Wireshark: Capture, Filter and Inspect Packets

Computers communicate over the network using packets. This means that if we can intercept or spoof these packets, we can learn a lot about the user and their network traffic.

In this lab, you will be introduced to Wireshark. Wireshark is a networking tool that allows you to capture all of the outgoing and incoming packets from your machine.


Setting up Wireshark

Step 1: Open Wireshark by clicking the shark-fin icon on the Kali Linux toolbar.



Step 2: Click the eth0 interface to start the capture.


Step 4: There are three main screens in Wireshark. The figure below shows an annotated screenshot of the three Wireshark screens.



Analyzing Network Traffic using Wireshark

Wireshark lets you capture packets from your own machine. This makes it a great tool for digital forensics: capturing traffic from an infected machine and analyzing what is currently happening on it.

Step 5: Open the Browser and visit any website.

Step 6: Click the red stop icon to stop the packet capture.

Step 7: Since there are so many packets in the Wireshark capture, Wireshark provides a filter feature that lets you narrow them down. Click on the filter packets box at the top of the screen and type the following filter command.


Step 8: Limit the packet capture to only one conversation by right-clicking on one of the packets and selecting Conversation Filter -> TCP.

Step 9: Wireshark also lets you reconstruct the stream data from the packet stream by right-clicking on the packet and selecting Follow -> TCP Stream. You should see the HTML corresponding to the page.


Example of Wireshark

Now let's take another example. For this purpose, open another operating system in VirtualBox. Click on the eth0 interface to start the capture.

Press the shark-fin icon (in the top left) to start capturing packets, or double-click the interface to start the capture.

Open Firefox on Linux Lite. In Wireshark, you can see that it has just started capturing packets.

The first check is whether the IP address in the capture is the same as the machine's IP address.

Here you see it matched.

Now, open the site. Here I sign up with a username and password.

Now we will check the packets in detail. First, stop the capture.

For communicating with a website, the HTTP protocol comes into play. Let's filter for HTTP.

Here you see my IP address communicating with this site. After that, the site responded with 200; 200 is the status code for OK. Here you see all the received files. userinfo.php stores the user's info.

Click the packet. Here you see the username and password.
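As an added example (not code from the original post), the following Python script does in code what the Follow TCP Stream step above does by hand: it parses a constructed Ethernet/IPv4/TCP frame carrying an HTTP POST like the userinfo.php request above and reports which form fields carry credentials in cleartext, the kind of check a defender runs over a capture to find logins that should have gone over HTTPS. The IP addresses, ports, host name and credential field names are all constructed assumptions.

```python
"""Added example: parse one Ethernet/IPv4/TCP frame carrying an HTTP POST and
report which form fields send credentials in cleartext (a defender's check)."""
import struct
from urllib.parse import parse_qs

CRED_KEYS = {"pass", "password", "passwd", "pwd"}  # assumed credential field names

def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed test input)."""
    eth = b"\x00" * 12 + b"\x08\x00"  # MAC addresses zeroed, EtherType = IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    # seq=1, ack=1, data offset 5 words, flags PSH|ACK, window, checksum 0, urg 0
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def parse_frame(frame):
    """Return addresses, ports and TCP payload, or None if not IPv4/TCP."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4  # IPv4 header length in bytes
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4  # TCP header length in bytes
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "payload": tcp[data_off:]}

def cleartext_credentials(frame):
    """Flag an HTTP POST (port 80) whose form body carries credential fields.
    Reports field names only, so the alert itself does not leak the secret."""
    pkt = parse_frame(frame)
    if pkt is None or pkt["dport"] != 80 or not pkt["payload"].startswith(b"POST "):
        return None
    head, _, body = pkt["payload"].partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n")[0].decode(errors="replace")
    fields = parse_qs(body.decode(errors="replace"))
    hits = sorted(k for k in fields if k.lower() in CRED_KEYS)
    if not hits:
        return None
    return {"conversation": f"{pkt['src']}:{pkt['sport']} -> {pkt['dst']}:{pkt['dport']}",
            "request": request_line, "fields": hits}

# Constructed sample: a signup POST like the userinfo.php request in the post above.
SAMPLE_POST = (b"POST /userinfo.php HTTP/1.1\r\nHost: example.test\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n"
               b"Content-Length: 28\r\n\r\nuname=alice&pass=s3cret&go=1")
SAMPLE_FRAME = build_frame("10.0.2.15", "203.0.113.10", 49152, 80, SAMPLE_POST)

if __name__ == "__main__":
    print(cleartext_credentials(SAMPLE_FRAME))
```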

You can analyze any network at a microscopic level.
