CEH

(Jeff_L) #1

216 Chapter 9 ■ Sniffers


You have several options for generating traffic. Remember that a wireless connection
(802.11) works as a hub-like environment, meaning you can capture all traffic floating
in the network. Connecting to your home wireless and selecting the appropriate NIC in
your sniffer will pull ample traffic for this exercise.


  1. Once you have a good number of packets captured (or those specific packets you are
    looking for), you can stop the capture and save it for later review. Saving a capture
    for later investigation is a good habit to get into. It’s the same as saving any other file:
    Choose File ➢ Save As, and then name the file and save it to the appropriate location.

  2. Next, open your saved capture and use search strings and filtering to find what you
    want. Opening a saved capture is just like opening any document: Choose File ➢ Open
    and then select the file.


In Exercise 9.1, you used Telnet, but the exam will focus on your understanding of traffic flow and packet dissection. I chose client OSs at random for this exercise. Specific operating system vulnerabilities and unique identifying actions are covered in Chapter 6, “Enumeration of Services.”

Search strings in Wireshark are testable items—you will definitely see
questions regarding their syntax and use. For a good resource, check out
http://www.wireshark.org/docs.

As you can see from the live capture and saved capture, there’s a lot going on! One powerful feature of Wireshark is its search string and filtering capabilities. In a real-world capture, you are likely to be sniffing a connection that has a large number of attached clients. This is when search strings and filtering become a pen tester’s best friend. Table 9.1 shows common search string options for Wireshark. The CEH exam tests whether you can apply your understanding of this tool and its options.

Table 9.1 Wireshark filters

Operator   Function                   Example
==         Equal                      ip.addr == 192.168.1.2
eq         Equal                      tcp.port eq 161
!=         Not equal                  ip.addr != 192.168.1.2
ne         Not equal                  ip.src ne 192.168.1.2
contains   Contains specified value   http contains "http://www.site.com"