Skip to content

For every Network Warrior this Wireshark profile aims to help making troubleshooting a little easier.

License

Notifications You must be signed in to change notification settings

akamura/wireshark-profile

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

13 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Wireshark Packet Drilldown Profile

Screenshot

I spent many years around Wireshark and finally I decided to publish for every Network Warrior a profile that aims to help making troubleshooting a little easier.

published

The profile have some useful filters, packet list column addons as well as color categorisation including:

  1. Network Vlan ID's
  2. Autonomous System number and organisation this helps you understand where the traffic is coming from/to public networks
  3. Three-way Handshake filters
  4. TCP retransmission analyse filters
  5. L2 and L3 network filters
  6. Miscellaneous filters to help you speed out investigation

Install

  1. You need Wireshark version 4 and above.
  2. Download the profile and import it in your Wireshark environment.

Usage

To access informations such as AS numbers resolution you need to download updated MaxMind Database. You can sign up for free at MaxMind and tell Wireshark where to get the mmdb files.

Install MaxMind DB GeoIP Autoupdate in UBUNTU

If you run on Ubuntu you can install the useful MaxMind autoupdate tool to keep the DB's at the latest version.

$ sudo add-apt-repository ppa:maxmind/ppa
$ sudo apt update
$ sudo apt install geoipupdate

Then edit the GeoIP.conf file with your account information and include the GeoLite2-ASN database like below.

$ sudo nano /etc/GeoIP.conf

# Replace YOUR_ACCOUNT_ID_HERE and YOUR_LICENSE_KEY_HERE with an active account
# ID and license key combination associated with your MaxMind account. These
# are available from https://www.maxmind.com/en/my_license_key.
AccountID YOUR_ACCOUNT_ID_HERE
LicenseKey YOUR_LICENSE_KEY_HERE

# Enter the edition IDs of the databases you would like to update.
# Multiple edition IDs are separated by spaces.
EditionIDs GeoLite2-Country GeoLite2-City GeoLite2-ASN

Now it's time to get the DB's

$ sudo geoipupdate

Check that you have the files there

$ ls -lh /usr/share/GeoIP/
total 82M
-rw-r--r-- 1 root root 7,9M giu 17 13:28 GeoLite2-ASN.mmdb
-rw-r--r-- 1 root root  68M giu 17 12:58 GeoLite2-City.mmdb
-rw-r--r-- 1 root root 5,7M giu 17 12:58 GeoLite2-Country.mmdb

Now you should have all DB's in mmdb format in /usr/share/GeoIP folder, you should open Wireshark Preferences and update the MaxMind Database Directories Paths under Name Resolution menu.

Happy troubleshooting!

About

For every Network Warrior this Wireshark profile aims to help making troubleshooting a little easier.

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published