Port Ranges
• Ports 0 to 1023 are Well-Known Ports.
• Ports 1024 to 49151 are Registered Ports (often registered by a software developer to designate a particular port for their application).
• Ports 49152 to 65535 are Public Ports.
Traffic Analysis - Wireshark
Configure Name Resolution
- Make a new profile
- Make a “hosts” file with format “ip hostname”
- Place that “hosts” file in the ~/.config/wireshark/configprofilename/ folder
- Open the pcap file, select your configuration profile, and ensure “View>>Name Resolution>>Resolve network/transport address names” is checked
Configure Ports
- Go to “Edit>>preferences>>columns” and add src and dst ports to the display
Figuring out where multicast goes to
- Fill out “hosts” and “services” file if you can
- Click on various multicast packets – generally the parameters will identify what the application is, with a version or the company that made it.
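An added helper, not part of the original notes, that builds the “ip hostname” hosts file and the “name port/proto” services file the notes say to fill out, dropping malformed or duplicate entries that would otherwise never resolve, and labels ports with the three ranges listed at the top. All addresses, names and port numbers are constructed samples; the services layout is assumed to follow /etc/services.

```python
import ipaddress

# Port classes exactly as listed in the notes (IANA port-number ranges).
PORT_RANGES = (
    (0, 1023, "well-known"),
    (1024, 49151, "registered"),
    (49152, 65535, "public"),
)

# Constructed sample data (assumed addresses/names, not from any real capture).
SAMPLE_HOSTS = [
    ("10.0.0.5", "fileserver"),
    ("10.0.0.5", "fileserver-dup"),   # repeated IP: only the first entry is kept
    ("not-an-ip", "bogus"),           # malformed address: skipped
    ("224.0.0.251", "mdns-group"),    # a multicast group can be named as well
]
SAMPLE_SERVICES = [("scada-poll", 20000, "tcp"), ("bad", 70000, "udp")]

def port_class(port):
    """Name of the range a port falls into, per the notes' three ranges."""
    for low, high, name in PORT_RANGES:
        if low <= port <= high:
            return name
    raise ValueError(f"not a valid port: {port}")

def build_hosts(entries):
    """Render 'ip hostname' lines; bad IPs, bad names and repeat IPs are dropped."""
    seen, lines = set(), []
    for ip, name in entries:
        try:
            addr = ipaddress.ip_address(ip)   # accepts IPv4 and IPv6, rejects junk
        except ValueError:
            continue
        if addr in seen or not name or " " in name:
            continue
        seen.add(addr)
        lines.append(f"{addr} {name}")
    return "".join(line + "\n" for line in lines)

def build_services(entries):
    """Render 'name port/proto' lines (assumed /etc/services layout)."""
    lines = []
    for name, port, proto in entries:
        if not 0 <= port <= 65535 or proto not in ("tcp", "udp"):
            continue   # out-of-range port or unknown protocol: drop it
        lines.append(f"{name} {port}/{proto}")
    return "".join(line + "\n" for line in lines)
```

Write the returned text to files named hosts and services inside the profile folder the notes name, then reload the profile.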
Query for Common Ports
• tcp.dstport >= 0 and tcp.dstport <= 10000 || tftp || dns
Saving off filters to make capture smaller
- Apply a filter
- Click “File>> Export Specified Packets” then save them to a file
Search for Strings
• Edit >> find packet
Extracting files
• file >> export objects