There are literally hundreds of these types of posts on the internet, with one of my favorites being https://wiki.wireshark.org/CaptureFilters. However, I wanted to create this ‘short’ list that contains my favorite go-to’s after performing Man in the Middle attacks.
This post will be updated as time goes on.
Understanding the Packet Capture
Before diving too deep, it’s always a good idea to get an idea of what type of traffic was captured so you know which filters to apply.
Viewing protocol statistics: In the menu, click on Statistics and select Protocol Hierarchy.
Filtering HTTP
If non-encrypted HTTP traffic was captured, we may be able to extract juicy details.
View all plaintext HTTP GET requests: http.request.method == "GET"
View all plaintext HTTP POST requests: http.request.method == "POST"
Filter by a specific redirect location (the value is a string, so quote it): http.location == "login_success.php"
To export HTTP objects (such as images or pages): Select File, click on Export Objects, and then HTTP.
Remember to always right-click a packet and select Follow TCP Stream to get more details from the raw data.
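To show what the GET/POST and redirect filters above actually select, here is an added example (not from the original post) that builds a small constructed pcap of plaintext HTTP segments and applies the equivalent of http.request.method == "POST" and http.location == "login_success.php" with only the Python standard library; the addresses, hostname and form values are made up.

```python
import re
import struct

def build_pcap(segments):
    """Constructed pcap (Ethernet/IPv4/TCP, checksums left zero) from (src, dst, sport, dport, payload) tuples."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))   # LINKTYPE_ETHERNET
    for src, dst, sport, dport, data in segments:
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + data
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp          # zero MACs, EtherType IPv4
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return bytes(out)

def tcp_payloads(blob):
    """Yield (src_ip, dst_ip, tcp_payload) for every IPv4/TCP frame in a little-endian pcap."""
    off = 24                                                    # skip the 24-byte global header
    while off + 16 <= len(blob):
        caplen = struct.unpack_from("<IIII", blob, off)[2]
        frame, off = blob[off + 16:off + 16 + caplen], off + 16 + caplen
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:       # not IPv4, or IP protocol != TCP
            continue
        ip = frame[14:]
        tcp = ip[(ip[0] & 0x0F) * 4:]                           # honour the IHL field
        src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
        yield src, dst, tcp[(tcp[12] >> 4) * 4:]                # honour the TCP data offset

def http_requests(blob, method):
    """Same selection as http.request.method == "<method>": returns (src, dst, request-URI)."""
    pat = re.compile(rb"^" + re.escape(method.encode()) + rb" (\S+) HTTP/1\.[01]\r\n")
    return [(src, dst, m.group(1).decode()) for src, dst, data in tcp_payloads(blob)
            for m in [pat.match(data)] if m]

def http_redirects(blob, location):
    """Same selection as http.location == "<location>": responses carrying exactly that Location header."""
    pat = re.compile(rb"^Location:[ \t]*" + re.escape(location.encode()) + rb"[ \t]*\r?$", re.M | re.I)
    return [(src, dst) for src, dst, data in tcp_payloads(blob)
            if data.startswith(b"HTTP/") and pat.search(data.split(b"\r\n\r\n", 1)[0])]

# Constructed sample traffic: a GET, a POST carrying a plaintext form body, and the 302 that follows it.
SAMPLE = build_pcap([
    ("10.0.0.5", "10.0.0.9", 51000, 80, b"GET /login.php HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    ("10.0.0.5", "10.0.0.9", 51001, 80, b"POST /login.php HTTP/1.1\r\nHost: intranet.example\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 25\r\n\r\nuser=alice&pass=Winter24!"),
    ("10.0.0.9", "10.0.0.5", 80, 51001, b"HTTP/1.1 302 Found\r\nLocation: login_success.php\r\n\r\n"),
])
```

Writing SAMPLE to a .pcap file and opening it in Wireshark with the two display filters gives the same packets these functions return.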
Filtering FTP
FTP is pretty simple, since all traffic is sent in plaintext.
To view all FTP-related traffic: ftp
To export FTP objects (such as transferred files): Select File, click on Export Objects, and then TFTP.
Remember to always right-click a packet and select Follow TCP Stream to get more details from the raw data.
Filtering SMB
SMB is a favorite to capture, as it is usually not encrypted and you may be able to exfiltrate files over the wire.
To view packets related to SMB files: smb.file
To export SMB objects (such as transferred files): Select File, click on Export Objects, and then SMB.