Update wireshark-tricks.md
This commit is contained in:
parent
61142facbb
commit
42fa705fef
@ -29,14 +29,13 @@ The following tutorials are amazing to learn some cool basic tricks:
|
||||
|
||||
**Expert Information**
|
||||
|
||||
Clicking on _**Analyze** --> **Expert Information**_ you will have an **overview** of what is happening in the packets **analised**:
|
||||
Clicking on _**Analyze** --> **Expert Information**_ you will have an **overview** of what is happening in the packets **analyzed**:
|
||||
|
||||
![](<../../../.gitbook/assets/image (570).png>)
|
||||
|
||||
**Resolved Addresses**
|
||||
|
||||
Under _**Statistics --> Resolved Addresses**_ you can find several **information** that was "**resolved**" by wireshark like port/transport to protocol, mac to manufacturer...\
|
||||
This is interesting to know what is implicated in the communication.
|
||||
Under _**Statistics --> Resolved Addresses**_ you can find several **information** that was "**resolved**" by wireshark like port/transport to protocol, MAC to the manufacturer, etc. It is interesting to know what is implicated in the communication.
|
||||
|
||||
![](<../../../.gitbook/assets/image (571).png>)
|
||||
|
||||
@ -84,14 +83,13 @@ Other interesting filters:
|
||||
|
||||
### Search
|
||||
|
||||
If you want to **search** for **content** inside the **packets** of the sessions press _CTRL+f_\
|
||||
\_\_You can add new layers to the main information bar _(No., Time, Source...)_ pressing _right bottom_ and _Edit Column_
|
||||
If you want to **search** for **content** inside the **packets** of the sessions press _CTRL+f_\. You can add new layers to the main information bar (No., Time, Source, etc.) by pressing the right button and then the edit column.
|
||||
|
||||
Practice: [https://www.malware-traffic-analysis.net/](https://www.malware-traffic-analysis.net)
|
||||
|
||||
## Identifying Domains
|
||||
|
||||
You can add a column that show the Host HTTP header:
|
||||
You can add a column that shows the Host HTTP header:
|
||||
|
||||
![](<../../../.gitbook/assets/image (403).png>)
|
||||
|
||||
@ -126,11 +124,11 @@ Press _Edit_ and add all the data of the server and the private key (_IP, Port,
|
||||
It turns out that Firefox and Chrome both support logging the symmetric session key used to encrypt TLS traffic to a file. You can then point Wireshark at said file and presto! decrypted TLS traffic. More in: [https://redflagsecurity.net/2019/03/10/decrypting-tls-wireshark/](https://redflagsecurity.net/2019/03/10/decrypting-tls-wireshark/)\
|
||||
To detect this search inside the environment for to variable `SSLKEYLOGFILE`
|
||||
|
||||
A file of shared keys will looks like this:
|
||||
A file of shared keys will look like this:
|
||||
|
||||
![](<../../../.gitbook/assets/image (99).png>)
|
||||
|
||||
To import this in wireshark go to _edit>preference>protocol>ssl>_ and import it in (Pre)-Master-Secret log filename:
|
||||
To import this in wireshark go to _edit > preference > protocol > ssl > and import it in (Pre)-Master-Secret log filename:
|
||||
|
||||
![](<../../../.gitbook/assets/image (100).png>)
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user