top of page
Writer's pictureThe Oldcommguy

Know Your Network Wireshark Passive Discovery - Part 2 Protocols and Applications


In the previous part of this blog set, we opened skill-passivediscovery1.pcapng, and focused on the Endpoints window to build the following diagram using passive discovery. [You can learn how to download the file on which I will be working (and hundreds of other public trace files) by visiting https://www.chappell-university.com/traces.]

So far, we have created the following view of a network based on the trace file traffic.

Network diagram 1

That was Step 1. Now we will continue filling in more information in our diagram.

Examine the Protocol Hierarchy Window

It’s always a good idea to check out the protocols and applications listed in the Statistics | Protocol Hierarchy window, regardless of the port list which you’ve already obtained. In this case, we see some protocols and applications that may yield additional information about the hosts communicating in the trace file.

Protocol Hierarchy Window

We will examine the following areas within the Protocol Hierarchy window:

  • NetBIOS Name Service - may yield computer names

  • Domain Name System - may yield host names

  • Data - always worth looking through when Wireshark doesn’t recognize the application

  • Transport Layer Security - if we have a Client Hello, we may see a target Server name

  • ARP - will yield local MAC address information

You may notice that I didn’t examine the Ethernet information in the Endpoints window in Step 1. ARP is more informative than the Endpoints window because it correlates a MAC address to a network address on the local network, as you will see in Part 3 of this blog set.

Examine NetBIOS Name Service Traffic

Right click on the NetBIOS Name Service line in the Protocol Hierarchy and selecting Apply as Filter | Selected. Alternately, you can apply an nbns display filter to the trace file.

Since we only see name queries and no responses, there is no additional information can be gained from this NetBIOS traffic.

NetBIOS Traffic

Examine Domain Name System Resolutions

We can either right click on the Domain Name System line in the Protocol Hierarchy window and select Apply as Filter | Selected.

If you are working with a lot of DNS traffic, consider using the filter dns.count.answers > 0 to see only DNS responses.

DNS Responses

These three DNS responses that provide use the following information:

172.217.195.189 - cello.client-channel.google.com

172.217.6.174 - play.google.com

2607:f8b0:4003:c08::bd - cello.client-channel.google.com

We don’t see those hosts listed in the Endpoints window, however. We will make a note of them.

Now our view of the network is a bit more detailed.

Passive Discovery Diagram 2

In Part 3 of this blog set, we will continue examining Wireshark’s Protocol Hierarchy window and the information contained within application and protocol traffic to fill in our picture of the network.

Cheers!

612 views

Recent Posts

See All
bottom of page