This week I want to talk about how we can use Wireshark for forensic purposes. I'm currently taking a class called Network Analysis that talks about this very subject! In this blog post, I will share what I learned in this class so it will be very basic information, but important to know!
In Wireshark, you can filter packets by port number. When doing so, you have to specify whether the port is UDP or TCP. Here are examples of what the filters look like:
udp.srcport == 2000 - Find UDP packets with a source port of 2000
udp.dstport == 2000 - Find UDP packets with a destination port of 2000
tcp.srcport == 2000 - Find TCP packets with a source port of 2000
tcp.dstport == 2000 - Find TCP packets with a destination port of 2000
You can also apply these filters without a port number, so that just tcp or udp matches every packet of that protocol; I use the number 2000 only as an example.
Another great feature of Wireshark is that you can filter by IP addresses, which is important in network forensics since it will make the job easier. Here are some examples:
ip.addr == 192.168.70.1 - Find packets with the specified IP as either source or destination
ip.host == 192.168.80.1 - Find packets whose source or destination host matches the specified value
ip.src == 192.168.90.1 - Find packets with the specified IP as the source
ip.dst == 192.168.100.1 - Find packets with the specified IP as the destination
ip.src_host == 192.168.110.1 - Find packets from the host with the specified source IP
ip.dst_host == 192.168.120.1 - Find packets to the host with the specified destination IP
This is just a very basic overview on the sorts of things you can do on Wireshark. I will definitely be sharing more of what you can do in the future! Thank you so much for reading!