Mobile Malware threats and detection mechanism Rakib Amin Mehedee Zaman Tazrian Siddiqui Supervisor Dr. M Shohrab Hossain


Rakib Amin, Mehedee Zaman, Tazrian Siddiqui

Supervisor

Dr. M Shohrab Hossain

Presentation on

Wireshark’s Display Filter: How do we use it?

Rakib [email protected]

// Special Note

This is an implementation-based tutorial on Display Filters only (you should already be familiar with Wireshark). Most slides contain screenshots. For documentation, visit http://wiki.wireshark.org

Module 1

Understanding Captures

Screenshot of a .pcap file inside Wireshark showing a capture

Entering the filter string “http” lists all packets of the HTTP protocol.

The filter bar background turns red when an invalid (non-existent) filter string is entered.

Module 2.1

Creating Filter strings for Display Filters

Display filters let you compare the fields within a protocol against a specific value, compare fields against fields, and check the existence of specified fields or protocols.

Comparison operators: Fields can also be compared against values. The comparison operators can be expressed either through English-like abbreviations or through C-like symbols.

eq, == Equal

ne, != Not Equal

gt, > Greater than

lt, < Less than

ge, >= Greater than or Equal to

le, <= Less than or Equal to

All packets with frame length equal to 100

All packets with an HTTP “GET” request

Logical expressions: Tests can be combined using logical expressions. These too are expressible in C-like syntax or with English-like abbreviations:

and, && Logical AND

or, || Logical OR

not, ! Logical NOT

Example: tcp.port == 80 and ip.src == 192.168.2.1

All packets with TCP port 80 and source address 50.16.247.204
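The grammar the slides describe (both spellings of the comparison operators, and/or/not, contains, and a bare field or protocol name as an existence test) is small enough to implement directly. The evaluator below is an added example, not code from the slides or from Wireshark; it runs filter strings over a few constructed packet dictionaries that stand in for dissected fields, and the function names and sample packets are my own assumptions.

```python
import operator, re

PACKETS = [  # constructed stand-ins for dissected packets (field -> value), not a real capture
    {"frame.len": 100, "ip.src": "192.168.2.1", "tcp.port": 80, "http.request.method": "GET"},
    {"frame.len": 66, "ip.src": "192.168.2.1", "tcp.port": 443},
    {"frame.len": 100, "ip.src": "10.0.0.5", "tcp.port": 80, "http.response.phrase": "OK contacts"},
]
ALIAS = {"eq": "==", "ne": "!=", "gt": ">", "lt": "<", "ge": ">=", "le": "<=", "and": "&&",
         "or": "||", "not": "!", "contains": "contains"}  # English-like words -> C-like symbols
CMP = {"==": operator.eq, "!=": operator.ne, ">": operator.gt, "<": operator.lt, ">=": operator.ge,
       "<=": operator.le, "contains": lambda a, b: str(b) in str(a)}
TOKEN = re.compile(r'\s*(?:(==|!=|>=|<=|>|<|&&|\|\||!)|"([^"]*)"|([\w.:]+))')

def tokenize(expr):  # tokens are (kind, text): op, str (quoted value) or word (field/bare value)
    if TOKEN.sub("", expr).strip():  # leftover text the grammar cannot read: the red filter bar
        raise ValueError(f"bad filter: {expr!r}")
    toks = [("str", t) if t else ("op", ALIAS[w]) if w in ALIAS else ("word", w) if w else ("op", s)
            for s, t, w in TOKEN.findall(expr)]
    return toks + [("end", None)]

def parse(toks):  # recursive descent with Wireshark's precedence: not, then and, then or
    def term():
        tok = toks.pop(0)
        if tok == ("op", "!"): return ("not", term())
        if tok[0] != "word": raise ValueError(f"unexpected {tok[1]!r}")
        if toks[0][1] in CMP: return ("cmp", toks.pop(0)[1], tok[1], toks.pop(0)[1])
        return ("exists", tok[1])  # bare field or protocol name: an existence test
    def chain(sub, sym, kind):  # left-associative chain such as a && b && c
        node = sub()
        while toks[0] == ("op", sym):
            toks.pop(0); node = (kind, node, sub())
        return node
    tree = chain(lambda: chain(term, "&&", "and"), "||", "or")
    if toks[0] != ("end", None): raise ValueError(f"unexpected {toks[0][1]!r}")
    return tree

def matches(node, pkt):
    kind = node[0]
    if kind == "not": return not matches(node[1], pkt)
    if kind == "and": return matches(node[1], pkt) and matches(node[2], pkt)
    if kind == "or": return matches(node[1], pkt) or matches(node[2], pkt)
    if kind == "exists": return node[1] in pkt or any(k.startswith(node[1] + ".") for k in pkt)
    _, op, field, value = node
    if field not in pkt: return False  # an absent field never compares true, as in Wireshark
    if isinstance(pkt[field], int): value = int(value, 0)  # base 0 reads 100 and 0x8180 alike
    return CMP[op](pkt[field], value)

def apply_filter(expr, packets=PACKETS):  # indexes of the packets the display filter keeps
    tree = parse(tokenize(expr))
    return [i for i, p in enumerate(packets) if matches(tree, p)]
```

A bare protocol name such as http matches any packet with an http.* field, which is how "http or tcp" from the FUDF slides behaves; an unparsable string raises ValueError instead of silently matching nothing.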

/* Complete reference for creating filter strings */

In the menu bar: Help -> Manual Pages -> Wireshark Filter

or https://www.wireshark.org/docs/dfref/

A list of frequently used display filter strings is given in the FUDF (Frequently Used Display Filters) slides.

Module 2.2

Creating a new Display Filter inside Wireshark

In the menu bar: Analyze -> Display Filters...

Click the New button, type in the filter name and the filter string (using the syntax from the previous slides), and hit Enter.

In the Filter bar -> Expression… lets you browse the available expressions.

Select a field, a relation and a value, then hit OK.

The filter then appears in the Filter window as a filter string.

Module 3

Advanced Display Filters

Just select a packet, right-click a field, and you can apply that value as a filter (e.g. ip.src==10.128.223.139). Other options combine the value with the existing filter string by ANDing, ORing, AND-NOTing, etc.

Conversation Filter takes the selected addresses and filters the list down to only the packets of their conversation.

Bonus

Advanced Conversation

Another interesting thing you can do is right-click a packet and select Follow TCP Stream.

You’ll see the full conversation between the client and the server, and the capture window shows only those packets.

TCP Conversation: It is useful when we are looking for passwords in a Telnet stream, or are trying to make sense of a data stream. Wireshark will set an appropriate display filter and pop up a dialog box with all the data from the TCP stream laid out in order.

The stream content is displayed in the same sequence as it appeared on the network. Traffic from A to B is marked in red, while traffic from B to A is marked in blue.

Bonus

Add as a Column

Select a field in the packet details, right-click and choose Apply as Column to show it as a column in the packet list.

Bonus

I/O and Flow Graphs

Menu bar: Statistics -> I/O Graph

Statistics -> Flow Graph… with the filter A<->B or A<->C

where A, B and C are IP addresses

// Summary

We discussed –

Understanding Captures
Creating Filter strings for Display Filters
Creating a new Display Filter inside Wireshark
Advanced Display Filters

// Reference

I am indebted to –

CBT Nuggets: Wireshark with Keith Barker
http://wiki.wireshark.org
How-To Geek community.

Frequently Used Display Filters:

Filter string                                     Description
ip.src==8.8.8.8                                   Look for a specific source IP
http or tcp                                       Only HTTP/TCP packets
tcp.port==80                                      Look for packets through port 80
http.request.method == "GET"                      Only GET request packets
http.response.phrase contains "contacts"          Packets containing the word "contacts"
ip.opt.ohc < 10                                   Outbound hop counts < 10
bgp.nexthop == 8.8.8.8                            Border Gateway Protocol next hop search
ftp.active.port                                   Only active FTP client PORT
wlan.addr == 8.8.8.8                              Checks hardware address (IEEE 802.11)
dns.resp.type                                     DNS response type
udp.destport                                      UDP destination port
tcp.stream                                        All conversations
arp.dst.hw_mac                                    ARP target MAC address
udp.length == 37                                  Check UDP packet length
frame.time == "Aug 17, 2014 00:56:14.935620000"   Check frame arrival time
dns.flags == 0x8180                               DNS flag check (standard query response)
dns.resp.addr == 54.241.179.41                    DNS response address
ip.proto == 17/"udp"                              UDP/TCP protocol check (17 = UDP)
icmp.type == 3                                    Internet Control Message Protocol type (3 = dst. unreachable)
ssl.handshake.type == 1                           Secure Socket Layer handshake type (1 = Client Hello, 11 )

Thank you.