Wireshark -- Shark in Wires | Network Protocol Analyzer in Kali Linux

Wireshark is the most widely used network protocol analyzer, formerly known as Ethereal. It is free and open-source. Wireshark is mostly used for network analysis and troubleshooting. It captures network traffic in real time and shows it in a human-readable format.


We can use Wireshark to analyze network traffic in order to find out which information is really flowing through a network. In this detailed tutorial we learn how to use Wireshark on our Kali Linux system, so hang tight and read it very carefully.

Wireshark comes preinstalled in Kali Linux. It can be opened with the wireshark command or from the Sniffing and Spoofing tab in the application menu.

Wireshark in the Kali Linux application menu

After opening Wireshark we see the following screenshot:

Wireshark in Kali Linux

Here we can select the interface on which we want to capture traffic. We double-click on the interface name to start capturing. We can use display filters to narrow down the packets shown while capturing, for example tcp.port eq 80 or tcp.port == 80, as shown below:

wireshark port 80
By applying the filter we see only the traffic on port 80. If we want to view requests only from a selected IP, we select that request, right-click on it and navigate to "Apply as Filter".

applying filters in wireshark

Then we see that the filter has been applied.

filtered port 80

Sometimes we may want to look at the conversation happening between two hosts at the TCP level. Following the TCP stream is a feature that allows us to view all the traffic from X to Y and from Y to X. Let's try it. From the menu, we choose "Statistics" and then click on "Conversations".

conversations in wireshark

In the window that comes up, we switch to the TCP tab. Here we see a list of IPs and the packets transferred between them. To view the TCP stream, we select one of the entries and click on "Follow Stream".

following stream in wireshark kali linux

Here we can see the data that was transferred via TCP.

wireshark in kali

Capture filters capture only the traffic that matches the filter applied; for example, if we only want to capture data from a particular host, we use host x.x.x.x.

To apply a capture filter, we click on "Capture Options", and in the new window that opens we will see a field named "Capture Options". Here we enter our filter.

Let's suppose we are investigating an exploitation of Heartbleed in the network. We can use the following capture filter to determine whether Heartbleed was exploited:
tcp src port 443 and (tcp[((tcp[12] & 0xF0) >> 4) * 4] = 0x18) and (tcp[((tcp[12] & 0xF0) >> 4) * 4 + 1] = 0x03) and (tcp[((tcp[12] & 0xF0) >> 4) * 4 + 2] < 0x04) and ((ip[2:2] - 4 * (ip[0] & 0x0F) - 4 * ((tcp[12] & 0xF0) >> 4)) > 69)
The expression (tcp[12] & 0xF0) >> 4 is the TCP data offset, so multiplying it by 4 gives the position of the first byte of the TLS record; the filter therefore matches records sent from port 443 whose content type is 0x18 (heartbeat) and whose version is 3.0 to 3.3, and whose TCP payload (ip[2:2] minus the IP and TCP header lengths) is longer than 69 bytes, i.e. heartbeat responses larger than a legitimate one.
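To make the byte arithmetic in this filter concrete, the following is an added Python example, not code from the original post or from Wireshark, that evaluates the same tests over raw IPv4 packets; the packet builder, the TEST-NET addresses and the three sample TLS records are constructed for illustration, and checksums are left at zero since the filter never checks them.

```python
import struct

def matches_heartbleed_filter(pkt: bytes) -> bool:
    """Apply the same byte tests as the capture filter to one raw IPv4 packet.

    pkt has no Ethernet header, so ip[n] is pkt[n] and tcp[n] is indexed
    from the end of the IP header, exactly as the BPF offsets are.
    """
    if len(pkt) < 20 or (pkt[0] >> 4) != 4:
        return False
    ihl = (pkt[0] & 0x0F) * 4                      # IP header length in bytes
    total_len = struct.unpack("!H", pkt[2:4])[0]   # ip[2:2]
    if pkt[9] != 6 or len(pkt) < ihl + 20:         # protocol 6 = TCP
        return False
    tcp = pkt[ihl:]
    src_port = struct.unpack("!H", tcp[0:2])[0]
    doff = ((tcp[12] & 0xF0) >> 4) * 4             # TCP data offset in bytes
    if src_port != 443 or len(tcp) < doff + 3:
        return False
    rec = tcp[doff:]                               # start of the TLS record
    tcp_payload_len = total_len - ihl - doff       # ip[2:2] - IP hdr - TCP hdr
    return (rec[0] == 0x18        # TLS content type 24 = heartbeat
            and rec[1] == 0x03    # TLS major version 3
            and rec[2] < 0x04     # minor version 0..3 (SSL 3.0 .. TLS 1.2)
            and tcp_payload_len > 69)

def build_packet(src_port: int, tls_record: bytes) -> bytes:
    """Constructed IPv4 + TCP packet carrying tls_record (checksums left zero)."""
    tcp_hdr = struct.pack("!HHIIBBHHH", src_port, 51234, 1, 1,
                          5 << 4, 0x18, 65535, 0, 0)   # 20-byte header, PSH|ACK
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 20 + len(tls_record),
                         0, 0x4000, 64, 6, 0,
                         bytes([203, 0, 113, 10]), bytes([192, 0, 2, 5]))
    return ip_hdr + tcp_hdr + tls_record

# Constructed samples (TEST-NET addresses, hypothetical payloads).
# Oversized heartbeat response: type 0x18, TLS 1.1, 100 bytes of leaked payload.
HEARTBEAT_LEAK = build_packet(443, b"\x18\x03\x02" + struct.pack("!H", 103)
                              + b"\x02" + struct.pack("!H", 100) + b"\x00" * 100)
# Legitimate heartbeat response: empty payload plus the 16 bytes of padding.
HEARTBEAT_NORMAL = build_packet(443, b"\x18\x03\x02" + struct.pack("!H", 19)
                                + b"\x02" + struct.pack("!H", 0) + b"\x00" * 16)
# Ordinary application data record (type 0x17) of 120 bytes from the server.
APP_DATA = build_packet(443, b"\x17\x03\x03" + struct.pack("!H", 120) + b"\x00" * 120)

if __name__ == "__main__":
    for name, pkt in [("leak", HEARTBEAT_LEAK), ("normal", HEARTBEAT_NORMAL), ("appdata", APP_DATA)]:
        print(name, matches_heartbleed_filter(pkt))
```

Only the oversized heartbeat response matches, which is the same result the capture filter gives when these packets are seen on the wire.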
There are many more filters in Wireshark. The following links are very useful; they contain lists of the filters available in Wireshark, which we need when performing in-depth packet analysis.
https://wiki.wireshark.org/FrontPage
https://wiki.wireshark.org/CaptureFilters

In this tutorial we learned about Wireshark and its uses on Kali Linux. It is an all-in-one tool for network analysis. Read more tutorials on our blog and follow us on Twitter and Medium for quick updates. If you have anything to say, the comment box is below; we always reply.
