# Wireshark tricks ## Wireshark tricks
☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥 * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.** * **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
## Improve your Wireshark skills ### Tutorials The following tutorials are amazing to learn some cool basic tricks: * [https://unit42.paloaltonetworks.com/unit42-customizing-wireshark-changing-column-display/](https://unit42.paloaltonetworks.com/unit42-customizing-wireshark-changing-column-display/) * [https://unit42.paloaltonetworks.com/using-wireshark-display-filter-expressions/](https://unit42.paloaltonetworks.com/using-wireshark-display-filter-expressions/) * [https://unit42.paloaltonetworks.com/using-wireshark-identifying-hosts-and-users/](https://unit42.paloaltonetworks.com/using-wireshark-identifying-hosts-and-users/) * [https://unit42.paloaltonetworks.com/using-wireshark-exporting-objects-from-a-pcap/](https://unit42.paloaltonetworks.com/using-wireshark-exporting-objects-from-a-pcap/) ### Analysed Information **Expert Information** Clicking on _**Analyze** --> **Expert Information**_ you will have an **overview** of what is happening in the packets **analyzed**: ![](<../../../.gitbook/assets/image (570).png>) **Resolved Addresses** Under _**Statistics --> Resolved Addresses**_ you can find several **information** that was "**resolved**" by wireshark like port/transport to protocol, MAC to the manufacturer, etc. It is interesting to know what is implicated in the communication. ![](<../../../.gitbook/assets/image (571).png>) **Protocol Hierarchy** Under _**Statistics --> Protocol Hierarchy**_ you can find the **protocols** **involved** in the communication and data about them. ![](<../../../.gitbook/assets/image (572).png>) **Conversations** Under _**Statistics --> Conversations**_ you can find a **summary of the conversations** in the communication and data about them. ![](<../../../.gitbook/assets/image (573).png>) **Endpoints** Under _**Statistics --> Endpoints**_ you can find a **summary of the endpoints** in the communication and data about each of them. ![](<../../../.gitbook/assets/image (575).png>) **DNS info** Under _**Statistics --> DNS**_ you can find statistics about the DNS request captured. ![](<../../../.gitbook/assets/image (577).png>) **I/O Graph** Under _**Statistics --> I/O Graph**_ you can find a **graph of the communication.** ![](<../../../.gitbook/assets/image (574).png>) ### Filters Here you can find wireshark filter depending on the protocol: [https://www.wireshark.org/docs/dfref/](https://www.wireshark.org/docs/dfref/)\ Other interesting filters: * `(http.request or ssl.handshake.type == 1) and !(udp.port eq 1900)` * HTTP and initial HTTPS traffic * `(http.request or ssl.handshake.type == 1 or tcp.flags eq 0x0002) and !(udp.port eq 1900)` * HTTP and initial HTTPS traffic + TCP SYN * `(http.request or ssl.handshake.type == 1 or tcp.flags eq 0x0002 or dns) and !(udp.port eq 1900)` * HTTP and initial HTTPS traffic + TCP SYN + DNS requests ### Search If you want to **search** for **content** inside the **packets** of the sessions press _CTRL+f_. You can add new layers to the main information bar (No., Time, Source, etc.) by pressing the right button and then the edit column. Practice: [https://www.malware-traffic-analysis.net/](https://www.malware-traffic-analysis.net) ## Identifying Domains You can add a column that shows the Host HTTP header: ![](<../../../.gitbook/assets/image (403).png>) And a column that add the Server name from an initiating HTTPS connection (**ssl.handshake.type == 1**): ![](<../../../.gitbook/assets/image (408) (1).png>) ## Identifying local hostnames ### From DHCP In current Wireshark instead of `bootp` you need to search for `DHCP` ![](<../../../.gitbook/assets/image (404).png>) ### From NBNS ![](<../../../.gitbook/assets/image (405).png>) ## Decrypting TLS ### Decrypting https traffic with server private key _edit>preference>protocol>ssl>_ ![](<../../../.gitbook/assets/image (98).png>) Press _Edit_ and add all the data of the server and the private key (_IP, Port, Protocol, Key file and password_) ### Decrypting https traffic with symmetric session keys It turns out that Firefox and Chrome both support logging the symmetric session key used to encrypt TLS traffic to a file. You can then point Wireshark at said file and presto! decrypted TLS traffic. More in: [https://redflagsecurity.net/2019/03/10/decrypting-tls-wireshark/](https://redflagsecurity.net/2019/03/10/decrypting-tls-wireshark/)\ To detect this search inside the environment for to variable `SSLKEYLOGFILE` A file of shared keys will look like this: ![](<../../../.gitbook/assets/image (99).png>) To import this in wireshark go to \_edit > preference > protocol > ssl > and import it in (Pre)-Master-Secret log filename: ![](<../../../.gitbook/assets/image (100).png>) ## ADB communication Extract an APK from an ADB communication where the APK was sent: ```python from scapy.all import * pcap = rdpcap("final2.pcapng") def rm_data(data): splitted = data.split(b"DATA") if len(splitted) == 1: return data else: return splitted[0]+splitted[1][4:] all_bytes = b"" for pkt in pcap: if Raw in pkt: a = pkt[Raw] if b"WRTE" == bytes(a)[:4]: all_bytes += rm_data(bytes(a)[24:]) else: all_bytes += rm_data(bytes(a)) print(all_bytes) f = open('all_bytes.data', 'w+b') f.write(all_bytes) f.close() ```
☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥 * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.** * **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).