Update wireshark-tricks.md

Taleb Qasem 2022-09-10 18:48:59 +06:00 committed by GitHub
parent 61142facbb
commit 42fa705fef


@ -29,14 +29,13 @@ The following tutorials are amazing to learn some cool basic tricks:
**Expert Information**
Clicking on _**Analyze** --> **Expert Information**_ you will have an **overview** of what is happening in the packets **analised**:
Clicking on _**Analyze** --> **Expert Information**_ you will have an **overview** of what is happening in the packets **analyzed**:
![](<../../../.gitbook/assets/image (570).png>)
**Resolved Addresses**
Under _**Statistics --> Resolved Addresses**_ you can find several **information** that was "**resolved**" by wireshark like port/transport to protocol, mac to manufacturer...\
This is interesting to know what is implicated in the communication.
Under _**Statistics --> Resolved Addresses**_ you can find several **information** that was "**resolved**" by wireshark like port/transport to protocol, MAC to the manufacturer, etc. It is interesting to know what is implicated in the communication.
![](<../../../.gitbook/assets/image (571).png>)
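Review bot: the rewritten Resolved Addresses line still reads "several **information**" and spells the tool "wireshark" in lowercase; since this commit is a grammar pass, fix both in the same line, e.g. "Under _**Statistics --> Resolved Addresses**_ you can find information that was "**resolved**" by Wireshark, such as port/transport to protocol and MAC to manufacturer." The "analised" -> "analyzed" correction and the merge of the two-line paragraph into one sentence both look good.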
@ -84,14 +83,13 @@ Other interesting filters:
### Search
If you want to **search** for **content** inside the **packets** of the sessions press _CTRL+f_\
\_\_You can add new layers to the main information bar _(No., Time, Source...)_ pressing _right bottom_ and _Edit Column_
If you want to **search** for **content** inside the **packets** of the sessions press _CTRL+f_\. You can add new layers to the main information bar (No., Time, Source, etc.) by pressing the right button and then the edit column.
Practice: [https://www.malware-traffic-analysis.net/](https://www.malware-traffic-analysis.net)
## Identifying Domains
You can add a column that show the Host HTTP header:
You can add a column that shows the Host HTTP header:
![](<../../../.gitbook/assets/image (403).png>)
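Review bot: the replacement Search line leaves a stray backslash, "_CTRL+f_\." (the `\` was the GitBook hard line break from the old version and now renders as a literal backslash before the period), and it drops the menu item name: "pressing the right button and then the edit column" is vaguer than the original _Edit Column_. Suggest "press _CTRL+f_. You can add new columns to the main information bar (No., Time, Source, etc.) by right-clicking a column header and choosing _Edit Column_." Also "new layers" in the context line should be "new columns", since that is what Edit Column creates.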
@ -126,11 +124,11 @@ Press _Edit_ and add all the data of the server and the private key (_IP, Port,
It turns out that Firefox and Chrome both support logging the symmetric session key used to encrypt TLS traffic to a file. You can then point Wireshark at said file and presto! decrypted TLS traffic. More in: [https://redflagsecurity.net/2019/03/10/decrypting-tls-wireshark/](https://redflagsecurity.net/2019/03/10/decrypting-tls-wireshark/)\
To detect this search inside the environment for to variable `SSLKEYLOGFILE`
A file of shared keys will looks like this:
A file of shared keys will look like this:
![](<../../../.gitbook/assets/image (99).png>)
To import this in wireshark go to _edit>preference>protocol>ssl>_ and import it in (Pre)-Master-Secret log filename:
To import this in wireshark go to _edit > preference > protocol > ssl > and import it in (Pre)-Master-Secret log filename:
![](<../../../.gitbook/assets/image (100).png>)
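Review bot: the rewritten preferences line removes the closing underscore of the italic menu path ("_edit > preference > protocol > ssl > and import it in ..."), so the emphasis is now unbalanced and will render as a literal underscore; keep it closed, e.g. "_edit > preference > protocol > ssl >_ and import it in (Pre)-Master-Secret log filename:". Two further points worth folding into this grammar pass: the unchanged context line "search inside the environment for to variable `SSLKEYLOGFILE`" should read "search the environment for the variable `SSLKEYLOGFILE`", and in current Wireshark releases the protocol preferences entry is named TLS rather than SSL, so readers following the path may not find "ssl"; the line could mention both names.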