
Wireshark
Wireshark is a widely used, free, and open-source network protocol analyzer (packet sniffer) that allows users to capture and interactively browse the traffic running on a computer network.
Key Features:
Deep packet inspection
Real-time packet capture
Supports hundreds of network protocols
Powerful filtering and search capabilities
Ability to save and export captured data
Colorful, user-friendly interface
Wireshark is an essential tool for network administrators, security professionals, software developers, and network engineers.
Official download link here -> https://www.wireshark.org/download.html
Official documentation -> https://www.wireshark.org/docs/
Useful Wireshark display filters (this is the display-filter syntax used in the filter bar and by tshark -Y; capture filters, set with -f or in the capture options, use BPF syntax such as "host 10.0.0.1" and are not interchangeable with these)
ip.addr == 10.0.0.1 --> Show all traffic with 10.0.0.1 as either source or destination
ip.addr == 10.0.0.0/24 --> Show all traffic to and from any addresses in 10.0.0.0/24
ip.src == 10.0.0.1 && ip.dst == 10.0.0.2 --> Show all traffic from 10.0.0.1 to 10.0.0.2
!(ip.addr == 10.0.0.1) --> Exclude all traffic to or from 10.0.0.1
icmp.type == 3 --> Show ICMP "destination unreachable" packets (ICMP types below)
tcp or udp --> Show TCP or UDP traffic
tcp.port == 80 --> Show TCP traffic with source or destination port 80
tcp.srcport < 1000 --> Show TCP traffic with a source port below 1000
http or dns --> Show all HTTP or DNS traffic
tcp.flags.syn == 1 --> Show TCP packets with SYN flag set
tcp.flags == 0x012 --> Show TCP packets with exactly SYN and ACK set (SYN is 0x002, ACK is 0x010; any other flag makes the comparison fail)
tcp.analysis.retransmission --> Show all retransmitted TCP packets
http.request.method == "GET" --> Show HTTP GET requests
http.response.code == 404 --> Show HTTP responses with status code 404
http.host == "www.abc.com" --> Show HTTP traffic matching the Host header field
tls.handshake --> Show only TLS handshake packets (Wireshark versions before 3.0 use the ssl. prefix instead of tls.)
tls.handshake.type == 1 --> Show TLS Client Hello messages (handshake type 1; Server Hello is type 2)
dhcp and ip.addr == 10.0.0.0/24 --> Show DHCP traffic for 10.0.0.0/24 subnet
dhcp.hw.mac_addr == 00:11:22:33:44:55 --> Show DHCP packets for client MAC address
dns.resp.name == "cnn.com" --> Show DNS responses with name field of "cnn.com"
frame contains "keyword" --> Show all packets whose raw bytes contain "keyword" (case-sensitive; use frame matches "(?i)keyword" for a case-insensitive regex match)
frame.len > 1000 --> Show all packets with total length larger than 1000 bytes
eth.addr == 00:11:22:33:44:55 --> Show all traffic to or from the specified MAC address
eth[0x47:2] == 01:80 --> Match Ethernet frames with 2 bytes at offset 0x47 == 01:80
!(arp or icmp or stp) --> Filter out background traffic from ARP, ICMP, and STP
vlan.id == 100 --> Show packets with VLAN ID 100
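Every filter above is evaluated by Wireshark's dissectors over the raw bytes of each frame. As an added example (not code from the Wireshark project or from this page), the Python script below hand-builds a six-frame capture (the MAC and IP addresses, ports and HTTP payload are invented for the example), writes it as a pcap file you can open in Wireshark to try the filters on, and re-implements a handful of the filters from the list as Python predicates, so you can see exactly which header bytes ip.addr, tcp.flags, icmp.type, frame.len and frame contains look at. The field and filter names follow Wireshark; the function names, sample addresses and file name are this example's own choices.

```python
import ipaddress
import struct

# Header layouts in network byte order; checksum fields are patched in after packing.
ETH = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
IPV4 = struct.Struct("!BBHHHBBH4s4s")  # ver/ihl, tos, len, id, flags/frag, ttl, proto, csum, src, dst
TCP = struct.Struct("!HHIIBBHHH")      # sport, dport, seq, ack, data offset, flags, window, csum, urg

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used by IPv4, ICMP and TCP; 0 over a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    s, d = ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed
    hdr = IPV4.pack(0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64, proto, 0, s, d)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def tcp(src: str, dst: str, sport: int, dport: int, flags: int, payload: bytes = b"") -> bytes:
    seg = TCP.pack(sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0) + payload
    pseudo = ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
    pseudo += struct.pack("!BBH", 0, 6, len(seg))  # TCP checksum also covers a pseudo-header
    seg = seg[:16] + struct.pack("!H", checksum(pseudo + seg)) + seg[18:]
    return ipv4(src, dst, 6, seg)

def icmp(src: str, dst: str, icmp_type: int, payload: bytes = b"") -> bytes:
    rest = struct.pack("!HH", 1, 1) if icmp_type in (0, 8) else b"\0" * 4  # id/seq only for echo
    msg = struct.pack("!BBH", icmp_type, 0, 0) + rest + payload
    msg = msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]
    return ipv4(src, dst, 1, msg)

def ether(src_mac: str, dst_mac: str, payload: bytes) -> bytes:
    to_bytes = lambda m: bytes.fromhex(m.replace(":", ""))
    return ETH.pack(to_bytes(dst_mac), to_bytes(src_mac), 0x0800) + payload

# Constructed sample capture: the addresses, MACs and payloads are invented for this example.
HOST, GW = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee"
probe = icmp("10.0.0.1", "10.0.0.2", 8, b"ping")
FRAMES = [
    ether(HOST, GW, probe),                                                        # 0 echo request
    ether(GW, HOST, icmp("10.0.0.254", "10.0.0.1", 3, probe[:28])),                # 1 unreachable
    ether(HOST, GW, tcp("10.0.0.1", "93.184.216.34", 40000, 80, 0x002)),           # 2 SYN
    ether(GW, HOST, tcp("93.184.216.34", "10.0.0.1", 80, 40000, 0x012)),           # 3 SYN+ACK
    ether(HOST, GW, tcp("10.0.0.1", "93.184.216.34", 40000, 80, 0x018, b"GET / HTTP/1.1\r\nHost: www.abc.com\r\n\r\n")),  # 4 GET
    ether("00:de:ad:be:ef:00", "00:de:ad:be:ef:01", tcp("172.16.0.5", "172.16.0.9", 443, 50000, 0x010, b"A" * 1400)),  # 5 large
]

def dissect(frame: bytes) -> dict:
    """Extract the fields the filters below use, keyed by Wireshark's field names."""
    dst, src, etype = ETH.unpack_from(frame)
    f = {"frame.len": len(frame), "eth.addr": {dst.hex(":"), src.hex(":")}, "raw": frame}
    if etype != 0x0800:  # not IPv4: only frame/eth fields exist
        return f
    ip = IPV4.unpack_from(frame, 14)
    s, d = str(ipaddress.IPv4Address(ip[8])), str(ipaddress.IPv4Address(ip[9]))
    f.update({"ip.src": s, "ip.dst": d, "ip.addr": {s, d}})
    off = 14 + (ip[0] & 0xF) * 4  # IHL is counted in 32-bit words
    if ip[6] == 6:
        t = TCP.unpack_from(frame, off)
        f.update({"tcp.port": {t[0], t[1]}, "tcp.flags": t[5], "tcp.flags.syn": (t[5] >> 1) & 1})
    elif ip[6] == 1:
        f["icmp.type"] = frame[off]
    return f

# Some of the display filters listed above, as predicates over the dissected fields.
FILTERS = {
    "ip.addr == 10.0.0.1": lambda f: "10.0.0.1" in f.get("ip.addr", ()),
    "ip.addr == 10.0.0.0/24": lambda f: any(ipaddress.ip_address(a) in ipaddress.ip_network("10.0.0.0/24") for a in f.get("ip.addr", ())),
    "!(ip.addr == 10.0.0.1)": lambda f: "10.0.0.1" not in f.get("ip.addr", ()),
    "icmp.type == 3": lambda f: f.get("icmp.type") == 3,
    "tcp.port == 80": lambda f: 80 in f.get("tcp.port", ()),
    "tcp.flags.syn == 1": lambda f: f.get("tcp.flags.syn") == 1,
    "tcp.flags == 0x012": lambda f: f.get("tcp.flags") == 0x012,  # SYN (0x002) + ACK (0x010)
    "frame.len > 1000": lambda f: f["frame.len"] > 1000,
    'frame contains "GET"': lambda f: b"GET" in f["raw"],  # raw byte match, case-sensitive
    "eth.addr == 00:11:22:33:44:55": lambda f: "00:11:22:33:44:55" in f["eth.addr"],
}

def matching(display_filter: str, frames=FRAMES) -> list:
    """Indexes of the frames the given filter would leave visible in the packet list."""
    pred = FILTERS[display_filter]
    return [i for i, fr in enumerate(frames) if pred(dissect(fr))]

def pcap_bytes(frames=FRAMES) -> bytes:
    """Classic pcap file (magic 0xa1b2c3d4, link type 1 = Ethernet) that Wireshark opens directly."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, fr in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(fr), len(fr)) + fr
    return out

if __name__ == "__main__":
    with open("filters-demo.pcap", "wb") as fh:
        fh.write(pcap_bytes())
    for expr in FILTERS:
        print(f"{expr:32} -> frames {matching(expr)}")
```

Running the script writes filters-demo.pcap and prints which frames each filter keeps; opening the file in Wireshark and typing the same expression into the filter bar should select the same frames (numbered 1 to 6 there, since the packet list is 1-based). One caveat: Wireshark's tcp.flags is a 12-bit field that also carries the three reserved bits and the accurate-ECN bit, so "tcp.flags == 0x012" compares the full value; the example reads only the low flag byte, which is the same thing for ordinary SYN/ACK traffic.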
Common ICMP Types and their Meanings:
- Type 0: Echo Reply (used in ping).
- Type 3: Destination Unreachable (indicates a packet couldn't reach its destination).
- Type 5: Redirect (used by routers to inform hosts of a better path to a destination).
- Type 8: Echo Request (used in ping).
- Type 9: Router Advertisement.
- Type 10: Router Solicitation.
- Type 13: Timestamp Request.
- Type 14: Timestamp Reply.
Common ports and their uses (transport noted for each; Wireshark filters on tcp.port or udp.port, so use the one that applies):
- 21 (FTP, TCP): File Transfer Protocol, for transferring files between computers. Credentials and file contents travel in cleartext unless FTP over TLS is used.
- 22 (SSH, TCP): Secure Shell, encrypted remote access to computers (also carries SFTP and SCP).
- 25 (SMTP, TCP): Simple Mail Transfer Protocol, used for sending email. Cleartext unless STARTTLS is negotiated.
- 53 (DNS, UDP and TCP): Domain Name System, translates domain names into IP addresses. Mostly UDP; TCP is used for large responses and zone transfers.
- 69 (TFTP, UDP): Trivial File Transfer Protocol, unauthenticated file transfer (common for PXE boot and network device configuration).
- 80 (HTTP, TCP): standard web browsing traffic, unencrypted.
- 110 (POP3, TCP): Post Office Protocol version 3, used for retrieving email. Cleartext unless STARTTLS or POP3S (port 995) is used.
- 123 (NTP, UDP): Network Time Protocol, synchronizes clocks across a network.
- 143 (IMAP4, TCP): Internet Message Access Protocol version 4, used for accessing email on a server. Cleartext unless STARTTLS or IMAPS (port 993) is used.
- 389 (LDAP, TCP; UDP for connectionless CLDAP): Lightweight Directory Access Protocol, used for accessing directory services. A simple bind sends the password in cleartext unless STARTTLS or LDAPS (port 636) is used.
- 443 (HTTPS, TCP): HTTP over TLS, which encrypts the data transmitted.
- 6881-6889 (BitTorrent, TCP and UDP): BitTorrent, a peer-to-peer file sharing protocol.