This technote requires Wireshark (formerly known as Ethereal) to be installed on your Windows computer. Search via your favorite search engine for "Wireshark" to find out where to download it from and how to install it.

Once Wireshark is installed and the GUI is running, click on the "Capture" menu and select the "Interfaces" submenu. In the "Interfaces" menu, select the "Options" button for the interface the traffic will be coming in on. In the resulting dialog, deselect "Capture packets in promiscuous mode" if it is selected (we only care about traffic coming from and going to this host). In the field next to the "Capture Filter" button, enter a filter if desired, e.g. "port 389". You can also specify a capture file in the "Capture File(s)" entry field in the same dialog if you want to save immediately. Then start capturing by selecting the "Start" button from the same dialog. This will begin tracing network packets with a source or destination port of 389, and only for the local machine.

Run the operation that needs to be traced. When the operation is completed, you should see the captured packets listed in Wireshark. This particular capture was performed using Wireshark 1.6.7 on Windows 2003 Server, running a rootDSE search from the native host to a Windows guest virtual machine. When using different versions of Wireshark, some menu options might be different.

To stop the network trace, either press Ctrl-E or select "Stop" from the "Capture" menu. Finally, use the "File" -> "Export" -> "File" menu to save the output to a file. Compress this output file and send it to Support with any other requested data.

When a host within an organization's network is infected or otherwise compromised, responders need to quickly identify the affected host and user. In some organizations, this could involve reviewing a packet capture (pcap) of network traffic generated by the affected host. This tutorial uses Wireshark to identify host and user data in pcaps. This is the third in a series of tutorials that provide tips and tricks to help security professionals more effectively use Wireshark. This article was first published in March 2019 and is being updated for 2023.

The tutorial covers the following sections:

- Requirements and Supporting Material
- Host Information from Dynamic Host Configuration Protocol (DHCP) Traffic
- Device Models and Operating System (OS) from HTTP Traffic
- Host Information from NetBIOS Name Service (NBNS) Traffic
- Identifying Users in an Active Directory (AD) Environment
- Additional Resources

To fully understand this tutorial, readers should have reviewed the material in our previous tutorials on customizing Wireshark's column display and using display filter expressions. Requirements also include a recent version of Wireshark, at least version 3.6.2 or later. This tutorial features Wireshark version 4.0.8 with a customized column display from our previous tutorials. We strongly recommend using the most recent version of Wireshark available for your operating system (OS). To follow this tutorial, readers should have a basic understanding of network traffic.

The pcaps used for this tutorial are in a password-protected ZIP archive located at our GitHub repository. Download the file named Wireshark-tutorial-identifying-hosts-and-users-5-pcaps.zip. Use infected as the password and extract the five pcaps, as shown below in Figure 1.

- Wireshark-tutorial-identifying-hosts-and-users-1-of-5.pcap
- Wireshark-tutorial-identifying-hosts-and-users-2-of-5.pcap
- Wireshark-tutorial-identifying-hosts-and-users-3-of-5.pcap
- Wireshark-tutorial-identifying-hosts-and-users-4-of-5.pcap
- Wireshark-tutorial-identifying-hosts-and-users-5-of-5.pcap

Any host generating traffic within a network should have three identifiers: a MAC address, an IP address and a hostname. Our first pcap for this tutorial is Wireshark-tutorial-identifying-hosts-and-users-1-of-5.pcap. This pcap is based on traffic to and from an Ethernet address at f8:ff:c2:04:a5:7b. Using our basic web filter, we can correlate the IP address at 172.16.138 with its associated MAC address at f8:ff:c2:04:a5:7b, as shown below in Figure 2. DHCP traffic might reveal the hostname using this IP address.

Figure 2. Correlating an IP address with a MAC address.
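As an added example (not code from the tutorial or the technote), the correlation just described done offline in pure Python: walk raw Ethernet frames, tie each source MAC to its source IP the way the basic web filter does, and pull the hostname from DHCP option 12 in a DHCP Request. The frames are constructed for this example; the MAC address f8:ff:c2:04:a5:7b is the one the tutorial names, while the IP address 192.0.2.50, the hostname DESKTOP-EXAMPLE and the helper names (`parse_dhcp`, `correlate_hosts`, the `build_*` functions) are assumptions made here.

```python
# Added example, not code from the tutorial or technote. Sample frames are
# constructed below: the MAC is the tutorial's, IP and hostname are made up.
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_UDP = 17
DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_HOSTNAME, OPT_REQUESTED_IP, OPT_MSG_TYPE, OPT_END = 0, 12, 50, 53, 255


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def parse_dhcp(payload):
    """Return (client_mac, client_ip, hostname, msg_type), or None if not DHCP."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return None
    hlen = payload[2]                       # hardware address length (6 for Ethernet)
    ciaddr = payload[12:16]                 # client IP, set only if it already has a lease
    chaddr = payload[28:28 + hlen]          # client hardware (MAC) address
    hostname = requested_ip = msg_type = None
    i = 240
    while i + 1 < len(payload):             # bounds check guards a truncated option list
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == OPT_HOSTNAME:
            hostname = value.decode("ascii", errors="replace")
        elif code == OPT_REQUESTED_IP and length == 4:
            requested_ip = ip_str(value)
        elif code == OPT_MSG_TYPE and length == 1:
            msg_type = value[0]
        i += 2 + length
    client_ip = requested_ip or (ip_str(ciaddr) if ciaddr != b"\0\0\0\0" else None)
    return mac_str(chaddr), client_ip, hostname, msg_type


def correlate_hosts(frames):
    """Build {mac: {"ip": ..., "hostname": ...}} from raw Ethernet frames.

    Any IPv4 frame ties the source MAC to the source IP (what the basic web
    filter shows); a DHCP Request (client port 68 -> server port 67) adds the
    requested IP and the hostname carried in option 12.
    """
    hosts = {}
    for frame in frames:
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue
        src_mac = mac_str(frame[6:12])
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        src_ip = ip_str(frame[26:30])
        entry = hosts.setdefault(src_mac, {"ip": None, "hostname": None})
        if src_ip != "0.0.0.0":             # a client without a lease sends from 0.0.0.0
            entry["ip"] = src_ip
        udp = frame[14 + ihl:]
        if proto != PROTO_UDP or len(udp) < 8:
            continue
        sport, dport = struct.unpack("!HH", udp[:4])
        if (sport, dport) == (68, 67):
            parsed = parse_dhcp(udp[8:])
            if parsed:
                mac, ip, hostname, _ = parsed
                dhcp_entry = hosts.setdefault(mac, {"ip": None, "hostname": None})
                dhcp_entry["ip"] = ip or dhcp_entry["ip"]
                dhcp_entry["hostname"] = hostname or dhcp_entry["hostname"]
    return hosts


# --- constructed sample traffic (checksums left zero; the parser ignores them) ---
def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def _ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def build_ipv4_udp(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, PROTO_UDP, 0,
                     _ip_bytes(src_ip), _ip_bytes(dst_ip))
    return _mac_bytes(dst_mac) + _mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + ip + udp


def build_dhcp_request(client_mac, requested_ip, hostname):
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x3903F326, 0, 0,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                        _mac_bytes(client_mac).ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = (bytes([OPT_MSG_TYPE, 1, 3])                      # 3 = DHCPREQUEST
            + bytes([OPT_REQUESTED_IP, 4]) + _ip_bytes(requested_ip)
            + bytes([OPT_HOSTNAME, len(hostname)]) + hostname.encode("ascii")
            + bytes([OPT_END]))
    return fixed + DHCP_MAGIC + opts


CLIENT_MAC = "f8:ff:c2:04:a5:7b"   # MAC address named in the tutorial
CLIENT_IP = "192.0.2.50"           # assumption (documentation range)
CLIENT_HOST = "DESKTOP-EXAMPLE"    # assumption

SAMPLE_FRAMES = [
    # DHCP Request broadcast before the client holds a lease
    build_ipv4_udp(CLIENT_MAC, "ff:ff:ff:ff:ff:ff", "0.0.0.0", "255.255.255.255", 68, 67,
                   build_dhcp_request(CLIENT_MAC, CLIENT_IP, CLIENT_HOST)),
    # later DNS query from the leased address: ties the MAC to the IP like the web filter
    build_ipv4_udp(CLIENT_MAC, "00:11:22:33:44:55", CLIENT_IP, "192.0.2.1", 51000, 53, b"\0" * 12),
]

if __name__ == "__main__":
    for mac, info in correlate_hosts(SAMPLE_FRAMES).items():
        print(f"{mac}  {info['ip'] or '?':<15}  {info['hostname'] or '?'}")
```

The same view in Wireshark itself comes from the display filters `eth.addr == f8:ff:c2:04:a5:7b` (every frame for that NIC) and `dhcp` (the Request carrying the Host Name option). The parser deliberately ignores a source IP of 0.0.0.0, since a client that has not yet obtained a lease sends its DHCP Request from that address and the usable IP is the one in option 50.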