Monday, October 6, 2014

Wireshark Capture Options



Promiscuous mode:
if promiscuous mode is disabled
 - Wireshark can capture only frames addressed to the MAC address of the interface on which the capture is enabled + multicast and broadcast traffic
if promiscuous mode is enabled
 - Wireshark can capture frames to/from all MAC addresses that reach the NIC
*** on a switched network that is still only what the switch forwards to your port; to see other hosts' unicast traffic you need a SPAN/mirror port or a tap
 - promiscuous mode does not enable a WLAN adapter to capture traffic regardless of SSID: the driver only hands over frames of the network you are associated with


Monitor Mode:
- enables Wireshark to capture WLAN traffic regardless of SSID (raw 802.11 frames of every BSS on the tuned channel)
- on Windows available with AirPcap adapters; on Linux/macOS many built-in adapters support it (the "Monitor mode" checkbox in Capture->Options, or iw/airmon-ng)


*** with a normal adapter (no monitor mode) you can still capture on a wireless interface, but most likely the driver strips the 802.11 header and replaces it with a fake Ethernet header, so only data frames are seen and no management or control frames

AirPcap Adapter
- can capture wireless traffic in a Windows environment
- in monitor mode it captures all 802.11 management, control and data frames on the tuned channel
- it adds a Radiotap or PPI header in front of the 802.11 header which provides channel and signal information at the moment the packets were captured
*** a single adapter listens on one channel at a time; if you want to capture packets on more channels at once you can use multiple AirPcap NICs with the AirPcap aggregate driver
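Added example (not from the original notes and not AirPcap or Wireshark code): a small Python parser for the Radiotap header described above, followed by the 802.11 MAC header it precedes, run over a constructed beacon frame. It shows where the channel and signal values Wireshark displays for a monitor-mode capture come from, that the Radiotap "present" bitmap decides which fields exist and that each field is naturally aligned, and that the SSID of the beacon is just a tagged parameter in the frame body. The sample bytes, MAC addresses and SSID are made up.

```python
import struct

# Radiotap "present" bits this parser understands: bit -> (name, size, alignment).
# Sizes and alignments follow the radiotap field definitions; an unknown bit stops the walk.
RADIOTAP_FIELDS = {
    0: ("tsft", 8, 8), 1: ("flags", 1, 1), 2: ("rate", 1, 1), 3: ("channel", 4, 2),
    4: ("fhss", 2, 1), 5: ("dbm_antsignal", 1, 1), 6: ("dbm_antnoise", 1, 1),
    7: ("lock_quality", 2, 2), 8: ("tx_attenuation", 2, 2), 9: ("db_tx_attenuation", 2, 2),
    10: ("dbm_tx_power", 1, 1), 11: ("antenna", 1, 1), 12: ("db_antsignal", 1, 1),
    13: ("db_antnoise", 1, 1), 14: ("rx_flags", 2, 2),
}
FLAG_FCS_AT_END = 0x10          # radiotap Flags bit: frame ends with a 4-byte 802.11 FCS
TYPE_NAMES = {0: "management", 1: "control", 2: "data"}


def freq_to_channel(mhz):
    """Map a centre frequency in MHz to an 802.11 channel number (2.4 and 5 GHz bands)."""
    if mhz == 2484:
        return 14
    if 2412 <= mhz <= 2472:
        return (mhz - 2407) // 5
    if 5000 <= mhz <= 5900:
        return (mhz - 5000) // 5
    return None


def parse_radiotap(buf):
    """Return (radio metadata, offset of the 802.11 header) for a radiotap-prefixed frame."""
    version, _pad, it_len, present = struct.unpack_from("<BBHI", buf, 0)
    if version != 0 or it_len > len(buf):
        raise ValueError("not a radiotap header")
    off, last = 8, present
    while last & (1 << 31):                       # bit 31: another present word follows
        last = struct.unpack_from("<I", buf, off)[0]
        off += 4
    meta = {}
    for bit in range(29):
        if not present & (1 << bit):
            continue
        if bit not in RADIOTAP_FIELDS:
            break                                 # size unknown, later offsets would be wrong
        name, size, align = RADIOTAP_FIELDS[bit]
        off = (off + align - 1) // align * align  # fields are naturally aligned from header start
        raw = buf[off:off + size]
        if name == "tsft":
            meta["tsft_us"] = struct.unpack("<Q", raw)[0]
        elif name == "rate":
            meta["rate_mbps"] = raw[0] * 0.5      # units of 500 kbit/s
        elif name == "channel":
            meta["channel_mhz"], meta["channel_flags"] = struct.unpack("<HH", raw)
            meta["channel"] = freq_to_channel(meta["channel_mhz"])
        elif name in ("dbm_antsignal", "dbm_antnoise", "dbm_tx_power"):
            meta[name] = struct.unpack("<b", raw)[0]   # signed dBm
        elif size == 1:
            meta[name] = raw[0]
        else:
            meta[name] = tuple(raw) if name == "fhss" else struct.unpack("<H", raw)[0]
        off += size
    return meta, it_len


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_dot11(buf, off, fcs_present):
    """Decode the 802.11 MAC header (and the SSID of a beacon) starting at off."""
    fc0 = buf[off]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    frame = {"type": TYPE_NAMES.get(ftype, "reserved"), "subtype": subtype,
             "addr1": mac(buf[off + 4:off + 10])}
    if ftype == 1:                                # control frames carry one or two addresses
        if subtype in (8, 9, 10, 11, 14, 15):
            frame["addr2"] = mac(buf[off + 10:off + 16])
        return frame
    frame["addr2"] = mac(buf[off + 10:off + 16])
    frame["addr3"] = mac(buf[off + 16:off + 22])
    body = buf[off + 24:len(buf) - 4 if fcs_present else len(buf)]
    if ftype == 0 and subtype == 8:               # beacon: 12 fixed bytes, then tagged parameters
        i = 12
        while i + 2 <= len(body):
            tag, ln = body[i], body[i + 1]
            if tag == 0:                          # SSID element
                frame["ssid"] = body[i + 2:i + 2 + ln].decode("utf-8", "replace")
                break
            i += 2 + ln
    return frame


def parse_frame(buf):
    """Radiotap metadata plus 802.11 fields, as Wireshark shows them for a monitor-mode capture."""
    meta, off = parse_radiotap(buf)
    return {**meta, **parse_dot11(buf, off, bool(meta.get("flags", 0) & FLAG_FCS_AT_END))}


# Constructed sample (made-up values): a beacon for SSID "LabNet" on channel 6 seen at -42 dBm.
SAMPLE = (
    struct.pack("<BBHI", 0, 0, 24, 0x2F)          # radiotap v0, it_len 24, TSFT|Flags|Rate|Channel|dBm signal
    + struct.pack("<Q", 0x1234567)                # TSFT
    + bytes([FLAG_FCS_AT_END, 0x02])              # Flags (FCS present), Rate 2 x 500 kbit/s
    + struct.pack("<HH", 2437, 0x0480)            # Channel 2437 MHz, flags 2 GHz | dynamic CCK-OFDM
    + struct.pack("<b", -42) + b"\x00"            # dBm antenna signal, pad up to it_len
    + bytes([0x80, 0x00]) + struct.pack("<H", 0)  # 802.11 frame control (mgmt/beacon), duration
    + b"\xff" * 6 + bytes.fromhex("001122334455") * 2 + struct.pack("<H", 0x10)  # DA, SA, BSSID, seq
    + struct.pack("<QHH", 0, 100, 0x0411)         # beacon timestamp, interval, capabilities
    + bytes([0, 6]) + b"LabNet" + bytes([1, 1, 0x82])  # SSID IE, supported rates IE
    + b"\xde\xad\xbe\xef"                         # FCS (not verified here)
)

if __name__ == "__main__":
    for key, value in parse_frame(SAMPLE).items():
        print(f"{key:>14}: {value}")
```

With a real capture you would feed each packet's bytes from a pcap with link type 127 (IEEE802_11_RADIO) into parse_frame; with the fake-Ethernet captures from a normal adapter there is no Radiotap header to parse, which is exactly the information you lose.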


Wednesday, October 1, 2014

Wireshark Capture Filters


Capture filter:
-should be used if you only want to save a small portion of the packets: packets that do not match are dropped before they are written (a display filter only hides packets that were already captured)
-uses Berkeley Packet Filter (BPF) syntax, the same syntax as tcpdump
-has a different syntax than a display filter (e.g. capture filter "tcp port 80" vs display filter "tcp.port == 80")


Configuration
-in order to configure a capture filter click on Capture->Options and set the Capture Filter field
*** there is also a shortcut button on the main toolbar (2nd from the left)


-there is a list of predefined capture filters in Capture->Capture Filters
 you can use those examples as a starting point for your own filters


***the predefined capture filters are saved in the following file:
C:\Documents and Settings\<Your user>\Application Data\Wireshark\cfilters
(on Windows Vista and later: %APPDATA%\Wireshark\cfilters; on Linux/macOS: ~/.wireshark/cfilters, or ~/.config/wireshark/cfilters in newer releases)


Examples:
ether host 00:00:10:00:00:01
 - capture only traffic to or from the MAC address shown (use ether src host / ether dst host for one direction only)
ether host 00:00:10:00:00:01 and port 80
 - capture all traffic to/from the MAC address shown on port 80, i.e. HTTP
port 53
 - capture all DNS traffic: all TCP and UDP traffic with source or destination port 53
arp
 - all ARP packets
tcp port 110
 - capture POP3 traffic
*** you cannot write "pop" instead: BPF has no keywords for application protocols, only for link/network/transport protocols, hosts, nets and ports
udp port 67
 - all DHCP packets (clients send to port 67, the server replies from port 67)
net 10.0.0.0/24
 - capture only traffic to or from the specified network range
tcp portrange 1501-1549
 - capture TCP traffic with source or destination port in the specified range
tcp port 23 and not src host 10.0.0.1
 - capture all telnet traffic except packets sent by 10.0.0.1
*** the "and" is required: writing the two primitives next to each other without "and" is a syntax error
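Added example (not from the original notes, and not libpcap): a small Python re-implementation of what the capture filter primitives in the list above test, run over constructed Ethernet frames, so that their semantics can be checked offline: a bare "port" matches source or destination port on TCP or UDP, "net" without a proto qualifier also looks at the sender/target addresses of ARP packets, and "tcp portrange" ignores UDP. The MAC and IP addresses, ports and packet contents are made up. To check a real filter without capturing, compile it with tcpdump -d '<filter>', which prints the BPF program or reports a syntax error.

```python
import ipaddress
import struct

TCP, UDP = 6, 17
MAC_A, MAC_B = "00:00:10:00:00:01", "00:00:10:00:00:02"   # made-up hosts
MAC_GW, BCAST = "00:00:10:00:00:fe", "ff:ff:ff:ff:ff:ff"  # made-up gateway, broadcast


def _mac(m):
    return bytes.fromhex(m.replace(":", ""))

def _ip(a):
    return ipaddress.IPv4Address(a).packed

def eth(src, dst, ethertype, payload):
    return _mac(dst) + _mac(src) + struct.pack("!H", ethertype) + payload

def ipv4(src, dst, proto, sport, dport):
    """Minimal IPv4 header (no checksum) plus a TCP/UDP header that only carries the ports."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0, _ip(src), _ip(dst))
    return hdr + struct.pack("!HH", sport, dport) + b"\x00" * 16

def arp_request(sender_mac, sender_ip, target_ip):
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + _mac(sender_mac) + _ip(sender_ip)
            + b"\x00" * 6 + _ip(target_ip))


def parse_packet(raw):
    """Pull out the header fields the BPF-style predicates below compare against."""
    pkt = {"ether_dst": raw[0:6].hex(":"), "ether_src": raw[6:12].hex(":"),
           "ethertype": struct.unpack_from("!H", raw, 12)[0]}
    if pkt["ethertype"] == 0x0806:   # host/net without a proto qualifier also check ARP addresses
        pkt["src_ip"] = ipaddress.IPv4Address(raw[28:32])
        pkt["dst_ip"] = ipaddress.IPv4Address(raw[38:42])
    elif pkt["ethertype"] == 0x0800:
        ihl = (raw[14] & 0x0F) * 4
        pkt["proto"] = raw[23]
        pkt["src_ip"] = ipaddress.IPv4Address(raw[26:30])
        pkt["dst_ip"] = ipaddress.IPv4Address(raw[30:34])
        if pkt["proto"] in (TCP, UDP):
            pkt["sport"], pkt["dport"] = struct.unpack_from("!HH", raw, 14 + ihl)
    return pkt


# Predicates mirroring the BPF primitives: port/portrange match either direction and,
# without a tcp/udp qualifier, either transport; ARP packets have no ports at all.
def ether_host(m):
    return lambda p: m in (p["ether_src"], p["ether_dst"])

def src_host(ip):
    a = ipaddress.IPv4Address(ip)
    return lambda p: p.get("src_ip") == a

def net(cidr):
    n = ipaddress.IPv4Network(cidr)
    return lambda p: any(a in n for a in (p.get("src_ip"), p.get("dst_ip")) if a is not None)

def port(n, proto=None):
    return lambda p: (proto is None or p.get("proto") == proto) and n in (p.get("sport"), p.get("dport"))

def portrange(lo, hi, proto=None):
    return lambda p: (proto is None or p.get("proto") == proto) and any(
        lo <= x <= hi for x in (p.get("sport"), p.get("dport")) if x is not None)

def arp(p):
    return p["ethertype"] == 0x0806

def and_(*preds):
    return lambda p: all(f(p) for f in preds)

def not_(pred):
    return lambda p: not pred(p)


# Constructed traffic (made-up addresses) exercising each filter from the list.
PACKETS = {
    "http_from_A": eth(MAC_A, MAC_GW, 0x0800, ipv4("10.0.0.5", "93.184.216.34", TCP, 51000, 80)),
    "dns_query": eth(MAC_B, MAC_GW, 0x0800, ipv4("10.0.0.9", "8.8.8.8", UDP, 40000, 53)),
    "arp_request": eth(MAC_A, BCAST, 0x0806, arp_request(MAC_A, "10.0.0.5", "10.0.0.1")),
    "dhcp_discover": eth(MAC_A, BCAST, 0x0800, ipv4("0.0.0.0", "255.255.255.255", UDP, 68, 67)),
    "dhcp_offer": eth(MAC_GW, MAC_A, 0x0800, ipv4("10.0.0.1", "255.255.255.255", UDP, 67, 68)),
    "telnet_from_gw": eth(MAC_GW, MAC_B, 0x0800, ipv4("10.0.0.1", "10.0.0.9", TCP, 23, 50001)),
    "telnet_from_B": eth(MAC_B, MAC_GW, 0x0800, ipv4("10.0.0.9", "10.0.0.1", TCP, 50002, 23)),
    "pop3": eth(MAC_A, MAC_GW, 0x0800, ipv4("10.0.0.5", "203.0.113.10", TCP, 50003, 110)),
    "udp_1520": eth(MAC_B, MAC_GW, 0x0800, ipv4("10.0.0.9", "10.0.0.6", UDP, 1520, 1520)),
    "tcp_1520": eth(MAC_B, MAC_GW, 0x0800, ipv4("10.0.0.9", "10.0.0.6", TCP, 1520, 1520)),
}

FILTERS = {
    "ether host 00:00:10:00:00:01": ether_host(MAC_A),
    "ether host 00:00:10:00:00:01 and port 80": and_(ether_host(MAC_A), port(80)),
    "port 53": port(53),
    "arp": arp,
    "tcp port 110": port(110, TCP),
    "udp port 67": port(67, UDP),
    "net 10.0.0.0/24": net("10.0.0.0/24"),
    "tcp portrange 1501-1549": portrange(1501, 1549, TCP),
    "tcp port 23 and not src host 10.0.0.1": and_(port(23, TCP), not_(src_host("10.0.0.1"))),
}


def run_filter(expr):
    """Names of the constructed packets the given capture filter would keep."""
    pred = FILTERS[expr]
    return sorted(name for name, raw in PACKETS.items() if pred(parse_packet(raw)))


if __name__ == "__main__":
    for expr in FILTERS:
        print(f"{expr:42} -> {', '.join(run_filter(expr))}")
```

Note that "udp port 67" keeps both the client's DISCOVER (destination port 67) and the server's OFFER (source port 67), and that "net 10.0.0.0/24" keeps the ARP request because its sender address is inside the range, while the DHCP DISCOVER from 0.0.0.0 to 255.255.255.255 is not.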


http://wiki.wireshark.org/CaptureFilters
http://biot.com/capstats/bpf.html
Wireshark University videos