- Learn Penetration Testing
- Rishalin Pillay
- 2021-06-24 14:09:19
Wireshark
Wireshark has been the prime choice for packet capturing for many users worldwide. It is a cross-platform tool that allows you to perform packet capturing and analysis.
Some of the main features of Wireshark are as follows:
- Live packet capture with analysis (offline analysis or on the fly)
- Deep packet inspection
- Decryption support for protocols such as SSL/TLS, IPsec, SNMPv3, Kerberos, WPA/WPA2, and more, provided you supply the key material: for TLS that means the server's RSA private key (only for RSA key exchange, not DHE/ECDHE) or a pre-master secret log file, and for WPA/WPA2 the passphrase plus a captured four-way handshake
Within Wireshark, you have the ability to apply a capture filter and a display filter. Understanding the differences between these two filters and how to apply them will help you capture the relevant packets and filter out the noise.
Capture filters reduce the size of the raw packet capture: they are written in BPF (libpcap) syntax, the same syntax tcpdump uses, are applied before the capture starts, and cannot be changed during the capture. Packets excluded by a capture filter are never written to disk, so be careful not to filter out something you may need later. Display filters, on the other hand, use Wireshark's own field-based syntax (ip.src, tcp.port, and so on), are non-destructive, and can be applied or changed at any time to show only certain packets from what was captured. The two syntaxes are not interchangeable.
Capture filters can be very simple. Let's go over a few examples:
- Capturing traffic for a specific host is as follows:
host 192.168.90.1
- Capturing traffic for a specific subnet is as follows:
net 192.168.90.0/24
- Some capture filters can be complex, such as the following one from the Wireshark wiki for spotting Heartbleed. It matches segments from server port 443 whose TCP payload starts with a TLS heartbeat record (content type 0x18, version 3.0 to 3.3) and whose payload is longer than 69 bytes, which is far larger than a benign heartbeat. The arithmetic on ip[0] and tcp[12] computes the IP and TCP header lengths so that the TLS record can be located and the payload length derived from the IP total length:
tcp src port 443 and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4] = 0x18) and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4 + 1] = 0x03) and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4 + 2] < 0x04) and ((ip[2:2] - 4 * (ip[0] & 0x0F) - 4 * ((tcp[12] & 0xF0) >> 4) > 69))
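To make the byte arithmetic in that last filter concrete, here is an added Python example (it is not from the book) that evaluates the same predicate over constructed IPv4/TCP packets. It derives the IP and TCP header lengths from ip[0] and tcp[12] exactly as the filter does, then checks the first TLS record in the segment. The addresses, ports and packet contents are constructed for illustration; the example also shows two cases the filter does not catch, the same oversized heartbeat on a port other than 443 and a large record that is not a heartbeat.

```python
import struct

# Constructed sample traffic (not captured from any real host): a server at
# 192.168.90.1 answering a client at 192.168.90.50. Checksums are left at zero;
# the filter never looks at them.
SERVER_IP = bytes([192, 168, 90, 1])
CLIENT_IP = bytes([192, 168, 90, 50])


def build_ipv4_tcp(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Minimal IPv4 + TCP packet (20-byte headers, no options) carrying payload."""
    tcp_hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, 1000, 2000,
                          5 << 4,        # data offset 5 words = 20 bytes (this byte is tcp[12])
                          0x18,          # flags PSH|ACK
                          65535, 0, 0)   # window, checksum, urgent pointer
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45,           # version 4, IHL 5 words (this byte is ip[0])
                         0, total_len,   # TOS, total length (these bytes are ip[2:2])
                         0, 0, 64, 6, 0, SERVER_IP, CLIENT_IP)
    return ip_hdr + tcp_hdr + payload


def tls_record(content_type: int, body: bytes) -> bytes:
    """TLS record: content type, version 3.1 (TLS 1.0), 16-bit body length, body."""
    return bytes([content_type, 0x03, 0x01]) + struct.pack("!H", len(body)) + body


def heartbeat_response(payload: bytes) -> bytes:
    """RFC 6520 HeartbeatMessage: type 2 (response), payload_length, payload, 16 bytes padding."""
    return bytes([0x02]) + struct.pack("!H", len(payload)) + payload + b"\x00" * 16


def tcp_payload(pkt: bytes):
    """Return (tcp source port, tcp payload) using the same offsets as the BPF expression."""
    ihl = (pkt[0] & 0x0F) * 4                         # 4 * (ip[0] & 0x0F)
    total_len = struct.unpack_from("!H", pkt, 2)[0]   # ip[2:2]
    tcp = pkt[ihl:]
    src_port = struct.unpack_from("!H", tcp, 0)[0]
    doff = ((tcp[12] & 0xF0) >> 4) * 4                # ((tcp[12] & 0xF0) >> 4) * 4
    return src_port, pkt[ihl + doff:total_len]        # length = ip[2:2] - ihl - doff


def looks_like_heartbleed(pkt: bytes) -> bool:
    """Python equivalent of the Heartbleed capture filter."""
    src_port, payload = tcp_payload(pkt)
    if src_port != 443 or len(payload) < 3:
        return False                   # BPF also fails the match when the bytes are absent
    return (payload[0] == 0x18         # TLS content type: heartbeat
            and payload[1] == 0x03     # major version 3 ...
            and payload[2] < 0x04      # ... minor 0-3 (SSL 3.0 through TLS 1.2)
            and len(payload) > 69)     # far larger than a benign heartbeat echo


# Benign 18-byte heartbeat echo: 5-byte record header + 1 + 2 + 18 + 16 = 42 bytes
NORMAL = build_ipv4_tcp(443, 51000, tls_record(0x18, heartbeat_response(b"A" * 18)))
# Oversized response: a server that trusts the requested length returns 1024 bytes
# of process memory (constructed filler here) in the heartbeat payload
LEAK = build_ipv4_tcp(443, 51000, tls_record(0x18, heartbeat_response(b"\x00" * 1024)))
# The same leak from port 8443: the filter is blind to it
LEAK_OTHER_PORT = build_ipv4_tcp(8443, 51000, tls_record(0x18, heartbeat_response(b"\x00" * 1024)))
# A large application-data record (0x17): big, but not a heartbeat
APPDATA = build_ipv4_tcp(443, 51000, tls_record(0x17, b"B" * 1024))

if __name__ == "__main__":
    for name, pkt in [("normal", NORMAL), ("leak", LEAK),
                      ("leak_other_port", LEAK_OTHER_PORT), ("appdata", APPDATA)]:
        print(f"{name:16s} flagged={looks_like_heartbleed(pkt)}")
```

The filter is a heuristic rather than a signature: it inspects only the first TLS record of each segment, only from source port 443, and relies on a length threshold, so a server on another port or a heartbeat record that does not start at a segment boundary goes unnoticed. It is a capture filter, so anything it rejects is never written to the capture file.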
Display filters can also be basic. Let's go over a few examples:
- Displaying traffic from any host in a subnet to a specific destination is done as follows:
ip.src==192.168.90.0/24 and ip.dst==192.168.90.1
- Looking for traffic on a specific port (as either source or destination) is done with the following filter; display filters accept both eq and == for comparisons, and both and and && for conjunctions:
tcp.port eq 445
In the following screenshot (Figure 25), I have marked the fields where you define a display and capture filter:

Wireshark can show credentials in clear text for any unencrypted protocol, because it simply reassembles what was sent on the wire. Telnet is the classic example: while capturing Telnet traffic, right-click a packet of the session and use Follow | TCP Stream to reassemble both directions of the conversation, as shown in Figure 26:

Note that by using the Follow | TCP Stream option, we are able to see the Username and Password in clear text, as shown in Figure 27:

Having the graphical interface of Wireshark makes it easier to work with packet captures. However, if you don't have the ability to use Wireshark, for example on a remote server with no display, then you will need to know how to leverage a command-line packet capture tool such as tcpdump. tcpdump accepts the same BPF capture-filter syntax shown above, and a capture it writes to a file can be copied off the host and opened in Wireshark for display filtering and stream following.