more on JOHLEM.net

+----------------------------------------------------------+
| Wireshark                                                |
|                                                          |
| **Product Overview, Functionalities, & Usage**           |
+----------------------------------------------------------+

**Wireshark** is a widely used open-source network protocol analyzer. It captures and analyzes network traffic in real time, allowing network administrators and security professionals to inspect data packets, troubleshoot network issues, and detect malicious activity. Wireshark supports hundreds of protocols and runs on various platforms such as Windows, macOS, and Linux.

**Key Functionalities**:

- **Packet Capture**: Captures live traffic on various network interfaces (Ethernet, Wi-Fi, etc.).
- **Protocol Analysis**: Decodes and analyzes network protocols to help identify issues or threats.
- **Filtering**: Offers powerful filters to focus on specific traffic types (IP, TCP, HTTP, DNS, etc.).
- **Export and Save**: Exports captured data for later analysis or sharing in different formats (PCAP, CSV, etc.).
- **Packet Reassembly**: Reconstructs TCP streams or network sessions for easier analysis.
- **Statistics**: Provides statistics such as protocol hierarchies, packet lengths, and conversations for network performance insights.

**Usage**:

Wireshark is used by network administrators, engineers, and cybersecurity professionals to analyze network traffic, troubleshoot network issues, and investigate suspicious activity. It can be used in real time or to analyze previously captured traffic.

**Recommendations**:

- Use capture filters to minimize the volume of data collected.
- Apply display filters to focus on relevant packets during analysis.
- Regularly update Wireshark to ensure support for the latest protocols and security features.
- Export specific conversations or streams for detailed analysis in other tools.
- Use Wireshark in combination with other network security tools for comprehensive network monitoring.

+----------------------------------------------------------+
| Most Common Tasks (How-To)                               |
+----------------------------------------------------------+

[ 1. Capture Network Traffic ]
------------------------------------------------------------
- **Purpose**: To capture live traffic on your network for analysis.
- **Steps**:
  1. Open Wireshark.
  2. Select the appropriate network interface (e.g., Ethernet, Wi-Fi) from the interface list.
  3. Click "Start" to begin capturing packets.
  4. To stop the capture, click "Stop" (red square button).
  5. Save the capture as a PCAP file for further analysis.

[ 2. Apply Capture Filters ]
------------------------------------------------------------
- **Purpose**: To limit the traffic captured based on protocols or conditions.
- **Steps**:
  1. Before starting a capture, select the desired interface.
  2. Enter the capture filter in the capture filter bar. Common examples:
     - `host 192.168.1.1` (capture traffic to/from a specific host)
     - `tcp port 80` (capture HTTP traffic)
     - `icmp` (capture ping requests and replies)
  3. Start the capture. Only packets matching the filter will be captured.

[ 3. Apply Display Filters ]
------------------------------------------------------------
- **Purpose**: To filter out unnecessary traffic during analysis and focus on relevant packets.
- **Steps**:
  1. After capturing traffic, enter a display filter in the filter bar. Common examples:
     - `ip.src == 192.168.1.100` (packets from a specific IP address)
     - `tcp.port == 443` (filter HTTPS traffic)
     - `dns` (only show DNS packets)
  2. Click "Apply" to filter the displayed packets according to your filter.
  3. Combine multiple filters using logical operators (e.g., `&&`, `||`).

[ 4. Analyze HTTP/HTTPS Traffic ]
------------------------------------------------------------
- **Purpose**: To inspect HTTP or HTTPS requests and responses for troubleshooting or security analysis.
- **Steps**:
  1. Capture traffic using Wireshark (use filters to narrow down results).
  2. Apply a display filter: `http` (for HTTP) or `ssl`/`tls` (for encrypted HTTPS).
  3. Select a packet and navigate to the "Packet Details" pane.
  4. Expand the HTTP/TLS layer to inspect headers, requests, and responses.
  5. Use "Follow TCP Stream" (right-click on a packet) to view the full conversation.

[ 5. Export Captured Packets ]
------------------------------------------------------------
- **Purpose**: To save or export packets for sharing or further analysis.
- **Steps**:
  1. After capturing traffic, go to: `File > Export Specified Packets`.
  2. Choose the range of packets to export (e.g., all packets, selected packets).
  3. Select the export format (PCAP, CSV, JSON, etc.).
  4. Save the file for future analysis or sharing with other tools.

[ 6. Follow TCP Streams ]
------------------------------------------------------------
- **Purpose**: To reconstruct and analyze complete TCP conversations (e.g., HTTP sessions).
- **Steps**:
  1. Capture traffic and apply any relevant filters.
  2. Right-click on a TCP packet and select "Follow > TCP Stream".
  3. Wireshark will reconstruct the entire TCP conversation (e.g., HTTP request-response).
  4. You can switch between client/server traffic in the stream window.
  5. Use the "Save As" button to export the stream as a text file for further analysis.

[ 7. View Protocol Statistics ]
------------------------------------------------------------
- **Purpose**: To get insights into the protocols and traffic patterns in a capture.
- **Steps**:
  1. After capturing traffic, go to: `Statistics > Protocol Hierarchy`.
  2. Review the breakdown of protocols used in the captured traffic.
  3. You can also view conversations, endpoint details, and I/O graphs under the `Statistics` menu.

[ 8. Capture Passwords and Credentials ]
------------------------------------------------------------
- **Purpose**: To investigate clear-text protocols that might expose sensitive information.
- **Steps**:
  1. Capture network traffic and apply relevant filters (e.g., `http`, `ftp`, `telnet`).
  2. Use "Follow TCP Stream" to reassemble the conversation.
  3. Look for sensitive information like HTTP basic authentication, FTP passwords, etc.
  4. Always handle sensitive data ethically and within legal constraints.

+----------------------------------------------------------+
| Wireshark Administration                                 |
+----------------------------------------------------------+

[ Basic Commands ]
------------------------------------------------------------
1. Start a capture immediately on an interface:
   Command: `wireshark -i <interface> -k`
2. Start a capture with a capture filter:
   Command: `wireshark -i <interface> -f "<capture filter>" -k`
   - Example: `wireshark -i eth0 -f "tcp port 80" -k`
3. Save the capture to a file:
   - Click `File > Save As` in the Wireshark GUI.
   - Use the `-w` option on the command line:
     Command: `wireshark -i <interface> -k -w /path/to/file.pcap`
4. Display statistics:
   Command: `tshark -i <interface> -q -z io,stat,1` (prints I/O statistics in 1-second intervals; `-q` suppresses the per-packet output, so this is a `tshark` rather than a `wireshark` command)
5. Apply display filters via CLI:
   Command: `wireshark -r <file.pcap> -Y "<display filter>"`
   - Example: `wireshark -r capture.pcap -Y "http"`

[ Capture Filters (CLI and GUI) ]
------------------------------------------------------------
1. Capture only traffic to/from a specific IP:
   Capture Filter: `host 192.168.1.1`
2. Capture only HTTP traffic (TCP port 80):
   Capture Filter: `tcp port 80`
3. Capture ICMP (ping) traffic:
   Capture Filter: `icmp`
4. Capture all traffic on a specific subnet:
   Capture Filter: `net 192.168.1.0/24`

[ Display Filters (For Packet Analysis) ]
------------------------------------------------------------
1. Filter for packets from a specific IP:
   Display Filter: `ip.src == 192.168.1.1`
2. Filter for HTTP packets:
   Display Filter: `http`
3. Filter for DNS requests:
   Display Filter: `dns`
4. Filter for TCP packets with errors:
   Display Filter: `tcp.analysis.flags` (packets flagged by TCP expert analysis: retransmissions, duplicate ACKs, zero window, etc.)

[ Log Management and Export ]
------------------------------------------------------------
1. Export captured packets:
   Command: `tshark -r /path/to/file.pcap -w /path/to/export.pcap` (add `-Y "<display filter>"` to export only the packets matching a display filter)
2. Export packets in JSON format:
   Command: `tshark -r /path/to/file.pcap -T json > output.json`
3. View packet statistics (protocol hierarchy, conversations, etc.):
   Command: `tshark -r /path/to/file.pcap -q -z io,phs -z conv,tcp`
4. Generate packet capture reports:
   Use the `Statistics` menu in the Wireshark GUI or `tshark` in the CLI to create reports.

+----------------------------------------------------------+

Most Common Tasks (How-To) Summary:

• Capture Network Traffic: Start capturing live network packets on the desired interface.
• Apply Capture Filters: Limit the traffic captured during analysis by defining capture filters (e.g., IP, ports, protocols).
• Apply Display Filters: Focus on relevant packets after capture by applying display filters in the Wireshark interface.
• Analyze HTTP/HTTPS Traffic: Inspect web traffic for security analysis or troubleshooting.
• Export Captured Packets: Save packets for further analysis or sharing with other tools.
• Follow TCP Streams: Reassemble and analyze TCP conversations (e.g., HTTP sessions).
• View Protocol Statistics: Analyze protocol distribution and traffic patterns.
• Capture Passwords and Credentials: Investigate clear-text protocols for security research (always handle ethically).
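Added example for the display-filter how-to (section 3 and the "Display Filters" list above); this is not code from the cheat sheet or from the Wireshark project. It is a small Python evaluator for the filter subset the sheet uses (`proto`, `field == value`, `&&`, `||`), run over constructed sample packets, and it shows two things the text only implies: `&&` binds tighter than `||`, and `tcp.port == 443` matches either direction because the field occurs twice in a packet. The packet dicts and their values are assumptions for illustration.

```python
import re

# Evaluator for the display-filter subset this cheat sheet uses:
#   proto           -> protocol/field present             (e.g. dns)
#   field == value  -> ANY occurrence equals the value    (tcp.port == 443 hits either direction)
#   && / ||         -> && binds tighter than ||, as in Wireshark; !, != and ( ) are not supported
ATOM = re.compile(r'^([A-Za-z0-9_.]+)(?:\s*==\s*"?([^"]*?)"?)?$')

def match_atom(atom, pkt):
    """pkt maps field name -> set of string values; a bare protocol maps to an empty set."""
    m = ATOM.match(atom)
    if not m:
        raise ValueError(f"unsupported filter expression: {atom!r}")
    field, value = m.group(1), m.group(2)
    if value is None:                         # bare name: protocol/field present
        return field in pkt
    return value in pkt.get(field, set())     # any occurrence equal -> match

def evaluate(filter_text, pkt):
    """True if pkt matches; an empty filter matches everything, as in Wireshark."""
    if not filter_text.strip():
        return True
    for disjunct in filter_text.split("||"):          # lowest precedence: ||
        if all(match_atom(a.strip(), pkt) for a in disjunct.split("&&")):
            return True
    return False

def apply_filter(filter_text, packets):
    """Indices of matching packets, i.e. the rows Wireshark leaves in the packet list."""
    return [i for i, p in enumerate(packets) if evaluate(filter_text, p)]

# Constructed sample packets (not a real capture); fields as Wireshark exposes them.
# tcp.port / udp.port carry BOTH ports, which is why "tcp.port == 443" matches either direction.
SAMPLE = [
    {"ip": set(), "ip.src": {"192.168.1.100"}, "ip.dst": {"93.184.216.34"},
     "tcp": set(), "tcp.port": {"51234", "443"}, "tls": set()},
    {"ip": set(), "ip.src": {"192.168.1.1"}, "ip.dst": {"192.168.1.100"},
     "udp": set(), "udp.port": {"53", "40001"}, "dns": set()},
    {"ip": set(), "ip.src": {"192.168.1.100"}, "ip.dst": {"10.0.0.5"},
     "tcp": set(), "tcp.port": {"51235", "80"}, "http": set()},
]

if __name__ == "__main__":
    for f in ("tcp.port == 443", "dns && tcp || http", "ip.src == 192.168.1.100 && tcp.port == 443"):
        print(f"{f:48} -> packets {apply_filter(f, SAMPLE)}")
```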
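Added example for the "Log Management and Export" JSON export and the Follow TCP Streams / Protocol Statistics how-tos (sections 6 and 7); this is not code from the cheat sheet or from the Wireshark project. It reads the document that `tshark -r file.pcap -T json` writes and rebuilds the Protocol Hierarchy, Conversations and Follow TCP Stream views offline. The embedded sample is constructed in tshark's JSON layout (one object per packet, layers under `_source.layers`, all values as strings) rather than taken from a real capture.

```python
import json

# Constructed sample in the layout `tshark -r file.pcap -T json` emits (not a real capture):
# one object per packet, layers under "_source.layers", every field value as a string.
def pkt(src, dst, proto, sport, dport, length, chain, stream=None):
    layers = {"frame": {"frame.len": str(length), "frame.protocols": chain},
              "ip": {"ip.src": src, "ip.dst": dst},
              proto: {f"{proto}.srcport": str(sport), f"{proto}.dstport": str(dport)}}
    if stream is not None:
        layers["tcp"]["tcp.stream"] = str(stream)   # tshark numbers TCP streams from 0
    return {"_source": {"layers": layers}}
SAMPLE_JSON = json.dumps([
    pkt("192.168.1.100", "93.184.216.34", "tcp", 51234, 443, 74, "eth:ethertype:ip:tcp", 0),
    pkt("93.184.216.34", "192.168.1.100", "tcp", 443, 51234, 74, "eth:ethertype:ip:tcp", 0),
    pkt("192.168.1.100", "93.184.216.34", "tcp", 51234, 443, 583, "eth:ethertype:ip:tcp:tls", 0),
    pkt("192.168.1.100", "192.168.1.1", "udp", 40001, 53, 71, "eth:ethertype:ip:udp:dns"),
    pkt("192.168.1.1", "192.168.1.100", "udp", 53, 40001, 87, "eth:ethertype:ip:udp:dns"),
    pkt("192.168.1.100", "10.0.0.5", "tcp", 51235, 80, 66, "eth:ethertype:ip:tcp", 1),
])

def load_packets(text):  # per-packet layer dicts from a tshark -T json document
    return [entry["_source"]["layers"] for entry in json.loads(text)]

def protocol_hierarchy(packets):
    """Packets/bytes per protocol-chain prefix, like Statistics > Protocol Hierarchy."""
    stats = {}
    for layers in packets:
        parts = layers["frame"]["frame.protocols"].split(":")
        for depth in range(1, len(parts) + 1):      # a packet counts at every level of its chain
            row = stats.setdefault(":".join(parts[:depth]), {"packets": 0, "bytes": 0})
            row["packets"] += 1
            row["bytes"] += int(layers["frame"]["frame.len"])
    return stats

def conversations(packets, proto="tcp"):
    """Direction-agnostic endpoint pairs with totals, like Statistics > Conversations."""
    convs = {}
    for layers in packets:
        if proto not in layers:
            continue
        a = (layers["ip"]["ip.src"], layers[proto][f"{proto}.srcport"])
        b = (layers["ip"]["ip.dst"], layers[proto][f"{proto}.dstport"])
        # sorting the endpoints makes both directions land in the same row
        row = convs.setdefault(tuple(sorted((a, b))), {"packets": 0, "bytes": 0})
        row["packets"] += 1
        row["bytes"] += int(layers["frame"]["frame.len"])
    return convs

def tcp_stream(packets, stream_id):
    """Indices of one TCP stream; the CLI form of Follow > TCP Stream is -Y "tcp.stream eq N"."""
    return [i for i, l in enumerate(packets) if l.get("tcp", {}).get("tcp.stream") == str(stream_id)]
```

Run it against a real export with `load_packets(open("output.json").read())`; the field names used here (`frame.len`, `frame.protocols`, `ip.src`, `tcp.srcport`, `tcp.stream`) are the ones tshark emits.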