Wireshark is the most popular network protocol analyzer in the world. This tutorial covers how to capture and analyze network traffic, use display filters, and identify suspicious activity during security assessments.
What is Wireshark?
Wireshark is a free, open-source packet analyzer used for network troubleshooting, analysis, and security research. It captures network traffic in real-time and displays it in a human-readable format.
Installing Wireshark
Linux
# Debian/Ubuntu
sudo apt install wireshark
# Allow non-root capture
sudo usermod -aG wireshark $USER
# Log out and back in
Windows/macOS
Download the installer from the official Wireshark website and follow the installation wizard.
Capturing Traffic
Selecting an Interface
When you start Wireshark, you will see a list of available network interfaces. Select the interface you want to capture from:
- eth0/ens33: Wired Ethernet
- wlan0: Wireless
- lo: Loopback (local traffic)
- any: Capture from all interfaces
Capture Filters
Capture filters limit what traffic is captured in the first place; they use BPF (Berkeley Packet Filter) syntax, which is different from the display filter syntax used later:
# Capture only traffic to/from specific host
host 192.168.1.100
# Capture only specific port
port 80
port 443
# Capture traffic to/from a network
net 192.168.1.0/24
# Capture only TCP
tcp
# Capture only UDP
udp
# Combine filters
host 192.168.1.100 and port 80
tcp port 443 and host 10.0.0.1
Command Line Capture (tshark)
# Basic capture
tshark -i eth0
# Capture to file
tshark -i eth0 -w capture.pcap
# Capture with filter
tshark -i eth0 -f "port 80" -w http.pcap
# Capture specific number of packets
tshark -i eth0 -c 100 -w capture.pcap
Display Filters
Display filters are applied after capture to show only relevant packets. They use a different syntax than capture filters.
Basic Filters
# Filter by IP address
ip.addr == 192.168.1.100
ip.src == 192.168.1.100
ip.dst == 10.0.0.1
# Filter by port
tcp.port == 80
tcp.srcport == 443
udp.port == 53
# Filter by protocol
http
dns
tcp
udp
icmp
arp
ssh
ftp
smtp
dhcp
HTTP Filters
# All HTTP traffic
http
# HTTP requests only
http.request
# HTTP responses only
http.response
# Specific HTTP method
http.request.method == "GET"
http.request.method == "POST"
# Filter by URL
http.request.uri contains "login"
http.host contains "example.com"
# Filter by status code
http.response.code == 200
http.response.code == 404
http.response.code >= 400
TCP Filters
# TCP flags
tcp.flags.syn == 1
tcp.flags.ack == 1
tcp.flags.fin == 1
tcp.flags.reset == 1
# SYN packets only (connection initiation)
tcp.flags.syn == 1 and tcp.flags.ack == 0
# Follow TCP stream
tcp.stream eq 0
# TCP retransmissions
tcp.analysis.retransmission
DNS Filters
# All DNS traffic
dns
# DNS queries
dns.flags.response == 0
# DNS responses
dns.flags.response == 1
# Specific domain
dns.qry.name contains "example.com"
# DNS query types
dns.qry.type == 1 # A record
dns.qry.type == 28 # AAAA record
dns.qry.type == 5 # CNAME
dns.qry.type == 15 # MX
Combining Filters
# AND
ip.addr == 192.168.1.100 and tcp.port == 80
# OR
http or dns
# NOT
not arp
!(ip.addr == 192.168.1.1)
# Complex combinations
(ip.src == 192.168.1.100 or ip.dst == 192.168.1.100) and tcp.port == 443
Analyzing Packets
Packet Details Pane
The middle pane shows packet details in layers:
- Frame: Physical layer information
- Ethernet: MAC addresses
- IP: Source/destination IP, TTL
- TCP/UDP: Ports, flags, sequence numbers
- Application: HTTP, DNS, etc.
Following Streams
Right-click a packet and select “Follow” to see the complete conversation:
- Follow TCP Stream: View complete TCP session
- Follow UDP Stream: View UDP conversation
- Follow HTTP Stream: View HTTP request/response
Exporting Objects
Extract files transferred over the network:
File > Export Objects > HTTP/SMB/TFTP
Security Analysis Use Cases
Detecting Cleartext Credentials
# HTTP POST requests (potential login forms)
http.request.method == "POST"
# FTP credentials
ftp.request.command == "USER" or ftp.request.command == "PASS"
# Telnet traffic
telnet
# HTTP Basic Authentication
http.authorization
Detecting Port Scans
# SYN scan detection (many SYN without ACK)
tcp.flags.syn == 1 and tcp.flags.ack == 0
# Look for many RST responses
tcp.flags.reset == 1
# Statistics > Conversations to see connection patterns
Detecting ARP Spoofing
# All ARP traffic
arp
# ARP replies (potential spoofing)
arp.opcode == 2
# Look for duplicate IP to MAC mappings
# Edit > Preferences > Protocols > ARP > Detect ARP request storms
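The "duplicate IP to MAC mappings" check above amounts to tracking which MAC address each ARP reply claims for an IP and flagging IPs that more than one MAC has claimed. The script below is an added example, not part of the original tutorial and not Wireshark code. It assumes the ARP packets were exported with `tshark -r capture.pcap -Y arp -T fields -e frame.time_epoch -e arp.opcode -e arp.src.hw_mac -e arp.src.proto_ipv4`; the sample lines and MAC addresses in it are constructed.

```python
"""Added example (not from the tutorial): IP-to-MAC conflict check over ARP replies.

Assumed export command (one tab-separated line per ARP packet):
  tshark -r capture.pcap -Y arp -T fields -e frame.time_epoch -e arp.opcode \
         -e arp.src.hw_mac -e arp.src.proto_ipv4
"""
from collections import defaultdict

# Constructed sample: the gateway 192.168.1.1 answers from aa:bb:cc:dd:ee:01,
# then the adapter at 192.168.1.50 (aa:bb:cc:dd:ee:99) starts claiming the gateway IP.
SAMPLE = """\
1700000000.000\t1\t00:11:22:33:44:55\t192.168.1.20
1700000000.002\t2\taa:bb:cc:dd:ee:01\t192.168.1.1
1700000001.000\t2\taa:bb:cc:dd:ee:99\t192.168.1.50
1700000005.000\t2\taa:bb:cc:dd:ee:99\t192.168.1.1
1700000006.000\t2\taa:bb:cc:dd:ee:99\t192.168.1.1
1700000007.000\t2\taa:bb:cc:dd:ee:99\t192.168.1.1
"""


def parse_arp(text):
    """Parse the tab-separated export into one dict per ARP packet."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, opcode, mac, ip = line.split("\t")
        rows.append({"time": float(t), "opcode": int(opcode), "mac": mac.lower(), "ip": ip})
    return rows


def ip_mac_conflicts(rows):
    """Return {ip: [mac, ...]} in first-seen order for every IP that more than one
    MAC has claimed in an ARP reply (opcode 2). Only replies are considered, since
    the sender fields of a reply are what overwrite a victim's cache entry."""
    seen = defaultdict(list)
    for r in rows:
        if r["opcode"] == 2 and r["mac"] not in seen[r["ip"]]:
            seen[r["ip"]].append(r["mac"])
    return {ip: macs for ip, macs in seen.items() if len(macs) > 1}


def reply_counts(rows):
    """Replies per sender MAC; one host answering far more often than it is asked
    is the reply-storm pattern worth reviewing alongside the conflicts."""
    counts = defaultdict(int)
    for r in rows:
        if r["opcode"] == 2:
            counts[r["mac"]] += 1
    return dict(counts)


if __name__ == "__main__":
    rows = parse_arp(SAMPLE)
    for ip, macs in ip_mac_conflicts(rows).items():
        print(f"{ip} claimed by {len(macs)} MACs: first {macs[0]}, later {', '.join(macs[1:])}")
    print(reply_counts(rows))
```

A conflict on the default gateway's IP is the case to investigate first, because that is what redirects a whole segment's outbound traffic. Wireshark can raise the same condition itself: with the ARP preference "Detect duplicate IP address configuration" enabled it adds an expert-info warning that can be filtered with `arp.duplicate-address-detected`.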
Detecting DNS Tunneling
# Long DNS queries (potential tunneling)
dns and dns.qry.name.len > 50
# TXT record queries (commonly used for tunneling)
dns.qry.type == 16
# Unusual DNS traffic volume to single domain
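The three indicators above (long query names, TXT lookups, and a large volume of distinct names under one domain) are easiest to judge together, per domain. The script below is an added example, not part of the original tutorial and not Wireshark code. It assumes the queries were exported with `tshark -r capture.pcap -Y "dns.flags.response == 0" -T fields -e ip.src -e dns.qry.name -e dns.qry.type`; the sample queries are constructed, the "registered domain" helper simply takes the last two labels (an assumption that mishandles suffixes such as co.uk), and the thresholds in `suspicious_domains` are illustrative.

```python
"""Added example (not from the tutorial): per-domain DNS tunnelling indicators.

Assumed export command (one tab-separated line per DNS query):
  tshark -r capture.pcap -Y "dns.flags.response == 0" -T fields \
         -e ip.src -e dns.qry.name -e dns.qry.type
"""
import hashlib
import math
from collections import Counter, defaultdict

TXT = 16  # dns.qry.type value for TXT, as used in the filter above


def build_sample():
    """Constructed sample: 30 TXT queries with 48-character pseudo-random labels
    under tunnel.example, plus a handful of ordinary A lookups."""
    lines = []
    for i in range(30):
        label = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:48]
        lines.append(f"10.0.0.5\t{label}.tunnel.example\t{TXT}")
    for name in ["www.example.com", "mail.example.com", "www.example.com",
                 "cdn.example.net", "www.example.com"]:
        lines.append(f"10.0.0.7\t{name}\t1")
    return "\n".join(lines)


SAMPLE = build_sample()


def shannon_entropy(s):
    """Bits per character; random hex approaches 4, English-like labels sit lower."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(name):
    """Last two labels only (assumption: no public-suffix list, so co.uk is wrong)."""
    return ".".join(name.rstrip(".").split(".")[-2:])


def domain_stats(text):
    """Aggregate per registered domain: query count, distinct names, mean name
    length, share of TXT queries and mean entropy of the subdomain part."""
    per = defaultdict(lambda: {"queries": 0, "names": set(), "lengths": [],
                               "txt": 0, "entropy": []})
    for line in text.splitlines():
        if not line.strip():
            continue
        src, qname, qtype = line.split("\t")
        dom = registered_domain(qname)
        d = per[dom]
        d["queries"] += 1
        d["names"].add(qname)
        d["lengths"].append(len(qname))
        d["txt"] += int(qtype) == TXT
        sub = qname[: -len(dom) - 1]  # strip ".<registered domain>"
        if sub:
            d["entropy"].append(shannon_entropy(sub))
    return {dom: {"queries": d["queries"],
                  "unique_names": len(d["names"]),
                  "mean_len": sum(d["lengths"]) / len(d["lengths"]),
                  "txt_share": d["txt"] / d["queries"],
                  "mean_entropy": sum(d["entropy"]) / len(d["entropy"]) if d["entropy"] else 0.0}
            for dom, d in per.items()}


def suspicious_domains(stats, min_unique=20, max_len=50, min_entropy=3.5, txt_share=0.5):
    """Flag domains with many distinct names and at least one of: long names,
    high-entropy labels, mostly TXT queries. Thresholds are assumptions."""
    out = {}
    for dom, s in stats.items():
        reasons = []
        if s["mean_len"] > max_len:
            reasons.append("long names")
        if s["mean_entropy"] > min_entropy:
            reasons.append("high-entropy labels")
        if s["txt_share"] >= txt_share:
            reasons.append("mostly TXT")
        if s["unique_names"] >= min_unique and reasons:
            out[dom] = reasons
    return out


if __name__ == "__main__":
    stats = domain_stats(SAMPLE)
    for dom, reasons in suspicious_domains(stats).items():
        print(f"{dom}: {stats[dom]['unique_names']} distinct names, {', '.join(reasons)}")
```

The distinct-name count matters more than raw volume: a busy CDN domain produces many queries for a few names, whereas data encoded in labels produces a new name almost every query. The 48-character labels in the sample also satisfy the `dns.qry.name.len > 50` filter above, so the two views agree.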
Analyzing Malware Traffic
# HTTP to suspicious ports
http and not (tcp.port == 80 or tcp.port == 443)
# Beaconing detection (regular intervals)
# Use Statistics > IO Graph to visualize patterns
# User-Agent anomalies
http.user_agent contains "curl"
http.user_agent contains "python"
http.user_agent contains "wget"
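Beaconing is hard to see one packet at a time, which is why the tutorial points to the IO Graph; the same regularity can be measured by looking at the spacing of requests from one client to one host. The script below is an added example, not part of the original tutorial and not Wireshark code. It assumes the requests were exported with `tshark -r capture.pcap -Y http.request -T fields -e frame.time_epoch -e ip.src -e http.host -e http.user_agent`; the sample requests, the 203.0.113.10 host and the `min_requests` / `max_cv` thresholds are constructed assumptions.

```python
"""Added example (not from the tutorial): beaconing and User-Agent checks over HTTP requests.

Assumed export command (one tab-separated line per HTTP request):
  tshark -r capture.pcap -Y http.request -T fields \
         -e frame.time_epoch -e ip.src -e http.host -e http.user_agent
"""
import statistics
from collections import defaultdict

SUSPECT_AGENTS = ("curl", "python", "wget")  # the substrings used in the filters above


def build_sample():
    """Constructed sample: 10.0.0.5 contacts 203.0.113.10 every ~60 s with a
    scripted User-Agent; 10.0.0.7 browses www.example.com at irregular times."""
    t0 = 1700000000.0
    lines = []
    for i, jitter in enumerate([0.0, 0.3, -0.2, 0.4, 0.1, -0.3, 0.2, 0.0]):
        lines.append(f"{t0 + 60 * i + jitter:.3f}\t10.0.0.5\t203.0.113.10\tpython-requests/2.31.0")
    for dt in [0, 3, 4, 25, 26, 100, 101.5, 250]:
        lines.append(f"{t0 + dt:.3f}\t10.0.0.7\twww.example.com\tMozilla/5.0 (X11; Linux x86_64)")
    return "\n".join(lines)


SAMPLE = build_sample()


def parse_http(text):
    """Parse the tab-separated export into one dict per request."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, host, ua = line.split("\t")
        rows.append({"time": float(t), "src": src, "host": host, "ua": ua})
    return rows


def flow_stats(rows):
    """Per (client, host): request count, mean interval between requests, the
    coefficient of variation of those intervals, and the User-Agents seen."""
    times = defaultdict(list)
    agents = defaultdict(set)
    for r in rows:
        key = (r["src"], r["host"])
        times[key].append(r["time"])
        agents[key].add(r["ua"])
    out = {}
    for key, ts in times.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.fmean(gaps) if gaps else 0.0
        cv = statistics.pstdev(gaps) / mean if len(gaps) > 1 and mean > 0 else float("inf")
        out[key] = {"requests": len(ts), "mean_interval": mean, "cv": cv,
                    "agents": sorted(agents[key])}
    return out


def detect_beacons(stats, min_requests=5, max_cv=0.1):
    """Flag flows with enough requests whose spacing is nearly constant
    (low coefficient of variation). Thresholds are assumptions."""
    return {key: s for key, s in stats.items()
            if s["requests"] >= min_requests and s["cv"] <= max_cv}


def scripted_agents(stats):
    """Flows whose User-Agent contains one of the substrings from the filters above."""
    return {key: s["agents"] for key, s in stats.items()
            if any(tag in ua.lower() for ua in s["agents"] for tag in SUSPECT_AGENTS)}


if __name__ == "__main__":
    stats = flow_stats(parse_http(SAMPLE))
    for (src, host), s in detect_beacons(stats).items():
        print(f"{src} -> {host}: {s['requests']} requests every {s['mean_interval']:.1f} s "
              f"(cv {s['cv']:.3f}), agents {s['agents']}")
    print("scripted agents:", scripted_agents(stats))
```

The coefficient of variation is what separates a timer from a person: an implant that sleeps 60 s between check-ins keeps it near zero even with a little jitter, while interactive browsing produces intervals that vary by more than their mean. Two caveats for the filters above: legitimate update clients and monitoring agents also poll on timers and also use curl or python User-Agents, so both results are leads to confirm, not verdicts; and Wireshark only decodes a stream as `http` when the TCP port is one it associates with HTTP or its heuristic recognises the stream, so for traffic on other ports use Analyze > Decode As before trusting the `http and not (tcp.port == 80 or tcp.port == 443)` filter.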
Statistics and Analysis Features
Useful Statistics Menus
- Statistics > Capture File Properties: Overview of capture
- Statistics > Protocol Hierarchy: Protocol breakdown
- Statistics > Conversations: All connections
- Statistics > Endpoints: All hosts
- Statistics > IO Graph: Traffic over time
- Statistics > HTTP > Requests: HTTP request summary
Expert Information
Analyze > Expert Information shows warnings about network issues:
- TCP retransmissions
- Duplicate ACKs
- Out-of-order packets
- Connection resets
Useful Keyboard Shortcuts
Ctrl+E Start/Stop capture
Ctrl+K Capture options
Ctrl+F Find packet
Ctrl+G Go to packet number
Ctrl+N Next packet in conversation
Ctrl+B Previous packet in conversation
Ctrl+Shift+O Follow TCP stream
Summary
Wireshark is an essential tool for network analysis and security assessments. Master display filters to quickly find relevant traffic, and use the statistics features to identify patterns. Practice analyzing different protocols to become proficient at identifying suspicious network activity.
