wireshark

Question 1

how to find ip address both way source and destination

Answer 1

ip.addr= xx.xx.xx.xx
ip.src == xx.xx.xx.xx
ip.dst=xx.xx.xx.xx

Question 2

how to find subnet

Answer 2

ip == xx.xx.xx.0/24

Question 3

what source and destination network

Answer 3

source is outgoing traffic
destination is incoming traffic

Question 4

how to find required port and in both ways

Answer 4

tcp.port== xx or udp.port ==xx
tcp.srcport==x or udp.srcport ==xx
tcp.dstport==x or udp.dstport==xx

Question 5

type of Application Level Protocol Filters

Answer 5

HTTP,HTTPS,DNS,DHCP,SMTP,POP3,IMAP,SNMP,Telent,SSH,RDP,SIP,BGP,LDAP,NFS,SMB,ICMP,MQTT,Kerberos,bootp,rdp,smb or smb2,websocket

Question 6

HTTP

Answer 6

http

Question 7

Capture HTTP Requests

Answer 7

http.request.method == “XXX”
we can use POST,GET,PUT,DELETE

Question 8

Capture Specific HTTP Response Codes

Answer 8

http.response.code ==XXX

Question 9

how to find hash (sha256,sha1and etc) value of the capture file?

Answer 9

statistics->capture file proprties

Question 10

how to search for specified string in packet examples(shash)

Answer 10

edit -> find packet

Question 11

how to find files within capture packet

Answer 11

file -> export objects (option : http,smp,tftp,DICOM,imf)

Question 12

apply it as a filter in Packet List Pane

Answer 12

select packet -> double click -> apply as filiter

Question 13

Statistics –> Resolved Addresses

Answer 13

hosts,ports,capture file comment information

Question 14

Statistic –> Conversations

Answer 14

ethernet, IPv4, IPv6, TCP and UDP.(show conversations event within capture pcap file)
Conversations focus on interactions between them.

Question 15

Statistics –> Endpoints

Answer 15

Ethernet, IPv4, IPv6, TCP and UDP only endpoints device traffic
Endpoints focus on single devices

Question 16

statistics ->ipv4 statistics

Answer 16

all ip addressess
destinations and ports
IP protocol type
source and destinations addressess traffic info

Question 17

statistics -> dns

Answer 17

all DNS packets from the capture file
DNS service’s overall usage, including rcode, opcode, class, query type, service and query stats

Question 18

statistics -> http

Answer 18

packet counter (count http request,response code)
requests (request by host )
load distribution ()
request sequences

Question 19

Search a value inside packets explane with question find all apache servers

Answer 19

contains
examples :http.server contains “Apache”

Question 20

Search a pattern of a regular expression. and examples Find all .php and .html pages.

Answer 20

matches
http.host matches “.(php|html)”

Question 21

Search a value or field inside of a specific scope and examples :Find all packets that use ports 80, 443 or 8080.

Answer 21

in
tcp.port in {80 443 8080}

Question 22

upper and lower

Answer 22

for uppercase use upper
lowercase use lower

Question 23

Convert a non-string value to a string.
Example Find all frames with odd numbers.

Answer 23

string(frame.number) matches “[13579]$”

output:
1
3
5
7
9
11
13
15
…

Question 24

tcp connect scan in wireshark

Answer 24

tcp.flags.syn==1 and tcp.flags.ack==0 and tcp.window_size > 1024

Question 25

SYN Scans

Answer 25

tcp.flags.syn==1 and tcp.flags.ack==0 and tcp.window_size <= 1024

Question 26

udp scan

Answer 26

icmp.type==3 and icmp.code==3

Question 27

only syn flag only ack flag

Answer 27

tcp.flags==2(only display syn flags) tcp.flags==16(only display ack flags)

Question 28

syn flag is set. The rest of the bits are not important. ACK flag is set. The rest of the bits are not important.

Answer 28

tcp.flags.syn == 1(display include flags like syn,ack.. tcp.flags.ack == 16 (display include flags like ack.rst,syn.ack..

Question 29

Only SYN, ACK flags.

Answer 29

tcp.flags == 18

Question 30

Only RST flag.

Answer 30

tcp.flags == 4

Question 31

RST flag is set. The rest of the bits are not important.

Answer 31

tcp.flags.reset == 1 (rst.ack

Question 32

RST and ACK are set. The rest of the bits are not important.

Answer 32

(tcp.flags.reset == 1) and (tcp.flags.ack == 1)

Question 33

arp requests

Answer 33

arp.opcode==1

Question 34

arp response

Answer 34

arp.opcode==2

Question 35

mac address

Answer 35

eth.addr

Question 36

source MAC and destination MAC address

Answer 36

eth.src eth.dst

Question 37

Possible ARP flooding from detection:

Answer 37

((arp) && (arp.opcode == 1)) && (arp.src.hw_mac == xx:xx:xx:xx:xx:xx)

Question 38

Possible ARP poisoning detection

Answer 38

arp.duplicate-address-detected

Question 39

dhcp

Answer 39

dhcp or bootp help assign Ip address in network

Question 40

dhcp request

Answer 40

dhcp.option.dhcp==3 contain information about hostname

Question 41

dhcp ack

Answer 41

dhcp.option.dhcp==5 accepted requested to assign Ip address

Question 42

dhcp nak

Answer 42

dhcp.option.dhcp==6 denied request to assign ip address

Question 43

to find hostname in dhcp traffic

Answer 43

dhcp.option.hostname contains "host_name "

Question 44

to find domain name in dhcp traffic

Answer 44

dhcp.option.domain_name contains "keyword"

Question 45

ftp response code

Answer 45

tp.response.code ==xxx

Question 46

Information request responses.

Answer 46

211: System status. 212: Directory status. 213: File status

Question 47

x2x series: Connection messages.

Answer 47

220: Service ready. 227: Entering passive mode. 228: Long passive mode. 229: Extended passive mode

Question 48

Authentication messages.

Answer 48

230: User login. 231: User logout. 331: Valid username. 430: Invalid username or password 530: No login, invalid password.

Question 49

to find which use

Answer 49

byb using ftp.request.command== "user" we can use "USER","PASS","CWD",LIST"

Question 50

List target username.

Answer 50

(ftp.response.code == 530) and (ftp.response.arg contains "username")

Question 51

List targets for a static password.

Answer 51

(ftp.request.command == "PASS" ) and (ftp.request.arg == "password")

Question 52

ftp arguments

Question 53

to find user-agent

Answer 53

http.user_agent contains"chrome" chrome,namp and etc

Question 54

how to find Hostname

Answer 54

http.host contains "name"

Question 55

Connection status.

Answer 55

http.connection == "Keep-Alive"