HakTip 141 – Wireshark 101: Feedback and Tips

Shop: http://www.hakshop.com
Support: http://www.patreon.com/threatwire
Subscribe: http://www.youtube.com/hak5
Our Site: http://www.hak5.wpengine.com
Contact Us: http://www.twitter.com/hak5
Today on Haktip we’re checking out your feedback and tips for Wireshark.

Øyvind Nesland writes: I have a tip for how I’ve used Wireshark in my job as a network admin. We had a problem with IP-phones and our DHCP-server, and ended up with address-conflicts because two phones would use the same IP. To solve this and identify the phones, I used Wireshak and filtered on arp.duplicate-address-detected. This will give you all the duplicate addresses on your network, and helped me solve my problem.

You can find all the other filters related to address resolution protocol at this link: https://www.wireshark.org/docs/dfref/a/arp.html

Michael writes: At one of our branch offices, users were having issues with Internet connectivity. Sometimes okay…most of the time horrible. After verifying cabling and then settings on the router and work stations, I used WireShark to see what was going on. Bingo! I found a rouge wireless router that was using it’s external IP address (which was on the office’s internal network) that conflicted with the office’s default gateway. The packet capture session showed the ARP transactions between different MAC addresses with the same IP. Found the rouge router and cut the Ethernet cable leading to the area it was located. Without a doubt, fixed the issue.

Taylor asks: Does adding “Client FQDN” as a column mean a way to read names people offer out?

Philippe writes: Hi Shannon,
In wireshark’s filter bar, the expression :”ip.dst !=″ can generate issues (that’s why it’s hilighted in yellow ). You may write something like : “not (ip.dst ==” or “!(ip.addr == bla.bla)” (appears then in green in the filter bar.) As said here : (sorry for the broken line) https://www.wireshark.org/docs/wsug_html_chunked/ChWorkBuildDisplayFilterSection.html in section 6.4.4. A common mistake. Best regards, and tons of kisses from France to all the team.

Crazy52: I found a page with some examples to connect to wireshark over SSH
http://www.commandlinefu.com/commands/view/4373/analyze-traffic-remotely-over-ssh-w-wireshark . I have a raspbarry pi with a lan tap monitoring my internet traffic over eth0 and a usb ethernet adapter connecting it back into my network. Using windows with putty + wireshark i managed to get it to work with a command line.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>