Wireshark 101: Expressions; Haktip 118 Video Lecture | Start Using Wireshark: Do Hacking like a Pro - Back-End Programming

this episode of hack tip is brought to
you by citrix gotoassist the number one
global market leader in remote support
welcome to HEC tip the show where we
break down concepts tools and techniques
for hackers gurus and IT ninjas I'm
Shannon Morse and today we are checking
out Wireshark and expressions but first
a tip or two from our YouTube viewers
when discussing the OSI model from a
couple of weeks ago several YouTube fans
said that they memorized it in really
fun ways such as crossover he memorized
it by saying please do not throw sausage
pizza away mega pads used Princess Diana
never tried shagging Prince Andrew and
for the data type on each layer he used
but Fergie proclaims she did did did
four bits frames packets segments data
data and data Rama used all that all
people seem to need data processing and
Ben uses pew dead ninja turtles smelled
particularly awful I really liked the
last one the most okay now moving on
today we are totally focusing on
expressions so first let's go ahead and
break down the syntax all right so we
have a syntax each syntax is called an
expression and the expression has a
whole bunch of different parts to it if
we look at my example over here I have a
really really long expression by the way
it starts with this WLAN address equals
a MAC address ampersand ampersand double
you'll an FC type subtype equals equals
0 times 0 4 and then I use two of these
lines which means pipe pipe and at the
end we say CW LAN MC type subtype equals
equals 0 X 0 5 now I have a couple of
parts to this the first parts are called
primitives and primitives are divided up
by operators so if we take another
second look at this I'll highlight the
primitives so this would be a primitive
right here W land subtype equals equals
0 X 0 5 and then the pipe lines the two
lines in the middle that would be the
operators now each primitive can also
have a qualifier in it as well as an eye
now this probably makes a little bit
more sense than operators and whatnot up
at the top we have our qualifiers so
this can be whatever is qualifying at
the beginning and then your ID the I
agree ID can be a MAC address it could
be an IP address things like that now
operators can be either ampersand
ampersand pipe pipe or just an
exclamation mark and these mean
respectively and four ampersand
ampersand or four pipe pipe and
exclamation mark just means not so it
does not equal whatever thing that
you're putting in now qualifiers can
either be type which would be like host
net or port these identify what the ID
refers to dir which would be a direction
so this would be either the source s RC
or DST for destination direction just
tells you whether the transfer is going
to or from the ID and then proto which
basically means protocol this could be a
30 CP UDP HTTP FTP this is a particular
protocol specifically that the ID is
also repeating back to you now I have
also printed out a nice little cheat
sheet that I'll show you this is from
packet life dotnet it's a two-part cheat
sheet that basically goes over all the
different expressions that you can use
for everything from I PV ipv6 to TCP
there's frame relays on here VT P which
I don't know if I'll use that HTTP on
here that can be pretty useful UDP and
then they also list a whole bunch of
operators and logics as well so this can
be really really helpful for anybody
that needs these specific information
because you can't memorize all these
really if anybody's out there that has
memorized all of these please let me
know
now this cheat sheet is of course
available for free but since there are
so many display filters that you can use
it's pretty common to find posters just
like this one on the internet everywhere
now right after the break I'll have a
whole bunch more information for you but
we will be right back with go to assist
remote support you can provide live and
unattended remote support to any
computer or mobile device so you can
screen share with employees to diagnose
their support problems faster and more
effectively giving you more time to get
back to whatever you're doing and you
can use go to assist apps to deliver
support anytime anywhere go to super
easy to use and it sets up in less than
a minute so go ahead sign up today for
go to assist and get a free citrix tool
any other one for six months visit go to
assist comm and get started but don't
wait because the special offer ends
October 10th again visit go to assist
comm and sign up to receive this special
offer today we're back and now it's time
to actually break down our examples so
the first example that I showed you was
from our pro request from last week so I
asked you guys what in the world is
happening with this one so specifically
it had to do with a Wi-Fi pineapple and
a phone so if we take a look at this you
can see that here is a destination
called zone emo B so we we know that
it's a mobile phone that was made by
Sony and then we have this other one
called broadcast so broadcast is a Wi-Fi
pineapple you'll notice that every time
the Wi-Fi pineapple which is also code
orient Pio and then has a short part of
its address is sending Sony mobi any
kind of information it's using the
protocol 802 11 the length of this
packet is 166 and it's a probe response
so it's responding to the Sony Mobile's
probe request so down here we'll see
Sony Mobile is sending the Wi-Fi
pineapple a packet over 802 11 the
length is 267 it's a probe request it's
looking for this SSID called broadcast
so every time it does that the Wi-Fi
pineapple is replying
hey this is SSID broadcast so connect to
me now if you're familiar with the Wi-Fi
pineapple this probably sounds pretty
familiar and I'm very proud of you guys
for getting it right if you did so in
the comments now let's go ahead and take
another look at the expression up at the
top so we can break it down a little bit
farther so first off this is the entire
expression the entire thing is the whole
expression the whole syntax for what I
want to break down and how I want to
find the specific information so first
off we have this part
this is the type W land dot addr
address this is going to equal so equal
equal it must equal this thing and the
MAC address the MAC address is going to
be the ID so this whole part right here
is going to be the primitive and then
the next part right here this is the
operator
so this ampersand ampersand this means
that not only am i looking for anything
with the W land address of this Mac idea
but I'm also looking for this subtype
that equals zero X zero four so this is
another ID right here after that we're
also going to hit pipe so pipe is
another operator and then we're looking
for another primitive so this is going
to be W land FC type subtitles the ID 0
X 0 5 so not only are we looking for
things going to the Wi-Fi pineapple but
we're also looking for things coming
from the Wi-Fi pineapple and back and
forth I have a second example for you as
well pulled up in a second Wireshark
right here now this one's a lot lot
shorter so it's probably a little bit
easier to understand up at the top we
have the type so this is IP and then we
have the direction so the direction
either either the source or the
destination so in this example SRC and
then it equals the IP address 1073 3159
so we're now we know that we're looking
for a source that equals this IP address
ampersand ampersand is telling us that
we're looking for and we're also going
to include this tcp which is the type
the port equals equals the ID 80 so
we're looking for something on port 80
with this IP address as the source now
when I hit enter when I hit apply it's
going to go ahead and break down and
find all of those sources for me so
you'll notice that under source each one
is dot v 9 I can highlight one of these
for example I know that each one's going
to be a protocol of HTTP and then I can
just go through here and check out
different things so for example this
image is one that I have highlighted and
I believe if I look under here
there it is so this one is the reference
is to sephora.com
so I know that whoever was on the
Internet obviously went to sephora.com
so for this example that might be really
useful to you if you're an IT person and
your boss asks you hey make sure all of
our employees are actually not browsing
the internet and buying makeup while
they're at work you could definitely use
this to find out ok so this person on
this destination so this specific IP
address is going to sephora.com
during the workday and you have the time
stamp to follow yeh proof of course
there are easier ways to do that I know
about them trust me I know you do too
but you can always comment below or you
can email us feedback at hak5 org let me
know what you think of everything that
we're doing over here on hack tip and
definitely check out our sister show
hack 5 for more awesome stuff like
Wireshark like drones and SDR radios
it's really fun so I'm Shannon Morse
and I'll see you over there don't forget
to trust your Tecna Leste