Comprehensive Guide to Wireshark Usage

May 10, 2025

Introduction to Wireshark

  • Wireshark is a powerful network traffic analyzer for both Mac and Windows.
  • This tutorial updates one published over 8 years ago with new insights into Wireshark and cybersecurity.

Installation

  • Wireshark is free to download and use for both Mac and Windows.
  • An additional package may be needed for Mac users upon installation.

Capturing Network Traffic

  • Once installed, Wireshark captures packets from whichever network interface card you select.
  • Start capturing by double-clicking an interface, such as Ethernet or Wi-Fi.
  • Stop capturing by clicking the red stop button after you have enough data.

Analyzing Packet Data

  • Each row in Wireshark represents a packet of information.
  • Network communication consists of packets transferred between the computer and a web server.
  • Challenges include filtering out unimportant packets (e.g., IoT device communications).

Using Statistics and Conversations

  • Use the 'Statistics' menu in Wireshark for capture file properties and conversations.
  • Conversations show communication data such as IP addresses involved, bytes sent, and packet sizes.
  • Knowing key IP addresses on your network is crucial for analysis.

Goals and Filters in Wireshark

  • Wireshark is best used with specific goals in mind (e.g., device troubleshooting, phishing detection).
  • Apply filters to focus on specific packets (e.g., all packets to/from a specific IP address).
  • Use 'Apply as filter' by right-clicking on an IP address.

Capturing More Data

  • Close the current PCAP and start a new capture to gather interesting data.
  • Load websites during the capture for more meaningful data collection.

Filtering HTTP and HTTPS Traffic

  • Use filters to view HTTP (insecure) and HTTPS (secure) traffic.
  • Follow HTTP streams to see unencrypted data and understand phishing mechanisms.

Encryption and Decryption

  • Use TCP port filters to isolate traffic by port (e.g., tcp.port == 80); note that port 80 is plaintext HTTP, while encrypted HTTPS normally runs on port 443.
  • Load the relevant encryption keys into Wireshark to decrypt such traffic (advanced users).

Creating Filter Buttons

  • Create buttons for common filters to streamline the analysis process.
  • Example: creating a filter button for port 80 traffic.

Coloring Rules

  • Coloring indicates different types of traffic and analysis results (e.g., black for bad TCP).
  • Modify coloring rules in the 'View' menu.

Preferences and Layout

  • Change layout and preferences to customize how packets are displayed.
  • Enable packet diagram view for educational purposes.

Useful Filters

  • Hide lesser protocols: !(arp or stp or lldp or cdp)
  • TCP SYN flags: tcp.flags.syn == 1
  • Packets Wireshark's TCP analysis has flagged: tcp.analysis.flags
  • Abortive release (reset) packets: tcp.flags.reset == 1
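The conversations view, the display filters listed above, and "follow TCP stream" all boil down to dissecting each frame into named fields and grouping or testing those fields. The following is an added example, not code from the tutorial or from the Wireshark project: it builds a small constructed capture of Ethernet/IPv4/TCP frames (made-up addresses from documentation ranges, zero checksums, a dummy ARP frame), parses them into dicts keyed by Wireshark's own field names, and then reproduces Statistics > Conversations, the filters tcp.port == 80, tcp.flags.syn == 1, tcp.flags.reset == 1 and !(arp or stp or lldp or cdp), and a simplified Follow > TCP Stream on the plaintext HTTP exchange. Everything except the filter expressions and field names is an assumption of this example.

```python
"""Added example: what Wireshark does with a capture, reproduced in plain Python on constructed frames."""
import socket
import struct
from collections import defaultdict

# TCP flag bits, in the layout Wireshark exposes as tcp.flags.fin / .syn / .reset / .push / .ack
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
MAC = b"\x00" * 6  # dummy MAC address for the constructed frames

def build_frame(src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Build a minimal Ethernet/IPv4/TCP frame. Checksums stay zero: this is test data, not a real capture."""
    eth = MAC + MAC + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp

def build_arp_frame():
    """A bare ARP frame (EtherType 0x0806): the kind of noise the !(arp or ...) filter hides."""
    return MAC + MAC + b"\x08\x06" + b"\x00" * 28

def parse_frame(frame):
    """Dissect one frame into a dict keyed by Wireshark display-filter field names."""
    pkt = {"frame.len": len(frame), "proto": "other"}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x0806:
        pkt["proto"] = "arp"
        return pkt
    if ethertype != 0x0800:
        return pkt
    ip = frame[14:]
    pkt.update({"proto": "ip", "ip.src": socket.inet_ntoa(ip[12:16]), "ip.dst": socket.inet_ntoa(ip[16:20])})
    if ip[9] != 6:  # protocol field: 6 is TCP
        return pkt
    tcp = ip[(ip[0] & 0x0F) * 4:]  # skip the IPv4 header (IHL is in 32-bit words)
    sport, dport = struct.unpack("!HH", tcp[:4])
    pkt.update({"proto": "tcp", "tcp.srcport": sport, "tcp.dstport": dport,
                "tcp.flags": tcp[13], "tcp.payload": tcp[(tcp[12] >> 4) * 4:]})
    return pkt

# Display filters from the tutorial, expressed as predicates over the parsed packet.
FILTERS = {
    "!(arp or stp or lldp or cdp)": lambda p: p["proto"] not in ("arp", "stp", "lldp", "cdp"),
    "tcp.port == 80": lambda p: 80 in (p.get("tcp.srcport"), p.get("tcp.dstport")),
    "tcp.flags.syn == 1": lambda p: bool(p.get("tcp.flags", 0) & SYN),
    "tcp.flags.reset == 1": lambda p: bool(p.get("tcp.flags", 0) & RST),
}

def apply_filter(packets, expr):
    """Return the packets Wireshark would keep for the given display filter."""
    return [p for p in packets if FILTERS[expr](p)]

def conversations(packets):
    """Statistics > Conversations (IPv4 tab): packets and bytes per unordered address pair."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for p in packets:
        if "ip.src" not in p:
            continue
        key = tuple(sorted((p["ip.src"], p["ip.dst"])))
        stats[key]["packets"] += 1
        stats[key]["bytes"] += p["frame.len"]
    return dict(stats)

def follow_tcp_stream(packets, ip_a, port_a, ip_b, port_b):
    """Follow > TCP Stream, simplified: concatenate both directions' payloads in capture order."""
    ends = {(ip_a, port_a), (ip_b, port_b)}
    return b"".join(p["tcp.payload"] for p in packets if p["proto"] == "tcp"
                    and {(p["ip.src"], p["tcp.srcport"]), (p["ip.dst"], p["tcp.dstport"])} == ends)

# Constructed capture: a plaintext HTTP exchange on port 80 and a refused connection attempt on 443.
CLIENT, WEB, CDN = "192.168.1.10", "203.0.113.20", "198.51.100.7"  # made-up addresses
CAPTURE = [parse_frame(f) for f in (
    build_arp_frame(),
    build_frame(CLIENT, WEB, 51000, 80, SYN),
    build_frame(WEB, CLIENT, 80, 51000, SYN | ACK),
    build_frame(CLIENT, WEB, 51000, 80, ACK),
    build_frame(CLIENT, WEB, 51000, 80, PSH | ACK, b"GET /login HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    build_frame(WEB, CLIENT, 80, 51000, PSH | ACK, b"HTTP/1.1 200 OK\r\n\r\n"),
    build_frame(CLIENT, CDN, 51001, 443, SYN),
    build_frame(CDN, CLIENT, 443, 51001, RST | ACK),
)]

if __name__ == "__main__":
    for pair, s in conversations(CAPTURE).items():
        print(f"{pair[0]} <-> {pair[1]}: {s['packets']} packets, {s['bytes']} bytes")
    for expr in FILTERS:
        print(f"{expr!r:32} keeps {len(apply_filter(CAPTURE, expr))} packets")
    print(follow_tcp_stream(CAPTURE, CLIENT, 51000, WEB, 80).decode())
```

Running it lists two conversations (the HTTP session and the reset 443 attempt), shows how many packets each filter keeps, and prints the reassembled request and response exactly as Follow > TCP Stream would show them in plaintext; a TLS session at the same point would yield only handshake records and opaque application data, which is why the tutorial treats decryption as a separate, key-dependent step.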

Practice and Resources

  • Use websites like malware-traffic-analysis.net for PCAP practice files and technical analysis exercises.

Conclusion

  • Wireshark is a versatile tool for network analysis with a range of filters and settings for detailed investigation.
  • Use filters and practice exercises to become proficient in using Wireshark for cybersecurity.