You've learned about networks, protocols, and security. Now it's time to see network traffic in action. Wireshark is the industry-standard tool for capturing and analyzing network packets. If you want to understand what's really happening on a network, you need to master Wireshark.
Wireshark is a free, open-source packet analyzer. It captures network traffic in real-time and displays it in human-readable format. Think of it as a microscope for networks—it lets you examine every single packet flowing across the wire.
Security professionals use Wireshark to: - Troubleshoot network issues - Detect malicious activity - Reverse engineer protocols - Analyze malware communication - Investigate security incidents - Learn how protocols actually work - Capture credentials (in authorized testing) - Verify encryption is working
Wireshark is so powerful and essential that it's installed by default on Kali Linux and used daily by security professionals worldwide.
Before we dive into Wireshark, let's understand what we're capturing.
Normally, your network card only captures packets addressed to you. In promiscuous mode, your network card captures all packets on the network segment, regardless of destination. This is essential for security analysis but also why packet sniffing can be a privacy concern.
Note: On switched networks, you usually only see: - Broadcast traffic - Multicast traffic - Traffic to/from your machine
To see other traffic, you'd need to be on a hub (rare today), use ARP poisoning to redirect traffic through your machine, or have access to network tap/SPAN port.
Capture filters: Applied during capture, determine what packets are saved. More efficient but can't be changed after capture.
Display filters: Applied after capture, determine what you see. Can be changed anytime without recapturing.
Both use different syntax—capture filters use BPF (Berkeley Packet Filter), display filters use Wireshark's own syntax.
When you open Wireshark, you see: - Interface list: Network interfaces you can capture from - Capture pane: Real-time packet list during capture - Packet details pane: Expanded view of selected packet - Packet bytes pane: Raw hexadecimal and ASCII data
Each row represents one packet with columns: - No.: Packet number - Time: When packet was captured - Source: Source IP address - Destination: Destination IP address - Protocol: Protocol used (TCP, UDP, HTTP, etc.) - Length: Packet size in bytes - Info: Summary of packet contents
Click on any packet to see three views:
Packet List: The summary row
Packet Details: Expandable tree showing each protocol layer: - Frame: Physical layer info - Ethernet II: Data link layer (MAC addresses) - Internet Protocol: Network layer (IP addresses) - TCP/UDP: Transport layer (ports, flags) - Application data: Whatever protocol is inside (HTTP, DNS, etc.)
Packet Bytes: Raw data in hex and ASCII
This three-pane view is Wireshark's power—you can see the same packet at different levels of detail.
With thousands or millions of packets, you need to filter. Display filters are Wireshark's query language.
Filter by protocol:
http
tcp
dns
icmp
Filter by IP address:
ip.addr == 192.168.1.1 # Any direction
ip.src == 192.168.1.1 # Source only
ip.dst == 192.168.1.1 # Destination only
Filter by port:
tcp.port == 80 # Any direction
tcp.srcport == 443 # Source port
tcp.dstport == 22 # Destination port
Combine filters:
ip.addr == 192.168.1.1 && tcp.port == 80
http || dns
tcp.port == 443 && ip.src == 10.0.0.5
Logical operators:
- && or and: Both conditions must be true
- || or or: Either condition true
- ! or not: Negation
Find login credentials (if not encrypted):
http.request.method == "POST"
ftp.request.command == "PASS"
Find DNS queries:
dns.qry.name contains "malicious"
Find TCP connections:
tcp.flags.syn == 1 && tcp.flags.ack == 0
Find specific HTTP methods:
http.request.method == "POST"
http.request.uri contains "/admin"
Find errors:
http.response.code >= 400
tcp.analysis.retransmission
Find large packets (potential data exfiltration):
frame.len > 1000
Find suspicious user agents:
http.user_agent contains "sqlmap"
http.user_agent contains "nikto"
HTTP is unencrypted and reveals everything. Let's analyze an HTTP request:
GET /index.html HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Accept: text/html
In Wireshark:
1. Filter for http
2. Find a GET request
3. Right-click → Follow → HTTP Stream
4. See the entire conversation in plain text
You can see: - URLs visited - Cookies - Form data - User agents - Server responses
Security note: This is why HTTPS is crucial. HTTP traffic is completely visible to anyone on the network.
HTTPS encrypts HTTP, so you'll see: - TLS handshake (establishing encryption) - Encrypted application data (unreadable) - Certificate information (visible during handshake)
Filter: tls or ssl
You can see: - Which sites are visited (from SNI in Client Hello) - IP addresses - Certificate validity - TLS version - Cipher suites
But you can't see: - Specific URLs - Transmitted data - Cookies or credentials
DNS queries reveal a lot about user activity:
Filter: dns
You can see: - What domains are being resolved - Response IP addresses - Query types (A, AAAA, MX, TXT, etc.)
Security uses: - Detect DNS tunneling (data exfiltration through DNS) - Find connections to known malicious domains - Identify command and control traffic - Spot DGA (Domain Generation Algorithm) patterns
Example filter for DNS queries only:
dns.flags.response == 0
Understanding TCP handshakes is fundamental:
Filter to see only handshakes:
tcp.flags.syn == 1
What this reveals: - Which services are being accessed - Successful vs. failed connections - Port scanning activity (many SYNs, few ACKs)
FTP sends credentials in plaintext:
Filter: ftp
You'll see: - USER command (username) - PASS command (password in plain text!) - File transfers - Directory listings
Right-click a packet → Follow → TCP Stream to see the entire session.
Security lesson: FTP is incredibly insecure. Use SFTP or FTPS instead.
SYN Scan: Many SYN packets to different ports, few responses
tcp.flags.syn == 1 && tcp.flags.ack == 0
Look for: - Single source IP - Many different destination ports - High packet rate - Many RST responses (closed ports)
ARP poisoning redirects traffic by lying about MAC addresses.
Filter: arp
Look for: - Duplicate IP addresses with different MACs - Many ARP replies without corresponding requests - Gratuitous ARP (announcements without requests)
Filter for duplicate IPs:
arp.duplicate-address-detected
Indicators: - Unusual ports - Suspicious domains in DNS queries - Regular beacon intervals (malware checking in) - Large uploads (data exfiltration) - Connections to known malicious IPs
Filter for beaconing (regular intervals):
tcp && frame.time_delta > 60 && frame.time_delta < 61
If credentials are sent unencrypted:
HTTP authentication:
http.authbasic
FTP passwords:
ftp.request.command == "PASS"
Telnet login:
telnet && tcp.port == 23
Right-click → Follow Stream to see full credential exchange.
Protocol Hierarchy: Statistics → Protocol Hierarchy - Shows breakdown of all protocols in capture - Identifies unusual traffic
Conversations: Statistics → Conversations - Lists all pairs of communicating hosts - Shows data transferred - Identifies heavy users or data transfers
I/O Graphs: Statistics → I/O Graph - Visualizes traffic over time - Spots spikes or patterns - Useful for DDoS analysis
Right-click any packet → Follow → [protocol] Stream
Shows entire conversation in readable format. Works for: - TCP Stream - UDP Stream - HTTP Stream - TLS Stream (shows encrypted data)
For HTTP/HTTPS captures: File → Export Objects → HTTP
Extracts all files transferred: - Images - JavaScript - CSS - Downloads - Malware samples (be careful!)
View → Time Display Format - Seconds since beginning of capture - Absolute time - Delta time (since previous packet)
Useful for identifying timing patterns.
View → Coloring Rules
Wireshark colors packets by default: - Light blue: UDP - Light purple: TCP - Black: Errors - Green: HTTP - Light yellow: Windows-specific traffic
You can create custom rules:
tcp.analysis.retransmission → Red (possible network issues)
dns.qry.name contains "malware" → Red (suspicious DNS)
Don't capture everything—be specific:
Capture filter for HTTP only:
port 80 or port 443
Capture specific host:
host 192.168.1.100
Capture subnet:
net 192.168.1.0/24
Exclude broadcast noise:
not broadcast and not multicast
For continuous monitoring: 1. Capture → Options 2. Enable "Use multiple files" 3. Set ring buffer (e.g., 100 files of 10 MB each) 4. Wireshark automatically rotates files
Capture on one machine, analyze on another: 1. Set up tcpdump on remote server 2. Pipe traffic to Wireshark on local machine
ssh user@remote "tcpdump -i eth0 -w -" | wireshark -k -i -
tcp.analysis.retransmissionImportant: Packet capture can reveal: - Passwords and credentials - Private communications - Financial information - Medical records - Trade secrets
Rules: - Only capture on networks you own or have written permission - Don't capture in public Wi-Fi without authorization - Treat captured data as highly sensitive - Follow company security policies - Understand local laws on network monitoring
In many jurisdictions, unauthorized packet capture is illegal wiretapping.
tcpdump: Command-line packet capture (often used on servers)
tcpdump -i eth0 -w capture.pcap port 80
tshark: Command-line version of Wireshark (great for scripting)
tshark -r capture.pcap -Y http.request -T fields -e http.host
NetworkMiner: Extracts artifacts from pcap files CapAnalysis: Web-based pcap analyzer Zeek (formerly Bro): Network security monitoring platform
Wireshark is a skill that develops over time. Start by: 1. Capturing your own web browsing 2. Analyzing different protocols 3. Practicing with public pcap files 4. Participating in CTF challenges 5. Contributing to investigations
In upcoming lessons, we'll use Wireshark to analyze specific attack scenarios and learn how to detect sophisticated threats. Every security professional needs packet analysis skills—it's the ground truth of what's really happening on a network.
Keep practicing, and you'll develop an intuition for what's normal vs. suspicious in network traffic. That intuition is invaluable in cybersecurity.