TryHackMe - Wireshark: The Basics - Task 1 Introduction & Task 2 Tool Overview

TryHackMe - Wireshark: The Basics - Task 1 Introduction & Task 2 Tool Overview

 

The VM Started

Starting at Task 1, you will see the green Start Machine button. Click this button to get the VM started.

 

Once the VM loads, click the View in Full Screen icon in the buttom left of the VM and A new browser tab should open with the VM in it.

 

Task 1 Introduction

Wireshark is an open-source, cross-platform network packet analyser tool capable of sniffing and investigating live traffic and inspecting packet captures (PCAP). It is commonly used as one of the best packet analysis tools. In this room, we will look at the basics of Wireshark and use it to perform fundamental packet analysis.

 

Note: A VM is attached to this room. You don't need SSH or RDP; the room provides a "Split View" feature. We suggest completing the Network Fundamentals module before starting working in this room. 

There are two capture files given in the VM. You can use the "http1.pcapng" file to simulate the actions shown in the screenshots. Please note that you need to use the "Exercise.pcapng" file to answer the questions.

 

Q1. Which file is used to simulate the screenshots?

http1.pcapng

 

Q2. Which file is used to answer the questions?

Exercise.pcapng

 

---

 

Task 2 Tool Overview

Use Cases

Wireshark is one of the most potent traffic analyser tools available in the *wild. There are multiple purposes for its use:

# wild : 실제 환경

• *Detecting and troubleshooting network problems, such as network load failure points and congestion.
• Detecting security anomalies, such as *rogue hosts, abnormal port usage, and suspicious traffic.
• *Investigating and learning protocol details, such as response codes and payload data. 

# Detecting : 감지 / rogue hosts : 악성 호스트 / Investigating : 조사 

Note: Wireshark is not an Intrusion Detection System (IDS). It only allows analysts to discover and investigate the packets in depth. It also doesn't modify packets; it reads them. *Hence, detecting any anomaly or network problem highly relies on the analyst's knowledge and investigation skills.

 

# Hence : 따라서

GUI and Data

Wireshark GUI opens with a single all-in-one page, which helps users investigate the traffic in multiple ways. *At first glance, five sections stand out.

 

# At first glance : 처음 보았을 때

 

Toolbar	The main toolbar contains multiple menus and *shortcuts for packet sniffing and processing, including filtering, sorting, summarising, exporting and merging.
Display Filter Bar	The main query and filtering section.
Recent Files	List of the recently investigated files. You can recall listed files with a double-click.
Capture Filter and Interfaces	Capture filters and available sniffing points (network interfaces).  The network interface is the connection point between a computer and a network. The software connection (e.g., lo, eth0 and ens33) enables networking hardware.
Status Bar	Tool status, profile and numeric packet information.

# Shortcuts : 바로가기

The below picture shows Wireshark's main window. The sections explained in the table are highlighted. Now open the Wireshark and go through the walkthrough.

Loading PCAP Files

The above picture shows Wireshark's empty interface. The only available information is the recently processed  "http1.cap" file. Let's load that file and see Wireshark's detailed packet presentation. Note that you can also use the "File" menu, dragging and dropping the file, or double-clicking on the file to load a pcap.

 

Now, we can see the processed filename, detailed number of packets and packet details. Packet details are shown in three different panes, which allow us to discover them in different formats. 

 

Packet List Pane	Summary of each packet (source and destination addresses, protocol, and packet info). You can click on the list to choose a packet for further investigation. Once you select a packet, the details will appear in the other panels.
Packet Details Pane	Detailed protocol breakdown of the selected packet.
Packet Bytes Pane	Hex and decoded ASCII representation of the selected packet. It highlights the packet field depending on the clicked section in the details pane.

 

Colouring Packets

Along with quick packet information, Wireshark also colour packets in order of different conditions and the protocol to spot anomalies and protocols in captures quickly (this explains why almost everything is green in the given screenshots). This glance at packet information can help track down exactly what you're looking for during analysis. You can create custom colour rules to spot events of interest by using display filters, and we will cover them in the next room. Now let's focus on the defaults and understand how to view and use the represented data details.

 

Wireshark has two types of packet colouring methods: temporary rules that are only available during a program session and permanent rules that are saved under the preference file (profile) and available for the next program session. You can use the "right-click menu" or "View --> Coloring Rules" menu to create permanent colouring rules. The "Colourise Packet List" menu activates/deactivates the colouring rules. Temporary packet colouring is done with the "right-click menu" or "View --> Conversation Filter" menu, which is covered in TASK-5.

 

The default permanent colouring is shown below.

 

 

Traffic Sniffing

You can use the blue "shark button" to start network sniffing (capturing traffic), the red button will stop the sniffing, and the green button will restart the sniffing process. The status bar will also provide the used sniffing interface and the number of collected packets.

 

 

Merge PCAP Files

Wireshark can combine two pcap files into one single file. You can use the "File --> Merge" menu path to merge a pcap with the processed one. When you choose the second file, Wireshark will show the total number of packets in the selected file. Once you click "open", it will merge the existing pcap file with the chosen one and create a new pcap file. Note that you need to save the "merged" pcap file before working on it.

 

View File Details

Knowing the file details is helpful. Especially when working with multiple pcap files, sometimes you will need to know and *recall the file details (File hash, capture time, capture file comments, interface and statistics) to identify the file, classify and prioritise it. You can view the details by following "Statistics → Capture File Properties" or by clicking the "pcap icon located on the left bottom" of the window.

 

# recall : 기억하다

 

Q. Read the "capture file comments". What is the flag?

 

At the top of Wireshark, go to 'Statistics --> Capture File Properties' or click the 'pcap icon located on the bottom left' of the window. 

 

Then the "Wireshark - Capture File Properties" window will appear. At the bottom of this window, check the Capture File Comments section.

TryHackMe_Wireshark_Demo 

 

Q. What is the total number of packets?

 

You can check it in the "Packets" section of the information bar at the bottom of the main page in Wireshark, or in the Statistics section of the Capture File Properties.

58620

 

Q. What is the SHA256 hash value of the capture file?

 

You can check the details of the Hash (SHA256) in the Capture File Properties section, just like in issues 1 and 2.

f446de335565fb0b0ee5e5a3266703c778b2f3dfad7efeaeccb2da5641a6d6eb