Promiscuous mode
Part 1 – Wireshark and traffic capture basics
Promiscuous mode:
A network interface card normally hands the operating system only the frames addressed to its own MAC address, plus broadcast and multicast frames. In promiscuous mode the card hands over every frame it receives, whatever the destination. Wireshark turns promiscuous mode on for the capture interface by default, so it records all packets the interface sees rather than only those meant for the capturing host. On a hub that is everything on the segment; on a switch it is only what the switch chooses to send to that port.
The Capture > Options dialog has a setting for name resolution of network-layer names. When it is enabled, Wireshark looks up the hostname for each IP address (a reverse DNS lookup) and shows that name in place of the address, which makes it easier to pick out the packets of a particular host. Those lookups generate DNS traffic of their own, which shows up in the capture and tells the DNS server which addresses you are looking at, so leave the option off when that matters.
Switch and hub
A switch operates at layer 2 of the OSI model (data link); a hub operates at layer 1 (physical). A switch offers functions such as port security and VLANs and connects many devices through separate ports; a hub has none of these. A hub repeats the incoming electrical signal, bit by bit, out of every other port, whereas a switch forwards whole frames based on their MAC addresses. Hubs are typically small (4 to 12 ports); a switch is a multiport bridge, commonly with 24 or 48 ports. A switch is an active device that makes a forwarding decision for every frame; a hub makes no decisions and simply repeats whatever it receives.
A switch keeps a table of the MAC address of every device connected to it, together with the port on which that address was seen. It can therefore send a frame only to the port where the destination lives, which decreases response time and reduces overall network traffic. Frames to the broadcast address, or to a MAC address the switch has not yet learned, are flooded out of all ports. For a packet sniffer this is the important consequence: promiscuous mode on a switch port only shows that port's own traffic plus broadcast and flooded frames, and to see another host's traffic you need a mirror (SPAN) port on the switch.
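The difference matters for a sniffer. The following simulation is added here as an example (it is not code from the original notes; the MAC addresses and frames are made up): it models a hub and a learning switch and reports which frames a promiscuous-mode capture on port 3 would receive while hosts on ports 1 and 2 talk to each other.

```python
# Hub versus learning switch: which frames reach a sniffer's port. Added example
# for these notes, not code from the original page; MAC addresses and frames
# are constructed, not captured.
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Hub:
    """Layer 1 device: every frame is repeated out of every other port."""

    def __init__(self, port_count):
        self.ports = set(range(1, port_count + 1))

    def forward(self, in_port, src, dst):
        return self.ports - {in_port}


class LearningSwitch(Hub):
    """Layer 2 device: learns src MAC -> port and forwards by dst MAC."""

    def __init__(self, port_count):
        super().__init__(port_count)
        self.mac_table = {}  # MAC address -> port (the table the notes describe)

    def forward(self, in_port, src, dst):
        self.mac_table[src] = in_port  # learn where the sender lives
        out = self.mac_table.get(dst)
        if dst == BROADCAST or out is None:  # broadcast or unknown unicast: flood
            return self.ports - {in_port}
        return set() if out == in_port else {out}  # known destination: one port only


def sniffer_view(device, frames, sniffer_port):
    """Indices of the frames a promiscuous-mode capture on sniffer_port receives."""
    return [i for i, (port, src, dst) in enumerate(frames)
            if sniffer_port in device.forward(port, src, dst)]


A, B = "08:00:27:01:54:56", "08:00:27:aa:bb:cc"  # hosts on ports 1 and 2; sniffer on port 3
FRAMES = [  # (ingress port, source MAC, destination MAC)
    (1, A, BROADCAST),            # 0 A's ARP request: who has B?
    (2, B, A),                    # 1 B's ARP reply
    (1, A, B),                    # 2 A -> B
    (2, B, A),                    # 3 B -> A
    (1, A, "08:00:27:00:00:0c"),  # 4 A -> a MAC the switch has never learned
]

if __name__ == "__main__":
    print("hub    sees", sniffer_view(Hub(3), FRAMES, 3))             # all five frames
    print("switch sees", sniffer_view(LearningSwitch(3), FRAMES, 3))  # only the flooded ones
```

On the hub the sniffer receives all five frames. On the switch it receives only frame 0 (the broadcast ARP request) and frame 4 (a destination the switch has never learned, so it floods); the reply and the two data frames are delivered to ports 1 and 2 alone, which is exactly why a capture on a switched network looks so quiet without a mirror port.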
Port Number

Protocol        Port number
FTP Data        20
FTP Control     21
SSH             22
HTTP            80
NTP             123

These are the registered default ports. A service can be run on any port, so the port number is only a hint about the protocol; Wireshark's dissection of the packet contents is the real evidence.
SMTP uses port 25 for exchanging mail between mail servers (Simple Mail Transfer Protocol).
HTTPS uses port 443. It provides the same functionality as HTTP over a connection protected by SSL/TLS, so Wireshark shows encrypted TLS records rather than the HTTP request unless it is given the session keys.
POP3 uses port 110 to retrieve mail from a server.
SNMP uses ports 161 (queries sent to the agent) and 162 (traps sent to the manager). It is the Simple Network Management Protocol, used for network administration.
IMAP uses port 143 to retrieve mail from a server.
DHCP uses ports 67 (server) and 68 (client). It assigns IP addresses to hosts on a network dynamically.
Part 2 – Capture filters
BPF qualifiers
A BPF primitive is one or more qualifiers followed by a value (an address, network, port or name). There are three kinds of qualifier:
Type – says what kind of value follows: host, net, port or portrange (for example host 192.168.1.11, net 192.168.1.0/24, port 53). If no type is given, host is assumed.
Dir – restricts the transfer direction: src, dst, src or dst, src and dst (for example src host 192.168.1.11 matches only packets sent by that address). If no direction is given, src or dst is assumed.
Proto – limits the match to a specific protocol: ether, ip, ip6, arp, tcp, udp, icmp (for example udp port 53). Without a protocol qualifier all protocols consistent with the type are matched, so port 53 matches both TCP and UDP.
Documenting the 3 logical operators for combining primitives

Operation name   Description   Example
and (&&)         Logical AND   ip.src == 10.0.0.5 and tcp.flags.fin
or (||)          Logical OR    ip.src == 10.0.0.5 or ip.src == 192.1.1.1
xor (^^)         Logical XOR   tr.dst[0:3] == 0.6.29 xor tr.src[0:3] == 0.6.29

The examples above are written in Wireshark display-filter syntax (they use field names such as ip.src and tr.dst). A BPF capture filter combines primitives with and (&&), or (||) and not (!) only; there is no xor, and the primitives are host, net and port expressions, for example src host 10.0.0.5 and tcp.
Capturing traffic from/to another machine
Capture traffic between two computers:
capture filter: host 192.168.1.11 and host 192.168.2.21
display filter: ip.addr == 192.168.1.11 && ip.addr == 192.168.2.21
Using a MAC address:
capture filter: host 192.168.1.11 and ether dst 08:00:27:01:54:56
display filter: ip.addr == 192.168.1.11 && eth.dst == 08:00:27:01:54:56
Capture packets from a remote IP address (host and ip.addr match packets in both directions; use src host or ip.src for packets sent by that address only):
capture filter: host 192.168.2.21
display filter: ip.addr == 192.168.2.21
Capture only ICMP:
icmp (the same keyword works as a capture filter and as a display filter)
[Figure: the captured ICMP packets]
Excluding particular network traffic
Capture broadcast traffic only: broadcast (short for ether broadcast, frames sent to ff:ff:ff:ff:ff:ff)
Exclude broadcast traffic: not broadcast
Capture all traffic from a range of network addresses but exclude broadcast traffic:
net <network address>/<prefix length> and not broadcast, for example net 192.168.1.0/24 and not broadcast
Using port numbers in capture filters
DNS traffic: port 53 (matches TCP or UDP in either direction; udp port 53 narrows it to UDP)
DNS traffic being sent from your machine: src host 192.168.1.11 and port 53 (substitute your own IP address)
DHCP traffic in either direction: port 67 or port 68
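To see how the qualifiers, the operators and the filters above fit together, here is a small matcher for a subset of BPF capture-filter syntax, added as an example for these notes. It is not Wireshark or libpcap code, and the packets it runs over are constructed dicts rather than a real capture (the bcast flag stands in for an Ethernet broadcast destination); in practice the same filter strings go to Wireshark's capture filter box or to tcpdump. It implements the type, dir and proto qualifiers with their BPF defaults (host, src or dst, any protocol), the broadcast keyword, and and/or/not with libpcap's precedence.

```python
import ipaddress
import re

# Toy matcher for a subset of BPF capture-filter syntax (host/net/port, src/dst,
# protocol names, 'broadcast', and/or/not with libpcap precedence). Added example
# for these notes, not Wireshark/libpcap code; PACKETS are constructed, not captured.
PROTOS = {"ip", "tcp", "udp", "icmp"}
TYPES = {"host", "net", "port"}
OPS = {"and", "&&", "or", "||", "not", "!", "(", ")"}
PACKETS = [  # bcast=True marks a frame sent to the Ethernet broadcast address
    dict(proto="udp", src="192.168.1.11", dst="8.8.8.8", sport=51234, dport=53),                   # 0 DNS query
    dict(proto="udp", src="8.8.8.8", dst="192.168.1.11", sport=53, dport=51234),                   # 1 DNS reply
    dict(proto="tcp", src="192.168.1.11", dst="192.168.2.21", sport=40000, dport=22),              # 2 SSH
    dict(proto="icmp", src="192.168.2.21", dst="192.168.1.11"),                                    # 3 ping
    dict(proto="udp", src="0.0.0.0", dst="255.255.255.255", sport=68, dport=67, bcast=True),       # 4 DHCP discover
    dict(proto="udp", src="192.168.1.11", dst="192.168.1.255", sport=137, dport=137, bcast=True),  # 5 NetBIOS query
]

def tokenize(text):
    return re.findall(r"\(|\)|!|&&|\|\||[^\s()!]+", text)

def proto_ok(pkt, proto):  # no protocol qualifier, or 'ip', means any IPv4 packet
    return "src" in pkt if proto in (None, "ip") else pkt.get("proto") == proto

def make_matcher(proto, direction, qtype, value):
    """Predicate for one primitive such as 'src host 192.168.1.11'."""
    if qtype == "port":
        want, keys = int(value), ("sport", "dport")
        ok = lambda p, k: p.get(k) == want
    else:  # host (becomes a /32 network) or net (a prefix)
        want, keys = ipaddress.ip_network(value, strict=False), ("src", "dst")
        ok = lambda p, k: k in p and ipaddress.ip_address(p[k]) in want

    def match(pkt):
        s, d = ok(pkt, keys[0]), ok(pkt, keys[1])
        return proto_ok(pkt, proto) and {"src": s, "dst": d, "src or dst": s or d, "src and dst": s and d}[direction]
    return match

class Parser:
    def __init__(self, text):
        self.toks, self.i = tokenize(text), 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        self.i += 1
        return self.toks[self.i - 1]

    def binary(self, sub, words, combine):
        node = sub()
        while self.peek() in words:
            self.take()
            node = (lambda l, r: lambda p: combine(l(p), r(p)))(node, sub())
        return node

    def parse_or(self):
        return self.binary(self.parse_and, ("or", "||"), lambda a, b: a or b)

    def parse_and(self):
        return self.binary(self.parse_not, ("and", "&&"), lambda a, b: a and b)

    def parse_not(self):
        if self.peek() in ("not", "!"):
            self.take()
            inner = self.parse_not()
            return lambda p: not inner(p)
        if self.peek() == "(":
            self.take()
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        return self.parse_primitive()

    def parse_primitive(self):
        if self.peek() == "broadcast":  # BPF 'ether broadcast'; the 'ether' keyword is optional
            self.take()
            return lambda p: p.get("bcast", False)
        proto = self.take() if self.peek() in PROTOS else None
        direction = "src or dst"  # BPF default when no direction qualifier is given
        if self.toks[self.i:self.i + 3] in (["src", "or", "dst"], ["src", "and", "dst"]):
            direction = " ".join(self.take() for _ in range(3))
        elif self.peek() in ("src", "dst"):
            direction = self.take()
        qtype = self.take() if self.peek() in TYPES else None
        if self.peek() is None or self.peek() in OPS:  # bare protocol name such as 'icmp'
            if proto is None or qtype is not None:
                raise ValueError("primitive needs a value")
            return lambda p: proto_ok(p, proto)
        return make_matcher(proto, direction, qtype or "host", self.take())  # type defaults to host

def select(filter_text, packets=PACKETS):
    parser = Parser(filter_text)
    match = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError("unexpected token %r" % parser.peek())
    return [i for i, p in enumerate(packets) if match(p)]
```

select("port 53") keeps packets 0 and 1 (either direction, because no dir qualifier was given), select("src host 192.168.1.11 and port 53") keeps only the outgoing query, select("port 67 or port 68") keeps the DHCP discover, and select("net 192.168.1.0/24 and not broadcast") keeps the four unicast packets touching the subnet while dropping the NetBIOS broadcast. The parser is deliberately small; real BPF also has portrange, ether host, vlan, gateway and many other primitives.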