### Add Column:
Right-click a field in the packet details pane (e.g. host, src port, dst port) and choose "Apply as Column"
### How to generate ACL, iptables, Windows Firewall and IPFirewall commands:
Select any packet -> Tools -> "Firewall ACL Rules"
### Start capturing when Wireshark opens:
Add -i # -k to the end of the shortcut target, replacing # with
the number of the interface you want to use. The -i option
specifies the interface, while the -k option tells Wireshark
to start capturing immediately.
"C:\Program Files\Wireshark\wireshark.exe" -i 2 -k
### Configure remote capturing:
services.msc ->
Remote Packet Capture Protocol v.0 (start the service)
Click the Capture Options link in Wireshark, then select "Remote"
Enter the address of the remote system and 2002 as the port. The service hands captured traffic to whoever connects, so restrict access to port 2002 to the analyst host.
### How to change MAC address name resolution (c4:7d:4f:11:11:11 to cisco_11:11:11)
C:\Program Files\Wireshark\manuf (edit this file)
### How to change the port name (22 to ssh)
C:\Program Files\Wireshark\services (edit this file)
### Capture in the terminal (as administrator):
C:\Program Files\Wireshark>tshark.exe -i 2 (real-time display, without saving a capture)
C:\Program Files\Wireshark>tshark.exe -i 2 -w c:\capture-01
Capturing on Microsoft
431
Note: -i [interface number], -w [path of the file the capture is saved to]
### Download Files From Capture:
File -> Export Objects -> HTTP
### Download FTP data:
Find the ftp-data conversation that follows the 3-way handshake -> open its first packet and click "Save as" (pic1.jpg)
### Start graphs monitor:
Click "Statistics" -> IO Graphs
### Configure filters (display filters):
# Hide protocol(s)
!(ipv6)
!(dns) && !(dhcp)
# Select a network
net 192.168.1.0/24 (capture-filter syntax: goes in Capture Options, not in the display filter bar)
ip.addr == 172.16.0.0/16
vlan.id==10
# Simple regular expressions:
"[aA][bB][cC]" or "(?i)abc" - matches Abc, ABC, AbC ((?i) = case-insensitive)
"(?i)(abc|xyz)" - matches ABc, AbC or xyz, XyZ, XYz (| = or)
"(?i)(a.c|x..)" - matches AxC, AGc or Xhu, xgr, xJi (. = any single character)
"(?i)go{2}e" - {2} = exactly two repetitions of the preceding character
Example:
frame matches "pass"
frame matches "(?i)pass"
frame matches "(?i)(pass|success)"
frame matches "(?i)(pa.s|su..ess)"
frame matches "(?i)(go{2}e)"
| Comparison | Text operator | Symbol | Example |
|---|---|---|---|
| Equal to | eq | == | ip.dst == a.b.c.d |
| Not equal to | ne | != | udp.dstport != 53 |
| Less than | lt | < | ip.ttl < 45 |
| Greater than or equal | ge | >= | tcp.analysis.bytes_in_flight >= 1000 |
| Contains | contains | contains | dns.resp.name contains "google" |
| AND | | && | (udp) && (dhcp) |
| OR | | \|\| | (dns) \|\| (http.response.code == 404) |
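The regex examples and the operator table above cover all the display-filter syntax this page uses. The following is an added example (my own teaching code, not Wireshark's dfilter engine and not part of the original notes) of a small evaluator for exactly those operators: ==, !=, <, >=, contains, matches with (?i), &&, ||, !, parentheses, bare protocol names such as `(udp)`, and the `ip.addr` source-or-destination shorthand. It runs the page's filters over three constructed packet records and shows which frames each one selects, why `frame matches "pass"` and `frame matches "(?i)pass"` differ, and that capture-filter syntax such as `net 192.168.1.0/24` is not a valid display filter. The `PACKETS` records, their field values and the `apply_filter` name are constructed for this example; treating `matches` as case-sensitive unless the pattern says (?i) follows the convention the page uses rather than a claim about any particular Wireshark version.

```python
import re
import ipaddress

# Constructed sample "packets" (not a real capture); keys mimic Wireshark's field names.
PACKETS = [
    {"frame.number": 1, "ip.src": "192.168.1.10", "ip.dst": "172.16.0.53", "ip.ttl": 64, "udp.srcport": 51000,
     "udp.dstport": 53, "dns.resp.name": "www.google.com", "frame": "DNS query www.google.com"},
    {"frame.number": 2, "ip.src": "172.16.5.20", "ip.dst": "10.0.0.5", "ip.ttl": 30, "tcp.srcport": 44000,
     "tcp.dstport": 80, "tcp.analysis.bytes_in_flight": 1460, "http.response.code": 404, "frame": "HTTP/1.1 404 Not Found"},
    {"frame.number": 3, "ip.src": "192.168.1.10", "ip.dst": "192.168.1.1", "ip.ttl": 128, "udp.srcport": 68,
     "udp.dstport": 67, "dhcp.type": 1, "frame": "DHCP Discover"},
]

# A token is a symbolic operator, a double-quoted string, a bare word (field, number, IP, subnet) or junk.
TOKEN_RE = re.compile(r'\s*(?:(\(|\)|&&|\|\||!=|==|<=|>=|<|>|!)|"((?:[^"\\]|\\.)*)"|([^\s()=!<>|&"]+)|(\S))')
WORD_OPS = {"eq": "==", "ne": "!=", "lt": "<", "gt": ">", "le": "<=", "ge": ">=", "and": "&&", "or": "||",
            "not": "!", "contains": "contains", "matches": "matches"}

def tokenize(text):
    tokens = []
    for sym, quoted, word, bad in TOKEN_RE.findall(text):
        if bad:
            raise ValueError(f"unexpected character {bad!r}")
        if sym:
            tokens.append(("op", sym))
        elif word:                  # word operators (eq, ne, contains, ...) become symbolic ones
            tokens.append(("op", WORD_OPS[word]) if word in WORD_OPS else ("word", word))
        else:
            tokens.append(("str", quoted))
    return tokens

def parse(text):
    """Recursive descent; || binds loosest, then &&, then ! (handled in factor). Returns a tuple tree."""
    toks = tokenize(text) + [("end", None)]
    def chain(symbol, name, operand):   # left-associative chain of one boolean operator
        node = operand()
        while toks[0] == ("op", symbol):
            toks.pop(0)
            node = (name, node, operand())
        return node
    def factor():
        kind, val = toks.pop(0)
        if (kind, val) == ("op", "!"):
            return ("not", factor())
        if (kind, val) == ("op", "("):
            node = expr()
            if toks.pop(0) != ("op", ")"):
                raise ValueError("expected ')'")
            return node
        if kind != "word":
            raise ValueError(f"expected a field name, got {val!r}")
        if toks[0][0] == "op" and toks[0][1] not in ("(", ")", "&&", "||", "!"):   # a comparison operator
            op, (vkind, value) = toks.pop(0)[1], toks.pop(0)
            if vkind in ("word", "str"):
                return ("cmp", val, op, value, vkind == "str")
            raise ValueError(f"expected a value after {op!r}")
        return ("present", val)         # a bare protocol or field name tests for its presence
    def expr():
        return chain("||", "or", lambda: chain("&&", "and", factor))
    tree = expr()
    if toks[0][0] != "end":             # e.g. capture-filter syntax such as "net 192.168.1.0/24"
        raise ValueError(f"unexpected token {toks[0][1]!r}")
    return tree

def compare(left, op, raw, quoted):
    """Compare one field occurrence with the right-hand literal; a type mismatch simply does not match."""
    try:
        if op == "contains":
            return raw in str(left)
        if op == "matches":             # case-sensitive unless the pattern itself says (?i), as on the page
            return re.search(raw, str(left)) is not None
        if not quoted and "/" in raw:   # a.b.c.d/n on the right means "inside this subnet"
            return op == "==" and ipaddress.ip_address(left) in ipaddress.ip_network(raw, strict=False)
        if not quoted and isinstance(left, int):
            right = int(raw, 0)
        else:
            left, right = str(left), raw
        return {"==": left == right, "!=": left != right, "<": left < right,
                ">": left > right, "<=": left <= right, ">=": left >= right}[op]
    except ValueError:                  # e.g. "ip.ttl == abc", or a subnet test against a non-IP field
        return False

def evaluate(node, packet):
    kind = node[0]
    if kind == "or":
        return evaluate(node[1], packet) or evaluate(node[2], packet)
    if kind == "and":
        return evaluate(node[1], packet) and evaluate(node[2], packet)
    if kind == "not":
        return not evaluate(node[1], packet)
    if kind == "present":               # "udp" is present when any udp.* field exists
        return any(k == node[1] or k.startswith(node[1] + ".") for k in packet)
    _, field, op, raw, quoted = node
    keys = ("ip.src", "ip.dst") if field == "ip.addr" else (field,)   # ip.addr = source or destination
    return any(compare(packet[k], op, raw, quoted) for k in keys if k in packet)  # absent field: no match

def apply_filter(text, packets=PACKETS):
    """Frame numbers of the packets that satisfy the display filter."""
    tree = parse(text)
    return [p["frame.number"] for p in packets if evaluate(tree, p)]
```

`apply_filter('!(dns) && !(dhcp)')` returns `[2]`, `apply_filter('ip.addr == 172.16.0.0/16')` returns `[1, 2]` (frame 1 via its destination, frame 2 via its source), and `apply_filter('frame matches "http"')` returns nothing while the `(?i)` form selects frame 2. A comparison against a field the packet does not carry is simply false, which is why `udp.dstport != 53` selects only the DHCP frame and not the TCP one.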