Wireshark tricks
The following tutorials are a good way to learn some useful basic tricks:
Clicking on Analyze --> Expert Information gives you an overview of what is happening in the analyzed packets: the errors, warnings, notes and chats the dissectors flagged, grouped by severity.
Under Statistics --> Resolved Addresses you can find the information Wireshark "resolved" for the capture, such as port/transport to protocol and MAC to manufacturer (OUI). This is useful to know which hosts and services are involved in the communication.
Under Statistics --> Protocol Hierarchy you can find the protocols involved in the communication and data about them.
Under Statistics --> Conversations you can find a summary of the conversations in the communication and data about them.
Under Statistics --> Endpoints you can find a summary of the endpoints in the communication and data about each of them.
Under Statistics --> DNS you can find statistics about the DNS requests captured.
Under Statistics --> I/O Graph you can find a graph of the communication.
Some useful display filters. In each one, !(udp.port eq 1900) drops SSDP discovery noise, and ssl.handshake.type == 1 selects the TLS Client Hello (the current field name is tls.handshake.type; the ssl prefix is kept as an alias for compatibility). tcp.flags eq 0x0002 matches only a bare SYN, so SYN-ACKs (0x0012) are not shown.
HTTP and initial HTTPS traffic:
(http.request or ssl.handshake.type == 1) and !(udp.port eq 1900)
HTTP and initial HTTPS traffic + TCP SYN:
(http.request or ssl.handshake.type == 1 or tcp.flags eq 0x0002) and !(udp.port eq 1900)
HTTP and initial HTTPS traffic + TCP SYN + DNS requests:
(http.request or ssl.handshake.type == 1 or tcp.flags eq 0x0002 or dns) and !(udp.port eq 1900)
If you want to search for content inside the packets of the sessions, press CTRL+F. You can add new columns to the packet list (No., Time, Source...) by right-clicking a column header and choosing Edit Column, or by right-clicking a field in the packet details and choosing Apply as Column.
You can add a column that shows the HTTP Host header (field http.host):
And a column that shows the server name (SNI) from an initiating HTTPS connection, i.e. the Client Hello matched by ssl.handshake.type == 1 (field tls.handshake.extensions_server_name, or ssl.handshake.extensions_server_name in old versions):
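What those filters and columns actually match on the wire, as an added example that is not Wireshark's or tshark's own code: the script below applies the same three conditions (HTTP request, TLS Client Hello with its SNI, bare SYN) to constructed TCP segments instead of a pcap. The segment list, the fixed Client Hello random and the hostnames are made up for the example.

```python
"""Added example (not Wireshark's or tshark's code): what the page's filters
match on the wire, applied to constructed TCP segments instead of a pcap.

- http.request            -> an HTTP request line (method + path + version)
- ssl.handshake.type == 1 -> a TLS ClientHello, the cleartext handshake
                             message that carries the target hostname (SNI)
- tcp.flags eq 0x0002     -> a bare SYN; a SYN-ACK is 0x0012 and does not match
"""
import struct

TLS_HANDSHAKE = 0x16          # TLS record content type: handshake
CLIENT_HELLO = 0x01           # handshake message type 1
EXT_SERVER_NAME = 0x0000      # server_name extension type
TCP_SYN = 0x002
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def build_client_hello(sni: str) -> bytes:
    """Construct a minimal TLS 1.2-style ClientHello record carrying `sni`
    (sample input only; in practice the bytes come from the capture)."""
    name = sni.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # host_name entry
    sni_body = struct.pack("!H", len(entry)) + entry               # server_name_list
    extensions = struct.pack("!HH", EXT_SERVER_NAME, len(sni_body)) + sni_body
    body = (b"\x03\x03"                                            # client_version TLS 1.2
            + b"\x11" * 32                                         # random (fixed, constructed)
            + b"\x00"                                              # session_id length 0
            + struct.pack("!H", 2) + b"\x13\x01"                   # one cipher suite
            + b"\x01\x00"                                          # one compression method: null
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def client_hello_sni(payload: bytes):
    """Return the SNI hostname ('' if absent) when `payload` is a TLS
    ClientHello, otherwise None. This is what the
    tls.handshake.extensions_server_name column shows."""
    try:
        if payload[0] != TLS_HANDSHAKE or payload[5] != CLIENT_HELLO:
            return None
        hs_len = int.from_bytes(payload[6:9], "big")
        hs = payload[9:9 + hs_len]
        if len(hs) < hs_len:
            return None                                  # truncated record
        pos = 2 + 32                                     # skip client_version + random
        pos += 1 + hs[pos]                               # session_id
        pos += 2 + struct.unpack_from("!H", hs, pos)[0]  # cipher_suites
        pos += 1 + hs[pos]                               # compression_methods
        if pos + 2 > len(hs):
            return ""                                    # no extensions block at all
        end = pos + 2 + struct.unpack_from("!H", hs, pos)[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", hs, pos)
            data, pos = hs[pos + 4:pos + 4 + elen], pos + 4 + elen
            if etype == EXT_SERVER_NAME and len(data) >= 5:
                name_len = struct.unpack_from("!H", data, 3)[0]  # after list_len(2)+name_type(1)
                return data[5:5 + name_len].decode("ascii", "replace")
        return ""
    except (IndexError, struct.error):
        return None                                      # malformed: not a parseable ClientHello


def http_request_host(payload: bytes):
    """Return the Host header ('' if absent) when `payload` is an HTTP
    request, otherwise None (responses do not match http.request)."""
    if not payload.startswith(HTTP_METHODS):
        return None
    head = payload.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        key, sep, value = line.partition(b":")
        if sep and key.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return ""


def classify(tcp_flags: int, payload: bytes):
    """Label one segment the way the combined filter would, or None if dropped."""
    if tcp_flags == TCP_SYN:
        return ("syn", None)
    host = http_request_host(payload)
    if host is not None:
        return ("http", host)
    sni = client_hello_sni(payload)
    if sni is not None:
        return ("tls-client-hello", sni)
    return None


# Constructed segments (tcp_flags, payload) standing in for a capture.
SAMPLE_SEGMENTS = [
    (0x002, b""),                                                    # SYN
    (0x012, b""),                                                    # SYN-ACK: filtered out
    (0x018, b"GET /login HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    (0x018, build_client_hello("mail.example")),
    (0x018, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),        # response: filtered out
    (0x018, b"\x16\x03\x03\x00\x04\x02\x00\x00\x00"),                # ServerHello (type 2): filtered out
]


def summarize(segments=SAMPLE_SEGMENTS):
    """Rows the filtered packet list would contain, with the two extra columns."""
    return [c for flags, payload in segments if (c := classify(flags, payload)) is not None]


if __name__ == "__main__":
    for row in summarize():
        print(row)
```

Running it lists only the SYN, the HTTP request with its Host, and the Client Hello with its SNI; the SYN-ACK, the HTTP response and the ServerHello fall through, exactly as they do under the page's filter.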
In current Wireshark versions the BOOTP/DHCP dissector is called dhcp instead of bootp, so you need to search for (and filter on) dhcp.
Edit --> Preferences --> Protocols --> SSL (called TLS in current versions):
Press Edit next to RSA keys list and add the data of the server and its private key (IP, Port, Protocol, Key file and password). In current versions the same dialog lives under Edit --> Preferences --> RSA Keys. Note that a server private key only decrypts sessions that used RSA key exchange; with (EC)DHE key exchange, and always with TLS 1.3, the private key is useless and you need the session secrets described next.
A file of session secrets (NSS key log format: one line per secret, LABEL <client random in hex> <secret in hex>, with CLIENT_RANDOM lines for TLS 1.2 and CLIENT_TRAFFIC_SECRET_0, SERVER_TRAFFIC_SECRET_0 and the handshake secrets for TLS 1.3) looks like this:
To import it in Wireshark go to Edit --> Preferences --> Protocols --> SSL (TLS) and set it as (Pre)-Master-Secret log filename (the tshark equivalent is -o tls.keylog_file:/path/to/keys.log):
Extract an APK from an ADB communication where the APK was sent:
Here you can find Wireshark filters depending on the protocol:
Other interesting filters:
Practice:
It turns out that Firefox and Chrome both support logging the symmetric session secrets used to encrypt TLS traffic to a file: set the SSLKEYLOGFILE environment variable to a path before launching the browser. Point Wireshark at that file (the (Pre)-Master-Secret log filename preference above) and presto, decrypted TLS traffic. More in:
To detect this, search the environment of the browser process (or the whole system) for the variable SSLKEYLOGFILE.
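As an added example (not Wireshark's, Firefox's or Chrome's code) covering both the key log file format imported above and the SSLKEYLOGFILE detection: the script below parses an NSS-format key log, reports lines Wireshark would ignore (a truncated write, garbage), groups the secrets by client random the way Wireshark matches them to a captured Client Hello, and scans a NUL-separated environment block of the shape found in /proc/<pid>/environ on Linux for the variable. The key log contents, the environment block and the paths are constructed for the example.

```python
"""Added example (not Wireshark's or any browser's code): parse and sanity-check
an NSS key log file, and spot SSLKEYLOGFILE in a process environment block.
All input below is constructed."""
import re

ENV_VAR = "SSLKEYLOGFILE"
CLIENT_RANDOM_HEX = 64            # 32-byte ClientHello random, hex encoded
# Accepted secret lengths (hex chars) per label. TLS 1.3 secrets are as long as
# the cipher suite's hash output: SHA-256 -> 32 bytes, SHA-384 -> 48 bytes.
LABELS = {
    "CLIENT_RANDOM": {96},        # TLS <= 1.2: 48-byte master secret
    "CLIENT_EARLY_TRAFFIC_SECRET": {64, 96},
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET": {64, 96},
    "SERVER_HANDSHAKE_TRAFFIC_SECRET": {64, 96},
    "CLIENT_TRAFFIC_SECRET_0": {64, 96},
    "SERVER_TRAFFIC_SECRET_0": {64, 96},
    "EXPORTER_SECRET": {64, 96},
}
HEX = re.compile(r"^[0-9a-fA-F]+$")


def parse_keylog(text):
    """Return (entries, problems). entries are (label, client_random, secret)
    for well-formed lines; problems are (line_no, reason) for lines Wireshark
    would skip, which usually means a truncated or corrupted log."""
    entries, problems = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):       # blank lines and comments are allowed
            continue
        parts = line.split()
        if len(parts) != 3:
            problems.append((no, "expected 3 fields"))
            continue
        label, client_random, secret = parts
        if label not in LABELS:
            problems.append((no, f"unknown label {label}"))
            continue
        if not HEX.match(client_random) or len(client_random) != CLIENT_RANDOM_HEX:
            problems.append((no, "client_random must be 64 hex chars"))
            continue
        if not HEX.match(secret) or len(secret) not in LABELS[label]:
            problems.append((no, f"secret length {len(secret)} not valid for {label}"))
            continue
        entries.append((label, client_random.lower(), secret.lower()))
    return entries, problems


def sessions(entries):
    """Group secrets by client_random, the value Wireshark uses to match a log
    line to a captured ClientHello. A TLS 1.3 session decrypts in both
    directions only when all four handshake/traffic secrets are present."""
    by_random = {}
    for label, client_random, secret in entries:
        by_random.setdefault(client_random, {})[label] = secret
    return by_random


def find_keylog_in_environ(environ_blob: bytes):
    """Scan a NUL-separated KEY=VALUE block (layout of /proc/<pid>/environ on
    Linux) and return the SSLKEYLOGFILE path if set, else None."""
    for item in environ_blob.split(b"\x00"):
        key, sep, value = item.partition(b"=")
        if sep and key == ENV_VAR.encode():
            return value.decode(errors="replace")
    return None


# Constructed sample log: one TLS 1.2 session, one TLS 1.3 session, then a
# truncated CLIENT_RANDOM line and a garbage line.
SAMPLE_KEYLOG = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    "CLIENT_RANDOM " + "aa" * 32 + " " + "bb" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "cc" * 32 + " " + "dd" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "cc" * 32 + " " + "ee" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "cc" * 32 + " " + "ff" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "cc" * 32 + " " + "11" * 32,
    "CLIENT_RANDOM " + "aa" * 32 + " " + "bb" * 20,
    "garbage line",
])
# Constructed environment block (hypothetical user and path).
SAMPLE_ENVIRON = (b"HOME=/home/alice\x00SSLKEYLOGFILE=/home/alice/.tls-keys.log\x00"
                  b"LANG=C.UTF-8\x00")


if __name__ == "__main__":
    entries, problems = parse_keylog(SAMPLE_KEYLOG)
    for client_random, secrets in sessions(entries).items():
        print(client_random[:16], sorted(secrets))
    for no, reason in problems:
        print(f"line {no}: {reason}")
    print("keylog path:", find_keylog_in_environ(SAMPLE_ENVIRON))
```

On a live host the same scan is run over every process's environ (or over the shell profile and service unit files that set the variable); a path that exists and is still being appended to is the strongest sign that TLS secrets are being exported.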