This is part 2 about Wireshark. In this section, we will cover some advanced uses with Wireshark. Project developers have included a variety of capabilities ranging from spying on TCP conversations to wireless credential cracking.
I. The Statistics and Analyze Tabs
The Statistics and Analyze tabs can give us insight into the data we are examining. From these points, we can use many of the built-in plugins that Wireshark provides. The plugins here can give us detailed reports on the network traffic being used. It can show us everything from the top talkers in the environment to specific conversations and even breakdown by IP and protocol.
A. Statistics Tab
Each menu item will display a new window showing specific statistics.
B. Analyze Tab
From the Analyze tab we can use plugins that allow us to do things like monitor TCP streams, filter conversation types, prepare new packet filters, and examine the information Wireshark generates about traffic. Here are a few examples of how to use these plugins.
1. TCP Streams
Wireshark can stitch together TCP packets to reconstruct the entire stream in a readable format. This capability also allows us to get data (images, files, etc.) out of the capture process. This works with almost any protocol that uses TCP as the transport mechanism.
2. Extract Files From The GUI
Another cool way to get data from a pcap file comes from FTP. The file transfer protocol moves data between the server and the server to get that data out of the raw bytes and reconstruct the file. (images, text documents, etc) FTP uses TCP as transport protocol and uses ports 20 & 21 to function. TCP port 20 is used to transfer data between host and server, while port 21 is used as FTP control port. Any commands like login, list files, and release downloads or uploads happen through this port. To do so, we need to look at the various FTP display filters in Wireshark.
II. Filter
Filters are also used by other features like statistics generation and packet list coloring (the latter is only available for Wireshark). A comprehensive reference to filter fields can be found in Wireshark and in the display filter reference at https://www.wireshark.org/docs/dfref/ .
Here I have a ctf misc of LACTF about RFC 3514 related to this part. misc/EBE
When we don’t use the filter, we see in the Follow UDP Stream section that a flag is jammed and in case we don’t know about the jamming rule.
So the first step to solve this problem, we need to compare the correct character with the disturbed character!
With the sample flag we get from the issuer is lactf{123456}. So we will compare lactf with other characters.
So Header Checksum of correct character is 0x64c1 and false is 0xe4c0 .
=> The filter formula of this section is ip.checksum == 0x64c1
Then we get the flag as: lactf{3V1L_817_3xf1l7R4710N_4_7H3_W1N_51D43c8000034d0c}