Kullanıcı1233
Kıdemli Üye
- 19 Tem 2011
- 4,371
- 12
Hello, In
In this article, we will give general information about the Network, we will understand the structure and working logic of various protocols, and will recognize and use Wireshark software.
WHAT IS WIRESHARK? WHAT IS IT USED FOR?
Wireshark is used to analyze the transmission speed of the network, problems on the network, and packets. With Wireshark software, we can perform the following operations;
Real-time control of the transferred data traffic,
Analyze network traffic
Capture every packet on the network and analyze those packets that have been captured or previously captured
Ability to edit a captured package
Saving captured packets and combining them with other packets
Filtering network traffic with various commands
Detecting VoIP calls on the network and converting them to voice
Increasing the number of protocols with the help of various plugins
You can download Wireshark software from the official site below;
[url]https://www.wireshark.org/download.html[/url]
Now let's talk about network and general terms related to Network
WHAT IS NETWORK?
We call the system Network, which is created by connecting the devices, whether wireless or wired. Thanks to networks, computers, and users can communicate with each other. The network created by the computers in the same environment is called LAN, the local network, and the network created by the computers in different environments is called WAN, the wide-area network. In this article, we will perform network traffic, also known as network traffic analysis.
TCP / IP MODEL STRUCTURE
The TCP / IP model consists of two parts, the Top and the Bottom. The upper part is called the TCP protocol and the lower part is called the IP protocol. The TCP protocol allows the data to be separated into packets before being transmitted, and to unbundle packets that have been transmitted after transmission. The IP part allows the packets to be managed to the corresponding network address. In this model, new protocols can easily be placed between existing layers when needed. However, it is more inefficient compared to OSI model since it is a model without strict rules. TCP / IP model consists of 4 layers.
OSI MODEL STRUCTURE
It consists of 7 layers. The OSI model sets the protocols between Computers. Unlike the TCP / IP model, the tasks of the layers and their relationships with each other are strictly defined. Layers that are not required are not used in this model. Therefore, it is more efficient to work with the OSI model. However, there are also cons as well as its pros and cons that the OSI model makes it difficult to develop new protocols with this feature.
PROTOCOLS USED IN TCP / IP MODEL
ARP PROTOCOL
It is the protocol that allows IP addresses to be converted to MAC addresses. It enables computers to communicate with each other in local networks. For example; When computer A wants to communicate with computer B, it looks at the ARP table of computer B. If there are IP and MAC addresses of computer B in this table, communication takes place. However, if there is no MAC address of computer B in this ARP table, computer A collects its IP and MAC address and IP address of computer B in the ARP package and sends the package to all computers on the local network as broadcast. We call this request "Request". All computers receiving the request compare the IP address that came with the package with its own IP address. If IP addresses do not match, the request is not answered. Since the IP address included in the package is the IP address of the computer B, computer B approves this request and collects the IP and MAC addresses of the computer A in the ARP package, then sends this package to the computer A uncostly. The response to this incoming request is called "Reply". In this way, A and B computers have each other's IP and MAC addresses in their ARP tables.
DHCP PROTOCOL
It is the protocol that enables the assignment of dynamic IP addresses to computers on a local network. In addition to distributing IP addresses, this protocol is responsible for sending DNS addresses, Submask addresses, Gateway addresses and windows server addresses to the devices. For example; The computer that wants to connect to the local network sends the package we call DHCP Discover to all the computers on the network in order to check the existence of the DHCP server. When the DHCP server receives this packet, it sends the packet called DHCP Offer, which contains IP information and the IP address's lifetime. And it asks if the computer has approved this package. If this packet is approved by the computer, the computer sends the DHCP Request request as a broadcast. The DHCP server receives this request and IP, DNS, Submask, It sends the gateway and windows server address to the computer with the package we call DHCP ACK. In this way, the computer sending the request becomes included in the network.
DNS PROTOCOL
It is the protocol that names IP addresses. Thanks to this protocol, the domain address to be connected to is sent to the Local DNS server by the computer. If the local DNS Server has previously interacted with the sent internet address, it sends the IP information of this website to the computer sending the request and provides communication with the computer domain address. If the local DNS server does not host this information, it sends a request to the DNS server that contains all the domain addresses and the IP addresses corresponding to those domain addresses, that is to the Root DNS server. Here, the Local DNS server redirects to the TLD DNS server that contains the domain address that you want to connect to. Here, too, the Local DNS server is directed to the original server address of the domain address, the SLD DNS server.
FTP PROTOCOL
It is the protocol that enables file transfer between the server and the client. A triple handshake is created between the server and the client. Then, it is checked through port 21 whether the client is defined on the server. If the client is defined on the server, data communication takes place on the 20th port in line with the requests of the client.
[IMG] http PROTOCOL
This protocol determines the data exchange rules between the server and the client. The client requests the server to access data from an address. This request is called "Request". The server checks whether it contains this incoming address, and if it does, it sends the data about the address to the client as the answer we call "Response". In this way, the client shows this incoming data to the user through various browsers.
RECOGNIZING THE WIRESHARK MENU
Let's run our Wireshark software. When we run the software, a screen like the one below will meet us. Here, we can do the process of selecting the ethernet interface that we want to capture network traffic and seeing the network traffic in the section called "Capture" and we can select the interfaces that we want to be shown in the section that says "All interfaces shown". enough.
[IMG] https://i.resimyukle.xyz/bC0TUU..png
We can adjust the Capture Settings to ourselves by going to Capture> Options from the upper panel. Here we can select the ethernet interfaces partially or completely and to filter the captured network packets.
In the section that says "Capture Filter For Selected Interfaces", we can filter the packages we want to capture. When we click on the green button on the left of the box, it offers us various filtering options (Capturing TCP connections only, Capturing UDP connections only, etc.)
With the "Manage Interface" on the right, we can manage the network interfaces.
Let's go back to the Capture Options window and go to the "Output" section from the top panel. Here, the "File" section at the top offers the opportunity to transfer the captured traffic to the computer. Similarly, we can select the type of this file as "pcapng" or "pcap" at the bottom. Also, in this section, we can ensure that the process of capturing network traffic stops automatically when the packages reach the size we have previously set.
When we get to the "Options" section from the top panel, there are also several options here. By adjusting these options according to ourselves, we can make our traffic more understandable. We can ensure that the process is stopped automatically.
You can open files in the formats supported by the wireshark software with the "Open" option in the "File" menu. You can also operate on these files if you wish. With the "Open Recent" option, you can reopen the files you previously opened on wireshark.
You can combine the previously recorded traffic flows with the new traffic flows with the "Merge" option in the "File" menu.
In the "Go" menu, you can
switch between the packages. In the "Telephony" menu, you can find the options where you can listen to the packages.
In the "Statistics" menu, you can access the statistical data of traffic flows.
Let's look at the "edit" section from our menu on the top panel. Here you can click on "Preferences" at the bottom and set preferences (You can change the view, browse the statistics)
WIRESHARK COLORING SETTINGS There
are coloring settings on wireshark to make the analysis graphic more meaningful and faster to analyze. The colorings adjusted in this way will provide us convenience during the analysis. Let's look at these settings. We press the "View" menu on the top panel. We find and click the "Coloring Rules" option from the drop-down menu. And we come across coloring settings. The colors shown here are standard colors, they can be changed.
When we press the "+" icon at the bottom of the window, we can add a new coloring filter. By right clicking on this new filter we added, we can select the package we want to filter by saying "display filter expression".
If we exemplify, let's assume that we examine packages with zero size. Let's choose our package as below and say "OK";
Our package appeared in the filter section as seen below.
Let's set the background color and font color of this package. We press the "Background" button on the bottom panel and select our color
After doing the same for "ForgeGround", that is, the text color, let's check our colors and press "OK" to save.
TIME DISPLAY FORMAT FEATURE
Tıme Display format enables packages to be selected according to the timing structure. In the "View" menu, we find and click the "Time Display Format" option. A pop-up menu appears. In this drop-down menu, we can view the packages according to the time period we want. For example, it is possible to view packages based on date and time or only on time.
NAME RESOLUTION FEATURE
You can access the Name Resolution options from the "view" drop-down menu by finding "Name Resolution" and clicking on it. This feature allows you to convert MAC addresses to computer names. It also allows us to see the protocol structure used by the Transport layer, the domain address corresponding to IP addresses, the name of a remote network structure.
FILTERING COMMANDS OF TRAFFIC PACKAGES We
can use various filters in order to use Wireshark suitable and more convenient for our purpose. In this title, I will talk about where we can access these filters,
first, right click on the "Filter" box at the top of the Wireshark software and press "Display Filter Expression" in the menu that opens,
Here are all the filters we can use on wireshark. By using these filters, you can make your wireshark easier to use,
You can also get information about the filters and what they do when we click the "blue" icon on the left side of the "Filter" box,
CAPTING THE NETWORK TRAFFIC USING WIRESHARK
First, we find the network interface we want to listen from "Capture" and start it by double-clicking it.
As seen in the picture above, our packages started to be listed with the start button. There are 3 different sections here. The top section shows us the packages listed and all transactions on network traffic.
The middle area shows detailed information about each captured packet (MAC address information of the receiver and sender, IP information, Protocol structure used, etc.). To reach the details of the given information, it will be enough to double click on it.
The bottom section shows the position of the selected line from the start. The network package is shown as hexadecimal in the block on the left, and in ASCII format in the block on the right.
To stop the flowing traffic, it will be enough to press the red "stop" button from the top menu. To restart the traffic, you can press the green button next to it. Operations such as saving the capture file, closing it, going to the selected package quickly, closing the coloring settings and enlarging the text in the window can also be done on the same menu.
CREATING A WIRESHARK PROFILE AND COLUMN By
creating a profile in Wireshark, we can have the opportunity to define coloring settings, filtering settings and column structures that we will use in the analysis process according to our own preferences. First, we select the interface that we want to track network traffic. And we start the traffic flow
We don't need to pay attention to the traffic flow here. Right click the "Profile" text at the bottom of the window and click "New" in the menu that opens.
We don't need to pay attention to the traffic flow here. Right click the "Profile" text at the bottom of the window and click "New" in the menu that opens.
Then we will name our profile in the window that opens, I named it "profile 1" and I press OK and save it.
You can manage this profile structure as you wish. After that, all the changes you make are saved in this profile, even if you close the wireshark software, the settings you previously made will retain themselves when you open the software again.
In addition to profiling under this title, I will show you how to create a column or edit existing columns. Firstly, to give examples to the columns, "No", "Time", "Source", "Destination", "Protocol", "Lenght", "Info" sections are columns in our software. There. Let's create our own column in addition to these columns. We place our cursor on the row with the columns and right click.
We click on the "Column Preferences" option from this drop-down menu and a window like below opens.
As you can see, he writes the columns and their descriptions. Here you can edit existing columns, delete them or add new columns. Let's create a column that will show us the source port on wireshark. For this, let's press the "+" button at the bottom of the window. Let's name the new column that is created and choose which values to show. Then, press the "OK" button and save it.
As you can see below, our column was formed at the very end of the column line.
WIRESHARK STATISTICS MENU
Wireshark generates statistical data on the recorded traffic flow. In this title, we will examine these statistics as well,
SUMMARY FEATURE
This feature can be learned about the general structure of network traffic (time to capture the first packet, time to capture the last packet, etc.). To use this feature, you can open the "Statistics" menu and click on "Capture File Properties" from the drop-down menu. You can also add your own comments and notes to the "Capture File Comments" section at the bottom of the window.
ADRESS RESOLUTİON FEATURE
This feature is the feature that shows the Domain addresses of IP addresses in traffic. Can be accessed by clicking "Resolved Adresses" from the "Statistics" menu
PROTOCOL HIERARCHY FEATURE
This feature shows detailed information about packets in traffic such as percentage interactions of packets with TCP / IP Model structure, structure of incoming and outgoing packets, amount of incoming data. It can be viewed by clicking the "Protocol hierarchy" option from the "Statistics" section.
CONVERSATION FEATURE
This feature shows the user who communicates in traffic and which protocol structure they use. It can be accessed by clicking "Conversation" from the "Statistics" section
ENDPOINTS FEATURE
This feature shows the machines most recently contacted. And various statistics about communication data can be displayed here. It can be viewed by clicking "Endpoints" from the "Statistics" section
I / O GRAPHS FEATURE
This feature is the feature that shows the structure of the traffic to the user in the form of a graph. It can be viewed by clicking the "IO Graphs" option from the "Statistics" menu,
FLOW GRAPHS FEATURE
This feature shows the flow of packets sent and received. Thanks to this feature, we can learn how each transaction in the traffic flow is realized. Access to this feature can be accessed by clicking "Flow Graphs" from the "Statistics" menu.
http PROTOCOL STATISTICS With
this feature, we can view statistics about the processes using the [IMG] http protocol. By clicking the "[IMG] http" drop-down menu from the "Statistics" menu, it is possible to view the statistics of the transactions that we want to view the statistics.
[IMG]https://i.resimyukle.xyz/TNzP21..png
SEEING A TRIPLE HANDSHIP STRUCTURE ON WIRESHARK We
have already mentioned the triple handshake structure in our previous titles. Now we will try to see this structure on wireshark. I will explain this process on the .pcap file that I downloaded to my computer. First, we open the "File" menu from the panel. And we select our .pcap file from our computer by clicking the "Open" text from the drop-down menu. After choosing our pcap file, the traffic flow of the file is reflected on our monitor.
Now, since we will observe the triple handshake structure here, we will only examine the traffic using the TCP protocol structure. For this, let's look at the three lines below and the transactions that have taken place,
When two machines want to communicate with each other, the source machine that wants to communicate sends SYN packet to the target machine and specifies the SEQ value as "0".
Sending the SYN packet, the target machine sends the SYK ACK packet to the other party, indicating that it approves the communication request and specifies the ACK value as "1".
The source machine receiving the SYN ACK packet verifies the communication and sends the ACK packet to the other party, in which case it states that the SEQ and ACK values are "1".
In this way, triple handshake occurs and data communication starts between the two machines. When the communication
connection is wanted to terminate, the machine that wants to terminate the connection sends the FIN package to the opposite machine.
The machine that receives the FIN package completes the connection termination by sending the ACK package.
Connection termination is done in this way.
ANALYSIS OF ARP PROTOCOL PACKET
First of all, let us remember that it is the protocol that converts the IP address of the ARP protocol to the MAC address. Then let's take a look at our ARP table by opening our cmd screen. To access the ARP table, we enter the following command in our command line,
Code:barley
After entering the command, we can see IP addresses and MAC addresses.
Let's examine this process on Wireshark. I select my interface from the Capture section and start it. Then I write "arp" in the filtering section and only the traffic flow for the ARP protocol is listed on wireshark.
As you can see, the first broadcast here is "Broadcast". Along with the broadcast broadcast, the server requests the MAC address of the IP address defined in the information section. As we recall from the previous titles, we call this the "Request" transaction. We can confirm this in the section below,
Now let's examine the desired answer. The owner of the IP address that our server asks for the MAC address specifies the MAC address with the process we call "Reply". We can see this in the INFO column. It is also available in more detail (IP and MAC address of the sender and recipient, Protocol Type etc.) in our section below. Let's examine it immediately.
ANALYSIS OF THE DHCP PROTOCOL PACK
We remember that this protocol structure is a protocol that automatically gives various addresses to the machine connected to the network. In this title, we will examine the DHCP protocol package. First, by entering the following command, we learn our IP address,
Code:
ipconfig
Then we select and start our interface on wireshark. And the traffic flow is listed.
Let's reset our IP address. For this, we enter the following command on our cmd screen,
Code:
ipconfig / release
Now let's request a new IP address, we enter the command below,
Code:ipconfig / renew
After getting our IP address, we return to our wireshark software, write "bootp" in the filter section and start to examine our traffic flow,
When we cancel our IP address in the first place, we can see the traffic flow. Below we can see that it received the request from port 68 and sent data from port 67,
Looking at the second row, the client requested IP by sending the DHCP discover packet. The DHCP server that received this incoming package has sent the DHCP Offer package. As you remember, the DHCP Offer package offered the client several addresses. Let's examine this package and see the offered addresses. We click on the line where the DHCP Offer package was sent and details are listed below,
as you can see below, it offered submask address, router address, DHCP server time restriction, IP address as below.
Now let's move on to the bottom line and DHCP Request package has been sent in this stream. This package indicates that the client accepts the offers in the package sent by the DHCP server. Then, DHCP ACK packet, the information offered with this packet was assigned to the client by the server. You can check this again from the section below. As you can see, the information sent with the Offer package is assigned to the client.
ANALYSIS OF THE DNS PROTOCOL PACKAGE
Let's remember this protocol again. DNS protocol is the protocol that converts site names to IP addresses. Now we will examine this protocol on wireshark. Now we enter the following command in our command line and the sites we have connected to before are listed as a table on the command line. Here we can see the IP information of "www.turkhackteam.org" site.
Code:
ipconfig / displaydns
Let's delete our browser cache in this DNS table. We can do this with the following command,
Code:
ipconfig / flushdns
Now let's look at our DNS table again. We enter the command below,
Code:
ipconfig / displaydns
After sending this command, we can no longer see the IP information of "www.turkhackteam.org". Let's start our wireshark interface connection. And again, let's send a request to the website www.turkhackteam.org on the cmd screen . We enter the command below,
Code:
ping www.turkhackteam.org
As you can see in the picture, we sent our request to our site. Let's examine this on wireshark. Let's write "dns" to our Wireshark filter and enter it. As you can see, the query process took place. then the server performed the response process and changed the domain address to IP address. We can reach the details of the transactions from the section below.
ANALYSIS OF THE http PROTOCOL PACK
As we remember, this protocol runs on the application layer and uses the TCP protocol on the transport layer.
For example, when we want to visit a website, the TCP protocol runs first. Triple handshake occurs when the protocol is triggered. Upon successful completion of the triple handshake, the connection is established and the visit request is sent to the server via the [IMG] http protocol. The server then starts sending data. We can see this on Wireshark,
[IMG]https://i.resimyukle.xyz/6PUxP4..png
FOLLOW TCP / UDP STREAM FEATURE
Follow TCP / UDP Stream feature is the wireshark feature that allows you to follow the TCP / UDP flow in Turkish. This feature makes it possible to make the traffic flowing on wireshar more meaningful. Based on the information we have learned so far, we can say that the traffic flowing on wireshark will be very complex to a user who is not familiar with the TCP / IP Protocol structure. Especially when we want to control the traffic flowing without making a packet filter, we can count how difficult it will be, even if we are familiar with the TCP / IP protocol structure. As I mentioned above, this title, which I will explain step by step, will make the flowing traffic more meaningful and will show us this traffic visually. Let's move on to our transactions,
I opened a pcap file with wireshark, as I explained it, and right click on any traffic using the TCP protocol in traffic flow and clicked "Follow TCP / UDP Stream"
After that, a page like the one below will open. On this page, you can view the TCP traffic flow in different formats. It is also possible to access the html codes of the site you are visiting. You can save this traffic by clicking the "save as" button below.
EXPORT OBJECT FEATURE
This feature allows us to detect and save all formats of any file in the traffic stream on wireshark.
In order to benefit from this feature, after the traffic flow occurs, we select the "Export Object" option from the "File" menu on the top panel and select the " http" option from the new menu that opens.
[IMG]https://i.resimyukle.xyz/Hab49N..png
Then a window will open where we can view and save the actual formats of the files in the traffic stream. The appearance of this window is as follows.
SOLVING THE SSL TRAFFIC In
this topic, we will try to decode a network traffic encrypted with SSL protocol with SSL password on Wireshark. For this, we need to have a network traffic encrypted with SSL protocol and an SSL key that can solve this traffic. I obtained these files from the internet in order to tell the subject in pcap and key format. Let's open the .pcap file we have on wireshark and list our traffic flow,
Then we open the "Edit" menu from the top panel and click on "Preferences",
In the preferences page that opens, we select the "RSA Key" option on the left side and select our .key file by clicking the "Add New Key File" button,
After saying OK, we can view and save the encrypted data in the new window that opens by clicking "Export Object" from the "File" menu and clicking " http" from the drop-down menu.
[IMG]https://i.resimyukle.xyz/RILU2K..png
VIEWING THE SSL CERTIFICATE WITHIN SSL PACKAGES
Now we will obtain the site's SSL certificate based on the SSL packages we view on wireshark. For this, I filter the traffic flow by typing "ssl" in the "filter" section on wireshark
Next, let's click on any of the packages and look at the "Certificate" information below.
Right click on the part that says "Certificate: .." and press "Export Packet Bytes" button.
Then, in any ******** that will ask us to save this certificate, let us save it with the extension ".crt" or ".cer". And let's find and open the file we saved on our computer. As you can see below, we have reached the details about the certificate
VOIP PACKET VOICE DIALING
first let's talk about VoIP and advanced amateur from RTP protocol before beginning the process.
The RTP Protocol is used for end-to-end transmissions in communications with media exchange. VoIP is the IP structure used for voice calls over the internet. In this protocol, voices are transmitted to the other party in packets. In this title, we will perform the process of converting VoIP packages into sound.
First, we view the packages with RTP protocol structure on wireshark. In order to explain the subject, I opened the pcap file on the wireshark, which contains packets with RTP protocol structure over the internet.
Then click "Telephony" in the top panel, find and click "RTP" option from the drop-down menu, and then click "RTP Streams" from the drop-down menu
In the window that opens, we can see two different voice traffic
We select one of the two traffic and press the "analyze" button at the bottom,
Then a window like this will open. In this window, we press the "Play Streams" button at the bottom,
In the new window that was opened, the package was turned into sound, and we can listen to this sound by pressing the "Play" button. We can also see in which time period the sound is sent.
EXPERT INFO FEATURE The
Expert Info feature is a feature that displays data such as warnings and information notes of the packages captured on the network traffic to the user. In order to take advantage of this feature, the traffic flow must first take place. After the flow, if warning, information messages, etc. If it occurs, we will be able to view these messages and their source in the expert info window. My traffic flow has occurred, now I click on the circular button on the bottom left of the Wireshark window,
After pressing the button, a new window appeared. This window showed me a warning message, you can see it in the picture below
As you can see in the picture, I was able to see the package number, information summary, column name and protocol used on this window. Likewise, when I click on each error message, it shows me the error package on the traffic flow.
Again, this feature offers the ability to list packages by type of information message in the window. By pressing the "Show" button, we can select which type of information message we want to display from the list,
COMBINING CAPTURED TRAFFIC FLOWS With
this process, we will combine multiple traffic streams captured separately into a single file. First, we open a file in .pcap format that we want to combine with wireshark,
Then, by clicking "Merge" option from the "File" menu, we also select the other file we want to merge in the window that opens,
When we say ok after choosing it, our two packages are united on wireshark.
Let's save the files we have merged as one file. To do this, we click on "Save As" option from the "File" menu and select "********" where we want to save and select the file name. Now we have gathered two different traffic streams in a single pcap file.
In this article, we will give general information about the Network, we will understand the structure and working logic of various protocols, and will recognize and use Wireshark software.
WHAT IS WIRESHARK? WHAT IS IT USED FOR?
Wireshark is used to analyze the transmission speed of the network, problems on the network, and packets. With Wireshark software, we can perform the following operations;
Real-time control of the transferred data traffic,
Analyze network traffic
Capture every packet on the network and analyze those packets that have been captured or previously captured
Ability to edit a captured package
Saving captured packets and combining them with other packets
Filtering network traffic with various commands
Detecting VoIP calls on the network and converting them to voice
Increasing the number of protocols with the help of various plugins
You can download Wireshark software from the official site below;
[url]https://www.wireshark.org/download.html[/url]
Now let's talk about network and general terms related to Network
WHAT IS NETWORK?
We call the system Network, which is created by connecting the devices, whether wireless or wired. Thanks to networks, computers, and users can communicate with each other. The network created by the computers in the same environment is called LAN, the local network, and the network created by the computers in different environments is called WAN, the wide-area network. In this article, we will perform network traffic, also known as network traffic analysis.
TCP / IP MODEL STRUCTURE
The TCP / IP model consists of two parts, the Top and the Bottom. The upper part is called the TCP protocol and the lower part is called the IP protocol. The TCP protocol allows the data to be separated into packets before being transmitted, and to unbundle packets that have been transmitted after transmission. The IP part allows the packets to be managed to the corresponding network address. In this model, new protocols can easily be placed between existing layers when needed. However, it is more inefficient compared to OSI model since it is a model without strict rules. TCP / IP model consists of 4 layers.
OSI MODEL STRUCTURE
It consists of 7 layers. The OSI model sets the protocols between Computers. Unlike the TCP / IP model, the tasks of the layers and their relationships with each other are strictly defined. Layers that are not required are not used in this model. Therefore, it is more efficient to work with the OSI model. However, there are also cons as well as its pros and cons that the OSI model makes it difficult to develop new protocols with this feature.
PROTOCOLS USED IN TCP / IP MODEL
ARP PROTOCOL
It is the protocol that allows IP addresses to be converted to MAC addresses. It enables computers to communicate with each other in local networks. For example; When computer A wants to communicate with computer B, it looks at the ARP table of computer B. If there are IP and MAC addresses of computer B in this table, communication takes place. However, if there is no MAC address of computer B in this ARP table, computer A collects its IP and MAC address and IP address of computer B in the ARP package and sends the package to all computers on the local network as broadcast. We call this request "Request". All computers receiving the request compare the IP address that came with the package with its own IP address. If IP addresses do not match, the request is not answered. Since the IP address included in the package is the IP address of the computer B, computer B approves this request and collects the IP and MAC addresses of the computer A in the ARP package, then sends this package to the computer A uncostly. The response to this incoming request is called "Reply". In this way, A and B computers have each other's IP and MAC addresses in their ARP tables.
DHCP PROTOCOL
It is the protocol that enables the assignment of dynamic IP addresses to computers on a local network. In addition to distributing IP addresses, this protocol is responsible for sending DNS addresses, Submask addresses, Gateway addresses and windows server addresses to the devices. For example; The computer that wants to connect to the local network sends the package we call DHCP Discover to all the computers on the network in order to check the existence of the DHCP server. When the DHCP server receives this packet, it sends the packet called DHCP Offer, which contains IP information and the IP address's lifetime. And it asks if the computer has approved this package. If this packet is approved by the computer, the computer sends the DHCP Request request as a broadcast. The DHCP server receives this request and IP, DNS, Submask, It sends the gateway and windows server address to the computer with the package we call DHCP ACK. In this way, the computer sending the request becomes included in the network.
DNS PROTOCOL
It is the protocol that names IP addresses. Thanks to this protocol, the domain address to be connected to is sent to the Local DNS server by the computer. If the local DNS Server has previously interacted with the sent internet address, it sends the IP information of this website to the computer sending the request and provides communication with the computer domain address. If the local DNS server does not host this information, it sends a request to the DNS server that contains all the domain addresses and the IP addresses corresponding to those domain addresses, that is to the Root DNS server. Here, the Local DNS server redirects to the TLD DNS server that contains the domain address that you want to connect to. Here, too, the Local DNS server is directed to the original server address of the domain address, the SLD DNS server.
FTP PROTOCOL
It is the protocol that enables file transfer between the server and the client. A triple handshake is created between the server and the client. Then, it is checked through port 21 whether the client is defined on the server. If the client is defined on the server, data communication takes place on the 20th port in line with the requests of the client.
[IMG] http PROTOCOL
This protocol determines the data exchange rules between the server and the client. The client requests the server to access data from an address. This request is called "Request". The server checks whether it contains this incoming address, and if it does, it sends the data about the address to the client as the answer we call "Response". In this way, the client shows this incoming data to the user through various browsers.
RECOGNIZING THE WIRESHARK MENU
Let's run our Wireshark software. When we run the software, a screen like the one below will meet us. Here, we can do the process of selecting the ethernet interface that we want to capture network traffic and seeing the network traffic in the section called "Capture" and we can select the interfaces that we want to be shown in the section that says "All interfaces shown". enough.
[IMG] https://i.resimyukle.xyz/bC0TUU..png
We can adjust the Capture Settings to ourselves by going to Capture> Options from the upper panel. Here we can select the ethernet interfaces partially or completely and to filter the captured network packets.
In the section that says "Capture Filter For Selected Interfaces", we can filter the packages we want to capture. When we click on the green button on the left of the box, it offers us various filtering options (Capturing TCP connections only, Capturing UDP connections only, etc.)
With the "Manage Interface" on the right, we can manage the network interfaces.
Let's go back to the Capture Options window and go to the "Output" section from the top panel. Here, the "File" section at the top offers the opportunity to transfer the captured traffic to the computer. Similarly, we can select the type of this file as "pcapng" or "pcap" at the bottom. Also, in this section, we can ensure that the process of capturing network traffic stops automatically when the packages reach the size we have previously set.
When we get to the "Options" section from the top panel, there are also several options here. By adjusting these options according to ourselves, we can make our traffic more understandable. We can ensure that the process is stopped automatically.
You can open files in the formats supported by the wireshark software with the "Open" option in the "File" menu. You can also operate on these files if you wish. With the "Open Recent" option, you can reopen the files you previously opened on wireshark.
You can combine the previously recorded traffic flows with the new traffic flows with the "Merge" option in the "File" menu.
In the "Go" menu, you can
switch between the packages. In the "Telephony" menu, you can find the options where you can listen to the packages.
In the "Statistics" menu, you can access the statistical data of traffic flows.
Let's look at the "edit" section from our menu on the top panel. Here you can click on "Preferences" at the bottom and set preferences (You can change the view, browse the statistics)
WIRESHARK COLORING SETTINGS There
are coloring settings on wireshark to make the analysis graphic more meaningful and faster to analyze. The colorings adjusted in this way will provide us convenience during the analysis. Let's look at these settings. We press the "View" menu on the top panel. We find and click the "Coloring Rules" option from the drop-down menu. And we come across coloring settings. The colors shown here are standard colors, they can be changed.
When we press the "+" icon at the bottom of the window, we can add a new coloring filter. By right clicking on this new filter we added, we can select the package we want to filter by saying "display filter expression".
If we exemplify, let's assume that we examine packages with zero size. Let's choose our package as below and say "OK";
Our package appeared in the filter section as seen below.
Let's set the background color and font color of this package. We press the "Background" button on the bottom panel and select our color
After doing the same for "ForgeGround", that is, the text color, let's check our colors and press "OK" to save.
TIME DISPLAY FORMAT FEATURE
Tıme Display format enables packages to be selected according to the timing structure. In the "View" menu, we find and click the "Time Display Format" option. A pop-up menu appears. In this drop-down menu, we can view the packages according to the time period we want. For example, it is possible to view packages based on date and time or only on time.
NAME RESOLUTION FEATURE
You can access the Name Resolution options from the "view" drop-down menu by finding "Name Resolution" and clicking on it. This feature allows you to convert MAC addresses to computer names. It also allows us to see the protocol structure used by the Transport layer, the domain address corresponding to IP addresses, the name of a remote network structure.
FILTERING COMMANDS OF TRAFFIC PACKAGES We
can use various filters in order to use Wireshark suitable and more convenient for our purpose. In this title, I will talk about where we can access these filters,
first, right click on the "Filter" box at the top of the Wireshark software and press "Display Filter Expression" in the menu that opens,
Here are all the filters we can use on wireshark. By using these filters, you can make your wireshark easier to use,
You can also get information about the filters and what they do when we click the "blue" icon on the left side of the "Filter" box,
CAPTING THE NETWORK TRAFFIC USING WIRESHARK
First, we find the network interface we want to listen from "Capture" and start it by double-clicking it.
As seen in the picture above, our packages started to be listed with the start button. There are 3 different sections here. The top section shows us the packages listed and all transactions on network traffic.
The middle area shows detailed information about each captured packet (MAC address information of the receiver and sender, IP information, Protocol structure used, etc.). To reach the details of the given information, it will be enough to double click on it.
The bottom section shows the position of the selected line from the start. The network package is shown as hexadecimal in the block on the left, and in ASCII format in the block on the right.
To stop the flowing traffic, it will be enough to press the red "stop" button from the top menu. To restart the traffic, you can press the green button next to it. Operations such as saving the capture file, closing it, going to the selected package quickly, closing the coloring settings and enlarging the text in the window can also be done on the same menu.
CREATING A WIRESHARK PROFILE AND COLUMN By
creating a profile in Wireshark, we can have the opportunity to define coloring settings, filtering settings and column structures that we will use in the analysis process according to our own preferences. First, we select the interface that we want to track network traffic. And we start the traffic flow
We don't need to pay attention to the traffic flow here. Right click the "Profile" text at the bottom of the window and click "New" in the menu that opens.
We don't need to pay attention to the traffic flow here. Right click the "Profile" text at the bottom of the window and click "New" in the menu that opens.
Then we will name our profile in the window that opens, I named it "profile 1" and I press OK and save it.
You can manage this profile structure as you wish. After that, all the changes you make are saved in this profile, even if you close the wireshark software, the settings you previously made will retain themselves when you open the software again.
In addition to profiling under this title, I will show you how to create a column or edit existing columns. Firstly, to give examples to the columns, "No", "Time", "Source", "Destination", "Protocol", "Lenght", "Info" sections are columns in our software. There. Let's create our own column in addition to these columns. We place our cursor on the row with the columns and right click.
We click on the "Column Preferences" option from this drop-down menu and a window like below opens.
As you can see, he writes the columns and their descriptions. Here you can edit existing columns, delete them or add new columns. Let's create a column that will show us the source port on wireshark. For this, let's press the "+" button at the bottom of the window. Let's name the new column that is created and choose which values to show. Then, press the "OK" button and save it.
As you can see below, our column was formed at the very end of the column line.
WIRESHARK STATISTICS MENU
Wireshark generates statistical data on the recorded traffic flow. In this title, we will examine these statistics as well,
SUMMARY FEATURE
This feature can be learned about the general structure of network traffic (time to capture the first packet, time to capture the last packet, etc.). To use this feature, you can open the "Statistics" menu and click on "Capture File Properties" from the drop-down menu. You can also add your own comments and notes to the "Capture File Comments" section at the bottom of the window.
ADRESS RESOLUTİON FEATURE
This feature is the feature that shows the Domain addresses of IP addresses in traffic. Can be accessed by clicking "Resolved Adresses" from the "Statistics" menu
PROTOCOL HIERARCHY FEATURE
This feature shows detailed information about packets in traffic such as percentage interactions of packets with TCP / IP Model structure, structure of incoming and outgoing packets, amount of incoming data. It can be viewed by clicking the "Protocol hierarchy" option from the "Statistics" section.
CONVERSATION FEATURE
This feature shows the user who communicates in traffic and which protocol structure they use. It can be accessed by clicking "Conversation" from the "Statistics" section
ENDPOINTS FEATURE
This feature shows the machines most recently contacted. And various statistics about communication data can be displayed here. It can be viewed by clicking "Endpoints" from the "Statistics" section
I / O GRAPHS FEATURE
This feature is the feature that shows the structure of the traffic to the user in the form of a graph. It can be viewed by clicking the "IO Graphs" option from the "Statistics" menu,
FLOW GRAPHS FEATURE
This feature shows the flow of packets sent and received. Thanks to this feature, we can learn how each transaction in the traffic flow is realized. Access to this feature can be accessed by clicking "Flow Graphs" from the "Statistics" menu.
http PROTOCOL STATISTICS With
this feature, we can view statistics about the processes using the [IMG] http protocol. By clicking the "[IMG] http" drop-down menu from the "Statistics" menu, it is possible to view the statistics of the transactions that we want to view the statistics.
[IMG]https://i.resimyukle.xyz/TNzP21..png
SEEING A TRIPLE HANDSHIP STRUCTURE ON WIRESHARK We
have already mentioned the triple handshake structure in our previous titles. Now we will try to see this structure on wireshark. I will explain this process on the .pcap file that I downloaded to my computer. First, we open the "File" menu from the panel. And we select our .pcap file from our computer by clicking the "Open" text from the drop-down menu. After choosing our pcap file, the traffic flow of the file is reflected on our monitor.
Now, since we will observe the triple handshake structure here, we will only examine the traffic using the TCP protocol structure. For this, let's look at the three lines below and the transactions that have taken place,
When two machines want to communicate with each other, the source machine that wants to communicate sends SYN packet to the target machine and specifies the SEQ value as "0".
Sending the SYN packet, the target machine sends the SYK ACK packet to the other party, indicating that it approves the communication request and specifies the ACK value as "1".
The source machine receiving the SYN ACK packet verifies the communication and sends the ACK packet to the other party, in which case it states that the SEQ and ACK values are "1".
In this way, triple handshake occurs and data communication starts between the two machines. When the communication
connection is wanted to terminate, the machine that wants to terminate the connection sends the FIN package to the opposite machine.
The machine that receives the FIN package completes the connection termination by sending the ACK package.
Connection termination is done in this way.
ANALYSIS OF ARP PROTOCOL PACKET
First of all, let us remember that it is the protocol that converts the IP address of the ARP protocol to the MAC address. Then let's take a look at our ARP table by opening our cmd screen. To access the ARP table, we enter the following command in our command line,
Code:barley
After entering the command, we can see IP addresses and MAC addresses.
Let's examine this process on Wireshark. I select my interface from the Capture section and start it. Then I write "arp" in the filtering section and only the traffic flow for the ARP protocol is listed on wireshark.
As you can see, the first broadcast here is "Broadcast". Along with the broadcast broadcast, the server requests the MAC address of the IP address defined in the information section. As we recall from the previous titles, we call this the "Request" transaction. We can confirm this in the section below,
Now let's examine the desired answer. The owner of the IP address that our server asks for the MAC address specifies the MAC address with the process we call "Reply". We can see this in the INFO column. It is also available in more detail (IP and MAC address of the sender and recipient, Protocol Type etc.) in our section below. Let's examine it immediately.
ANALYSIS OF THE DHCP PROTOCOL PACK
We remember that this protocol structure is a protocol that automatically gives various addresses to the machine connected to the network. In this title, we will examine the DHCP protocol package. First, by entering the following command, we learn our IP address,
Code:
ipconfig
Then we select and start our interface on wireshark. And the traffic flow is listed.
Let's reset our IP address. For this, we enter the following command on our cmd screen,
Code:
ipconfig / release
Now let's request a new IP address, we enter the command below,
Code:ipconfig / renew
After getting our IP address, we return to our wireshark software, write "bootp" in the filter section and start to examine our traffic flow,
When we cancel our IP address in the first place, we can see the traffic flow. Below we can see that it received the request from port 68 and sent data from port 67,
Looking at the second row, the client requested IP by sending the DHCP discover packet. The DHCP server that received this incoming package has sent the DHCP Offer package. As you remember, the DHCP Offer package offered the client several addresses. Let's examine this package and see the offered addresses. We click on the line where the DHCP Offer package was sent and details are listed below,
as you can see below, it offered submask address, router address, DHCP server time restriction, IP address as below.
Now let's move on to the bottom line and DHCP Request package has been sent in this stream. This package indicates that the client accepts the offers in the package sent by the DHCP server. Then, DHCP ACK packet, the information offered with this packet was assigned to the client by the server. You can check this again from the section below. As you can see, the information sent with the Offer package is assigned to the client.
ANALYSIS OF THE DNS PROTOCOL PACKAGE
Let's remember this protocol again. DNS protocol is the protocol that converts site names to IP addresses. Now we will examine this protocol on wireshark. Now we enter the following command in our command line and the sites we have connected to before are listed as a table on the command line. Here we can see the IP information of "www.turkhackteam.org" site.
Code:
ipconfig / displaydns
Let's delete our browser cache in this DNS table. We can do this with the following command,
Code:
ipconfig / flushdns
Now let's look at our DNS table again. We enter the command below,
Code:
ipconfig / displaydns
After sending this command, we can no longer see the IP information of "www.turkhackteam.org". Let's start our wireshark interface connection. And again, let's send a request to the website www.turkhackteam.org on the cmd screen . We enter the command below,
Code:
ping www.turkhackteam.org
As you can see in the picture, we sent our request to our site. Let's examine this on wireshark. Let's write "dns" to our Wireshark filter and enter it. As you can see, the query process took place. then the server performed the response process and changed the domain address to IP address. We can reach the details of the transactions from the section below.
ANALYSIS OF THE http PROTOCOL PACK
As we remember, this protocol runs on the application layer and uses the TCP protocol on the transport layer.
For example, when we want to visit a website, the TCP protocol runs first. Triple handshake occurs when the protocol is triggered. Upon successful completion of the triple handshake, the connection is established and the visit request is sent to the server via the [IMG] http protocol. The server then starts sending data. We can see this on Wireshark,
[IMG]https://i.resimyukle.xyz/6PUxP4..png
FOLLOW TCP / UDP STREAM FEATURE
Follow TCP / UDP Stream feature is the wireshark feature that allows you to follow the TCP / UDP flow in Turkish. This feature makes it possible to make the traffic flowing on wireshar more meaningful. Based on the information we have learned so far, we can say that the traffic flowing on wireshark will be very complex to a user who is not familiar with the TCP / IP Protocol structure. Especially when we want to control the traffic flowing without making a packet filter, we can count how difficult it will be, even if we are familiar with the TCP / IP protocol structure. As I mentioned above, this title, which I will explain step by step, will make the flowing traffic more meaningful and will show us this traffic visually. Let's move on to our transactions,
I opened a pcap file with wireshark, as I explained it, and right click on any traffic using the TCP protocol in traffic flow and clicked "Follow TCP / UDP Stream"
After that, a page like the one below will open. On this page, you can view the TCP traffic flow in different formats. It is also possible to access the html codes of the site you are visiting. You can save this traffic by clicking the "save as" button below.
EXPORT OBJECT FEATURE
This feature allows us to detect and save all formats of any file in the traffic stream on wireshark.
In order to benefit from this feature, after the traffic flow occurs, we select the "Export Object" option from the "File" menu on the top panel and select the " http" option from the new menu that opens.
[IMG]https://i.resimyukle.xyz/Hab49N..png
Then a window will open where we can view and save the actual formats of the files in the traffic stream. The appearance of this window is as follows.
SOLVING THE SSL TRAFFIC In
this topic, we will try to decode a network traffic encrypted with SSL protocol with SSL password on Wireshark. For this, we need to have a network traffic encrypted with SSL protocol and an SSL key that can solve this traffic. I obtained these files from the internet in order to tell the subject in pcap and key format. Let's open the .pcap file we have on wireshark and list our traffic flow,
Then we open the "Edit" menu from the top panel and click on "Preferences",
In the preferences page that opens, we select the "RSA Key" option on the left side and select our .key file by clicking the "Add New Key File" button,
After saying OK, we can view and save the encrypted data in the new window that opens by clicking "Export Object" from the "File" menu and clicking " http" from the drop-down menu.
[IMG]https://i.resimyukle.xyz/RILU2K..png
VIEWING THE SSL CERTIFICATE WITHIN SSL PACKAGES
Now we will obtain the site's SSL certificate based on the SSL packages we view on wireshark. For this, I filter the traffic flow by typing "ssl" in the "filter" section on wireshark
Next, let's click on any of the packages and look at the "Certificate" information below.
Right click on the part that says "Certificate: .." and press "Export Packet Bytes" button.
Then, in any ******** that will ask us to save this certificate, let us save it with the extension ".crt" or ".cer". And let's find and open the file we saved on our computer. As you can see below, we have reached the details about the certificate
VOIP PACKET VOICE DIALING
first let's talk about VoIP and advanced amateur from RTP protocol before beginning the process.
The RTP Protocol is used for end-to-end transmissions in communications with media exchange. VoIP is the IP structure used for voice calls over the internet. In this protocol, voices are transmitted to the other party in packets. In this title, we will perform the process of converting VoIP packages into sound.
First, we view the packages with RTP protocol structure on wireshark. In order to explain the subject, I opened the pcap file on the wireshark, which contains packets with RTP protocol structure over the internet.
Then click "Telephony" in the top panel, find and click "RTP" option from the drop-down menu, and then click "RTP Streams" from the drop-down menu
In the window that opens, we can see two different voice traffic
We select one of the two traffic and press the "analyze" button at the bottom,
Then a window like this will open. In this window, we press the "Play Streams" button at the bottom,
In the new window that was opened, the package was turned into sound, and we can listen to this sound by pressing the "Play" button. We can also see in which time period the sound is sent.
EXPERT INFO FEATURE The
Expert Info feature is a feature that displays data such as warnings and information notes of the packages captured on the network traffic to the user. In order to take advantage of this feature, the traffic flow must first take place. After the flow, if warning, information messages, etc. If it occurs, we will be able to view these messages and their source in the expert info window. My traffic flow has occurred, now I click on the circular button on the bottom left of the Wireshark window,
After pressing the button, a new window appeared. This window showed me a warning message, you can see it in the picture below
As you can see in the picture, I was able to see the package number, information summary, column name and protocol used on this window. Likewise, when I click on each error message, it shows me the error package on the traffic flow.
Again, this feature offers the ability to list packages by type of information message in the window. By pressing the "Show" button, we can select which type of information message we want to display from the list,
COMBINING CAPTURED TRAFFIC FLOWS With
this process, we will combine multiple traffic streams captured separately into a single file. First, we open a file in .pcap format that we want to combine with wireshark,
Then, by clicking "Merge" option from the "File" menu, we also select the other file we want to merge in the window that opens,
When we say ok after choosing it, our two packages are united on wireshark.
Let's save the files we have merged as one file. To do this, we click on "Save As" option from the "File" menu and select "********" where we want to save and select the file name. Now we have gathered two different traffic streams in a single pcap file.
