Posted: . At: 12:01 PM. This was 1 year ago. Post ID: 17288


How to list all web browsers with Wireshark.


Listing all Internet Browsers with Wireshark is very easy.

Start Wireshark and open a capture file or start a live capture. In the “Protocol” column of the packet list, look for packets marked “HTTP” (Hypertext Transfer Protocol). These packets are typically associated with web browsing activity. To see the user agent string for a particular packet, expand the “Hypertext Transfer Protocol” section in the packet details pane and look for the “User-Agent” field. The user agent string identifies the browser and operating system being used by the client that sent the request. This only works for unencrypted HTTP: in HTTPS traffic the User-Agent header is inside the TLS session and is not visible unless the capture is decrypted.

You can also use Wireshark’s display filters to narrow down the packets of interest. The “http.user_agent” field lets you show only packets with a specific user agent string. For example, to show only packets from Internet Explorer, you could use the filter http.user_agent contains "MSIE".

Just like this example below.

http.user_agent contains "Mozilla"

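This lists all HTTP requests whose user agent string contains “Mozilla”. Nearly every modern browser's user agent string begins with “Mozilla/”, so this filter matches most browsers, not only Mozilla Firefox.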

Find all instances of the Microsoft Edge browser.

http.user_agent contains "Edg"

This also finds a lot of other packets as Edge is integrated into Windows 11 and it runs all of the time.
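The user agent filters above match on substrings, and those substrings overlap: an Edge user agent also contains “Chrome”, “Safari” and “Mozilla”. The following Python sketch is an added example, not code from the original post. It builds a browser inventory from plaintext HTTP requests by checking the most specific token first; the function names, token order and sample requests are constructed for illustration.

```python
from collections import Counter

# Ordered most specific first: an Edge User-Agent also contains "Chrome" and
# "Safari", and nearly every browser's string starts with "Mozilla/".
BROWSER_TOKENS = [
    ("Edg", "Microsoft Edge"),
    ("Firefox/", "Firefox"),
    ("Chrome/", "Chrome"),
    ("Safari/", "Safari"),
    ("MSIE", "Internet Explorer"),
    ("Trident/", "Internet Explorer"),
]

def user_agent(request: bytes):
    """Return the User-Agent header of a plaintext HTTP request, or None."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "user-agent":
            return value.strip()
    return None

def classify(ua: str) -> str:
    for token, browser in BROWSER_TOKENS:
        if token in ua:
            return browser
    return "Other"

def inventory(requests):
    """Count browsers seen across an iterable of raw HTTP requests."""
    agents = (user_agent(r) for r in requests)
    return Counter(classify(ua) for ua in agents if ua)

# Constructed sample requests (not taken from a real capture).
_WIN = "Mozilla/5.0 (Windows NT 10.0; Win64; x64"
SAMPLE_AGENTS = [
    _WIN + "; rv:109.0) Gecko/20100101 Firefox/115.0",
    _WIN + ") AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
    _WIN + ") AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0",
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
    "curl/8.4.0",
]
SAMPLE_REQUESTS = [f"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: {ua}\r\n\r\n".encode()
                   for ua in SAMPLE_AGENTS]

if __name__ == "__main__":
    print(inventory(SAMPLE_REQUESTS).most_common())
```

Four of the five sample user agents contain “Mozilla”, yet they belong to four different browsers, which is why a single substring filter is not enough to tell browsers apart.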

Detect Steam In-Home Streaming Discovery Protocol.

steam_ihs_discovery

This does work very well.

Use this filter to detect BitTorrent traffic.

bittorrent

Easy way to detect torrenting.

List all packets with the BitTorrent protocol name.

bittorrent.protocol.name

List all BitTorrent peers.

bittorrent.peer_id

This allows the user to list the IP addresses of BitTorrent peers.

FTP (File Transfer Protocol) does not use an encrypted connection, so its commands can be listed easily with Wireshark. Use the example below to list the working directory changes in a connection session.

ftp.current-working-directory

This is very useful for viewing the actual change of working directory commands. The packet bytes below show one such command, CWD idgames, sent in plain text.

0000   c8 14 51 5f a9 47 fc 34 97 a5 bc 7e 08 00 45 00   ..Q_.G.4...~..E.
0010   00 35 3a 8b 40 00 80 06 00 00 c0 a8 01 05 60 f1   .5:.@.........`.
0020   77 75 df c3 00 15 58 95 0a ca af ba ec 3d 50 18   wu....X......=P.
0030   1b ab 9a 3b 00 00 43 57 44 20 69 64 67 61 6d 65   ...;..CWD idgame
0040   73 0d 0a                                          s..

Another very useful Wireshark tip.

