
Wireshark

The world's most widely used network protocol analyzer, Wireshark captures and interactively analyzes network traffic in real-time, enabling security professionals to troubleshoot networks, analyze protocols, and investigate security incidents.

Author: Unihackers Team
What is Wireshark?

Wireshark is a free, open-source network protocol analyzer that captures and decodes traffic flowing across a network interface in real time. It is the industry-standard tool for inspecting packets at every layer of the TCP/IP stack, from Ethernet frames to TLS handshakes and HTTP requests.

In short, Wireshark lets you:

  • Capture every packet entering or leaving a network interface (live or from a .pcap file)
  • Decode more than 3,000 protocols into human-readable fields
  • Filter traffic with a powerful display-filter syntax (e.g. tcp.port == 443, http.request)
  • Reconstruct full conversations by following TCP, UDP, or TLS streams
  • Investigate security incidents, malware command-and-control, and network performance issues

Originally released in 1998 as Ethereal and renamed Wireshark in 2006, it runs on Windows, macOS, and Linux and is maintained by the Wireshark Foundation. It is free under the GNU GPL v2 license and used by network engineers, SOC analysts, penetration testers, and incident responders worldwide.

Why It Matters

Wireshark is the essential tool for understanding network communications at the packet level. When security incidents occur, logs tell you what happened, but packet captures reveal exactly how. This granularity is invaluable for forensic analysis, malware investigation, and understanding attack techniques.

Network troubleshooting benefits equally from packet analysis. When applications behave unexpectedly, packets reveal whether the issue lies with the network, server, or client. Understanding TCP handshakes, protocol behavior, and timing helps diagnose problems that higher-level monitoring misses.

For security professionals, Wireshark proficiency is foundational. Penetration testers analyze captured credentials and reconnaissance traffic. Incident responders examine command-and-control communications. Network security engineers troubleshoot and validate security tools. The skill transfers across virtually every technical security role.

Learning Wireshark deepens understanding of networking fundamentals. Seeing packets flow reveals how protocols actually work, beyond textbook descriptions. This practical knowledge enhances every aspect of security work.

Getting Started with Wireshark

Capturing Traffic

capture-basics.sh
Bash

# Start the Wireshark GUI on a specific interface. Live capture needs privileges:
# on Linux, run as a member of the group dumpcap is installed for (often "wireshark")
# rather than as root.
wireshark -i eth0

# Command-line capture with tshark (-w writes pcapng by default, whatever the extension;
# add -F pcap if a consumer needs classic pcap)
tshark -i eth0 -w capture.pcap

# Capture with a BPF capture filter: everything on TCP/UDP port 80, which is
# usually, but not necessarily, HTTP
tshark -i eth0 -f "port 80" -w http_traffic.pcap

# Capture for a fixed duration with tshark's own autostop condition
# (equivalent to: timeout 60 tshark -i eth0 -w one_minute.pcap)
tshark -i eth0 -a duration:60 -w one_minute.pcap

Capture Filters vs. Display Filters

filter-types.txt
Text

Capture Filters (BPF syntax) - Applied during capture, before packets are written;
anything they drop is never recorded, so keep them broad:
host 192.168.1.100
port 443
tcp and port 80
not broadcast

Display Filters (Wireshark syntax) - Applied to already captured data; they hide
packets rather than discard them, so they can be changed at any time:
ip.addr == 192.168.1.100
tcp.port == 443
http.request.method == "GET"
dns.flags.response == 0

Essential Display Filters

Protocol Filters

protocol-filters.txt
Text

Basic Protocol Filters:

# Filter by protocol
http
dns
tcp
udp
icmp
tls
ssh

# HTTP specific
http.request
http.response
http.request.method == "POST"
http.response.code == 200
http.host contains "example.com"

# DNS specific
dns
dns.flags.response == 0  # Queries only
dns.flags.response == 1  # Responses only
dns.qry.name contains "suspicious"

# TLS/SSL
tls.handshake
tls.handshake.type == 1  # Client Hello
tls.handshake.extensions_server_name

IP and Port Filters

ip-port-filters.txt
Text

IP Address Filters:
ip.addr == 192.168.1.100        # Either source or dest
ip.src == 192.168.1.100         # Source only
ip.dst == 192.168.1.100         # Destination only
ip.addr == 192.168.1.0/24       # Subnet

Port Filters:
tcp.port == 443                 # Either source or dest
tcp.dstport == 80               # Destination only
tcp.srcport == 53               # Source only
udp.port == 53

Combined Filters:
ip.addr == 192.168.1.100 && tcp.port == 443
http && ip.src == 10.0.0.5
(dns || http) && ip.addr == 192.168.1.100

Security-Focused Filters

security-filters.txt
Text

Security Analysis Filters:

# TCP resets: refused connections (RST answering a SYN) and aborted sessions
tcp.flags.reset == 1

# Connection attempts: bare SYN with no ACK
tcp.flags.syn == 1 && tcp.flags.ack == 0

# Closed ports answering a probe with RST/ACK; a scan leaves many of these
tcp.flags.reset == 1 && tcp.flags.ack == 1
# A display filter tests one packet at a time, so "many SYNs to different ports"
# cannot be expressed here: apply the SYN filter, then sort Statistics > Conversations
# (TCP tab) by source address, or count distinct ports from tshark -T fields output.

# Suspicious DNS: long query names (encoded data in labels) or rarely used TLDs
len(dns.qry.name) > 50
dns && dns.qry.name contains ".xyz"

# HTTP with potential SQLi ("contains" is case-sensitive; "matches" takes a PCRE
# regex and (?i) makes it case-insensitive; keywords may also arrive URL-encoded)
http.request.uri contains "UNION"
http.request.uri matches "(?i)(union|select)"

# Clear-text credentials (HTTP Basic is only base64-encoded, not encrypted)
http.authorization
ftp.request.command == "PASS"

# Large segments: tcp.len is one segment's payload, so values above the MTU
# normally appear only in captures taken with segmentation offload enabled.
# Per-flow volume is better read from Statistics > Conversations, sorted by bytes.
tcp.len > 10000

Analysis Techniques

Following Streams

Right-click on a packet and select "Follow > TCP Stream" to reconstruct full conversations.

stream-analysis.txt
Text

Stream Following:
- TCP Stream: complete TCP conversation, both directions, in order
- UDP Stream: related UDP packets
- TLS Stream: decrypted application data; requires the session keys, e.g. a key log
  written by the client through SSLKEYLOGFILE and loaded under
  Edit > Preferences > Protocols > TLS > (Pre)-Master-Secret log filename
  (tshark: -o tls.keylog_file:keys.log)
- HTTP Stream: HTTP request/response pairs

Use Cases:
- Reconstruct downloaded files (show one direction only, save as raw)
- View complete HTTP conversations
- Analyze command-and-control traffic
- Extract credentials from clear-text protocols (FTP, Telnet, HTTP Basic)

Statistics and Analysis

statistics-features.txt
Text

Useful Statistics Features:

Statistics > Conversations
- See all IP/TCP/UDP conversations
- Identify top talkers
- Sort by bytes transferred

Statistics > Protocol Hierarchy
- Breakdown of protocols in capture
- Identify unexpected protocols

Statistics > Endpoints
- All communicating hosts
- Traffic volume per host

Statistics > HTTP > Requests
- All HTTP requests in capture
- Quick URL overview

Analyze > Expert Information
- Warnings and errors
- Retransmissions, resets
- Protocol violations

Extracting Data

data-extraction.txt
Text

Export Objects (File > Export Objects):
- HTTP: Downloaded files, images, documents
- SMB: Windows file shares
- IMF: Email messages
- TFTP: Transferred files

Manual Extraction:
- Follow stream > Show data as Raw > Save as
- File > Export Packet Bytes
- Use tshark for automated extraction (tshark -r capture.pcap --export-objects http,outdir)

Security Use Cases

Incident Investigation

incident-workflow.txt
Text

Incident Investigation Workflow:

1. Scope the Timeframe
 - Filter to relevant time window
 - Identify involved hosts

2. Identify C2 Traffic
 - Look for beaconing patterns
 - Check DNS for tunneling
 - Examine unusual ports/protocols

3. Trace Lateral Movement
 - SMB/RDP connections
 - Authentication traffic (Kerberos, NTLM)
 - Remote execution (WMI, PsExec)

4. Find Data Exfiltration
 - Large outbound transfers
 - Encrypted tunnels
 - Cloud storage uploads

5. Extract IOCs
 - Destination IPs/domains
 - User agents
 - File hashes from transfers
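The "potential port scan" filter in the security filters above tests one packet at a time, and step 2 of this workflow asks for beaconing patterns, which likewise only show up across many packets. The script below is an added example written for this page, not code from Wireshark or tshark: it reads the tab-separated output of the tshark command in its docstring (bare SYNs with timestamp, source, destination and destination port) and reports sources that hit many distinct ports on one host within a short window, and flows whose connections start at evenly spaced intervals. The thresholds, the script name syn_triage.py and the sample lines are assumptions; the sample is constructed, not a real capture.

```python
"""Triage bare-SYN records exported from tshark: find port scans and beacons.

Feed it one line per SYN-without-ACK, tab-separated, produced by:
  tshark -r capture.pcap -Y "tcp.flags.syn == 1 && tcp.flags.ack == 0" \
      -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport \
      | python3 syn_triage.py -
Run with no arguments to use the constructed sample below (not a real capture).
"""
import statistics
import sys
from collections import defaultdict

SAMPLE = "\n".join([
    # 10.0.0.5 sweeps eight ports on 192.168.1.100 within 70 ms
    "1700000000.10\t10.0.0.5\t192.168.1.100\t22",
    "1700000000.11\t10.0.0.5\t192.168.1.100\t23",
    "1700000000.12\t10.0.0.5\t192.168.1.100\t80",
    "1700000000.13\t10.0.0.5\t192.168.1.100\t443",
    "1700000000.14\t10.0.0.5\t192.168.1.100\t445",
    "1700000000.15\t10.0.0.5\t192.168.1.100\t3389",
    "1700000000.16\t10.0.0.5\t192.168.1.100\t8080",
    "1700000000.17\t10.0.0.5\t192.168.1.100\t8443",
    # 192.168.1.20 connects to 203.0.113.9:443 every ~60 s with little jitter
    "1700000000.00\t192.168.1.20\t203.0.113.9\t443",
    "1700000060.50\t192.168.1.20\t203.0.113.9\t443",
    "1700000119.80\t192.168.1.20\t203.0.113.9\t443",
    "1700000180.20\t192.168.1.20\t203.0.113.9\t443",
    "1700000240.10\t192.168.1.20\t203.0.113.9\t443",
    # 192.168.1.21 browses 203.0.113.10 at human, irregular intervals
    "1700000003.00\t192.168.1.21\t203.0.113.10\t443",
    "1700000004.20\t192.168.1.21\t203.0.113.10\t443",
    "1700000090.00\t192.168.1.21\t203.0.113.10\t80",
    "1700000091.00\t192.168.1.21\t203.0.113.10\t443",
    "1700000400.00\t192.168.1.21\t203.0.113.10\t443",
])


def parse_syn_lines(text):
    """Yield (time, src, dst, dport); blank and malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4 or not all(parts):
            continue
        try:
            yield float(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue


def group_by_pair(records):
    """{(src, dst): [(time, dport), ...]} with each list sorted by time."""
    pairs = defaultdict(list)
    for t, src, dst, dport in records:
        pairs[(src, dst)].append((t, dport))
    for events in pairs.values():
        events.sort()
    return pairs


def find_scanners(pairs, min_ports=5, window_seconds=60.0):
    """Sources that SYN to >= min_ports distinct ports on one host inside
    window_seconds. Returns {src: {dst: sorted distinct ports}}. Retransmitted
    SYNs do not inflate the count because only distinct ports are counted."""
    hits = defaultdict(dict)
    for (src, dst), events in pairs.items():
        start = 0
        for end in range(len(events)):           # sliding time window
            while events[end][0] - events[start][0] > window_seconds:
                start += 1
            if len({p for _, p in events[start:end + 1]}) >= min_ports:
                hits[src][dst] = sorted({p for _, p in events})
                break
    return dict(hits)


def find_beacons(pairs, min_connections=4, max_cv=0.15):
    """Flows whose connection start times are evenly spaced. For each
    (src, dst, dport) with >= min_connections SYNs, the coefficient of
    variation (stdev / mean) of the gaps is computed; a timer gives a low CV,
    a human a high one. Returns {(src, dst, dport): (mean_gap_s, cv)}."""
    flows = defaultdict(list)
    for (src, dst), events in pairs.items():
        for t, dport in events:                   # already time-ordered
            flows[(src, dst, dport)].append(t)
    beacons = {}
    for key, times in flows.items():
        if len(times) < min_connections:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons[key] = (round(mean, 1), round(cv, 3))
    return beacons


def main(argv):
    text = sys.stdin.read() if argv[1:] == ["-"] else SAMPLE
    pairs = group_by_pair(parse_syn_lines(text))
    for src, targets in find_scanners(pairs).items():
        for dst, ports in targets.items():
            print(f"scan   {src} -> {dst}: {len(ports)} ports, e.g. {ports[:6]}")
    for (src, dst, dport), (mean, cv) in find_beacons(pairs).items():
        print(f"beacon {src} -> {dst}:{dport} every {mean}s (cv={cv})")


if __name__ == "__main__":
    main(sys.argv)
```

The beacon check deliberately keys on destination port as well as addresses, because malware that beacons to one host on a fixed port looks different from a browser that keeps reopening connections to a CDN; tune max_cv upward if the implant adds jitter, and treat any hit as a lead to confirm with Follow > TCP Stream rather than as a verdict.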

Malware Analysis

malware-analysis.txt
Text

Malware Traffic Analysis:

Initial Callbacks:
- DNS lookups for C2 domains
- HTTP/HTTPS to unknown hosts (for HTTPS, the SNI in the Client Hello still names the host)
- Non-standard port usage, or a standard port carrying the wrong protocol

C2 Communication Patterns:
- Regular beacon intervals
- Encoded/encrypted payloads
- User-Agent anomalies

Data Exfiltration:
- Large POST requests
- DNS tunneling (long subdomains)
- FTP/SFTP transfers
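The "DNS tunneling (long subdomains)" item above is another pattern that a single-packet filter can only approximate. The following added example is this page's own illustration, not part of Wireshark: it scores query names exported with the tshark command in its docstring, and for each zone counts unique subdomains and measures their length and Shannon entropy, the three traits of encoded payload chunks carried in labels. The zone split (last two labels, no public suffix list), the thresholds, the script name dns_tunnel_score.py and the constructed sample queries are assumptions.

```python
"""Score DNS query names exported from tshark for tunneling/exfiltration patterns.

Input: one line per query, tab-separated client address and query name, from
  tshark -r capture.pcap -Y "dns.flags.response == 0" \
      -T fields -E occurrence=f -e ip.src -e dns.qry.name | python3 dns_tunnel_score.py -
Run with no arguments to use the constructed sample below (not a real capture).
"""
import math
import sys
from collections import defaultdict

# Constructed sample: ordinary lookups plus six queries whose first label is a
# 32-character hex chunk, the shape of data smuggled out through DNS.
SAMPLE = "\n".join([
    "192.168.1.20\twww.example.com",
    "192.168.1.20\tmail.example.com",
    "192.168.1.20\tcdn.example.com",
    "192.168.1.21\tlogin.microsoftonline.com",
    "192.168.1.21\tupdate.example.org",
    "192.168.1.20\ta3f91c7e0b5d28466482d5b0e7c19f3a.tunnel.example.net",
    "192.168.1.20\t0123456789abcdeffedcba9876543210.tunnel.example.net",
    "192.168.1.20\t5e2a9c1f7b3d08644680d3b7f1c9a2e5.tunnel.example.net",
    "192.168.1.20\tb7d1f3a9c5e086422468e0c5a3f1d7b9.tunnel.example.net",
    "192.168.1.20\t91e3c5a7f0b2d468864d2b0f7a5c3e19.tunnel.example.net",
    "192.168.1.20\tf0e1d2c3b4a5968778695a4b3c2d1e0f.tunnel.example.net",
])


def shannon_entropy(text):
    """Bits per character: random hex is near 4.0, base64 near 6.0, words 2 to 3."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (subdomain, zone). ASSUMPTION: the zone is the last two labels;
    a real tool would consult the public suffix list so that x.co.uk splits right."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_queries(text):
    """Yield (client, qname) pairs; blank and malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) == 2 and all(parts):
            yield parts[0], parts[1]


def score_zones(queries, min_unique=5, min_length=30, min_entropy=3.5):
    """Zones whose subdomains look like payload: many unique names per zone
    (a tunnel never repeats a chunk, so resolver caching never helps it), long,
    and high entropy. Returns {zone: stats}. Some CDNs and telemetry also emit
    many unique labels, so a hit is a lead for Follow > UDP Stream, not proof."""
    subs = defaultdict(set)
    clients = defaultdict(set)
    for client, qname in queries:
        sub, zone = split_name(qname)
        if sub:
            subs[zone].add(sub)
            clients[zone].add(client)
    flagged = {}
    for zone, names in subs.items():
        if len(names) < min_unique:
            continue
        mean_len = sum(len(s) for s in names) / len(names)
        mean_ent = sum(shannon_entropy(s.replace(".", "")) for s in names) / len(names)
        if mean_len >= min_length and mean_ent >= min_entropy:
            flagged[zone] = {
                "unique_subdomains": len(names),
                "mean_length": round(mean_len, 1),
                "mean_entropy": round(mean_ent, 2),
                "clients": sorted(clients[zone]),
            }
    return flagged


def main(argv):
    text = sys.stdin.read() if argv[1:] == ["-"] else SAMPLE
    for zone, stats in sorted(score_zones(parse_queries(text)).items()):
        print(f"{zone}: {stats}")


if __name__ == "__main__":
    main(sys.argv)
```

For IPv6 clients export ipv6.src instead of ip.src; and once a zone is flagged, the Wireshark filter dns.qry.name contains "tunnel.example.net" together with Follow > UDP Stream shows whether the responses carry data back in TXT or NULL records.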

Command-Line with tshark

tshark-examples.sh
Bash

# Basic capture to file (-w writes pcapng by default; -F pcap forces classic pcap)
tshark -i eth0 -w capture.pcap

# Read a capture and apply a display filter (-Y takes display-filter syntax, not BPF)
tshark -r capture.pcap -Y "http.request"

# Extract specific fields, one tab-separated line per matching packet
# (-E header=y adds a header row; -E separator=, switches to CSV)
tshark -r capture.pcap -Y "http.request" -T fields -e ip.src -e http.host -e http.request.uri

# Statistics: the TCP conversation table, the same data as Statistics > Conversations
# (-q suppresses the per-packet output so only the table is printed)
tshark -r capture.pcap -q -z conv,tcp

# DNS queries, most frequently requested names first
tshark -r capture.pcap -Y "dns.flags.response == 0" -T fields -e dns.qry.name | sort | uniq -c | sort -rn

Career Relevance

Packet analysis skills distinguish capable security professionals. While GUI tools simplify common tasks, understanding network traffic at the packet level enables deeper analysis and troubleshooting.

Roles Using Packet Analysis (US Market)

Role                      Entry Level   Mid Level   Senior
Network Security Analyst  $65,000       $90,000     $120,000
Incident Responder        $75,000       $100,000    $135,000
Penetration Tester        $80,000       $110,000    $145,000
Forensic Analyst          $75,000       $100,000    $135,000

Source: CyberSeek

2026 Snapshot

Latest figures from authoritative 2026 industry reports:

  • Wireshark remains the #1 network protocol analyzer with millions of monthly downloads, decoding 3,000+ protocols in its current 4.x releases (Wireshark.org).
  • 60% of SOC analysts report using Wireshark weekly for incident triage and packet-level investigation, second only to SIEM dashboards (SANS 2025 SOC Survey).
  • The tool is included in CompTIA Security+, CySA+, GCIH, and OSCP exam objectives, making it the most-tested defensive analysis utility in 2026 certification programs (CompTIA exam objectives).

In the Bootcamp

How We Teach Wireshark

In our Cybersecurity Bootcamp, you won't just learn about Wireshark in theory. You'll practice with real tools in hands-on labs, guided by industry professionals who use these concepts daily.

Covered in:

Module 5: Security Governance, Risk & Compliance (GRC)

Related topics you'll master: NIST CSF, ISO 27001, GDPR/NIS2, Risk Management

360+ hours of expert-led training • CompTIA Security+ included