

Wireshark

The world's most widely used network protocol analyzer, Wireshark captures and interactively analyzes network traffic in real-time, enabling security professionals to troubleshoot networks, analyze protocols, and investigate security incidents.

Author: Unihackers Team

Why It Matters

Wireshark is the essential tool for understanding network communications at the packet level. When security incidents occur, logs tell you what happened—but packet captures reveal exactly how. This granularity is invaluable for forensic analysis, malware investigation, and understanding attack techniques.

Network troubleshooting benefits equally from packet analysis. When applications behave unexpectedly, packets reveal whether the issue lies with the network, server, or client. Understanding TCP handshakes, protocol behavior, and timing helps diagnose problems that higher-level monitoring misses.

For security professionals, Wireshark proficiency is foundational. Penetration testers analyze captured credentials and reconnaissance traffic. Incident responders examine command-and-control communications. Network security engineers troubleshoot and validate security tools. The skill transfers across virtually every technical security role.

Learning Wireshark deepens understanding of networking fundamentals. Seeing packets flow reveals how protocols actually work, beyond textbook descriptions. This practical knowledge enhances every aspect of security work.

Getting Started with Wireshark

Interface Overview

Capturing Traffic

capture-basics.sh
Bash

# Start Wireshark on a specific interface. Capturing needs root, or membership
# in the wireshark group so that dumpcap can run with capture capabilities.
wireshark -i eth0

# Command-line capture with tshark
tshark -i eth0 -w capture.pcap

# Capture with a BPF capture filter (TCP port 80 only; HTTPS on 443 would be
# captured encrypted and cannot be read as HTTP without keys)
tshark -i eth0 -f "tcp port 80" -w http_traffic.pcap

# Capture for a fixed duration with tshark's own autostop condition
tshark -i eth0 -a duration:60 -w one_minute.pcap

# Long-running capture: rotate to a new file every 100 MB, keep the last 10
tshark -i eth0 -b filesize:102400 -b files:10 -w ring.pcap

Capture Filters vs. Display Filters

filter-types.txt
Text

Capture Filters (BPF syntax) - Applied during capture, before packets are written.
Anything a capture filter excludes is gone for good, so keep it broad during incident captures:
host 192.168.1.100
port 443
tcp and port 80
not broadcast

Display Filters (Wireshark syntax) - Applied to already-captured data and can be
changed or cleared at any time without losing packets:
ip.addr == 192.168.1.100
tcp.port == 443
http.request.method == "GET"
dns.flags.response == 0

Essential Display Filters

Protocol Filters

protocol-filters.txt
Text

Basic Protocol Filters:

# Filter by protocol
http
dns
tcp
udp
icmp
tls
ssh

# HTTP specific
http.request
http.response
http.request.method == "POST"
http.response.code == 200
http.host contains "example.com"

# DNS specific
dns
dns.flags.response == 0  # Queries only
dns.flags.response == 1  # Responses only
dns.qry.name contains "suspicious"

# TLS/SSL
tls.handshake
tls.handshake.type == 1  # Client Hello
tls.handshake.extensions_server_name

IP and Port Filters

ip-port-filters.txt
Text

IP Address Filters:
ip.addr == 192.168.1.100        # Either source or dest
ip.src == 192.168.1.100         # Source only
ip.dst == 192.168.1.100         # Destination only
ip.addr == 192.168.1.0/24       # Subnet

Port Filters:
tcp.port == 443                 # Either source or dest
tcp.dstport == 80               # Destination only
tcp.srcport == 53               # Source only
udp.port == 53

Combined Filters:
ip.addr == 192.168.1.100 && tcp.port == 443
http && ip.src == 10.0.0.5
(dns || http) && ip.addr == 192.168.1.100

Security-Focused Filters

security-filters.txt
Text

Security Analysis Filters:

# Connections reset (refused or aborted; not every RST is a failure)
tcp.flags.reset == 1

# SYN without ACK (new connection attempts; many of these from one host to many ports suggests a scan)
tcp.flags.syn == 1 && tcp.flags.ack == 0

# RST/ACK replies from closed ports (what a SYN scan gets back from a closed port)
tcp.flags.reset == 1 && tcp.flags.ack == 1

# Suspicious DNS (long query names, unusual TLDs)
dns.qry.name.len > 50
dns.qry.name matches "[.]xyz$"

# HTTP with potential SQLi (contains is a literal, case-sensitive match;
# matches is a regex and (?i) makes it case-insensitive)
http.request.uri matches "(?i)union.+select"
http.request.uri contains "'"

# Clear-text credentials
http.authorization contains "Basic"
ftp.request.command == "PASS"

# Large segments (tcp.len is the payload of one segment, so it rarely exceeds
# the MSS unless the capture host used offloading; for whole-transfer volume
# use Statistics > Conversations sorted by bytes)
tcp.len > 1400
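The two SYN-related filters above only show candidate packets; deciding that a host is scanning means counting distinct destination ports per source over a short window and checking how many probes came back as RST/ACK. The script below is an added example (not code from the page or from the Wireshark project) that does that over tshark field output. The CSV embedded in it is constructed to imitate what the tshark command in its docstring prints; the thresholds (eight ports within five seconds) are assumptions to tune per environment.

```python
"""Spot SYN scans in tshark field output (added example, not from the page).

The constructed SAMPLE below imitates the CSV printed by:
    tshark -r capture.pcap -Y "tcp.flags.syn == 1 || tcp.flags.reset == 1" \
        -T fields -E separator=, -E header=n \
        -e frame.time_epoch -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport \
        -e tcp.flags.syn -e tcp.flags.ack -e tcp.flags.reset
Boolean fields print as 1/0 on older tshark releases and True/False on newer ones.
"""
from collections import defaultdict

# Constructed sample: 10.0.0.5 probes ten ports on 192.168.1.100 within two
# seconds; seven closed ports answer RST/ACK, three open ones answer SYN/ACK.
# 10.0.0.7 is a normal client opening two HTTPS connections minutes apart.
SAMPLE = """\
1700000000.10,10.0.0.5,192.168.1.100,40001,21,1,0,0
1700000000.11,192.168.1.100,10.0.0.5,21,40001,0,1,1
1700000000.30,10.0.0.5,192.168.1.100,40002,22,1,0,0
1700000000.31,192.168.1.100,10.0.0.5,22,40002,1,1,0
1700000000.50,10.0.0.5,192.168.1.100,40003,23,1,0,0
1700000000.51,192.168.1.100,10.0.0.5,23,40003,0,1,1
1700000000.70,10.0.0.5,192.168.1.100,40004,25,1,0,0
1700000000.71,192.168.1.100,10.0.0.5,25,40004,0,1,1
1700000000.90,10.0.0.5,192.168.1.100,40005,80,1,0,0
1700000000.91,192.168.1.100,10.0.0.5,80,40005,1,1,0
1700000001.10,10.0.0.5,192.168.1.100,40006,443,1,0,0
1700000001.11,192.168.1.100,10.0.0.5,443,40006,1,1,0
1700000001.30,10.0.0.5,192.168.1.100,40007,445,1,0,0
1700000001.31,192.168.1.100,10.0.0.5,445,40007,0,1,1
1700000001.50,10.0.0.5,192.168.1.100,40008,3389,1,0,0
1700000001.51,192.168.1.100,10.0.0.5,3389,40008,0,1,1
1700000001.70,10.0.0.5,192.168.1.100,40009,8080,1,0,0
1700000001.71,192.168.1.100,10.0.0.5,8080,40009,0,1,1
1700000001.90,10.0.0.5,192.168.1.100,40010,8443,1,0,0
1700000001.91,192.168.1.100,10.0.0.5,8443,40010,0,1,1
1700000005.00,10.0.0.7,192.168.1.100,51000,443,1,0,0
1700000005.01,192.168.1.100,10.0.0.7,443,51000,1,1,0
1700000300.00,10.0.0.7,192.168.1.100,51001,443,1,0,0
"""


def _flag(value):
    """tshark prints booleans as 1/0 or True/False depending on version."""
    return value in ("1", "True")


def parse_rows(csv_text):
    """Turn the comma-separated tshark lines into dicts with typed fields."""
    rows = []
    for line in csv_text.strip().splitlines():
        ts, src, dst, _sport, dport, syn, ack, rst = line.split(",")
        rows.append({"ts": float(ts), "src": src, "dst": dst, "dport": int(dport),
                     "syn": _flag(syn), "ack": _flag(ack), "rst": _flag(rst)})
    return rows


def detect_syn_scans(rows, port_threshold=8, window_seconds=5.0):
    """Report (scanner, target) pairs that sent SYNs to many distinct ports
    inside a sliding time window, plus how many RST/ACK replies came back."""
    syn_only = defaultdict(list)   # (scanner, target) -> [(ts, dport)]
    rst_ack = defaultdict(int)     # (scanner, target) -> closed-port replies
    for r in rows:
        if r["syn"] and not r["ack"]:
            syn_only[(r["src"], r["dst"])].append((r["ts"], r["dport"]))
        elif r["rst"] and r["ack"]:
            rst_ack[(r["dst"], r["src"])] += 1   # reply travels target -> scanner
    findings = []
    for (scanner, target), probes in syn_only.items():
        probes.sort()
        best, start = 0, 0
        for end in range(len(probes)):
            while probes[end][0] - probes[start][0] > window_seconds:
                start += 1
            best = max(best, len({port for _, port in probes[start:end + 1]}))
        if best >= port_threshold:
            findings.append({"scanner": scanner, "target": target,
                             "distinct_ports_in_window": best,
                             "closed_port_replies": rst_ack[(scanner, target)]})
    return findings


if __name__ == "__main__":
    for finding in detect_syn_scans(parse_rows(SAMPLE)):
        print(finding)
```

On a real capture, pipe the tshark command from the docstring into this script instead of using SAMPLE; the RST/ACK count is the useful confirmation, because a scanner hitting mostly closed ports produces one RST/ACK per probe while a legitimate client almost never sees any.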

Analysis Techniques

Following Streams

Right-click on a packet and select "Follow > TCP Stream" to reconstruct full conversations.

stream-analysis.txt
Text

Stream Following:
- TCP Stream: Complete TCP conversation, both directions, reassembled in order
- UDP Stream: Related UDP datagrams between the same pair of endpoints
- TLS Stream: Decrypted application data; requires the session keys (an SSLKEYLOGFILE
  from the client) or the server's RSA private key for non-(EC)DHE cipher suites
- HTTP Stream: HTTP request/response pairs, with compressed bodies decoded

Use Cases:
- Reconstruct downloaded files
- View complete HTTP conversations
- Analyze command-and-control traffic
- Extract credentials from clear-text protocols

Statistics and Analysis

statistics-features.txt
Text

Useful Statistics Features:

Statistics > Conversations
- See all IP/TCP/UDP conversations
- Identify top talkers
- Sort by bytes transferred

Statistics > Protocol Hierarchy
- Breakdown of protocols in capture
- Identify unexpected protocols

Statistics > Endpoints
- All communicating hosts
- Traffic volume per host

Statistics > HTTP > Requests
- All HTTP requests in capture
- Quick URL overview

Analyze > Expert Information
- Warnings and errors
- Retransmissions, resets
- Protocol violations

Extracting Data

data-extraction.txt
Text

Export Objects (File > Export Objects):
- HTTP: Downloaded files, images, documents
- SMB: Windows file shares
- IMF: Email messages
- TFTP: Transferred files

Manual Extraction:
- Follow stream > show data as Raw > Save as...
- File > Export Packet Bytes (saves the bytes of the selected field or packet)
- Use tshark for automated extraction: tshark -r capture.pcap --export-objects http,./exported

Security Use Cases

Incident Investigation

incident-workflow.txt
Text

Incident Investigation Workflow:

1. Scope the Timeframe
 - Filter to relevant time window
 - Identify involved hosts

2. Identify C2 Traffic
 - Look for beaconing patterns
 - Check DNS for tunneling
 - Examine unusual ports/protocols

3. Trace Lateral Movement
 - SMB/RDP connections
 - Authentication traffic
 - Remote execution (WMI, PSExec)

4. Find Data Exfiltration
 - Large outbound transfers
 - Encrypted tunnels
 - Cloud storage uploads

5. Extract IOCs
 - Destination IPs/domains
 - User agents
 - File hashes from transfers
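Step 2 (beaconing) and step 5 (IOCs) of this workflow can be automated over tshark output. The script below is an added example, not code from the page or the Wireshark project: it groups HTTP requests by client, server and Host header, flags series whose inter-request intervals are regular (low coefficient of variation, which survives the small random jitter most implants add), and collects the destination IPs, domains and User-Agent strings of the flagged series as IOCs. The embedded CSV is constructed to imitate the tshark command in the docstring; the thresholds (six requests, jitter below 25%) are assumptions.

```python
"""Beacon detection and IOC extraction over tshark HTTP-request output
(added example, not from the page or the Wireshark project).

The constructed SAMPLE imitates the CSV printed by:
    tshark -r capture.pcap -Y "http.request" -T fields -E separator=, -E header=n \
        -e frame.time_epoch -e ip.src -e ip.dst -e http.host -e http.user_agent
A real User-Agent can contain commas; add -E quote=d and parse with the csv
module in that case. The same idea works for TLS by using
-Y "tls.handshake.type == 1" and -e tls.handshake.extensions_server_name.
"""
import statistics
from collections import defaultdict

# Constructed sample: 10.0.0.12 contacts cdn-updates.example about every 60 s
# with a few seconds of jitter and an old User-Agent, and browses
# www.example.com at irregular, human-looking intervals.
SAMPLE = """\
1700000000.00,10.0.0.12,203.0.113.7,cdn-updates.example,Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
1700000061.00,10.0.0.12,203.0.113.7,cdn-updates.example,Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
1700000119.00,10.0.0.12,203.0.113.7,cdn-updates.example,Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
1700000180.00,10.0.0.12,203.0.113.7,cdn-updates.example,Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
1700000242.00,10.0.0.12,203.0.113.7,cdn-updates.example,Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
1700000298.00,10.0.0.12,203.0.113.7,cdn-updates.example,Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
1700000360.00,10.0.0.12,203.0.113.7,cdn-updates.example,Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
1700000421.00,10.0.0.12,203.0.113.7,cdn-updates.example,Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
1700000005.00,10.0.0.12,198.51.100.20,www.example.com,Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0
1700000007.00,10.0.0.12,198.51.100.20,www.example.com,Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0
1700000008.00,10.0.0.12,198.51.100.20,www.example.com,Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0
1700000120.00,10.0.0.12,198.51.100.20,www.example.com,Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0
1700000121.00,10.0.0.12,198.51.100.20,www.example.com,Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0
1700000400.00,10.0.0.12,198.51.100.20,www.example.com,Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0
"""


def parse_requests(csv_text):
    """Parse tshark CSV lines; the User-Agent is the last field and may contain spaces."""
    rows = []
    for line in csv_text.strip().splitlines():
        ts, src, dst, host, ua = line.split(",", 4)
        rows.append({"ts": float(ts), "src": src, "dst": dst, "host": host, "ua": ua})
    return rows


def find_beacons(rows, min_requests=6, max_cv=0.25):
    """Group requests by (src, dst, host) and flag series whose gaps between
    requests are regular: coefficient of variation (stdev / mean) <= max_cv."""
    series = defaultdict(list)
    for r in rows:
        series[(r["src"], r["dst"], r["host"])].append(r)
    beacons = []
    for (src, dst, host), reqs in series.items():
        if len(reqs) < min_requests:
            continue
        times = sorted(r["ts"] for r in reqs)
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            beacons.append({"src": src, "dst": dst, "host": host, "count": len(reqs),
                            "mean_interval_s": round(mean, 1), "jitter_cv": round(cv, 3),
                            "user_agents": sorted({r["ua"] for r in reqs})})
    return beacons


def extract_iocs(beacons):
    """Collect the network IOCs of flagged series for blocking and hunting."""
    return {"ips": sorted({b["dst"] for b in beacons}),
            "domains": sorted({b["host"] for b in beacons}),
            "user_agents": sorted({ua for b in beacons for ua in b["user_agents"]})}


if __name__ == "__main__":
    found = find_beacons(parse_requests(SAMPLE))
    for b in found:
        print(b)
    print(extract_iocs(found))
```

The browsing series has a mean gap near 79 s but a standard deviation above 100 s, so it is not flagged; the implant series has a mean gap of about 60 s with a jitter CV of about 0.035. Sleep intervals of hours need a correspondingly longer capture, and an implant that randomises its sleep by more than max_cv will not be caught by this check alone.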

Malware Analysis

malware-analysis.txt
Text

Malware Traffic Analysis:

Initial Callbacks:
- DNS lookups for C2 domains
- HTTP/HTTPS to unknown hosts
- Non-standard port usage

C2 Communication Patterns:
- Regular beacon intervals
- Encoded/encrypted payloads
- User-Agent anomalies

Data Exfiltration:
- Large POST requests
- DNS tunneling (long subdomains)
- FTP/SFTP transfers
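The "long subdomains" hint for DNS tunnelling becomes a usable check when you profile each registered domain: a tunnel produces many unique, long, high-entropy subdomains (encoded data) and often uses TXT or NULL records instead of A/AAAA. The script below is an added example, not code from the page or the Wireshark project. Its embedded CSV is constructed to imitate the tshark command in the docstring; the registered-domain split (last two labels) and the thresholds are assumptions, and real tooling should use the Public Suffix List so that co.uk-style domains are handled.

```python
"""Profile DNS queries per registered domain to find tunnel-like behaviour
(added example, not from the page or the Wireshark project).

The constructed SAMPLE imitates the CSV printed by:
    tshark -r capture.pcap -Y "dns.flags.response == 0" -T fields \
        -E separator=, -E header=n -e ip.src -e dns.qry.name -e dns.qry.type
dns.qry.type is numeric: 1 = A, 16 = TXT, 28 = AAAA.
"""
import math
import statistics
from collections import defaultdict

# Constructed sample: ordinary lookups under example.com/example.org, and five
# TXT queries whose 40-hex-character labels carry encoded data under example.net.
SAMPLE = """\
10.0.0.12,www.example.com,1
10.0.0.12,mail.example.org,1
10.0.0.12,www.example.com,28
10.0.0.12,cdn.example.org,1
10.0.0.12,0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8091.t.example.net,16
10.0.0.12,9f8e7d6c5b4a39281706f5e4d3c2b1a091827364.t.example.net,16
10.0.0.12,1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f70819203.t.example.net,16
10.0.0.12,e4d5c6b7a8f9e0d1c2b3a4f5e6d7c8b9a0132465.t.example.net,16
10.0.0.12,7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f405162.t.example.net,16
"""


def shannon_entropy(text):
    """Bits per character; encoded data scores high, words like 'www' score low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_query(name):
    """Naive (subdomain, registered domain) split on the last two labels.
    Assumption for this example; use the Public Suffix List in production."""
    labels = name.rstrip(".").split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_queries(csv_text):
    rows = []
    for line in csv_text.strip().splitlines():
        src, name, qtype = line.split(",")
        rows.append({"src": src, "name": name, "qtype": int(qtype)})
    return rows


def profile_domains(rows):
    """Per registered domain: query count, unique subdomains, their mean length
    and entropy, and the share of queries that are not A/AAAA lookups."""
    per_domain = defaultdict(lambda: {"subdomains": set(), "queries": 0, "non_addr": 0})
    for r in rows:
        sub, dom = split_query(r["name"])
        d = per_domain[dom]
        d["queries"] += 1
        d["subdomains"].add(sub)
        if r["qtype"] not in (1, 28):
            d["non_addr"] += 1
    profiles = {}
    for dom, d in per_domain.items():
        subs = [s for s in d["subdomains"] if s]
        profiles[dom] = {
            "queries": d["queries"],
            "unique_subdomains": len(subs),
            "avg_subdomain_len": statistics.mean(len(s) for s in subs) if subs else 0.0,
            "avg_entropy": statistics.mean(shannon_entropy(s) for s in subs) if subs else 0.0,
            "non_address_ratio": d["non_addr"] / d["queries"],
        }
    return profiles


def suspect_tunnels(profiles, min_unique=4, min_len=30, min_entropy=3.0):
    """Domains with many unique, long, high-entropy subdomains (thresholds are assumptions)."""
    return sorted(dom for dom, p in profiles.items()
                  if p["unique_subdomains"] >= min_unique
                  and p["avg_subdomain_len"] >= min_len
                  and p["avg_entropy"] >= min_entropy)


if __name__ == "__main__":
    profiles = profile_domains(parse_queries(SAMPLE))
    for dom in suspect_tunnels(profiles):
        print(dom, profiles[dom])
```

Only example.net is reported: its five subdomains average 42 characters with entropy near 4 bits per character and every query is a TXT lookup, whereas www, mail and cdn are short and low-entropy. Large CDNs and some anti-virus products also generate long, hashed-looking subdomains, so treat the output as a hunting lead and confirm with Follow > UDP Stream on the actual responses.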

Command-Line with tshark

tshark-examples.sh
Bash

# Basic capture to file
tshark -i eth0 -w capture.pcap

# Read a pcap and apply a display filter (-Y takes Wireshark display-filter syntax)
tshark -r capture.pcap -Y "http.request"

# Extract specific fields (tab-separated by default)
tshark -r capture.pcap -Y "http.request" -T fields -e ip.src -e http.host -e http.request.uri

# Same fields as CSV for scripting
tshark -r capture.pcap -Y "http.request" -T fields -E separator=, -E header=n -e ip.src -e http.host -e http.request.uri

# Statistics: TCP conversations, without printing the packets (-q)
tshark -r capture.pcap -q -z conv,tcp

# DNS queries, most frequent names first
tshark -r capture.pcap -Y "dns.flags.response == 0" -T fields -e dns.qry.name | sort | uniq -c | sort -rn

# Export HTTP-transferred files to a directory (same as File > Export Objects > HTTP)
tshark -r capture.pcap --export-objects http,./exported

Career Relevance

Packet analysis skills distinguish capable security professionals. While GUI tools simplify common tasks, understanding network traffic at the packet level enables deeper analysis and troubleshooting.

Roles Using Packet Analysis (US Market, annual salary)

Role                     | Entry Level | Mid Level | Senior
Network Security Analyst | $65,000     | $90,000   | $120,000
Incident Responder       | $75,000     | $100,000  | $135,000
Penetration Tester       | $80,000     | $110,000  | $145,000
Forensic Analyst         | $75,000     | $100,000  | $135,000

Source: CyberSeek

In the Bootcamp

How We Teach Wireshark

In our Cybersecurity Bootcamp, you won't just learn about Wireshark in theory. You'll practice with real tools in hands-on labs, guided by industry professionals who use these concepts daily.

Covered in:

Module 5: Security Governance, Risk & Compliance (GRC)

Related topics you'll master: NIST CSF, ISO 27001, GDPR/NIS2, Risk Management

360+ hours of expert-led training • 94% employment rate