Wireshark, Starting from Scratch
Hello.
This is Kawa from the System Solutions Department (the one who carelessly runs echo "" > /etc/passwd).
This time I would like to write about Wireshark, which I mentioned in a previous article on network tools. By the way, my favorite shark movie is Deep Blue.
What is Wireshark?
It is a famous tool that can be said to be a must-have for network engineers.
It is compatible with Windows and macOS, and basically allows you to capture packets on the installed PC and visualize them extremely easily.
It is often used for network investigations such as troubleshooting.
Download and install
Open "Download" on the official website ( https://www.wireshark.org/ ) and click the file name for your OS.
Once downloaded, open the executable file and press "Next" according to the installer instructions.
(The items above are basically OK by default)
Once the installation is complete, open Wireshark and if the following screen is displayed, it is complete.
Double-click the network adapter that shows a waveform (traffic activity) to look at the capture of your main connected interface.
How to view captured data on Windows
When you select an interface, the captured inbound/outbound packets immediately start flowing (information such as IP addresses is blurred in the screenshot) ⬇.
What the hell is this?
Try sending a ping to our website (beyondjapan.com) from the command prompt.
> ping beyondjapan.com
Type "icmp" in the search window at the top and press enter.
Only the ping traffic is shown, and you can check the ICMP packets going to and from our homepage.
You can check the contents of a packet by right-clicking the line in the bottom pane and selecting "Expand all".
Orange part : Source/destination address, router model and MAC address, etc.
Green part : IP version (v4 in this case) and header length
Pink part : Flags, TTL and protocols
Red part : ICMP type and checksum
This time it is ICMP, so there is not much information to see, but as long as a packet is not encrypted you can read its detailed contents, including the payload (misuse is strictly prohibited).
By the way, if you look at the famous Hiroshi Abe website, which is plain HTTP, everything is completely exposed.
Orange part : Request method and HTTP version
Green part : Host information, browser user agent information, language, referrer, etc.
Pink part : Accessed URL and the frame numbers related to the series of requests
What you need to be especially careful about with HTTP sites is the information you enter into forms.
If you submit a password or similar through a form in unencrypted form, the password string is visible in the packet capture.
(This is why it is not a good idea to connect to random, untrusted Wi-Fi.)
All about filters
Searching in Wireshark is done with display filter expressions.
Here I will introduce the notation that is used most often. Since filters can be written in many ways, including regular expressions, they are also useful for troubleshooting interactions with APIs.
・Filter by IP address
ip.addr == xx.xx.xx.xx
!(ip.addr == xx.xx.xx.xx) #Exclude specific IP
Try sending a ping to "1.1.1.1" and filter on that address.
You can check the ping request → reply exchange.
・Filter by port number
tcp.port == xx
udp.port == xx
tcp.port == xx || udp.port == xx #Multiple search with or
!(tcp.port == xx) #Exclude specific ports
!(tcp.port == xx) && ip.addr == xx.xx.xx.xx #and condition
Let's try checking TCP/443 communication.
If you look at the IP addresses, you can follow the flow of a Google search.
If you look at the "Info" column and the flags field, you can see the TCP handshake exchange (SYN, ACK, FIN, etc.).
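To show what the filters above actually test, here is an added Python example (not code from the original article or from Wireshark). It builds a few constructed Ethernet/IPv4 frames, decodes the header fields the screenshots highlight (IP version, header length, TTL, protocol, ICMP type, TCP ports and flags), and evaluates the equivalent of ip.addr, tcp.port and icmp expressions over them; the sample addresses and helper names are assumptions.

```python
import socket
import struct

# Constructed sample frames (not a real capture): Ethernet II + IPv4 carrying ICMP or TCP.
def frame(src_ip, dst_ip, proto, l4):
    ip_len = 20 + len(l4)
    # version 4 / IHL 5, TOS, total length, id, DF flag, TTL 64, protocol, checksum 0, src, dst
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 1, 0x4000, 64, proto, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return b"\x00" * 12 + b"\x08\x00" + ip_hdr + l4   # zeroed MACs, EtherType 0x0800 (IPv4)

def icmp(type_, code=0):   # type, code, checksum, identifier, sequence
    return struct.pack("!BBHHH", type_, code, 0, 1, 1)

def tcp(sport, dport, flags):   # ports, seq, ack, data offset 5 words, flags, window, csum, urg
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)

def parse(fr):
    """Decode the fields that Wireshark's ip.*, tcp.* and icmp.* filters operate on."""
    if fr[12:14] != b"\x08\x00":
        return {}
    vihl, _, _, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", fr[14:34])
    f = {"ip.version": vihl >> 4, "ip.hdr_len": (vihl & 0xF) * 4, "ip.ttl": ttl,
         "ip.proto": proto, "ip.src": socket.inet_ntoa(src), "ip.dst": socket.inet_ntoa(dst)}
    l4 = fr[14 + f["ip.hdr_len"]:]
    if proto == 1:                      # ICMP
        f["icmp.type"], f["icmp.code"] = l4[0], l4[1]
    elif proto == 6:                    # TCP
        f["tcp.srcport"], f["tcp.dstport"] = struct.unpack("!HH", l4[:4])
        f["tcp.flags"] = l4[13]
    return f

# Predicates mirroring the display-filter expressions in the article.
def ip_addr(f, a):    # ip.addr == a  (matches either source or destination)
    return a in (f.get("ip.src"), f.get("ip.dst"))
def tcp_port(f, p):   # tcp.port == p
    return p in (f.get("tcp.srcport"), f.get("tcp.dstport"))
def is_icmp(f):       # icmp
    return "icmp.type" in f

def apply_filter(frames, pred):
    return [parse(fr) for fr in frames if pred(parse(fr))]

SAMPLE = [  # constructed: ping to 1.1.1.1 and its reply, then a TCP SYN / SYN-ACK on port 443
    frame("192.168.0.10", "1.1.1.1", 1, icmp(8)),
    frame("1.1.1.1", "192.168.0.10", 1, icmp(0)),
    frame("192.168.0.10", "203.0.113.5", 6, tcp(51000, 443, 0x02)),
    frame("203.0.113.5", "192.168.0.10", 6, tcp(443, 51000, 0x12)),
]
```

Combine the predicates with and/or/not in a lambda to reproduce the compound filters, e.g. `lambda f: tcp_port(f, 443) and ip_addr(f, "203.0.113.5")`.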
Packet capture on Linux machine
If you have a PC with Wireshark installed, you can also view packet capture files obtained on a Linux machine.
This time we will use tcpdump, which was introduced previously (install tcpdump in advance with yum or apt).
In this article we will use Ubuntu, create a file of our choosing and write the captured data to it.
Write it to a file called "test.pcap" (pcap is the extension for packet capture files).
*Check the name of the interface connected to the Internet with ifconfig or similar and specify it with -i.
> tcpdump -i ens33 -w test.pcap
Capturing continues until you stop it, so generate the communication you want to check (browser access, etc.) while the capture is running.
Stop tcpdump with "Ctrl+C" and move the output file to your Windows/macOS machine.
Open the copied pcap file in Wireshark to visualize the captured data.
↑I was able to visualize a beautiful Xmas scan packet (good kids, please don't imitate this).
Wireshark's strength is that anyone who knows how to read packets can easily follow their flow.
Beyond the PC you are using, if you set up a switch with a mirror port you can capture all the packets flowing through the local network, which is why this software is used so often in the field.
Please try installing it as it will help you learn about TCP/IP.