wireshark

🔎 What is Wireshark?

Wireshark is the industry-standard network protocol analyzer for capturing and analyzing packet-level network traffic. Ethical hackers, incident responders, and network engineers use it to visualize traffic flows, troubleshoot protocols, and perform packet-level forensics.

Analogy: Wireshark is like an x-ray machine for networks — it reveals exactly what’s traveling inside packets so you can diagnose problems and detect malicious behavior.


🛡️ Why Learn Wireshark First?

  • ✅ Deep packet visibility — see headers, payloads, and protocol flows.
  • ✅ Essential for incident response & forensics.
  • ✅ Used in CEH labs and real-world investigations.
  • ✅ Free, cross-platform, and scriptable (tshark).

🔧 Capture vs Display Filters — The Single Most Important Distinction

  • Capture filters (BPF syntax) limit which packets are written to disk. Apply before you start capturing. Use capture filters to reduce capture size and avoid capturing irrelevant traffic.
    • Example (capture only traffic on TCP port 80, i.e. cleartext HTTP): tcp port 80
  • Display filters (Wireshark syntax) are applied after capture to narrow what you see. They let you analyze specific conversations without re-capturing.
    • Example (show only HTTP requests): http.request

⚡ Essential Capture Filters (BPF) — Set these before capturing

  🔴 Capture filter        🧭 Purpose
  host 10.0.0.5            Capture traffic to/from a single IP
  net 192.168.1.0/24       Capture an entire subnet
  tcp port 443             Capture HTTPS only
  udp port 53              Capture DNS queries/responses
  ether proto 0x0806       Capture ARP only

Tip: capture filters use BPF syntax (libpcap), which is a different language from display-filter syntax; the same BPF expressions work in tcpdump and in tshark -f.


🔎 Essential Display Filters (Wireshark syntax) — apply after capture

  🔵 Display filter                  🧭 Purpose
  ip.addr == 10.0.0.5                Packets to or from an IP
  tcp.port == 22                     SSH traffic (port 22)
  http.request.method == "POST"      Show only HTTP POST requests
  dns.qry.name == "example.com"      DNS queries for a domain
  tls.handshake.type == 1            TLS Client Hello packets
  tcp.analysis.retransmission        TCP retransmissions (problems)

Infographic tip: show side-by-side examples so beginners immediately see the difference.


🧭 Quick GUI Workflow (Beginner step-by-step)

  1. Open Wireshark → Select interface (Ethernet/Wi-Fi). 🖧
  2. (Optional) Enter a capture filter to limit packets. 🔴
  3. Click Start and reproduce the issue or traffic you need. ▶️
  4. Click Stop when done. ⏹️
  5. Apply display filters to focus on relevant packets. 🔍
  6. Right-click a packet → Follow → TCP Stream to reassemble conversations. 🔁
  7. Export objects (File → Export Objects → HTTP/SMB) to extract files. 💾

🛠 tshark (CLI) — capture & automate

tshark is Wireshark’s CLI — ideal for automation, headless servers, and environments without a GUI.

Common tshark examples

# Capture 1000 packets on eth0 to file
sudo tshark -i eth0 -c 1000 -w capture.pcapng

# Capture only HTTP packets (BPF capture filter)
sudo tshark -i eth0 -f "tcp port 80" -w http_capture.pcapng

# Read a pcap and print protocol hierarchy statistics (which protocols dominate)
tshark -r capture.pcapng -q -z io,phs

# Print only DNS queries (not responses) from a pcap
tshark -r capture.pcapng -Y "dns.flags.response == 0" -T fields -e dns.qry.name

🔍 Practical Example — Find a Failed Login (step-by-step)

  1. Capture traffic while an authentication attempt runs (or open existing pcap).
  2. Use display filter for relevant service (e.g., SSH): tcp.port == 22 && ip.addr == 10.0.0.5.
  3. Look for suspicious patterns: repeated connections, tcp.analysis.retransmission, or tcp.flags.reset==1.
  4. Follow the TCP stream for payload clues.
  5. Correlate with server logs (/var/log/auth.log) — always combine packet data with system logs.
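The failed-login procedure above, and the tshark section before it, both end in the same practical step: export the relevant packets as fields and look for repeated short connections from one source. The following Python script is an added example (not part of the original cheat sheet) that consumes tshark -T fields output for tcp.port == 22 and reports, per client, how many streams it opened, how many ended in a TCP reset, and the average stream duration. The tshark command in the comment, the thresholds in flag_clients and the sample lines are all constructed assumptions for this example.

```python
"""Triage SSH connection bursts from tshark field output (added example)."""
from collections import defaultdict
from statistics import mean

# Assumed field order of the tshark command that produced the input:
# tshark -r capture.pcapng -Y "tcp.port == 22" -T fields \
#   -e frame.time_epoch -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport \
#   -e tcp.stream -e tcp.flags.syn -e tcp.flags.ack -e tcp.flags.reset
FIELDS = ["time", "src", "dst", "sport", "dport", "stream", "syn", "ack", "rst"]


def _flag(value):
    # Newer tshark builds print flag fields as 1/0, older ones as True/False.
    return value.strip() in ("1", "True")


def parse_tshark_fields(text):
    """Turn tab-separated tshark -T fields lines into dicts keyed by FIELDS."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue  # skip blank or malformed lines instead of aborting triage
        row = dict(zip(FIELDS, parts))
        row["time"] = float(row["time"])
        for key in ("syn", "ack", "rst"):
            row[key] = _flag(row[key])
        rows.append(row)
    return rows


def summarize_streams(rows):
    """Group packets by tcp.stream and attribute each stream to its SYN sender."""
    streams = {}
    for r in rows:
        s = streams.setdefault(r["stream"], {"client": None, "first": r["time"],
                                             "last": r["time"], "rst": False})
        s["first"] = min(s["first"], r["time"])
        s["last"] = max(s["last"], r["time"])
        if r["syn"] and not r["ack"]:
            s["client"] = r["src"]  # the bare SYN identifies the initiator
        if r["rst"]:
            s["rst"] = True
    per_client = defaultdict(lambda: {"streams": 0, "resets": 0, "durations": []})
    for s in streams.values():
        c = per_client[s["client"] or "unknown"]
        c["streams"] += 1
        c["resets"] += int(s["rst"])
        c["durations"].append(s["last"] - s["first"])
    return {client: {"streams": c["streams"], "resets": c["resets"],
                     "avg_duration": mean(c["durations"])}
            for client, c in per_client.items()}


def flag_clients(summary, min_streams=5, max_avg_duration=5.0):
    """Clients that opened many short streams, at least half ending in a reset."""
    return sorted(client for client, c in summary.items()
                  if c["streams"] >= min_streams
                  and c["avg_duration"] <= max_avg_duration
                  and c["resets"] * 2 >= c["streams"])


# Constructed sample in the field format above (not a real capture): one long
# session from 10.0.0.7 and six short, reset-terminated connections from
# 10.0.0.99 to the SSH server 10.0.0.5.
def _short_stream(stream_id, t0, client, sport):
    srv = "10.0.0.5"
    return [
        f"{t0:.3f}\t{client}\t{srv}\t{sport}\t22\t{stream_id}\t1\t0\t0",
        f"{t0 + 0.01:.3f}\t{srv}\t{client}\t22\t{sport}\t{stream_id}\t1\t1\t0",
        f"{t0 + 0.02:.3f}\t{client}\t{srv}\t{sport}\t22\t{stream_id}\t0\t1\t0",
        f"{t0 + 1.50:.3f}\t{srv}\t{client}\t22\t{sport}\t{stream_id}\t0\t1\t1",
    ]


SAMPLE_LINES = [
    "1700000000.000\t10.0.0.7\t10.0.0.5\t51000\t22\t0\t1\t0\t0",
    "1700000000.010\t10.0.0.5\t10.0.0.7\t22\t51000\t0\t1\t1\t0",
    "1700000000.020\t10.0.0.7\t10.0.0.5\t51000\t22\t0\t0\t1\t0",
    "1700000300.000\t10.0.0.7\t10.0.0.5\t51000\t22\t0\t0\t1\t0",
]
for i in range(6):
    SAMPLE_LINES += _short_stream(i + 1, 1700000010.0 + 2 * i, "10.0.0.99", 40000 + i)
SAMPLE_OUTPUT = "\n".join(SAMPLE_LINES)

if __name__ == "__main__":
    summary = summarize_streams(parse_tshark_fields(SAMPLE_OUTPUT))
    for client, c in summary.items():
        print(client, c)
    print("suspicious:", flag_clients(summary))
```

Run it on a real pcap by piping the tshark command from the comment into parse_tshark_fields instead of SAMPLE_OUTPUT. The reset-and-duration heuristic only narrows the list of clients worth a Follow → TCP Stream look; as the procedure says, confirm against the server's auth log.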

CEH tip: packet captures often contain credentials or tokens in plaintext — treat captures as sensitive evidence.


🧾 Common Forensic Checks

  • tcp.analysis.retransmission → packet loss / unstable link
  • tcp.analysis.duplicate_ack → duplicate ACKs, which usually accompany packet loss and retransmissions
  • http.authbasic → HTTP Basic Auth headers (credentials)
  • frame contains "password" → rudimentary search for plaintext credentials
  • tls.handshake.ciphersuite → check negotiated cipher suites
  • dns.count.queries > X → unusual question counts; combine with per-client query rates and query-name length to spot DNS amplification or exfiltration patterns

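The DNS check in the list above is easiest to apply outside the GUI: export the queries with tshark and score each source by query rate and by how random its query names look. The Python below is an added example (not from the original page) that does both over tshark -T fields output; the tshark command in the comment, the 60-second window, the rate and entropy thresholds, and the sample queries are constructed assumptions for this example.

```python
"""Score DNS query exports for rate spikes and exfil-like names (added example)."""
import math
from collections import Counter, defaultdict

# Assumed producer of the input (queries only, responses excluded):
# tshark -r capture.pcapng -Y "dns.flags.response == 0" -T fields \
#   -e frame.time_epoch -e ip.src -e dns.qry.name


def parse_dns_queries(text):
    """Return (epoch_time, source_ip, query_name) tuples from tab-separated lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3 or not parts[2]:
            continue  # ignore blank lines and packets without a query name
        rows.append((float(parts[0]), parts[1], parts[2].lower()))
    return rows


def label_entropy(label):
    """Shannon entropy in bits per character of one DNS label."""
    n = len(label)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def peak_query_rate(rows, window=60.0):
    """Largest number of queries any single source sent within `window` seconds."""
    by_src = defaultdict(list)
    for t, src, _ in rows:
        by_src[src].append(t)
    peaks = {}
    for src, times in by_src.items():
        times.sort()
        best, lo = 0, 0
        for hi in range(len(times)):  # sliding window over sorted timestamps
            while times[hi] - times[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        peaks[src] = best
    return peaks


def suspicious_names(rows, min_label_len=30, min_entropy=3.5):
    """Query names whose leftmost label is long and high-entropy (encoded data)."""
    hits = set()
    for _, _, name in rows:
        first = name.split(".")[0]
        if len(first) >= min_label_len and label_entropy(first) >= min_entropy:
            hits.add(name)
    return sorted(hits)


def dns_findings(text, max_rate=50, window=60.0):
    """Combine both checks into one report for a tshark export."""
    rows = parse_dns_queries(text)
    rates = peak_query_rate(rows, window)
    return {
        "high_rate_sources": sorted(s for s, r in rates.items() if r > max_rate),
        "exfil_like_names": suspicious_names(rows),
    }


# Constructed sample (not a real capture): a normal client making a few lookups
# and a second host firing 80 queries in 20 seconds with 36-character random-
# looking labels under example.com.
_ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
SAMPLE_LINES = [
    f"{1700000000.0 + 10 * i:.3f}\t10.0.0.7\t{name}"
    for i, name in enumerate(["www.example.com", "mail.example.com",
                              "www.example.com", "cdn.example.com", "ntp.example.com"])
]
for i in range(80):
    label = _ALPHABET[i % 36:] + _ALPHABET[:i % 36]  # rotated alphabet, 36 unique chars
    SAMPLE_LINES.append(f"{1700000000.0 + 0.25 * i:.3f}\t10.0.0.42\t{label}.example.com")
SAMPLE_OUTPUT = "\n".join(SAMPLE_LINES)

if __name__ == "__main__":
    report = dns_findings(SAMPLE_OUTPUT)
    print("high-rate sources:", report["high_rate_sources"])
    print("exfil-like names:", len(report["exfil_like_names"]))
```

The two checks are deliberately independent: a busy resolver or a monitoring host can legitimately exceed the rate threshold, and a single long high-entropy label can be a CDN or anti-spam lookup, so treat a source that trips both as the one to investigate first and tune the thresholds to the baseline of the network you captured.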
⚖️ Legal & Privacy Best Practices

  • Only capture traffic on networks you own or have written permission to test.
  • Packet captures may contain PII and credentials — encrypt and store securely.
  • Use mirrored (SPAN) ports or lab VLANs for non-intrusive capture.
  • Redact or restrict access to sensitive fields when sharing captures.

🎯 CEH v13 Strategy Checklist

  • Capture filter (BPF) vs display filter (Wireshark) distinction.
  • Recognize common display filters and what they show (tcp.analysis.*, http.request, dns.qry.name).
  • Understand when to use tshark vs GUI.
  • Capture with tshark -i eth0 -c 500 -w /tmp/cap.pcapng.
  • Use display filter http.request.method == "POST" && ip.src == 10.0.0.5.
  • Reassemble sessions: Follow → TCP Stream.
  • Export objects (HTTP/SMB) for file recovery.
  • Hunt anomalies: retransmissions, TLS alerts, oversized frames.

✅ Key Takeaways

  • 🐟 Wireshark shows packet-level truth — invaluable for forensics and troubleshooting.
  • 🔴 Capture filters reduce noise at capture time.
  • 🔵 Display filters let you slice and dice captures post-facto.
  • 🧰 tshark automates captures on servers and scripts.
  • 🔐 Treat captures as sensitive — they often contain secrets.