“Wireshark is the world’s foremost and widely-used network protocol analyzer. It lets you see what’s happening on your network at a microscopic level and is the de facto (and often de jure) standard across many commercial and non-profit enterprises, government agencies, and educational institutions.” Simply put, Wireshark is a great tool for network analysis, and it is used by IT professionals all around the world. Wireshark is heavily used by Security Analysts and Information Security professionals on a regular basis. I have worked in Security Operation Centres (SOCs) in different industries and I see Wireshark being used all the time, but the default Wireshark layout and view is not efficient for cyber investigations!

Based on the interesting, and in my opinion accurate, “Voice of the Analyst Study” report by the Cyentia Institute in 2017, analysts spend their time on 12 broad activities. Because of the many plates analysts have to keep spinning, they are only able to spend 25% of their time (on average) on real-time monitoring and triage. When investigating network traffic, you need to be able to find suspicious or malicious indicators very quickly. Typically you have 30 seconds to decide whether an alert is a true positive (investigate further) or a false positive (something has been flagged as malicious when it is not). There are hundreds of alerts to investigate, so analysts need to be quick!

Network flows are best understood by looking at particular fields. For example, in HTTP traffic the Host and User-Agent header fields and the request itself are important, and quickly finding the HTTP response and its Content-Type is key. The next section looks at configuring Wireshark to show the key fields in HTTP, HTTPS, DNS, Windows SMB and authentication traffic. I have been inspired by Brad Duncan’s work at Malware-Traffic-Analysis over the past 6 years and recommend you follow him on Twitter; I have borrowed heavily from his Wireshark setup. Thank you Brad.

To break down the process a bit more, we want to read packets with filters; this lets you digest the information much better. We will use gaia.cs. as our example case. Start capturing packets by clicking the start button from step 3, then enter gaia.cs. into any web browser, like Google Chrome, since we are testing how to connect to the server and how to read packets. Click on any of the tabs, then close the Gaia tab in Chrome. We will then stop capturing packets (step 3) to see what we have captured so far.

The first thing we want to know is whether we are connected to Gaia, and how can we tell that when all we see in Wireshark are numbers? We look for the IP address. IP (Internet Protocol) addresses are assigned to every device and server. To confirm we have the right address, open the command prompt and type “NSlookup gaia.cs. ” (Figure 6). This will give you your IP and Gaia’s IP. After confirming the IP address, we want to look it up in the capture, and the best way to do that is with filters. This makes it easier to be sure that we are talking to the right server.

Since the IP of Gaia is 128.119.254.12, we can start using filters. The first and most important filters are source filters and destination filters; they make the information easier to read and understand. To use source and destination filters, type “ip.src == Your IP” for the source IP and “ip.dst == IP destination” for the destination IP (left picture). We use these so we know that our computer is sending to the destination, and to get rid of all the other information that we do not need. You can see all destination IPs are 128.119.245.12.
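The two habits described above, narrowing a capture to one conversation with ip.src / ip.dst style filters and then reading the key HTTP fields (request line, Host, User-Agent, response status, Content-Type) as columns, modelled in a small Python script. This is an added example, not code from either post and not Wireshark's own filter engine: the filter grammar is a deliberately tiny subset of Wireshark's (ip.src, ip.dst, ip.addr, bare protocol names, !, &&, || and parentheses), the packet records and HTTP payloads are constructed by hand, the client address 10.0.0.5 and host www.example.com are hypothetical, and only the server address 128.119.245.12 is taken from the walkthrough.

```python
import re
from dataclasses import dataclass


@dataclass
class Packet:
    no: int
    src: str
    dst: str
    proto: str        # lowercase protocol name, like Wireshark's "http", "dns", "tcp"
    payload: str = ""  # application-layer text, if any


# --- Part 1: a tiny evaluator for ip.src / ip.dst style display filters ---
_TOKEN = re.compile(r"\s*(\(|\)|&&|\|\||==|!|[A-Za-z][A-Za-z0-9_.]*|[0-9][0-9.]*)")


def tokenize(expr):
    """Split a filter string into operators, field names, protocol names and IPs."""
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad filter near {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class _Parser:
    # Field name -> the packet values it compares against (ip.addr matches either side).
    FIELDS = {"ip.src": lambda p: [p.src], "ip.dst": lambda p: [p.dst],
              "ip.addr": lambda p: [p.src, p.dst]}

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def expr(self):  # a || b
        node = self.term()
        while self.peek() == "||":
            self.take()
            node = (lambda p, l=node, r=self.term(): l(p) or r(p))
        return node

    def term(self):  # a && b
        node = self.factor()
        while self.peek() == "&&":
            self.take()
            node = (lambda p, l=node, r=self.factor(): l(p) and r(p))
        return node

    def factor(self):  # !x, (x), field == value, or a bare protocol name
        tok = self.take()
        if tok == "!":
            inner = self.factor()
            return lambda p: not inner(p)
        if tok == "(":
            inner = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return inner
        if tok in self.FIELDS:
            op, value, getter = self.take(), self.take(), self.FIELDS[tok]
            if op != "==" or value is None:
                raise ValueError(f"expected '{tok} == <ip>'")
            return lambda p: value in getter(p)
        if tok is not None and re.fullmatch(r"[a-z]+", tok):
            return lambda p: p.proto == tok
        raise ValueError(f"cannot parse token {tok!r}")


def apply_filter(capture, expr):
    """Keep only the packets matching a display-filter string."""
    keep = _Parser(tokenize(expr)).parse()
    return [p for p in capture if keep(p)]


# --- Part 2: the HTTP fields an analyst reads first, as Wireshark-style columns ---
_REQ_LINE = re.compile(r"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/\d\.\d$")
_STATUS_LINE = re.compile(r"^HTTP/\d\.\d (\d{3}) ?(.*)$")


def http_columns(pkt):
    """Return request line, Host, User-Agent, status and Content-Type for an HTTP packet."""
    if pkt.proto != "http" or not pkt.payload:
        return None
    lines = pkt.payload.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    cols = {"no": pkt.no, "src": pkt.src, "dst": pkt.dst, "request": None,
            "host": None, "user_agent": None, "status": None, "content_type": None}
    if _REQ_LINE.match(lines[0]):
        cols["request"], cols["host"] = lines[0], headers.get("host")
        cols["user_agent"] = headers.get("user-agent")
    elif (m := _STATUS_LINE.match(lines[0])):
        cols["status"], cols["content_type"] = int(m.group(1)), headers.get("content-type")
    return cols


def triage_view(capture, expr):
    """Filter the capture, then produce one compact row per HTTP packet."""
    return [c for p in apply_filter(capture, expr) if (c := http_columns(p))]


# Constructed sample capture (hypothetical client and host; server IP from the walkthrough).
MY_IP, SERVER_IP = "10.0.0.5", "128.119.245.12"
CAPTURE = [
    Packet(1, MY_IP, "10.0.0.1", "dns", "A? www.example.com"),
    Packet(2, "10.0.0.1", MY_IP, "dns", "A www.example.com -> " + SERVER_IP),
    Packet(3, MY_IP, SERVER_IP, "tcp"),  # handshake, no payload
    Packet(4, MY_IP, SERVER_IP, "http", "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                                        "User-Agent: Mozilla/5.0 (constructed)\r\n\r\n"),
    Packet(5, SERVER_IP, MY_IP, "http", "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                                        "Content-Length: 13\r\n\r\n<html></html>"),
    Packet(6, "10.0.0.7", "10.0.0.9", "tcp"),  # unrelated chatter the filter should drop
    Packet(7, MY_IP, SERVER_IP, "http", "GET /download HTTP/1.1\r\nHost: www.example.com\r\n"
                                        "User-Agent: curl/8.0\r\n\r\n"),
    Packet(8, SERVER_IP, MY_IP, "http", "HTTP/1.1 200 OK\r\n"
                                        "Content-Type: application/octet-stream\r\n\r\n...."),
]

if __name__ == "__main__":
    for row in triage_view(CAPTURE, f"ip.addr == {SERVER_IP} && http"):
        print(row)
```

Running the script prints one row per HTTP packet in the conversation with the server, which is the same information the custom-column layout gives you in Wireshark: a request from a browser User-Agent answered with text/html, then a request from a different User-Agent answered with application/octet-stream, the kind of Content-Type change that is worth a second look during triage.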