"Welcome to Shark Week: A Guide for Getting Started with Wireshark and tshark. In honor of Shark Week[1], I decided to write this blog to demonstrate various techniques I’ve found useful when analyzing n…"
T1040 Network Sniffing (99%)
"ll show some practical use cases for operationalizing your analysis… Yes, we are going to pivot to the command line using tshark, where we can do something useful rather than just staring into a GUI-abyss of packets! In all seriousness, there is nothing wrong with doing your a…"
T1040 Network Sniffing (99%)
"aids our ability to analyze the traffic more swiftly. To access capture options, navigate to Capture -> Options… from the main toolbar. Input: limiting the capture to a target host. To limit the capture to a target host, we can use the following filter syntax: host <ip_addr…"
T1040 Network Sniffing (99%)
"http.request rather than just http. tshark -nr infile.pcap -Y 'http.request' -T fields -E header=y -E separator='|' -e ip.src -e http.user_agent With the above command applied, we now see that the only source IP associated with User-Agent values is 192.16…"
T1040 Network Sniffing (99%)
", but that approach doesn’t scale well. Fortunately, Wireshark provides us with the capability to view a given “stream” of network traffic. Wireshark supports stream analysis over several different protocols – for this topic, we’ll be looking at TCP streams. To view a given…"
T1040 Network Sniffing (98%)
"been collected or some defined time derivative. Below shows an example where Wireshark is configured to write a new pcap file each time the captured data hits 100 MB. Display filters != capture filters. Once a packet capture file is opened or otherwise generated with Wireshark, di…"
T1040 Network Sniffing (98%)
"from a virtual network adapter. Resolve network addresses: with Resolve network addresses selected, Wireshark will perform reverse DNS lookups on all source and destination IP addresses within the capture. Although this setting may seem convenient, it has the potential to “tip-…"
T1040 Network Sniffing (98%)
"s TCP/IP layers. - Packet Bytes – the bottom-right pane (in older versions the lowest pane) displays the selected packet’s bytes, represented in a hex dump with ASCII characters and an offset column, also represented in hex. The screen capture below shows an example of ea…"
T1040 Network Sniffing (98%)
"may be asking yourself, “How do I know the specific field name to target for extraction?” Well, this is where having a running instance of Wireshark comes in extremely handy! We can utilize the display filter trick in Wireshark and find the specific field(s) we’re after. F…"
T1040 Network Sniffing (98%)
"always couple this with ‘-n’ which tells tshark not to perform any name resolution shenanigans. tshark -nr infile.pcap To apply a display filter, we use the ‘-Y’ option followed by the display filter. tshark -nr infile.pcap -Y 'dns' To write out a pcap file, we use t…"
T1040 Network Sniffing (97%)
"file. Additionally, if we want to apply a capture filter, the ‘-f’ option is used. tshark -ni eth0 -f "host 192.168.20.10" -w test.pcap Now let’s see what this looks like in real life… Applying the ‘http’ display filter to a pcap file, we get the following output…"
T1040 Network Sniffing (97%)
"456) option. One important note to mention about timestamps in packet captures – the timestamp is recorded at time of capture by the utility (and most likely the system time) from which the capture was taken. This may be a separate system from your analysis machine altogethe…"
T1040 Network Sniffing (96%)
"clients and it never ceases to amaze me the number of organizations that allow outbound traffic solely on the basis of the TCP/UDP port number. Analysts should proceed with caution when it comes to the Resolve network addresses option. Perhaps there are use cases where this fea…"
T1040 Network Sniffing (95%)
"interested in the field name, http.user_agent. Now, we can take that to tshark and extract all unique User-Agent strings observed over HTTP. tshark -nr infile.pcap -Y 'http' -T fields -E header=y -E separator='|' -e ip.src -e http.user_agent There is, how…"
T1040 Network Sniffing (95%)
"what I’m even looking at… Where do I start? Where’s the evil? What does it all mean!?” If you are brand new to Wireshark, this blog won’t alleviate all encountered difficulties – like a recipe for mastering anything new, it takes a lot of time, patience, practice, and mor…"
T1040 Network Sniffing (94%)
"let me explain a little more of what these settings do. - Resolve physical addresses (MAC OUI resolution) – Wireshark translates the first three octets of a MAC address (also known as OUI or Organizationally Unique Identifier) to the assigned vendor name. - Resolve network ad…"
T1040 Network Sniffing (94%)
"source IP address, and destination IP address. tshark -nr infile.pcap -Y 'http' -T fields -e frame.time_epoch -e ip.src -e ip.dst By default, tshark will print to stdout with extracted field values as tab delimited. We can customize the output a bit more by adding t…"
T1040 Network Sniffing (94%)
"incident responder than being able to extract attacker artifacts from network traffic. The specific email used as a phish – containing URLs and/or attachments, malicious file downloads, exfiltrated data, etc., etc. Fortunately, Wireshark has a built-in capability that allows …"
T1040 Network Sniffing (92%)
"guide provided some helpful tips and tricks for those getting started with Wireshark and/or tshark, and equally important, sparked ideas to take your network-analysis-fu to the next level. If you find yourself overwhelmed while analyzing network traffic, it’s okay, this i…"
T1040 Network Sniffing (88%)
"in the field, and although these issues surface from time to time, the community that supports this tool addresses them quickly. The following wiki article provides more details on this topic: https://wiki.wireshark.org/security In short, keep your tools up to date and c…"
T1040 Network Sniffing (84%)
"red if the filter syntax is incomplete/invalid. Many of the supported Wireshark display filters use a hierarchical syntax represented in dot-notation. For example, if we want to apply an HTTP-based display filter, but wish to be more granular in our selection, we can type:…"
T1040 Network Sniffing (60%)
"separator='|' -e ip.src -e http.user_agent | sort | uniq -c | sort -nr The above command results in the following output. The results show that we have two unique User-Agent values in this packet capture file, and both are attributed to the host 192.168.88.55. Th…"
T1040 Network Sniffing (59%)
"(or Network Time Protocol) is commonly associated with both TCP/123 and UDP/123. In the screen capture above, we can see in the packet details section where Wireshark tagged the destination port as “ntp”; however, if we peer into this conversation using the Follow TCP St…"
Summary
Troy Wojewoda // In honor of Shark Week[1], I decided to write this blog to demonstrate various techniques I’ve found useful when analyzing network traffic with Wireshark, as well as […]