WireShark - ArtTHEbard/SYS255FA19-Notes GitHub Wiki

WireShark Traffic Capture: An Overview

  1. Protocols and colors: All of the traffic in Wireshark is color coded. A few examples of this are:
     * DNS = blue
     * TCP ACK = light purple
     * TCP RST = red
     * TCP SYN = grey & green
     * ARP = tan
     * ICMP = pink

     These settings can be customized using this tutorial: https://www.wireshark.org/docs/wsug_html_chunked/ChCustColorizationSection.html

  2. Display Filters: Display filters can be used to isolate traffic within your capture, both live and stopped. Enter the data you want into the filter bar and select the option that shows up. Examples of filterable data are: IP address, port number, protocol, length, source and destination IP, number, size, and many more.

  3. Setting up a search: When Wireshark is opened, the current data traffic interfaces are shown. Any of the connected data ports can be selected for monitoring. The capture can be started by clicking the blue shark fin in the toolbar, and stopped with the red square.

  4. Analysis Menus: Once a packet is selected for analysis, there are many options available to learn more about that packet. There is a selection of drop-down menus available to look through for each packet. The first menu gives you the various "physical" data regarding the packet (frame, number of bytes on wire/bytes captured, arrival time, frame length, and more). The second drop-down shows the destination and source MAC addresses involved in sending the packet, as well as the type of IP addressing used. The third drop-down shows the IPv4/IPv6 info (header length, total length, protocol, header checksum, and the source and destination IP). The next drop-down gives more info about the specific protocol used by the packet, and the last few menus give more relevant info regarding what the packet was doing (DNS, HTTP, etc.).
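As an added example (not from the original wiki page), the display filters below map each drop-down layer from item 4 to fields you can type into the filter bar from item 2, including filters that isolate the color-coded traffic from item 1. The IP and MAC addresses are constructed placeholders from documentation ranges, and lines starting with # are annotations rather than filter text.

```wireshark
# First drop-down (frame): packet number and size on the wire
frame.number == 42
frame.len > 1500

# Second drop-down (Ethernet): source/destination MAC address
eth.src == 00:00:5e:00:53:01
eth.addr == 00:00:5e:00:53:01

# Third drop-down (IPv4): addresses, header length, TTL
ip.addr == 192.0.2.10
ip.src == 192.0.2.10 && ip.dst == 198.51.100.20
ip.hdr_len > 20
ip.ttl < 10

# Fourth drop-down (transport): ports and TCP flags
tcp.port == 443
tcp.flags.syn == 1 && tcp.flags.ack == 0    # TCP SYN (grey/green rows)
tcp.flags.syn == 1 && tcp.flags.ack == 1    # SYN-ACK reply
tcp.flags.reset == 1                        # TCP RST (red rows)
tcp.analysis.flags                          # retransmissions, dup ACKs, etc.

# Last drop-downs (application / other protocols)
dns                                         # DNS (blue rows)
dns.qry.name contains "example"
http.request.method == "POST"
arp                                         # ARP (tan rows)
icmp                                        # ICMP (pink rows)

# Combining filters: everything for one host except ARP and ICMP noise
ip.addr == 192.0.2.10 && !(arp || icmp)
```

Each line is a complete filter on its own; the filter bar turns green when the expression is valid and red when it is not.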