Wireshark for Security Analysis | Customization & Common features

1/ Introduction

What is Wireshark?

Wireshark is a network packet analyzer. A network packet analyzer presents captured packet data in as much detail as possible.

You could think of a network packet analyzer as a measuring device for examining what’s happening inside a network cable, just like an electrician uses a voltmeter for examining what’s happening inside an electric cable (but at a higher level, of course).

In the past, such tools were either very expensive, proprietary, or both. However, with the advent of Wireshark, that has changed. Wireshark is available for free, is open source, and is one of the best packet analyzers available today. wireshark.org/docs/

Some intended purposes

Here are some reasons people use Wireshark:

  • Network administrators use it to troubleshoot network problems
  • Network security engineers use it to examine security problems
  • QA engineers use it to verify network applications
  • Developers use it to debug protocol implementations
  • People use it to learn network protocol internals
  • Wireshark can also be helpful in many other situations.

2/ Customizing Wireshark

Create a profile for your security analysis

Wireshark profiles are used to configure and use more than one set of preferences and configurations;
creating profiles is critical for better visibility, it will make your analysis far more organized and effective, so when you want to analyze different protocols or exercises you can save a set of settings specific for each type of use

Right-click on Profile:Default > New > Name it > Ok


Change the timestamp

Changing the time is a good practice for better visibility; Wireshark offers many time formats that you can choose from, choose your system time display format if you want to analyze events based on your local machine time, or UTC if you work remotely with multiple clients, you can also choose the time granularity from seconds to nanoseconds; the bottom of the line is that you have the choice on which format you prefer to work with based on your own needs

View > Time Display Format


Save filters as buttons

Since you're going to use filters excessively while investihttps://ahmedbelhadjadji.blogspot.com/2022/01/httpsahmedbelhadjadji.blogspot.comazure-sentinel-to-map.htmlgating, storing filters as buttons is truly a time saver

Enter your filter expression > hit the "+" icone > Name it > Ok



you can use those filters directly without typing them again as a part of the current profile


Nb: if you want to nest filters, we name as following: Parent node // child node

Coloring rules

View > Coloring rules > hit the "+" icon > set the filter and name it > choose a background color > Ok



Nb: this list applies colors on filters by priority
 

3/ Common Features

Statistics

Wireshark provides a wide range of network statistics which can be accessed via the Statistics menu.
These statistics range from general information about the loaded capture file (like the number of captured packets) to the statistics about specific protocols (e.g. statistics about the number of HTTP requests and responses captured).

one useful statistic is the Protocol hierarchy, it provides the protocols in your capture


as you can see at the capture below that I have 4 ARP, 2 ICMP, 6 IGMP, TCP, and UDP packets



another commonly used statistic is the conversations 



I could see that there is another IP apart of mine, so if want to investigate further about it, I can either search for the 5353 port, or I can apply the packet information as a filter

Right-click > Apply as a Filter > Selected > A <-> B

I found that that port UDP:5353 is used for Multicast DNS


Identify GeoIP location resolution

We used this feature in Azure SIEM by using APIs to extract the Geolocation information AzureMap

you can download the GeoIP databases from maxmind.com and add them to Wireshark

you can also get the databases from here github.com/GeoLite.mmdb

go to Edit > Preferences > Name Resolution > MaxMind database directories > "+" > browse to the downloaded folder > Ok



if the changes don't appear instantly, you may want to restart Wireshark

we can try now another statistic we didn't talk about earlier

go to Statistics > Endpoints

you can take a good look at the external traffic you're connecting with

Map > Open in Browser


Custom columns

to add a column you can select a packet and go to the field you want to add a column for > 

Right-click > Apply as a Column


now that you added the column, you can modify it simply 

right-click on it > Edit Column > modify the Fields > Ok

in my case, I was looking for a column to show the source port either UDP and TCP, so I added “or tcp.srcport”


Name resolution

we can configure Wireshark to resolve transport names (like protocols)

Edit > Preferences > Resolve transport names

we can also resolve network addresses into hostnames, we have three options on how the name resolution is performed: Wireshark captured DNS packets, an external name resolver, or using selected DNS servers

we can also use the manual resolution to name a specific device, a client's IP for example

right-click on the IP > Edit Resolved Name > name it > Ok    



    In the next article, we'll be using these rules and features to analyze suspicious traffic




























Comments

Post a Comment

Popular posts from this blog

OpenVas: Vulnerability Scanning | Installation Guide

Image
  Introduction: OpenVAS is a vulnerability scanner that analyzes endpoints and web apps to uncover and detect flaws. Corporations frequently employ it as part of their mitigation strategies to initially identify any weaknesses in their operational or testing servers and apps. This isn't an ultimate solution, but it can assist in the elimination of any common weaknesses that may have sneaked through the gaps. Installation: There are three methods to install GreenBone openVas: 1- Install from Kali/OpenVas repositories:  This way varies in difficulty because of the needed configurations, you can simply install it with apt. sudo apt-get update -y &&  sudo apt-get upgrade -y &&  sudo apt-get dist-upgrade -y sudo apt-get install openvas sudo gvm-setup sudo gvm-check-setup 2- Install from source (Manually): This way is not the best for beginners due to prerequisite installations and error handling can be challenging. github.com/greenbone/openvas-scanner 3- R...
Read more

Nmap | TryHackMe Walkthrough

Image
  An in-depth look at scanning with Nmap, a powerful network scanning tool. This room was created by DarkStar  and  MuirlandOracle , as it provides a great way to learn and start practicing nmap. I encourage you to give it a try by yourself since the hands-on practice will give you more understanding of the topic (take advantage of the manual page man nmap ). Task2: What networking constructs are used to direct traffic to the right application on a server? Ports How many of these are available on any network-enabled computer? 65535 [Research] How many of these are considered "well-known"? (These are the "standard" numbers mentioned in the task) 1024 Task3: What is the first switch listed in the help menu for a 'Syn Scan' (more on this later!)? -sS Which switch would you use for a "UDP scan"? -sU If you wanted to detect which operating system the target is running on, which switch would you use? -O Nmap provides a switch to detect the version of the...
Read more