Project | Wireshark For Beginners: Capture Packets

Lixin Zhang
5 min read · Dec 25, 2023


Hello, everyone! In this article, I will take you through a project on installing and setting up Wireshark on Ubuntu Linux.

We’ll explore the process of capturing packets on an Ethernet port, using display filters to detect HTTPS packets, identifying IP addresses, and excluding specific IP addresses from the capture.

Let’s dive into the world of network packet analysis and learn how to leverage Wireshark for comprehensive network monitoring and analysis.

Task 1

Install and set up Wireshark on Ubuntu:

● To install the most recent stable release of Wireshark on Ubuntu Linux, add the wireshark-dev stable PPA with the add-apt-repository command:

sudo add-apt-repository ppa:wireshark-dev/stable

● Wireshark should not be run as a superuser for security reasons: its protocol dissectors parse untrusted network data, so a bug in one of them should not be running with root privileges.

● Instead, add your user to the wireshark group, which grants packet-capture capability without root (log out and back in for the group change to take effect):

sudo usermod -aG wireshark $USER

Task 2

Start a packet capture on an Ethernet port and save it to a file:

● Wired Ethernet interfaces are listed in Wireshark with names beginning with the prefix ‘en’.

● Wireshark provides features to initiate packet capture, halt the capture, store the packets in a file, and load capture files.

● Saving a capture is only possible once the capture has been stopped.

Task 3

Use a display filter to detect HTTPS packets:

● To view specific packets within an existing packet capture, utilize a display filter.

● To exclusively display HTTPS traffic, apply a filter on TCP port 443 using the expression:

tcp.port == 443

After locating the client hello, I copy and paste the destination address: 52.149.246.39

This is the IP address linked to DuckDuckGo.com.

Task 4

Visit a web page and detect its IP address using a display filter:

● A display filter on the TLS Client Hello (handshake type 1) identifies the start of a website visit in the packet list:

tls.handshake.type == 1

First, navigate to the privacy and security settings in your browser and select “Clear data”. Afterward, return to Wireshark.

Start the packet capture, then enter “Google.com” in the browser.

● A specific IP address is utilized as a filter to retrieve packet information for a particular website:

ip.addr == 172.253.62.106

ip.src == 172.253.62.106

The expression “ip.addr == 172.253.62.106” matches packets in either direction, where 172.253.62.106 is the source or the destination. The narrower “ip.src == 172.253.62.106” shows only packets originating from that address.

By using “ip.dst == 172.253.62.106” we display all traffic directed to that server from any source, which lets you analyse the requests sent to it separately from its replies.

Task 5

Locate all HTTPS packets from a capture not containing a certain IP address:

● You can combine conditions with the logical operators not (!), and, and or in a display filter to include or exclude packets:

!(ip.addr == 34.149.100.209) and tcp.port == 443

● To avoid operator-precedence mistakes, parenthesise compound conditions: and binds more tightly than or, so without parentheses the exclusion would only apply to part of the expression. For example,

!(ip.addr == 34.149.100.209) and (tcp.port == 80 or tcp.port == 443)

On this occasion, I monitored packet traffic using Wireshark while accessing both DuckDuckGo and Google. Here are the results:

I will utilize a TLS handshake display filter to identify website visits within a packet list:

tls.handshake.type ==1

After that, I applied the filter to view all tcp.port 443 traffic, excluding the address 34.149.100.209. This is what I did:

!(ip.addr == 34.149.100.209) and tcp.port == 443

Following that, I examined all HTTP and HTTPS traffic except for the IP address 34.149.100.209. I entered the following filter:

!(ip.addr == 34.149.100.209) and (tcp.port == 443 or tcp.port == 80)
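As an added illustration (not Wireshark's code and not part of the original article), the following Python models the display-filter semantics used in Tasks 3 to 5 over a handful of constructed packet records: ip.addr and tcp.port match either direction, == holds if any occurrence of the field matches, and not binds tighter than and, which binds tighter than or. Running the Task 5 filter with and without its parentheses shows how the unparenthesised form lets port-443 packets involving the excluded address back in.

```python
import re
# Constructed sample packets standing in for a saved capture (not the article's own data).
PACKETS = [
    {"ip.src": "10.0.0.5", "ip.dst": "34.149.100.209", "tcp.srcport": "51000", "tcp.dstport": "443"},
    {"ip.src": "34.149.100.209", "ip.dst": "10.0.0.5", "tcp.srcport": "443", "tcp.dstport": "51000"},
    {"ip.src": "10.0.0.5", "ip.dst": "172.253.62.106", "tcp.srcport": "51001", "tcp.dstport": "443",
     "tls.handshake.type": "1"},
    {"ip.src": "10.0.0.5", "ip.dst": "52.149.246.39", "tcp.srcport": "51002", "tcp.dstport": "80"},
    {"ip.src": "10.0.0.5", "ip.dst": "8.8.8.8", "udp.dstport": "53"},
]
# ip.addr / tcp.port stand for either address / port; '==' holds if any occurrence matches.
COMBINED = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport")}
TOKENS = re.compile(r"\(|\)|==|!|&&|\|\||[\w.]+")

class Filter:
    """Recursive-descent parser. Precedence, loosest to tightest: or, and, not."""
    def __init__(self, expr):
        self.toks = TOKENS.findall(expr) + [None]   # None marks end of input
    def parse_or(self):
        return self.binary(("or", "||"), self.parse_and, lambda a, b, p: a(p) or b(p))
    def parse_and(self):
        return self.binary(("and", "&&"), self.parse_not, lambda a, b, p: a(p) and b(p))
    def binary(self, ops, operand, combine):
        pred = operand()
        while self.toks[0] in ops:
            self.toks.pop(0)
            pred = (lambda a, b: lambda p: combine(a, b, p))(pred, operand())
        return pred
    def parse_not(self):
        if self.toks[0] in ("!", "not"):
            self.toks.pop(0)
            inner = self.parse_not()
            return lambda p: not inner(p)
        if self.toks[0] == "(":
            self.toks.pop(0)
            pred = self.parse_or()
            if self.toks.pop(0) != ")":
                raise ValueError("missing ')'")
            return pred
        name, op, value = (self.toks.pop(0) for _ in range(3))
        if op != "==":
            raise ValueError("only '==' comparisons are supported, got %r" % op)
        return lambda p: value in [p[f] for f in COMBINED.get(name, (name,)) if f in p]

def apply_filter(expr, packets=PACKETS):
    f = Filter(expr)
    pred = f.parse_or()
    if f.toks[0] is not None:
        raise ValueError("unexpected token %r" % f.toks[0])
    return [i for i, p in enumerate(packets) if pred(p)]
```

apply_filter returns the indices of the sample packets the filter would keep, so `!(ip.addr == 34.149.100.209) and (tcp.port == 80 or tcp.port == 443)` yields [2, 3], while the same text without the inner parentheses yields [0, 1, 2, 3].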

Thank you for joining me on this Wireshark journey! We’ve covered the essential steps for installing Wireshark on Ubuntu, capturing packets, and using display filters to analyze network traffic.

By following these steps, you can gain valuable insights into your network’s behavior and security. I hope this guide has been helpful, and I encourage you to explore further with Wireshark to enhance your network monitoring capabilities.

Happy packet capturing!

Project Source: https://www.coursera.org/learn/wireshark-for-beginners-capture-packets/home/week/1
