Overview

Introduction

The Wireshark Understanding Traffic Capture module provides you with the instructions and devices to develop your hands-on skills in the following topics.

  • Capturing Traffic
  • Capture Filters
  • Display Filters
  • Colorizing Traffic

Lab time: It will take approximately 1 hour to complete this lab.

Exercise 1 - Capturing Traffic

Traffic capture is performed via two methods; a connection tap, which views only authorized traffic, or promiscuous mode, which can view all passing network traffic. Wireshark will detect all Ethernet adapters present on the system, it's then up to the user to select the correct adapter. This might be a standard Ethernet connection, WIFI, virtual adapters and even USB.

In this exercise you will complete the following tasks:

  • Capture Traffic for One Device

Exercise 2 - Capture Filters

In some circumstances, you may need to limit the traffic that you want to capture; to do this, you would use capture filters. However, is important to note that if the capture filter doesn’t pick up the traffic, the packets will be lost and you can’t recover them.

For example, if you have a problem browsing the internet you may be tempted to use a filter to specifically look for port traffic and nothing else. The main use is to narrow down all the traffic to only what is needed; this also helps to reduce the log files in size.

Note: Applying the correct syntax spelling and structure is essential however If a rule is syntactically valid this does not imply that the rule is logically meaningful!!

In this exercise you will complete the following tasks:

  • Exploring the default Filters
  • Building Capture Filters

Exercise 3 - Display Filters

Display filters help us analyze the traffic by displaying only the interesting traffic and solve the famous ‘’needle in the haystack” problem. They can be applied while you are capturing or after the capture is finished. Their syntax is used for Columns definition and coloring rules as well.

Wireshark comes already with a predefined list of filters that can be used as starting points to constructing more advanced filters.

Alert: Display Filters as the Capture Filters are case sensitive! HTTP is not the same of http when writing the syntax into Wireshark.

Fortunately, when you type filters in the filter field you can use Intellisense, which is a system that tries to predict the syntax you are writing and produces those options for selection into the filter.

In this exercise, you will complete the following tasks.

  • Build MAC/IP Filters
  • Filter by Application
  • Combine Filters

Exercise 4 - Colorizing Traffic

Coloring traffic strongly assists with analysis time; the reality is of trace file information is that there is simply too much to process. You will already have noticed that Wireshark uses colors to identify information of interest or to highlight particular characteristics of that information.

In this exercise you will complete the following tasks:

  • Differentiate Traffic Types
  • Disable Coloring Rules
  • Coloring Rule Management
  • Identify Packet Colors
  • HTTP Rule
  • Colors and Conversations

Comprehensive Learning

See the full benefits of our immersive learning experience with interactive courses and guided career paths.