayed in Wireshark, helping you pinpoint exactly when those packets made their grand entrance onto your network stage.

2. Source Menu: Where It All Begins

  • Picture this: Every packet that lands in your Wireshark capture has a story to tell, and it all starts with its source. While there isn't a fancy menu for sources, fear not! Wireshark's packet list pane proudly displays the source IP address of each packet, giving you the lowdown on where it all began.

3. Destination Menu: Follow the Trail

  • Ah, the destination – where every packet dreams of ending up! Just like a GPS guiding you to your favorite taco joint, Wireshark's packet list pane shows you the destination IP address of each packet, helping you track their journey across the network landscape.

4. Protocol Menu: The Language of the Packets

  • TCP, UDP, ICMP – it's like a babel of languages buzzing through your network! But don't worry, Wireshark's got your back. The Protocol menu automatically identifies the language (or protocol) spoken by each packet, so you can easily sift through the chatter and focus on what matters most.

5. Length Menu: Size Matters

  • You know what they say – size matters, especially when it comes to packets! Wireshark's packet list pane proudly displays the length of each packet, giving you a glimpse into their girth as they traverse the digital highway.

6. Info Menu: The Cliff Notes

  • Picture this: You're skimming through a novel, but who's got time to read every word? That's where the Info menu comes in handy! Wireshark's packet list pane provides a bite-sized summary of each packet, giving you the highlights reel without the fluff.

When you're deep into capturing network traffic with Wireshark and you click on a single packet, something magical happens – a whole new world of insights opens up right before your eyes! Let's take a closer look at the menu that appears at the bottom of your screen and decode what each section reveals:

Frame:

  • Think of the frame info as the packet's ID card. It tells you where the packet fits into the big picture. The frame number is like its spot in line – it helps you keep track of its order in the stream of captured data. The frame length shows you how big the packet is, kinda like knowing whether you're dealing with a tiny tweet or a lengthy email. And the interface tells you where the packet came from, helping you trace its journey through the network.

Internet Protocol (IP):

  • Ah, the IP details – they're like the packet's home address. The source IP is where the packet originated, while the destination IP is where it's headed. It's like peeking at the envelope to see who sent the letter and where it's going. Plus, you get tidbits like the IP version, protocol type, and time-to-live (TTL), giving you clues about the packet's travels and its importance in the grand scheme of things.

Transmission Control Protocol (TCP):

  • When it comes to TCP packets, it's all about the conversation. You've got the source and destination port numbers, which are like the phone numbers for the applications chatting away. Then there's the sequence and acknowledgment numbers, kinda like the call and response in a lively conversation. These details help you piece together the story of the data exchange and ensure everything flows smoothly between sender and receiver.

Raw Data:

  • Ah, the raw data – it's like peeking inside the packet's secret diary. Here, you'll find the packet's contents laid bare in both hexadecimal and ASCII formats. It's a treasure trove of information, revealing the nitty-gritty details of the packet's payload. From application-layer protocols to funky ASCII art, the raw data lets you dig deep and uncover hidden gems within the packet.

Now let's talk about the most important thing that you will be doing in your blue team journey

Searching through logs:

It's like sifting through a haystack to find that elusive needle! But fear not, my fellow blue teamer, for Wireshark's search features are here to lend you a helping hand. Let's dive into the art of log searching with Wireshark and uncover the secrets hidden within your network traffic:

There are a lot of search filters for Wireshark but It's impossible to cover all of them and you won't be needing all of them, so I listed out most used ones:

  1. IPv4 hotspot (ip.addr) - Find packets related to a specific IPv4 addr. Ex.: ip.addr==192.168.1.1. Useful when tracking down suspicious behavior.
  2. TCP ports (tcp.port) - Narrow down packets by TCP port number. Ex.: tcp.port==80. Essential for web traffic analysis.
  3. UDP harbor (udp.port) - Target packets bound for/from specific UDP ports. Ex.: udp.port==53. Great for DNS troubleshooting.
  4. Ethernet lingo (eth.type) - Decrypt Ethernet frames carrying IPv4 pkts. Ex.: eth.type==ip. Helps decipher digital jargon.
  5. MAC addresses (eth.addr) - Hone in on packets originating from/to specific MAC addrs. Ex.: eth.addr==ff:ff:ff:ff:ff:ff. Useful for identifying rogue devices.
  6. Payload size (frame.len) - Set boundaries for oversized packets. Ex.: frame.len<=1000. Protects networks from unwanted intrusions.
  7. Protocol names (_ws.col.protocol) - Fish out pkts belonging to specific transprt lyr protos. Ex.: _ws.col.protocol=="HTTP". Perfect for diving deeper into data streams.
  8. Keyword hunting (contains, matches, regex) - Sieve thru payload text for hints & clues. Ex.: contains "hello"|matches".*world$"|regex^[a-z]+$. Fun for finding hidden treasures!
  9. Time travel (frame.time) - Step back in time to review past events. Ex.: frame.time>="Jan 1, 2022 00:00:00.000000000 CET". Ensures you never miss a moment in the digital record.
  10. Display combos (&&, ||, not) - Mix & match search critera for complex filtering. Ex.: (ip.addr==192.168.1.1)&&(tcp.port==80). Conducts digital orchestra, guides data flow with precision. 
  11. Packet Lengths (frame.len) - Hunt for big fish or tiny minnows by filtering packets based on their size. Ex: frame.len > 1500
  12. IP Fragmentation (ip.flags) - Piece together fragmented packets to reconstruct the full picture. Ex: ip.flags.fragment == 1
  13. DNS Focus (dns) - Follow the breadcrumbs of domain name resolution to uncover mysteries. Ex: dns.flags.response == 0
  14. Suspicious Patterns (regex) - Hunt down threats using sophisticated search patterns. Ex: regex "(?i)password"
  15. Packet Payloads (data) - Dive into raw data to uncover hidden secrets. Ex: data contains "confidential"
  16. TCP Flags (tcp.flags) - Spot suspicious activity by monitoring TCP flags. Ex: tcp.flags == 0x02

Mastering Wireshark's Capabilities

Now that you've familiarized yourself with the Wireshark interface, it's time to explore its powerful capabilities in greater detail. Let's delve into each aspect to understand how you can leverage Wireshark to its fullest potential.

1. Packet List Pane: Your Traffic Summary Hub

The Packet List Pane is your primary dashboard, providing a summary of captured network traffic. Here, you'll find essential information such as source and destination IP addresses, protocols used, packet lengths, and timestamps. It serves as your starting point for identifying patterns, anomalies, and potential issues within your network traffic.

2. Packet Details Pane: Peeling Back the Layers

The Packet Details Pane allows you to inspect the contents of individual packets in detail. It provides a comprehensive view of packet headers, payloads, and metadata, enabling you to analyze packet structure and content. By examining packet details, you can gain insights into network protocols, communication patterns, and potential security threats.

3. Filtering: Sifting Through the Noise

Wireshark's filtering capabilities are indispensable for focusing on specific types of traffic and extracting meaningful information from captured data. You can create filters based on various criteria, such as IP addresses, protocols, ports, and packet attributes. By applying filters, you can isolate relevant traffic, streamline analysis, and pinpoint issues with precision.

4. Coloring Rules: Visualizing Traffic Patterns

Coloring Rules allow you to visually distinguish different types of packets based on predefined criteria. By assigning colors to packets matching specific conditions, you can quickly identify important traffic patterns, anomalies, or potential threats. Customizing coloring rules enhances visual clarity and facilitates rapid analysis of network traffic.

5. Statistics Views: Uncovering Insights

Wireshark offers a range of statistical analysis tools to help you uncover valuable insights into network traffic patterns and behavior. From packet summaries to protocol hierarchies, these statistics views provide detailed metrics and visualizations to aid in understanding network activity, identifying trends, and diagnosing performance issues.

6. Profiles: Tailoring Your Workspace

Profiles allow you to customize your Wireshark workspace to suit your individual preferences and workflow. You can create multiple profiles with different configurations, layouts, and settings tailored to specific analysis tasks or environments. Profiles streamline your workflow, improve efficiency, and ensure a personalized experience within Wireshark.

7. Preferences: Fine-Tuning Your Analysis Environment

Wireshark's preferences enable you to fine-tune various aspects of the application to optimize your analysis environment. From capture options to display settings, protocol preferences, and user interface customization, preferences allow you to tailor Wireshark to your specific needs and preferences. By adjusting preferences, you can enhance productivity, streamline workflows, and improve overall usability.

8. Keyboard Shortcuts: Accelerating Your Analysis

Keyboard shortcuts are your secret weapon for accelerating common tasks and navigating Wireshark with ease. By mastering essential shortcuts for tasks such as packet navigation, filter application, and analysis functions, you can work more efficiently and effectively within Wireshark. Keyboard shortcuts save time, minimize mouse clicks, and enhance productivity during network analysis.

So, there you have it, by following these steps, you can effectively capture network traffic using Wireshark and leverage its robust analysis capabilities to gain insights into network behavior and troubleshoot issues. Happy packet sniffing! 📶🕵️‍♂️