Hi! Today we're going to start going deeper with Wireshark, which is a very useful and powerful tool. For network forensics with Wireshark, the first thing we'll learn is how to use capture filters.
Capture filters let you capture only specific packets. For instance, you can capture only UDP traffic, or only packets from one specific source host. Capture filters are set before a packet capture starts and cannot be changed while the capture is running (unlike display filters, which are applied to packets that have already been captured and can be changed at any time).
Let’s see what we have.
For specific hosts:
- host <IP_ADDRESS or hostname, e.g. host www.example.com>, src host <IP_ADDRESS>, dst host <IP_ADDRESS>. Note that host takes an IP address or a DNS name, not a URL; a name is resolved once, when the filter is compiled.
IMPORTANT NOTE : YOU CAN USE "and", "or" AND "not" (written in lowercase; &&, || and ! also work) TO LINK YOUR FILTERS!!!
- net <NETWORK/PREFIX>, e.g. net 192.168.1.0/24 (or net 192.168.1.0 mask 255.255.255.0)
You don't have to give a full range. You can also give just the leading octets of the address. For instance: src net 192.168 matches any source address in 192.168.0.0/16, and dst net <NETWORK/PREFIX> works the same way for destinations.
- You can capture only specific ports or protocols. For instance: port 53 (both TCP and UDP), udp port 53, or just udp for all UDP traffic.
- You can capture data by applying port ranges. For instance: tcp portrange 1-443.
- vlan (802.1Q-tagged frames; vlan <ID> for one specific tag). Put vlan before the other primitives, because the first vlan keyword shifts the decoding offsets for everything that follows it in the expression.
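Here is an added example (not part of the original post) that puts the primitives above together: a small POSIX shell helper that joins primitives with and/or/not, a few filters built from it, and a function that hands the result to tshark (or tcpdump) as a capture filter. The interface name, addresses, duration and output path are placeholders you would replace with your own.

```sh
#!/bin/sh
# Added example: building BPF capture filters from the primitives above.
# eth0, 192.168.1.x and /tmp/capture.pcap are assumed placeholder values.

# join_filter OP term1 term2 ...  ->  "(term1) OP (term2) OP ..."
# Each term is parenthesised so nested and/or/not groups stay unambiguous
# when filters are combined further.
join_filter() {
  local op="$1"; shift
  local out="" term
  for term in "$@"; do
    if [ -z "$out" ]; then
      out="($term)"
    else
      out="$out $op ($term)"
    fi
  done
  printf '%s' "$out"
}

# Filters built from the primitives in the post.
# DNS queries leaving one host (udp port 53 instead of bare "port 53" to skip zone transfers over TCP).
DNS_FROM_HOST=$(join_filter and "src host 192.168.1.10" "udp port 53")
# TCP traffic to/from a subnet on the low port range.
WEB_IN_SUBNET=$(join_filter and "net 192.168.1.0/24" "tcp portrange 1-443")
# Everything for one host except SSH: excludes your own session when capturing on a remote box.
NOT_SSH=$(join_filter and "host 192.168.1.10" "not port 22")
# Tagged VLAN frames carrying DNS; "vlan" comes first because it changes the offsets of what follows.
VLAN_DNS=$(join_filter and "vlan" "port 53")

# capture IFACE SECONDS OUTFILE FILTER
# Starts a capture with FILTER as the *capture* filter (tshark -f, not -Y),
# stops after SECONDS and writes a pcap. Nothing here is run at load time.
capture() {
  local iface="$1" secs="$2" out="$3" filter="$4"
  if command -v tshark >/dev/null 2>&1; then
    tshark -i "$iface" -f "$filter" -a "duration:$secs" -w "$out"
  elif command -v tcpdump >/dev/null 2>&1; then
    # tcpdump takes the same pcap-filter syntax as a trailing argument.
    timeout "$secs" tcpdump -i "$iface" -w "$out" "$filter"
  else
    echo "no capture tool (tshark/tcpdump) found" >&2
    return 1
  fi
}

# Example invocation (uncomment to run; needs capture privileges on eth0):
# capture eth0 60 /tmp/capture.pcap "$NOT_SSH"
```

Because a capture filter cannot be changed once the capture is running, it pays to print the assembled string (for example `echo "$NOT_SSH"`) and read it back before starting; a filter that is too narrow silently drops the packets you were hoping to investigate.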
You can combine and adapt these samples to build your own filters. For more, you can find it here. Peace be with you!!