How to Read .dat Files in Wireshark
Master network analysis with our Wireshark Tutorial and Cheat Sheet.
Find immediate value with this powerful open source tool. When everything is up and running, read through the tips and tricks to understand ways to troubleshoot problems, find security issues, and impress your colleagues.
Even a basic understanding of Wireshark usage and filters can be a time saver when you are troubleshooting network or application layer issues on the wire (or WiFi).
Examples to Understand the Power of Wireshark
Wireshark can be useful for many different tasks, whether you are a network engineer, security professional or system administrator. Here are a few example use cases:
Troubleshooting Network Connectivity
- Visually understand packet loss
- Review TCP retransmission
- Graph high latency packet responses
Examination of Application Layer Sessions (even when encrypted by SSL/TLS, see below)
- View full HTTP session, seeing all headers and information for both requests and responses
- View Telnet sessions, see passwords, commands entered and responses
- View SMTP or POP3 traffic, reading emails off the wire
Troubleshoot DHCP issues with packet level data
- Examine DHCP client broadcast
- DHCP offer with address and options
- Client requests for offered address
- Ack of server acknowledging the request
Extract files from HTTP sessions
- Export objects from HTTP such as javascript, images, or even executables.
Extract file from SMB sessions
- Similar to the HTTP export option but able to extract files transferred over SMB, the ever present Microsoft File Sharing protocol.
Detection and Examination of Malware
- Detect anomalous behaviour that could indicate malware
- Search for unusual domains or IP address endpoints
- Use IO graphs to discover regular connections (beacons) to command and control servers
- Filter out the "normal" and find the unusual
- Extract large DNS responses and other oddness which may indicate malware
Examination of Port Scans and Other Vulnerability Scan types
- Understand what network traffic the vulnerability scanner is sending
- Troubleshoot vulnerability checks to understand false positives and false negatives
These examples only scratch the surface of the possibilities. Continue reading through the tutorial and start getting more from this powerful tool.
Installation of Wireshark
Wireshark will run on a variety of operating systems and is not hard to get up and running. We will touch on Ubuntu Linux, CentOS and Windows.
Install on Ubuntu or Debian
~# apt-get update
~# apt-get install wireshark tshark
Getting the latest version of Wireshark has a number of benefits. Many new features are released with major updates, such as new protocol parsing and other features. There is a PPA available for Ubuntu; add the repository and update packages to ensure you are getting a more recent release.
~# add-apt-repository ppa:wireshark-dev/stable
~# apt-get update
Install on Fedora or CentOS
~# yum install wireshark-gnome
Install on Windows
Head over to the Wireshark Download page, grab the installation executable and run it to install. Pretty straightforward; you will also be installing a packet capture driver. This allows the network card to enter promiscuous mode.
Getting Started with Filters
After running an initial capture you will see the standard layout and the packet details that can be viewed through the interface.
When you have captured an HTTP session, finish the capture and try playing with a few basic filters and the Analyze | Follow | HTTP Stream options.
The filters are easy to read and self-explanatory. You enter these expressions into the filter bar (or on the command line if using tshark). A primary benefit of the filters is to remove the noise (traffic you don't want to see). As seen here, you can filter on MAC address, IP address, subnet or protocol. The easiest filter is to type http into the filter bar. The results will now only show HTTP (tcp port 80) traffic.
IP Address Filter Examples
ip.addr == 192.168.0.5
!(ip.addr == 192.168.0.0/24)
Protocol Filter Examples
tcp
udp
tcp.port == 80 || udp.port == 80
http
not arp and not (udp.port == 53)
Try generating a filter combination that shows all non HTTP and HTTPS traffic leaving your local system that is not destined for the local network. This is a good way to find software (malware even) that is communicating with the Internet using unusual protocols.
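One answer to the exercise above, as an added example that is not part of the original tutorial: the rule written as a Wireshark display filter, and the same rule applied in Python to tshark field output. The local subnet 192.168.0.0/24 and the sample packet lines are assumptions constructed for the demo.

```python
import ipaddress

LOCAL_NET = ipaddress.ip_network("192.168.0.0/24")  # assumed local subnet
WEB_PORTS = {80, 443}                                # HTTP and HTTPS

# The same rule as a Wireshark display filter (filter bar or tshark -Y):
DISPLAY_FILTER = (
    f"ip.src == {LOCAL_NET} and not ip.dst == {LOCAL_NET} "
    "and not (tcp.port == 80 or tcp.port == 443)"
)

# Constructed sample of tshark field output, i.e. what
#   tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e ip.proto \
#          -e tcp.dstport -e udp.dstport
# would print (tab separated, a field is blank when absent).
SAMPLE_FIELDS = "\n".join([
    "192.168.0.5\t93.184.216.34\t6\t443\t",   # HTTPS, normal
    "192.168.0.5\t192.168.0.1\t17\t\t53",     # DNS to local resolver
    "192.168.0.5\t198.51.100.7\t6\t8443\t",   # TCP to unusual port
    "192.168.0.5\t203.0.113.9\t17\t\t4444",   # UDP to unusual port
    "203.0.113.9\t192.168.0.5\t17\t\t4444",   # reply, not egress
    "192.168.0.5\t93.184.216.34\t6\t80\t",    # HTTP, normal
])

def parse_fields(text):
    """Turn tshark -T fields lines into dicts, one per packet."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, tcp_port, udp_port = line.split("\t")
        records.append({
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "proto": int(proto),
            "dport": int(tcp_port or udp_port or 0),
        })
    return records

def unusual_egress(records, local_net=LOCAL_NET, web_ports=WEB_PORTS):
    """Packets from local_net to a non-local host on a port other than 80/443."""
    return [(str(r["dst"]), r["proto"], r["dport"]) for r in records
            if r["src"] in local_net and r["dst"] not in local_net
            and r["dport"] not in web_ports]

if __name__ == "__main__":
    print("display filter:", DISPLAY_FILTER)
    for dst, proto, port in unusual_egress(parse_fields(SAMPLE_FIELDS)):
        print(f"{dst:<16} proto={proto} dport={port}")
```

Paste DISPLAY_FILTER into the filter bar to get the same view inside Wireshark; the Python side is handy when the capture is too large to scroll through.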
Follow the White Rabbit Stream
Once you have several packets showing HTTP, select one and then select Analyze | Follow | HTTP Stream from the drop-down menu. This will show you an assembled HTTP session. In this new window, you see the HTTP request from the browser and the HTTP response from the web server. Goal! You are now winning at Wireshark. Continue reading our Wireshark Tutorial for more advanced tips.
Resolve DNS in Wireshark
By default, Wireshark won't resolve the network addresses that it is displaying in the console, only showing IP addresses. By changing an option in the preferences, you can enable the resolution of IP addresses to network names. This will slow down the display of packets, as it also does when using tcpdump, due to the DNS resolution that has to take place. It is important to understand that if you are doing a live capture, the DNS requests from your Wireshark host will be additional traffic that you might be capturing.
Edit | Preferences | Name Resolution | Enable Network Name Resolution
Tshark for the Command Line
If you haven't had a play with tshark, take a look at our tshark tutorial and filter examples. This program is often overlooked but is a great way to capture application layer sessions on a remote system. The advantage over tcpdump is that you can capture and view application layer sessions on the fly, as the protocol decoders included in Wireshark are also available to tshark.
Build Firewall Rules
A quick way to generate command line firewall rules; this can save a few minutes Googling for different firewall syntax. Select a rule, and head up to Tools | Firewall ACL Rules. Rules can be produced for different firewall products such as Cisco IOS (standard and extended), ipfilter, ipfw, iptables, pf and even Windows firewall using netsh.
Wireshark GeoIP Mapping
As long as Wireshark has been compiled with GeoIP support and you have the free Maxmind databases available, you can resolve IP addresses to locations. Look at About | Wireshark to see what has been compiled with the version you are using. If GeoIP is listed, ensure you have the GeoLite City, Country, and ASNum databases in a directory on your system running Wireshark. Point to the location of the databases in Edit | Preferences | Name Resolution.
Test it by loading a capture and selecting Statistics | Endpoints | IPv4. The columns on the right show the location and ASN information for the IP address.
A further function of the GeoIP feature is to filter traffic based on location using the ip.geoip display filter.
For instance, use this filter to exclude traffic from an ASN.
ASN 63949 is the Linode block, so the filter now displays only IP traffic not coming from this netblock.
ip and not ip.geoip.asnum == 63949
Of course, you can apply the same filter to city and country based queries. Doing this removes noise from your capture display and allows you to focus on the packets you care about.
Decrypt SSL/TLS sessions
One way of decrypting SSL/TLS sessions is to use the private key from the server that is being connected to by the client. Using this key, you can decrypt the session and view the protocol under the SSL/TLS layer. For example, in a browser session you could see the plain text HTTP.
You are not always going to have access to the server's private key. Hence, there is another option for easily viewing the browser SSL/TLS traffic from your local system. If Firefox or Chrome are loaded using a special environment variable, the individual SSL/TLS session symmetric keys will be logged to a file that Wireshark can read. With these keys, Wireshark can show you the session fully decrypted for the win!
1. Configure the Environment Variable
Linux / Mac
export SSLKEYLOGFILE=~/sslkeylogfile.log
Windows
Under advanced system settings, select Environment Variables and add the variable name SSLKEYLOGFILE with the variable value as the path to where you want the file saved.
2. Configure Wireshark
From the drop-down menu select Edit | Preferences | Protocols | SSL | (Pre)-Master-Secret log filename -- Browse to the log file you placed in your environment variable.
Start a capture on your local system.
3. Restart Firefox or Chrome
After browsing to an HTTPS site, the log file should start to increase in size as it logs the symmetric session keys.
Review the Wireshark session previously started. You should see something resembling the image below showing the decrypted sessions. Take note of the decrypted packets in the tab in the bottom pane.
Another way to view the session is to use the Analyze drop down and follow the stream. If the session has successfully been decrypted you will see the option for SSL under Stream.
Analyze | Follow | Stream | SSL
Use caution when logging these keys and pcaps. Someone with access to the key log file and your pcap might very well discover your passwords and authentication cookies inside the pcap.
Another option for getting at the underlying HTTP traffic is using Burp Suite with its CA loaded in your browser. In this case, the proxy decrypts the connection on the client side and then establishes a new SSL/TLS session to the server. There are many ways to man in the middle (MITM) yourself; these are two of the most straightforward.
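Given the caution above about leaving key log files around, here is an added example (not part of the original tutorial) that audits an SSLKEYLOGFILE: it groups the NSS-style key log lines by TLS client random and reports how many sessions the file would let Wireshark decrypt, and how fully. The sample log content is constructed with fake hex values.

```python
from collections import defaultdict

# Labels NSS-style key logs use: CLIENT_RANDOM for TLS 1.2 and earlier,
# per-secret labels for TLS 1.3.
TLS12_LABELS = {"CLIENT_RANDOM"}
TLS13_APP_LABELS = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}

# Constructed sample (fake hex values), shaped like a browser's key log.
SAMPLE_KEYLOG = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    "CLIENT_RANDOM " + "aa" * 32 + " " + "bb" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "cc" * 32 + " " + "dd" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "cc" * 32 + " " + "ee" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "cc" * 32 + " " + "ff" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "cc" * 32 + " " + "11" * 32,
    "EXPORTER_SECRET " + "cc" * 32 + " " + "22" * 32,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "33" * 32 + " " + "44" * 32,
    "BOGUS_LINE not hex at all",
])

def parse_keylog(text):
    """Return {client_random: set(labels)}; malformed lines are skipped."""
    sessions = defaultdict(set)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3 or len(parts[1]) != 64:   # 32-byte client random
            continue
        label, client_random, secret = parts
        try:
            bytes.fromhex(client_random)
            bytes.fromhex(secret)
        except ValueError:
            continue
        sessions[client_random].add(label)
    return dict(sessions)

def summarize_keylog(sessions):
    """Count sessions by what the logged labels would let Wireshark decrypt."""
    summary = {"tls12": 0, "tls13_full": 0, "tls13_partial": 0}
    for labels in sessions.values():
        if labels & TLS12_LABELS:
            summary["tls12"] += 1            # master secret: whole session
        elif TLS13_APP_LABELS <= labels:
            summary["tls13_full"] += 1       # application data decryptable
        else:
            summary["tls13_partial"] += 1    # handshake secrets only
    return summary
```

Running summarize_keylog(parse_keylog(open(path).read())) over a real key log tells you how much a leaked copy, paired with the matching pcap, would expose.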
Extract files from PCAP using Export (HTTP or SMB)
It is quite easy to extract files from a Wireshark capture using the export option.
File | Export Objects | HTTP
The new window will show any files that were found. In this new window you can save the individual files or save them all to a folder. A similar method can be used to extract files from SMB sessions. This is the Microsoft Server Message Block protocol that allows Windows File Sharing.
Right Hand Status Bar
Quickly jump to packets based on the color of the main display. For example, to find Red - Errors, see the red line noted in the right hand side status bar and jump to that location with a click.
Sample PCAPs are readily available
If you are getting started with Wireshark and looking for interesting packet captures to explore, the Wireshark Samples page is a great place to start. There are plenty of sample protocols to keep you busy for months and several worm / exploit samples for those digging into Network Security Monitoring.
Setting up your Environment
A handy tip is to remember the default console is highly configurable. You may add or remove columns, even adding something as simple as a UTC time column, which might be immediately useful if you are looking at historical pcaps.
The columns can be configured by going to Edit | Preferences | Appearance | Columns. In this area, you can also alter the layout, font, and colors.
This video has good configuration tips for the environment, including troubleshooting tips and configurations for identifying issues through TCP sequence numbers.
capinfos
A handy command line tool that comes packaged with Wireshark is the capinfos binary. This command will produce a summary of a pcap with statistics, start / finish times and other details.
Run it as below or use the table option -T to produce tab separated output that can be imported into a spreadsheet or parsed on the command line.
test@ubuntu:~$ capinfos test.pcap
File name:           test.pcap
File type:           Wireshark/tcpdump/... - pcap
File encapsulation:  Ethernet
File timestamp precision:  microseconds (6)
Packet size limit:   file hdr: 262144 bytes
Number of packets:   341 k
File size:           449 MB
Data size:           444 MB
Capture duration:    3673.413779 seconds
Start packet time:   2018-12-01 11:26:53.521929
Last packet time:    2018-12-01 12:28:06.935708
Data byte rate:      120 kBps
Data bit rate:       967 kbps
Average packet size: 1300.72 bytes
Average packet rate: 93 packets/s
SHA256:              989388128d676c329ccdbdec4ed221ab8ecffad81910a16f473ec2c2f54c5d6e
RIPEMD160:           0742b6bbc79735e57904008d6064cce7eb95abc9
SHA1:                d725b389bea044d6520470c8dab0de1598b01d89
Strict time order:   True
Number of interfaces in file: 1
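As an added example (not part of the original tutorial), here is the "parsed on the command line" side of the -T option: a parser for the tab separated table that capinfos -T writes, aggregating packet counts, duration and size across several captures and pulling out the SHA256 column. The sample table and its header names are constructed to resemble that output and may differ from what your capinfos version prints, which is why the code looks columns up by header text.

```python
# Constructed sample shaped like `capinfos -T a.pcap b.pcap` output: a tab
# separated header row followed by one row per file. Header names are
# modelled on the long report above and may differ from your version.
SAMPLE_TABLE = "\n".join([
    "File name\tNumber of packets\tCapture duration (seconds)\t"
    "File size (bytes)\tSHA256",
    "test.pcap\t341000\t3673.413779\t449000000\t" + "a" * 64,
    "other.pcap\t1200\t60.5\t1500000\t" + "b" * 64,
])

def parse_capinfos_table(text):
    """Parse capinfos -T output (header row first) into a list of dicts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split("\t")
    rows = []
    for ln in lines[1:]:
        cells = ln.split("\t")
        if len(cells) != len(header):
            raise ValueError(f"column count mismatch in row: {ln!r}")
        rows.append(dict(zip(header, cells)))
    return rows

def column(rows, needle):
    """Find the column whose header contains needle, case-insensitively."""
    for name in rows[0]:
        if needle.lower() in name.lower():
            return name
    raise KeyError(f"no column matching {needle!r}")

def summarize_captures(rows):
    """Aggregate packet count, duration and size across all files."""
    pkts, secs, size = (column(rows, n) for n in
                        ("number of packets", "capture duration", "file size"))
    total_packets = sum(int(r[pkts]) for r in rows)
    total_seconds = sum(float(r[secs]) for r in rows)
    total_bytes = sum(int(r[size]) for r in rows)
    return {
        "files": len(rows),
        "packets": total_packets,
        "seconds": round(total_seconds, 3),
        "bytes": total_bytes,
        "avg_packets_per_sec": round(total_packets / total_seconds, 2),
    }

def hashes(rows):
    """Map each file name to its SHA256 so a pcap can be checked later."""
    name, sha = column(rows, "file name"), column(rows, "sha256")
    return {r[name]: r[sha] for r in rows}
```

Feed it the real thing with parse_capinfos_table(subprocess.run(["capinfos", "-T", *files], capture_output=True, text=True).stdout); the recorded SHA256 values are what you compare against when a capture is later handed over as evidence.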
Wrapping Up
This post was originally published in 2011; it has undergone a major and much needed refresh. Any comments, improvements or tips to add to the Cheat Sheet, drop me a line on the Contact Page. Wireshark is one of those indispensable tools that many use but few actually master. The rabbit hole goes deep on this one.
Source: https://hackertarget.com/wireshark-tutorial-and-cheat-sheet/