The Art of Capturing a TCP Handshake


As an information security geek, learning Wireshark is key to day-to-day operations in today's world. Wireshark lets you analyze a protocol or debug a network, and it lets you verify what you learned in theory by looking at the actual traffic on the wire.

Today, in this tutorial, we will not just learn what a TCP handshake is, we will capture one with Wireshark.

So What is TCP?

TCP stands for Transmission Control Protocol. It runs on top of IP and gives two hosts a reliable, ordered byte stream: every byte is numbered, the receiver acknowledges what it has received, and lost segments are retransmitted. Before any data can flow, both sides have to agree on their starting sequence numbers, and that is what the handshake is for.

And what is a TCP handshake?

 
As you can see in the image, there are two hosts, Tim and Lee. If Tim wants to talk to Lee, Tim first sends a SYN packet (hello) to Lee, carrying Tim's initial sequence number. If Lee is listening on that port, Lee returns a SYN/ACK packet: Lee's own initial sequence number plus an acknowledgment of Tim's (Tim's number + 1). Tim finally returns an ACK (acknowledgment) packet acknowledging Lee's number + 1. After this three-way handshake both sides know each other's sequence numbers and the conversation can start. If nothing is listening on the port, Lee answers with a RST instead, so you never see the second step.

Now that we know what a TCP handshake is, how do we see it in Wireshark?

1- Open Wireshark and select the interface your traffic is flowing through.

2- You will see a huge number of packets coming in and going out on that interface. Filter out the protocols you do not care about so the handshake is easier to spot. To do this, type !(quic) in the display filter bar at the top; you can add other protocols to the expression as well.

3- Now find the handshake. I noticed that the TCP [SYN] and [SYN, ACK] packets are shown with a grey background; that is Wireshark's default colouring rule for TCP SYN/FIN packets, so they stand out in the list. If you want to narrow it down further, the display filter tcp.flags.syn == 1 && tcp.flags.ack == 0 shows only the first packet of each handshake.



 
Right-click the selected packet, click Follow, then TCP Stream. Bang, you can now see the whole conversation on that connection. The three handshake packets carry no payload, so the stream view starts with the first data segment; since this connection is TLS, what you see is the encrypted conversation that follows the TCP handshake, not plaintext.



As I said earlier, the actual conversation starts after the third packet, the ACK, and you can clearly see that in the stream.

Here are some more useful Wireshark filters which I would like to share with you.

1. ip.addr == 10.0.0.1

Shows any packet with 10.0.0.1 as either the source or the destination.

2. ip.addr == 10.0.0.1 && ip.addr == 10.0.0.2

Shows only the conversation between the two IP addresses.

3. http or dns

Shows all HTTP and DNS packets.

4. tcp.port == 4000

Shows any TCP packet with 4000 as the source or destination port.

5. tcp.flags.reset == 1

Shows all TCP resets.

6. http.request

Shows all HTTP requests, not just GETs (POST, PUT and so on too). To see only GETs, use http.request.method == "GET".

7. tcp contains "traffic"

Shows all TCP packets whose TCP header or payload contains the bytes "traffic". Excellent when searching for a specific string or user ID, but note that it cannot match inside encrypted (TLS) payloads.

8. !(arp or icmp or dns)

Masks out ARP, ICMP, DNS, or whatever other protocols are background noise, so you can focus on the traffic of interest.

9. udp contains 33:27:58

Shows UDP packets containing the hex bytes 0x33 0x27 0x58 at any offset.

10. tcp.analysis.retransmission

Shows all retransmissions in the trace. Helps when tracking down slow application performance and packet loss.
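To tie the handshake explanation and the filter list together, here is an added example (my own code, not part of the original post). It builds the three-way handshake between Tim and Lee as raw Ethernet/IPv4/TCP frames, decodes the flags and sequence numbers the way Wireshark's TCP dissector shows them in the Info column, checks that each ACK really is the other side's number + 1, and writes the frames out as a .pcap you can open in Wireshark. The addresses, ports, initial sequence numbers and the "hello lee" payload are constructed for the example.

```python
"""Added example, not code from the original post: build a TCP three-way
handshake as raw frames, decode it like Wireshark does, and save a pcap.
Addresses, ports, ISNs and payload below are constructed sample values."""
import struct

TIM = ("10.0.0.1", 40000)      # client: sends the SYN (constructed)
LEE = ("10.0.0.2", 443)        # server: answers with SYN/ACK (constructed)
TIM_ISN, LEE_ISN = 1000, 5000  # initial sequence numbers (constructed)

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_frame(src, dst, seq, ack, flags, payload=b""):
    """Ethernet II + IPv4 (no options) + TCP (no options).  Checksums are
    left as 0; Wireshark only flags that if checksum validation is enabled."""
    tcp = struct.pack("!HHIIBBHHH", src[1], dst[1], seq, ack,
                      5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src[0].split(".")),
                     bytes(int(o) for o in dst[0].split(".")))
    eth = bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + b"\x08\x00"
    return eth + ip + tcp


def parse_frame(frame):
    """Return (src, dst, seq, ack, flags, payload) from an Ethernet frame."""
    ihl = (frame[14] & 0x0F) * 4
    src_ip = ".".join(str(b) for b in frame[26:30])
    dst_ip = ".".join(str(b) for b in frame[30:34])
    tcp = frame[14 + ihl:]
    sport, dport, seq, ack, off, flags = struct.unpack("!HHIIBB", tcp[:14])
    return (src_ip, sport), (dst_ip, dport), seq, ack, flags, tcp[(off >> 4) * 4:]


def flag_names(flags):
    """Same text Wireshark puts in the Info column, e.g. '[SYN, ACK]'."""
    order = ((FIN, "FIN"), (SYN, "SYN"), (RST, "RST"), (PSH, "PSH"), (ACK, "ACK"))
    return "[" + ", ".join(name for bit, name in order if flags & bit) + "]"


def find_handshakes(frames):
    """Replay frames in capture order and return each completed handshake as
    (client, server, client_isn, server_isn).  Each ack must be exactly the
    peer's isn + 1: a SYN consumes one sequence number even though it carries
    no data, which is why the byte stream only starts after the third packet."""
    pending = {}    # (client, server) -> client isn, SYN seen
    synacked = {}   # (client, server) -> (client isn, server isn)
    done = []
    for frame in frames:
        src, dst, seq, ack, flags, _ = parse_frame(frame)
        if flags & SYN and not flags & ACK:                 # step 1: SYN
            pending[(src, dst)] = seq
        elif flags & SYN and flags & ACK:                   # step 2: SYN/ACK
            isn = pending.pop((dst, src), None)
            if isn is not None and ack == isn + 1:
                synacked[(dst, src)] = (isn, seq)
        elif flags & ACK and (src, dst) in synacked:        # step 3: ACK
            cisn, sisn = synacked[(src, dst)]
            if seq == cisn + 1 and ack == sisn + 1:
                done.append((src, dst, cisn, sisn))
                del synacked[(src, dst)]
    return done


def sample_capture():
    """Handshake, then one data segment from Tim so that 'Follow TCP Stream'
    has something to show after the third packet.  Constructed sample data."""
    return [
        build_frame(TIM, LEE, TIM_ISN, 0, SYN),
        build_frame(LEE, TIM, LEE_ISN, TIM_ISN + 1, SYN | ACK),
        build_frame(TIM, LEE, TIM_ISN + 1, LEE_ISN + 1, ACK),
        build_frame(TIM, LEE, TIM_ISN + 1, LEE_ISN + 1, PSH | ACK, b"hello lee"),
    ]


def pcap_bytes(frames):
    """Classic libpcap format: 24-byte global header (LINKTYPE_ETHERNET = 1)
    followed by a 16-byte record header before each frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000, i * 1000, len(frame), len(frame))
        out += frame
    return out


if __name__ == "__main__":
    frames = sample_capture()
    for n, frame in enumerate(frames, 1):
        src, dst, seq, ack, flags, payload = parse_frame(frame)
        print(f"{n}  {src[0]}:{src[1]} -> {dst[0]}:{dst[1]}  {flag_names(flags)}"
              f"  Seq={seq} Ack={ack} Len={len(payload)}")
    print("handshakes:", find_handshakes(frames))
    with open("handshake.pcap", "wb") as f:
        f.write(pcap_bytes(frames))
```

Open the resulting handshake.pcap in Wireshark and try the filters above: ip.addr == 10.0.0.1 && ip.addr == 10.0.0.2 keeps the whole conversation, tcp.flags.syn == 1 && tcp.flags.ack == 1 isolates the SYN/ACK, and tcp contains "hello" matches only the fourth frame. Wireshark shows relative sequence numbers by default (Seq=0, Ack=1 on the third packet); the script prints the raw values so the isn + 1 relationship is visible.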

This article is published with the help of DevOps Engineer "Sameed Shoaib".

