📔
Defense
  • Defense
  • Getting Started
    • Introductory Networking
      • Introduction
      • The OSI Model: An Overview
        • Answers
      • Encapsulation
        • Answers
      • The TCP/IP Model
        • Answers
      • Wireshark
        • Answers
      • Networking Tools - Ping
        • Answers
      • Networking Tools - Traceroute
        • Answers
      • Networking Tools - WHOIS
        • Answers
      • Networking Tools Dig
        • Answers
      • Further Reading
    • Network Services
      • Understanding SMB
        • Answers
      • Enumerating SMB
        • Answers
        • Untitled
      • Exploiting SMB
        • Answers
        • Untitled
      • Understanding Telnet
        • Answers
      • Enumerating Telnet
        • Answers
        • Untitled
      • Exploiting Telnet
        • Answers
        • Untitled
      • Understanding FTP
        • Answers
      • Enumerating FTP
        • Answers
        • Untitled
      • Exploiting FTP
        • Answers
        • Untitled
      • Expanding Your Knowledge
    • Network Services 2
      • Understanding NFS
        • Answers
      • Enumerating NFS
        • Answers
        • Untitled
      • Exploiting NFS
        • Answers
        • Untitled
      • Understanding SMTP
        • Answers
      • Enumerating SMTP
        • Answers
        • Untitled
      • Exploiting SMTP
        • Answers
        • Untitled
      • Understanding MYSQL
        • Answers
      • Enumerating MYSQL
        • Answers
        • Untitled
      • Exploiting MYSQL
        • Answers
        • Untitled
      • Further Learning
    • Wireshark 101
      • Introduction
      • Installation
      • Wireshark Overview
      • Collection Methods
      • Filtering Packets
      • Packet Dissection
      • ARP Traffic
        • Answers
      • ICMP Overview
        • Answers
      • TCP Traffic
      • DNS Traffic
        • Answers
      • HTTP Traffic
        • Answers
      • HTTPS Traffic
        • Answers
      • Analyzing Exploit PCAPS
      • Conclusion
    • !Intro to Windows
    • Active Directory Basics
      • Introduction
      • Physical Active Directory
        • Answers
      • The Forest
        • Answers
      • Users + Groups
        • Answers
      • Trusts + Policies
        • Answers
      • Active Directory Domain Services + Authentication
        • Answers
      • AD in the Cloud
        • Answers
      • Hands-On Lab
        • Answers
        • Untitled
      • Conclusion
    • !Windows Core Processes
    • !SysInternals
  • Threat and Vulnerability Management
    • !Nessus
      • Introduction
      • Installation
      • !Navigation and Scans
        • Answers
      • !Scanning
      • !Scanning a Web Application
    • MITRE
      • Introduction to Mitre
      • Basic Terminology
      • ATT&CK Framework
        • Answers
      • CAR Knowledge Base
        • Answers
      • Shield Active Defense
        • Answers
      • ATT&CK EmulationPlans
        • Answers
      • ATT&CK® and Threat Intelligence
        • Answers
      • Conclusion
    • Yara
      • Introduction
      • What is Yara?
        • Answers
      • Installing Yara (Ubuntu/Debian & Windows)
      • Deploy
      • Introduction to Yara Rules
      • Expanding on Yara Rules
      • Yara Modules
      • Other Tools and Yara
      • Using LOKI and its Yara rule set
        • Answers
        • Untitled
      • Creating Yara rules with yarGen
        • Answers
        • Untitled
      • Valhalla
        • Answers
      • Conclusion
    • Intro to ISAC
      • Introduction
      • Basic Terminology
      • What is Threat Intelligence?
      • What are ISACs?
      • Using Threat Connect to create a Threat Intel dashboard
      • Introduction to AlienVault OTX
      • Using OTX to gather Threat Intelligence
      • Creating IOCs
      • Investigating IOCs
        • Answers
    • Zero Logon
      • The Zero Day Angle
      • Impacket Installation
      • The Proof of Concept
        • Answers
      • Lab it up!
        • Answers
        • Untitled
    • !OpenVAS
    • !MISP
  • Security Operations and Monitoring
    • Splunk
    • Windows Event Logs
    • Sysmon
    • Suricata
    • Osquery
    • Graylog
    • OpenEDR
  • Threat Emulation
    • Attacktive Directory
    • Attacking Kerberos
    • Atomic Red Team
  • Incident Response and Forensics
    • Volatility
    • Forensics
    • Investigating Windows
    • Windows Forensics
    • Redline
    • Autopsy
  • Malware Analysis and Reverse Engineering
    • History of Malware
    • Malware Introductory
    • Researching
    • Strings
    • Basic Malware RE
    • REMnux: The Redux
    • Reversing .NET Apps
Powered by GitBook
On this page

Was this helpful?

  1. Getting Started
  2. Wireshark 101

Collection Methods

PreviousWireshark OverviewNextFiltering Packets

Last updated 4 years ago

Was this helpful?

Before going into detail about how to analyze each protocol in a PCAP we need to understand the ways to gather a PCAP file. The basic steps to gather a PCAP in Wireshark itself can be simple however bringing into traffic can both the hard part as well as the fun part, this can include: taps, port mirroring, MAC floods, ARP Poisoning. This room will not cover how to set up these various strategies of live packet capturing and will only cover the basic theory of each.

Collection Methods Overview

Some things to think about before going headfirst into attempting to collect and monitor live packet captures.

  • Begin by starting with a sample capture to ensure that everything is correctly set up and you are successfully capturing traffic.

  • Ensure that you have enough compute power to handle the number of packets based on the size of the network, this will obviously vary network by network.

  • Ensure enough disk space to store all of the packet captures.

Once you meet all these criteria and have a collection method picked out you can begin to actively monitor and collect packets on a network.

Network Taps

Network taps are a physical implant in which you physically tap between a cable, these techniques are commonly used by Threat Hunting/DFIR teams and red teams in an engagement to sniff and capture packets.

There are two primary means of tapping a wire. The first is by using hardware to tap the wire and intercept the traffic as it comes across, an example of this would be a vampire tap as pictured below.

Another option for planting a network tap would be an inline network tap, which you would plant between or 'inline' two network devices. The tap will replicate packets as they pass the tap. An example of this tap would be the very common Throwing Star LAN Tap

MAC Floods

MAC Floods are a tactic commonly used by red teams as a way of actively sniffing packets. MAC Flooding is intended to stress the switch and fill the CAM table. Once the CAM table is filled the switch will no longer accept new MAC addresses and so in order to keep the network alive, the switch will send out packets to all ports of the switch.

Note: This technique should be used with extreme caution and with explicit prior consent.

ARP Poisoning

ARP Poisoning is another technique used by red teams to actively sniff packets. By ARP Poisoning you can redirect the traffic from the host(s) to the machine you're monitoring from. This technique will not stress network equipment like MAC Flooding however should still be used with caution and only if other techniques like network taps are unavailable.

Combining these methods with your previous knowledge of capturing traffic from the previous task will allow you to proactively monitor and collect live packet captures from scratch.

Read the above and practice collecting captures, as well as understand the various capture techniques available.