From c3363c2f7c55c639f2bacf3c01cd7d2046c02de9 Mon Sep 17 00:00:00 2001 From: gurkenhabicht Date: Wed, 5 Jun 2024 18:29:27 +0200 Subject: [PATCH] added more info --- Forensics/Wireshark.md | 33 ++++++++++++++++++++++++++++----- 1 file changed, 28 insertions(+), 5 deletions(-) diff --git a/Forensics/Wireshark.md b/Forensics/Wireshark.md index c647b26..f14507a 100644 --- a/Forensics/Wireshark.md +++ b/Forensics/Wireshark.md 
@@ -1,20 +1,42 @@ # Wireshark +## Information about Pcap Files + +Get information about a given PCAP file in the following way. + +```sh +capinfos example.pcap +``` + +Show verbose package information and bytes inside the package. + +```sh +tshark -r example.pcapng -V -x +``` + +Autostop `-a` and ringbuffer `-b` arguments may be set to stop or split files +at defined duration `duration:10`, sizes `filesize:100`, and count of files +`files:5`. + ## Extracting USB Keystrokes -* Data between USB devices and the host can be filtered via tshark in order to display just the payload, e.g. keystrokes in the following way +Data between USB devices and the host can be filtered via tshark in order to +display just the payload, e.g. keystrokes in the following way + ```sh tshark -r keystrokes.pcapng -Y "usb.transfer_type==0x01 and frame.len==35 and! (usb.capdata == 00:00:00:00:00:00:00:00)" -T fields -e usbhid.data > output.txt ``` -* A lookup table is needed to [convert the USBHID data to ASCII values](https://gist.github.com/ImAnEnabler/091a9e1ee2d6a0805408e009e2f4a2b5) -``` +A lookup table is needed to [convert the USBHID data to ASCII values](https://gist.github.com/ImAnEnabler/091a9e1ee2d6a0805408e009e2f4a2b5) + +```sh python keystrokedecoder.py output.txt ``` ## Extracting Payload sent in DNS Request -Search for the DNS requests containing the specific top level domain. +Search for the DNS requests containing the specific top level domain. + ```sh tshark -r capture.pcapng -Y 'dns && ip.dst==167.71.211.113 && (dns contains xyz)' -T fields -e dns.qry.name | awk -F '.' '{print $1}' | uniq > dns.out ``` 
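Review bot: The new "Information about Pcap Files" section describes the `-a` (autostop) and `-b` (ring buffer) options without showing how they are passed, and it does not say that both only apply to live capture (`-i`/`-w`), not to reading a file with `-r` as every other command on the page does; suggest adding a command such as `tshark -i eth0 -b duration:10 -b files:5 -w capture.pcapng` so the `duration:10`, `filesize:100` and `files:5` values have a place to go, and note that `filesize` is specified in kB. Two smaller points in the same hunk: "Show verbose package information and bytes inside the package" should read "packet", and the section alternates between `example.pcap` for `capinfos` and `example.pcapng` for `tshark`; using one filename throughout avoids the impression that the two tools want different formats (both read either).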
@@ -36,4 +58,5 @@ The `NTLM Server Challenge` can be found inside the `Security Blob` of the request from the server. `User name`, `Domain name` and `NTLMv2 Response` can be found inside the `Security Blob` inside the response sent by the client. `NTProofStr` is the -first part of the `NTLM Response`. Set a `:` between `NTProofStr` and the rest of the `NTLMv2 Response`. +first part of the `NTLM Response`. Set a `:` between `NTProofStr` and the rest +of the `NTLMv2 Response`.
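Review bot: This hunk only re-wraps the last sentence, but since the line is being touched anyway the naming should be made consistent: the surrounding text calls the field `NTLMv2 Response` twice, while the re-wrapped sentence says `NTProofStr` is the first part of the `NTLM Response`. Suggest "first part of the `NTLMv2 Response`" (it is the leading 16 bytes of that field), so a reader searching the packet details in Wireshark looks for the right field name.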