Chapter 7 Wireshark Part 1: Networking Crash Course
Computers communicate over the network using packets. This means that if we can intercept or spoof these packets, we can learn a lot about the user and their network traffic.
In this lab you will be introduced to Wireshark. Wireshark is a networking tool that allows you to capture all of the outgoing and incoming packets from your machine.
7.2 Setting up
Step 1 Open Wireshark by clicking the shark-fin icon on the Kali Linux toolbar.
Step 2 Click the eth0 interface to start the capture.
Step 3 Press the shark-fin icon (in the top left) to start the process of capturing packets.
Step 4 There are three main panes in Wireshark. The figure below shows an annotated screenshot of the three Wireshark panes.
7.3 Analyzing Network Traffic
Step 5 Wireshark lets you capture packets from your own machine. This makes it a great tool for digital forensics: you can capture traffic from an infected machine and analyze what is currently happening on it.
Step 6 Open the Firefox app and visit http://www.cs.virginia.edu.
Step 7 Click the red stop icon to stop the packet capture.
Step 8 Since there are so many packets in a Wireshark capture, the developers built a useful feature that lets you filter packets. Click on the filter box at the top of the screen and type the following display filter: ip.dst==220.127.116.11 (where 18.104.22.168 is the IP address of the cs.virginia.edu web server).
Step 9 Limit the capture to a single conversation by right-clicking one of the packets and selecting Conversation Filter -> TCP.
Step 10 Wireshark also lets you reconstruct the stream data from the captured segments: right-click a packet and select Follow -> TCP Stream. You should see the HTML corresponding to the page.
The Follow TCP Stream will look like the figure below:
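To make Steps 8 through 10 concrete, here is an added example (not part of the lab or of Wireshark itself) that does in Python what the GUI does for you: dissect raw Ethernet/IPv4/TCP frames into the fields the filter box uses, apply an `ip.dst ==` display filter, and reassemble one direction of a TCP conversation the way Follow -> TCP Stream does, including out-of-order and retransmitted segments. The capture, the addresses (10.0.0.5, 192.0.2.10, 198.51.100.7) and the port numbers are constructed for the example.

```python
import struct
from ipaddress import ip_address

CLIENT, SERVER = "10.0.0.5", "192.0.2.10"  # constructed addresses, not the lab's
def build_frame(src, dst, sport, dport, seq, payload):
    """Minimal Ethernet/IPv4/TCP frame for the constructed capture (checksums left 0)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)                    # MACs + EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0,
                     ip_address(src).packed, ip_address(dst).packed)
    return eth + ip + tcp + payload

def dissect(frame):
    """Decode the fields Wireshark shows in the packet-details pane (IPv4/TCP only)."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800 or frame[23] != 6:
        return None
    ip = frame[14:]
    tcp = ip[(ip[0] & 0x0F) * 4:struct.unpack("!H", ip[2:4])[0]]     # IHL .. total length
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    return {"ip.src": str(ip_address(ip[12:16])), "ip.dst": str(ip_address(ip[16:20])),
            "tcp.srcport": sport, "tcp.dstport": dport, "tcp.seq": seq,
            "payload": tcp[(tcp[12] >> 4) * 4:]}                      # skip TCP header
def display_filter(packets, field, value):
    """Same effect as typing `field == value` into the filter box (Step 8)."""
    return [p for p in packets if str(p[field]) == str(value)]
def follow_tcp_stream(packets, src, dst, sport, dport):
    """One direction of Follow -> TCP Stream (Steps 9-10): order by seq, drop repeats."""
    conv = [p for p in packets if p["payload"] and
            (p["ip.src"], p["ip.dst"], p["tcp.srcport"], p["tcp.dstport"]) == (src, dst, sport, dport)]
    data, next_seq = b"", None
    for p in sorted(conv, key=lambda p: p["tcp.seq"]):
        next_seq = p["tcp.seq"] if next_seq is None else next_seq
        data += p["payload"][max(0, next_seq - p["tcp.seq"]):]     # skip bytes already seen
        next_seq = max(next_seq, p["tcp.seq"] + len(p["payload"]))
    return data
# Constructed capture: one HTTP request split over two segments that arrive out of
# order, one retransmission, and an unrelated TLS segment to a different host.
SAMPLE = [
    build_frame(CLIENT, SERVER, 40000, 80, 1016, b"Host: www.cs.virginia.edu\r\n\r\n"),
    build_frame(CLIENT, SERVER, 40000, 80, 1000, b"GET / HTTP/1.1\r\n"),
    build_frame(CLIENT, SERVER, 40000, 80, 1000, b"GET / HTTP/1.1\r\n"),  # retransmission
    build_frame(CLIENT, "198.51.100.7", 40001, 443, 5, b"\x16\x03\x01"),
]
def lab_steps(frames):
    """Filter on ip.dst == SERVER, then follow the client->server stream."""
    packets = [p for p in map(dissect, frames) if p]
    to_server = display_filter(packets, "ip.dst", SERVER)
    return len(to_server), follow_tcp_stream(to_server, CLIENT, SERVER, 40000, 80)
```

Running `lab_steps(SAMPLE)` keeps the three segments addressed to SERVER and yields the request in order, with the duplicate segment's bytes dropped, which is exactly what the Follow TCP Stream window displays for the client side of the conversation.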