In the previous part of this blog set, we opened skill-passivediscovery1.pcapng, and focused on the Endpoints window to build the following diagram using passive discovery. [You can learn how to download the file on which I will be working (and hundreds of other public trace files) by visiting https://www.chappell-university.com/traces.]
So far, we have created the following view of a network based on the trace file traffic.
That was Step 1. Now we will continue filling in more information in our diagram.
Examine the Protocol Hierarchy Window
It’s always a good idea to check out the protocols and applications listed in the Statistics | Protocol Hierarchy window, regardless of the port list you’ve already obtained. In this case, we see some protocols and applications that may yield additional information about the hosts communicating in the trace file.
We will examine the following areas within the Protocol Hierarchy window:
NetBIOS Name Service - may yield computer names
Domain Name System - may yield host names
Data - always worth looking through when Wireshark doesn’t recognize the application
Transport Layer Security - if the trace contains a Client Hello, its Server Name Indication (SNI) extension may reveal the name of the target server
ARP - will yield local MAC address information
You may notice that I didn’t examine the Ethernet information in the Endpoints window in Step 1. ARP is more informative than the Endpoints window because it correlates a MAC address to a network address on the local network, as you will see in Part 3 of this blog set.
Examine NetBIOS Name Service Traffic
Right click on the NetBIOS Name Service line in the Protocol Hierarchy window and select Apply as Filter | Selected. Alternatively, you can apply an nbns display filter to the trace file.
Since we only see name queries and no responses, no additional information can be gained from this NetBIOS traffic. (In other trace files, NetBIOS name registration and refresh requests carry the sending host’s own NetBIOS name, so NBNS traffic is still worth a look even when nobody answers.)
Examine Domain Name System Resolutions
Right click on the Domain Name System line in the Protocol Hierarchy window and select Apply as Filter | Selected, or apply a dns display filter to the trace file.
If you are working with a lot of DNS traffic, consider using the filter dns.count.answers > 0 (or dns.flags.response == 1) to see only DNS responses.
These three DNS responses provide the following information:
172.217.195.189 - cello.client-channel.google.com
172.217.6.174 - play.google.com
2607:f8b0:4003:c08::bd - cello.client-channel.google.com
We don’t see those hosts listed in the Endpoints window, however. We will make a note of them.
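The filtering step above (keep only responses with at least one answer, then pair each answer name with its A or AAAA record) is easy to reproduce outside of Wireshark when you want the host list in a script rather than in a window. The following Python is an added example, not code from the original post or from Wireshark: it builds three constructed DNS messages that mimic the three resolutions listed above (transaction IDs and TTLs are made up), parses them at the wire level including name compression pointers, skips queries and empty responses exactly as dns.count.answers > 0 does, and returns an address-to-name map. Function names such as extract_answers and build_host_map are this example’s own.

```python
import ipaddress
import struct

A_RECORD = 1
AAAA_RECORD = 28


def _encode_name(name):
    """Encode a dotted host name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, name, qtype):
    """Constructed DNS query (UDP payload only): flags 0x0100 = standard query, RD set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(txid, name, qtype, address):
    """Constructed DNS response with one answer; the answer name is a
    compression pointer (0xC00C) back to the question name at offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = _encode_name(name) + struct.pack("!HH", qtype, 1)
    rdata = ipaddress.ip_address(address).packed
    answer = b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 300, len(rdata)) + rdata
    return header + question + answer


def _read_name(msg, offset):
    """Return (name, offset just past the name), following compression pointers.
    A hop limit guards against pointer loops in malformed packets."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def extract_answers(msg):
    """Return [(name, address)] for A/AAAA answer records.
    Queries and responses with no answers yield [], which is the wire-level
    equivalent of the dns.count.answers > 0 display filter."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000 or ancount == 0:
        return []
    offset = 12
    for _ in range(qdcount):
        _name, offset = _read_name(msg, offset)
        offset += 4  # skip qtype + qclass
    results = []
    for _ in range(ancount):
        name, offset = _read_name(msg, offset)
        rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlength]
        offset += rdlength
        if rtype == A_RECORD and rdlength == 4:
            results.append((name, str(ipaddress.IPv4Address(rdata))))
        elif rtype == AAAA_RECORD and rdlength == 16:
            results.append((name, str(ipaddress.IPv6Address(rdata))))
    return results


def build_host_map(messages):
    """Address -> name map, the same list the Wireshark DNS filter shows us."""
    hosts = {}
    for msg in messages:
        for name, address in extract_answers(msg):
            hosts[address] = name
    return hosts


# Constructed sample traffic mimicking the three resolutions in the trace.
SAMPLE_MESSAGES = [
    build_query(0x1A2B, "play.google.com", A_RECORD),  # query, no answers: filtered out
    build_response(0x1A2B, "play.google.com", A_RECORD, "172.217.6.174"),
    build_response(0x3C4D, "cello.client-channel.google.com", A_RECORD, "172.217.195.189"),
    build_response(0x5E6F, "cello.client-channel.google.com", AAAA_RECORD, "2607:f8b0:4003:c08::bd"),
]

if __name__ == "__main__":
    for address, name in build_host_map(SAMPLE_MESSAGES).items():
        print(f"{address} - {name}")
```

When you would rather let Wireshark do the decoding, the same data comes out of tshark with -Y "dns.count.answers > 0" -T fields -e dns.qry.name -e dns.a -e dns.aaaa; the parser above is useful when you need to handle captured UDP payloads without a Wireshark install, and its pointer hop limit is the check you want before pointing it at untrusted traffic.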
Now our view of the network is a bit more detailed.
In Part 3 of this blog set, we will continue examining Wireshark’s Protocol Hierarchy window and the information contained within application and protocol traffic to fill in our picture of the network.
Cheers!