Wireshark

Exmples how to use Wireshark

These are common Wireshark commands

  • Filter http & https traffic in wireshark
    tcp port https
    tcp port http
  • Non-standard port,XX which is the port in use
    tcp.port == xx
    tcp.port == 80
    tcp.port == 443
  • View only HTTP GET or POST requests
    http.request.method == "GET"
    http.request.method == "POST"
  • View only specific target host
    http.host == "host.example.com"
  • View only ssl handshake
    http.request or ssl.handshake.type == 1

To inspect traffic in TLS packets you have to preform the following

  • Create User Variable in Windows
    SSLKEYLOGFILE
    %USERPROFILE%\AppData\Local\Temp\sslkeylog.log
  • Create User Variable in Linux
    vi ~/.bashrc
    export SSLKEYLOGFILE=~/ssl-key.log
    source ~/.bashrc
    touch ~/ssl-key.log
    echo $SSLKEYLOGFILE
    start firefox from cli and all other browsers should be closed.

Load the SSL key log file in Wireshark

  • Open Wireshark on your client system
    Go to Edit > Preferences > Protocols > TLS.
    For the (Pre)-Master-Secret log filename, select Browse and locate the SSL log file you created (ssl-key.log) and Select OK

Changing Your Column Display

  • Hiding Columns
    Right-click on any of the column headers to bring up the column header menu.
    No. and Length columns unchecked and hidden.
  • Removing Columns
    To remove columns, right-click on the column headers you want to remove.
    Then select "Remove this Column..." from the column header menu.
  • Adding Columns
    Right-click on any of the column headers, then select "Column Preferences...
    Left-click on the plus sign. An entry titled "New Column" should appear at the bottom of the column list.
    Double-click on the "New Column" and rename it as "Source Port."
    Double-click on "Number" to bring up a menu, then scroll to "Src port (unresolved)" and select that for the column type.
    After the source port has been, add another column titled "Destination Port" with the column type "Dest port (unresolved)."
    Now we have in order from top to bottom: Time, Source, Source Port, Destiantion, Destination Port, Info
    After adding the source and destination port columns, click the "OK" button to apply the changes. These new columns are automatically aligned to the right, so right-click on each column header to align them to the left, so they match the other columns.
  • Changing Time to UTC
    Go to the "View" menu, maneuver to "Time Display Format," and change the value from "Seconds Since Beginning of Capture" to "UTC Date and Time of Day." Use the same menu path to change the resolution from "Automatic" to "Seconds."
    wireshark
  • Adding Custom Columns
    To quickly find domains used in HTTP traffic, use the Wireshark filter http.request and examine the frame details window.
    In the frame details window, expand the line titled "Hypertext Transfer Protocol" by left clicking on the arrow that looks like a greater than sign to make it point down.
    croll down to the line starting with "Host:" to see the HTTP host name.
     Left click on this line to select it. Right click on the line to bring up a menu. Near the top of this menu, select "Apply as Column." This should create a new column with the HTTP host name.
    To find domains used in encrypted HTTPS traffic, use the Wireshark filter ssl.handshake.type == 1 and examine the frame details window.
    In the frame details window, expand the line titled "Secure Sockets Layer." Then expand the line for the TLS Record Layer. Below that expand another line titled "Handshake Protocol: Client Hello."
    Below the "Handshake Protocol: Client Hello" line, expand the line that starts with "Extension: server_name."
    Under that is "Server Name Indication extension" which contains several Server Name value types when expanded. Select the line that starts with "Server Name:" and apply it as a column.
    With this customization, we can filter on http.request or ssl.handshake.type == 1
  • Wireshark Cheet sheet
    Cheetsheet
    wireshark