Packet Sniffing Lab - Made easy.

Wireshark

Wireshark is one of the most powerful, widely used, and respected network protocol analyzers in the world. It is a free, open-source tool that lets you capture, inspect, and analyze packets as they move through a network in real time, a bit like putting a microscope on the traffic flowing through your computer or your whole network.

When data travels over a network, it does not move as one big chunk; it is split into small packets. Each packet carries a slice of data (part of an email, a file, or a web request) plus metadata (source and destination addresses, the protocols in use, and so on).

Wireshark lets you capture these packets and view their contents in an extremely detailed and structured way.
You can see:

  • The source and destination of every packet

  • Which protocol it used (HTTP, TCP, UDP, ARP, DNS, etc.)

  • The exact data payload being transferred

  • The timing of each packet (latency, retransmissions, etc.)

  • And even reconstruct entire conversations (like following a TCP stream or viewing full HTTP requests and responses)

Wireshark uses a packet capture library (libpcap on Linux and macOS, Npcap on Windows; the older WinPcap is no longer maintained) to read frames from your network interface card (NIC), normally in promiscuous mode so that it also sees frames not addressed to your host.
Once it captures those packets, it:

  1. Decodes them according to known protocol structures (e.g., Ethernet → IP → TCP → HTTP).

  2. Displays them in a human-readable form.

  3. Allows filtering, searching, and color-coding based on protocol or traffic type.

You can look at a live capture or open a previously saved capture file. Wireshark saves in pcapng by default and still reads the classic .pcap format; both are standard formats for sharing and analyzing network data.

Wireshark in Cybersecurity

In security operations and ethical hacking, Wireshark is invaluable:

  • You can spot malicious packets like ARP spoofing attempts, SYN floods, DNS exfiltration, or beaconing from infected hosts.

  • In incident response, it helps determine how a breach occurred, what data was exfiltrated, or what command-and-control (C2) traffic looks like.

  • During penetration testing, it can confirm whether your payloads are actually reaching the target or being dropped by a firewall.
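As an added example (not from the original post), here is how three of the patterns listed above can be spotted programmatically once packets have been decoded. The script runs over a constructed list of packet summaries, roughly what Wireshark's packet list shows (time, source, destination, protocol, flags); the addresses, timings, and thresholds are invented for illustration and are not from the lab.

```python
"""Added example: toy detectors for ARP spoofing, SYN floods, and beaconing,
run over constructed packet summaries (addresses and timings are made up)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed packet summaries, roughly what Wireshark's packet list shows.
PACKETS = [
    # ARP: the gateway 10.0.0.1 legitimately announces its MAC ...
    {"t": 0.0, "proto": "ARP", "src": "aa:aa:aa:aa:aa:01", "dst": "ff:ff:ff:ff:ff:ff",
     "sender_ip": "10.0.0.1", "sender_mac": "aa:aa:aa:aa:aa:01"},
    # ... and half a second later a second MAC claims the same IP (ARP spoofing).
    {"t": 0.5, "proto": "ARP", "src": "de:ad:be:ef:00:01", "dst": "ff:ff:ff:ff:ff:ff",
     "sender_ip": "10.0.0.1", "sender_mac": "de:ad:be:ef:00:01"},
    {"t": 1.0, "proto": "ARP", "src": "aa:aa:aa:aa:aa:05", "dst": "ff:ff:ff:ff:ff:ff",
     "sender_ip": "10.0.0.5", "sender_mac": "aa:aa:aa:aa:aa:05"},
    # A normal three-way handshake from 10.0.0.7 to the web server 10.0.0.10.
    {"t": 2.00, "proto": "TCP", "src": "10.0.0.7", "dst": "10.0.0.10", "dport": 80, "flags": "S"},
    {"t": 2.01, "proto": "TCP", "src": "10.0.0.10", "dst": "10.0.0.7", "dport": 50000, "flags": "SA"},
    {"t": 2.02, "proto": "TCP", "src": "10.0.0.7", "dst": "10.0.0.10", "dport": 80, "flags": "A"},
]
# Six bare SYNs from 10.0.0.66 within 30 ms that are never completed (SYN flood).
PACKETS += [{"t": 3.0 + i * 0.005, "proto": "TCP", "src": "10.0.0.66", "dst": "10.0.0.10",
             "dport": 80, "flags": "S"} for i in range(6)]
# 10.0.0.23 talks to 203.0.113.9:443 exactly every 60 s (beaconing) ...
PACKETS += [{"t": 10.0 + i * 60.0, "proto": "TCP", "src": "10.0.0.23", "dst": "203.0.113.9",
             "dport": 443, "flags": "PA"} for i in range(5)]
# ... while 10.0.0.7 browses 198.51.100.4 at human-looking, irregular intervals.
PACKETS += [{"t": t, "proto": "TCP", "src": "10.0.0.7", "dst": "198.51.100.4",
             "dport": 443, "flags": "PA"} for t in (12.0, 13.4, 40.9, 41.2, 95.7)]


def arp_spoof_candidates(packets):
    """IPs announced by more than one MAC: the signature of ARP spoofing."""
    macs_for_ip = defaultdict(set)
    for p in packets:
        if p["proto"] == "ARP":
            macs_for_ip[p["sender_ip"]].add(p["sender_mac"])
    return {ip: sorted(macs) for ip, macs in macs_for_ip.items() if len(macs) > 1}


def syn_flood_sources(packets, window_s=1.0, threshold=5):
    """Sources sending >= threshold bare SYNs (SYN set, ACK clear) to one
    destination inside window_s seconds without ever completing a handshake."""
    syns = defaultdict(list)
    completed = set()
    for p in packets:
        if p["proto"] != "TCP":
            continue
        if p["flags"] == "S":
            syns[(p["src"], p["dst"])].append(p["t"])
        elif "A" in p["flags"] and "S" not in p["flags"]:
            completed.add((p["src"], p["dst"]))
    flagged = {}
    for (src, dst), times in syns.items():
        if (src, dst) in completed:
            continue
        times.sort()
        # sliding window: any run of `threshold` SYNs that fits inside window_s
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window_s:
                flagged[src] = len(times)
                break
    return flagged


def beaconing_pairs(packets, min_packets=4, min_interval=5.0, max_jitter=0.1):
    """(src, dst) pairs whose inter-packet gaps are nearly constant (coefficient
    of variation <= max_jitter) and at least min_interval seconds apart: the
    regular check-in rhythm of C2 beaconing, unlike human browsing."""
    times = defaultdict(list)
    for p in packets:
        if p["proto"] == "TCP":
            times[(p["src"], p["dst"])].append(p["t"])
    hits = {}
    for key, ts in times.items():
        if len(ts) < min_packets:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg >= min_interval and pstdev(gaps) / avg <= max_jitter:
            hits[key] = round(avg, 1)
    return hits


if __name__ == "__main__":
    print("ARP spoofing:", arp_spoof_candidates(PACKETS))
    print("SYN flood:", syn_flood_sources(PACKETS))
    print("Beaconing:", beaconing_pairs(PACKETS))
```

The same checks map onto Wireshark itself: the display filter tcp.flags.syn == 1 && tcp.flags.ack == 0 isolates the bare SYNs of the flood case, and Wireshark's ARP dissector raises a duplicate-address expert warning for the spoofing case (filter arp.duplicate-address-detected). Beaconing has no single filter; it is usually found from Statistics > Conversations or with a script like this one.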

Demo

As always, if the tool is not installed, we need to get it first.


On Debian-based systems the package install shows a prompt about Dumpcap, the command-line packet capture program bundled with Wireshark. Think of it as the engine under the hood: dumpcap is the process that actually captures packets, while the Wireshark GUI handles display, decoding, and analysis.

The prompt asks whether non-superusers should be allowed to capture packets. Answering yes creates a wireshark group on your host and gives dumpcap the capture capabilities it needs, so that members of that group can sniff traffic without running the whole GUI as root. That is the recommended setup: Wireshark's dissectors parse untrusted data straight off the wire, so you want as little of it as possible running with root privileges.


For me, I am okay with running Wireshark with root privileges, so I am going to click No.



We are going to use the hackeme lab, which we run with Docker, and access it on the loopback address. We capture on the loopback interface simply because the other interfaces would be too noisy: with so much other traffic being generated, the lab's packets would be hard to find.

With the capture running on the loopback interface, we entered dummy credentials on the login portal and submitted the form, which sends an HTTP POST request. Wireshark catches it; selecting that packet and choosing Follow > HTTP Stream collects all the packets belonging to that conversation and shows them in one window as a single timeline.


In the Follow Stream window, choosing the client-to-server direction instead of the entire conversation cleans up the output. The username and password we typed are visible in clear text in the body of the POST. That is the point of the lab: the login form was submitted over plain HTTP, so anyone able to capture the traffic can read the credentials. Over HTTPS the same capture would show only encrypted TLS records, unless you also have the session keys (for example a browser's SSLKEYLOGFILE export loaded into Wireshark's TLS preferences).
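As an added example (not part of the original post or the lab), the script below does in code what the demo did by hand and what the "Ethernet -> IP -> TCP -> HTTP" decoding chain above describes: it builds a constructed classic pcap of the login POST on the loopback, peels each layer, reassembles the conversation by sequence number the way Follow > TCP Stream does, and pulls the form fields out of the POST body. The addresses, ports, sequence numbers, and credentials are all made up.

```python
"""Added example: decode a constructed pcap of an HTTP login POST and follow the
TCP stream in code. Addresses, ports, and credentials are invented."""
import socket
import struct
from collections import defaultdict
from urllib.parse import parse_qs

SYN, ACK, PSH = 0x02, 0x10, 0x08


def ipv4_header(src, dst, payload_len):
    # version 4, IHL 5, DF set, TTL 64, protocol 6 (TCP); checksum left 0 (not checked here)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                       64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))


def tcp_header(sport, dport, seq, ack, flags):
    # data offset 5 (20 bytes), window 65535, checksum and urgent pointer 0
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)


def frame(ts, src, sport, dst, dport, seq, ack, flags, payload=b""):
    """One pcap record. Linux exposes `lo` as Ethernet with zeroed MAC addresses."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = tcp_header(sport, dport, seq, ack, flags) + payload
    pkt = eth + ipv4_header(src, dst, len(tcp)) + tcp
    return struct.pack("<IIII", int(ts), int(ts % 1 * 1e6), len(pkt), len(pkt)) + pkt


# ---- constructed capture of the demo's POST /login on the loopback ----
CLIENT, SERVER = ("127.0.0.1", 51234), ("127.0.0.1", 8080)
REQ_HEAD = (b"POST /login HTTP/1.1\r\nHost: localhost:8080\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 34\r\n\r\n")
REQ_BODY = b"username=alice&password=hunter2%21"
RESP = b"HTTP/1.1 302 Found\r\nLocation: /home\r\nContent-Length: 0\r\n\r\n"
c, s = 1000, 5000  # initial sequence numbers
CAPTURE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join([
    frame(1.000, *CLIENT, *SERVER, c, 0, SYN),
    frame(1.001, *SERVER, *CLIENT, s, c + 1, SYN | ACK),
    frame(1.002, *CLIENT, *SERVER, c + 1, s + 1, ACK),
    # the body segment is recorded before the header segment on purpose:
    # stream reassembly has to reorder by sequence number, not by capture order
    frame(1.003, *CLIENT, *SERVER, c + 1 + len(REQ_HEAD), s + 1, PSH | ACK, REQ_BODY),
    frame(1.004, *CLIENT, *SERVER, c + 1, s + 1, PSH | ACK, REQ_HEAD),
    frame(1.010, *SERVER, *CLIENT, s + 1, c + 1 + len(REQ_HEAD) + len(REQ_BODY), PSH | ACK, RESP),
])


def parse_pcap(data):
    """Yield (linktype, frame_bytes) for each record of a classic little-endian pcap."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != 0xA1B2C3D4:
        raise ValueError("only classic microsecond little-endian pcap is handled here, not pcapng")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl, _orig = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield linktype, data[off:off + incl]
        off += incl


def decode_tcp(linktype, pkt):
    """Peel Ethernet (linktype 1) or BSD/macOS loopback (linktype 0) -> IPv4 -> TCP."""
    if linktype == 1 and pkt[12:14] == b"\x08\x00":
        ip = pkt[14:]
    elif linktype == 0:
        ip = pkt[4:]          # 4-byte address-family word instead of an Ethernet header
    else:
        return None
    if ip[0] >> 4 != 4 or ip[9] != 6:
        return None
    ihl, total = (ip[0] & 0xF) * 4, struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total]
    sport, dport, seq, _ack, doff, flags = struct.unpack("!HHIIBB", tcp[:14])
    return {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
            "sport": sport, "dport": dport, "seq": seq, "flags": flags,
            "payload": tcp[(doff >> 4) * 4:]}


def follow_streams(pcap_bytes):
    """Concatenate each direction's payload in sequence order: a simplified
    Follow > TCP Stream (no retransmission or overlap handling)."""
    streams = defaultdict(list)
    for linktype, pkt in parse_pcap(pcap_bytes):
        seg = decode_tcp(linktype, pkt)
        if seg and seg["payload"]:
            streams[(seg["src"], seg["sport"], seg["dst"], seg["dport"])].append((seg["seq"], seg["payload"]))
    return {k: b"".join(p for _, p in sorted(v)) for k, v in streams.items()}


def http_post_forms(pcap_bytes):
    """Return the decoded form fields of every urlencoded POST found in the capture."""
    found = []
    for (src, sport, dst, dport), data in follow_streams(pcap_bytes).items():
        if not data.startswith(b"POST "):
            continue
        head, _, body = data.partition(b"\r\n\r\n")
        request_line, *header_lines = head.decode("latin-1").split("\r\n")
        headers = {k.strip().lower(): v.strip() for k, v in (h.split(":", 1) for h in header_lines)}
        if not headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
            continue
        body = body[:int(headers.get("content-length", len(body)))]
        found.append({"client": f"{src}:{sport}", "server": f"{dst}:{dport}",
                      "path": request_line.split()[1],
                      "form": {k: v[0] for k, v in parse_qs(body.decode()).items()}})
    return found


if __name__ == "__main__":
    for hit in http_post_forms(CAPTURE):
        print(hit)  # the cleartext credentials, just as the lab showed them
```

Pointed at a real file saved from the lab (pcap, not pcapng, and captured on Linux `lo` or a macOS loopback), the same functions work unchanged. The interactive equivalent of the last step is the display filter http.request.method == "POST", and the command-line equivalent is tshark with -Y for the filter and -T fields -e http.file_data to print the body.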



