In this example I will install Wireshark on Ubuntu 16.04 LTS (Xenial).
First: open a terminal and run the command sudo apt-get install wireshark-gtk (this installs Wireshark's GTK graphical interface), hit enter, and enter your password (you must be in the sudoers list to be able to use the sudo command).
Second: launch wireshark-gtk. You can press the Windows key, search for wireshark-gtk and double click it, or just open your terminal and run wireshark-gtk (you can type only wi and then press the Tab key to autocomplete the command; if more than one program or file starts with wi, press Tab twice to list all the available items with that prefix).
Third: you need to allow non-superusers to capture data by adding your user to the wireshark group (which is created automatically by the package) with this command: sudo gpasswd -a allamoox wireshark (assuming I am using the user name allamoox). The new group membership only takes effect after you log out and back in.
Fourth: determine which interface you will capture on. You can run the ifconfig command to see which interface you are using to reach the Internet.
Kill any connection you have, and run a simple ping to ashellz.com.
As we can see, only packets from and to 192.168.1.15 are captured, because I applied the ip.src filter in Wireshark to show only packets whose source IP is my local host. I will right click the first packet and choose Follow UDP (User Datagram Protocol) Stream to analyze it.
In the first line we can see my local host (192.168.1.15) requesting the IP address of ashellz.com from the DNS server (192.168.1.6).
In the second line the DNS server replied to my host with the A record (IPv4 address) of ashellz.com: 192.185.16.67.
Then the host starts to send ICMP (Internet Control Message Protocol) echo requests and receives the replies normally.
In the following picture we can see only requests; we cannot see any reply because we applied the filter ip.src==192.168.1.15.
If we want to see both requests and replies, we should use the filter ip.addr==192.168.1.15 instead, as it matches all packets carrying this IP whether it is the source or the destination.
P.S.: The display filter (ip.src eq 192.168.1.15) is shown at the top of the protocol hierarchy window. You can add a new filter to it, for example by right clicking the User Datagram Protocol line and choosing to apply it as a filter; it will appear beside the ip.src term, as shown below.
NTI.SE
I will open a terminal and ping nti.se to learn its IP address: 31.216.35.44.
Then, to make it easier, I will apply the filter ip.addr == 31.216.35.44 (which is the same as ip.addr eq 31.216.35.44, and the same as ip.dst == 31.216.35.44 or ip.src == 31.216.35.44) so that I see only the traffic exchanged with this website. I will put www.nti.se in my address bar and hit enter.
Data link layer: this is the layer where my host sends the frame from its MAC (Media Access Control) address, 50:7b:9d:8d:78:06, to the router's MAC address, 9c:97:26:cb:29:90.
The Network layer: This is the layer where the IP added to the