```
ip.addr == x.x.x.x
ip.src_host == domain.any                    // resolved host name (needs name resolution enabled)
ip.src >= x.x.x.x && ip.src <= x.x.x.x       // address range (compare ip.src, not the string field ip.src_host)
!(ip.addr == x.x.x.x)                        // filter out address
ip.dst == x.x.x.x
ip.src == x.x.x.x
tcp.port == xxx
tcp.dstport == xxx
http.request.method == "GET"
http.host contains ".com"
```

```
icmp
arp
dns
kerberos
udp
tcp.port == 443   // HTTPS (there is no "https" filter name; use tls for the records themselves)
http
http2
smb
smb2
dhcp
tls
tls.app_data
tls.handshake
```
- Analyze → Follow TCP Stream
- Analyze → Expert Information
- Statistics → HTTP → Requests
- File → Export Objects → HTTP
- File → Export Objects → SMB
- Statistics → Resolved Addresses → (choose Hosts from dropdown)
- Ctrl + m (mark packet)
- Ctrl + g (go to packet)
Everything you need to know about decrypting TLS is explained thoroughly in the Wireshark wiki's TLS page and its page on using an SSL key log file.
Check for an ICMP flood attack with `icmp.type == 8` (echo requests); a flood shows up as a high rate of these packets, typically from one source.
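The same check done outside Wireshark, as an added example that is not from the original page: a small pure-Python parser applies the `icmp.type == 8` selector to constructed IPv4/ICMP frames and flags sources whose echo-request rate over the capture window exceeds a threshold (the 100 packets/second threshold, the one-second window and the sample addresses are assumptions).

```python
import struct
from collections import Counter

ECHO_REQUEST = 8  # same selector as the display filter icmp.type == 8
ECHO_REPLY = 0

def build_icmp_frame(src, dst, icmp_type, ident=1, seq=1):
    """Build a minimal IPv4 + ICMP echo frame (constructed sample, checksums left zero)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip_hdr + icmp

def parse_icmp(frame):
    """Return (src, dst, icmp_type) for an IPv4/ICMP frame, or None for anything else."""
    if len(frame) < 20 or frame[0] >> 4 != 4 or frame[9] != 1:  # not IPv4, or protocol != ICMP
        return None
    ihl = (frame[0] & 0x0F) * 4          # header length in bytes; ICMP type is the first byte after it
    src = ".".join(str(b) for b in frame[12:16])
    dst = ".".join(str(b) for b in frame[16:20])
    return src, dst, frame[ihl]

def echo_requests_per_source(frames):
    """Apply icmp.type == 8 and count echo requests per source address."""
    counts = Counter()
    for frame in frames:
        parsed = parse_icmp(frame)
        if parsed is not None and parsed[2] == ECHO_REQUEST:
            counts[parsed[0]] += 1
    return counts

def flood_suspects(frames, window_seconds, threshold_pps):
    """Sources whose echo-request rate over the capture window exceeds threshold_pps."""
    counts = echo_requests_per_source(frames)
    return sorted(src for src, n in counts.items() if n / window_seconds > threshold_pps)

# Constructed one-second sample: one noisy host, one normal ping, and echo
# replies (type 0) that icmp.type == 8 must ignore.
SAMPLE_FRAMES = (
    [build_icmp_frame("10.0.0.5", "10.0.0.1", ECHO_REQUEST, seq=i) for i in range(500)]
    + [build_icmp_frame("10.0.0.9", "10.0.0.1", ECHO_REQUEST, seq=i) for i in range(3)]
    + [build_icmp_frame("10.0.0.1", "10.0.0.5", ECHO_REPLY, seq=i) for i in range(500)]
)

if __name__ == "__main__":
    print(echo_requests_per_source(SAMPLE_FRAMES))                    # Counter({'10.0.0.5': 500, '10.0.0.9': 3})
    print(flood_suspects(SAMPLE_FRAMES, window_seconds=1.0, threshold_pps=100))  # ['10.0.0.5']
```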
Check out Wireshark GOAT
Example of pyshark:

```python
import time
import nest_asyncio
import pyshark

# pyshark drives tshark through asyncio; nest_asyncio lets this run inside an
# already-running event loop (for example a Jupyter notebook).
nest_asyncio.apply()


def live_capture(interface, timeout=60):
    """
    Live capture packets from the given interface and print the TLS ones.

    Args:
        interface (string): Network interface, e.g. "eth0".
        timeout (int, optional): Stop after this many seconds. Defaults to 60.
    """
    start = time.time()
    try:
        # tshark also writes the raw packets to output_file (pcapng format, despite the name).
        capture = pyshark.LiveCapture(
            interface=interface, output_file="output.log")
    except Exception as exc:  # tshark missing, no permission on the interface, ...
        print(f"Error: Cannot capture packets with Pyshark: {exc}")
        return

    for item in capture.sniff_continuously():
        # Only packets that carry a TLS layer (and an IPv4 layer) are printed;
        # pyshark raises AttributeError when a layer or field is absent.
        try:
            print(f"Item: {item.tls}")
            print(f"Record length: {item.tls.record_length}")
            print(f"Source: {item.ip.src} | Destination: {item.ip.dst}")
            print()
        except AttributeError:
            pass
        # The timeout is only checked when a packet arrives, so an idle
        # interface can keep this loop waiting longer than `timeout`.
        if timeout and time.time() - start > timeout:
            print("Error: Timeout occurred.")
            break
    capture.close()


if __name__ == "__main__":
    live_capture("eth0", timeout=60)
```