Chapter 7 Wireshark Part 1: Networking Crash Course

7.1 Introduction

Computers communicate over the network by exchanging packets. If we can intercept those packets we can learn a lot about a user and what their machine is doing on the network, and if we can spoof them we can interfere with that traffic.

In this lab you will be introduced to Wireshark. Wireshark is a networking tool that captures and dissects every packet, outgoing and incoming, that crosses a network interface on your machine.

7.2 Setting up

Step 1 Open Wireshark by clicking the shark-fin icon on the Kali Linux toolbar.

FIGURE 7.1: An annotated screen shot of the wireshark window

Step 2 Click the eth0 interface to select it as the interface to capture on.

Step 3 Press the shark-fin icon (in the top left) to start capturing packets on that interface.

Step 4 There are three main panes in the Wireshark window: the packet list, the packet details (the dissected protocol layers of the selected packet) and the packet bytes. The figure below shows an annotated screenshot of the three panes.

FIGURE 7.2: An annotated screen shot of the wireshark window

7.3 Analyzing Network Traffic

Step 5 Wireshark lets you capture the packets your own machine sends and receives. This makes it a useful tool for digital forensics: capturing the traffic of an infected machine shows what that machine is doing on the network right now.

Step 6 Open the firefox app and visit http://www.cs.virginia.edu.

Step 7 Click the red stop icon to stop the packet capture.

Step 8 A capture quickly accumulates far more packets than you can read, so Wireshark provides display filters. Click the filter box at the top of the screen and type the following filter: ip.dst==128.143.67.11 (where 128.143.67.11 is the IP address of the cs.virginia.edu web server; if the name resolves to a different address on your machine, use the address from the DNS answer in your capture). This keeps only packets sent to that address; ip.addr==128.143.67.11 would show both directions.

FIGURE 7.3: Filtering Packets on Wireshark

Step 9 Limit the view to a single conversation by right-clicking one of the packets and selecting Conversation Filter -> TCP. This keeps only the packets, in both directions, that share that packet's pair of addresses and ports.

FIGURE 7.4: TCP conversation filtering

Step 10 Wireshark also lets you reconstruct the application data carried by a packet stream: right-click a packet and select Follow -> TCP Stream. Wireshark reassembles the payload of each direction in sequence-number order, so you should see the HTTP request followed by the HTML of the page. This works because the page was fetched over plain HTTP; for an HTTPS site the same view would show only the TLS handshake and encrypted records.

FIGURE 7.5: Navigating to follow TCP stream on Wireshark

The Follow TCP Stream will look like the figure below:

FIGURE 7.6: A screenshot of Follow TCP stream on Wireshark
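The three operations in Steps 8 to 10 are worth seeing without the GUI. The following Python script is an added example written for this chapter, not code from the lab or from Wireshark. It builds a small capture in memory (the client address 10.0.0.5, the unrelated host 192.0.2.10 and the port numbers are hypothetical; 128.143.67.11 is the address used in Step 8), wraps it in the classic pcap format, and then re-implements the ip.dst== display filter, the TCP conversation filter and Follow TCP Stream, including the sequence-number reassembly that puts an out-of-order response back together and drops a retransmitted segment.

```python
"""Mini Wireshark: the ip.dst display filter, Conversation Filter -> TCP and
Follow -> TCP Stream, re-implemented over a classic pcap. Added example for this
chapter, not Wireshark's code; the capture is constructed in memory below."""
import socket
import struct

# 128.143.67.11 is from the lab; the client, 192.0.2.10 (an unrelated host) and the ports are hypothetical.
CLIENT, SERVER, OTHER, CPORT = "10.0.0.5", "128.143.67.11", "192.0.2.10", 40000
REQUEST = b"GET / HTTP/1.1\r\nHost: www.cs.virginia.edu\r\n\r\n"
RESPONSE_HEAD = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
RESPONSE_BODY = b"<html><body>constructed sample page</body></html>"
ACK, SYN, PSH = 0x10, 0x02, 0x08

def build_frame(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Ethernet II / IPv4 / TCP frame; checksums left zero (a dissector ignores them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return bytes.fromhex("001122334455" "66778899aabb" "0800") + ip + tcp

def build_pcap(frames):
    """Classic libpcap container: 24-byte global header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Return the raw frames of a little-endian classic pcap."""
    if struct.unpack_from("<I", data)[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled here")
    frames, off = [], 24
    while off + 16 <= len(data):
        caplen = struct.unpack_from("<IIII", data, off)[2]
        frames.append(data[off + 16:off + 16 + caplen])
        off += 16 + caplen
    return frames

def parse_frame(frame):
    """Dissect Ethernet/IPv4/TCP into the fields the filters need; None otherwise."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 6:      # not IPv4 / not TCP
        return None
    t = 14 + (frame[14] & 0x0F) * 4                         # start of the TCP header
    total_len = struct.unpack_from("!H", frame, 16)[0]
    sport, dport, seq, ack, off_byte, flags = struct.unpack_from("!HHIIBB", frame, t)
    return {"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "payload": frame[t + (off_byte >> 4) * 4:14 + total_len]}

def filter_ip_dst(packets, dst):
    """Display filter ip.dst==<dst>: one direction only (ip.addr== would give both)."""
    return [p for p in packets if p["dst"] == dst]

def filter_conversation(packets, selected):
    """Conversation Filter -> TCP: both directions of the selected packet's endpoints."""
    ends = lambda p: frozenset({(p["src"], p["sport"]), (p["dst"], p["dport"])})
    return [p for p in packets if ends(p) == ends(selected)]

def follow_tcp_stream(conversation):
    """Follow -> TCP Stream: per direction, reassemble payload in sequence-number
    order, dropping bytes already placed (retransmissions and overlaps)."""
    segs = {}
    for p in conversation:
        segs.setdefault((p["src"], p["sport"], p["dst"], p["dport"]), []).append((p["seq"], p["payload"]))
    streams = {}
    for direction, seglist in segs.items():
        buf, next_seq = b"", None
        for seq, payload in sorted(s for s in seglist if s[1]):
            if next_seq is not None and seq < next_seq:     # overlaps reassembled data
                payload, seq = payload[next_seq - seq:], next_seq
            buf, next_seq = buf + payload, seq + len(payload)
        streams[direction] = buf
    return streams

# Constructed capture: handshake, GET, a response delivered out of order plus a
# retransmitted segment, and one packet of an unrelated flow the filters must drop.
REQ_END, HEAD_END = 1001 + len(REQUEST), 5001 + len(RESPONSE_HEAD)
CAPTURE = build_pcap([
    build_frame(CLIENT, SERVER, CPORT, 80, 1000, 0, SYN),
    build_frame(SERVER, CLIENT, 80, CPORT, 5000, 1001, SYN | ACK),
    build_frame(CLIENT, SERVER, CPORT, 80, 1001, 5001, ACK),
    build_frame(CLIENT, SERVER, CPORT, 80, 1001, 5001, PSH | ACK, REQUEST),
    build_frame(CLIENT, OTHER, 40001, 443, 7000, 9000, PSH | ACK, b"\x16\x03\x01\x00\x05hello"),
    build_frame(SERVER, CLIENT, 80, CPORT, HEAD_END, REQ_END, PSH | ACK, RESPONSE_BODY),  # arrives first
    build_frame(SERVER, CLIENT, 80, CPORT, 5001, REQ_END, PSH | ACK, RESPONSE_HEAD),
    build_frame(SERVER, CLIENT, 80, CPORT, 5001, REQ_END, PSH | ACK, RESPONSE_HEAD),      # retransmission
    build_frame(CLIENT, SERVER, CPORT, 80, REQ_END, HEAD_END + len(RESPONSE_BODY), ACK),
])

def analyze(pcap=CAPTURE):
    """Steps 8-10 on the capture: all packets, ip.dst filter, conversation, streams."""
    packets = [p for p in map(parse_frame, read_pcap(pcap)) if p]
    to_server = filter_ip_dst(packets, SERVER)
    conversation = filter_conversation(packets, to_server[0])
    return packets, to_server, conversation, follow_tcp_stream(conversation)

if __name__ == "__main__":
    packets, to_server, conversation, streams = analyze()
    print(len(packets), "packets,", len(to_server), "to the server,", len(conversation), "in the conversation")
    for direction, data in streams.items():
        print("%s:%d -> %s:%d\n%s" % (direction + (data.decode(),)))
```

Run it directly to print the packet counts and both reassembled directions of the HTTP exchange. To try it on a real capture, save the capture from Wireshark in the classic pcap format (not pcapng, which this minimal reader does not handle) and pass the file's bytes to analyze(); the reader expects the little-endian byte order that Wireshark writes on an x86 machine.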