Wireshark

By | 18/04/2015

Promiscuous mode – the network card accepts every frame it receives, even those not addressed to the device. Not all wireless adapters allow promiscuous mode. Monitor mode is not promiscuous mode.

WinPcap – Open source library for packet capture
Wireshark – Application for sniffing and presenting packets

Passive sniffing – using a hub, a tap or a SPAN port
Active sniffing – using an attack to receive all the traffic: ARP spoofing, MAC flooding, MAC duplication. Noisy, so an IDS can detect it
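The active techniques named above leave traces an IDS can pick up: ARP spoofing and MAC duplication make one IP answer from two hardware addresses, and MAC flooding produces an abnormal number of distinct source MACs in a short time. The following is an added example (not code from the original post) of that detection logic run over constructed ARP and frame records; the input tuples, the one-second window and the 100-MAC threshold are assumptions, and a real deployment would feed the records from a pcap or tshark export.

```python
"""Detecting active-sniffing artefacts from ARP replies and frame source MACs.

Added example, not code from the original post. All records below are
constructed for illustration; thresholds are assumptions.
"""
from collections import defaultdict

# Constructed ARP replies seen on one segment: (timestamp, sender MAC, sender IP).
ARP_REPLIES = [
    (1.0, "aa:aa:aa:aa:aa:01", "172.24.1.1"),   # legitimate gateway
    (1.5, "aa:aa:aa:aa:aa:02", "172.24.1.10"),
    (2.0, "aa:aa:aa:aa:aa:01", "172.24.1.1"),
    (2.2, "bb:bb:bb:bb:bb:99", "172.24.1.1"),   # second MAC claims the gateway IP
    (2.4, "bb:bb:bb:bb:bb:99", "172.24.1.1"),
    (3.0, "aa:aa:aa:aa:aa:02", "172.24.1.10"),
]

# Constructed frame log: (timestamp, source MAC). Two normal hosts, then a
# burst of 300 never-seen source MACs inside 0.3 s, as a MAC flood would look.
FLOOD_FRAMES = [(0.2, "aa:aa:aa:aa:aa:01"), (0.4, "aa:aa:aa:aa:aa:02")] + [
    (5.0 + i / 1000, f"02:00:00:00:{i // 256:02x}:{i % 256:02x}") for i in range(300)
]


def find_ip_mac_conflicts(replies):
    """Return {ip: sorted MACs} for every IP claimed by more than one MAC.

    One IP (typically the gateway) answered by two hardware addresses is the
    classic signature of ARP spoofing / MAC duplication.
    """
    claims = defaultdict(set)
    for _ts, mac, ip in replies:
        claims[ip].add(mac.lower())
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


def find_mac_flood(frames, window=1.0, threshold=100):
    """Return [(window_start, distinct_macs)] for windows with too many source MACs.

    A switch CAM table holds a bounded number of entries; hundreds of new
    source MACs per second is far outside normal host behaviour.
    """
    buckets = defaultdict(set)
    for ts, mac in frames:
        buckets[int(ts // window)].add(mac.lower())
    return [
        (bucket * window, len(macs))
        for bucket, macs in sorted(buckets.items())
        if len(macs) > threshold
    ]


if __name__ == "__main__":
    for ip, macs in find_ip_mac_conflicts(ARP_REPLIES).items():
        print(f"ALERT possible ARP spoofing: {ip} claimed by {', '.join(macs)}")
    for start, count in find_mac_flood(FLOOD_FRAMES):
        print(f"ALERT possible MAC flooding: {count} source MACs in window starting {start}s")
```

Both checks are stateless over the record list, so they can be re-run on each new capture window; tuning the flood threshold to the segment's normal host count keeps the IDS from raising on a busy but healthy switch.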

Spanning – Forwarding the traffic of one switch port to another port (port mirroring)
Tapping – Placing a device in the middle of a channel so it copies the communication and forwards it to the sniffer

Filters:

  • Capture filter – Packets that don’t match are never captured, so they can’t be recovered later
  • Display filter – Only affects what is shown; everything is still captured


Example filters

Capture filters:

host 172.24.1.1
port 67
tcp port 25
ether host xx:xx:xx:xx:xx:xx
not ether host xx:xx:xx:xx:xx:xx
wlan host xx:xx:xx:xx:xx:xx

Display filters:

ip.addr == x.x.x.x/X
!ip.addr == x.x.x.x/X
tcp.analysis.flags
wlan.fc.type_subtype == 8
http.response.code > 399
ftp.response.arg == "Login incorrect"
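The `ip.addr` filters above match either endpoint of a packet, which matters when negating them: `!ip.addr == net` excludes every packet with an endpoint in `net`, while `ip.addr != net` (a common mistake) matches any packet with at least one endpoint outside `net`, which is almost everything. The following is an added example (not Wireshark code) that evaluates these three forms over constructed packet records with CIDR matching; the packet list and the `172.24.1.0/24` network are assumptions chosen to show the difference.

```python
"""Evaluating ip.addr display-filter forms against constructed packet records.

Added example, not code from the original post or from Wireshark. Each
packet is a (src, dst) pair of constructed addresses.
"""
import ipaddress

# Constructed packets: (source IP, destination IP).
PACKETS = [
    ("172.24.1.5", "8.8.8.8"),      # local host talking to the Internet
    ("10.0.0.7", "172.24.1.9"),     # other segment talking to a local host
    ("10.0.0.7", "10.0.0.8"),       # no local endpoint at all
]


def _net(net):
    # Accepts a bare host ("172.24.1.1") or CIDR ("172.24.1.0/24"), as Wireshark does.
    return ipaddress.ip_network(net, strict=False)


def ip_addr_eq(pkt, net):
    """`ip.addr == net`: true if the source OR the destination lies inside net."""
    network = _net(net)
    return any(ipaddress.ip_address(a) in network for a in pkt)


def not_ip_addr_eq(pkt, net):
    """`!ip.addr == net`, i.e. !(ip.addr == net): neither endpoint lies inside net."""
    return not ip_addr_eq(pkt, net)


def ip_addr_ne(pkt, net):
    """`ip.addr != net`: true if the source OR the destination lies outside net.

    This is the trap: a local host talking to the Internet still matches,
    because its remote endpoint is outside net.
    """
    network = _net(net)
    return any(ipaddress.ip_address(a) not in network for a in pkt)


def apply_filter(packets, predicate, net):
    """Display-filter semantics: nothing is dropped, only the view is narrowed."""
    return [p for p in packets if predicate(p, net)]


if __name__ == "__main__":
    for name, pred in [("ip.addr == ", ip_addr_eq),
                       ("!ip.addr == ", not_ip_addr_eq),
                       ("ip.addr != ", ip_addr_ne)]:
        print(f"{name}172.24.1.0/24 ->", apply_filter(PACKETS, pred, "172.24.1.0/24"))
```

Running it shows `ip.addr ==` selecting the two packets with a local endpoint, `!ip.addr ==` selecting only the packet with none, and `ip.addr !=` selecting all three; to exclude a host or network, use the negated form the post lists, not `!=`.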