

Network traffic analysis can be overwhelming. Even with a solid foundation, it's not unusual for a packet capture to contain so much data that it's difficult to get a sense of what's going on. Improving your analysis techniques can mean the difference between wasting hours on a challenge and solving it in five minutes.

This guide is aimed at players who have some networking experience:

- You should have at least some experience with Wireshark, enough to know the basic UI.
- You should understand how routing and IP addresses work.
- You should understand the client-server model.

If you don't yet meet these prerequisites, check out John's guide for newcomers.

Harder challenges tend to contain realistic packet captures, meaning that most of the packets will be unrelated to your task. Usually there will be some hint as to what sort of traffic you're after, and your first step should always be to filter out anything that's irrelevant. In an ideal scenario, you can start with some assumptions about what traffic you're after. For example, if the challenge pertains to an individual's interactions with a specific website, you can be fairly certain you're only looking for HTTP traffic on port 80; in that scenario it wouldn't make sense to include encrypted traffic, since you wouldn't be able to read it. If the questions instead ask which websites someone visited, you have to broaden your search a bit: you may need to include DNS (port 53) and HTTPS (port 443), since the DNS lookups and the server name in the TLS handshake are readable even when the page contents are not. Of course, you may find down the line that these assumptions are incorrect; perhaps there's a web server running on port 8080. Still, you should start your search with a reasonable set of assumptions, then broaden it if you're not able to find the answers you need.

If you're not sure exactly what protocol you're after, you may have to narrow down the list manually. For example, if you're after a document that someone printed, it could be travelling over LPD, IPP, or something else entirely. Wireshark does let you view statistics about which protocols were used (Statistics > Protocol Hierarchy), but I often find it helpful to filter out traffic protocol by protocol myself; this gives me a chance to look at a selection of packets from each protocol and get a sense of what might be relevant to the challenge.

To accomplish this, I'll start by viewing all packets, then filter out the protocols that account for the majority, typically HTTP, TLS (SSL), and DNS. I'll build up a display filter that looks like !tls && !http && !dns && !(tcp.port == 80), adding each term one at a time and looking at what remains after each step. Two details matter here. First, Wireshark's logical AND is && (or "and"); a single & is the bitwise operator, and equality is == rather than =. Second, the separate port term is not redundant: !http only removes packets the HTTP dissector claimed, so the bare TCP handshake and ACK segments of those same connections stay in view until you also exclude the port. In Wireshark versions before 3.0 the protocol filter was named ssl rather than tls.
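The protocol-by-protocol exclusion described above, as an added example that is not code from the original post. It runs the same loop you would do by hand in Wireshark over a constructed table of packet summaries (the PACKETS rows are made up for this example, in the shape of tshark -T fields output, and do not come from any real capture): count which protocol dominates, exclude it, look at what is left, and build the equivalent display filter string as you go. The function names (protocol_counts, build_exclusion_filter, exclude, peel) are this example's own.

```python
"""Protocol-by-protocol exclusion over packet summaries (added example).

PACKETS is constructed sample data shaped like the output of
  tshark -r capture.pcap -T fields -e frame.number -e _ws.col.Protocol \
         -e ip.src -e ip.dst -e tcp.port -e udp.port
It is not taken from any real capture.
"""
from collections import Counter

# (frame, Protocol column, src, dst, tcp ports, udp ports) -- constructed rows
PACKETS = [
    (1, "DNS", "10.0.0.5", "10.0.0.1", (), (51234, 53)),
    (2, "DNS", "10.0.0.1", "10.0.0.5", (), (53, 51234)),
    (3, "TCP", "10.0.0.5", "93.184.216.34", (49200, 80), ()),   # SYN, no HTTP payload yet
    (4, "TCP", "93.184.216.34", "10.0.0.5", (80, 49200), ()),   # SYN/ACK
    (5, "HTTP", "10.0.0.5", "93.184.216.34", (49200, 80), ()),  # GET
    (6, "HTTP", "93.184.216.34", "10.0.0.5", (80, 49200), ()),  # 200 OK
    (7, "TLS", "10.0.0.5", "142.250.80.46", (49201, 443), ()),  # Client Hello
    (8, "TLS", "142.250.80.46", "10.0.0.5", (443, 49201), ()),  # Server Hello
    (9, "TCP", "10.0.0.5", "10.0.0.9", (49202, 8080), ()),      # web server on a non-standard port
    (10, "HTTP", "10.0.0.5", "10.0.0.9", (49202, 8080), ()),
    (11, "IPP", "10.0.0.5", "10.0.0.20", (49203, 631), ()),     # a print job
    (12, "FTP", "10.0.0.5", "10.0.0.30", (49204, 21), ()),
]


def protocol_counts(packets):
    """Which protocols dominate, like Statistics > Protocol Hierarchy."""
    return Counter(p[1] for p in packets)


def build_exclusion_filter(protocols, extra_terms=()):
    """Render the Wireshark display filter '!a && !b && !(term)'.

    Protocol filter names are lower-case (tls, http, dns) and the logical
    AND is '&&'; a single '&' would be the bitwise operator."""
    terms = [f"!{name.lower()}" for name in protocols]
    terms += [f"!({term})" for term in extra_terms]
    return " && ".join(terms)


def exclude(packets, protocols, tcp_ports=()):
    """Apply the same exclusions locally.

    Drops rows whose dissected protocol is in `protocols` (what '!http'
    does) and any row touching one of `tcp_ports` (what '!(tcp.port == 80)'
    does). The port term is what removes the bare handshake/ACK segments
    that '!http' alone leaves behind."""
    excluded = {name.lower() for name in protocols}
    return [p for p in packets
            if p[1].lower() not in excluded
            and not any(port in tcp_ports for port in p[4])]


def peel(packets, rounds, skip=("TCP", "UDP")):
    """Exclude the most common remaining protocol one round at a time.

    Returns [(filter_string, remaining_rows), ...], one entry per round,
    mirroring the manual workflow of adding one '!proto' term and looking
    at what is left. Bare transport names are skipped: in Wireshark '!tcp'
    would remove every TCP-carried packet (HTTP, TLS, ...), not just the
    segments whose Protocol column reads TCP, so those are handled by port
    instead."""
    excluded, history, remaining = [], [], list(packets)
    for _ in range(rounds):
        candidates = [name for name, _ in protocol_counts(remaining).most_common()
                      if name not in skip]
        if not candidates:
            break
        excluded.append(candidates[0])
        remaining = exclude(remaining, excluded)
        history.append((build_exclusion_filter(excluded), remaining))
    return history


if __name__ == "__main__":
    for filt, left in peel(PACKETS, 3):
        print(f"{filt:28s} -> {[p[0] for p in left]} remain")
    final = build_exclusion_filter(["tls", "http", "dns"], ["tcp.port == 80"])
    print(final, "->", [p[0] for p in exclude(PACKETS, ["tls", "http", "dns"], tcp_ports=(80,))])
```

Running it shows the point of the port term: after !http && !dns && !tls the SYN and SYN/ACK of the port-80 connection (frames 3 and 4) are still listed, and only adding !(tcp.port == 80) clears them, leaving the 8080 connection, the print job and the FTP session to look at. Frame 10 disappears with !http even though it is on 8080, because the HTTP dissector claims that port by default, which is exactly the "web server on a non-standard port" case the text warns about.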
