Difficulty level : Beginner
In this lab i will show you how can we analyse network traffic in wireshark in linux system. You will learn to capture, inspect, and understand data packets moving across a network. Using Wireshark also learn to analyse traffic and find malicious things. Here, I designed some exercises to help beginner to learn step by step and clear basics of web traffic analysis. please go throgh each lab exercise and pratice them.
- basics understanding of ip addresses and protocols.
- knowledge of cammandline interface.
- understanding of OSI or TCP/IP layers.
- curiosity to learn and understand 😉 working.
- A computer running a Linux distribution(eg: kali linux,Ubuntu)
- internet to download neccessary files.
- Wireshark tool to be installed on linux machine.
- Update package list
sudo apt update- install Wireshark GUI tool.
sudo apt install wireshark- Add your user to the wireshark group to capture packets without root privileges
sudo usermod -aG wireshark $(whoami)- Log-out and log-in back in for the changes to take reflect.
Objective: Learn to capture live network traffic using Wireshark.
- Open Wireshark.
- Select the network interface to capture traffic from (e.g.,
eth0orwlan0). - Click the "Start Capturing Packets" button (blue shark fin).
- Perform some network activities (e.g., browsing the web).
- Stop the capture after a few minutes.
- Observe the captured packets in Wireshark’s main window.
Output: A list of captured packets with details such as source/destination IP, protocol, and length.
Objective: Use Wireshark filters to narrow down and focus on specific types of traffic.
- Start a new packet capture in Wireshark.
- In the filter bar, type
httpto display only HTTP traffic. - Click "Apply" to filter the results.
- Experiment with other filters like
tcp,ip.addr == <your_ip>, anddns. - Observe how the displayed packets change based on the applied filters.
Output: Filtered list of packets that match the criteria specified in the filter bar.
Objective: Examine HTTP packets to understand web traffic.
- Start a new packet capture in Wireshark.
- Open a web browser and visit a website.
- Stop the packet capture.
- Apply the
httpfilter to display only HTTP traffic. - Select an HTTP GET request packet and inspect its details in the packet details pane.
- Analyze the packet to understand the HTTP request headers and content.
Output: Detailed view of an HTTP GET request with headers and content.
Objective: Detect and analyze potential malicious traffic in a network capture.
- Download a sample pcap file containing malicious traffic from a reputable source (e.g., Wireshark sample captures).
- Open the pcap file in Wireshark.
- Apply filters to identify suspicious activities, such as
tcp.port == 4444(commonly used by malware). - Investigate the packets to determine the nature of the malicious activity.
- Document your findings and the indicators of compromise (IOCs).
Output: Identification of malicious packets and an understanding of their characteristics.
Objective: Extract and analyze files transferred over the network.
- Start a new packet capture in Wireshark.
- Download a file from the internet during the capture.
- Stop the packet capture.
- Apply the
httpfilter and locate the packets related to the file download. - Right-click on one of the packets and select "Follow" > "TCP Stream".
- Save the file from the TCP stream for further analysis.
Output: The extracted file from the network capture saved on your system.
These lab exercises are design to practice for beginners those who new to cybersecurity. i am sure that these exercises help you to understand wireshark basics in better way. If you find this lab useful, please star this repo and keep practicing. Your journey into network security starts here!🎉🎉🎉