<?xml version="1.0"?>
<Module projectID="1190" moduleID="1207">
	<ModuleName>mod3</ModuleName>
	<AU>mod3</AU>
	<Title>Wireshark and the Analysis Process</Title>
	<Subtitle>Wireshark and the Analysis Process</Subtitle>
	<LinkSet>links</LinkSet>
	<CourseMapSWFPath>../mod3/assets/coursemap.swf</CourseMapSWFPath>
	<NavBtns>
        <NavBtn>
			<ID>courseMenuBtn</ID>
			<Label>Course menu</Label>
			<RMAText>Course menu. Select this button to access the course menu.</RMAText>
			<ClickEventName>MainMenuButtonClicked</ClickEventName>
		</NavBtn> 	
		<NavBtn>
			<ID>moduleMapBtn</ID>
			<Label>Lesson Map</Label>
			<RMAText>Lesson Map.  Select this button to access the lesson map.</RMAText>
			<ClickEventName>CourseMapButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>glossaryBtn</ID>
			<Name>Glossary</Name>
			<RMAText>Glossary. Select this button to open the glossary.</RMAText> 
			<ClickEventName>GlossaryButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>resourcesBtn</ID>
			<Label>Resources</Label>
			<RMAText>Resources. Select this button to open the resources.</RMAText>
			<ClickEventName>ResourcesButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>exitBtn</ID>
			<Label>Exit</Label>
			<RMAText>Exit.  Select this button to exit the course.</RMAText>
			<ClickEventName>ExitButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>replayBtn</ID>
			<Label>Replay</Label>
			<RMAText>Replay. Select this button to replay the current screen.</RMAText>
			<ClickEventName>ReplayButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>pauseBtn</ID>
			<Label>Pause</Label>
			<RMAText>Pause.  Select this button to pause the course.</RMAText>
			<ClickEventName>PauseButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>resumeBtn</ID>
			<Label>Resume</Label>
			<RMAText>Resume. Select this button to resume the course.</RMAText>
			<ClickEventName>ResumeButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn prevBtn="true">
			<ID>previousPgBtn</ID>
			<Name>Previous Page</Name>
			<RMAText>Previous. Select this button to go to the previous screen.</RMAText>
			<ClickEventName>PreviousButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn nextBtn="true">
			<ID>nextPgBtn</ID>
			<Name>Next Page</Name>
			<RMAText>Next. Select this button to go to the next screen.</RMAText>
			<ClickEventName>NextButtonClicked</ClickEventName>
		</NavBtn>
	</NavBtns>
	<Topics>
		<Topic>
			<Title>Introduction</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Objectives and Topics</Title>
					<Subtitle/>
					<Filename>idsal3_01</Filename>
					<PageNbr>1</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Welcome to the lesson on Wireshark and the Analysis Process. When you have completed this lesson, you will be able to select the appropriate network interface that Wireshark will use to capture traffic and identify the basic types of data displayed in each pane of the default Wireshark window. You will also be able to identify some basic filter constructs for specifying the data you want Wireshark to look for, and some methods to capture unusual or malicious traffic. Finally, you will be able to identify some of Wireshark's data analysis tools and some key characteristics of malicious traffic. There are five topics in this lesson. After you have completed the Introduction, you will become acquainted with the features and layout of Wireshark and some of the available sniffing options. Next, you will learn about filters that can help you focus the packet capture process and target specific aspects of the network traffic, such as distinct protocols or IP addresses. Finally, you will learn about tools within Wireshark that you can use to analyze the data to look for malicious traffic. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
					
				<Sec508Data><ContentDescription frameNbr="1">For each screen you will hear a description. The description is cued by an audio tone. Listen to the description, and then select the play audio narration button to continue. Screen 1 of 17. Lesson title: Wireshark and the Analysis Process. Topic title: Introduction. Screen title: Objectives and Topics. Seven lesson learning objectives display in support of audio. Five topics display. The first topic is titled Introduction. The second topic is titled What is Wireshark? The third topic is titled Display filters. The fourth topic is titled The Analysis Process. The fifth and final topic is the Conclusion. A text box displays and states:  References to open source or freeware in this training product are for training purposes only, and should not be considered endorsements of these products. Please check with your command, service or agency for guidance on the use of these products.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>What is Wireshark?</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Overview</Title>
					<Subtitle/>
					<Filename>idsal3_02</Filename>
					<PageNbr>2</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Wireshark is an open source network protocol analyzer that can be used across multiple platforms. It can be used for network traffic analysis, network troubleshooting, and security analysis. The results of a packet capture display in a graphical user interface. Wireshark has a multitude of capabilities, from analyzing and dissecting hundreds of protocols to identifying header fields and analyzing data payloads. Wireshark can capture all traffic arriving at the network interface from the network and can save the data to a capture file. While this requires root or administrator privileges, non-privileged users can sniff traffic directed to the local machine and also read and analyze packets saved to capture files. There is also a command-line version of Wireshark called TShark, which dissects packets like Wireshark but operates at the command line much like tcpdump. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
					
				<Sec508Data><ContentDescription frameNbr="1">Screen 2 of 17. Topic title: What is Wireshark? Screen title: Overview. Image of the Wireshark logo and the main Wireshark screen display. Bulleted text displays in support of audio. The word T Shark becomes a rollover which states: T Shark is the command line version of Wireshark. It uses the packet capture filtering mechanism of tcpdump and the display filtering of Wireshark.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Capture Interfaces and Sniffing Options</Title>
					<Subtitle/>
					<Filename>idsal3_03</Filename>
					<PageNbr>3</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Now that you have an understanding of what Wireshark can do, let's look at how to get packets into Wireshark. There are two ways to do this. One way is to open a capture file. Go to the File menu and open a capture file that was previously collected by Wireshark or another tool, such as tcpdump or WinDump. This will allow Wireshark to open, read, and perform protocol analysis on the packets in the capture file. The other way is to capture the packets live off the network by using Wireshark as a sniffer. To do this, go to the Capture menu. Select the &quot;Interfaces&quot; option to open the Interfaces window where you can see a list of available interfaces that Wireshark can sniff. There are different ways to identify which interface to sniff. Either you know the description of the interface, you know the correct IP address, or you can look at the number of packets and packets per second to see where the traffic is actually flowing. To use the default capture options, simply select &quot;Start&quot; for the interface you want and Wireshark will start sniffing on the selected interface. If you want to change the default options, select the Options button to launch the Capture Options window. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
					
				<Sec508Data><ContentDescription frameNbr="1">Screen 3 of 17. Screen title: Capture Interfaces and Sniffing Options. Image showing the main tool bar in the Wireshark interface displays. Moving from left to right in the tool bar, the tool options are File, Edit, View, Go, Capture, Analyze, Statistics, and Help. The file menu expands and Open is highlighted in the menu. The Capture menu expands. The options in the menu are Interfaces, Options, Start, Stop, Restart and Capture Filters. Interfaces is selected. Image of the Capture Interfaces window displays. It contains a description of any available interfaces, the I P address, number of packets and number of packets per second for each interface listed. The window contains three buttons for each interface displayed. The buttons are Start, Options and Details. Two callouts display. One callout points to the Start buttons in the Capture Interfaces window and states: To use the default capture options, select the Start button for the interface you want to sniff on. The other callout points to the Options button in the window and states: To change the default options, select the Options button to launch the Capture Options window.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Packet Capture Filters</Title>
					<Subtitle/>
					<Filename>idsal3_04</Filename>
					<PageNbr>4</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Here is the Capture Options entry window. It contains a number of options for configuring a capture session. For example, you can specify if you want to capture in promiscuous mode. This will capture all traffic arriving at the network interface. To capture in promiscuous mode, you must have administrator or root level privileges on your machine. You can also specify if you want Wireshark to show you the packets as they're collected in real-time. There is a field to specify the types of packets you want Wireshark to capture. To do this, you need to enter a BPF expression to control which packets are actually captured and passed up to Wireshark. Once you have specified all of the packet capture options you want, select &quot;Start&quot; within the Options menu and Wireshark will begin capturing packets. Next, we'll look at how Wireshark displays captured packets. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 4 of 17. Screen title: Packet Capture Filters. Image of the Wireshark Capture Options window displays. An arrow displays and points to the box where you can tell Wireshark to capture packets in promiscuous mode. The arrow moves to the box where you can tell Wireshark to update the list of packets in real time. The arrow moves to the Capture Filter open text field. T C P is typed into this field and the arrow moves to the Start button. A callout from Capture packets in promiscuous mode states: To capture packets promiscuously requires administrator or root level privileges. Callout from a dropdown arrow next to the Capture Filter field states: Select the arrow to use a saved filter or to modify a saved filter. A callout from Capture Filter field states: Enter a Berkeley Packet Filter or B P F expression to specify types of packets you want Wireshark to capture. The text Berkeley Packet Filter becomes a rollover which states: B P F expressions are built from primitives, shortcuts for specifying the desired contents of header fields. The table below shows some common primitives. Seven examples of primitive syntax display in the table with an explanation of each primitive. The first example is host one ninety two dot one sixty eight dot one dot two. The explanation states: Looks for packets with source or destination I P address one ninety two dot one sixty eight dot one dot two. The second example is s r c host one ninety two dot one sixty eight dot one dot three. The explanation states: Captures all packets coming from address one ninety two dot one sixty eight dot one dot three. The third example is d s t host one ninety two dot one sixty eight dot one dot four. The explanation states: Captures all packets going to address one ninety two dot one sixty eight dot one dot four. The fourth example is t c p. The explanation states: Captures only T C P packets. The fifth example is u d p. The explanation states: Captures only U D P packets. The sixth example is i c m p. The explanation states: Captures only I C M P packets. The seventh and final example is port fifty three. The explanation states: Looks for T C P or U D P packets with source or destination port of fifty three. Text displays in support of audio. When the narrator talks about using the and and not logical operators in combination, an example displays and reads: host one ninety two dot one sixty eight dot one dot five and not i c m p.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Three Display Panes</Title>
					<Subtitle/>
					<Filename>idsal3_05</Filename>
					<PageNbr>5</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Wireshark has three display panes: packet list, packet details, and packet bytes. Select each pane for an explanation of how to read the contents of that pane. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
					
					<Popups>
						<Popup>
							<Title>Three Display Panes</Title>
							<Subtitle/>
							<Filename>idsal3_05_01</Filename>
							<PageNbr>5</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> The packet list pane displays all packets captured and analyzed by Wireshark. Each line represents an individual packet and starts with a number. This number indicates the chronological order in which each packet was captured. This is useful when you and another person are analyzing the same packet capture file. You can quickly identify the packet of interest by stating the number rather than trying to explain, for example, which IP address the packet came from. The next column is a time stamp. By default it's a relative time stamp starting at zero for the first packet captured. The source and destination columns display the source and destination IP and MAC addresses, depending on the type of packet or frame that was captured. Under protocol, you see the highest level protocol that can be interpreted by Wireshark in that particular frame. For example, in packet 970, we see TCP, which is a layer four protocol in the OSI model. In packet 971, we see ARP, which is a layer two protocol. And, in packet 974, we see FTP, a layer seven protocol. You can access additional information about a packet of interest, by selecting that packet in the main Wireshark screen. The information will then display in the details and bytes panes. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Packet List Pane</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 1 of 3. Popup title: Packet List Pane. Image of the packet list pane. Lines of data contain numerals, symbols and letters. There are six columns of data in the pane. These six, from left to right are Number, Time, Source, Destination, Protocol, and Info. Each column is highlighted in support of audio. Image of Oh S Eye model displays. Starting at the bottom the layers are labeled: 1 Physical, 2 Data Link, 3 Network, 4 Transport, 5 Session, 6 Presentation and 7 Application. Text displays in support of audio.</ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>Three Display Panes</Title>
							<Subtitle/>
							<Filename>idsal3_05_02</Filename>
							<PageNbr>5</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> The packet details pane displays the analysis results for the protocols and protocol fields for the packet you selected in the packet list pane. The results show you how Wireshark dissected the data in a tree format, which can be expanded and collapsed. At the top of the pane is the frame section, which provides information about the packet as it was captured off the network. Next are the headers for layers two through four, starting with the Ethernet header at layer two, the IP header for layer three, and the UDP header at layer four. Finally, there is the NetBIOS Name Service at layer seven. Wireshark steps its way from the overall frame to the most specific embedded protocol within the frame. In this example, we have a UDP packet going from source port 137 to destination port 137, which is the NetBIOS Name Service. When you expand the NetBIOS Name Service tree, you can see that there was a query for &quot;w w w dot Google dot com.&quot; Normally, you wouldn't look in the NetBIOS Name Service or the Windows naming service for a DNS name. This is probably a mis-configured Windows machine that doesn't have a responding DNS server. So the machine has defaulted to NetBIOS Name Service to find the address of the machine called &quot;w w w dot Google dot com.&quot; By selecting any of the fields in the packet details pane, the corresponding hexadecimal and ASCII data will display in the packet bytes pane.  </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
							
							
						<Sec508TriggerName>Packet Details Pane</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 2 of 3. Popup title: Packet Details Pane. Image of the packet details pane displays. Lines of data contain numerals, symbols and letters. Components of the pane are highlighted in support of audio.</ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>Three Display Panes</Title>
							<Subtitle/>
							<Filename>idsal3_05_03</Filename>
							<PageNbr>5</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> The bytes pane displays the hexadecimal format and the ASCII interpretation of these bytes for the packet selected in the packet list pane. Notice the series of capital letters in the ASCII section of the pane. This is the actual web address for &quot;w w w dot Google dot com&quot; from the details pane, encoded for the NetBIOS Name Service. This is commonly seen for NetBIOS Name Service packets. It's not readable directly, but is decodable by Wireshark. It's also common to see this if there are Windows machines operating on the network. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Packet Bytes Pane</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 3 of 3. Popup title: Packet Bytes Pane. Image of the packet bytes pane displays. Lines of data contain numerals, symbols and letters. There are two sections in the pane. The hexadecimal section is on the left side and the ass kee section is on the right side. Components of the pane are highlighted in support of audio.</ContentDescription></Sec508Data></Popup>
					</Popups>
				<Sec508Data><ContentDescription frameNbr="1">Screen 5 of 17. Screen title: Three Display Panes. Reprise of the main Wireshark screen. The window has three sections. The top section is called the packet list pane. The middle section is called the packet details pane. The bottom section is called the packet bytes pane. Each pane becomes selectable as a popup.</ContentDescription></Sec508Data></Page>
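<![CDATA[
The run of capital letters that the packet bytes pane shows for the NetBIOS Name Service query is the first-level encoding of the 16-byte NetBIOS name (15 name bytes padded with spaces, plus a 1-byte service suffix), each byte split into two nibbles and each nibble written as the letter A plus the nibble value. The following is an added example, not the lesson's material or Wireshark's dissector, that encodes and decodes that form; the sample NBNS question-name bytes and the suffix table are constructed here.

```python
"""Encode and decode the NetBIOS Name Service first-level name encoding.

Constructed example.  A NetBIOS name on the wire is 16 bytes: up to 15 name
bytes padded with spaces, then a 1-byte suffix that identifies the service.
Each byte is split into its high and low nibble and each nibble becomes the
letter chr(0x41 + nibble), so 16 bytes appear as 32 letters in the range A-P.
That is the "series of capital letters" visible in the packet bytes pane.
"""

# Constructed NBNS question name as it sits on the wire:
# one label of length 0x20 (32 letters) followed by the 0x00 name terminator.
SAMPLE_QUESTION_NAME = bytes([0x20]) + b"HHHHHHCOGHGPGPGHGMGFCOGDGPGNCAAA" + b"\x00"

# A few of the suffix bytes commonly seen in NBNS traffic (subset, for display only).
SUFFIXES = {
    0x00: "workstation",
    0x03: "messenger",
    0x20: "file server",
    0x1B: "domain master browser",
    0x1C: "domain controllers",
}


def nbns_encode(name: str, suffix: int = 0x00) -> str:
    """Turn an ASCII NetBIOS name (at most 15 bytes) plus suffix into 32 letters."""
    raw = name.encode("ascii")
    if len(raw) > 15 or not 0 <= suffix <= 0xFF:
        raise ValueError("NetBIOS names are at most 15 bytes plus a 1-byte suffix")
    raw = raw.ljust(15, b" ") + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)


def nbns_decode(encoded: str) -> tuple[str, int]:
    """Reverse the encoding: 32 letters A-P -> (name without padding, suffix byte)."""
    if len(encoded) != 32 or any(c not in "ABCDEFGHIJKLMNOP" for c in encoded):
        raise ValueError("expected exactly 32 letters in the range A-P")
    raw = bytes(
        ((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
        for i in range(0, 32, 2)
    )
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]


def parse_question_name(label: bytes) -> tuple[str, int]:
    """Parse the NBNS question name: a single 32-byte label, then the 0x00 terminator."""
    if len(label) < 34 or label[0] != 0x20 or label[33] != 0x00:
        raise ValueError("not a single 32-byte NBNS name label")
    return nbns_decode(label[1:33].decode("ascii"))


if __name__ == "__main__":
    name, suffix = parse_question_name(SAMPLE_QUESTION_NAME)
    print(f"decoded name: {name!r}, suffix 0x{suffix:02X} ({SUFFIXES.get(suffix, 'other')})")
    print("re-encoded  :", nbns_encode(name, suffix))
```

A misconfigured Windows host that cannot reach a DNS server will fall back to asking NBNS for a DNS-style name, which is why the decoded name here looks like a web address rather than a workstation name.
]]>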
				<Page>
					<Title>Knowledge Check</Title>
					<Subtitle/>
					<Filename>idsal3_06</Filename>
					<PageNbr>6</PageNbr>
					<PageType>Knowledge Check</PageType>
					<AttemptCountLimit>1</AttemptCountLimit>
					<DfltQuestionWidth>500</DfltQuestionWidth>
					<DfltFBWidth>550</DfltFBWidth>
					<Questions>						
						<Question qType="MC">
							<Txt>Enter Berkeley Packet Filters to specify types of packets to capture</Txt>
							
							<Response>
								<Txt>Packet Bytes Pane, for statement: Enter Berkeley Packet Filters to specify types of packets to capture</Txt>
							</Response>
							<Response>
								<Txt>Packet Details Pane, for statement: Enter Berkeley Packet Filters to specify types of packets to capture</Txt>
							</Response>
							<Response>
								<Txt>Packet List Pane, for statement: Enter Berkeley Packet Filters to specify types of packets to capture</Txt>
							</Response>
							<Response valid="true">
								<Txt>Capture Options Window, for statement: Enter Berkeley Packet Filters to specify types of packets to capture</Txt>
							</Response>
							<Response>
								<Txt>Options Drop-Down Window, for statement: Enter Berkeley Packet Filters to specify types of packets to capture</Txt>
							</Response>
																					
							<Feedback>
								<DfltCorrect>Correct. The Capture Options window contains a field where you can enter Berkeley Packet Filter (BPF) expressions. BPFs tell Wireshark the types of packets you want to capture.</DfltCorrect>
								<DfltIncorrect>Incorrect. The Capture Options window contains a field where you can enter Berkeley Packet Filter (BPF) expressions. BPFs tell Wireshark the types of packets you want to capture.</DfltIncorrect>
							</Feedback>
						</Question>
									
						<Question qType="MC">
							<Txt>Select interface to sniff</Txt>
							
							<Response>
								<Txt>Packet Bytes Pane, for statement: Select interface to sniff</Txt>
							</Response>
							<Response>
								<Txt>Packet Details Pane, for statement: Select interface to sniff</Txt>
							</Response>
							<Response>
								<Txt>Packet List Pane, for statement: Select interface to sniff</Txt>
							</Response>
							<Response>
								<Txt>Capture Options Window, for statement: Select interface to sniff</Txt>
							</Response>
							<Response valid="true">
								<Txt>Options Drop-Down Window, for statement: Select interface to sniff</Txt>
							</Response>
																					
							<Feedback>
								<DfltCorrect>Correct. In the Options drop-down menu (located in the main Wireshark screen toolbar), you can select the &quot;Interfaces&quot; option to open the Interfaces window. In this window, you can see a list of available interfaces that Wireshark can sniff on.</DfltCorrect>
								<DfltIncorrect>Incorrect. In the Options drop-down menu (located in the main Wireshark screen toolbar), you can select the &quot;Interfaces&quot; option to open the Interfaces window. In this window, you can see a list of available interfaces that Wireshark can sniff on.</DfltIncorrect>
							</Feedback>
						</Question>
						
						<Question qType="MC">
							<Txt>Set Wireshark to capture packets promiscuously</Txt>
							
							<Response>
								<Txt>Packet Bytes Pane, for statement: Set Wireshark to capture packets promiscuously</Txt>
							</Response>
							<Response>
								<Txt>Packet Details Pane, for statement: Set Wireshark to capture packets promiscuously</Txt>
							</Response>
							<Response>
								<Txt>Packet List Pane, for statement: Set Wireshark to capture packets promiscuously</Txt>
							</Response>
							<Response valid="true">
								<Txt>Capture Options Window, for statement: Set Wireshark to capture packets promiscuously</Txt>
							</Response>
							<Response>
								<Txt>Options Drop-Down Window, for statement: Set Wireshark to capture packets promiscuously</Txt>
							</Response>
																					
							<Feedback>
								<DfltCorrect>Correct. The Capture Options window contains a number of options for configuring a capture session. You can specify that you want Wireshark to capture packets promiscuously.</DfltCorrect>
								<DfltIncorrect>Incorrect. The Capture Options window contains a number of options for configuring a capture session. You can specify that you want Wireshark to capture packets promiscuously.</DfltIncorrect>
							</Feedback>
						</Question>
						
						<Question qType="MC">
							<Txt>View analysis results of protocols</Txt>
							
							<Response>
								<Txt>Packet Bytes Pane, for statement: View analysis results of protocols</Txt>
							</Response>
							<Response valid="true">
								<Txt>Packet Details Pane, for statement: View analysis results of protocols</Txt>
							</Response>
							<Response>
								<Txt>Packet List Pane, for statement: View analysis results of protocols</Txt>
							</Response>
							<Response>
								<Txt>Capture Options Window, for statement: View analysis results of protocols</Txt>
							</Response>
							<Response>
								<Txt>Options Drop-Down Window, for statement: View analysis results of protocols</Txt>
							</Response>
																					
							<Feedback>
								<DfltCorrect>Correct. The packet details pane displays the results of the analysis of the protocols for the packet you selected in the packet list pane.</DfltCorrect>
								<DfltIncorrect>Incorrect. The packet details pane displays the results of the analysis of the protocols for the packet you selected in the packet list pane.</DfltIncorrect>
							</Feedback>
						</Question>
						
						<Question qType="MC">
							<Txt>View hexadecimal and ASCII representation of data</Txt>
							
							<Response valid="true">
								<Txt>Packet Bytes Pane, for statement: View hexadecimal and ASCII representation of data</Txt>
							</Response>
							<Response>
								<Txt>Packet Details Pane, for statement: View hexadecimal and ASCII representation of data</Txt>
							</Response>
							<Response>
								<Txt>Packet List Pane, for statement: View hexadecimal and ASCII representation of data</Txt>
							</Response>
							<Response>
								<Txt>Capture Options Window, for statement: View hexadecimal and ASCII representation of data</Txt>
							</Response>
							<Response>
								<Txt>Options Drop-Down Window, for statement: View hexadecimal and ASCII representation of data</Txt>
							</Response>
																					
							<Feedback>
								<DfltCorrect>Correct. The packet bytes pane displays the data in hexadecimal format and the ASCII interpretation of these bytes for the packet selected in the packet list pane.</DfltCorrect>
								<DfltIncorrect>Incorrect. The packet bytes pane displays the data in hexadecimal format and the ASCII interpretation of these bytes for the packet selected in the packet list pane.</DfltIncorrect>
							</Feedback>
						</Question>
						
						<Question qType="MC">
							<Txt>View all packets captured</Txt>
							
							<Response>
								<Txt>Packet Bytes Pane, for statement: View all packets captured</Txt>
							</Response>
							<Response>
								<Txt>Packet Details Pane, for statement: View all packets captured</Txt>
							</Response>
							<Response valid="true">
								<Txt>Packet List Pane, for statement: View all packets captured</Txt>
							</Response>
							<Response>
								<Txt>Capture Options Window, for statement: View all packets captured</Txt>
							</Response>
							<Response>
								<Txt>Options Drop-Down Window, for statement: View all packets captured</Txt>
							</Response>
																					
							<Feedback>
								<DfltCorrect>Correct. The packet list pane displays all of the packets in the current capture file.</DfltCorrect>
								<DfltIncorrect>Incorrect. The packet list pane displays all of the packets in the current capture file.</DfltIncorrect>
							</Feedback>
						</Question>
						
					</Questions>
					<ShowText>
						<Txt frameNbr="1">Now check your knowledge of the location of sniffing options within the Wireshark GUI. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
					
				<Sec508Data><ContentDescription frameNbr="1">Screen 6 of 17. Screen title: Knowledge Check. This matching knowledge check presents six statements and five options. For each statement select the component of the Wireshark interface described. Moving from left to right the options are Packet Bytes Pane, Packet Details Pane, Packet List Pane, Capture Options Window and Options Drop Down Menu. Use your keyboard to cycle through the options.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Display Filters</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Basic Display Filters</Title>
					<Subtitle/>
					<Filename>idsal3_07</Filename>
					<PageNbr>7</PageNbr>
					<ShowText>
						<Txt frameNbr="1">After you start capturing packets or have opened a saved capture file, you may want to focus on certain types or streams of packets or remove other types of packets that are displayed in the packet list pane. To do this, enter a filter expression in the display filter field at the top of the main screen. Some simple display filters are tcp, udp, and icmp. Use these filters to specify the layer four protocol you're interested in seeing. Each of these filters will display only the packets that contain the identified protocol. This narrows the focus to one particular protocol of the captured traffic. You can also specify fields within particular protocol headers. For example, you can filter on the IP addresses in the layer three header by indicating the source or destination IP addresses. Let's say you want to look only at the traffic coming from source address &quot;192.168.1.1.&quot; To filter for that address, type &quot;ip.src ==&quot; before the source address. To display packets going to a specific IP address, you can use the &quot;eq&quot; operator. The string &quot;eq&quot; is the equivalent English comparison operator to the double equal sign. The filter looks for the traffic going only to destination address &quot;10.17.8.9.&quot; You can also specify that you want to see packets with a certain source or destination address by using &quot;ip dot addr.&quot; Next, we will look at using display filters to filter for ports and services. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
					
				<Sec508Data><ContentDescription frameNbr="1">Screen 7 of 17. Screen title: Basic Display Filters. Reprise of the main Wireshark screen. Text displays in support of audio. Display Filter field is highlighted. An example of a filter using the E Q operator displays and reads: I p dot s r c = = one ninety two dot one sixty eight dot one dot one. I p dot d s t e q ten dot seventeen dot eight dot nine. An example of a filter using the a d d r operator displays and reads: I p dot ay d d r equals symbol equals symbol ten dot ten dot ten dot ten.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Refining Display Filters</Title>
					<Subtitle/>
					<Filename>idsal3_08</Filename>
					<PageNbr>8</PageNbr>
					<ShowText>
						<Txt frameNbr="1">To further refine the types of data you want to search for in a packet capture log, you can filter for specific TCP or UDP ports. Let's say you want to see if there is any SSH traffic going to or coming from a specific port. The expression for this filter is &quot;tcp.port ==&quot; followed by the port number. In this case, the port is 22. What if you want to search for DNS queries going to a DNS server or destination port 53? You would write your filter as &quot;udp.dstport == 53.&quot; To look for data coming from an FTP data port, or port 20, you would enter &quot;tcp.srcport == 20.&quot; If you're looking for traffic going from an ephemeral port on one machine to another machine, one way to do this is to look at all packets that have a source port greater than or equal to port 1024. This would typically show packets going from a client machine to a server. The filter expression for this is &quot;tcp.srcport &gt;= 1024.&quot; </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
					
				<Sec508Data><ContentDescription frameNbr="1">Screen 8 of 17. Screen title: Refining Display Filters. Reprise of the main Wireshark screen. Bulleted text displays in support of audio.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>The &quot;not equal&quot; Operator</Title>
					<Subtitle/>
					<Filename>idsal3_09</Filename>
					<PageNbr>9</PageNbr>
					<ShowText>
						<Txt frameNbr="1">The ephemeral traffic filter uses the operator &quot;greater than or equal to,&quot; which is a type of comparison operator. Other comparison operators include &quot;less than&quot; and &quot;not equal to,&quot; to name two. On busy networks, filtering out traffic is a necessity to be able to find packets of interest. The &quot;not equal to&quot; operator seems like the natural way to remove, from the display, traffic that is expected to be normal and benign on the network. Let's take a deeper look at the &quot;not equal to&quot; operator because, in certain cases, it doesn't work like you think it would, for example when it's combined with a name such as &quot;tcp.port&quot; or &quot;ip.addr&quot; that stands for more than one field in the packet. In the example &quot;ip.addr != 1.2.3.4,&quot; you would think that the filter would produce all traffic that does NOT contain the address as a source or destination. But &quot;ip.addr&quot; is really two fields, the source address and the destination address, and a comparison is true when any one of them satisfies it. A packet from 1.2.3.4 to 10.0.0.5 still matches, because its destination is not 1.2.3.4; only a packet with 1.2.3.4 as both source and destination is excluded, so almost nothing is filtered out. When you type that filter in the display filter field, the field turns yellow. Normally, the field is green when the filter uses the correct syntax. If the display filter is incorrect or incomplete, the color will be red. Yellow tells you that the filter is valid but isn't going to work quite the way you think it will. Another way to know that the operator is not working as expected is to compare the displayed packet count with the total captured, shown in the status bar at the bottom of the window. In this example, notice that the displayed count is only slightly less than the total packets captured. We would expect that our expression would filter out more than only 20 packets. Instead of using the &quot;not equal to&quot; operator, the recommendation is to invert the matching expression. To do this, you put the exclamation point, which is the logical &quot;not,&quot; in front of the expression: &quot;!(ip.addr == 1.2.3.4).&quot; The exclamation point goes outside of the parentheses, so the inner expression first finds every packet that has the address as source or destination, and the &quot;not&quot; then removes exactly those packets. Recent Wireshark releases, 3.6 and later, changed &quot;!=&quot; to mean &quot;all not equal,&quot; so there &quot;ip.addr != 1.2.3.4&quot; behaves as you would expect; the inverted form works the same on every version, which is why it is the safer habit. You now know some basic display filters. 
Next, we'll look at combining filters with Boolean expressions. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
					
				<Sec508Data><ContentDescription frameNbr="1">Screen 9 of 17. Screen title: The &quot;not equal&quot; Operator. Reprise of the main Wireshark screen. The &quot;greater than or equal to&quot; comparison operator displays. It appears as the greater than symbol followed by the equal symbol. The example reads: t c p dot s r c port greater than equals ten twenty four. The &quot;less than&quot; comparison operator displays. It appears as the less than symbol. There is no example displayed. The &quot;not equal to&quot; operator displays. It appears as an exclamation point followed by the equal symbol. An example of inverting an equals expression with the logical not operator displays, with the exclamation point positioned in front of an expression contained inside parentheses. The expression reads: exclamation point parenthesis i p dot a d d r equal equals one dot two dot three dot four close parenthesis. Text displays in support of audio.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Boolean Operators</Title>
					<Subtitle/>
					<Filename>idsal3_10</Filename>
					<PageNbr>10</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Combining simple filters with Boolean operators allows for more detailed filtering of packets. For example, you can combine filters by using the &quot;and&quot; operator. Let's say you want to look at TCP packets coming from the IP address &quot;192.168.2.117.&quot; This filter would be written as &quot;tcp and ip.src == 192.168.2.117.&quot; This tells Wireshark to display only TCP packets that come from the IP address you specified; UDP or ICMP from the same host is left out. Another example of how you might use the &quot;and&quot; operator is if you want to look for traffic traveling between two machines on the same subnet. In this case you are not looking for traffic that is going out to another network or for traffic that is coming in from another network. If you write the filter as &quot;ip.addr == 192.168.0.0/16,&quot; you would get all the traffic that has at least one end in that IP range, including traffic leaving for or arriving from other networks. The goal is to display only the traffic with both ends inside the range, so the filter should be written as &quot;ip.src == 192.168.0.0/16 and ip.dst == 192.168.0.0/16.&quot; This limits the display to traffic going between two machines within that IP range. The Boolean operator &quot;or&quot; can be used in a similar fashion to the &quot;and&quot; operator. For example, if you want to see the HTTP and HTTPS traffic on the standard ports, you would write a filter as &quot;tcp.port == 80 or tcp.port == 443.&quot; This will show the traffic that has TCP port 80, for HTTP, or TCP port 443, for HTTPS, as either the source or destination port in the packet. The &quot;not&quot; operator, which you can write as &quot;not&quot; or as an exclamation point, is the logical operator that inverts whatever expression follows it. It is the same operator we used on the previous screen to invert &quot;ip.addr == 1.2.3.4,&quot; and it is distinct from the &quot;not equal to&quot; comparison operator. Let's consider another example. Wireshark understands more than a thousand different protocols, including things that are outside the realm of IP like IPX and ARP. 
Wireshark can remove all of the frames that contain ARP traffic by using the operator &quot;not.&quot; The filter &quot;not arp&quot; tells Wireshark to display all captured frames that are not ARP traffic, such as IPv4, IPv6, or IPX. This is useful as an analyst when you don't need to examine certain protocols that are on the network. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
					
				<Sec508Data><ContentDescription frameNbr="1">Screen 10 of 17. Screen title: Boolean Operators. Reprise of the main Wireshark screen. Text displays and states: Examples of combined filters using Boolean operators and, or and not. Bulleted text displays in support of audio. </ContentDescription></Sec508Data></Page>
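The filters on screens 7 through 10 can be checked by hand on a small capture. What follows is an added example, not part of the course and not Wireshark code: a Python evaluator that follows the same matching rules as Wireshark display filters, run over a constructed set of packets so that the count each filter leaves on screen, and especially the difference between ip.addr != 1.2.3.4 and !(ip.addr == 1.2.3.4), can be seen directly. The packets, addresses and ports are constructed for the example and the function names are the example's own. The ne_all function models the "all not equal" meaning that != took on in Wireshark 3.6 and later.

```python
"""Added example, not part of the course or of Wireshark: a tiny evaluator
that follows the matching rules behind Wireshark display filters, run
over a constructed capture.  Packets, addresses and ports are constructed
for the example; function names are the example's own."""
import ipaddress

# Constructed capture.  Field names follow Wireshark (ip.src, tcp.dstport,
# ...); the last frame is ARP and has no IP layer at all.
PACKETS = [
    {"ip.src": "192.168.1.50", "ip.dst": "192.168.1.1", "tcp.srcport": 51000, "tcp.dstport": 22},
    {"ip.src": "192.168.1.1", "ip.dst": "192.168.1.50", "tcp.srcport": 22, "tcp.dstport": 51000},
    {"ip.src": "192.168.1.50", "ip.dst": "10.17.8.9", "udp.srcport": 53200, "udp.dstport": 53},
    {"ip.src": "10.17.8.9", "ip.dst": "192.168.1.50", "udp.srcport": 53, "udp.dstport": 53200},
    {"ip.src": "192.168.1.50", "ip.dst": "203.0.113.10", "tcp.srcport": 51001, "tcp.dstport": 443},
    {"ip.src": "1.2.3.4", "ip.dst": "192.168.1.50", "tcp.srcport": 20, "tcp.dstport": 51002},
    {"ip.src": "192.168.1.50", "ip.dst": "1.2.3.4", "tcp.srcport": 51002, "tcp.dstport": 20},
    {"arp": True},
]

# Names that stand for more than one field in a packet.  This is why
# "ip.addr != x" surprises people: the test is applied to each occurrence.
ALIASES = {"ip.addr": ("ip.src", "ip.dst"),
           "tcp.port": ("tcp.srcport", "tcp.dstport"),
           "udp.port": ("udp.srcport", "udp.dstport")}


def values(pkt, field):
    """Every occurrence of a field in a packet (empty if the layer is absent)."""
    return [pkt[n] for n in ALIASES.get(field, (field,)) if n in pkt]


def matches(value, wanted):
    """Equality that also understands CIDR notation such as 192.168.0.0/16."""
    if isinstance(wanted, str) and "/" in wanted:
        return ipaddress.ip_address(value) in ipaddress.ip_network(wanted, strict=False)
    return value == wanted


def eq(field, wanted):
    """field == wanted: true if ANY occurrence of the field matches."""
    return lambda p: any(matches(v, wanted) for v in values(p, field))


def ne_any(field, wanted):
    """Classic field != wanted: true if ANY occurrence differs, so a packet
    from 1.2.3.4 still matches because its destination is something else."""
    return lambda p: any(not matches(v, wanted) for v in values(p, field))


def ne_all(field, wanted):
    """field != wanted as Wireshark 3.6 and later read it: the field must be
    present and EVERY occurrence must differ."""
    def pred(p):
        vals = values(p, field)
        return bool(vals) and all(not matches(v, wanted) for v in vals)
    return pred


def ge(field, n):
    """field >= n, e.g. tcp.srcport >= 1024 for ephemeral source ports."""
    return lambda p: any(v >= n for v in values(p, field))


def proto(name):
    """A bare protocol name such as 'tcp' or 'arp' matches any packet that
    carries that layer."""
    return lambda p: any(k == name or k.startswith(name + ".") for k in p)


def and_(*preds):
    return lambda p: all(f(p) for f in preds)


def or_(*preds):
    return lambda p: any(f(p) for f in preds)


def not_(pred):
    """Logical not: the safe way to exclude an address on every version."""
    return lambda p: not pred(p)


def count(pred, packets=PACKETS):
    """How many packets the filter would leave on screen."""
    return sum(1 for p in packets if pred(p))


def run_examples():
    """Counts for the filters shown on the preceding screens."""
    here = eq("ip.addr", "1.2.3.4")
    return {
        "tcp.port == 22": count(eq("tcp.port", 22)),
        "udp.dstport == 53": count(eq("udp.dstport", 53)),
        "tcp.srcport >= 1024": count(ge("tcp.srcport", 1024)),
        "ip.addr == 1.2.3.4": count(here),
        "ip.addr != 1.2.3.4 (classic any-ne)": count(ne_any("ip.addr", "1.2.3.4")),
        "ip.addr != 1.2.3.4 (3.6+ all-ne)": count(ne_all("ip.addr", "1.2.3.4")),
        "!(ip.addr == 1.2.3.4)": count(not_(here)),
        "ip.src == 192.168.0.0/16 and ip.dst == 192.168.0.0/16": count(
            and_(eq("ip.src", "192.168.0.0/16"), eq("ip.dst", "192.168.0.0/16"))),
        "tcp.port == 80 or tcp.port == 443": count(or_(eq("tcp.port", 80), eq("tcp.port", 443))),
        "not arp": count(not_(proto("arp"))),
    }


if __name__ == "__main__":
    for flt, n in run_examples().items():
        print(f"{n:2d} of {len(PACKETS)} packets  {flt}")
```

Run as a script, it prints one line per filter. The classic != leaves 7 of the 8 frames on screen, because every IP packet has at least one address that is not 1.2.3.4, while !(ip.addr == 1.2.3.4) leaves 6: the two packets that involve the address are gone, and the ARP frame, which has no IP address at all, stays. The same filter strings work unchanged from the command line with tshark, for example tshark -r capture.pcap -Y 'tcp.port == 22'.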
				<Page>
					<Title>Summary of Filters</Title>
					<Subtitle/>
					<Filename>idsal3_11</Filename>
					<PageNbr>11</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Before moving on, take a few minutes to review the uses and examples of some common display filters. As you review the example filters, remember they are a small subset of the possible display filters since every field in the packet details pane can be used in a filter expression. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
					
				<Sec508Data><ContentDescription frameNbr="1">Screen 11 of 17. Screen title: Summary of Filters. Table displays containing filter expressions and Boolean operator descriptions and examples. The text states: An example of an expression to display packets with a specific source address is I p dot s r c equals equals one ninety two dot one sixty eight dot one dot one. An example of an expression to display packets with a specific destination address is I p dot d s t e q ten dot seventeen dot eight dot nine. An example of an expression to display packets with a specific source or destination address is I p dot a d d r equals equals ten dot ten dot ten dot ten. An example of an expression to display traffic going to or coming from a port is t c p dot port equals equals twenty two. An example of an expression to display traffic going to a port is u d p dot d s t port equals equals fifty three. An example of an expression to display traffic coming from a port is t c p dot s r c port equals equals twenty. An example of an expression to display traffic from an ephemeral port is t c p dot s r c port greater than equals ten twenty four. An example of inverting an expression with the logical not operator is exclamation point parenthesis i p dot a d d r equal equals one dot two dot three dot four close parenthesis. This will display traffic that does not contain the address as a source or destination. An example of using &quot;and&quot; to specify T C P packets coming from an I p address is t c p and I p dot s r c equals equals one ninety two dot one sixty eight dot two dot one seventeen. This combines a layer four protocol with a layer three address field. An example of using &quot;and&quot; to specify traffic traveling exclusively within the I p address range is i p dot s r c equals equals one ninety two dot one sixty eight dot zero dot zero forward slash sixteen and i p dot d s t equals equals one ninety two dot one sixty eight dot zero dot zero forward slash sixteen. 
This will display traffic traveling between two machines on the same subnet. An example of using &quot;or&quot; to display all H T T P or H T T P S traffic using the standard ports is t c p dot port equals equals eighty or t c p dot port equals equals four forty three. An example of using &quot;not&quot; to remove all frames that contain A R P traffic is not a r p.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Knowledge Check</Title>
					<Subtitle/>
					<Filename>idsal3_12</Filename>
					<PageNbr>12</PageNbr>
					<PageType display="Sequential">Knowledge Check</PageType>
					<AttemptCountLimit>1</AttemptCountLimit>
					<DfltQuestionWidth>500</DfltQuestionWidth>
					<DfltFBWidth>550</DfltFBWidth>
					<Questions>
						<Question qType="MC">
							<Txt>Which filter should you use to instruct Wireshark to filter for both layer 3 and layer 4 protocol header fields in relationship to a specific IP address?
Question 1 of 4.</Txt>
										
							<Response>
								<Txt>ip.addr == 192.168.1.113</Txt>
							</Response>
							<Response>
								<Txt>ip.addr != 192.168.1.113</Txt>
							</Response>
							<Response>
								<Txt>ip.dst == 192.168.1.113</Txt>
							</Response>
							<Response valid="true">
								<Txt>tcp and ip.src == 192.168.1.113</Txt>
							</Response>
							<Response>
								<Txt>tcp.srcport &gt;= 1024</Txt>
							</Response>
							<Response>
								<Txt>udp.dstport == 53</Txt>
							</Response>
							
							<Feedback>
								<DfltCorrect>Correct. To display layer 3 and layer 4 protocols, use &quot;and&quot; to specify that you want to see TCP packets coming from the IP address.</DfltCorrect>
								<DfltIncorrect>Incorrect. To display layer 3 and layer 4 protocols, use &quot;and&quot; to specify that you want to see TCP packets coming from the IP address.</DfltIncorrect>
							</Feedback>
						</Question>
						
						<Question qType="MC">
							<Txt>Which filter should you use to instruct Wireshark to display packets going to OR from 192.168.1.113?
Question 2 of 4.</Txt>
							
							<Response valid="true">
								<Txt>ip.addr == 192.168.1.113</Txt>
							</Response>
							<Response>
								<Txt>ip.addr != 192.168.1.113</Txt>
							</Response>
							<Response>
								<Txt>ip.dst == 192.168.1.113</Txt>
							</Response>
							<Response>
								<Txt>tcp and ip.src == 192.168.1.113</Txt>
							</Response>
							<Response>
								<Txt>tcp.srcport &gt;= 1024</Txt>
							</Response>
							<Response>
								<Txt>udp.dstport == 53</Txt>
							</Response>
						
							<Feedback>
								<DfltCorrect>Correct. The filter &quot;ip.addr&quot; matches against both the IP source and destination addresses in the IP header.</DfltCorrect>
								<DfltIncorrect>Incorrect. The filter &quot;ip.addr&quot; matches against both the IP source and destination addresses in the IP header.</DfltIncorrect>
							</Feedback>
						</Question>
						
						<Question qType="MC">
							<Txt>Which filter should you use to instruct Wireshark to display packets from an ephemeral port going to another machine?
Question 3 of 4.</Txt>
							
							<Response>
								<Txt>ip.addr == 192.168.1.113</Txt>
							</Response>
							<Response>
								<Txt>ip.addr != 192.168.1.113</Txt>
							</Response>
							<Response>
								<Txt>ip.dst == 192.168.1.113</Txt>
							</Response>
							<Response>
								<Txt>tcp and ip.src == 192.168.1.113</Txt>
							</Response>
							<Response valid="true">
								<Txt>tcp.srcport &gt;= 1024</Txt>
							</Response>
							<Response>
								<Txt>udp.dstport == 53</Txt>
							</Response>
						
							<Feedback>
								<DfltCorrect>Correct. This filter selects traffic from a source port greater than or equal to 1024. Typically this is traffic from a client machine going to a server, since ephemeral ports are used by client software as source ports.</DfltCorrect>
								<DfltIncorrect>Incorrect. The filter &quot;tcp.srcport &gt;= 1024&quot; selects traffic from a source port greater than or equal to 1024. Typically this is traffic from a client machine going to a server, since ephemeral ports are used by client software as source ports.</DfltIncorrect>
							</Feedback>
						</Question>
						
						<Question qType="MC">
							<Txt>Which filter should you use to instruct Wireshark to search for DNS queries?
Question 4 of 4.</Txt>
							
							<Response>
								<Txt>ip.addr == 192.168.1.113</Txt>
							</Response>
							<Response>
								<Txt>ip.addr != 192.168.1.113</Txt>
							</Response>
							<Response>
								<Txt>ip.dst == 192.168.1.113</Txt>
							</Response>
							<Response>
								<Txt>tcp and ip.src == 192.168.1.113</Txt>
							</Response>
							<Response>
								<Txt>tcp.srcport &gt;= 1024</Txt>
							</Response>
							<Response valid="true">
								<Txt>udp.dstport == 53</Txt>
							</Response>
						
							<Feedback>
								<DfltCorrect>Correct. You can combine simple filters to refine the types of data you want to display. By combining &quot;udp&quot; and &quot;dstport,&quot; you are specifying the protocol and field you want to filter on. DNS queries typically use UDP with a destination port of 53.</DfltCorrect>
								<DfltIncorrect>Incorrect. You can combine simple filters to refine the types of data you want to display. By combining &quot;udp&quot; and &quot;dstport,&quot; you are specifying the protocol and field you want to filter on. DNS queries typically use UDP with a destination port of 53.</DfltIncorrect>
							</Feedback>
						</Question>
						
					</Questions>
					<ShowText>
						<Txt frameNbr="1">Now check your knowledge of filter expressions, comparison operators, and Boolean operators for creating display filters. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
					
				<Sec508Data><ContentDescription frameNbr="1">Screen 12 of 17. Screen title: Knowledge Check. There are four multiple choice questions with the same six options. Moving from the top down the first option is i p dot a d d r equals equals one ninety two dot one sixty eight dot one dot one thirteen. The second option is i p dot a d d r exclamation point equals one ninety two dot one sixty eight dot one dot one thirteen. The third option is i p dot d s t equals equals one ninety two dot one sixty eight dot one dot one thirteen. The fourth option is t c p and i p dot s r c equals equals one ninety two dot one sixty eight dot one dot one thirteen. The fifth option is t c p dot s r c port greater than equals ten twenty four. The sixth and final option is u d p dot d s t port equals equals fifty three. Use your keyboard to cycle through the options.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>The Analysis Process</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>The Analyze Tab</Title>
					<Subtitle/>
					<Filename>idsal3_13</Filename>
					<PageNbr>13</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Wireshark contains a variety of analysis tools that can help you better understand the content of the packets and the streams of data flowing back and forth across the network. You'll find these tools in the Analyze menu. Let's look at three options: Expert Info Composite, Follow TCP Stream, and Follow UDP Stream. Expert Info Composite gives you a list of events corresponding to a packet or series of packets. For example, you might see a stream of data such as an &quot;HTTP GET&quot; or an FTP stream. This gives you a condensed, big-picture view of the type of traffic without having to look at every packet in the capture log. Also, you may find something in Expert Info that you want to locate or understand better. One way to do that is to find one of the packets in that conversation and then use the Follow TCP Stream option in the Analyze drop-down menu. Wireshark will follow that stream and extract the payload data out of the packets, in sequence order and with retransmitted bytes removed. It consolidates the payload data into one view so you can examine what is going on between the two hosts. Let's look at packet 900 and follow the TCP stream to see what is happening in this FTP connection. To do this, select the Follow TCP Stream option from the Analyze drop-down menu. Or, you can right-click a packet and choose the Follow TCP Stream option from the contextual menu. After you select Follow TCP Stream, you get a listing of what happened in the FTP command session. You can see the client's commands in red and the server's responses in blue, and follow the conversation back and forth. For example, you can see the client asking for directory listings and changing the working directory. You don't see any file contents because you're looking at the command channel connection, not the data connection where the file data passes back and forth. Notice the &quot;entering passive mode&quot; responses coming back from the server. Each one tells the client which address and port to connect to for the data it requested, so every transfer is a separate TCP stream that you would follow on its own. 
You now have a better idea of what the client machine was doing without having to dig into the packets and look directly at the contents. You can do the same thing with UDP, even though UDP has no stream in the TCP sense. With the Follow UDP Stream option, Wireshark groups together the UDP packets that share the same pair of addresses and ports. An example is a TFTP transfer between two machines: Wireshark presents the datagrams going back and forth as one stream that you can view and follow in the packet capture session. Keep in mind that a TFTP server answers the request it received on port 69 from a freshly chosen port, so the initial request and the transfer itself use different port pairs; follow the stream from one of the data packets rather than from the request. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
					
				<Sec508Data><ContentDescription frameNbr="1">Screen 13 of 17. Topic title: The Analysis Process. Screen title: The Analyze Tab. Reprise of the main Wireshark screen. The Analyze option menu in the tool bar appears expanded. Starting from the top the options in the menu are Display filters, Display Filter Macros, Apply as a Filter, Prepare a Filter, Firewall A C L Rules, Enabled Protocols, Decode As, User Specified Decodes, Follow T C P Stream, Follow U D P Stream, Follow S S L Stream, Expert Info, Expert Info Composite and Conversation Filter. Bulleted text displays in support of audio. Image changes to the T C P stream data analysis results window. LIST command is highlighted with two lines of command channel data. The first line reads one fifty here comes the directory listing. The second line reads two hundred twenty six Directory send OK. C W D command is highlighted with two hundred fifty Directory successfully changed. Entering passive mode responses are indicated by the letters P A S V. Image changes back to the main Wireshark screen. Bulleted text displays in support of audio. </ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Strings</Title>
					<Subtitle/>
					<Filename>idsal3_14</Filename>
					<PageNbr>14</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Another tool you'll find useful is the string search in Find Packet. With this tool you specify a string and let Wireshark search through the packets for you. To use it you need to know what you want to look for, like a particular type of traffic or a specific command in the traffic. Alternately, you may have noted something of interest in the Expert Info Composite, or when you ran the Unix strings utility against the capture file, that you now want to locate. Let's say you want to search for any IRC traffic because you know that's the command and control channel for a particular worm. You could look for this on port 6667, but attackers often use non-standard ports, so a port filter alone will miss it. An alternate way to look through IRC traffic to see if Wireshark captured a worm segment connecting into a botnet is to search for the JOIN command, which is the IRC command to enter an IRC channel. From the main screen, select Edit and then Find Packet. Type the string you are looking for, in this case, &quot;JOIN.&quot; Select the String option so that Wireshark treats your entry as text rather than as a display filter or a hex value. If you want, you can make this case sensitive by selecting the case sensitive option. Next, select the Find button. Wireshark then searches packet by packet for the string JOIN; a string that is split across two TCP segments will not match this way, which is one reason to follow the stream as well. In this example, Wireshark found the string JOIN in packet 928. You can see the string in the bytes pane. This is what IRC traffic looks like. To get a better look at what this traffic is about, select the callout to see the TCP stream. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
					
					<Popups>
						<Popup>
							<Title>Strings</Title>
							<Subtitle/>
							<Filename>idsal3_14_01</Filename>
							<PageNbr>14</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> Following the stream, you see the word JOIN with the text &quot;# dc dc pass.&quot; This is someone joining a particular channel with a password. You then see USER HOST and MODE with some information followed by another JOIN. Below JOIN, we see more information about a particular host. This is very interesting because it's indicative of bot traffic. Notice that the user names and nicknames are all long, random looking strings. These are not typical user names. It looks like this machine is infected with some kind of bot.  </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
							
						<Sec508TriggerName>View TCP Stream</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 1 of 1. Popup title: View T C P Stream. The Follow T C P Stream window displays. Lines of data contain numerals, symbols and letters. Bot Alert text displays as a warning. The user name &quot;o i n w p b j u y z&quot; is highlighted in the data. A callout displays and points to the username in the data. Text in the callout states: Notice that the user names and nicknames are long random looking strings. They are not names that a person would normally use.</ContentDescription></Sec508Data></Popup>
					</Popups>
				<Sec508Data><ContentDescription frameNbr="1">Screen 14 of 17. Screen title: Strings. Reprise of the main Wireshark screen. Bulleted text displays in support of audio. The Edit option menu in the tool bar appears expanded. The Find Packet window displays. There is a data entry field titled Filter. The word JOIN appears in the field. Below the entry field are two lists of options. The first list allows you to select the packet list, packet details or the packet bytes pane to search. The second list contains string options. Image changes to the main Wireshark screen. A callout points to the word join in the bytes section. Text in the callout states: Wireshark found the string join in packet nine twenty eight. The callout becomes selectable as a popup.

</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Identifying Malicious Traffic</Title>
					<Subtitle/>
					<Filename>idsal3_15</Filename>
					<PageNbr>15</PageNbr>
					<ShowText>
						<Txt frameNbr="1">You now know how to use a string search for the JOIN command to try to identify a bot. There are other ways you can identify malicious traffic using Wireshark. As an intrusion detection analyst, you can use Wireshark to analyze the header fields and the data payload of a packet capture, and to run searches for words from a dirty word list. A dirty word list is a forensic term for a list of content a forensic investigator believes is related to a case. Select each analysis process for a description of what information to look for in order to identify malicious traffic. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
					
					<Popups>
						<Popup>
							<Title>Run a &quot;dirty&quot; word search</Title>
							<Subtitle/>
							<Filename>idsal3_15_01</Filename>
							<PageNbr>15</PageNbr>
							<ShowText>
								<Txt frameNbr="1">You can use the strings tool to look for malicious traffic by checking for &quot;dirty&quot; words. &quot;Dirty&quot; words can be plain words, DNS names, and IP addresses, to name a few. To run a string search, open a Wireshark capture file and first apply a display filter to remove routine traffic. Then review the remaining connections, looking for &quot;dirty&quot; words and for any unusual connections. Be sure to look at the IP addresses too: an address that is on the list, or one you would not expect to see on your network, is itself an indicator. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
							
						<Sec508TriggerName>Run a Dirty Word Search</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 1 of 3. Popup title: Run a Dirty Word Search. Image of a magnifying glass displays. Bulleted text displays in support of audio. The text &quot;Dirty words&quot; becomes a rollover which states: A &quot;dirty&quot; word list is a forensic term describing a list of words or content that appears to be related to the case. It is created from existing evidence and knowledge of a specific case. A forensic investigator uses the list when searching additional evidence.</ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>Analyze header fields</Title>
							<Subtitle/>
							<Filename>idsal3_15_02</Filename>
							<PageNbr>15</PageNbr>
							<ShowText>
								<Txt frameNbr="1">When you analyze the header fields for malicious traffic, you want to look at the header fields in layers three and four for key indicators of a malicious event. Some items to focus on are the addresses and ports in use, the type of service field, and whether a connection is going to a server you expect, such as your HTTP or SMTP server. Examples of key indicators include: IP traffic that travels to or comes from certain foreign countries, protocols such as IRC running on non-standard ports, and addresses or protocols seen in previous attacks. One more example is encrypted or encoded content on ports that are normally not encrypted, such as unreadable content on the FTP command channel port, port 21. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
							
						<Sec508TriggerName>Analyze Header Fields</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 2 of 3. Popup title: Analyze Header Fields. Reprise of O S I model with levels 3 Network and 4 Transport highlighted.  Bulleted text displays in support of audio.</ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>Analyze data payload</Title>
							<Subtitle/>
							<Filename>idsal3_15_03</Filename>
							<PageNbr>15</PageNbr>
							<ShowText>
								<Txt frameNbr="1">When you analyze the data payload for malicious traffic, you want to look for unique key indicators of a malicious event in layer seven data. For example, if you see unique bytes that indicate an exploit was sent to a target, look at the target's response: a reply that matches what the exploit's payload would produce, such as a command shell prompt or the start of a second-stage download, is evidence that the exploit attempt was successful, whereas an error or a reset suggests it failed. Examples of key indicators include signs of stage 2 Windows executables, such as the &quot;MZ&quot; header and the text &quot;This program cannot be run in DOS mode&quot; from the DOS stub at the start of every PE file, and signs of IRC command and control traffic, such as the JOIN command followed by a channel name and password. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
							
						<Sec508TriggerName>Analyze Data Payload</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 3 of 3. Popup title: Analyze Data Payload. Reprise of O S I model, level 7 Application is highlighted. Bulleted text displays in support of audio.</ContentDescription></Sec508Data></Popup>
					</Popups>
				<Sec508Data><ContentDescription frameNbr="1">Screen 15 of 17. Screen title: Identifying Malicious Traffic. Reprise of the main Wireshark screen. Bulleted text displays in support of audio. The bullets become selectable as popups.

</ContentDescription></Sec508Data></Page>
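Screens 13 through 15 describe following a TCP stream, searching packets for a string such as JOIN, and checking reassembled data for dirty words and bot indicators. What follows is an added example, not part of the course and not Wireshark's own code: a Python script that reassembles each direction of a TCP conversation from its segments, the way Follow TCP Stream does, then runs a dirty-word search once per packet and once over the reassembled stream, extracts the channel and key from an IRC JOIN, and flags machine-looking nicknames. Every segment, address, nickname and dirty word is constructed for the example (the IRC server sits on port 8443 to mirror the non-standard port case), and the consonant-run rule for random-looking names is this example's heuristic, not a Wireshark feature.

```python
"""Added example, not part of the course or of Wireshark itself: rebuild
the two directions of a TCP conversation from its segments (what Follow
TCP Stream does for you), then run a "dirty word" search and an IRC JOIN
check over the reassembled data.  Every segment, address, nickname and
dirty word below is constructed for the example; the consonant-run rule
for "random-looking" nicknames is a crude heuristic of this example."""
import re
from collections import defaultdict

# Constructed segments: (src, sport, dst, dport, seq, payload).  10.0.0.7 is
# the suspected bot, 203.0.113.5 a hypothetical IRC server on a non-standard
# port.  Segment 2 retransmits segment 1, and "JOIN" is split across
# segments 3 and 4, so a frame-by-frame search cannot see it.
SEGMENTS = [
    ("10.0.0.7", 40112, "203.0.113.5", 8443, 1000, b"NICK oinwpbjuyz\r\n"),
    ("10.0.0.7", 40112, "203.0.113.5", 8443, 1000, b"NICK oinwpbjuyz\r\n"),
    ("10.0.0.7", 40112, "203.0.113.5", 8443, 1017, b"USER kqzvmhrtsw 0 * :x\r\nJO"),
    ("10.0.0.7", 40112, "203.0.113.5", 8443, 1043, b"IN #zx9q s3cr3t\r\n"),
    ("203.0.113.5", 8443, "10.0.0.7", 40112, 5000, b":irc 001 oinwpbjuyz :Welcome\r\n"),
    ("203.0.113.5", 8443, "10.0.0.7", 40112, 5030, b":irc 353 oinwpbjuyz = #zx9q :oinwpbjuyz kqzvmhrtsw\r\n"),
    ("203.0.113.5", 8443, "10.0.0.7", 40112, 5082, b"MZ\x90\x00This program cannot be run in DOS mode"),
]

# A constructed dirty word list: an IRC command, the DOS stub text found in
# every Windows PE file, and a command that does not occur in this capture.
DIRTY_WORDS = [b"JOIN", b"This program cannot be run in DOS mode", b"PRIVMSG"]
IRC_JOIN = re.compile(rb"JOIN\s+(#\S+)(?:\s+(\S+))?")
IRC_NAME = re.compile(rb"^(?:NICK|USER)\s+(\S+)", re.M)


def reassemble(segments):
    """Group segments by direction, order them by sequence number and drop
    bytes already delivered, so retransmissions and overlaps are not
    duplicated.  Returns {(src, sport, dst, dport): bytes}.  A lost segment
    simply leaves the later data adjacent to the earlier data."""
    by_dir = defaultdict(list)
    for src, sport, dst, dport, seq, payload in segments:
        by_dir[(src, sport, dst, dport)].append((seq, payload))
    streams = {}
    for direction, segs in by_dir.items():
        data, expected = b"", None
        for seq, payload in sorted(segs, key=lambda s: s[0]):
            if expected is None:
                expected = seq
            if expected >= seq + len(payload):      # pure retransmission
                continue
            if expected > seq:                      # partial overlap: trim
                payload = payload[expected - seq:]
                seq = expected
            data += payload
            expected = seq + len(payload)
        streams[direction] = data
    return streams


def search_packets(segments, words):
    """Frame-by-frame search, like Find Packet on packet bytes: a word is
    found only if it sits entirely inside one segment."""
    return {w for w in words if any(w in seg[5] for seg in segments)}


def search_streams(streams, words):
    """The same words searched over the reassembled directions."""
    return {w for w in words if any(w in data for data in streams.values())}


def irc_joins(streams):
    """(client, channel, key) for each JOIN command in a reassembled stream."""
    hits = []
    for (src, _sp, _dst, _dp), data in streams.items():
        for m in IRC_JOIN.finditer(data):
            hits.append((src, m.group(1).decode(), (m.group(2) or b"").decode()))
    return hits


def random_looking(name):
    """Heuristic of this example: four or more consonant letters in a row is
    unlike the nicknames people choose for themselves."""
    run = longest = 0
    for ch in name.lower():
        if ch.isalpha() and ch not in "aeiou":
            run += 1
            longest = max(longest, run)
        else:
            run = 0
    return longest >= 4


def suspicious_names(streams):
    """NICK/USER names from the reassembled data that look machine-generated."""
    names = [m.group(1).decode() for data in streams.values() for m in IRC_NAME.finditer(data)]
    return sorted(n for n in names if random_looking(n))


if __name__ == "__main__":
    streams = reassemble(SEGMENTS)
    print("per packet :", search_packets(SEGMENTS, DIRTY_WORDS))
    print("per stream :", search_streams(streams, DIRTY_WORDS))
    print("IRC joins  :", irc_joins(streams))
    print("odd names  :", suspicious_names(streams))
```

Run as a script, it prints the four results. The per-packet search finds only the DOS stub, because the JOIN command starts in one segment and ends in the next; the stream search finds both, and the JOIN check recovers the channel and key. That is the situation in which Find Packet on packet bytes comes up empty while following the stream does not.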
				<Page>
					<Title>Knowledge Check</Title>
					<Subtitle/>
					<Filename>idsal3_16</Filename>
					<PageNbr>16</PageNbr>
					<PageType>Knowledge Check</PageType>
					<AttemptCountLimit>1</AttemptCountLimit>
					<DfltQuestionWidth>500</DfltQuestionWidth>
					<DfltFBWidth>550</DfltFBWidth>
					<Questions>
					
						<Question qType="MC">
							<Txt>Looks at TFTP transfer files going back and forth between two machines</Txt>
							
							<Response>
								<Txt>Expert Info, for statement: Looks at TFTP transfer files going back and forth between two machines</Txt>
							</Response>
							<Response>
								<Txt>Find Packet, for statement: Looks at TFTP transfer files going back and forth between two machines</Txt>
							</Response>
							<Response>
								<Txt>Follow TCP Stream, for statement: Looks at TFTP transfer files going back and forth between two machines</Txt>
							</Response>
							<Response valid="true">
								<Txt>Follow UDP Stream, for statement: Looks at TFTP transfer files going back and forth between two machines</Txt>
							</Response>
																											
							<Feedback>
								<DfltCorrect>Correct. When you select the Follow UDP Stream analysis option, Wireshark intelligently connects UDP packets. This allows you to see TFTP transfer files going back and forth between two machines.</DfltCorrect>
								<DfltIncorrect>Incorrect. When you select the Follow UDP Stream analysis option, Wireshark intelligently connects UDP packets. This allows you to see TFTP transfer files going back and forth between two machines.</DfltIncorrect>
							</Feedback>
						</Question>
						
						<Question qType="MC">
							<Txt>Looks for a particular type of traffic or a specific command in the traffic specified by the analyst</Txt>
							
							<Response>
								<Txt>Expert Info, for statement: Looks for a particular type of traffic or a specific command in the traffic specified by the analyst</Txt>
							</Response>
							<Response valid="true">
								<Txt>Find Packet, for statement: Looks for a particular type of traffic or a specific command in the traffic specified by the analyst</Txt>
							</Response>
							<Response>
								<Txt>Follow TCP Stream, for statement: Looks for a particular type of traffic or a specific command in the traffic specified by the analyst</Txt>
							</Response>
							<Response>
								<Txt>Follow UDP Stream, for statement: Looks for a particular type of traffic or a specific command in the traffic specified by the analyst</Txt>
							</Response>
																											
							<Feedback>
								<DfltCorrect>Correct. When you select the Find Packet option, you can search the data by specifying a string and allowing Wireshark to search through the packet for you.</DfltCorrect>
								<DfltIncorrect>Incorrect. When you select the Find Packet option, you can search the data by specifying a string and allowing Wireshark to search through the packet for you.</DfltIncorrect>
							</Feedback>
						</Question>
						
						<Question qType="MC">
							<Txt>Provides a list of events corresponding to a packet or series of packets</Txt>
							
							<Response valid="true">
								<Txt>Expert Info, for statement: Provides a list of events corresponding to a packet or series of packets</Txt>
							</Response>
							<Response>
								<Txt>Find Packet, for statement: Provides a list of events corresponding to a packet or series of packets</Txt>
							</Response>
							<Response>
								<Txt>Follow TCP Stream, for statement: Provides a list of events corresponding to a packet or series of packets</Txt>
							</Response>
							<Response>
								<Txt>Follow UDP Stream, for statement: Provides a list of events corresponding to a packet or series of packets</Txt>
							</Response>
																											
							<Feedback>
								<DfltCorrect>Correct. When you select the Expert Info option, Wireshark gives you a list of events corresponding to a packet or series of packets. This is one way to find any &quot;uncommon&quot; or just notable network behavior.</DfltCorrect>
								<DfltIncorrect>Incorrect. When you select the Expert Info option, Wireshark gives you a list of events corresponding to a packet or series of packets. This is one way to find any &quot;uncommon&quot; or just notable network behavior.</DfltIncorrect>
							</Feedback>
						</Question>
						
						<Question qType="MC">
							<Txt>Provides a consolidated view of traffic flowing between two hosts</Txt>
							
							<Response>
								<Txt>Expert Info, for statement: Provides a consolidated view of HTTP traffic flowing between two hosts</Txt>
							</Response>
							<Response>
								<Txt>Find Packet, for statement: Provides a consolidated view of HTTP traffic flowing between two hosts</Txt>
							</Response>
							<Response valid="true">
								<Txt>Follow TCP Stream, for statement: Provides a consolidated view of HTTP traffic flowing between two hosts</Txt>
							</Response>
							<Response>
								<Txt>Follow UDP Stream, for statement: Provides a consolidated view of HTTP traffic flowing between two hosts</Txt>
							</Response>
																											
							<Feedback>
								<DfltCorrect>Correct. When you select the Follow TCP Stream analysis option, Wireshark follows the TCP stream and extracts the data out of the packets. It consolidates the data into one view so you can examine what is going on between the two hosts.</DfltCorrect>
								<DfltIncorrect>Incorrect. When you select the Follow TCP Stream analysis option, Wireshark follows the TCP stream and extracts the data out of the packets. It consolidates the data into one view so you can examine what is going on between the two hosts.</DfltIncorrect>
							</Feedback>
						</Question>
						
					</Questions>
					<ShowText>
						<Txt frameNbr="1">Now check your knowledge of Wireshark analysis tools. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
					
				<Sec508Data><ContentDescription frameNbr="1">Screen 16 of 17. Screen title: Knowledge Check. There are four multiple choice questions with the same four options. Moving from left to right the options are Expert Info, Find Packet, Follow T C P Stream and Follow U D P Stream. Use your keyboard to cycle through the options.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Conclusion</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Summary and Conclusion</Title>
					<Subtitle/>
					<Filename>idsal3_17</Filename>
					<PageNbr>17</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Congratulations! You have completed the Wireshark and the Analysis Process lesson. You should now be able to select the appropriate network interface that Wireshark will use to capture traffic and identify the basic types of data displayed in each pane of the default Wireshark window. You should also be able to identify some basic filter constructs for specifying the data you want Wireshark to look for, and some methods to capture unusual or malicious traffic. Finally, you should be able to identify some of Wireshark's data analysis tools and some key characteristics of malicious traffic. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
					
				<Sec508Data><ContentDescription frameNbr="1">Screen 17 of 17. Topic title: Conclusion. Screen title: Summary and Conclusion. The word Congratulations appears in large text. The seven lesson learning objectives are repeated. The first objective states: Select the appropriate network interface Wireshark uses. The second objective states: Identify the three panes in the default Wireshark window and the basic types of data displayed in each pane. The third objective states: Identify basic filter constructs to find specific data. The fourth objective states: Describe methods to capture unusual or malicious traffic on a network. The fifth objective states: Identify analysis methods for T C P I P header fields to identify malicious traffic. The sixth objective states: Identify analysis methods for data portions of T C P I P packets or streams to identify malicious traffic. The seventh and final objective states: Identify the characteristics of malicious traffic.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
	</Topics>
</Module>
