Tshark
To show the help menu
tshark -h | more
To list the interfaces we can capture on
tshark -D
To read a pcap file
tshark -r abeg.pcap
To print the protocol hierarchy statistics (no per-packet output)
tshark -r abeg.pcap -z io,phs -q
To read only the first 100 packets
tshark -r abeg.pcap -c 100
Filtering Basics
To filter for http
tshark -r abegg.pcap -Y 'http' | more
Also, to get the source ip address and the URI each GET request goes out to
tshark -r abegg.pcap -Y 'http.request.method==GET' -Tfields -e frame.time -e ip.src -e http.request.full_uri | more
Checking http post requests for login creds (cleartext HTTP only; this matches the string "password" anywhere in the HTTP payload)
tshark -r abegg.pcap -Y 'http.request.method==POST && http contains "password"'
Narrowing it down to a specific site (the host is in http.host; the string is quoted so the dots are not parsed as field names)
tshark -r abegg.pcap -Y 'http.request.method==GET && http.host=="www.nytimes.com"' -Tfields -e ip.dst | more
To check the browser a host is using (the field is http.user_agent)
tshark -r abegg.pcap -Y 'ip.src==10.10.10.10 && http' -Tfields -e http.user_agent | more
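The -Tfields commands above print one tab-separated line per packet, which is easy to post-process. The script below is an added example (not part of the original notes): it parses that output and builds, per source IP, the set of hosts contacted and the user agents seen, and lists every cleartext POST so an analyst knows which requests to open with -V. The producer command in the comment and the sample lines are assumptions constructed for the example; the field names are real tshark field names.

```python
#!/usr/bin/env python3
"""Summarize tshark -Tfields HTTP request output (added example, not from the page)."""
from collections import defaultdict

# Assumed producer command (all of these are real tshark field names):
#   tshark -r abeg.pcap -Y http.request -Tfields \
#       -e ip.src -e http.request.method -e http.host -e http.user_agent -e http.request.full_uri
FIELDS = ["ip.src", "http.request.method", "http.host", "http.user_agent", "http.request.full_uri"]

# Constructed sample output (tab-separated, one request per line); not a real capture.
SAMPLE = """\
10.10.10.10\tGET\twww.nytimes.com\tMozilla/5.0 (X11; Linux x86_64) Firefox/115.0\thttp://www.nytimes.com/
10.10.10.10\tGET\twww.nytimes.com\tMozilla/5.0 (X11; Linux x86_64) Firefox/115.0\thttp://www.nytimes.com/section/world
10.10.10.11\tPOST\tintranet.example\tMozilla/5.0 (Windows NT 10.0) Chrome/120.0\thttp://intranet.example/login
10.10.10.11\tGET\tcdn.example\tcurl/8.4.0\thttp://cdn.example/update.bin
"""


def parse_fields(text, fields=FIELDS):
    """Turn -Tfields output into a list of dicts keyed by field name."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = line.split("\t")
        # tshark leaves a column empty when the field is absent from a packet
        cols += [""] * (len(fields) - len(cols))
        rows.append(dict(zip(fields, cols)))
    return rows


def summarize(rows):
    """Per source IP: hosts contacted and user agents seen, plus every cleartext POST."""
    hosts = defaultdict(set)
    agents = defaultdict(set)
    posts = []
    for r in rows:
        src = r["ip.src"]
        if r["http.host"]:
            hosts[src].add(r["http.host"])
        if r["http.user_agent"]:
            agents[src].add(r["http.user_agent"])
        if r["http.request.method"] == "POST":
            # Every POST the http dissector sees is unencrypted: worth a look for credentials
            posts.append((src, r["http.request.full_uri"]))
    return {"hosts": dict(hosts), "agents": dict(agents), "posts": posts}


if __name__ == "__main__":
    report = summarize(parse_fields(SAMPLE))
    for src in sorted(report["hosts"]):
        print(src, "->", ", ".join(sorted(report["hosts"][src])))
        for ua in sorted(report["agents"].get(src, ())):
            print("   UA:", ua)
    for src, uri in report["posts"]:
        print("cleartext POST from", src, "to", uri)
```

Feed the script real data with `tshark ... -Tfields ... > requests.tsv` and pass the file contents to parse_fields; a host whose user-agent set mixes a browser and a command-line client (as 10.10.10.11 does in the sample) is the kind of thing worth a second look.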
ARP Poisoning
ARP poisoning attack
Enable IP forwarding first
echo 1 > /proc/sys/net/ipv4/ip_forward
To spoof
arpspoof -i eth1 -t 10.100.13.37 -r 10.100.13.36
Capture the resulting traffic in Wireshark
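From the defender's side, the capture above is easy to recognise: the same IP address is suddenly claimed by two different MAC addresses in ARP traffic. The script below is an added example (not part of the original notes) that reads tshark -Tfields ARP output and reports every IP advertised by more than one MAC. The producer command and the MAC addresses are constructed for the example; the IP addresses are the two from the arpspoof line above.

```python
#!/usr/bin/env python3
"""Flag IP addresses claimed by more than one MAC in ARP traffic (added example)."""
from collections import defaultdict

# Assumed producer command (real tshark field names):
#   tshark -r capture.pcap -Y arp -Tfields \
#       -e frame.time_relative -e arp.opcode -e arp.src.hw_mac -e arp.src.proto_ipv4
FIELDS = ["frame.time_relative", "arp.opcode", "arp.src.hw_mac", "arp.src.proto_ipv4"]

# Constructed sample: opcode 1 = request, 2 = reply. The MACs are made up;
# de:ad:be:ef:00:01 answers for both hosts, which is the poisoning signature.
SAMPLE = """\
0.000\t1\taa:bb:cc:00:00:36\t10.100.13.36
0.001\t2\taa:bb:cc:00:00:37\t10.100.13.37
5.000\t2\tde:ad:be:ef:00:01\t10.100.13.37
5.001\t2\tde:ad:be:ef:00:01\t10.100.13.36
5.002\t2\tde:ad:be:ef:00:01\t10.100.13.37
"""


def parse_arp(text, fields=FIELDS):
    """Parse -Tfields output into dicts; skips blank lines and pads missing columns."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = line.split("\t")
        cols += [""] * (len(fields) - len(cols))
        rows.append(dict(zip(fields, cols)))
    return rows


def find_conflicts(rows):
    """Return {ip: sorted list of MACs} for every IP that was advertised by 2+ MACs."""
    claims = defaultdict(set)
    for r in rows:
        ip, mac = r["arp.src.proto_ipv4"], r["arp.src.hw_mac"]
        if ip and mac and ip != "0.0.0.0":  # 0.0.0.0 is a normal ARP probe, not a claim
            claims[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


def reply_counts(rows):
    """Number of ARP replies sent per MAC; a spoofer usually tops this list."""
    counts = defaultdict(int)
    for r in rows:
        if r["arp.opcode"] == "2" and r["arp.src.hw_mac"]:
            counts[r["arp.src.hw_mac"]] += 1
    return dict(counts)


if __name__ == "__main__":
    rows = parse_arp(SAMPLE)
    for ip, macs in sorted(find_conflicts(rows).items()):
        print(f"{ip} claimed by {len(macs)} MACs: {', '.join(macs)}")
    for mac, n in sorted(reply_counts(rows).items(), key=lambda kv: -kv[1]):
        print(f"{mac}: {n} replies")
```

tshark's ARP dissector also flags this on its own: `tshark -r capture.pcap -Y arp.duplicate-address-detected` prints the frames in which Wireshark saw a second MAC claim an address already seen, which is a quick first check before running anything like the script above.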
Wifi Traffic Analysis
Beacon frames (0x0008) that carry neither a WPA vendor IE nor an RSN IE (tag 48), i.e. open or WEP networks
(wlan.fc.type_subtype == 0x0008) && !(wlan.wfa.ie.wpaversion == 1) && !(wlan.tag.number == 48)
wlan contains "Home_Network" // the channel is in the DS Parameter Set tag
wlan contains "LazyArtists"
Beacons for SSIDs containing "Amazon"
(wlan.ssid contains "Amazon") && (wlan.fc.type_subtype == 0x0008)
All frames sent by or addressed to one station
(wlan.ta == e8:de:27:16:87:18) || (wlan.ra == e8:de:27:16:87:18)
Data frames (0x0020) on one BSS
((wlan.bssid == e8:de:27:16:87:18) && (wlan.fc.type_subtype == 0x0020))
Association responses (0x0001) on that BSS involving one client
(((wlan.bssid == e8:de:27:16:87:18)) && (wlan.addr == 5c:51:88:31:a0:3b)) && (wlan.fc.type_subtype == 0x0001)