TryHackMe: Complete Beginner (Supplements)
author: Nathan Acks
date: 2021-11-22
Wireshark 101
Filtering Captures
Wireshark filters are generally pretty straight forward boolean operations (and / &&, ne / !=, etc.). These operate on objects that are generally written as protocol.property. For example: ip.src, ip.dst, and ip.addr (where ip.addr = ip.src ∪ ip.dst for a given IP address).
Protocol filters an also use a service name as shorthand. For example, tcp.port == 22 and ssh have the same filter meaning, as do udp.port == 53 and dns.
NOTE: Wireshark is very picky about everything being lower case, but will also helpfully offer to auto-complete your input and will indicate a correctly formed query by highlighting the search bar green.
Packet Dissection
Wireshark breaks down packets into 5 - 7 layers that kinda-sorta-not-exactly correspond to the OSI Model.
- Frame (OSI physical layer)
- Source (OSI data link layer)
- IP (OSI network layer)
- Protocol (OSI transport layer)
- Protocol errors and reassembly information (optional)
- Application (OSI session, presentation, and application layers)
- Application data (optional, breaks down the actual application data in some cases)
IMHO, this is actually a much clearer way to think about things though.
ARP Traffic
The ARP protocol links OSI layers 2 and 3 by mapping IP addresses to MAC addresses. ARP packet message headers contain two operation codes: REQUEST (1) and REPLY (2).
Basically, an ARP request will broadcast “to” a particular IP address but using the “broadcast” MAC address (00:00:00:00:00:00), and the computer with that IP address will then reply in a non-broadcast fashion (since this requires that both the MAC address and IP address be filled in, such a direct reply provides the desired information by way of its very existence).