π Security Tool Cheatsheet
Alex Morgan — Senior Penetration Tester
What is Wireshark?
Wireshark is an open-source packet analysis tool that enables security analysts, network administrators, and penetration testers to capture and interactively browse the traffic on a computer network. It supports hundreds of protocols and media types, providing essential visibility into what is occurring on a network.
Installation
Wireshark can be installed on various operating systems. Here’s a quick guide:
- For Windows: Download the installer from https://www.wireshark.org/download.html and follow the prompts.
- For macOS: Use Homebrew with
brew install wireshark. - For Linux: Use your package manager, e.g.,
sudo apt install wireshark.
After installation, ensure that you are in a group that has permission to capture packets (like the ‘wireshark’ group on Linux).
Basic Syntax
To start capturing packets, you can simply run:
wireshark
This opens the GUI, but you can also use the command line:
tshark -i-w .pcap
Discovery
For discovering live hosts and services on the network:
tshark -i [interface] -O eth -w capture.pcap
Replace [interface] with the network interface you plan to analyze.
Scanning
To scan for specific protocols and filter traffic:
tshark -i [interface] -Y 'http' -w http_traffic.pcap
Exploitation
While Wireshark itself isnβt typically used for exploitation, it can help identify vulnerabilities such as:
tshark -Y 'ssl.handshake.type == 1' -w ssl_handshake.pcap
Analysis
For packet analysis:
wireshark -r capture.pcap
This opens the captured packets in the GUI for detailed analysis.
Evasion
Use filters to isolate malicious activity:
display filter: http.request.uri contains 'vuln'
Reporting
Exporting packet captures or summaries for reporting:
tshark -r capture.pcap -q -z io,stat,10
Quick Reference Table
| Flag | Description |
|---|---|
| -i | Specify the interface to capture from. |
| -Y | Apply a display filter. |
| -w | Write the packet details to a file. |
| -r | Read packets from a file. |
| -O | Show detailed protocol information. |
Pro Tips
- Use coloring rules in the GUI for quick visual cues (Analyze > Display Filters > Colors).
- Apply robust filter expressions like
ip.addr == 192.168.1.1to focus on specific traffic. - Save frequently-used filter expressions for easy access.
Real-World Examples
1. To capture traffic on a network and save it for later analysis: tshark -i eth0 -w my_capture.pcap
2. Analyze just HTTP traffic: tshark -i eth0 -Y 'http'
3. To analyze for security incidents: tshark -Y 'ip proto \tcp && tcp.port==22 || crypto && ssl'