old notes

udp

#wireshark #networking #ip #tcp #udp #arp #http #dns #aircrack #nslookup #cheatsheet #UofTBootCamp


General

Exclude a set of protocols: !(arp or icmp or dns)

Match specific hex byte values at any offset in the UDP layer: udp contains xx:xx:xx (xx:xx:xx are the byte values you are looking for)

Search by string/regex/hex value: Edit > Find Next > Select your Filter/Search Input


802.11

Beacon frames: wlan.fc.type_subtype == 0x08

Broadcast frames: eth.dst == ff:ff:ff:ff:ff:ff

Multicast frames (low bit of the first destination byte set): (eth.dst[0] & 1) (note that this also matches broadcast, since ff:ff:ff:ff:ff:ff has that bit set)


ARP

requests: arp.opcode == 1

responses: arp.opcode == 2

Operation code params: https://www.iana.org/assignments/arp-parameters/arp-parameters.xhtml#arp-parameters-1


DNS

queries: dns.flags.response == 0

responses: dns.flags.response == 1

errors:

  • dns.flags.rcode == 0 no error
  • dns.flags.rcode != 0 the query could not be resolved correctly (any error code)
  • dns.flags.rcode == 3 no such name (NXDOMAIN)

examples:

  • dns.a (packets carrying an A record)
  • dns.cname (packets carrying a CNAME record)
  • dns.qry.name == example.com
  • dns.resp.name == example.com
  • dns.resp.name == example.com and dns.time > 0.01 (responses for that name that took longer than 10 ms)
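An added worked example (not part of these notes) showing what the DNS filters above actually test: it decodes raw DNS messages, pulls out the dns.flags.response, dns.flags.rcode and dns.qry.name fields, and pairs each response with its query by transaction ID the way Wireshark derives dns.time. The messages, transaction IDs and timestamps are constructed inline for the demo; the field names mirror the Wireshark ones but the parser is a stand-alone stdlib-only script.

```python
"""Added example: decode DNS messages, expose the fields used by the Wireshark
filters (dns.flags.response, dns.flags.rcode, dns.qry.name) and compute a
dns.time value by matching responses to queries. All data is constructed."""
import struct
from typing import Dict, List, Optional, Tuple

RCODE_NAMES = {0: "NoError", 1: "FormErr", 2: "ServFail", 3: "NXDomain", 5: "Refused"}


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"


def build_dns(txid: int, response: bool, rcode: int, qname: str,
              answer_ip: Optional[str] = None) -> bytes:
    """Construct a minimal DNS query or response for an A record, class IN."""
    flags = 0x0100                          # RD: recursion desired
    if response:
        flags |= 0x8000 | 0x0080            # QR: this is a response; RA: recursion available
    flags |= rcode & 0x0F                   # RCODE lives in the low 4 bits
    msg = struct.pack("!HHHHHH", txid, flags, 1, 1 if answer_ip else 0, 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)
    if answer_ip:                           # answer: pointer to qname at offset 12, A, IN, TTL, RDLENGTH 4
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
        msg += bytes(int(o) for o in answer_ip.split("."))
    return msg


def decode_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Read a (possibly compressed) name; return it and the offset just past it."""
    labels: List[str] = []
    while True:
        ln = msg[off]
        if ln == 0:
            return ".".join(labels), off + 1
        if (ln & 0xC0) == 0xC0:             # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(decode_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + ln].decode())
        off += 1 + ln


def parse_dns(msg: bytes) -> dict:
    """Extract the header and question fields the filters above refer to."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"dns.id": txid,
            "dns.flags.response": (flags >> 15) & 1,   # 0 = query, 1 = response
            "dns.flags.rcode": flags & 0x0F,           # 0 = no error, 3 = no such name
            "dns.qry.name": qname,
            "dns.qry.type": qtype,
            "dns.count.answers": an}


# Constructed capture: (timestamp in seconds, raw DNS message)
CAPTURE = [
    (0.000, build_dns(0x1A2B, False, 0, "example.com")),
    (0.004, build_dns(0x1A2B, True, 0, "example.com", "93.184.216.34")),
    (0.010, build_dns(0x3C4D, False, 0, "nosuch.example.com")),
    (0.150, build_dns(0x3C4D, True, 3, "nosuch.example.com")),   # NXDOMAIN, and slow
    (0.200, build_dns(0x5E6F, False, 0, "orphan.example.com")),  # never answered
]


def analyse(capture=CAPTURE) -> Tuple[List[dict], List[Tuple[int, str]]]:
    """Match responses to queries by (id, qname), which is how dns.time is derived.
    Returns the parsed responses (each with a dns.time) and the unanswered query keys."""
    pending: Dict[Tuple[int, str], float] = {}
    responses: List[dict] = []
    for ts, msg in capture:
        f = parse_dns(msg)
        key = (f["dns.id"], f["dns.qry.name"])
        if f["dns.flags.response"] == 0:
            pending[key] = ts
            continue
        f["dns.time"] = ts - pending.pop(key) if key in pending else None
        responses.append(f)
    return responses, sorted(pending)


def flag_problems(responses: List[dict], slow: float = 0.01) -> List[Tuple[str, str, Optional[float]]]:
    """Equivalent of 'dns.flags.rcode != 0 or dns.time > 0.01' over parsed responses."""
    out = []
    for r in responses:
        if r["dns.flags.rcode"] != 0 or (r["dns.time"] is not None and r["dns.time"] > slow):
            out.append((r["dns.qry.name"], RCODE_NAMES.get(r["dns.flags.rcode"], "?"),
                        round(r["dns.time"], 3) if r["dns.time"] is not None else None))
    return out


if __name__ == "__main__":
    resp, unanswered = analyse()
    for row in flag_problems(resp):
        print("problem:", row)
    print("unanswered queries:", unanswered)
```

The unanswered-query list is the part a display filter cannot give you directly: a query with no matching response never gets a dns.time, so filtering on dns.time alone silently drops it.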


HTTP

GET requests: http.request.method == GET

POST requests: http.request.method == POST

GET requests involving one host: ip.addr == 93.184.216.34 and http.request.method == GET


IP

either direction: ip.addr == <ip>

destination only: ip.dst == <ip>

source only: ip.src == <ip>

exclude a host: !(ip.addr == <ip>)

range: ip.addr >= 10.10.50.1 and ip.addr <= 10.10.50.100

conversation between two hosts: ip.addr == <ip> and ip.addr == <ip>

subnet: ip.addr == 10.10.50.1/24

port: tcp.port == 25 or tcp.dstport == 23

ip and port: ip.addr == <ip> and tcp.port == 25


TCP

handshake: SYN, SYN/ACK, ACK

  • tcp.flags.syn == 1 && tcp.flags.ack == 0 to view only SYN
  • tcp.flags.syn == 1 && tcp.flags.ack == 1 to view only SYN/ACK
  • tcp.flags.syn == 0 && tcp.flags.ack == 1 to view only ACK

termination packets: tcp.flags.fin == 1

look for open ports (an open port answers a SYN with SYN/ACK): tcp.flags.syn == 1 && tcp.flags.ack == 1

display all TCP resets (connection killed): tcp.flags.reset == 1

packets whose TCP layer contains a certain term: tcp contains xxx

Follow a tcp stream: tcp.stream eq X

Filter by seq num: tcp.seq == x

Detects push events for troubleshooting: tcp.flags.push == 1
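An added worked example (not from these notes) that applies the TCP filters above to raw packets: it decodes a minimal IPv4/TCP header, reproduces the tcp.flags.syn / ack / fin / reset / push fields, the tcp.seq and "tcp contains" checks, and numbers conversations the way tcp.stream does (first 4-tuple seen, either direction, gets stream 0). The capture is constructed inline: a completed handshake plus an HTTP request on port 80, and a SYN to port 23 answered by a RST; checksums are left as zero because nothing here verifies them.

```python
"""Added example: decode IPv4/TCP packets and evaluate the cheatsheet's TCP
filters (flag checks, 'tcp contains', tcp.seq, tcp.stream). All packets are
constructed inline."""
import struct
from typing import Dict, FrozenSet, List, Tuple

# Bit positions in the TCP flags byte, named like the Wireshark fields
FLAG_BITS = {"fin": 0x01, "syn": 0x02, "reset": 0x04, "push": 0x08, "ack": 0x10, "urg": 0x20}


def build_packet(src: str, sport: int, dst: str, dport: int, flags: int,
                 seq: int = 0, ack: int = 0, payload: bytes = b"") -> bytes:
    """Construct a minimal IPv4 header (IHL 5) + TCP header (data offset 5) + payload."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    return ip_hdr + tcp_hdr + payload


def parse_packet(raw: bytes) -> dict:
    """Return the fields the Wireshark filters name (ip.src, tcp.flags.syn, ...)."""
    ihl = (raw[0] & 0x0F) * 4
    tcp = raw[ihl:]                                   # the bytes 'tcp contains' searches
    sport, dport, seq, _ack, off_res, flags = struct.unpack("!HHIIBB", tcp[:14])
    fields = {
        "ip.src": ".".join(str(b) for b in raw[12:16]),
        "ip.dst": ".".join(str(b) for b in raw[16:20]),
        "tcp.srcport": sport, "tcp.dstport": dport, "tcp.seq": seq,
        "tcp": tcp, "tcp.payload": tcp[(off_res >> 4) * 4:],
    }
    for name, bit in FLAG_BITS.items():
        fields[f"tcp.flags.{name}"] = 1 if flags & bit else 0
    return fields


def classify(f: dict) -> str:
    """Label a segment the way the handshake filters above separate them."""
    if f["tcp.flags.reset"]:
        return "RST"
    if f["tcp.flags.syn"] and not f["tcp.flags.ack"]:
        return "SYN"
    if f["tcp.flags.syn"] and f["tcp.flags.ack"]:
        return "SYN/ACK"
    if f["tcp.flags.fin"]:
        return "FIN"
    if f["tcp.flags.push"]:
        return "PSH/ACK"
    return "ACK" if f["tcp.flags.ack"] else "OTHER"


def assign_streams(packets: List[dict]) -> List[int]:
    """Number conversations like tcp.stream: first 4-tuple seen (either direction) is 0, next is 1, ..."""
    streams: Dict[FrozenSet[Tuple[str, int]], int] = {}
    ids = []
    for f in packets:
        key = frozenset([(f["ip.src"], f["tcp.srcport"]), (f["ip.dst"], f["tcp.dstport"])])
        ids.append(streams.setdefault(key, len(streams)))
    return ids


CLIENT, SERVER = "10.10.50.5", "10.10.50.20"   # constructed addresses
CAPTURE = [
    build_packet(CLIENT, 40001, SERVER, 80, 0x02, seq=1000),                     # SYN
    build_packet(SERVER, 80, CLIENT, 40001, 0x12, seq=5000, ack=1001),           # SYN/ACK: port 80 open
    build_packet(CLIENT, 40001, SERVER, 80, 0x10, seq=1001, ack=5001),           # ACK
    build_packet(CLIENT, 40001, SERVER, 80, 0x18, seq=1001, ack=5001,
                 payload=b"GET /login HTTP/1.1\r\nHost: example.com\r\n\r\n"),  # PSH/ACK with data
    build_packet(CLIENT, 40002, SERVER, 23, 0x02, seq=2000),                     # SYN to telnet
    build_packet(SERVER, 23, CLIENT, 40002, 0x14, ack=2001),                     # RST/ACK: port 23 closed
    build_packet(SERVER, 80, CLIENT, 40001, 0x11, seq=5001, ack=1043),           # FIN/ACK
]


def run_filters(capture: List[bytes] = CAPTURE) -> dict:
    """Apply the cheatsheet's TCP filters; each entry lists the matching packet indexes."""
    p = [parse_packet(raw) for raw in capture]
    return {
        "labels": [classify(f) for f in p],
        "tcp.stream": assign_streams(p),
        "syn_only": [i for i, f in enumerate(p) if f["tcp.flags.syn"] == 1 and f["tcp.flags.ack"] == 0],
        "syn_ack (open ports)": [(i, f["tcp.srcport"]) for i, f in enumerate(p)
                                 if f["tcp.flags.syn"] == 1 and f["tcp.flags.ack"] == 1],
        "resets": [i for i, f in enumerate(p) if f["tcp.flags.reset"] == 1],
        "fin": [i for i, f in enumerate(p) if f["tcp.flags.fin"] == 1],
        "tcp contains login": [i for i, f in enumerate(p) if b"login" in f["tcp"]],
        "tcp.seq == 1001": [i for i, f in enumerate(p) if f["tcp.seq"] == 1001],
    }


if __name__ == "__main__":
    for name, matches in run_filters().items():
        print(f"{name:22} {matches}")
```

Note that the SYN/ACK list gives the responding port, which is what the "look for open port" filter is really after, and the RST from port 23 shows the closed-port case that the reset filter catches.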


nslookup

Syntax: nslookup -type=[record type] [domain] (e.g. -type=ns to look up name server records)

nslookup options:

  • -domain=[domain-name] Change the default DNS name.
  • -debug Show debugging information.
  • -port=[port-number] Specify the port for queries. The default port number is 53.
  • -timeout=[seconds] Specify the time allowed for the server to respond.
  • -type=a View information about the DNS A address records.
  • -type=any View all available records.
  • -type=hinfo View hardware-related information about the host.
  • -type=mx View Mail Exchange server information.
  • -type=ns View Name Server records.
  • -type=ptr View Pointer records. Used in reverse DNS lookups.
  • -type=soa View Start of Authority records.

nslookup -type=txt <domain> for SPF records


Aircrack-ng

  • syntax: aircrack-ng [.pcap file name]
  • Note: the Wireless Toolbar no longer exists under View; the decryption key is now entered in Wireshark > Preferences > Protocols > IEEE 802.11

Word lists for WPA https://www.aircrack-ng.org/doku.php?id=faq#where_can_i_find_good_wordlists