Wireshark Cheat Sheet
Last modified: 2024-08-20
Network protocol analyzer. Its native capture format is pcapng; it also reads classic pcap files.
Start
wireshark
# Open with .pcapng file
wireshark example.pcapng
Settings
Datetime Format When Packets Sent
Select “View → Time Display Format → Date and Time of Day”.
Filters
Enter the following expressions in the display filter bar.
Datetime
frame.time >= "Jan 2, 2023 08:00:00" && frame.time <= "Jan 5, 2023 08:00:00"
DNS
dns
udp.port == 53
# Record type
dns.qry.type == 1 # A record
dns.qry.type == 2 # NS record
dns.qry.type == 5 # CNAME record
dns.qry.type == 6 # SOA record
dns.qry.type == 15 # MX record
dns.qry.type == 16 # TXT record
dns.qry.type == 28 # AAAA record
dns.qry.type == 252 # AXFR
# Query name
dns.qry.name matches "example.com"
# Response flag
dns.flags.response == 0 # Queries only (use == 1 for responses)
FTP
ftp
ftp-data
HTTP & HTTPS
# HTTP
http
tcp.port == 80
# HTTPS
tls # The older filter name ssl still works as an alias
tcp.port == 443
tcp.port == 80 || tcp.port == 443
# Methods
http.request.method == "GET"
http.request.method == "POST"
# Domains
http.host matches "example.com"
http.host == "example.com"
ICMP
icmp
IP Address
ip.addr == 10.0.0.1
ip.addr != 10.0.0.2
ip.addr == 10.0.0.1 && ip.addr == 10.0.0.2
ip.src == 10.0.0.1
ip.dst == 10.0.0.2
ip.src == 10.0.0.1 && ip.dst != 10.0.0.0/24
Kerberos (KRB4, KRB5)
kerberos
krb4
SMB
smb
smb2
SMTP
smtp
smtp.req.parameter contains "FROM"
SSH
ssh
tcp.port == 22
Detailed Information
- Right-click a packet row.
- Select Follow -> TCP Stream. A new window opens with the reassembled conversation.
- Step through the other streams with the arrows to the right of the "Stream N" selector.
More Information
- Analyze -> Expert Information: read the errors, warnings and notes Wireshark flagged while dissecting.
- Statistics -> Capture File Properties: read the capture file comments.
- Statistics -> Conversations: list IP conversations, i.e. which address pairs exchanged traffic.
- Statistics -> Protocol Hierarchy: show which protocols, ports and services are in use.
- View -> Name Resolution: resolve IP addresses to names.
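The frame.time window filter and Statistics -> Conversations both boil down to walking the capture records and grouping IPv4 endpoints. The following Python, added here as an illustration rather than code from this cheat sheet or from the Wireshark project, reads a classic libpcap file (not pcapng), applies a time window equivalent to `frame.time >= ... && frame.time <= ...`, and counts packets per address pair. The capture it reads is constructed inline by build_pcap(); timestamps are interpreted as UTC, whereas Wireshark reads frame.time literals in local time.

```python
"""Reproduce two of the cheat sheet's operations on a libpcap (.pcap) file
without Wireshark: a frame.time window filter and Statistics -> Conversations
for IPv4 endpoints. Added example; the capture is constructed inline with
build_pcap(), it is not a real trace."""
import struct
from collections import Counter
from datetime import datetime, timezone

PCAP_MAGIC = 0xA1B2C3D4  # little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1


def epoch(text):
    """Parse the frame.time literal form 'Jan 2, 2023 08:00:00' to epoch seconds.
    Wireshark interprets such literals in local time; UTC is assumed here."""
    dt = datetime.strptime(text, "%b %d, %Y %H:%M:%S")
    return dt.replace(tzinfo=timezone.utc).timestamp()


def build_pcap(frames):
    """Write a minimal pcap of Ethernet/IPv4/UDP frames from
    (epoch_seconds, src_ip, dst_ip) tuples. Used only to construct sample data."""
    data = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, src, dst in frames:
        udp = struct.pack("!HHHH", 40000, 53, 8, 0)  # src port, dst port, len, csum
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
        eth = b"\x00" * 12 + b"\x08\x00"  # zeroed MACs, EtherType IPv4
        pkt = eth + ip + udp
        data += struct.pack("<IIII", int(ts), 0, len(pkt), len(pkt)) + pkt
    return data


def read_pcap(data):
    """Yield (timestamp, src_ip, dst_ip) for each IPv4-over-Ethernet record,
    skipping anything else (ARP, IPv6, truncated frames)."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian libpcap file (pcapng is not handled here)")
    off = 24  # global header length
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        pkt = data[off:off + incl_len]
        off += incl_len
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
            continue
        src = ".".join(str(b) for b in pkt[26:30])  # 14-byte Ethernet + IPv4 offset 12
        dst = ".".join(str(b) for b in pkt[30:34])
        yield ts_sec + ts_usec / 1e6, src, dst


def conversations(data, start=None, end=None):
    """Count packets per unordered IPv4 pair, like Statistics -> Conversations.
    start/end (epoch seconds) apply the same restriction as
    frame.time >= start && frame.time <= end."""
    counts = Counter()
    for ts, src, dst in read_pcap(data):
        if start is not None and ts < start:
            continue
        if end is not None and ts > end:
            continue
        counts[tuple(sorted((src, dst)))] += 1
    return dict(counts)


# Constructed sample: five frames, two of them outside the Jan 2-5 window
SAMPLE_PCAP = build_pcap([
    (epoch("Jan 1, 2023 12:00:00"), "10.0.0.1", "10.0.0.2"),
    (epoch("Jan 3, 2023 09:30:00"), "10.0.0.1", "10.0.0.2"),
    (epoch("Jan 3, 2023 09:31:00"), "10.0.0.2", "10.0.0.1"),
    (epoch("Jan 4, 2023 10:00:00"), "10.0.0.3", "192.168.1.5"),
    (epoch("Jan 6, 2023 10:00:00"), "10.0.0.3", "192.168.1.5"),
])

if __name__ == "__main__":
    window = (epoch("Jan 2, 2023 08:00:00"), epoch("Jan 5, 2023 08:00:00"))
    for pair, n in conversations(SAMPLE_PCAP, *window).items():
        print(f"{pair[0]} <-> {pair[1]}: {n} packets")
```

Without a window, conversations() reports all five packets across the two address pairs; with the Jan 2 to Jan 5 window it drops the Jan 1 and Jan 6 frames, which is exactly what the datetime filter above does before the Conversations dialog counts them.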
Data Exfiltration via DNS
- Enter "dns" in the filter bar.
- If you find query names like the following, the long leading labels may be hex-encoded data being smuggled out in DNS queries:
93616e64792043...2038343931.vulnerable.com
- Decode the hex label (e.g. "936...") to recover the transferred content.
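Decoding one label by hand is fine for a CTF; on a real capture you want to pick the encoded labels out of thousands of legitimate queries and see where they are going. The script below is an added example, not part of this cheat sheet, and its input imitates what `tshark -r capture.pcapng -Y dns -T fields -e dns.qry.name` prints; the query names themselves are constructed for the example (the vulnerable.example domain and the hex payloads are made up).

```python
"""Flag DNS query names whose labels look like hex-encoded data, the pattern the
cheat sheet describes under 'Data Exfiltration via DNS', and decode them.
Added example; the input imitates the output of
    tshark -r capture.pcapng -Y dns -T fields -e dns.qry.name
and is constructed here, not taken from a real capture."""
import binascii
import re
from collections import defaultdict

# A label counts as suspicious only if it is long (16+ chars) and pure hex; short
# hex-looking labels such as 'cafe' or 'beef' would otherwise cause false positives.
HEX_LABEL = re.compile(r"^[0-9a-fA-F]{16,}$")

SAMPLE_QUERIES = """\
www.example.com
mail.example.com
7569643d3130303020686f73743d64623031.vulnerable.example
updates.example.com
7365637265743a2068756e746572322e.vulnerable.example
www.example.com
"""


def decode_hex_labels(qname):
    """Return the decoded bytes of every hex-looking label in qname, in order,
    or b'' when no label looks encoded (odd-length hex is left alone)."""
    chunks = []
    for label in qname.split("."):
        if HEX_LABEL.match(label) and len(label) % 2 == 0:
            chunks.append(binascii.unhexlify(label))
    return b"".join(chunks)


def registrable_domain(qname, levels=2):
    """Crude 'parent domain': the last two labels. Good enough for grouping here;
    a real tool would consult the public suffix list."""
    return ".".join(qname.rstrip(".").split(".")[-levels:])


def find_exfil(lines, min_hits=2):
    """Group encoded queries by parent domain and return those seen at least
    min_hits times, with the decoded payload fragments in capture order.
    One encoded label can be noise; a stream of them to one domain is the signal."""
    hits = defaultdict(list)
    for raw in lines.splitlines():
        qname = raw.strip()
        if not qname:
            continue
        payload = decode_hex_labels(qname)
        if payload:
            hits[registrable_domain(qname)].append(payload)
    return {dom: frags for dom, frags in hits.items() if len(frags) >= min_hits}


if __name__ == "__main__":
    for dom, frags in find_exfil(SAMPLE_QUERIES).items():
        print(dom, b"".join(frags))
```

Concatenating the fragments in capture order reassembles the transferred data; raising min_hits trades sensitivity for fewer false positives, and on a large capture the per-domain count of unique subdomains is the same signal that DNS-tunnel detectors key on.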
Data Exfiltration via HTTP
- Open File -> Export Objects -> HTTP...
- Click "Save all".
- Analyze steganographic files using tools like steghide.
WiFi Handshakes
If an imported pcap file turns out to contain WiFi (WPA) handshakes, we can crack the WiFi password using this file:
aircrack-ng example.pcap -w wordlist.txt
Decrypting SSL/TLS Traffic
To read the contents of TLS communications, we first need to import the server's certificate private key into Wireshark. Note that a static private key only decrypts sessions that used RSA key exchange; sessions negotiated with (EC)DHE forward secrecy need a pre-master secret log (SSLKEYLOGFILE) instead. To find the key files, the following commands may be useful on the server:
find / -name "*.key" 2>/dev/null
find /etc/apache2/ -name "*.key" 2>/dev/null
find /etc/nginx/ -name "*.key" 2>/dev/null
After getting the private key (e.g. ssl_private.key), we can import it into Wireshark as below:
- In Wireshark, go to Edit → Preferences → Protocols → TLS.
- Click Edit... next to RSA keys list and fill in each field (IP address, Port, Protocol). The Protocol field value must be tcp. Then specify the found private key in Key File. Click OK.
- Fill TLS debug file with an arbitrary file name. Click OK.
Now we can observe the TLS communication as HTTP.
Decrypt Kerberos Cipher Data
Looking at the packet details of a Kerberos packet, we may see the encrypted data and the CNameString as below:
Kerberos:
...
etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
cipher: abcdef01234...
...
cname
cname-string:
CNameString: example
realm: EXAMPLE.LOCAL
We may be able to decrypt the cipher value by cracking it. Copy the cipher value (e.g. abcdef01234…) and wrap it in the krb5pa format (e.g. $krb5pa...) as below. The format is:
$krb5pa$[etype_number]$[cname]$[realm]$[cipher]
Build the formatted string and crack the hash with hashcat:
# Kerberos 5, etype 17, Pre-Auth
echo -n '$krb5pa$17$example$EXAMPLE.LOCAL$abcdef01234..' > hash.txt
hashcat -m 19800 hash.txt wordlist.txt
# Kerberos 5, etype 18, Pre-Auth
echo -n '$krb5pa$18$example$EXAMPLE.LOCAL$abcdef01234...' > hash.txt
hashcat -m 19900 hash.txt wordlist.txt
Crack WiFi Password
In Wireshark, go to File → Save As... and save the traffic as a .pcap file. Then check the target network with aircrack-ng as below:
aircrack-ng example.pcap
If a network is found, crack the password:
aircrack-ng example.pcap -w wordlist.txt
After cracking, we can add the key to the Wireshark preferences so the 802.11 frames are decrypted:
- In Wireshark, go to Edit → Preferences → Protocols → IEEE 802.11, and click Edit... next to Decryption Keys.
- Select wpa-pwd for the Key type and fill in the password for the Key (the form password:SSID is also accepted when the capture contains several networks).