As a security analyst, I have been using Wireshark for years, and it has become an indispensable tool for me. Wireshark is a powerful network protocol analyzer that allows you to capture and analyze network traffic in real-time. In this article, I will share my tips and tricks for mastering Wireshark and getting the most out of your PCAP analysis!

Introduction to Wireshark
Wireshark is a free and open-source packet analyzer that allows you to capture and analyze network traffic in real-time. It is available for Windows, Linux, and macOS; its user-friendly interface makes it easy for beginners to pick up, while it also offers many features for advanced users.
Wireshark can capture traffic from various sources, including Ethernet, Wi-Fi, Bluetooth, and USB. It supports over 2,000 protocols and can decode traffic from different network layers, including the physical, data link, network, transport, and application layers.
What is a PCAP file?
A PCAP (Packet Capture) file is a file format used by Wireshark to store captured network traffic. A PCAP file contains all the captured packets, including the packet headers and payloads, and can be used to analyze the traffic later.
PCAP files are widely used in network analysis and can be shared between different tools and platforms. Wireshark can read and write PCAP files and supports different compression formats, including gzip and bzip2.

Analyzing network traffic with Wireshark
To analyze network traffic with Wireshark, you need to capture the traffic first. You can do this by selecting the network interface to capture from and starting the capture.
Once you have captured the traffic, you can start analyzing it using Wireshark’s various features, including the packet list, packet details, and packet bytes views. You can also filter the traffic using Wireshark’s display filters and search for specific packets using its search function.
Wireshark also allows you to analyze traffic statistics, including the number of packets, bytes, and protocols used. You can also create graphs and charts to visualize the traffic patterns and trends.

Essential Wireshark tips and tricks for efficient PCAP analysis
- Use display filters – Wireshark’s display filters allow you to filter the traffic based on different criteria, including the protocol, source, and destination address, and port number. Display filters can help you focus on specific traffic and hide irrelevant packets, making it easier to analyze the traffic. https://wiki.wireshark.org/DisplayFilters
- Use coloring rules – Wireshark’s coloring rules allow you to color-code packets based on different criteria, including the protocol, source, and destination address, and port number. Coloring rules can help you identify specific packets quickly and make it easier to analyze the traffic. https://wiki.wireshark.org/ColoringRules
- Configuration Profiles – Wireshark’s profiles allow you to save your settings and preferences and switch between them easily. Profiles can help you customize Wireshark to your needs and save time when analyzing different types of traffic. https://www.wireshark.org/docs/wsug_html_chunked/ChCustConfigProfilesSection.html
- Use the Follow TCP Stream function – Wireshark’s Follow TCP Stream function allows you to view the entire TCP stream of a packet, including the payload. This function can help you analyze application-layer protocols and understand the communication between different hosts. https://www.wireshark.org/docs/wsug_html_chunked/ChAdvFollowStreamSection.html
Advanced Wireshark techniques for PCAP analysis
Here are some advanced techniques for PCAP analysis with Wireshark:
- Use Wireshark’s expert information system – Wireshark’s expert information analyzes the traffic and provides feedback on potential issues, including errors, warnings, and notes. The expert system can help you identify network problems quickly and understand the traffic better. https://www.wireshark.org/docs/wsug_html_chunked/ChAdvExpert.html
- Use Wireshark’s packet dissection engine – Wireshark’s packet dissection engine can decode over 2,000 protocols and provides detailed information about each packet. You can use the packet dissection engine to analyze the traffic at different network layers and understand the protocols used. https://www.wireshark.org/docs/wsar_html/group__packet.html
- Use Wireshark’s scripting features – Wireshark’s scripting features allow you to automate tasks and customize Wireshark’s behavior. You can use Lua to create your scripts and plugins and extend Wireshark’s functionality. https://wiki.wireshark.org/Lua
Wireshark plugins to improve your PCAP analysis
You can find your Wireshark plugin directory by opening Wireshark, going to Help > About Wireshark and clicking on the Folders tab. To install a plugin, copy its “plugins” directory into your Wireshark plugins directory.

Wireshark has a vast library of plugins that can help you improve your PCAP analysis. Here are some popular plugins:
- PA Toolkit – A collection of traffic analysis plugins focused on security. https://github.com/pentesteracademy/patoolkit/tree/master/plugins
- Winshark – A Wireshark plugin to work with Event Tracing for Windows. https://github.com/airbus-cert/Winshark
- GeoIP – Provides geolocation information for IP addresses and displays them on a map. https://wiki.wireshark.org/HowToUseGeoIP.md
- MS Lync/STUN Dissector Plugin – Armed with the information available in Microsoft’s Office Protocol documents, RFCs, and a healthy dose of reverse engineering, this author was able to put together a plugin for Wireshark that made packet captures taken on an Edge server readable. https://github.com/jamescussen/microsoft-lync-skype-for-business-wireshark-plugin
Wireshark filters and display options
Wireshark provides a display filter language that enables you to precisely control which packets are displayed. They can be used to check for the presence of a protocol or field, the value of a field, or even compare two fields to each other. These comparisons can be combined with logical operators, like “and” and “or”, and parentheses into complex expressions.

Wireshark has a wide range of filters and display options that can help you customize the traffic analysis. Here are some useful filters and display options:
🔍 General Traffic Filters
| Filter | Description |
|---|---|
| ip.addr == 192.168.1.1 | Shows all traffic to/from the specified IP address. |
| ip.src == 192.168.1.1 | Shows traffic from the specified IP address. |
| ip.dst == 192.168.1.1 | Shows traffic to the specified IP address. |
| tcp.port == 443 | Filters all TCP packets with source or destination port 443 (HTTPS). |
| udp.port == 53 | Filters all UDP packets on port 53 (DNS). |
| ip.proto == 1 | Displays ICMP traffic (e.g., pings). |
🔐 Security/Attack Investigation
| Filter | Description |
|---|---|
| tcp.flags.syn == 1 and tcp.flags.ack == 0 | Shows TCP SYN packets — useful for detecting port scans. |
| tcp.flags.reset == 1 | Shows TCP RST packets — may indicate port scans or dropped connections. |
| http.request | Displays all HTTP request packets. |
| dns.qry.name == "malicious.com" | Finds DNS queries to a specific domain — useful for malware C2 detection. |
| ftp | Filters FTP traffic — good for legacy service audit. |
| smtp | Filters SMTP traffic — useful in phishing investigations. |
| frame contains "Mimikatz" | Finds packets containing a specific string in the payload. |
🌐 Protocol-Specific Filters
| Filter | Description |
|---|---|
| http | Shows only HTTP traffic. |
| tls | Shows only TLS-encrypted traffic. |
| dns | Displays only DNS protocol traffic. |
| dhcp or bootp | Filters for DHCP packets (important for IP assignment issues). |
| ntp | Shows Network Time Protocol traffic. |
| icmp | Filters ICMP traffic (e.g., ping, traceroute). |
🛠️ Troubleshooting / Performance
| Filter | Description |
|---|---|
| tcp.analysis.flags | Shows retransmissions, duplicate ACKs, out-of-order packets, etc. |
| tcp.analysis.retransmission | Highlights TCP retransmissions (could indicate packet loss). |
| tcp.analysis.window_full | Detects window size issues on TCP connections. |
| tcp.len == 0 | Zero-length packets (often keep-alives). |
🧠 Expert Use / Advanced
| Filter | Description |
|---|---|
| ip.ttl < 10 | Useful for detecting low-TTL packets (potential traceroute or malformed traffic). |
| tcp.seq == tcp.ack | Detects packets where sequence and ACK numbers match. |
| tcp.time_delta > 1 | Shows TCP packets where the time since the previous packet in the stream is greater than 1 second. |

For more information regarding display filters, see:
- https://gitlab.com/wireshark/wireshark/-/wikis/DisplayFilters
- https://unit42.paloaltonetworks.com/using-wireshark-display-filter-expressions/
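To make the PCAP file format described earlier and the SYN-scan display filter from the table above concrete, here is an added example (not code from the original article or from the Wireshark project): it writes a constructed classic pcap in memory, reads it back honouring the byte order given by the magic number, dissects Ethernet/IPv4/TCP headers, and applies the equivalent of tcp.flags.syn == 1 and tcp.flags.ack == 0, counting hits per source IP. The sample hosts, ports and timestamps are constructed.

```python
import socket, struct
PCAP_MAGIC_LE, PCAP_MAGIC_BE = 0xA1B2C3D4, 0xD4C3B2A1  # as read with "<I"
TCP_SYN, TCP_ACK = 0x02, 0x10

def build_tcp_frame(src_ip, dst_ip, sport, dport, flags):
    """Constructed Ethernet II + IPv4 + TCP header-only frame (checksums left at 0)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp  # zero MACs, ethertype IPv4

def build_pcap(frames):
    """24-byte global header (version 2.4, linktype 1 = Ethernet) + 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Yield (timestamp, frame) records; the magic number gives the writer's byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in (PCAP_MAGIC_LE, PCAP_MAGIC_BE):
        raise ValueError("not a classic pcap file (pcapng uses a different layout)")
    endian, off = ("<" if magic == PCAP_MAGIC_LE else ">"), 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "4I", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]  # incl_len <= snaplen
        off += incl_len

def dissect_tcp(frame):
    """Return (src_ip, dst_ip, tcp_flags) for IPv4/TCP frames, None for anything else."""
    ihl = (frame[14] & 0x0F) * 4 if len(frame) > 14 else 0  # honours IPv4 options
    if len(frame) < 14 + ihl + 14 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    return socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]), frame[14 + ihl + 13]

def syn_without_ack_by_source(data):
    """The table's 'tcp.flags.syn == 1 and tcp.flags.ack == 0' filter, counted per source IP."""
    counts = {}
    for _ts, frame in read_pcap(data):
        hit = dissect_tcp(frame)
        if hit and hit[2] & TCP_SYN and not hit[2] & TCP_ACK:
            counts[hit[0]] = counts.get(hit[0], 0) + 1
    return counts

# Constructed capture: one host probing three ports, plus the single SYN/ACK reply.
SAMPLE_PCAP = build_pcap(
    [build_tcp_frame("10.0.0.5", "10.0.0.1", 40000 + p, p, TCP_SYN) for p in (22, 80, 443)]
    + [build_tcp_frame("10.0.0.1", "10.0.0.5", 22, 40022, TCP_SYN | TCP_ACK)])
```

Writing SAMPLE_PCAP to disk gives a file Wireshark opens directly, so you can check that the same filter selects the same three frames in the GUI.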
Exporting Files from pcap files
One of the most useful features of Wireshark is its ability to export objects such as images, documents, and other files from the captured network traffic. This functionality enables users to quickly identify and extract relevant data from pcap files, making it an invaluable feature for various use cases.
Exporting objects from Wireshark is a straightforward process once you have captured or loaded a pcap file with the relevant network traffic. To export files from pcap using Wireshark, begin by selecting the “File” menu, followed by “Export Objects.” A submenu will appear, providing options for exporting various file types like HTTP, SMB, IMAP, and more. Select the appropriate file type based on the protocol used in the network traffic you wish to analyze. For example, if you are interested in extracting images or documents transmitted via HTTP, choose “HTTP” from the list.
Upon selecting the desired file type for export, a new window will display a list of objects found within the pcap file corresponding to that particular protocol. This list includes information such as the object’s filename, content type, size, and source and destination IP addresses. Users can filter this list based on specific criteria using the search function provided at the top of the window. This is particularly useful when dealing with large pcap files containing numerous objects.
Once you have identified the object(s) you wish to export, simply select them in the list and click the “Save As” button. A dialog box will prompt you to choose a destination folder for your exported files. After specifying a location, Wireshark will export the selected objects into individual files in their original format. This allows users to easily view, analyze, or manipulate these files using other software applications.
By enabling users to export files from pcap files, Wireshark provides a convenient means to extract important data from network traffic for further investigation and analysis. Whether you are a network administrator troubleshooting issues, a security professional investigating potential threats, or a developer working on network protocols, the export object functionality in Wireshark is an indispensable tool for your workflow.
What is Tshark?
TShark is a network protocol analyzer. It lets you capture packet data from a live network, or read packets from a previously saved capture file, either printing a decoded form of those packets to the standard output or writing the packets to a file. TShark’s native capture file format is pcapng format, which is also the format used by Wireshark and various other tools. https://www.wireshark.org/docs/man-pages/tshark.html
Command line analysis with Tshark
Tshark is a part of the Wireshark package and provides similar functionality to Wireshark, but with a command-line interface.

Here are some useful Tshark commands:
- List all available interfaces: tshark -D
- Filter Traffic (BPF): tshark -f <filter>
- Save captured traffic to a file: tshark -w /file/path/test.pcap
- Reading a pcap file: tshark -r /file/path/test.pcap | head
Wireshark vs Tshark: Which one to use?
Wireshark and Tshark are both packet analyzers that can capture and analyze network traffic. Wireshark has a user-friendly interface and provides a graphical representation of the traffic, while Tshark is a command-line tool that can capture and analyze traffic in a non-interactive mode.
Here are some pros and cons of using Wireshark and Tshark, which can help you choose which would be appropriate for the task at hand:
Wireshark pros:
- User-friendly interface
- Graphical representation of the traffic
- Easy to use for beginners
Wireshark cons:
- High memory usage
- Limited command-line options
- Limited support for scripting
Tshark pros:
- Low memory usage
- Powerful command-line options
- Supports scripting and automation
Tshark cons:
- No graphical representation of the traffic
- Not suitable for beginners
- Limited support for display filters
Wireshark vs other packet analyzers
Wireshark is not the only packet analyzer available in the market. Here are some popular alternatives:
- tcpdump – A command-line tool that can capture and display network traffic. https://www.tcpdump.org/
- Microsoft Network Monitor (Retired) – A packet analyzer developed by Microsoft that can capture and analyze network traffic on Windows. https://learn.microsoft.com/en-us/troubleshoot/windows-client/networking/collect-data-using-network-monitor
- SolarWinds Network Performance Monitor – A network monitoring tool that can capture and analyze network traffic. https://www.solarwinds.com/network-performance-monitor
Wireshark is a popular choice for network analysts due to its user-friendly interface, wide range of features, and open-source nature.

Conclusion
Wireshark is a powerful tool for analyzing network traffic, and with these tips and tricks, you can master it and get the most out of your PCAP analysis. Whether you are a beginner or an advanced user, Wireshark has something to offer, and with its extensive library of plugins and features, you can customize it to your needs.
So, start capturing traffic, analyzing it with Wireshark, and improve your network analysis skills today!
I appreciate the information and I’m looking forward to learning more from you in the future!