Wireshark: The Basics TryHackMe Walkthrough

Hiteshverma
5 min read · Mar 4, 2024


Task 1 Introduction

Wireshark is an open-source tool for network packet analysis, capable of examining live traffic and packet captures (PCAP).

Task 2 Tool Overview

Use Cases

  • Identifying and solving network issues like load failures and congestion.
  • Spotting security anomalies like rogue hosts, unusual port usage, and suspicious traffic.
  • Studying protocol details like response codes and payload data.

GUI and Data

  • Toolbar: The main toolbar contains multiple menus and shortcuts for packet sniffing and processing, including filtering, sorting, summarising, exporting and merging.
  • Display Filter Bar: The main query and filtering section.
  • Recent Files: List of the recently investigated files. You can recall listed files with a double-click.
  • Capture Filter and Interfaces: Capture filters and available sniffing points (network interfaces). The network interface is the connection point between a computer and a network. The software connection (e.g., lo, eth0 and ens33) enables networking hardware.
  • Status Bar: Tool status, profile and numeric packet information.

Panes

  • Packet List Pane: Summary of each packet (source and destination addresses, protocol, and packet info). You can click on the list to choose a packet for further investigation. Once you select a packet, the details will appear in the other panes.
  • Packet Details Pane: Detailed protocol breakdown of the selected packet.
  • Packet Bytes Pane: Hex and decoded ASCII representation of the selected packet. It highlights the packet field depending on the clicked section in the details pane.

Colouring Packets

Wireshark colours packets based on conditions and protocols so that anomalies are easy to spot. Custom colouring rules can be created using display filters. Wireshark has temporary and permanent packet colouring methods. Permanent colouring rules are created via the “right-click menu” or the “View → Coloring Rules” menu; temporary colouring is applied via the “right-click menu” or the “View → Conversation Filter” menu.

Traffic Sniffing

Use the blue “shark button” to start, red to stop, and the green to restart network sniffing. The status bar shows the interface used and the number of packets collected.

Merge PCAP Files

Wireshark can merge two pcap files. Use the “File → Merge” menu to select a second file.

View File Details

Knowing pcap file details, such as file hash, capture time, comments, interface, and statistics, is crucial when working with multiple files. To view these, choose “Statistics → Capture File Properties” or click the “pcap icon at the bottom left” of the window.

Task 3 Packet Dissection

Packet Dissection

Packet dissection, or protocol dissection, examines packet details by decoding protocols and fields.

Packet Details

Clicking on a packet in the list pane opens its details, consisting of 5 to 7 OSI model layers.

Each time you click a detail, it will highlight the corresponding part in the packet bytes pane.

Let’s have a closer view of the details pane.

We can see seven distinct layers to the packet: frame/packet, source [MAC], source [IP], protocol, protocol errors, application protocol, and application data. Below we will go over the layers in more detail.

The Frame (Layer 1): This will show you what frame/packet you are looking at and details specific to the Physical layer of the OSI model.

Source [MAC] (Layer 2): This will show you the source and destination MAC Addresses; from the Data Link layer of the OSI model.

Source [IP] (Layer 3): This will show you the source and destination IPv4 Addresses; from the Network layer of the OSI model.

Protocol (Layer 4): This will show you details of the protocol used (UDP/TCP) and source and destination ports; from the Transport layer of the OSI model.

Protocol Errors: This continuation of the 4th layer shows specific segments from TCP that needed to be reassembled.

Application Protocol (Layer 5): This will show details specific to the protocol used, such as HTTP, FTP, and SMB. From the Application layer of the OSI model.

Application Data: This extension of the 5th layer can show the application-specific data.
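To make the layer walk above concrete, here is an added example (not code from the room or from Wireshark) that reads a pcap and dissects each record in the same order the Packet Details pane shows it: frame, Ethernet, IPv4, TCP or UDP, then the application payload, and renders the corresponding Packet List pane row. The capture is constructed inline with hypothetical hosts (10.0.0.5, 192.0.2.10, 192.0.2.53) and zeroed checksums; the reader assumes the classic little-endian pcap format over Ethernet.

```python
"""Minimal pcap reader and layer-by-layer dissector (added example, not the room's or Wireshark's code).
It walks Ethernet -> IPv4 -> TCP/UDP -> payload in the order the Packet Details pane shows them."""
import struct
from datetime import datetime, timezone

PCAP_MAGIC = 0xA1B2C3D4               # classic little-endian pcap with microsecond timestamps
LINKTYPE_ETHERNET = 1
PORT_NAMES = {80: "http", 53: "dns"}  # stand-in for Wireshark's port-based protocol heuristics

def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)

def dissect(frame_no, ts, first_ts, data):
    """Return one dict per layer, keyed like the details pane: frame, eth, ip, tcp/udp, app."""
    layers = {"frame": {
        "number": frame_no, "length": len(data),
        "relative": round(ts - first_ts, 6),                              # "Seconds Since Beginning of Capture"
        "utc": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()}}  # UTC time display format
    if len(data) < 14:
        return layers                             # runt frame: nothing above layer 1 to decode
    dst, src, ethertype = struct.unpack("!6s6sH", data[:14])
    layers["eth"] = {"src": fmt_mac(src), "dst": fmt_mac(dst), "type": ethertype}
    if ethertype != 0x0800:
        return layers                             # not IPv4: the dissection stops at layer 2
    ip = data[14:]
    ihl, total_len, proto = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0], ip[9]
    layers["ip"] = {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])), "proto": proto}
    l4 = ip[ihl:total_len]                        # trust the IP total length, ignore Ethernet padding
    if proto == 6:                                # TCP
        sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", l4[:14])
        layers["tcp"] = {"srcport": sport, "dstport": dport, "flags": off_flags & 0x1FF}
        payload = l4[(off_flags >> 12) * 4:]      # data offset is counted in 32-bit words
    elif proto == 17:                             # UDP
        sport, dport, ulen = struct.unpack("!HHH", l4[:6])
        layers["udp"] = {"srcport": sport, "dstport": dport, "length": ulen}
        payload = l4[8:ulen]
    else:
        return layers
    if payload:
        name = PORT_NAMES.get(dport) or PORT_NAMES.get(sport) or "data"
        layers[name] = {"payload": payload}
    return layers

def read_pcap(blob):
    """Parse a classic pcap blob and return its packets dissected, numbered from 1 like Wireshark."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", blob[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("this example handles little-endian pcap over Ethernet only")
    packets, off, first_ts = [], 24, None
    while off + 16 <= len(blob):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack("<IIII", blob[off:off + 16])
        data = blob[off + 16:off + 16 + incl_len]
        if len(data) < incl_len:
            raise ValueError(f"truncated record at offset {off}")   # capture cut short mid-packet
        ts = ts_sec + ts_usec / 1e6
        first_ts = ts if first_ts is None else first_ts
        packets.append(dissect(len(packets) + 1, ts, first_ts, data))
        off += 16 + incl_len
    return packets

def summary(p):
    """One Packet List pane row: No., Time, Source, Destination, Protocol, Info."""
    proto = next(k for k in ("http", "dns", "tcp", "udp", "ip", "eth", "frame") if k in p)
    addr = p.get("ip") or p.get("eth") or {}
    info = p["http"]["payload"].split(b"\r\n")[0].decode("latin-1") if "http" in p else ""
    f = p["frame"]
    return f'{f["number"]} {f["relative"]:.6f} {addr.get("src", "")} {addr.get("dst", "")} {proto.upper()} {info}'.rstrip()

# --- constructed sample capture (hypothetical hosts, checksums left at zero) ---
def eth_ipv4(src_mac, dst_mac, src_ip, dst_ip, proto, l4):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0x4000, 64, proto, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split(".")))) + l4
    return struct.pack("!6s6sH", dst_mac, src_mac, 0x0800) + ip

def tcp_segment(sport, dport, payload, flags=0x018):           # PSH|ACK, 5-word header
    return struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | flags, 65535, 0, 0) + payload

def udp_datagram(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def pcap_record(ts_sec, ts_usec, frame):
    return struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame

CLIENT_MAC, SERVER_MAC = bytes.fromhex("0242ac110002"), bytes.fromhex("0242ac110003")
DNS_QUERY = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + b"\x07example\x04test\x00\x00\x01\x00\x01"
SAMPLE_PCAP = (
    struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    + pcap_record(1709510400, 0, eth_ipv4(CLIENT_MAC, SERVER_MAC, "10.0.0.5", "192.0.2.10", 6,
                  tcp_segment(51500, 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")))
    + pcap_record(1709510400, 250000, eth_ipv4(CLIENT_MAC, SERVER_MAC, "10.0.0.5", "192.0.2.53", 17,
                  udp_datagram(40123, 53, DNS_QUERY)))
)

if __name__ == "__main__":
    print(*map(summary, read_pcap(SAMPLE_PCAP)), sep="\n")
```

Each `if ... return layers` branch is where a real dissector stops and reports what it has, which is why a non-IP frame in Wireshark shows only the Frame and Ethernet layers. The truncated-record check mirrors what the tool flags when a capture was cut short mid-packet.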

Task 4 Packet Navigation

Packet Numbers

Wireshark assigns unique numbers to each investigated packet for easier analysis and reference.

Go to Packet

Packet numbers aid in counting, locating, and tracking packets within a network conversation.

Find Packets

Wireshark can find packets by content, accessible through the “Edit → Find Packet” menu. The search function accepts four input types (Display filter, Hex, String, and Regex).

Searches can be conducted in the packet list, packet details, and packet bytes panes.

Mark Packets

Marking packets in network analysis helps identify specific packets for further study or export. You can use the “Edit” or the “right-click” menu to mark/unmark packets.

Marked packets are displayed in black, irrespective of the colour their connection type would otherwise give them.

Packet Comments

Analysts can add comments to packets to aid investigation; unlike marked packets, comments remain until manually removed.

Export Packets

Capture files can contain thousands of packets in a single file. Wireshark is not an IDS, so it is sometimes necessary to separate specific packets from the file and dig deeper to resolve an incident. Exporting lets analysts share only the suspicious packets (the decided scope), so redundant information is kept out of the analysis process. You can use the “File” menu to export packets.

Export Objects (Files)

Wireshark can extract files transferred through the wire. For a security analyst, it is vital to discover shared files and save them for further investigation. Exporting objects is available only for selected protocols’ streams (DICOM, HTTP, IMF, SMB and TFTP).

Time Display Format

Wireshark displays captured packets by default in “Seconds Since Beginning of Capture.” For a clearer view, switch to UTC Time Display Format via “View → Time Display Format.”

Expert Info

Expert Info entries are grouped by severity and colour:

  • Chat (Blue): Information on usual workflow.
  • Note (Cyan): Notable events like application error codes.
  • Warn (Yellow): Warnings like unusual error codes or problem statements.
  • Error (Red): Problems like malformed packets.

Frequently encountered information groups are listed below. You can refer to Wireshark’s official documentation for more information on the expert information entries.

  • Checksum: Checksum errors.
  • Deprecated: Deprecated protocol usage.
  • Comment: Packet comment detection.
  • Malformed: Malformed packet detection.

You can use the “lower left bottom section” in the status bar or “Analyse → Expert Information” menu to view all available information entries via a dialogue box. It will show the packet number, summary, group protocol and total occurrence.

Task 5 Packet Filtering

Wireshark offers two types of filters: capture and display. Display filters help analysts focus on specific events.

Basic Display Filter Usage:
  • Apply as Filter: Right-click on a field and use “Apply as Filter” to focus on packets with that value.
  • Conversation Filter: Filter packets related to a specific entity using “Analyse → Conversation Filter.”
  • Colourise Conversation: Highlights linked packets without applying a display filter. Use “View → Colourise Conversation.”
  • Prepare as Filter: Adds a filter query without applying it. Use “right-click” and choose an option from the menu.

Column Display:
  • Apply as Column: Add columns to the packet list pane to examine specific values across packets. Use “right-click” or “Analyse → Apply as Column.”

Stream Analysis:
  • Follow Stream: Reconstructs and views raw traffic at the application level. Use “right-click” or “Analyse → Follow TCP/UDP/HTTP Stream.” Highlighted packets represent server (blue) and client (red) data.

Note: Click the “X button” to remove applied filters and view all packets in the capture file.
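The menu actions above each correspond to a simple rule over packet fields. The following added example (not Wireshark's code; the field names mirror Wireshark's display-filter names, the packets are constructed and hypothetical) implements the semantics of Apply as Filter, Prepare as Filter, Conversation Filter and Follow Stream over a small packet list: `ip.addr` and `tcp.port` match either direction, a conversation is the direction-independent pair of endpoints, and Follow Stream concatenates one conversation's payloads in capture order, tagging each chunk as client or server.

```python
"""Display-filter, conversation and follow-stream logic from Task 5 over a constructed packet list
(added example, not Wireshark's code; field names mirror Wireshark's, all values are hypothetical)."""

# Wireshark shorthand fields that match either direction of a flow
COMBINED = {"ip.addr": ("ip.src", "ip.dst"),
            "tcp.port": ("tcp.srcport", "tcp.dstport"),
            "udp.port": ("udp.srcport", "udp.dstport")}

def field_matches(pkt, field, value):
    """Evaluate `field == value` for one packet, expanding ip.addr / tcp.port the way Wireshark does."""
    return any(pkt.get(name) == value for name in COMBINED.get(field, (field,)))

def prepare_as_filter(field, value):
    """Right-click -> Prepare as Filter: build the query text without applying it."""
    return f"{field} == {value}"

def apply_as_filter(packets, field, value):
    """Right-click -> Apply as Filter -> Selected: keep only packets where the field has that value."""
    return [p for p in packets if field_matches(p, field, value)]

def endpoint(pkt, side):
    """(proto, address, port) of the packet's 'src' or 'dst' side; None for non-TCP/UDP packets."""
    proto = "tcp" if "tcp.srcport" in pkt else "udp" if "udp.srcport" in pkt else None
    return None if proto is None else (proto, pkt[f"ip.{side}"], pkt[f"{proto}.{side}port"])

def conversation_key(pkt):
    """Direction-independent identity of a TCP/UDP conversation: its two endpoints, sorted."""
    a, b = endpoint(pkt, "src"), endpoint(pkt, "dst")
    return None if a is None else tuple(sorted((a, b)))

def conversation_filter(packets, selected):
    """Analyse -> Conversation Filter -> TCP/UDP: both directions of the selected packet's
    conversation, plus an equivalent display-filter string."""
    key = conversation_key(selected)
    if key is None:
        raise ValueError("conversation filters need a TCP or UDP packet")
    (proto, ip_a, port_a), (_, ip_b, port_b) = key
    query = f"ip.addr == {ip_a} && ip.addr == {ip_b} && {proto}.port == {port_a} && {proto}.port == {port_b}"
    return [p for p in packets if conversation_key(p) == key], query

def follow_stream(packets, selected):
    """Analyse -> Follow -> Stream: application payloads of one conversation in capture order, tagged
    client (the side that sent the conversation's first packet; red in the GUI) or server (blue)."""
    conv, _ = conversation_filter(packets, selected)
    client = endpoint(conv[0], "src")
    return [("client" if endpoint(p, "src") == client else "server", p["payload"])
            for p in conv if p.get("payload")]     # handshake and ACK-only segments carry no data

def tcp(no, src, sport, dst, dport, payload=b""):
    return {"frame.number": no, "ip.src": src, "ip.dst": dst,
            "tcp.srcport": sport, "tcp.dstport": dport, "payload": payload}

# Constructed packet list: a TCP handshake and HTTP exchange between 10.0.0.5 and 192.0.2.10,
# an unrelated DNS query, and a second HTTP connection from the same client to the same server.
PACKETS = [
    tcp(1, "10.0.0.5", 51500, "192.0.2.10", 80),                                   # SYN
    tcp(2, "192.0.2.10", 80, "10.0.0.5", 51500),                                   # SYN/ACK
    tcp(3, "10.0.0.5", 51500, "192.0.2.10", 80),                                   # ACK
    {"frame.number": 4, "ip.src": "10.0.0.5", "ip.dst": "192.0.2.53",
     "udp.srcport": 40123, "udp.dstport": 53, "payload": b"\x12\x34\x01\x00"},     # DNS query
    tcp(5, "10.0.0.5", 51500, "192.0.2.10", 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    tcp(6, "192.0.2.10", 80, "10.0.0.5", 51500, b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"),
    tcp(7, "10.0.0.5", 51501, "192.0.2.10", 80, b"GET /other HTTP/1.1\r\n\r\n"),    # new conversation
]

if __name__ == "__main__":
    print(prepare_as_filter("ip.addr", "192.0.2.10"))
    print([p["frame.number"] for p in apply_as_filter(PACKETS, "tcp.port", 80)])
    conv, query = conversation_filter(PACKETS, PACKETS[5])
    print(query, [p["frame.number"] for p in conv])
    for side, data in follow_stream(PACKETS, PACKETS[1]):
        print(side, data)
```

Note the difference the conversation key makes: filtering on `ip.addr == 192.0.2.10` returns frame 7 as well, because it only pins a host, while the Conversation Filter built from frame 6 excludes it, because frame 7 uses a different client port. Follow Stream picks the client side from the first packet of the conversation, not from the packet you happened to select, which is why selecting the server's SYN/ACK still labels the GET request as client data.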
