Cyber Sleuthing with Wireshark Filters


Introduction

In this lab, you will learn how to use Wireshark display filters to analyze network traffic and identify potential security threats. Wireshark is a powerful network protocol analyzer that can capture and dissect network packets, making it an essential tool for cybersecurity professionals. By mastering Wireshark display filters, you will be able to quickly isolate and inspect specific types of traffic, streamlining your analysis efforts and enhancing your ability to detect and respond to security incidents.



Capturing Network Traffic

In this step, you will learn how to capture network traffic using Wireshark. This is a crucial first step in any network analysis process. Make sure you are in the "Desktop" environment.

Open the Wireshark application by running the following command in the terminal:

wireshark

Once Wireshark is open, double-click eth1 to start capturing traffic from the eth1 network interface.

To generate some network traffic, open another terminal and fetch a web page by entering the following command:

curl www.google.com

You should see network traffic captured by Wireshark, as in the figure shown below.

Wireshark Network Traffic Capture

After capturing enough traffic, stop the capture by clicking the "Stop" button.

Applying Basic Display Filters

In this step, you will learn how to apply basic display filters in Wireshark to isolate specific types of network traffic.

  1. Continuing from the previous step, enter the following filter in the filter toolbar to display only HTTP traffic:
http

This will show only the packets that are part of HTTP communications as shown below.
Wireshark Network Traffic Capture

  2. To display traffic from a specific source IP address, use the following filter:
ip.src == 172.19.0.4

You can replace 172.19.0.4 with the IP address you want to filter on, or use ip.dst to show only the packets going to a specific destination IP address.

  3. To display traffic on a specific TCP port (as either source or destination port), use the following filter:
tcp.port == 80

This will show only the packets that use TCP port 80 (HTTP).

Advanced Display Filters

In this step, you will learn how to use advanced display filters in Wireshark to perform more complex analysis tasks.

  1. To display traffic matching a specific protocol, port, and HTTP request method at the same time, combine conditions with `and`:
tcp.port == 80 and http.request.method == "GET"

This will show only the HTTP GET requests on TCP port 80.

  2. To display traffic based on a specific payload size range, use the following filter:
tcp.len >= 1000 and tcp.len <= 2000

This will show only the TCP segments whose payload length is between 1000 and 2000 bytes (tcp.len counts TCP payload bytes, not the whole frame).

  3. To display traffic based on an application-layer field, such as the HTTP Host header, use the following filter:
http.host contains "google.com"

This will show only the HTTP requests whose Host header contains google.com.

Experiment with different combinations of filters to refine your analysis further.
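As an added example that is not part of the lab, the following pure-Python model evaluates the display filters from the two steps above against two constructed frames (a curl-style GET request and its response), so the matching rule behind each filter is explicit: tcp.port matches either direction, tcp.len is payload length only, and http.host exists only in requests. The frame bytes and the 203.0.113.10 server address are constructed for this example, not taken from a real capture.

```python
import struct

def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet II / IPv4 / TCP frame (not a real capture) carrying `payload`."""
    eth = bytes(range(12)) + b"\x08\x00"                      # dummy MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0x4000, 64, 6,
                     0, bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp + payload

def parse_frame(frame):
    """Extract the fields the lab's filters use; tcp.len is TCP *payload* length, as in Wireshark."""
    tcp_off = 14 + (frame[14] & 0x0F) * 4                     # Ethernet header + IPv4 IHL
    total_len = struct.unpack("!H", frame[16:18])[0]
    sport, dport = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
    payload = frame[tcp_off + (frame[tcp_off + 12] >> 4) * 4:14 + total_len]
    return {"ip.src": ".".join(map(str, frame[26:30])), "ip.dst": ".".join(map(str, frame[30:34])),
            "tcp.srcport": sport, "tcp.dstport": dport, "tcp.len": len(payload), "payload": payload}

def http_request_method(p):
    """First token of an HTTP request line (what http.request.method holds), else None."""
    parts = p["payload"].split(b"\r\n", 1)[0].split(b" ")
    return parts[0].decode() if len(parts) == 3 and parts[2].startswith(b"HTTP/") else None

def http_host(p):
    """Host header value; it exists only in requests, so http.host never matches a response."""
    for line in p["payload"].split(b"\r\n")[1:]:
        if line.lower().startswith(b"host:"):
            return line.split(b":", 1)[1].strip().decode()
    return None

# Each display filter from the lab beside the predicate it actually evaluates.
FILTERS = {
    "ip.src == 172.19.0.4": lambda p: p["ip.src"] == "172.19.0.4",
    "tcp.port == 80": lambda p: 80 in (p["tcp.srcport"], p["tcp.dstport"]),  # either direction
    'tcp.port == 80 and http.request.method == "GET"':
        lambda p: 80 in (p["tcp.srcport"], p["tcp.dstport"]) and http_request_method(p) == "GET",
    "tcp.len >= 1000 and tcp.len <= 2000": lambda p: 1000 <= p["tcp.len"] <= 2000,
    'http.host contains "google.com"': lambda p: "google.com" in (http_host(p) or ""),
}

def matching_filters(frame):
    p = parse_frame(frame)
    return [name for name, test in FILTERS.items() if test(p)]

# Constructed request/response pair; 203.0.113.10 is a documentation address standing in for the server.
REQUEST = build_frame("172.19.0.4", "203.0.113.10", 51234, 80,
                      b"GET / HTTP/1.1\r\nHost: www.google.com\r\nUser-Agent: curl/8.0\r\n\r\n")
RESPONSE = build_frame("203.0.113.10", "172.19.0.4", 80, 51234,
                       b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n" + b"<html>" * 200)
```

Calling matching_filters(REQUEST) returns the ip.src, tcp.port, GET and http.host filters, while matching_filters(RESPONSE) returns only tcp.port and the tcp.len range, which is exactly the split you see when you apply these filters to the captured curl exchange.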

Summary

In this lab, you have learned how to use Wireshark display filters, a valuable skill that will enhance your ability to analyze network traffic and detect security incidents effectively. This lab has provided you with hands-on experience in using Wireshark display filters, and you can now apply this knowledge to real-world cybersecurity scenarios.
