Wireshark CheatSheet (and nslookup/aircrack at end)

#wireshark #networking #ip #tcp #udp #arp #http #dns #aircrack #nslookup #cheatsheet #UofTBootCamp


General

!(arp or icmp or dns) exclude the listed protocols (negate any filter the same way)
udp contains xx:xx:xx match UDP payloads that contain the given hex byte sequence at any offset

Search by string/regex/hex value: Edit > Find Next > Select your Filter/Search Input


802.11

Wireshark beacon filter: wlan.fc.type_subtype == 0x08
Wireshark broadcast filter: eth.dst == ff:ff:ff:ff:ff:ff
Wireshark multicast filter: (eth.dst[0] & 1) (tests the group bit of the destination MAC, so broadcast matches too)


ARP

arp.opcode == 1 for requests
arp.opcode == 2 for responses

Operation code params: https://www.iana.org/assignments/arp-parameters/arp-parameters.xhtml#arp-parameters-1


DNS

queries: dns.flags.response == 0
responses: dns.flags.response == 1

errors (response code):
dns.flags.rcode == 0 no error
dns.flags.rcode != 0 any response whose query was not resolved successfully
dns.flags.rcode == 3 no such name (NXDOMAIN)

examples
dns.a
dns.cname
dns.qry.name == example.com
dns.resp.name == example.com
dns.resp.name == example.com and dns.time > 0.01
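The dns.flags.response, dns.flags.rcode and dns.qry.name filters above all test bits and fields of the 12-byte DNS header and the question section. The following is an added example (not part of this cheat sheet) that builds constructed DNS messages and parses those same fields, so you can see exactly what each filter matches; the message builder, the field names and the sample names are assumptions for illustration.

```python
import struct

# Response-code names as Wireshark displays them for dns.flags.rcode
RCODE_NAMES = {0: "NoError", 1: "FormErr", 2: "ServFail", 3: "NXDomain", 4: "NotImp", 5: "Refused"}

def encode_name(name):
    """Encode a dotted name into DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_dns_message(txid, response, rcode, qname, qtype=1):
    """Build a minimal DNS message (header + one question).
    Constructed sample data for the example, not a captured packet."""
    qr = 1 if response else 0
    # QR(15) | opcode(11-14)=0 | AA(10)=0 | TC(9)=0 | RD(8)=1 | RA(7)=qr | Z(4-6)=0 | RCODE(0-3)
    flags = (qr << 15) | (1 << 8) | (qr << 7) | (rcode & 0xF)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    return header + question

def decode_name(data, offset):
    """Decode a wire-format name at offset; returns (name, next_offset)."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if (length & 0xC0) == 0xC0:        # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            name, _ = decode_name(data, ptr)
            labels.append(name)
            return ".".join(labels), offset + 2
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length

def parse_dns(data):
    """Parse the header and the first question of a DNS message."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", data[:12])
    qname = ""
    if qdcount:
        qname, _ = decode_name(data, 12)
    return {
        "id": txid,
        "response": bool((flags >> 15) & 1),   # the bit dns.flags.response tests
        "rcode": flags & 0xF,                  # the field dns.flags.rcode tests
        "qry_name": qname,                     # the name dns.qry.name matches
        "qdcount": qdcount,
        "ancount": ancount,
    }

def classify(data):
    """Label a message the way the cheat-sheet filters would select it."""
    fields = parse_dns(data)
    if not fields["response"]:
        return "query"
    return "response/" + RCODE_NAMES.get(fields["rcode"], "rcode%d" % fields["rcode"])

if __name__ == "__main__":
    # Constructed samples: a query, a clean response and an NXDOMAIN response
    for msg in (build_dns_message(0x1A2B, False, 0, "example.com"),
                build_dns_message(0x1A2B, True, 0, "example.com"),
                build_dns_message(0x3C4D, True, 3, "nosuch.example.com")):
        print(classify(msg), parse_dns(msg)["qry_name"])
```

A burst of "response/NXDomain" answers for names under one domain is the same thing the dns.flags.rcode == 3 filter surfaces in Wireshark; parsing the header yourself is useful when you need to apply that test outside the GUI, for instance over a UDP payload pulled from a log.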


HTTP

http.request.method == "GET"
http.request.method == "POST"
ip.addr == 93.184.216.34 and http.request.method == "GET"


IP

ip.addr == <ip>
ip.dst == <ip>
ip.src == <ip>
!(ip.addr == <ip>)
range: ip.addr >= 10.10.50.1 and ip.addr <= 10.10.50.100
multiple: ip.addr == <ip> and ip.addr == <ip>
subnet: ip.addr == 10.10.50.1/24
port: tcp.port == 25 or tcp.dstport == 23
ip and port: ip.addr == <ip> and tcp.port == 25 (field names are case-sensitive)


TCP

handshake: SYN, SYN/ACK, ACK
tcp.flags.syn == 1 && tcp.flags.ack == 0 to view only SYN
tcp.flags.syn == 1 && tcp.flags.ack == 1 to view only SYN/ACK replies
tcp.flags.syn == 0 && tcp.flags.ack == 1 to view only ACK

termination packets:
tcp.flags.fin == 1

look for open ports (an open port answers a SYN with SYN/ACK, a closed one with RST):
tcp.flags.syn == 1 && tcp.flags.ack == 1

display all TCP resets: (connection killed)
tcp.flags.reset==1

packets that contain a certain term in packet: tcp contains xxx

Follow a tcp stream:
tcp.stream eq X

Filter by seq num: tcp.seq == x

Detects push events for troubleshooting: tcp.flags.push == 1
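The TCP filters in this section all test bits of the flags byte, and tcp.stream groups both directions of a connection. As an added example (not part of the cheat sheet), the script below builds a small constructed capture, decodes the flags the same way tcp.flags.syn/ack/fin/reset do, groups segments into streams, and reports which streams completed the handshake, which were refused with RST, and which were left half-open with an unanswered SYN. Addresses, ports and the helper names are assumptions for illustration.

```python
import struct
from collections import defaultdict

# TCP flag bits (byte 13 of the header): the bits the tcp.flags.* filters test
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

def build_tcp_segment(sport, dport, seq, ack, flags):
    """Build a 20-byte TCP header with no options. Constructed test data:
    the window is fixed and the checksum is left as zero."""
    data_offset = 5 << 4   # header length of 5 x 32-bit words
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset, flags, 65535, 0, 0)

def parse_tcp_segment(data):
    """Decode the fixed part of a TCP header."""
    if len(data) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off, flags, win, csum, urg = struct.unpack("!HHIIBBHHH", data[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "hdr_len": (off >> 4) * 4, "flags": flags}

def flag_label(flags):
    """Same tests as the cheat-sheet filters (tcp.flags.syn/ack/fin/reset)."""
    if flags & RST:
        return "RST"
    if flags & FIN:
        return "FIN"
    if flags & SYN:
        return "SYN/ACK" if flags & ACK else "SYN"
    if flags & ACK:
        return "ACK"
    return "other"

def stream_key(src, sport, dst, dport):
    """Direction-independent key, similar to how tcp.stream groups segments."""
    return tuple(sorted([(src, sport), (dst, dport)]))

def handshake_report(packets):
    """packets: iterable of (src_ip, dst_ip, raw_tcp_header_bytes).
    Returns {stream_key: state}, state in established / reset / half-open / partial."""
    seen = defaultdict(set)
    for src, dst, raw in packets:
        seg = parse_tcp_segment(raw)
        seen[stream_key(src, seg["sport"], dst, seg["dport"])].add(flag_label(seg["flags"]))
    report = {}
    for key, labels in seen.items():
        if {"SYN", "SYN/ACK", "ACK"} <= labels:
            report[key] = "established"
        elif "RST" in labels:
            report[key] = "reset"
        elif labels == {"SYN"}:
            report[key] = "half-open"
        else:
            report[key] = "partial"
    return report

def sample_capture():
    """Constructed capture: a full handshake to port 80, a SYN to port 23
    refused with RST, and a SYN to port 25 that is never answered."""
    c, s = "10.10.50.7", "10.10.50.20"   # assumed client and server addresses
    return [
        (c, s, build_tcp_segment(40001, 80, 1000, 0, SYN)),
        (s, c, build_tcp_segment(80, 40001, 5000, 1001, SYN | ACK)),
        (c, s, build_tcp_segment(40001, 80, 1001, 5001, ACK)),
        (c, s, build_tcp_segment(40002, 23, 2000, 0, SYN)),
        (s, c, build_tcp_segment(23, 40002, 0, 2001, RST | ACK)),
        (c, s, build_tcp_segment(40003, 25, 3000, 0, SYN)),
    ]

if __name__ == "__main__":
    for key, state in handshake_report(sample_capture()).items():
        print(key, state)
```

Counting "half-open" and "reset" streams per source address is a quick way to spot a host sweeping ports on your network from a capture; in Wireshark the equivalent is to apply the SYN-only filter and look at Statistics > Conversations.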


nslookup

Syntax: nslookup -type=[record type] [domain] (for example -type=ns to look up name server records)

Option                  Description
-domain=[domain-name]   Change the default DNS name.
-debug                  Show debugging information.
-port=[port-number]     Specify the port for queries. The default port number is 53.
-timeout=[seconds]      Specify the time allowed for the server to respond.
-type=a                 View information about the DNS A address records.
-type=any               View all available records.
-type=hinfo             View hardware-related information about the host.
-type=mx                View Mail Exchange server information.
-type=ns                View Name Server records.
-type=ptr               View Pointer records. Used in reverse DNS lookups.
-type=soa               View Start of Authority records.

nslookup -type=txt <domain> shows TXT records, including SPF records


Aircrack-ng

Word lists for WPA
https://www.aircrack-ng.org/doku.php?id=faq#where_can_i_find_good_wordlists