Course Notes - Day 3

https://blog.packet-foo.com/2019/04/wireless-capture-on-windows/

NOTE: Lunch at 12:00pm CET

Please say "hi" when you arrive. Helps with the roster.

Side notes: The Interplanetary Internet - Bundle Protocol RFC 5050 - Interplanetary Overlay Network software (ION)

Agenda:
  Security World
  Start - Endpoint - End
  Baseline
  Endpoint capture
  Investigate iPerf
  Start Lab 3 and 4 and Question Set
  How many packets in this trace file have the TCP Push bit set to 1?  (tcp.flags.push==1)

TCP FLAG FILTERS
  tcp.flags.syn==1 || tcp.flags.fin==1 || tcp.flags.reset==1   (connection setup and teardown)
  SYN/ACK packets only:  tcp.flags.syn==1 && tcp.flags.ack==1
  SYN packets only:      tcp.flags.syn==1 && tcp.flags.ack==0

  tcp.window_size < 1000   - a small window is not, by itself, a problem

COMBO FIELDS
ip.addr == 10.2.2.2   this means...   ip.src==10.2.2.2 || ip.dst==10.2.2.2

ip.addr is a COMBO FIELD (one packet carries two values for it) - do not use != with COMBO FIELDS

Incorrect:  ip.addr != 10.2.2.2
  expands to  ip.src != 10.2.2.2 || ip.dst != 10.2.2.2
  which still matches both directions of the conversation you wanted to hide:
    10.2.2.2 ---> 10.9.9.9   (dst is not 10.2.2.2)
    10.9.9.9 ---> 10.2.2.2   (src is not 10.2.2.2)

Correct:    !ip.addr == 10.2.2.2
  which is  !(ip.src==10.2.2.2 || ip.dst==10.2.2.2)

Caveat: Wireshark 3.6 and later redefined != so that ip.addr != 10.2.2.2 no longer matches packets carrying 10.2.2.2; the old "any value differs" behaviour moved to the !== operator. The leading-! form works on every version, so keep using it.

*******************************
COMBO FIELDS - DO NOT USE !=
  !ip.addr==10.1.1.1
  !tcp.port==24
  !udp.port==161
*******************************

[NetworkMiner is much better at website reassembly than Wireshark]

CHAIN OF CUSTODY
1. get file
2. run capinfos on the original (capinfos -H also prints the file hashes - record them)
3. make a copy
4. annotate on the copy only
Keep the capinfos output separate from the original, but also protected.

MORE FILTERS
  ip.addr==10.2.3.4 && tcp.port==80
  !arp && !icmp               (hides both)
  INCORRECT: !arp || !icmp    (every packet is either not-ARP or not-ICMP, so this hides nothing)
  bootp || dns                (DHCP in 2.x Wireshark - use bootp)
  dhcp || dns                 (3.x - the dissector was renamed to dhcp)
  tcp contains PASS           (contains is case-sensitive; PASS is the cleartext FTP/POP3 password command)
  dns.count.answers > 2

QUESTION SET
Q1: How many SYN packets are in this trace file (not SYN/ACKs... just SYN packets)?
  (tcp.flags.syn == 1) && (tcp.flags.ack == 0)
  121 packets

Q2: How many HTTP GET requests are in this trace file?
  http.request.method == "GET"
  255 packets

Q3: How many times is the TCP Window Size (Calculated Window Size) value greater than 60,000?
  tcp.window_size > 60000
  21,832 packets

Q4: How many frames contain the letters "com"?
  frame contains "com"
  683 packets

Q5: How many times is the TCP Delta time greater than 1 second?
  tcp.time_delta > 1
  130 times
  (tcp.time_delta only exists when the TCP preference "Calculate conversation timestamps" is enabled)

You can also filter on a protocol name alone:
  tcp
  udp
  ip
  icmp || icmpv6

Q6: How many DNS, ARP, SNMP, and UDP packets total are in this trace file?
  Incorrect: dns && arp && snmp && udp   (no single packet is all four at once - this matches nothing)
  Correct:   arp || snmp || udp || dns
  547 packets

Q6 (follow-up): How many DNS, ARP, SNMP, and UDP packets do not have "com" in them?
  (arp || snmp || udp || dns) && (!frame contains "com")

Q7: What is wrong with this filter?
  arp || dns && ip.addr==10.1.1.1
  It is ambiguous to the reader. Did you mean
    (arp || dns) && ip.addr==10.1.1.1
  or
    arp || (dns && ip.addr==10.1.1.1)  ?
  General form: a || b && c
    1. (a || b) && c
    2. a || (b && c)
  Wireshark resolves it by precedence: && binds tighter than || (and ! tighter still), so the
  unparenthesized filter is reading 2 - every ARP packet plus only the DNS packets involving 10.1.1.1.
  Always add the parentheses so the filter says what you mean.

Q8: How many packets are sent to or from hosts EXCEPT 208.111.173.156?
  !ip.addr==208.111.173.156

HOMEWORK
Learn Regular Expressions
  regular-expressions.info  <--- Regex Buddy, Regex Magic
  regex101.com
  TAKE THESE LESSONS!!!  https://regexone.com/

frame matches "he..o"
  matches: hello  heLLo  he87o  he&@o   (. is any single character)
  Really looking for the literal "he..o"? Escape the dots:
frame matches "he\.\.o"

signature: probandoprobandoprobando
frame matches "probando"
  ---- but what about probendo? or prob-ndo?
frame matches "prob[-ae]ndo"
  ---- or "margarita"
frame matches "(prob[-ae]ndo|margarita)"

http.host matches "\.(ru|cn|kp)"
  ---- also matches support.runnersworld.com  (".ru" inside ".runnersworld")
http.host matches "\.(ru|cn|kp)$"
  $ = end of line or field!   ^ = beginning of line or field

Case: Wireshark's matches operator is not plain PCRE here - it is case-insensitive by default.
  PCRE:      frame matches "(?i)word"
  Wireshark: frame matches "word"     (no (?i) needed for upper/lower case; put (?-i) in the pattern to make it case-sensitive)
  contains, on the other hand, is a byte-for-byte comparison and IS case-sensitive.
  Ugh....

QUICK LAB
1. Make a button for SYN packets only.
2. Make a button for SYN/ACK packets.
   (filter buttons are saved in the profile's dfilter_buttons file)
3. TCP Delta Delays over 1 second (copy from your coloring rule)
   tcp.time_delta > 1 && tcp.flags.fin==0 && tcp.flags.reset==0
   Name: TCP>1
4. HTTP Command "HEAD"
   http contains "HEAD"
   Comment: Not seen very often - why is someone using this command? Suspicious.
   (contains looks for the bytes HEAD anywhere in an HTTP packet - responses and bodies included - so it over-matches)
   Better:  http.request.method == "HEAD"
   (now we only see actual HEAD commands in the trace file - lab-gentraffic.pcapng)

http.request.method != "HEAD"
  I'm looking for packets that contain the "http.request.method" field and I only want to see packets where that field is not equal to HEAD.
  (ARP, DNS and HTTP responses carry no such field, so they are excluded)

!http.request.method == "HEAD"
  Any packet that does not contain "http.request.method with HEAD":
  ARP, DNS, DHCP, SMB, SIP, ... as well as HTTP packets without that field (responses, continuations).

! at the start IS REALLY USED FOR COMBO FIELDS MOST OF THE TIME... NOT HERE...
  (http.request.method has one value per packet, so != is safe here; the two filters only differ on packets that lack the field)

HOMEWORK: Lab 5 (page 132) and answer the end-of-chapter questions
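Added example, not from the course and not Wireshark's own code: a toy model of how a display filter evaluates ==, != and a leading ! on a combo field (ip.addr), on a single-value field (http.request.method, as in the HEAD discussion above), the !arp || !icmp mistake, and the && / || precedence question from Q7. The packets are constructed test data and each filter is a Python predicate standing in for the dfilter string in its comment; the pre-3.6 / 3.6+ split of != is modelled as "any value differs" vs "field present and no value equals".

```python
# Added example (not Wireshark's code): a toy model of display-filter
# semantics on constructed packets. Each function's comment gives the
# dfilter string it stands in for.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "dns", "arp", "icmp", "http" (just enough for the demo)
    src: Optional[str] = None       # None = no IP layer at all (ARP)
    dst: Optional[str] = None
    http_method: Optional[str] = None


# A field is the tuple of values the packet carries for it; () means "field absent".
def ip_addr(p: Packet) -> Tuple[str, ...]:
    return () if p.src is None else (p.src, p.dst)       # ip.addr is really {ip.src, ip.dst}


def http_method(p: Packet) -> Tuple[str, ...]:
    return () if p.http_method is None else (p.http_method,)


# Comparison operators. A comparison on an absent field is always false.
def any_eq(values, v):   # field == v : some value equals v
    return any(x == v for x in values)


def any_ne(values, v):   # field != v before Wireshark 3.6 (spelled !== from 3.6 on): some value differs
    return any(x != v for x in values)


def all_ne(values, v):   # field != v from Wireshark 3.6 on: field present and no value equals v
    return bool(values) and not any_eq(values, v)


def not_eq(values, v):   # !(field == v) : no value equals v, packets without the field included
    return not any_eq(values, v)


PACKETS = [                                            # constructed sample traffic
    Packet("tcp", "10.2.2.2", "10.9.9.9"),             # 0  10.2.2.2 ---> 10.9.9.9
    Packet("tcp", "10.9.9.9", "10.2.2.2"),             # 1  10.9.9.9 ---> 10.2.2.2
    Packet("dns", "10.1.1.1", "10.5.5.5"),             # 2
    Packet("dns", "10.7.7.7", "10.8.8.8"),             # 3
    Packet("arp"),                                     # 4  no ip.addr at all
    Packet("http", "10.3.3.3", "10.4.4.4", "GET"),     # 5
    Packet("http", "10.3.3.3", "10.4.4.4", "HEAD"),    # 6
    Packet("icmp", "10.6.6.6", "10.5.5.5"),            # 7
]


def apply(pred):
    """Indices of the packets a filter keeps (what the packet list would show)."""
    return [i for i, p in enumerate(PACKETS) if pred(p)]


HOST = "10.2.2.2"


def hide_host_wrong():      # ip.addr != 10.2.2.2  (pre-3.6): packets 0 and 1 survive
    return apply(lambda p: any_ne(ip_addr(p), HOST))


def hide_host_right():      # !ip.addr == 10.2.2.2 : 0 and 1 gone, ARP kept
    return apply(lambda p: not_eq(ip_addr(p), HOST))


def hide_host_36():         # ip.addr != 10.2.2.2  (3.6+): 0 and 1 gone, ARP gone too (field absent)
    return apply(lambda p: all_ne(ip_addr(p), HOST))


def head_ne():              # http.request.method != "HEAD": only packets that HAVE the field
    return apply(lambda p: all_ne(http_method(p), "HEAD"))


def head_not_eq():          # !http.request.method == "HEAD": everything that is not a HEAD request
    return apply(lambda p: not_eq(http_method(p), "HEAD"))


def hide_arp_icmp_wrong():  # !arp || !icmp : every packet is either not-ARP or not-ICMP, hides nothing
    return apply(lambda p: p.proto != "arp" or p.proto != "icmp")


def hide_arp_icmp_right():  # !arp && !icmp
    return apply(lambda p: p.proto != "arp" and p.proto != "icmp")


def precedence():
    """arp || dns && ip.addr==10.1.1.1 : Python's `and` binds tighter than `or`,
    exactly like Wireshark's && and ||, so the unparenthesized form equals reading 2."""
    arp = lambda p: p.proto == "arp"
    dns = lambda p: p.proto == "dns"
    addr = lambda p: any_eq(ip_addr(p), "10.1.1.1")
    as_written = apply(lambda p: arp(p) or dns(p) and addr(p))
    reading_1 = apply(lambda p: (arp(p) or dns(p)) and addr(p))
    reading_2 = apply(lambda p: arp(p) or (dns(p) and addr(p)))
    return as_written, reading_1, reading_2


if __name__ == "__main__":
    for fn in (hide_host_wrong, hide_host_right, hide_host_36, head_ne, head_not_eq,
               hide_arp_icmp_wrong, hide_arp_icmp_right, precedence):
        print(f"{fn.__name__:20} -> {fn()}")
```

The three hide_host variants are the whole combo-field lesson in one place: the pre-3.6 != keeps the two packets you wanted gone, the leading ! removes them and still shows the ARP packet, and the 3.6+ != removes them but also drops anything without an IP layer, because a comparison on an absent field is false under every operator.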
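Added example for the regex homework above, not from the course: the patterns from the notes run through Python's re module with re.IGNORECASE set to mimic the default behaviour of Wireshark's matches operator. The strings and host names are constructed test data; ws_matches and keep are helpers written for this example, not Wireshark functions.

```python
# Added example (not from the course): the notes' regular expressions run
# through Python's re module, case-insensitive by default like Wireshark's
# "matches" operator. All inputs are constructed.
import re


def ws_matches(pattern, text, case_sensitive=False):
    """Approximate `field matches "pattern"`: an unanchored regex search that
    ignores case unless asked not to (in Wireshark, put (?-i) in the pattern)."""
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.search(pattern, text, flags) is not None


def keep(pattern, candidates, **kw):
    """Return the candidates a pattern would keep in the packet list."""
    return [c for c in candidates if ws_matches(pattern, c, **kw)]


# "." is any single character, so he..o is far looser than it looks.
GREETINGS = ("hello", "heLLo", "he87o", "he&@o", "heo", "he..o")


def dot_any_char():
    return keep(r"he..o", GREETINGS)        # everything except "heo"


def dot_literal():
    return keep(r"he\.\.o", GREETINGS)      # only the literal "he..o"


# A signature that drifts between variants: probando / probendo / prob-ndo.
VARIANTS = ("probandoprobandoprobando", "probendo", "prob-ndo", "probundo",
            "margarita", "MARGARITA", "tequila")


def signature_fixed():
    return keep(r"probando", VARIANTS)


def signature_class():
    return keep(r"prob[-ae]ndo", VARIANTS)


def signature_alternation():
    return keep(r"(prob[-ae]ndo|margarita)", VARIANTS)


# TLD check on http.host: without an anchor ".ru" also matches inside ".runnersworld".
HOSTS = ("support.runnersworld.com", "mail.example.ru", "www.example.cn", "example.kp.org")


def tld_unanchored():
    return keep(r"\.(ru|cn|kp)", HOSTS)


def tld_anchored():
    return keep(r"\.(ru|cn|kp)$", HOSTS)


def case_demo():
    """Wireshark-style default (case-insensitive) vs strict matching of 'word'."""
    return ws_matches("word", "PassWORD"), ws_matches("word", "PassWORD", case_sensitive=True)


if __name__ == "__main__":
    for fn in (dot_any_char, dot_literal, signature_fixed, signature_class,
               signature_alternation, tld_unanchored, tld_anchored, case_demo):
        print(f"{fn.__name__:22} -> {fn()}")
```

tld_anchored is the filter you actually want for "hosts in .ru/.cn/.kp": the $ anchor ties the match to the end of the field, so runnersworld.com and example.kp.org fall out, and MARGARITA survives the alternation only because matching is case-insensitive by default.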