Question
Sniffing with Wireshark
You can use Wireshark the same way you did for the other lab.
- Make sure Wireshark is running on your PC.
- Choose Capture > Interfaces to open the window to pick an interface. This step is identical on Linux, Mac OS X, and Windows versions. Now, with version 3.4.4, it asks you to select an interface while you're opening the program. Choose either your WiFi or wired adapter, depending on how you access the network.
- Once you have successfully begun the capture, you are all set to start sending your test packets. For this exercise I want you to use Telnet to send TCP traffic from a computer. If using a Windows 10 client, you need to enable the Telnet application; for Linux clients it may already be installed. Use this command to get data flowing from the Netherlands: telnet towel.blinkenlights.nl
- Once you have a good number of packets captured (or those specific packets you are looking for), you can stop the capture and save it. Saving a capture for later investigation is a good habit to get into. It is the same as saving any other file: choose File > Save As, then name the file and save it to the appropriate location.
- Next, open your saved capture and use search strings and filtering to find some words from the Star Wars movie. Opening a saved capture is just like opening any document: choose File > Open and then select the file. What were you able to find?
Step 2 Understanding packet analysis
- From your Wireshark installation, you are going to pull up the saved capture from Step 1. Open the file using the Wireshark File menu and select the file you had saved.
- Check the two bottom panes of the Wireshark display, where all the packet details are available for review. Notice the highlighted portion in the bottom pane when you select an item from the middle pane.
- Select the TCP portion of the packet in the middle pane.
- Now take this one step further and apply your knowledge of hexadecimal while taking advantage of Wireshark's packet breakdown display. In the following graphic, I have expanded the IP portion of the packet. Looking at the bottom pane of the Wireshark display, notice that the hex number highlighted (c0 a8 01 02) is the same as the decimal highlighted source IP (192.168.1.2) in the middle pane. Pretty cool, huh? So what have you accomplished here?
Step 3 Sniffing with tcpdump
1. First, get your sniffing client ready by launching tcpdump on Kali. If you run tcpdump without any switches or options, you can use the first or lowest numbered NIC and begin to catch traffic from that interface. This exercise works fine with the defaults. The following image shows the application up and running.
2. Next, you need to create some traffic. There are a few ways you can do this. In this exercise you can use your Telnet client again and make a connection: telnet towel.blinkenlights.nl. Once the Telnet clients are talking and traffic is flowing, you can see what's coming across the wire.
3. The tcpdump output in the terminal window view is fairly clear, but it's still a little clunky to work with. Go ahead and perform the same sniffing session again, but this time save the output to a file for future reference. Note the command syntax in the following graphic; this command takes the traffic captured by tcpdump and writes it to a file named tel_capture.log
4. There are a couple of ways to read the captured log file. One is with tcpdump, but it can also be opened with Wireshark.
5. From your Wireshark File menu, select tel_capture.log. The log should look familiar; tell me what it shows.
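The capture-file side of Steps 1 to 3, as an added worked example; this is not code from the lab handout, nor from Wireshark or tcpdump. It builds a small constructed capture (the MACs, the 192.168.1.2 client, the "galaxy" line and the server address 203.0.113.7, an RFC 5737 documentation address standing in for the real telnet host, are all made up), writes it in the classic libpcap format that `tcpdump -w` produces, reads it back, dissects the Ethernet/IPv4/TCP headers to show the hex-to-dotted-decimal mapping from Step 2, and searches the TCP payloads for a string the way the display filter in Step 1 would:

```python
"""Parse a classic libpcap file (the format `tcpdump -w` writes and Wireshark
opens) without Wireshark: walk Ethernet/IPv4/TCP headers, show the source IP
both as the raw hex bytes the bytes pane highlights and as dotted decimal, and
search the TCP payloads for a string, as the lab does with a display filter."""
import io
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4      # microsecond-resolution classic pcap
LINKTYPE_ETHERNET = 1


def build_packet(src_ip, dst_ip, sport, dport, payload):
    """Build one Ethernet/IPv4/TCP frame. MACs are made up; IP and TCP
    checksums are left at zero (Wireshark would flag them, parsing does not care)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def write_pcap(frames):
    """Serialize frames as a little-endian classic pcap (global header + one record each)."""
    buf = io.BytesIO()
    buf.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for i, frame in enumerate(frames):
        buf.write(struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)))
        buf.write(frame)
    return buf.getvalue()


def read_pcap(data):
    """Yield raw frames from a classic pcap in either byte order.
    Wireshark 3.x saves pcapng by default; that format is not handled here,
    so use `tcpdump -w` or pick pcap explicitly in Wireshark's Save As dialog."""
    for endian in ("<", ">"):
        if struct.unpack_from(endian + "I", data, 0)[0] == PCAP_MAGIC:
            break
    else:
        raise ValueError("not a classic pcap file (pcapng?)")
    if struct.unpack_from(endian + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Dissect Ethernet/IPv4/TCP; return None for anything else (ARP, UDP, ...)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":      # EtherType 0x0800 = IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                                # header length in 32-bit words
    if ip[9] != 6:                                          # protocol 6 = TCP
        return None
    total_len = struct.unpack_from("!H", ip, 2)[0]
    src_raw, dst_raw = ip[12:16], ip[16:20]
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    return {
        "src_hex": src_raw.hex(" "),            # e.g. "c0 a8 01 02", what the bytes pane highlights
        "src": socket.inet_ntoa(src_raw),       # e.g. 192.168.1.2, what the details pane shows
        "dst": socket.inet_ntoa(dst_raw),
        "sport": sport,
        "dport": dport,
        "payload": tcp[(tcp[12] >> 4) * 4:],    # TCP data offset is also in 32-bit words
    }


def find_string(pcap_bytes, needle):
    """Frame numbers (1-based, as Wireshark numbers them) whose TCP payload contains needle;
    the same idea as the display filter  tcp contains "galaxy"."""
    return [n for n, frame in enumerate(read_pcap(pcap_bytes), start=1)
            if (pkt := parse_tcp(frame)) and needle in pkt["payload"]]


# Constructed sample capture: a telnet session from 192.168.1.2 to a placeholder
# server at 203.0.113.7 (RFC 5737 documentation range, not the real blinkenlights host).
SAMPLE_PCAP = write_pcap([
    build_packet("192.168.1.2", "203.0.113.7", 51234, 23, b"\xff\xfd\x03"),      # telnet IAC DO SUPPRESS-GO-AHEAD
    build_packet("203.0.113.7", "192.168.1.2", 23, 51234,
                 b"A long time ago in a galaxy far, far away...\r\n"),
    build_packet("192.168.1.2", "203.0.113.7", 51234, 23, b""),                  # bare ACK, no data
])

if __name__ == "__main__":
    for n, frame in enumerate(read_pcap(SAMPLE_PCAP), start=1):
        p = parse_tcp(frame)
        print(f"{n}: {p['src_hex']} = {p['src']} -> {p['dst']}:{p['dport']}  {p['payload'][:24]!r}")
    print("frames containing b'galaxy':", find_string(SAMPLE_PCAP, b"galaxy"))
```

Two practical notes. `tcpdump -w tel_capture.log` writes this binary pcap format whatever extension you give the file, so `tcpdump -r tel_capture.log` (or Wireshark's File > Open) reads it back, while `cat` or a text editor will not. And a capture saved from the Wireshark GUI is pcapng unless you pick pcap in the Save As dialog, so `read_pcap` above deliberately rejects it rather than mis-parsing it.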