
Wireshark

In this example I will install Wireshark on Ubuntu 16.04 LTS (Xenial).
First: open a terminal and run sudo apt-get install wireshark-gtk (this installs the Wireshark graphical
interface), hit Enter, and enter your password (you must be in the sudoers list to be able to use the
sudo command).

Second: launch Wireshark-gtk. You can press the Windows (super) key, search for wireshark-gtk and double-click it,
or just open your terminal and run wireshark-gtk. (You can type only wi and then press the Tab key to
autocomplete the command; if more than one program or file starts with wi, press Tab twice to list all
the available items with that prefix.)

Third: you need to allow non-superusers to capture packets by adding your user to the wireshark group (which the
package creates automatically) with this command: sudo gpasswd -a allamoox wireshark (assuming that I'm using
the user name allamoox).

Fourth: determine which interface you will capture on. You can run the ifconfig command to see which interface
you are using to access the Internet.

Here it is enp3s0 (the wired connection).


Press Ctrl+I, tick the enp3s0 interface, then click Start.

Kill any connection you have, then run a simple ping command to ashellz.com.
As we can see, only packets with 192.168.1.15 as the source are shown, because I applied the ip.src display
filter in Wireshark to show only traffic whose source IP is my local host. I will right-click the first packet
and choose Follow UDP Stream (UDP: User Datagram Protocol) to analyze it.

In the first line we can see my local host (192.168.1.15) asking the DNS server (192.168.1.6) for the IP
address of ashellz.com. In the second line my DNS server replied to my host with the A record (IPv4 address)
of ashellz.com, 192.185.16.67. Then the host starts to send ICMP (Internet Control Message Protocol) echo
requests and receives replies normally.
In the following picture we can see only requests; we can't see any reply because we applied the filter
ip.src == 192.168.1.15.
If we want to see both requests and replies, we should use the filter ip.addr == 192.168.1.15 instead, as it
matches all packets involving this IP regardless of whether it is the source or the destination.

We have a massive list of options to control our captures.

For example, we can open the Protocol Hierarchy window from the Statistics menu and get the protocol
hierarchy of the captured packets, as in the following picture.

Analyzing Is Explained Below


100% of my captured packets were IPv4. 7% of my packets were ICMP and 23% were UDP (the DNS request and
the DNS reply). Then we can see how many bytes were sent and received during this ping command.

P.S.: the display filter (ip.src eq 192.168.1.15) is shown at the top of the Protocol Hierarchy window. You
can add a new filter, for example by right-clicking User Datagram Protocol and choosing to apply it as a
filter; it will appear beside the ip.src filter, as shown below.
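The two display filters used above (ip.src, which shows only the requests, and ip.addr, which shows both directions) and the Protocol Hierarchy statistic can be modelled in a few lines. The following is an added example, not code from the original write-up: it runs the filters over a constructed capture that mirrors the ping to ashellz.com (the addresses are the ones above; the packet counts and sizes are constructed, so the percentages differ from the 7% / 23% reported above).

```python
"""Added example (not from the original write-up): a small model of how
Wireshark's ip.src / ip.addr display filters and the Protocol Hierarchy
statistic behave, run over a constructed capture that mirrors the ping to
ashellz.com. The addresses come from the write-up; the packet counts and
sizes are constructed for this example."""
from collections import Counter

# Constructed capture: (source IP, destination IP, protocol stack, bytes on wire)
CAPTURE = [
    ("192.168.1.15", "192.168.1.6", ("eth", "ip", "udp", "dns"), 74),   # DNS query
    ("192.168.1.6", "192.168.1.15", ("eth", "ip", "udp", "dns"), 90),   # DNS reply (A record)
]
for _ in range(4):  # four pings: one ICMP echo request and one echo reply each
    CAPTURE.append(("192.168.1.15", "192.185.16.67", ("eth", "ip", "icmp"), 98))
    CAPTURE.append(("192.185.16.67", "192.168.1.15", ("eth", "ip", "icmp"), 98))


def ip_src(addr):
    """ip.src == addr: only packets sent by addr (requests, no replies)."""
    return lambda pkt: pkt[0] == addr


def ip_dst(addr):
    """ip.dst == addr: only packets delivered to addr."""
    return lambda pkt: pkt[1] == addr


def ip_addr(addr):
    """ip.addr == addr: packets where addr is the source OR the destination."""
    return lambda pkt: pkt[0] == addr or pkt[1] == addr


def apply_filter(packets, predicate):
    """Return the packets a display filter would leave visible."""
    return [pkt for pkt in packets if predicate(pkt)]


def protocol_hierarchy(packets):
    """Statistics > Protocol Hierarchy: for each protocol, the percentage of
    packets that carry it and the total bytes of those packets. A packet is
    counted once per protocol in its stack, so the parent layers reach 100%."""
    total = len(packets)
    pkt_count, byte_count = Counter(), Counter()
    for _src, _dst, stack, size in packets:
        for proto in stack:
            pkt_count[proto] += 1
            byte_count[proto] += size
    return {proto: (round(100.0 * n / total, 1), byte_count[proto])
            for proto, n in pkt_count.items()}


if __name__ == "__main__":
    only_src = apply_filter(CAPTURE, ip_src("192.168.1.15"))
    both = apply_filter(CAPTURE, ip_addr("192.168.1.15"))
    print("ip.src  ==", len(only_src), "packets (requests only)")
    print("ip.addr ==", len(both), "packets (requests and replies)")
    for proto, (pct, nbytes) in protocol_hierarchy(CAPTURE).items():
        print("%-5s %5.1f%% %d bytes" % (proto, pct, nbytes))
```

With this capture ip.src leaves 5 of 10 packets visible and ip.addr all 10, which is exactly the difference between the two screenshots above; ip.addr == X is the same as (ip.src == X or ip.dst == X).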

NTI.SE
I will open a terminal and ping nti.se to find its IP address: 31.216.35.44

Then, to make it easier, I will apply the filter ip.addr == 31.216.35.44 (which is the same as ip.addr eq
31.216.35.44, and the same as ip.dst == 31.216.35.44 or ip.src == 31.216.35.44), so I see only the traffic
captured to and from this website. I will put www.nti.se in my address bar, hit Enter, and look at my
captured traffic.

As we can see, the first three lines represent the TCP three-way handshake:
SYNchronize, SYN-ACKnowledgment and ACKnowledgment.
My host sends a TCP synchronize (SYN) packet to nti.se:
192.168.1.15 - - - - - SYN - - - - -> 31.216.35.44
nti.se sends a synchronize-acknowledgement (SYN-ACK) to my host:
31.216.35.44 - - - - - SYN-ACK - - - - -> 192.168.1.15
My host sends an acknowledgment (ACK) to nti.se:
192.168.1.15 - - - - - ACK - - - - -> 31.216.35.44
Then we have an established HTTP (Hyper Text Transfer Protocol) connection.
We will analyze the HTTP packet.

The HTTP packet is dissected into 5 layers: Frame, Ethernet, Internet Protocol, TCP and HTTP. According to the OSI (Open Systems Interconnection) model:
The Physical layer: this is frame #51. 74 bytes * 8 = 592 bits have been transferred from my host to nti.se, when my data
is presented as bits (zeros and ones) and moves through the medium (copper/fiber cables, wireless, etc.).
Note the words 74 bytes on wire.

The Data link layer: this is the layer where my host sends the data from its MAC (Media Access Control) address, 50:7b:9d:8d:78:06, to the router's MAC address, 9c:97:26:cb:29:90.

The Network layer: this is the layer where the IP header is added to the frame; we can see the source IP 192.168.1.15 and the
destination IP 31.216.35.44.

The Transport layer: this is the layer where the data is transferred end to end; as we can see here it is transferred via TCP.
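What Wireshark's packet details pane does for these layers is peel fixed-size headers off the front of the frame. The following is an added example, not code from the original write-up: a minimal dissector for Frame, Ethernet, IPv4 and TCP, run over a constructed 74-byte SYN frame (the MAC and IP addresses are the ones above; the client port, sequence number, IP identification and the TCP options are constructed). It also verifies the IPv4 header checksum, which is the check Wireshark performs when checksum validation is enabled.

```python
"""Added example (not from the original write-up): a minimal dissector for
the lower layers Wireshark shows (Frame, Ethernet, IP, TCP), run over a
constructed 74-byte TCP SYN. MACs and IPs are from the write-up; the client
port, sequence number, IP id and TCP options are constructed."""
import struct

TCP_FLAGS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words. Over a
    header whose checksum field is filled in, the result is 0 when it is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def build_syn_frame() -> bytes:
    """Constructed frame: my host sends a SYN to nti.se port 80. Ethernet (14)
    + IPv4 (20) + TCP with the usual Linux SYN options (40) = 74 bytes on wire."""
    dst_mac = bytes.fromhex("9c9726cb2990")   # router MAC from the write-up
    src_mac = bytes.fromhex("507b9d8d7806")   # host MAC from the write-up
    ethernet = dst_mac + src_mac + struct.pack("!H", 0x0800)        # EtherType IPv4
    options = (bytes.fromhex("020405b4")                            # MSS 1460
               + bytes.fromhex("0402")                              # SACK permitted
               + bytes.fromhex("080a") + struct.pack("!II", 123456, 0)  # timestamps
               + b"\x01"                                            # NOP
               + bytes.fromhex("030307"))                           # window scale 7
    data_offset = (20 + len(options)) // 4                          # 10 words = 40 bytes
    tcp = struct.pack("!HHIIBBHHH", 51234, 80, 0x12345678, 0,
                      data_offset << 4, 0x02, 29200, 0, 0) + options
    # TCP checksum left 0: it needs the pseudo-header and is not the point here.
    ip_wo_csum = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1A2B, 0x4000,
                             64, 6, 0, bytes([192, 168, 1, 15]), bytes([31, 216, 35, 44]))
    ip = ip_wo_csum[:10] + struct.pack("!H", ipv4_checksum(ip_wo_csum)) + ip_wo_csum[12:]
    return ethernet + ip + tcp


def dissect(frame: bytes) -> dict:
    """Peel the frame layer by layer, like Wireshark's packet details pane."""
    out = {"frame": {"bytes_on_wire": len(frame), "bits_on_wire": len(frame) * 8}}
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    out["ethernet"] = {"src": mac_str(src), "dst": mac_str(dst), "type": ethertype}
    if ethertype != 0x0800:
        return out
    ip = frame[14:]
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, s, d = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    out["ip"] = {"version": ver_ihl >> 4, "header_len": ihl, "total_len": total_len, "ttl": ttl,
                 "proto": proto, "src": ".".join(map(str, s)), "dst": ".".join(map(str, d)),
                 "checksum_ok": ipv4_checksum(ip[:ihl]) == 0}
    if proto != 6:
        return out
    tcp = ip[ihl:total_len]
    sport, dport, seq, ackn, off, flags, win, _tsum, _urg = struct.unpack("!HHIIBBHHH", tcp[:20])
    hlen = (off >> 4) * 4
    out["tcp"] = {"sport": sport, "dport": dport, "seq": seq, "ack": ackn, "window": win,
                  "header_len": hlen, "flags": [name for bit, name in TCP_FLAGS if flags & bit],
                  "payload_len": len(tcp) - hlen}
    return out


if __name__ == "__main__":
    for layer, fields in dissect(build_syn_frame()).items():
        print(layer, fields)
```

The frame length comes out as 74 bytes, i.e. 592 bits on the wire, and a single corrupted byte in the IP header flips checksum_ok to False.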
Follow Stream
Choose the first GET / HTTP request, right-click and choose Follow TCP Stream.
At the bottom I can choose which direction of the conversation to display and in which format; in this
example I chose to display packets from the server to my local host and to display the data in ASCII
(American Standard Code for Information Interchange) format.

In the screenshot below, I will show only data from my host to the server. Now the three-way handshake is
completed, and the next step is to request the home page of nti.se via an HTTP GET request, which is done
via the request header. The request header consists of the following:
GET / HTTP/1.x:- The request line: the request method, the path and the protocol version.
Host:- The server I'm requesting the page from.
User-Agent:- The client web browser and OS.
Accept:- Accepted content formats, for example HTML (Hyper Text Markup Language).
Accept-Language:- The client's default language.
Accept-Encoding:- Accepted encoding formats.
Cookie:- My saved cookie for this website.
Connection:- Whether the connection should stay alive.
There could be more or fewer fields depending on the browser and the server.

The following screenshot is the web server's answer, with status code 200, which means that the requested
page was found; if the web page is not found, we get the most famous error code, 404. Then come the date,
the server type (Apache) and so on, followed by the HTML code of the web page, starting from the document
type declaration <!DOCTYPE html>.
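The text that Follow TCP Stream shows is the raw HTTP message, and both the request fields listed above and the 200 / 404 status line follow one simple shape: a start line, header lines, a blank line, then the body. The following is an added example, not code from the original write-up: it parses a request and a response into those parts and flags header fields (such as the Cookie line above) that carry a session token readable by anyone capturing the plain HTTP stream. The sample messages are constructed; only the host name and the Apache server type come from the write-up.

```python
"""Added example (not from the original write-up): parsing the request and
response seen in Follow TCP Stream, and spotting secrets sent over plain
HTTP. The messages below are constructed for this example."""

# Constructed: the client side of the stream
REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: www.nti.se\r\n"
    b"User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) ExampleBrowser/1.0\r\n"
    b"Accept: text/html,application/xhtml+xml\r\n"
    b"Accept-Language: en-US,en;q=0.5\r\n"
    b"Accept-Encoding: gzip, deflate\r\n"
    b"Cookie: session=constructed-cookie-value\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
)

# Constructed: the server side of the stream, status 200 and an HTML body
RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 01 Jan 2018 00:00:00 GMT\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Content-Length: 15\r\n"
    b"\r\n"
    b"<!DOCTYPE html>"
)

# Constructed: the answer for a page that does not exist
NOT_FOUND = b"HTTP/1.1 404 Not Found\r\nServer: Apache\r\nContent-Length: 0\r\n\r\n"

# Header fields whose value is a credential or session token. Seen on plain
# HTTP, they were readable by everyone on the path (the write-up's Cookie line).
SENSITIVE_HEADERS = {"cookie", "authorization", "proxy-authorization", "set-cookie"}


def _split_message(raw: bytes):
    """Start line, header dict (lower-cased names), body. Headers end at the
    first blank line; repeated fields are joined with commas as HTTP allows."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP message: no blank line ending the headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError("malformed header line: %r" % line)
        key = name.strip().lower()
        headers[key] = (headers[key] + ", " + value.strip()) if key in headers else value.strip()
    return lines[0], headers, body


def parse_request(raw: bytes) -> dict:
    """Request line -> method, target, version; then headers and body."""
    start, headers, body = _split_message(raw)
    method, target, version = start.split(" ", 2)
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def parse_response(raw: bytes) -> dict:
    """Status line -> version, numeric status code, reason phrase (may be empty)."""
    start, headers, body = _split_message(raw)
    parts = start.split(" ", 2)
    return {"version": parts[0], "status": int(parts[1]),
            "reason": parts[2] if len(parts) > 2 else "", "headers": headers, "body": body}


def plaintext_secrets(msg: dict) -> list:
    """Names of sensitive header fields present in a message captured on plain HTTP."""
    return sorted(h for h in msg["headers"] if h in SENSITIVE_HEADERS)


if __name__ == "__main__":
    req = parse_request(REQUEST)
    print(req["method"], req["target"], req["version"], "->", req["headers"]["host"])
    print("secrets readable on the wire:", plaintext_secrets(req))
    for raw in (RESPONSE, NOT_FOUND):
        resp = parse_response(raw)
        print(resp["status"], resp["reason"], resp["headers"]["server"], resp["body"][:15])
```

On the constructed request the only secret-carrying field is cookie; the same check run over a capture is a quick way to see which sessions were exposed before the site moved to HTTPS.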

On the other hand, when I try to sniff the connection over a secure connection via https://nti.se, the
information is encrypted, as in the following screenshot. In the protocol column we can see TLSv1.2,
which stands for Transport Layer Security version 1.2.

Sending an email via telnet. The protocol shown here is TCP; it does not show as SMTP because I am not
using the standard port for SMTP (Simple Mail Transfer Protocol). However, I can just right-click any
packet and choose Decode As... SMTP, or connect to the server on a standard SMTP port, as in the following
screenshot.

As we can see, the destination port is 587 and the protocol is SMTP.


In the following screen, packets have been captured during an SSH connection. Note the protocol changed to
SSH version 2 (SSHv2).
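The SMTP, TLS and SSH screenshots all illustrate the same point: Wireshark picks a dissector by port number first, which is why SMTP on a non-standard port shows as plain TCP until you use Decode As, while the first bytes of the stream would have identified it. The following is an added example, not code from the original write-up, that labels a stream by its first bytes (SSH banner, TLS record header, SMTP greeting, HTTP request line) and measures how much of the payload is readable text, which is what separates the cleartext SMTP/HTTP streams from the encrypted TLS and SSH ones. The sample payloads are constructed; the port numbers are the standard ones plus the 587 above.

```python
"""Added example (not from the original write-up): identifying a protocol from
the first bytes of the stream instead of the port number, and measuring how
readable the payload is. Sample payloads are constructed for this example."""
import re

# Port-based guess: the default that fails on the write-up's non-standard SMTP port
WELL_KNOWN_PORTS = {22: "SSH", 25: "SMTP", 80: "HTTP", 443: "TLS", 465: "SMTP", 587: "SMTP"}

TLS_VERSIONS = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
SMTP_LINE = re.compile(rb"^(?:[2-5]\d\d[ -]|(?:EHLO|HELO|MAIL FROM:|RCPT TO:|DATA|QUIT)\b)", re.I)
HTTP_LINE = re.compile(rb"^(?:(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]|HTTP/1\.[01] \d{3})\r?\n")


def guess_by_port(dport: int) -> str:
    return WELL_KNOWN_PORTS.get(dport, "TCP")


def guess_by_content(payload: bytes) -> str:
    """Look at the first bytes of the stream the way a heuristic dissector would."""
    if payload.startswith(b"SSH-2.0-"):
        return "SSHv2"
    if payload.startswith(b"SSH-1."):
        return "SSHv1"
    if len(payload) >= 5 and payload[0] in (0x14, 0x15, 0x16, 0x17) and payload[1] == 0x03:
        # TLS record: content type, then the record-layer version. A ClientHello often
        # carries 0x0301 here for compatibility; the negotiated version sits inside the
        # handshake, which is where Wireshark reads "TLSv1.2" from.
        return "TLS record (%s)" % TLS_VERSIONS.get((payload[1] << 8) | payload[2], "unknown")
    if HTTP_LINE.match(payload):
        return "HTTP"
    if SMTP_LINE.match(payload):
        return "SMTP"
    return "unknown"


def readable_fraction(payload: bytes) -> float:
    """Share of printable ASCII bytes: near 1.0 for cleartext protocols, near 0 for
    encrypted TLS/SSH traffic, which is why Follow Stream shows nothing useful on HTTPS."""
    if not payload:
        return 0.0
    printable = sum(1 for b in payload if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(payload)


def classify(dport: int, payload: bytes) -> dict:
    return {"by_port": guess_by_port(dport), "by_content": guess_by_content(payload),
            "readable": round(readable_fraction(payload), 2)}


# Constructed samples: (destination port, first bytes of the stream)
SAMPLES = {
    "smtp_nonstandard": (2525, b"220 mail.example.invalid ESMTP ready\r\n"),
    "smtp_submission": (587, b"220 mail.example.invalid ESMTP ready\r\n"),
    "ssh": (22, b"SSH-2.0-OpenSSH_7.2p2\r\n"),
    # TLS 1.2 application-data record: type 0x17, version 0x0303, length 42, opaque bytes
    "tls12_app_data": (443, bytes.fromhex("170303002a") + bytes(range(0x80, 0xAA))),
    "http": (80, b"GET / HTTP/1.1\r\nHost: www.nti.se\r\n\r\n"),
}

if __name__ == "__main__":
    for name, (port, data) in SAMPLES.items():
        print("%-17s %s" % (name, classify(port, data)))
```

For the non-standard SMTP sample the port-based guess is "TCP" while the content says "SMTP", which is the situation the Decode As step fixes by hand; the TLS record is identified as TLSv1.2 but almost none of its bytes are readable.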

There is no doubt that Wireshark is the monster of packet capturing and analysis. It can be used for
different purposes, like
* Troubleshooting your network.
* Testing your network security; for example, you can sniff your own network and check whether any
passwords or other information are sent in plain text, so you can correct it.
