
Using Wireshark filters

If you're not familiar with Wireshark, then you'll soon find out how powerful and effective this tool can be. Wireshark is a free, open-source packet analyzer. It can be used to troubleshoot networking issues and to hunt down malicious activity. Essentially every frame that passes through the interface you capture on can be recorded and written to a single capture file. We can then take our time analyzing that data, using filters to narrow down our search. As of writing this book, the current version of Wireshark is 2.2.2, but always make sure that yours is up to date:

  1. When you launch Wireshark, you should see the following screen. You will need to select the interface you want to capture on, depending on whether you use an Ethernet or a wireless connection. I am connected via Wi-Fi, so that is what I choose. Yours may be named differently, but for now go ahead and select the one with the most traffic, which you can see from the small activity graph next to the interface name. The more traffic there is, the more peaks the line will have:
  2. Once selected, go ahead and click on the blue shark fin button at the top left corner to start capturing. You should then see something like this:

As you can see, there is a lot of information to decipher, but Wireshark organizes it so that you don't waste time searching. Let's inspect the source IP address of the selected packet. We can see that it has an address of 192.168.0.123; in binary this is 11000000 10101000 00000000 01111011, because an IPv4 address is 32 bits long, written as four 8-bit octets separated by dots. Use the following chart to help:

-------------------------------------------------------

Bit weight:   128   64   32   16    8    4    2    1

-------------------------------------------------------

192      =      1    1    0    0    0    0    0    0   (128 + 64)

168      =      1    0    1    0    1    0    0    0   (128 + 32 + 8)

0        =      0    0    0    0    0    0    0    0

123      =      0    1    1    1    1    0    1    1   (64 + 32 + 16 + 8 + 2 + 1)

-------------------------------------------------------

The source address is therefore 192.168.0.123, or 11000000.10101000.00000000.01111011 in binary.

In the packet bytes pane at the bottom of the window, the left column is the byte offset, the middle column shows the packet's raw bytes in hexadecimal, and the right column shows the same bytes as ASCII. Each hex digit encodes four bits, so one byte is written as two hex digits; 0 to 9 keep their value and the letters stand for 10 to 15:

A = 10 | B = 11 | C = 12 | D = 13 | E = 14 | F = 15

ASCII is a plain-text character encoding, so when messages or data are sent without encryption (an HTTP request, for instance), the ASCII column lets you read the payload directly. One handy feature worth pointing out: when you select a portion of the hex, the corresponding ASCII is highlighted as well, and selecting a field in the packet details pane highlights its bytes in both columns. This makes packet dissection much faster when paired with Wireshark's filtering options.
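To make the two conversions above concrete (the dotted-quad to binary chart, and the offset/hex/ASCII layout of the bytes pane), here is an added Python example; it is not code from the book or from Wireshark. It constructs a made-up Ethernet II / IPv4 / TCP frame whose source is 192.168.0.123 (the MAC addresses, ports and HTTP payload are invented and the checksums are left at zero, so a real capture would differ), prints it in the same offset/hex/ASCII form as the bytes pane, pulls the source-address field out of the raw bytes by its fixed header offset, and shows which bit weights from the chart add up to each octet.

```python
"""Added example (not from the book or Wireshark): decode an IPv4 source
address from raw frame bytes and render the bytes Wireshark-style."""
import struct

ETH_HEADER_LEN = 14       # dst MAC (6) + src MAC (6) + EtherType (2)
ETHERTYPE_IPV4 = 0x0800
IPV4_SRC_OFFSET = 12      # source address starts 12 bytes into the IPv4 header


def ipv4_to_binary(addr):
    """Return the four 8-bit binary strings of a dotted-quad IPv4 address."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("not a valid IPv4 address: %r" % addr)
    return ["{:08b}".format(o) for o in octets]


def set_bit_weights(octet):
    """Return the place values (128 .. 1) whose bit is set in an 8-bit value,
    i.e. the columns of the chart that add up to the octet."""
    return [w for w in (128, 64, 32, 16, 8, 4, 2, 1) if octet & w]


def build_sample_frame():
    """Constructed Ethernet II + IPv4 + TCP frame used as sample input.
    MACs, ports and payload are made up; checksums are left at 0."""
    payload = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
    # TCP: src port, dst port, seq, ack, data offset (5 words), flags PSH|ACK,
    # window, checksum (0), urgent pointer
    tcp = struct.pack("!HHIIBBHHH", 51234, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    tcp += payload
    # IPv4: version/IHL 0x45, DSCP 0, total length, id, flags DF, TTL 64,
    # protocol 6 (TCP), checksum (0), source, destination
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     64, 6, 0, bytes([192, 168, 0, 123]), bytes([192, 168, 0, 1]))
    eth = bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455")
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp


def ipv4_source_field(frame):
    """Locate the IPv4 source address in an Ethernet II frame.
    Returns (byte offset within the frame, the four raw bytes)."""
    if len(frame) < ETH_HEADER_LEN + 20:
        raise ValueError("frame too short for Ethernet + IPv4")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not IPv4: EtherType 0x%04x" % ethertype)
    if frame[ETH_HEADER_LEN] & 0x0F < 5:
        raise ValueError("bad IPv4 header length")
    offset = ETH_HEADER_LEN + IPV4_SRC_OFFSET
    return offset, frame[offset:offset + 4]


def ipv4_source(frame):
    """Dotted-quad form of the frame's IPv4 source address."""
    _, raw = ipv4_source_field(frame)
    return ".".join(str(b) for b in raw)


def hexdump(data, width=16):
    """Render bytes like Wireshark's packet-bytes pane: offset, hex, ASCII.
    Non-printable bytes are shown as '.', as Wireshark does."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hex_part = " ".join("%02x" % b for b in chunk)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("%04x   %-*s   %s" % (off, width * 3 - 1, hex_part, ascii_part))
    return lines


if __name__ == "__main__":
    frame = build_sample_frame()
    for line in hexdump(frame):
        print(line)
    offset, raw = ipv4_source_field(frame)
    addr = ipv4_source(frame)
    print("source IP at frame offset %d: hex %s -> %s" % (offset, raw.hex(), addr))
    for octet, bits in zip(addr.split("."), ipv4_to_binary(addr)):
        weights = " + ".join(str(w) for w in set_bit_weights(int(octet))) or "0"
        print("%s = %s = %s" % (bits, weights, octet))
```

Running the script prints the 91-byte frame six rows at a time, with the `GET / HTTP/1.1` payload readable in the ASCII column exactly as it would be in an unencrypted capture, and then reports that the source address sits at frame offset 26 (the 14-byte Ethernet header plus 12 bytes into the IPv4 header), which is the span Wireshark highlights in both the hex and ASCII columns when you click the source field. The last lines reproduce the chart, including the 64 + 32 + 16 + 8 + 2 + 1 breakdown for 123.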
