fhgrings/wireshark-playground

TCP Dump Analyses with Wireshark

This repo stores notes from tcpdump capture analyses done with Wireshark: tips, tricks, a theory overview and good practices.

References

Wireshark Ultimate Hands-On

Wireshark Docs

Requirements

Wireshark

GeoLite2 Free Geolocation Data

Commands

tcpdump -i eth0 -s 65535 -w /tmp/tcp_dump.pcap       # full-snaplen capture of eth0 to a pcap file, to open in Wireshark later
tshark -i eth0 -Y "ip.src==10.224.106.73 and http"   # live capture on eth0, displaying only HTTP packets from that source

Interface

Filters

Display-filter operators: each keyword has a symbolic alias.

eq   ==
not  !
or   ||
and  &&

contains  substring or byte-sequence match (not an exact-string match), e.g. frame contains "google"
matches   regular expression (PCRE), e.g. http.host matches "\.(org|com|br)"

Statistics

Tips & Tricks

Header fields to take a look at

  • TTL (Time to Live) - IP header field, decremented by every router the packet passes through. Compare it with the common initial values (64 for Linux/macOS, 128 for Windows, 255 for network gear) to estimate the hop count and to spot a host that is not where it claims to be;

  • Window Size - the receive window the sender advertises; a window of 0 means the receiver cannot accept more data right now;

  • Delta Time (time since the previous packet sent/received, frame.time_delta in Wireshark) - long deltas point to a slow peer or a lost packet waiting for retransmission;

  • TCP flags (tcp.flags; these are flags, not TCP Options)

    • Acknowledgment (ACK)
    • Push (PSH)
    • Reset (RST)
    • Syn (SYN)

Multi Remote Hosts TCP Dump + WireShark Analysis

Capture on a remote host over SSH and watch the stream live in a local Wireshark through a named pipe:

mkfifo /tmp/pcap
wireshark -k -i /tmp/pcap &

ssh user@host1 "tcpdump -s 0 -U -n -w - 'not tcp port 22'" > /tmp/pcap

Options: -s 0 captures full packets, -U flushes every packet to the pipe as it is captured (without it tcpdump buffers and Wireshark lags), -n skips DNS lookups, -w - writes pcap to stdout. The capture filter 'not tcp port 22' keeps the SSH session that carries the capture out of the capture; without it every captured packet generates SSH traffic that is itself captured.

Do not point a second ssh at the same FIFO at the same time: both writers interleave their records, and the second tcpdump's pcap file header lands in the middle of the stream, which Wireshark reads as a malformed packet. Capture each host into its own file instead and merge the files afterwards with mergecap (which orders records by timestamp, so the hosts' clocks must be in sync):

ssh user@host1 "tcpdump -s 0 -U -n -w - 'not tcp port 22'" > /tmp/host1.pcap &
ssh user@host2 "tcpdump -s 0 -U -n -w - 'not tcp port 22'" > /tmp/host2.pcap &
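As an added example (not code from this repo), the following Python script shows the last two sections without Wireshark: it builds two constructed pcap captures as if taken on host1 and host2, merges them chronologically the way mergecap does (strip each file's global header, sort records by timestamp, write one header), and then pulls out of every TCP packet the fields listed under Tips & Tricks: TTL with an estimated hop count, window size, flags and delta time. All addresses, ports, timestamps and frames are made up; the frames carry zero MACs and no checksums because nothing here validates them.

```python
"""Parse, merge and summarise pcap captures without Wireshark (added example, constructed data)."""
import struct
from socket import inet_aton, inet_ntoa

PCAP_MAGIC = 0xA1B2C3D4            # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}
COMMON_INITIAL_TTLS = (64, 128, 255)  # Linux/macOS, Windows, routers and other network gear


def pcap_global_header():
    # magic, version 2.4, tz offset 0, sigfigs 0, snaplen 65535, link type
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)


def pcap_record(ts_us, frame):
    """Record header (seconds, microseconds, included length, original length) plus the frame."""
    sec, usec = divmod(ts_us, 1_000_000)
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame


def build_frame(src, dst, sport, dport, flags, ttl, window):
    """Constructed Ethernet/IPv4/TCP frame with no payload (zero MACs, zero checksums)."""
    eth = bytes(12) + b"\x08\x00"                        # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, window, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, ttl, 6, 0,
                     inet_aton(src), inet_aton(dst))
    return eth + ip + tcp


def iter_pcap(data):
    """Yield (timestamp_us, frame) for every record of a little-endian pcap file."""
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield sec * 1_000_000 + usec, data[off:off + incl]
        off += incl


def merge_pcaps(*captures):
    """Chronological merge of several captures into one stream (what mergecap does)."""
    records = [rec for cap in captures for rec in iter_pcap(cap)]
    records.sort(key=lambda rec: rec[0])
    return pcap_global_header() + b"".join(pcap_record(ts, frame) for ts, frame in records)


def hops_from_ttl(ttl):
    """Guess the sender's initial TTL and how many routers the packet crossed."""
    initial = next(t for t in COMMON_INITIAL_TTLS if t >= ttl)
    return initial, initial - ttl


def summarize(data):
    """One row per TCP packet with the fields worth looking at: delta time, TTL, window, flags."""
    rows, prev_ts = [], None
    for ts, frame in iter_pcap(data):
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:                                   # protocol 6 is TCP
            continue
        tcp = ip[ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        rows.append({
            "delta_us": 0 if prev_ts is None else ts - prev_ts,
            "src": f"{inet_ntoa(ip[12:16])}:{sport}",
            "dst": f"{inet_ntoa(ip[16:20])}:{dport}",
            "ttl": ip[8],
            "hops": hops_from_ttl(ip[8])[1],
            "window": struct.unpack("!H", tcp[14:16])[0],
            "flags": [name for bit, name in sorted(TCP_FLAGS.items()) if tcp[13] & bit],
        })
        prev_ts = ts
    return rows


T0 = 1_700_000_000_000_000  # constructed epoch microseconds
# host1 is the client itself, so it only sees what the client sends, with the TTL still at 64.
HOST1_CAPTURE = pcap_global_header() + b"".join([
    pcap_record(T0,        build_frame("10.0.0.5", "10.0.0.9", 51000, 443, 0x02, 64, 64240)),  # SYN
    pcap_record(T0 + 1200, build_frame("10.0.0.5", "10.0.0.9", 51000, 443, 0x10, 64, 64240)),  # ACK
])
# host2 is a gateway three hops away from the server, so the server's replies arrive with TTL 61.
HOST2_CAPTURE = pcap_global_header() + b"".join([
    pcap_record(T0 + 600,  build_frame("10.0.0.9", "10.0.0.5", 443, 51000, 0x12, 61, 65535)),  # SYN/ACK
    pcap_record(T0 + 5000, build_frame("10.0.0.9", "10.0.0.5", 443, 51000, 0x14, 61, 0)),      # RST/ACK, zero window
])

MERGED = merge_pcaps(HOST1_CAPTURE, HOST2_CAPTURE)

if __name__ == "__main__":
    for row in summarize(MERGED):
        print(row)
```

Concatenating the two captures with cat instead of merge_pcaps would leave HOST2_CAPTURE's 24-byte global header inside the stream, which is exactly what happens when two tcpdumps write to one FIFO. Real captures from two hosts also both contain both directions of the conversation; the merge does not deduplicate, so expect every packet twice when the hosts are on the same path.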

TLS Decrypted

To read TLS application data, Wireshark needs the session secrets negotiated between client and server, not the server's private key (with (EC)DHE key exchange, which is the norm today, the private key alone decrypts nothing). The secrets go into a key log file in the NSS key log format (one CLIENT_RANDOM line per TLS 1.2 session, several *_TRAFFIC_SECRET lines per TLS 1.3 session). Wireshark matches each line to a session through the Client Random in the ClientHello, so the capture must contain the handshake.

There are two ways to obtain the file:

Linux + Mac

Export the SSLKEYLOGFILE variable before starting the application. Firefox, Chrome/Chromium and curl (when built against a TLS library that supports it) honour it; most other programs ignore it.

echo 'export SSLKEYLOGFILE=/tmp/sslkeylogfile.log' >> ~/.bash_profile

Anyone who can read the file can decrypt the captured sessions, so restrict its permissions and delete it when done.

Java Apps

The JVM does not honour SSLKEYLOGFILE. Attach the extract-tls-secrets Java agent to the running application to write its TLS secrets to a file:

https://github.com/neykov/extract-tls-secrets

Install a Java JDK

wget https://download.oracle.com/java/17/latest/jdk-17_linux-x64_bin.tar.gz
wget https://repo1.maven.org/maven2/name/neykov/extract-tls-secrets/4.0.0/extract-tls-secrets-4.0.0.jar
tar -xzvf jdk-17_linux-x64_bin.tar.gz
ln -s jdk-17.0.9/bin/java .                                    # the extracted directory name depends on the version downloaded
echo "export JAVA_HOME=$(pwd)/jdk-17.0.9" >> ~/.bash_profile    # JAVA_HOME is the JDK root, not its bin directory

Run the extract-tls-secrets .jar

java -jar ~/Downloads/extract-tls-secrets-4.0.0.jar list                   # list the JVMs the agent can attach to
java -jar ~/Downloads/extract-tls-secrets-4.0.0.jar <pid> /tmp/secrets.log  # attach to <pid> and write its secrets to the file

Point Wireshark at the key log file in:

Preferences > Protocols > TLS > (Pre)-Master-Secret Log Filename
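How Wireshark pairs the key log with a session, as an added example that is not code from this repo or from the tools above: the script parses a constructed key log file in the NSS format Wireshark reads, extracts the Client Random from a constructed ClientHello record, and reports whether the log holds secrets for that session. The randoms, secrets and the ClientHello are fabricated. This is the first check to run when a capture stays encrypted: no line for the session's Client Random means the log does not cover that session (the application ignored SSLKEYLOGFILE, or the handshake happened before the agent was attached), not that Wireshark is misconfigured.

```python
"""Match a TLS key log against ClientHello randoms (added example, constructed data)."""
import string
import struct

TLS13_LABELS = {"CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
                "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET"}
VALID_LABELS = TLS13_LABELS | {"CLIENT_RANDOM"}  # CLIENT_RANDOM carries the TLS 1.2 master secret


def _is_hex(text, length=None):
    return (length is None or len(text) == length) and all(c in string.hexdigits for c in text)


def parse_keylog(text):
    """Return ({client_random_hex: {label: secret_hex}}, [malformed line numbers])."""
    secrets, bad = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] not in VALID_LABELS \
                or not _is_hex(parts[1], 64) or not _is_hex(parts[2]):
            bad.append(lineno)
            continue
        secrets.setdefault(parts[1].lower(), {})[parts[0]] = parts[2].lower()
    return secrets, bad


def client_random_from_record(record):
    """Pull the 32-byte Client Random out of a TLS record that carries a ClientHello."""
    content_type, _version, length = struct.unpack("!BHH", record[:5])
    if content_type != 22:
        raise ValueError("not a handshake record")
    handshake = record[5:5 + length]
    if handshake[0] != 1:
        raise ValueError("not a ClientHello")
    return handshake[6:38].hex()  # skip handshake type (1), length (3), client version (2)


def build_client_hello(random32):
    """Constructed minimal ClientHello: one cipher suite, null compression, no extensions."""
    body = b"\x03\x03" + random32 + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def decryptable(keylog_text, record):
    """Say what the key log offers for the session a ClientHello record belongs to."""
    secrets, _bad = parse_keylog(keylog_text)
    entry = secrets.get(client_random_from_record(record))
    if not entry:
        return "no secrets for this Client Random"
    if "CLIENT_RANDOM" in entry:
        return "TLS 1.2 master secret available"
    return "TLS 1.3 traffic secrets: " + ", ".join(sorted(entry))


RAND_A = bytes(range(32))        # a TLS 1.2 session that is in the log
RAND_B = bytes(range(32, 64))    # a session missing from the log
RAND_C = bytes(range(64, 96))    # a TLS 1.3 session that is in the log
KEYLOG = "\n".join([
    "# constructed key log, not from a real session",
    f"CLIENT_RANDOM {RAND_A.hex()} {'ab' * 48}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {RAND_C.hex()} {'11' * 32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {RAND_C.hex()} {'22' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {RAND_C.hex()} {'33' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {RAND_C.hex()} {'44' * 32}",
    "CLIENT_RANDOM deadbeef truncated",   # malformed line: reported, not silently dropped
])

if __name__ == "__main__":
    for rand in (RAND_A, RAND_B, RAND_C):
        print(rand[:4].hex(), decryptable(KEYLOG, build_client_hello(rand)))
    print("malformed lines:", parse_keylog(KEYLOG)[1])
```

In Wireshark the same check is manual: read the Client Random from the ClientHello (field tls.handshake.random) and grep the key log for it.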

Results

(screenshot: tls_decrypted)

About

Notes and tips about Wireshark and tcpdump analyses
