Monday, October 6, 2014
Wireshark Capture Options
Promiscuous mode:
if promiscuous mode is disabled
- Wireshark can capture only traffic addressed to the MAC of the interface on which the capture is enabled, plus multicast and broadcast traffic
if promiscuous mode is enabled
- Wireshark can capture traffic to/from all MAC addresses that reaches the interface (on a switched network that is still only what the switch forwards to your port; a SPAN/mirror port or a tap is needed to see the rest)
- promiscuous mode does not enable a WLAN adapter to capture traffic regardless of SSID; in managed mode the adapter only passes up frames of the network it is associated with
Monitor Mode:
- enables Wireshark to capture WLAN traffic regardless of SSID, i.e. raw 802.11 frames on the tuned channel without being associated with any network
- on Windows it is available with AirPcap adapters (on Linux and macOS many standard adapters support it natively)
*** with the normal adapters you can capture wireless traffic, but most likely the 802.11 header will be replaced with a fake Ethernet header, so management and control frames and the radio information are not visible
AirPcap Adapter
- can capture wireless traffic in a Windows environment
- in monitor mode it can capture all 802.11 management, control and data frames
- it adds a Radiotap or PPI header in front of the 802.11 header which provides channel and signal information at the moment the packets were captured
*** if you want to capture packets on more than one channel at a time you can use multiple AirPcap NICs with the AirPcap aggregate driver
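To show what the Radiotap header and the 802.11 header behind it actually contain, here is an added example (my code, not part of the original post and not AirPcap's or Wireshark's) that decodes a constructed monitor-mode beacon frame. The Radiotap field sizes and alignments, the 802.11 frame-control layout and the frequency-to-channel mapping follow the Radiotap and 802.11 specifications; the sample bytes, the MAC addresses, the SSID "lab-net", the signal value and the function names are made up for the example.

```python
import struct

# Radiotap present bits 0..14 as (size in bytes, required alignment), per the Radiotap
# spec; alignment is relative to the start of the Radiotap header, not of the field.
RADIOTAP_FIELDS = {0: (8, 8), 1: (1, 1), 2: (1, 1), 3: (4, 2), 4: (2, 2), 5: (1, 1),
                   6: (1, 1), 7: (2, 2), 8: (2, 2), 9: (2, 2), 10: (1, 1), 11: (1, 1),
                   12: (1, 1), 13: (1, 1), 14: (2, 2)}
DOT11_TYPES = {0: "management", 1: "control", 2: "data"}

def parse_radiotap(frame):
    """Return (header_length, fields) for the Radiotap header at offset 0 of frame."""
    version, _pad, it_len, present = struct.unpack_from("<BBHI", frame, 0)
    if version != 0:
        raise ValueError("unsupported Radiotap version %d" % version)
    off, words = 8, [present]
    while words[-1] & (1 << 31):           # bit 31: another present word follows
        words.append(struct.unpack_from("<I", frame, off)[0])
        off += 4
    fields = {}
    for bit in range(29):                  # standard fields announced by the first word
        if not present & (1 << bit):
            continue
        if bit not in RADIOTAP_FIELDS:
            break                          # unknown size: later offsets cannot be computed
        size, align = RADIOTAP_FIELDS[bit]
        off = (off + align - 1) & ~(align - 1)
        if bit == 2:                       # Rate, in units of 500 kbps
            fields["rate_mbps"] = frame[off] / 2
        elif bit == 3:                     # Channel: u16 frequency in MHz, u16 flags
            fields["channel_mhz"] = struct.unpack_from("<H", frame, off)[0]
        elif bit == 5:                     # dBm antenna signal, signed
            fields["signal_dbm"] = struct.unpack_from("<b", frame, off)[0]
        off += size
    return it_len, fields

def channel_number(freq_mhz):
    """802.11 channel number for a 2.4 GHz or 5 GHz centre frequency."""
    if freq_mhz == 2484:
        return 14
    if 2412 <= freq_mhz <= 2472:
        return (freq_mhz - 2407) // 5
    if 5000 < freq_mhz < 6000:
        return (freq_mhz - 5000) // 5
    return None

def mac(raw):
    return ":".join("%02x" % b for b in raw)

def parse_dot11(frame, off):
    """Decode the 802.11 MAC header at off; for a beacon also pull the SSID element."""
    fc = struct.unpack_from("<H", frame, off)[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    out = {"type": DOT11_TYPES.get(ftype, "reserved"), "subtype": subtype,
           "addr1": mac(frame[off + 4:off + 10])}
    if ftype == 1:                         # control frames carry only the receiver address
        return out
    out["addr2"] = mac(frame[off + 10:off + 16])
    out["addr3"] = mac(frame[off + 16:off + 22])     # the BSSID in a beacon
    if ftype == 0 and subtype == 8:        # beacon: 24-byte header + 12 fixed bytes, then IEs
        pos = off + 36
        while pos + 2 <= len(frame):
            ie_id, ie_len = frame[pos], frame[pos + 1]
            if ie_id == 0:                 # element id 0 is the SSID
                out["ssid"] = frame[pos + 2:pos + 2 + ie_len].decode("utf-8", "replace")
                break
            pos += 2 + ie_len
    return out

def decode(frame):
    """Split a monitor-mode frame into its radio information and its 802.11 header."""
    rt_len, radio = parse_radiotap(frame)
    return radio, parse_dot11(frame, rt_len)

# Constructed sample (not a real capture): Radiotap with Flags, Rate, Channel and dBm
# antenna signal present (0x2e), followed by a beacon for the made-up SSID "lab-net".
SAMPLE = (
    struct.pack("<BBHI", 0, 0, 15, 0x2e)
    + bytes([0x10, 0x02])                  # Flags: FCS at end; Rate: 2 * 500 kbps = 1 Mbps
    + struct.pack("<HH", 2437, 0x0480)     # Channel: 2437 MHz, flags 2 GHz + dynamic CCK/OFDM
    + struct.pack("<b", -47)               # antenna signal -47 dBm
    + struct.pack("<HH", 0x0080, 0)        # frame control: type 0 (mgmt), subtype 8 (beacon)
    + bytes.fromhex("ffffffffffff" "00112233aabb" "00112233aabb")   # addr1, addr2, addr3
    + struct.pack("<H", 0x10a0)            # sequence control
    + bytes(8) + struct.pack("<HH", 100, 0x0411)   # timestamp, beacon interval, capabilities
    + bytes([0, 7]) + b"lab-net"           # SSID information element
)

if __name__ == "__main__":
    radio, dot11 = decode(SAMPLE)
    print("channel %s (%d MHz), %d dBm, %.1f Mbps" % (channel_number(radio["channel_mhz"]),
          radio["channel_mhz"], radio["signal_dbm"], radio["rate_mbps"]))
    print(dot11)
```

None of this is available from an adapter that hands Wireshark fake Ethernet frames: the channel, signal level, frame type/subtype and BSSID all come from the Radiotap and 802.11 headers that monitor mode preserves. The parser stops at the first present bit it has no size for, because every later offset depends on it; a production decoder carries the full field table.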
Wednesday, October 1, 2014
Wireshark Capture Filters
Capture filter:
-should be used only if you want to save a small portion of the packets; whatever it drops is never written to the capture file, so when in doubt capture everything and use a display filter afterwards
-uses Berkeley Packet Filter (BPF) syntax, the same syntax tcpdump uses
-has a different syntax from the display filter (capture filter: tcp port 80, display filter: tcp.port == 80); the two cannot be mixed
Configuration
-in order to configure a capture filter click on Capture->Options and set the Capture Filter
*** there is also a shortcut button on the main toolbar (2nd from the left)
-there is a list of predefined capture filters in Capture->Capture Filters
you can use those examples in order to customize your own filters
***the predefined capture filters are saved in the following file:
C:\Documents and Settings\<Your user>\Application Data\Wireshark\cfilters
(on Windows Vista and later the same file lives under %APPDATA%\Wireshark\cfilters)
Examples:
ether host 00:00:10:00:00:01
capture only traffic to or from the MAC displayed (host without src/dst matches either direction)
ether host 00:00:10:00:00:01 and port 80
capture all HTTP traffic to or from the MAC displayed (port 80 on TCP or UDP; prefix tcp port to restrict it)
port 53
capture all DNS traffic, i.e. all TCP and UDP traffic to/from port 53
arp
all ARP packets
tcp port 110
capture POP3 traffic
*** you cannot write pop instead of tcp port 110: capture filters only know lower-layer protocol names (ether, arp, ip, icmp, tcp, udp), not application protocols, so the port stands in for the protocol
udp port 67
all DHCP packets (the client side uses port 68, but every DHCP exchange has port 67 at one end)
net 10.0.0.0/24
capture traffic only to or from the specified network range
tcp portrange 1501-1549
capture TCP traffic to or from the specified port range
tcp port 23 and not src host 10.0.0.1
capture all telnet traffic not from 10.0.0.1 (the and is mandatory: BPF does not join primitives implicitly, so tcp port 23 not src host 10.0.0.1 is a syntax error)
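The following added example (mine, not from the original post, the Wireshark wiki or libpcap) implements a small evaluator for the subset of BPF syntax used in the examples above and runs the filters over constructed frames, to show what each one really matches: host/net/port without src or dst match either direction, port and portrange match TCP and UDP unless a tcp/udp qualifier narrows them, and/or share one precedence level and associate left to right, and two primitives with nothing between them are rejected. Frame, CaptureFilter, select and is_valid are my names, the traffic is made up, and real libpcap also handles parentheses, ip6, vlan and many more primitives that this toy leaves out.

```python
import ipaddress
from collections import namedtuple

# One decoded frame. proto is "arp", "tcp" or "udp"; IP and port fields are None for ARP.
Frame = namedtuple("Frame", "src_mac dst_mac proto src_ip dst_ip src_port dst_port")
DIRS, PROTOS = ("src", "dst"), ("ether", "ip", "arp", "tcp", "udp")
KEYWORDS = ("host", "net", "port", "portrange")

def _either(direction, src, dst, test):
    # test src, dst, or either one (the BPF default when no src/dst qualifier is given)
    if direction in DIRS:
        return test(src if direction == "src" else dst)
    return test(src) or test(dst)

class CaptureFilter:
    """Recursive-descent parser for a subset of BPF syntax; parse() returns Frame -> bool."""

    def __init__(self, text):
        self.toks, self.i = text.split(), 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        self.i += 1
        return self.toks[self.i - 1] if self.i <= len(self.toks) else None

    def parse(self):
        pred = self.expr()
        if self.peek() is not None:        # e.g. two primitives with no 'and' between them
            raise SyntaxError("unexpected token %r" % self.peek())
        return pred

    def expr(self):
        # 'and' and 'or' share one precedence level and associate left to right (libpcap)
        left = self.term()
        while self.peek() in ("and", "or"):
            op, a, b = self.take(), left, self.term()
            left = lambda f, a=a, b=b, op=op: (a(f) and b(f)) if op == "and" else (a(f) or b(f))
        return left

    def term(self):
        if self.peek() == "not":           # negation binds tightest
            self.take()
            inner = self.term()
            return lambda f: not inner(f)
        return self.primitive()

    def primitive(self):
        direction = proto = None
        while self.peek() in DIRS + PROTOS:
            tok = self.take()
            direction, proto = (tok, proto) if tok in DIRS else (direction, tok)
        if self.peek() in KEYWORDS:
            kw, val = self.take(), self.take()
            if val is None:
                raise SyntaxError("'%s' needs a value" % kw)
            return self.keyword(kw, val, direction, proto)
        if direction is None and proto in ("arp", "tcp", "udp"):
            return lambda f: f.proto == proto          # bare protocol name, e.g. 'arp'
        if direction is None and proto == "ip":
            return lambda f: f.proto in ("tcp", "udp")  # the IPv4 carriers in this model
        raise SyntaxError("expected a primitive at token %d" % self.i)

    @staticmethod
    def keyword(kw, val, direction, proto):
        if kw == "host" and proto == "ether":
            want = val.lower()
            return lambda f: _either(direction, f.src_mac, f.dst_mac, lambda m: m == want)
        if kw in ("host", "net"):
            net = ipaddress.ip_network(val, strict=False)   # a host is just a /32 network
            return lambda f: _either(direction, f.src_ip, f.dst_ip,
                                     lambda a: a is not None and ipaddress.ip_address(a) in net)
        # port and portrange match TCP and UDP unless a tcp/udp qualifier narrows them
        l4 = (proto,) if proto in ("tcp", "udp") else ("tcp", "udp")
        lo, hi = map(int, val.split("-")) if kw == "portrange" else (int(val), int(val))
        return lambda f: f.proto in l4 and _either(direction, f.src_port, f.dst_port,
                                                   lambda p: p is not None and lo <= p <= hi)

# Constructed sample traffic (not a real capture), indexed 0..7 so results are readable.
FRAMES = [
    Frame("00:00:10:00:00:01", "00:00:10:00:00:02", "tcp", "10.0.0.5", "10.0.0.1", 49152, 80),
    Frame("00:00:10:00:00:02", "00:00:10:00:00:01", "tcp", "10.0.0.1", "10.0.0.5", 80, 49152),
    Frame("00:00:10:00:00:03", "00:00:10:00:00:02", "udp", "10.0.0.9", "10.0.0.1", 53000, 53),
    Frame("00:00:10:00:00:03", "00:00:10:00:00:02", "tcp", "10.0.0.9", "10.0.0.1", 53001, 53),
    Frame("00:00:10:00:00:04", "ff:ff:ff:ff:ff:ff", "arp", None, None, None, None),
    Frame("00:00:10:00:00:01", "00:00:10:00:00:02", "tcp", "10.0.0.1", "192.168.1.7", 4000, 23),
    Frame("00:00:10:00:00:01", "00:00:10:00:00:02", "tcp", "192.168.1.8", "192.168.1.7", 4001, 23),
    Frame("00:00:10:00:00:03", "00:00:10:00:00:02", "tcp", "10.0.0.9", "172.16.0.2", 1520, 8080),
]

def select(filter_text, frames=FRAMES):
    """Indices of the frames the capture filter would keep."""
    pred = CaptureFilter(filter_text).parse()
    return [i for i, f in enumerate(frames) if pred(f)]

def is_valid(filter_text):
    try:
        CaptureFilter(filter_text).parse()
        return True
    except SyntaxError:
        return False
```

select("port 53") returns [2, 3] (UDP and TCP), select("ether host 00:00:10:00:00:01") returns [0, 1, 5, 6] (both directions), and is_valid("tcp port 23 not src host 10.0.0.1") is False because the second primitive is not joined with and. Before a real capture the equivalent check is to compile the expression with tcpdump -d 'filter' or to watch the filter field in Wireshark's capture options turn green or red.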
http://wiki.wireshark.org/CaptureFilters
http://biot.com/capstats/bpf.html
Wireshark University videos
Tuesday, September 30, 2014
Port scanning
TCP SYN scan
if response is:
1. TCP SYN/ACK------- port is open
if scanner does a half-open scan /stealth scan it will reply to the SYN/ACK with a RST, so the handshake is never completed (half-open)
if scanner does a full connect scan, it will complete the 3-way handshake but no data will be sent; the connection then reaches the listening application and usually its logs, which the half-open scan avoids
2. TCP RST, RST/ACK------- port is closed
3. no response, or ICMP Destination Unreachable/ code 1,2,3,9,10 or 13------ port filtered (a single lost probe looks exactly like a firewall drop, so scanners retransmit before reporting filtered)
TCP FIN scan (only FIN set)
if response is:
1. no response--- port is open or filtered (an open port ignores a bare FIN, and a firewall that silently drops the probe looks the same)
2. TCP RST ----- port is closed
3. ICMP Destination Unreachable/ code 1,2,3,9,10 or 13 ------port filtered
*** only works against RFC 793 compliant stacks; Windows and many network devices answer every such probe with a RST, so all ports show as closed
TCP X-mas scan ( FIN, URG, PUSH are set)
if response is:
1. no response--- port is open or filtered
2. TCP RST ----- port is closed
3. ICMP Destination Unreachable/ code 1,2,3,9,10 or 13 ------port firewalled
TCP NULL scan (no flags set) is read the same way
if response is:
1. no response---- port is open or filtered
2. RST--- port is closed
TCP ACK scan ( ACK set)
if response is:
1. RST---- port is unfiltered: it is reachable, but an ACK scan cannot tell open from closed (used to map which ports a stateful firewall lets through)
2. no response/ ICMP DU/code 1,2,3,9,10,13--- filtered
TCP Window scan
is a TCP ACK scan + it examines the window field of the RST packet
1. if window is >0 -------- port is open
2. if window=0 --------port is closed
*** relies on a stack quirk; most current systems set window 0 on every RST, so the scan then reports every port as closed
UDP scan
if response is:
1. ICMP Destination Unreachable/Port Unreachable (type 3, code 3)---- nothing listening, port closed
2. ICMP Destination Unreachable/ code 1,2,9,10 or 13-------- filtered
3. a UDP reply------ port is open
4. no response------ port is open or filtered; sending a protocol-specific payload (e.g. a DNS query to port 53) provokes a reply from an open service and resolves the ambiguity
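An added example (my code, not the post's and not nmap's) that parses raw IPv4 replies and maps them to a port state with the rules listed above, for SYN, FIN, NULL, Xmas, ACK, Window and UDP scans. The reply builders, the addresses and ports, and the state names "unfiltered" and "open|filtered" (nmap's vocabulary) are assumptions; checksums are left at zero and not verified.

```python
import struct

# TCP flag bits (byte 13 of the TCP header)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
# what each scan type sends; classify() interprets what comes back
PROBE_FLAGS = {"syn": SYN, "fin": FIN, "null": 0, "xmas": FIN | PSH | URG,
               "ack": ACK, "window": ACK}
# ICMP type 3 codes that scanners read as "filtered" (net/host/port/proto/admin prohibited)
FILTERED_CODES = {1, 2, 3, 9, 10, 13}

def parse_reply(pkt):
    """Reduce a raw IPv4 reply to ('tcp', flags, window), ('icmp', type, code) or ('udp',)."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, l4 = pkt[9], pkt[ihl:]
    if proto == 6:
        return ("tcp", l4[13], struct.unpack_from("!H", l4, 14)[0])
    if proto == 1:
        return ("icmp", l4[0], l4[1])
    if proto == 17:
        return ("udp",)
    return ("other",)

def classify(scan, reply):
    """Port state for a scan type and a parsed reply; reply is None when nothing came back."""
    if reply is None:
        # SYN/ACK/Window probes always get an answer from a reachable port; FIN/NULL/Xmas
        # and UDP probes get silence from open ports too, so silence is ambiguous there
        return "filtered" if scan in ("syn", "ack", "window") else "open|filtered"
    if reply[0] == "icmp":
        _, icmp_type, code = reply
        if icmp_type != 3:
            return "unexpected"
        if scan == "udp" and code == 3:            # port unreachable: nothing listening
            return "closed"
        return "filtered" if code in FILTERED_CODES else "unexpected"
    if reply[0] == "udp":
        return "open" if scan == "udp" else "unexpected"
    if reply[0] != "tcp":
        return "unexpected"
    _, flags, window = reply
    if scan == "syn":
        if flags & SYN and flags & ACK:
            return "open"
        return "closed" if flags & RST else "unexpected"
    if scan in ("fin", "null", "xmas"):
        return "closed" if flags & RST else "unexpected"
    if scan == "ack":                              # RST only proves the port is reachable
        return "unfiltered" if flags & RST else "unexpected"
    if scan == "window":
        if not flags & RST:
            return "unexpected"
        return "open" if window > 0 else "closed"
    raise ValueError("unknown scan type %r" % scan)

# Builders for constructed replies (made-up addresses; checksums left at zero)
def ipv4(proto, payload, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x05"):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst)
    return hdr + payload

def tcp_reply(flags, window=29200, sport=80, dport=40000):
    return ipv4(6, struct.pack("!HHIIBBHHH", sport, dport, 0, 1, 5 << 4, flags, window, 0, 0))

def icmp_unreachable(code):
    return ipv4(1, struct.pack("!BBHI", 3, code, 0, 0))

def udp_reply():
    return ipv4(17, struct.pack("!HHHH", 53, 40000, 8, 0))

if __name__ == "__main__":
    for scan, reply in [("syn", tcp_reply(SYN | ACK)), ("syn", tcp_reply(RST | ACK, 0)),
                        ("fin", None), ("xmas", icmp_unreachable(13)),
                        ("window", tcp_reply(RST, 0)), ("udp", icmp_unreachable(3))]:
        print("%-6s -> %s" % (scan, classify(scan, None if reply is None else parse_reply(reply))))
```

The same byte offsets (TCP flags at byte 13, window at 14-15, ICMP type and code in the first two bytes) are what Wireshark shows when you follow a scan in a capture, so a display filter such as tcp.flags == 0x029 picks out Xmas probes and icmp.type == 3 the unreachables.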
Sources:
http://en.wikipedia.org/wiki/Port_scanner
http://nmap.org/book/man-port-scanning-techniques.html
http://nerv0.blogspot.com/2014/03/port-scanningadvanced.html