Sniffer Cheatsheet [ cheatsheet ]

Wireshark filters

https://www.comparitech.com/net-admin/wireshark-cheat-sheet/ https://www.hackers-arise.com/post/2018/09/27/network-forensics-part-2-detecting-and-analyzing-a-scada-dos-attack

Export file / object

File > Export Object

How many machines involve in the transactions

(Menu) Statistics > Contains

(Menu) Statistics > Ip v4 > Source & Destination

Source of DDOS

# Look for the machine with most packets / Bytes sent
(Menu) Statistics > Contains

(Menu) Statistics > Ip v4 > Source & Destination

How many packets exchanged

(Menu) Statistics > Conversations

Find DOS attack (SYN and ACK)

tcp.flags.syn == 1
tcp.flags.syn == 1 and tcp.flags.ack == 0

During FTP brute force, search for the successful attempt

# First list the ftp requests
tcp.port == 21

# Follow the stream 
# and if overwhelming info
# Only list the successful one
ftp.response.code == 230

Filter by IP address

ip.addr == x.x.x.x

Filter by IP address range

ip.addr >= IP_START_RANGE and ip.addr <= IP_END_RANGE

Display packets captured on the eth0 interface

interface == eth0

Filter by port

tcp.port == 80 or udp.port == 53

Display packets larger than 100 bytes

frame.len > 100

Filter by source or destination MAC address

eth.src == xx or eth.dst == yy

Display packets with a status code of 200

http.response.status_code == 200

Display packets with a GET method (POST, PUT, DELETE)

http.request.method == GET

Display DNS packets that have a domain name containing “example.com”

dns.qry.name contains 'example.com'

Display packets that have a URI containing “example.com”

http.request.uri contains 'example.com'

Display packets with a 404 response code

http.response.code == 404 

Display packets that contain a cookie with the name “sessionid”

http.cookie contains 'sessionid' 

Display packets with the SYN (ACK, RST, FIN, URG, or PSH) flag set

tcp.flags.syn == 1

Display packets with a TLS handshake type

tls.handshake.type == 1