search
githubEdit

Module 5: Wireshark Essentials

hashtag
Getting Started

Putting the wireless adapter into monitor mode:

kali@kali:~$ sudo ip link set wlan0 down
kali@kali:~$ sudo iwconfig wlan0 mode monitor
kali@kali:~$ sudo ip link set wlan0 up

hashtag
Welcome Screen

Wireshark startup screen
Interface types selector

hashtag
Packet Display

Capturing - Packet list

Rearrange the packet list layout via Edit > Preferences > Appearance > Layout.

hashtag
Wireless Toolbar

Wireless toolbar checkbox
Wireless toolbar
circle-info

Wireshark doesn't channel hop and will stay on whatever channel the wireless adapter is currently on.

Changing the channel via script while listening with Wireshark:

airodump-ng could also be used for channel hopping. Running sudo airodump-ng wlan0mon would have a similar result to the above script.

hashtag
Saving and Exporting Packets

We can save the whole contents of a packet capture via File > Save or File > Save As... When saving the packets, we are also able to use a filter to save specified packets via File > Export Specified Packets...

Export specified packets

hashtag
Wireshark Filters

hashtag
Wireshark Display Filters

These filters just affect what packets are visible in Wireshark's packet list. Wireshark will still capture packets not shown due to a Display Filter.

Packet list columns

The best way to understand the Display Filter syntax is to create one with the Display Filter Expression screen found at Analyze > Display Filter Expression...

Display Filter Expression builder
Display Filter Expression builder - Relation explanations
Display filter autocomplete
Invalid filter
Filter with possibly unexpected results

Display filters can be bookmarked for later/repeated use via the bookmark button on the left of the Display Filter tool bar. Shortcuts can be created by clicking the + on the very right of the Display Filter toolbar.

hashtag
Wireshark Capture Filters

Capture Filters (AKA Berkeley Packet Filters (BPF)) allow Wireshark to only collect a specific type of data. They decrease the amount of data received rather than the amount displayed like a Display Filter. Capture filters are documented in the pcap-filter man page.

hashtag
Wireshark at the Command Line

Getting help for wireshark at the command line:

Listing all available interfaces along with their index numbers:

Starting a capture, specifying our interface in monitor mode (this will automatically open the GUI with the packet capture running):

hashtag
Remote Packet Capture

Covering multiple tools, it's good to understand pros and cons. Dumpcap has lower overhead compared to tcpdump and tshark. This difference in CPU usage will likely not be noticeable until transferring more data or using low power devices as the capture devices.

hashtag
Remote Packet Capture Setup

TCPdump output on stdout:

dumpcap output on stdout:

tshark output on stdout:

hashtag
Pipes

Named pipes, also known as First in, First out (FIFO) IPC objects, are present on the filesystem and allow bi-directional communications.

Unnamed pipes, also known as unnamed IPC objects, make use of the pipe() function. One way we might use this function is when we chain commands in terminals by using the pipe (|) character.

One pipe example:

Capturing traffic and piping it to Wireshark:

Creating a named pipe using mkfifo:

Configuring the named pipe in Wireshark:

  1. Capture > Options...

  2. Manage Interfaces > Pipes tab > +

  3. Enter the pipe's path name, in our case /tmp/named_pipe

  4. Click OK

Initiating a packet capture, writing to our named pipe:

Capturing traffic with tcpdump on a remote host and piping it to Wireshark on our device:

hashtag
Built-in Wireshark

External virtual interfaces in dropdown box

Select SSH remote capture: sshdump then Capture to open the options window.

circle-info

Wireshark typically captures from interfaces on the local system. These "External Capture" interfaces are using ExtCap, which allows executables to be seen as capture interfaces. All of these are separate binaries: ciscodump, dpauxmon, randpkt, sdjournal, sshdump, and udpdump. They provide data in PCAP format and can be found in the /usr/lib/x86_64-linux-gnu/wireshark/extcap/ directory (on a 64bit Kali). Some of these tools have man pages but they all are executed with a few arguments. All of them are similarly configured in the Wireshark GUI.

SSHdump - Server tab
SSHdump - Authentication tab
circle-info

In this example, we are authenticating to the remote system as root. To use a standard user instead, you will need to run 'sudo dpkg-reconfigure wireshark-common / yes' to reconfigure the wireshark package and 'sudo usermod -a -G wireshark kali' to add the user (kali in this example) to the wireshark group

SSHdump - Capture tab
SSHdump - Debug tab
circle-info

When Save parameter(s) on capture start is checked, the next time SSHdump is used, it won't prompt for settings and will start automatically. If the settings are not properly set and an error results, Wireshark does not make resetting to the defaults easy. They can be reset via Edit > Preferences... > Advanced. In the resulting Search: textbox, we type "sshdump". Then double click every modified parameter (anything in bold) to set SSHDump back to the default values. Click on OK and SSHDump is back to its default configuration.

hashtag
Advanced Preferences

hashtag
Coloring Rules

To make analysis easier, apply colored highlights to packets in the packet list via View > Colorize Packet List. Rules can be viewed under View > Coloring rules. When a rule matches, the processing stops. It also skips disabled (unchecked) rules.

hashtag
Wireshark Columns

Columns can be moved, resized, removed, hidden, and added in the Wireshark Packet List. They can be managed in Edit > Preferences... then selecting Columns under Appearance. They can also by managed by right-clicking the columns/drag-drop.

hashtag
Capture snaplen

Setting a snaplen or snapshot length, allows us to limit how much data we capture. All mentioned tools can set the snaplen for a capture. The default snaplen value is 262144.

hashtag
IEEE 802.11 Preferences

Various settings regarding 802.11 can be managed by going to Edit > Preferences then expanding Protocols and clicking on IEEE 802.11.

hashtag
WEP and WPA1/2 Decryption

To decrypt WEP and/or WPA1/2, we have to check Enable decryption and provide decryption keys. This can be done by clicking on Edit... to the right of Decryption keys. Adding a WEP key requires selecting wep in the Key type then filling in the Key field with the WEP key in hexadecimal.

Adding a WEP key

The wpa-pwd is for WPA passphrases. The format is PASSPHRASE:ESSID.

Adding a WPA PSK key with SSID

Omitting the ESSID results in Wireshark applying this passphrase to any network, using it along with the last found ESSID in the packet list.

The last option, wpa-psk allows us to enter the hexadecimal Pairwise Master Key (PMK). Thi sis useful for decrypting WPA1/2 Enterprise paackets, when using PSK and the ESSID, or when the passphrase contains a colon character.

Adding a WPA PMK

wpa_passphrase is part of wpa_supplicant can be used to generate the PMK. The wpa_passphrase command requires one parameter, the SSID. The second parameter, a passphrase, is optional. If we don't provide a passphrase, it will prompt for user input.

hashtag
WLAN Statistics

WLAN Statistics display an overview for all the wireless frames in the packet list. This can be viewed in Wireless > WLAN traffic.

PreviousModule 4: Linux Wireless Tools, Drivers, and StacksNextModule 6: Frames and Network Interaction

Last updated