Wireshark: Information Gathering + Helpful Tools

Introduction

Hello and welcome to my second post about Wireshark. In this post I’m going to go over some more tips that will come in handy in your packet capture analysis, and I will also demonstrate finding malware with Wireshark.

Whether you are doing network troubleshooting or security analysis, it is important to know your network protocols. Each protocol carries different and important information about the systems in the capture. That information tells you not only what is going on in the network but also hostnames, usernames, the domain they belong to, and what kind of device is involved. Captures can also run to thousands of packets, and a good grasp of these protocols makes it easier to sort through a capture to find the information you need, locate network problems, and even spot attacks.

To start, I’ll show you some protocols that hold that important information, and by the end I’ll take all of these methods and apply them to find malicious activity within a capture.

Information Gathering

DHCP

The first protocol I will show is DHCP. You can filter Wireshark to show only DHCP packets by typing dhcp into the filter bar.

Filtering for DHCP packets

Next, select the DHCP Request packet and start digging for some of those details. Without going any further we can find the MAC address of the client machine; in this instance you can see that Wireshark has already identified that I am using a virtual machine. Two other things we can find in a DHCP packet are the client hostname “saw” and the domain it belongs to, “dean.alexander”. You will find these in the Host Name option and the Client Fully Qualified Domain Name option.

Gathering info from DHCP
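To show what those DHCP fields look like on the wire, here is an added Python example (not code from this post) that builds a constructed DHCP Request carrying the same Host Name and Client FQDN values as above and pulls out the client MAC, hostname and FQDN the way Wireshark’s packet details pane presents them. The MAC address is made up but uses the VirtualBox vendor prefix 08:00:27, the kind of prefix Wireshark’s MAC name resolution uses to recognise a virtual machine; the transaction ID and option layout are assumptions for the sample.

```python
import struct
MAGIC_COOKIE = b"\x63\x82\x53\x63"
MESSAGE_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 5: "ACK", 6: "NAK"}

def build_sample_request():
    mac = bytes.fromhex("080027abcdef")          # made-up MAC with the VirtualBox OUI 08:00:27
    # BOOTP header (236 bytes): op=1 request, htype=1, hlen=6, hops, xid, secs, flags, 4 zero addrs, chaddr, sname, file
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    fqdn = b"\x04\x00\x00" + b"\x03saw\x04dean\x09alexander\x00"   # E flag set: DNS-style labels
    options = (b"\x35\x01\x03"                   # option 53: message type = Request
               + bytes([12, 3]) + b"saw"         # option 12: Host Name
               + bytes([81, len(fqdn)]) + fqdn   # option 81: Client FQDN
               + b"\xff")                        # end of options
    return header + MAGIC_COOKIE + options

def parse_options(raw):
    # Walk the TLV option list: code 0 is a single pad byte, 255 ends the list.
    opts, i = {}, 0
    while i < len(raw) and raw[i] != 255:
        if raw[i] == 0:
            i += 1
        else:
            code, length = raw[i], raw[i + 1]
            opts[code] = raw[i + 2:i + 2 + length]
            i += 2 + length
    return opts

def decode_fqdn(value):
    # Option 81: 3 header bytes, then the name as plain ASCII (E flag clear) or DNS labels (E set).
    flags, name = value[0], value[3:]
    if not flags & 0x04:
        return name.decode()
    labels, i = [], 0
    while i < len(name) and name[i] != 0:
        labels.append(name[i + 1:i + 1 + name[i]].decode())
        i += 1 + name[i]
    return ".".join(labels)

def dhcp_summary(packet):
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: magic cookie missing")
    chaddr = packet[28:28 + packet[2]]           # hlen (byte 2) gives the used length of chaddr
    opts = parse_options(packet[240:])
    return {"message_type": MESSAGE_TYPES.get(opts[53][0]) if 53 in opts else None,
            "client_mac": ":".join(f"{b:02x}" for b in chaddr),
            "hostname": opts[12].decode() if 12 in opts else None,
            "client_fqdn": decode_fqdn(opts[81]) if 81 in opts else None}
```

Calling dhcp_summary(build_sample_request()) gives the same MAC, hostname and FQDN you would read off the packet details pane; decode_fqdn also accepts the plain ASCII form of option 81 that some clients send.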

Kerberos

Another surprising thing you can find in packet captures is who is logged into a system. One way to find this is through Kerberos. Kerberos is a network authentication protocol that secures connections between clients and servers; for instance, Kerberos is used when a user logs into a client system that is part of a domain. Finding a username can take some digging with Kerberos, since there can be tons of ticket requests that don’t hold the information you want. This is where creating columns, from my last blog post, can really help out.

To make the username easier to find we are going to create a column in our preferences. 

Steps to add a column

1. Click the plus button for a new column.

2. Enter the name you want for the column and click Custom. Under “Fields”, enter kerberos.CNameString.

3. Tick the box to have the column displayed.

4. Then select OK.

Entering “kerberos.CNameString” tells Wireshark to pull the client name value out of each packet.

Column added for Kerberos Client Name

Now, instead of going to each packet and searching through the packet details as in the image below, we can just scroll through the capture to find that detail. It is also important to note that “internal$” is not an actual username; it is the name of the system (machine account names end in $). If you want to remove those from your column, use the filter kerberos.CNameString && !(kerberos.CNameString contains "$").

DHCP and Kerberos are two ways to find important information. Other places you can find it are NetBIOS, SMB and many other network protocols. Don’t be afraid to dive into different protocols; you will be surprised what you discover.

Now that we have some reconnaissance methods for learning which machines are making connections and who is using the systems, we can go over some of the Wireshark statistics tools that will make life a little easier when analyzing a capture.

Wireshark Statistic Tools

Statistics tools are sets of data that Wireshark gathers from the capture and presents in a way that is useful to you. The two I have found most useful so far, especially when it comes to malicious activity, are the I/O graph and Endpoints.

Statistics Tab

I/O Graph

The I/O graph gives you a timeline of the capture showing how many packets were sent at each point in time. This is extremely useful because the chart is customizable, in a way very similar to adding a column. One example is setting the graph to show only the packets that Wireshark has flagged in its analysis. Wireshark analyzes packets as it dissects them and flags any that could indicate a problem, such as a TCP three-way handshake that never completes, or packets that are retransmitted with very little time in between. Both cases can be very useful when troubleshooting or doing a security analysis. There are many other reasons why Wireshark flags a packet; if you would like more detail, visit https://www.wireshark.org/docs/wsug_html_chunked/ChAdvTCPAnalysis.html.

I/O Statistics Graph

As you can see from the chart, it is easy to identify when a lot of these flags occurred. Knowing that timeline can help you locate an issue on your network, and it can also be evidence of malicious activity.

Endpoints

Endpoints takes every IP address in the capture and provides counts such as the number of packets and total bytes. What makes it so great is that you don’t need to sort through every packet to find every system in the capture, and it comes with details that give you an idea of how much activity each one was up to. The screenshot below shows what Endpoints looks like. You can also see there that three IP addresses are sending a lot more than the others; those are the three places I would look first when doing a security analysis.

Endpoints stats
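To make concrete what the I/O graph and Endpoints are computing, here is an added Python example (not code from this post or from Wireshark) that reproduces both statistics over a handful of constructed packet summaries: per-IP packet and byte totals split into sent and received, the same totals sorted to find the heaviest talkers, and packets per one-second bucket with an optional restriction to packets carrying a TCP analysis flag, which is what the graph above shows. The addresses, times and flags are made up for the sample.

```python
from collections import defaultdict

# Constructed packet summaries, one per frame: (time in seconds, source IP,
# destination IP, frame length in bytes, set of TCP analysis flags Wireshark would attach)
PACKETS = [
    (0.2, "10.0.0.5", "192.0.2.10", 74, set()),
    (0.3, "192.0.2.10", "10.0.0.5", 74, set()),
    (0.4, "10.0.0.5", "192.0.2.10", 1514, set()),
    (1.1, "10.0.0.5", "198.51.100.7", 74, set()),
    (1.6, "10.0.0.5", "198.51.100.7", 74, {"retransmission"}),
    (2.2, "10.0.0.5", "198.51.100.7", 74, {"retransmission"}),
    (2.5, "10.0.0.5", "203.0.113.9", 74, set()),
    (2.6, "203.0.113.9", "10.0.0.5", 1514, set()),
    (2.7, "203.0.113.9", "10.0.0.5", 1514, set()),
    (3.0, "10.0.0.5", "203.0.113.9", 60, set()),
]

def endpoints(packets):
    # Per-IP packet and byte counts, split into Tx and Rx like Statistics > Endpoints.
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "tx_packets": 0,
                                 "tx_bytes": 0, "rx_packets": 0, "rx_bytes": 0})
    for _, src, dst, length, _ in packets:
        stats[src]["tx_packets"] += 1
        stats[src]["tx_bytes"] += length
        stats[dst]["rx_packets"] += 1
        stats[dst]["rx_bytes"] += length
        for ip in (src, dst):          # every frame counts once for each of its two endpoints
            stats[ip]["packets"] += 1
            stats[ip]["bytes"] += length
    return dict(stats)

def top_talkers(packets, n=3):
    # Endpoints sorted by total bytes: the view used above to decide where to look first.
    ranked = sorted(endpoints(packets).items(), key=lambda kv: kv[1]["bytes"], reverse=True)
    return [ip for ip, _ in ranked[:n]]

def io_graph(packets, interval=1.0, flag=None):
    # Packets per time bucket; with flag set, only frames carrying that analysis flag are
    # counted, which is the I/O graph with a display filter such as tcp.analysis.flags.
    buckets = defaultdict(int)
    for t, _, _, _, flags in packets:
        if flag is None or flag in flags:
            buckets[int(t // interval)] += 1
    return dict(sorted(buckets.items()))
```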

Demo

So far in this post I have shown some ways to derive information from a capture and to use Wireshark’s statistics to help you locate events. Below is a video where I demonstrate what I have outlined so far. For fun I will also locate malicious activity in a packet capture.


For the demonstration I am using a packet capture called “2022-02-23-traffic-analysis-exercise” from https://www.malware-traffic-analysis.net/2022/02/23/index.html. I believe it is extremely important to tell you to use caution when downloading and opening captures. Some packet captures hold all the data that was sent across a network, and where there was malicious activity they will contain malware files that can damage your system. I highly recommend using a sandbox environment such as VirtualBox or VMware to analyze packet captures.



Summary

In this blog post I have pointed out ways you can retrieve information like computer names and usernames from a packet capture. My video gave a short introduction to finding malicious activity. I hope you enjoyed everything so far, and good luck in your Wireshark adventures!

