Module 5: Wireshark Essentials
Getting Started
Putting the wireless adapter into monitor mode (iwconfig is the legacy tool; the newer iw equivalent is iw dev wlan0 set type monitor, and in both cases the interface has to be down first). Done this way the interface keeps its name, wlan0. The wlan0mon name used in the rest of these notes is the one airmon-ng assigns, so substitute whatever name your adapter actually has:
kali@kali:~$ sudo ip link set wlan0 down
kali@kali:~$ sudo iwconfig wlan0 mode monitor
kali@kali:~$ sudo ip link set wlan0 up
Welcome Screen


Packet Display

Rearrange the packet list layout via Edit > Preferences > Appearance > Layout.
Wireless Toolbar


Changing the channel via script while listening with Wireshark. A monitor-mode interface only sees the channel it is currently tuned to, so the script walks the 2.4 GHz channels (the non-overlapping 1, 6 and 11 first) and repeats until interrupted with Ctrl-C. Run it as root, or prefix the iw command with sudo, in a second terminal:
#!/bin/bash
# Loop forever; each channel is held for one second before hopping on.
while true
do
    for channel in 1 6 11 2 7 10 3 8 4 9 5
    do
        iw dev wlan0mon set channel ${channel}
        sleep 1
    done
done
airodump-ng could also be used for channel hopping: running sudo airodump-ng wlan0mon in another terminal hops the interface across the 2.4 GHz channels in much the same way, and Wireshark still receives the frames because both programs are reading the same monitor-mode interface.
Saving and Exporting Packets
We can save the whole contents of a packet capture via File > Save or File > Save As... To save only some of the packets, for example those matching the current display filter or a given packet range, use File > Export Specified Packets...

Wireshark Filters
Wireshark Display Filters
These filters only affect which packets are visible in Wireshark's packet list. Wireshark still captures the packets a display filter hides, and the filter can be changed or removed at any time after the capture.

The best way to understand the Display Filter syntax is to create one with the Display Filter Expression screen found at Analyze > Display Filter Expression...





Display filters can be bookmarked for later/repeated use via the bookmark button on the left of the Display Filter tool bar. Shortcuts can be created by clicking the + on the very right of the Display Filter toolbar.
Wireshark Capture Filters
Capture filters use the libpcap filter syntax, which is compiled to Berkeley Packet Filter (BPF) code and applied in the kernel, so only matching packets reach Wireshark at all. They decrease the amount of data received rather than the amount displayed, which is what a display filter does, and packets a capture filter drops cannot be recovered later, so keep capture filters broad and do the fine selection with display filters. The syntax is documented in the pcap-filter man page; on a monitor-mode interface it includes 802.11-specific primitives such as type mgt subtype beacon, type data and wlan addr2 <mac>. Capture filters match on raw bytes before dissection, so they cannot refer to anything that only exists after decryption or reassembly, whereas a display filter such as wlan.fc.type_subtype == 0x08 or eapol works on the dissected fields.
Wireshark at the Command Line
Getting help for wireshark at the command line:
kali@kali:~$ wireshark --help
Wireshark 3.2.1 (Git v3.2.1 packaged as 3.2.1-1)
Interactively dump and analyze network traffic.
See https://www.wireshark.org for more information.
Usage: wireshark [options] ... [ <infile> ]
Capture interface:
-i <interface>, --interface <interface>
name or idx of interface (def: first non-loopback)
-f <capture filter> packet filter in libpcap filter syntax
-s <snaplen>, --snapshot-length <snaplen>
packet snapshot length (def: appropriate maximum)
...
-k start capturing immediately (def: do nothing)
...
-I, --monitor-mode capture in monitor mode, if available
...
-D, --list-interfaces print list of interfaces and exit
...
Listing all available interfaces along with their index numbers:
kali@kali:~$ sudo wireshark -D
Capture-Message: 14:05:44.552: Capture Interface List ...
Capture-Message: 14:05:44.697: Loading External Capture Interface List ...
1. eth0
2. lo (Loopback)
3. any
4. wlan0mon
5. nflog
6. nfqueue
7. ciscodump (Cisco remote capture)
8. dpauxmon (DisplayPort AUX channel monitor capture)
9. randpkt (Random packet generator)
10. sdjournal (systemd Journal Export)
11. sshdump (SSH remote capture)
12. udpdump (UDP Listener remote capture)
Starting a capture, specifying our interface in monitor mode (this will automatically open the GUI with the packet capture running):
kali@kali:~$ sudo wireshark -i wlan0mon -k
QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-root'
...
Remote Packet Capture
Several tools can produce a capture for Wireshark to read, so it is good to understand their pros and cons. dumpcap is Wireshark's own capture engine (Wireshark and tshark both start it to do the actual capturing, which is why the tshark output below identifies itself as Dumpcap) and has lower overhead than tcpdump and tshark. The difference in CPU usage will likely not be noticeable until large amounts of data are transferred or a low-power device is used as the capture device.
Remote Packet Capture Setup
TCPdump output on stdout (-w - writes the pcap stream to standard output; -U flushes it packet by packet instead of waiting for the buffer to fill, which matters when a reader such as Wireshark is waiting at the other end of a pipe). The garbage at the start of the line is the pcap file header, beginning with the magic number 0xa1b2c3d4, being printed to the terminal:
kali@kali:~$ sudo tcpdump -i wlan0mon -w - -U
[binary pcap header]tcpdump: listening on wlan0mon, link-type IEEE802_11_RADIO (802.11 plus radiotap header), capture size 262144 bytes
dumpcap output on stdout (-P selects the classic pcap format; without it dumpcap writes pcapng):
kali@kali:~$ sudo dumpcap -w - -P -i wlan0mon
Capturing on 'wlan0mon'
[binary pcap header]File: -
[binary packet data]
...
tshark output on stdout (pcapng by default; the readable strings are the pcapng section header block, which records the capturing host's CPU, operating system and application, here Dumpcap, which tshark runs under the hood):
kali@kali:~$ sudo tshark -w - -i wlan0mon
Running as user "root" and group "root". This could be dangerous.
Capturing on 'wlan0mon'
[binary pcapng data]Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz (with SSE4.2)Linux 5.4.0-kali3-amd64:Dumpcap (Wireshark) 3.2.1 (Git v3.2.1 packaged as 3.2.1-1)[binary]wlan0mon
...
Pipes
Named pipes, also known as FIFOs (first in, first out), are special files on the filesystem (ls -l shows them with a p type) that carry a byte stream between processes that need not be related to each other. A process opening a FIFO for writing blocks until another has opened it for reading, and vice versa.
Anonymous (unnamed) pipes are created with the pipe() system call and only exist between related processes. The shell uses one whenever commands are chained with the pipe (|) character.
One pipe example:
kali@kali:~$ ls /var/log | more
Capturing traffic and piping it to Wireshark (tcpdump runs as root, Wireshark as the normal user and reads the pcap stream from standard input, which is what -i - means):
kali@kali:~$ sudo tcpdump -U -w - -i wlan0mon | wireshark -k -i -
tcpdump: listening on wlan0mon, link-type IEEE802_11_RADIO (802.11 plus radiotap header), capture size 262144 bytes
Creating a named pipe using mkfifo:
kali@kali:~$ mkfifo /tmp/named_pipe
kali@kali:~$ ls -l /tmp/named_pipe
prw-r--r-- 1 kali kali 0 Jul 27 20:47 /tmp/named_pipe
Configuring the named pipe in Wireshark:
Capture > Options...
Manage Interfaces > Pipes tab > +
Enter the pipe's path name, in our case /tmp/named_pipe
Click OK
Initiating a packet capture, writing to our named pipe (the shell redirection opens the FIFO for writing, which blocks until Wireshark's capture on the pipe has been started, so the two can be started in either order):
kali@kali:~$ sudo tcpdump -U -w - -i wlan0mon > /tmp/named_pipe
Capturing traffic with tcpdump on a remote host and piping it to Wireshark on our device (sudo -S reads the sudo password from stdin if one is required; here we log in as root, so only the SSH password is asked for, and the pcap stream tcpdump writes to stdout travels back over the SSH session into Wireshark's stdin):
kali@kali:/$ ssh root@10.11.0.196 "sudo -S tcpdump -U -w - -i wlan0mon" | sudo wireshark -k -i -
QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-root'
root@10.11.0.196's password:******
tcpdump: listening on wlan0mon, link-type IEEE802_11_RADIO (802.11 plus radiotap header), capture size 262144 bytes
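What travels through the stdin and named-pipe setups above is a pcap stream, not raw frames, and a display filter such as wlan.fc.type_subtype == 0x08 from the filter section matches on fields Wireshark parses out of that stream. The following added example (written for these notes, not taken from Wireshark, tcpdump or any project) builds two constructed 802.11 frames, a beacon and a null data frame, decodes the Frame Control byte the way the wlan.fc.* fields and the BPF type/subtype primitives see it, and writes the frames as a pcap stream (link type 105, raw 802.11 without radiotap) to a named pipe, flushing per record like tcpdump -U. The MAC addresses, SSID, pipe path and all function names are this example's own made-up values.

```python
import struct
import sys
import time

LINKTYPE_IEEE802_11 = 105          # raw 802.11 frames, no radiotap header
PCAP_MAGIC = 0xA1B2C3D4            # microsecond-timestamp pcap, written little-endian

# pcap-filter names for the frame types and the two subtypes this example builds.
BPF_NAMES = {0: "mgt", 1: "ctl", 2: "data"}
BPF_SUBTYPES = {(0, 8): "beacon", (2, 4): "null"}

# Constructed addresses for the example; not real devices.
AP_BSSID = "02:00:00:00:01:00"
STA_MAC = "02:00:00:00:02:00"


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def dot11_header(ftype, subtype, addr1, addr2, addr3, flags=0):
    """24-byte MAC header: frame control, duration, three addresses, sequence control."""
    fc = (subtype << 4) | (ftype << 2)          # bits 0-1 version, 2-3 type, 4-7 subtype
    return (struct.pack("<BBH", fc, flags, 0)
            + mac(addr1) + mac(addr2) + mac(addr3)
            + struct.pack("<H", 0))


def beacon(bssid, ssid):
    """Management frame, subtype 8: fixed parameters followed by an SSID element."""
    fixed = struct.pack("<QHH", 0, 100, 0x0411)  # timestamp, beacon interval, capabilities
    ssid_ie = bytes([0, len(ssid)]) + ssid.encode()
    return dot11_header(0, 8, "ff:ff:ff:ff:ff:ff", bssid, bssid) + fixed + ssid_ie


def null_data(bssid, sta):
    """Data frame, subtype 4 (null function), station to AP (ToDS flag set), no body."""
    return dot11_header(2, 4, bssid, sta, bssid, flags=0x01)


def frame_control(frame):
    """Decode the first Frame Control byte into the values Wireshark exposes as wlan.fc.*."""
    fc = frame[0]
    ftype, subtype = (fc >> 2) & 0x3, fc >> 4
    return {"version": fc & 0x3, "type": ftype, "subtype": subtype,
            "type_subtype": (ftype << 4) | subtype}


def filters_for(frame):
    """Display filter and capture (BPF) filter that would match this frame."""
    fc = frame_control(frame)
    display = "wlan.fc.type_subtype == 0x%02x" % fc["type_subtype"]
    bpf = "type " + BPF_NAMES[fc["type"]]
    sub = BPF_SUBTYPES.get((fc["type"], fc["subtype"]))
    if sub:
        bpf += " subtype " + sub
    return display, bpf


def pcap_global_header(snaplen=262144, linktype=LINKTYPE_IEEE802_11):
    """magic, version 2.4, timezone 0, sigfigs 0, snaplen, link type."""
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(frame, ts):
    sec = int(ts)
    usec = int((ts - sec) * 1_000_000)
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame


def build_capture(frames, start=None):
    """Whole pcap stream as bytes: global header, then one record per frame, 100 ms apart."""
    start = time.time() if start is None else start
    out = pcap_global_header()
    for i, frame in enumerate(frames):
        out += pcap_record(frame, start + 0.1 * i)
    return out


def write_capture(path, frames):
    """Write the stream to a file or FIFO, flushing per record the way tcpdump -U does."""
    with open(path, "wb") as fifo:       # opening a FIFO blocks until Wireshark reads it
        fifo.write(pcap_global_header())
        fifo.flush()
        for i, frame in enumerate(frames):
            fifo.write(pcap_record(frame, time.time() + 0.1 * i))
            fifo.flush()


if __name__ == "__main__":
    frames = [beacon(AP_BSSID, "test"), null_data(AP_BSSID, STA_MAC)]
    for f in frames:
        print("%3d bytes  display: %-32s  capture: %s" % ((len(f),) + filters_for(f)))
    path = sys.argv[1] if len(sys.argv) > 1 else "/tmp/named_pipe"  # mkfifo it first
    write_capture(path, frames)
```

With the pipe configured in Wireshark as described above and the capture started, running the script with the pipe path as its argument delivers the two frames; the beacon then shows up under wlan.fc.type_subtype == 0x08 and the null frame under 0x24, the same values the printed display filters name. Writing to a regular file instead of a FIFO produces a pcap that File > Open reads the same way.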
Built-in Wireshark
Wireshark ships with extcap interfaces for remote capture; sshdump (listed as SSH remote capture in the wireshark -D output above) runs a capture program such as tcpdump on the remote host over SSH and feeds the result back into Wireshark, so the same setup works without a manual pipe.
Select SSH remote capture: sshdump, then open its options window (the gear icon next to the interface) to fill in the remote host, SSH credentials, remote interface and the capture command to run there. The remote user needs permission to capture, for example root or passwordless sudo, which is one of the options.




Advanced Preferences
Coloring Rules
To make analysis easier, Wireshark applies colored highlights to packets in the packet list (toggled via View > Colorize Packet List). The rules can be viewed and edited under View > Coloring Rules... They are evaluated top to bottom, disabled (unchecked) rules are skipped, and the first rule that matches decides the color, so more specific rules have to sit above the general ones.
Wireshark Columns
Columns can be moved, resized, removed, hidden, and added in the Wireshark Packet List. They can be managed in Edit > Preferences... then selecting Columns under Appearance. They can also be managed by right-clicking the column headers or by drag and drop, and any field in the packet details pane can be turned into a column by right-clicking it and choosing Apply as Column.
Capture snaplen
Setting a snaplen (snapshot length) limits how many bytes of each packet are captured. All of the tools mentioned accept one (-s). The default value is 262144 bytes, which is large enough for any frame; with a smaller value everything past the cut is lost, Wireshark flags such packets as size-limited during capture, and dissection of the higher layers stops where the data ends. For 802.11 captures, remember that the radiotap header adds to every frame before choosing a small value.
IEEE 802.11 Preferences
Various settings regarding 802.11 can be managed by going to Edit > Preferences then expanding Protocols and clicking on IEEE 802.11.
WEP and WPA1/2 Decryption
To decrypt WEP and/or WPA1/2 traffic, check Enable decryption and provide decryption keys by clicking Edit... to the right of Decryption keys. Adding a WEP key means selecting wep as the Key type and filling in the Key field with the WEP key in hexadecimal.

The wpa-pwd key type is for WPA passphrases, in the format PASSPHRASE:ESSID.

Omitting the ESSID results in Wireshark applying the passphrase to any network, combining it with the last ESSID seen in the packet list.
The last option, wpa-psk, takes the Pairwise Master Key (PMK) itself as 64 hexadecimal characters. This is useful for decrypting WPA1/2 Enterprise traffic (where the PMK comes from the EAP exchange rather than from a passphrase), when the PMK has already been derived from the PSK and the ESSID, or when the passphrase contains a colon character, since the colon is the separator in wpa-pwd. Whichever key type is used, WPA decryption also requires the 4-way handshake (the EAPOL frames) of each session to be present in the capture, because Wireshark derives the per-session temporal keys from the PMK together with the nonces and MAC addresses exchanged there; frames from sessions whose handshake was not captured stay encrypted.

wpa_passphrase, which is part of wpa_supplicant, can be used to generate the PMK. It computes PBKDF2-HMAC-SHA1 over the passphrase with the SSID as the salt, 4096 iterations, producing 256 bits. The command requires one parameter, the SSID; the second parameter, the passphrase, is optional and is prompted for when omitted (it must be 8 to 63 characters). Here the passphrase abcdefg: contains a colon, so the psk value in the output is what goes into Wireshark's wpa-psk field:
kali@kali:~$ wpa_passphrase test abcdefg:
network={
	ssid="test"
	#psk="abcdefg:"
	psk=a1c425c0f4e5ff3746920c90cc55d17f4773512b6c1ed415526a3bcea3351b5b
}
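To see what wpa_passphrase computes, and to pick the right Wireshark key type automatically, here is an added example written for these notes (not part of wpa_supplicant or Wireshark) that derives the PMK with Python's standard library and returns wpa-pwd for an ordinary passphrase but the derived wpa-psk value when the passphrase contains a colon. The passphrase "password" with SSID "IEEE" is the published IEEE 802.11 test vector; the function and variable names are this example's own.

```python
import hashlib

# Published IEEE 802.11 PSK test vector: (passphrase, SSID, expected PMK).
IEEE_VECTOR = ("password", "IEEE",
               "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")


def wpa_psk(passphrase, ssid):
    """PMK as wpa_passphrase derives it: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63 or not passphrase.isascii():
        raise ValueError("WPA passphrase must be 8 to 63 ASCII characters")
    ssid_bytes = ssid.encode()
    if not 0 < len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid_bytes, 4096, 32).hex()


def wireshark_key(passphrase, ssid):
    """Return (key type, key string) for Wireshark's IEEE 802.11 decryption-keys table.

    wpa-pwd uses the colon to separate passphrase and ESSID, so a passphrase that
    itself contains a colon has to be entered as the derived PMK under wpa-psk.
    """
    if ":" in passphrase:
        return "wpa-psk", wpa_psk(passphrase, ssid)
    return "wpa-pwd", "%s:%s" % (passphrase, ssid)


if __name__ == "__main__":
    # Check the derivation against the published vector before trusting it ...
    assert wpa_psk(IEEE_VECTOR[0], IEEE_VECTOR[1]) == IEEE_VECTOR[2]
    # ... then derive keys for the SSID/passphrase from the wpa_passphrase run above
    # (compare the printed PMK with that psk= line) and for a colon-free passphrase.
    for passphrase, ssid in (("abcdefg:", "test"), ("abcdefgh", "test")):
        kind, key = wireshark_key(passphrase, ssid)
        print("%-6s %-10s -> %s %s" % (ssid, passphrase, kind, key))
```

The 4096 rounds make this deliberately slow, which is also why cracking WPA captures costs so much more per guess than cracking an unsalted hash, and why the PMK, once derived, is the thing worth caching: the same passphrase yields a different PMK on every ESSID.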
WLAN Statistics
WLAN Statistics display an overview for all the wireless frames in the packet list. This can be viewed in Wireless > WLAN traffic.