WireShark

• Kendi PC'nizden 2 kablolu ethernet bağlantısını Bridge yaparak ve multicast yayınları da izleyebilerek WireShark capture'ı almak için o bridge'in ayarları nasıl olmalı

• Ayrıca bridge'de "promiscuous mode" enable edili olmalı. Yoksa DHCP Discovery istekleri Bridge'den geçmez.

  • netsh bridge show adapter

  • netsh bridge set adapter 1 forcecompatmode=enable

  • netsh bridge set adapter 2 forcecompatmode=enable

• Ayrıca wireshark'ta "promiscuous" disable durumda olmalı.

• If you want to show TCP connections number you must chose custom field type and then give field name this:

  • tcp.stream

• Capture filter samples:

  • Capture only traffic to or from IP address 192.168.1.33 and no udp protocol please: !udp and host 192.168.1.33

  • Capture only traffic which is going through this mac address:

    • ether host 24:58:6e:95:8f:52

    • or

    • ether host 24586e958f52

  • Capture only traffic with port which NTP uses: udp and port 123

• Display filter samples:

  • eth.addr == 6c:02:e0:17:ce:b1

  • ip.addr == 195.175.224.0/24

  • ip.src==192.168.1.1

  • tcp.port eq 25

  • http.request.full_uri and (not http.request.full_uri contains ".ico") and (not http.request.full_uri contains ".jpg") and (not http.request.full_uri contains ".js")  and (not http.request.full_uri contains ".css") and (not http.request.full_uri contains ".png")

  • http response data contains a string: data-text-lines contains "myString"

  • Show only TCP start + request response + TCP end : (tcp.flags.syn ==1 and tcp.flags.ack == 0) or http.request or http.response or (tcp.flags.fin == 1 and tcp.flags.ack == 1)

• Want to see multicast broadcast join etc:

  • Capture filter and Display filter: igmp

• SSL/TLS decrypt:

  • Edit > Preferences > Protocols > TLS > RSA keys list > Edit 

    • IP Address: is the IP/hostname. (* may be used in any part)

    • Port: 443

    • Protocol: http

    • Key File: Path to RSA PRIVATE KEY

  • Key file format should be like this:

-----BEGIN RSA PRIVATE KEY-----

MIIEpAIBAAKCAQEAtIvaDmeOGleYuxT01GfAmgugHVlqCOFfGYqy3gxMWt/fxO/7

s7BJzqnhAFOWBjmBAdj7hHmPyCoJM7/MdCDJt1y7d20BJAGxD0ZQ4kxzGZDCjc5z

....... some 20-100 lines of base64 encoded data ...............

Jh2kZkKoVG3Qr+66IlBDuVllIbwQU0F1fYy2FTjZL4vbmdupwHUyTnPK57vP8RJ7

cpc1qwLZxfurxZfhI9gxXOO5eUg1WBupw029SSoSafYBqO4a9wg1OA==

-----END RSA PRIVATE KEY----

• • Not like this:

-----BEGIN ENCRYPTED PRIVATE KEY-----

MIIEpAIBAAKCAQEAtIvaDmeOGleYuxT01GfAmgugHVlqCOFfGYqy3gxMWt/fxO/7

s7BJzqnhAFOWBjmBAdj7hHmPyCoJM7/MdCDJt1y7d20BJAGxD0ZQ4kxzGZDCjc5z

....... some 20-100 lines of base64 encoded data ...............

Jh2kZkKoVG3Qr+66IlBDuVllIbwQU0F1fYy2FTjZL4vbmdupwHUyTnPK57vP8RJ7

cpc1qwLZxfurxZfhI9gxXOO5eUg1WBupw029SSoSafYBqO4a9wg1OA==

-----ENDENCRYPTED PRIVATE KEY-----

• After that open capture file, type "ssl and http" in filter area, if you see packages below you were succesful. Then right click any packet below  and Follow -> Http Stream. You should see decrypted contents.

• WireShark'ta SSL trafik hangi tür şifrelemeyi kullanıyor bulmak için. (dikkat server hello'ya bak)

• If WireShark cannot see your new USB to Ethernet Adapter in Windows

  • Open CMD as admin (be sure wireshark is not open):

    • for winPcap

      • net stop npf

      • net start npf

    • for npcap

      • net stop npcap

      • net start npcap