TryHackMe: Complete Beginner (Supplements)

author: Nathan Acks
date: 2021-11-22

Wireshark 101

Filtering Captures

Wireshark filters are generally pretty straight forward boolean operations (and / &&, ne / !=, etc.). These operate on objects that are generally written as protocol.property. For example: ip.src, ip.dst, and ip.addr (where ip.addr = ip.src ∪ ip.dst for a given IP address).

Protocol filters an also use a service name as shorthand. For example, tcp.port == 22 and ssh have the same filter meaning, as do udp.port == 53 and dns.

NOTE: Wireshark is very picky about everything being lower case, but will also helpfully offer to auto-complete your input and will indicate a correctly formed query by highlighting the search bar green.

Packet Dissection

Wireshark breaks down packets into 5 - 7 layers that kinda-sorta-not-exactly correspond to the OSI Model.

IMHO, this is actually a much clearer way to think about things though.

ARP Traffic

The ARP protocol links OSI layers 2 and 3 by mapping IP addresses to MAC addresses. ARP packet message headers contain two operation codes: REQUEST (1) and REPLY (2).

Basically, an ARP request will broadcast “to” a particular IP address but using the “broadcast” MAC address (00:00:00:00:00:00), and the computer with that IP address will then reply in a non-broadcast fashion (since this requires that both the MAC address and IP address be filled in, such a direct reply provides the desired information by way of its very existence).