Analyzing Wireshark Traffic
Wireshark allows you to break apart the communication protocols on a LAN or WLAN. For starters, you will need your network interface in promiscuous mode so that it sniffs all traffic, not just frames addressed to your host. Then select your listening interface and Wireshark will start logging data.
Using a standard Wireshark install, here are some interesting color-coded protocols to note:
ARP packets are shown in a baby blue box. ARP is used to map an IP address to a physical MAC address, and a packet usually contains only the sender's IP and MAC and the target's IP and MAC. ARP is often subject to gratuitous ARP attacks or ARP spoofing. Most of the normal broadcasts read "Who has IP xx.xx.xx.xx?", whereas in an ARP cache poisoning attack the same MAC address turns up in the replies for many different IP addresses.
HTTP data shows up in a light green box. This is normal web traffic riding over port 80; here you can see the HTTP, TCP, IP, Ethernet and Frame layers.
SMB data shows up in a light yellow box. This covers smb, nbss, nbns, nbipx, ipxsap and netbios transmissions, which carry shared-resource traffic between network utilities, such as shared files, printers and ports. It also provides authentication on legacy Windows systems, such as "Microsoft Windows Network".
TCP segments are shown in a light purple box. These include the usual Transmission Control Protocol data, such as SYN or ACK flags, along with everything beneath it (IP, Ethernet and Frame). Sometimes there is an extra layer when the transmission is TLSv1: this extra protocol, Secure Sockets Layer, provides application layer encryption.
UDP packets are shown in a sky blue box. UDP is stateless, so you will not see any connection flags at all, but it is worth noting the source and destination ports and the type of application protocol travelling over the UDP connection.
ICMP, the Internet Control Message Protocol, is a core internet layer protocol used by the operating systems of networked computers. It appears in purple boxes for typical messages such as pings, and in black boxes with green text for ICMP error messages alerting the system that a remote host was unreachable. A stream of such replies is the system reporting on closed ports, and could indicate your machine is being port scanned. ICMP is rarely called by end-user applications and is used more for coordinating communications, although not in the way TCP or UDP are used.
TCP SYN/FIN flags show up in a dark grey box. These are used when a host wants to end an established connection. If too many of these flood the Wireshark logs, it could indicate you are the target of a port scan.
TCP RST flags show up in a red box with bright yellow text. RST indicates an established connection should be reset, and when your logs are flooded with them, this is another strong indication you are being port scanned.
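As an added example (not from the original post) of turning two of the indicators above into a check, the script below reads a tshark field export, flags ARP replies in which one MAC claims several IPs, and counts SYN/FIN/RST segments per source to spot RST floods. The tshark field names are real; the capture lines and the flood threshold are constructed.

```python
from collections import Counter, defaultdict

# Constructed (not a real capture) output of:
#   tshark -T fields -E separator=, -e frame.time_relative -e ip.src \
#     -e arp.opcode -e arp.src.hw_mac -e arp.src.proto_ipv4 -e tcp.flags
SAMPLE_EXPORT = """\
0.000,,1,aa:bb:cc:00:00:01,10.0.0.1,
0.002,,2,aa:bb:cc:00:00:02,10.0.0.254,
0.003,,2,aa:bb:cc:00:00:02,10.0.0.7,
0.004,,2,aa:bb:cc:00:00:02,10.0.0.9,
0.005,,2,aa:bb:cc:00:00:03,10.0.0.3,
0.100,10.0.0.7,,,,0x0002
0.101,10.0.0.9,,,,0x0014
0.102,10.0.0.7,,,,0x0002
0.103,10.0.0.9,,,,0x0014
0.105,10.0.0.9,,,,0x0014
0.200,10.0.0.3,,,,0x0011
"""

FIN, SYN, RST = 0x01, 0x02, 0x04  # bit positions inside tcp.flags
FIELDS = ("time", "ip_src", "arp_opcode", "arp_mac", "arp_ip", "tcp_flags")

def parse_export(text):
    """One dict per tshark line, keyed by FIELDS (empty string = field absent)."""
    return [dict(zip(FIELDS, line.split(","))) for line in text.splitlines() if line]

def arp_macs_claiming_many_ips(records):
    """ARP replies (opcode 2) in which one MAC answers for more than one IP,
    the cache-poisoning pattern described in the post."""
    claims = defaultdict(set)
    for r in records:
        if r["arp_opcode"] == "2":
            claims[r["arp_mac"]].add(r["arp_ip"])
    return {mac: sorted(ips) for mac, ips in claims.items() if len(ips) > 1}

def tcp_flag_counts(records):
    """Per source IP, how many segments carried SYN, FIN or RST."""
    counts = defaultdict(Counter)
    for r in records:
        if r["tcp_flags"]:
            flags = int(r["tcp_flags"], 16)  # hex width varies by version; int() copes
            for name, bit in (("SYN", SYN), ("FIN", FIN), ("RST", RST)):
                if flags & bit:
                    counts[r["ip_src"]][name] += 1
    return counts

def rst_flood_sources(records, threshold=3):
    """Source IPs whose RST count reaches the threshold: a host refusing many
    probes to closed ports, the port-scan indicator the post describes."""
    return {ip: c["RST"] for ip, c in tcp_flag_counts(records).items() if c["RST"] >= threshold}
```

On a real capture, run the tshark command from the comment and feed its output to parse_export; the threshold should be tuned to the normal RST rate of the network being watched.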
This list will be updated as I continue to analyze interesting Wireshark packets over the next week or so!! Be sure to comment with your findings, and check back regularly for updates!!