Tactical Briefing: Wireshark Core
Wireshark is the industry-standard Network Protocol Analyzer. It is a passive, observer-only tool: it copies frames from a network interface (through libpcap or Npcap) and dissects the raw bytes into human-readable protocol fields. By stripping away abstraction, it lets analysts see the literal "truth" of what is happening on the wire. Passive does not mean risk-free, though: the dissectors parse untrusted input, so the usual practice is to capture with dumpcap or tcpdump under elevated privileges and open the resulting pcap in Wireshark as an unprivileged user.
Unlike a SIEM, which logs high-level events, Wireshark provides the forensic payload. It is the definitive tool for verifying that security controls (such as encryption) are actually in effect and that traffic patterns match expected behavior.
Functional Scope
- Live Packet Capture (Pcap)
- Deep Protocol Dissection
- Payload Decryption (TLS)
- Conversation Reconstruction
Troubleshooting
Trace "weird" latency, identify retransmissions, and find faulty network configurations like MTU mismatches or ICMP redirects.
Threat Hunting
Identify Command & Control (C2) beaconing, detect ARP spoofing attempts, and flag suspicious data exfiltration signatures.
Forensics
Extract clear-text credentials from unencrypted protocols and reconstruct file transfers (like .exe or .zip) from captured streams.
Compliance
Validate that sensitive traffic is properly encrypted (TLS/SSL) and verify that firewalls are correctly dropping unauthorized ports.
Defenders vs Attackers: Operations Scope
Understanding how both sides leverage packet analysis is key to identifying hostile intent within a capture.
Blue Team / Defenders
Reconstructing objects from SMB or HTTP streams to identify the specific malware variant being introduced to the network.
Using Protocol Hierarchy to spot deviations (e.g., an outsized share of the capture on UDP/53 that Wireshark classifies as plain "Data" or as oversized queries rather than ordinary DNS resolution, pointing at tunnelled exfiltration).
Confirming that "secure" protocols (LDAPS, HTTPS, SSH) are not being downgraded to their insecure counterparts (LDAP, HTTP, Telnet) during authentication, for instance a client that retries plain LDAP on port 389 after an LDAPS failure.
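The Port 53 deviation in the point above is only the first signal; deciding whether it is exfiltration means looking at the queries themselves, which is also what the Data Exfiltration entry of the filter library below ("unusually long, non-cached queries") asks for. The following is an added example, not code from the page: it profiles a dns.qry.name column (constructed here, as you would export it with tshark -T fields -e dns.qry.name) per parent domain by query count, the fraction of never-repeated names (a tunnel encodes fresh data in every label, so the resolver cache never answers and every query reaches the wire), mean name length and the entropy of the leftmost label. The "last two labels" rule for the parent domain and every threshold are assumptions to tune against your own baseline.

```python
"""DNS tunnelling heuristics: added example, not code from the page.

Profiles a dns.qry.name column (constructed below) per parent domain. The
'parent domain = last two labels' rule and every threshold are assumptions.
"""
import math
from collections import defaultdict

# Constructed query names: ordinary browsing plus a tunnel that encodes data
# in the leftmost label of each query to tun.badcorp.io.
QUERIES = [
    "www.example.com", "mail.example.com", "www.example.com",
    "cdn.static.example.net", "api.github.com", "api.github.com",
    "ZGF0YS1jaHVua2E.d3b.tun.badcorp.io",
    "ZGF0YS1jaHVua2I.d3b.tun.badcorp.io",
    "aGVsbG8gd29ybGQ.d3b.tun.badcorp.io",
    "c2VjcmV0IHN0dWZm.d3b.tun.badcorp.io",
    "bW9yZSBkYXRhIGhlcmU.d3b.tun.badcorp.io",
]


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded data scores high, dictionary words low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def parent_domain(name: str) -> str:
    """Assumption: registered domain = last two labels (wrong for co.uk-style suffixes)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def profile_domains(queries):
    """Per parent domain: query count, distinct-name ratio, mean length, mean entropy.

    distinct_ratio close to 1 is the 'non-cached' signal: a tunnel never repeats
    a name, so the stub resolver's cache never answers and every query hits the wire.
    """
    buckets = defaultdict(list)
    for q in queries:
        buckets[parent_domain(q)].append(q.rstrip("."))
    profile = {}
    for dom, names in buckets.items():
        distinct = set(names)
        profile[dom] = {
            "queries": len(names),
            "distinct_ratio": len(distinct) / len(names),
            "mean_len": sum(len(n) for n in distinct) / len(distinct),
            "mean_entropy": sum(shannon_entropy(n.split(".")[0]) for n in distinct) / len(distinct),
        }
    return profile


def suspected_tunnels(queries, min_queries=5, min_len=30, min_entropy=3.0, min_distinct=0.9):
    """Parent domains that trip every threshold; thresholds are starting points to tune."""
    return sorted(
        dom for dom, p in profile_domains(queries).items()
        if p["queries"] >= min_queries
        and p["mean_len"] >= min_len
        and p["mean_entropy"] >= min_entropy
        and p["distinct_ratio"] >= min_distinct
    )


if __name__ == "__main__":
    for dom, p in profile_domains(QUERIES).items():
        print(f"{dom:12s} n={p['queries']} distinct={p['distinct_ratio']:.2f} "
              f"len={p['mean_len']:.1f} H={p['mean_entropy']:.2f}")
    print("suspected tunnels:", suspected_tunnels(QUERIES))
```

On a real capture the CDN and telemetry domains of large vendors also produce long, high-entropy, rarely repeated names, so the output is a shortlist to confirm with Follow Stream and TXT/NULL record types, not a verdict.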
Red Team / Attackers
Analyzing TCP Window sizes and TTL values to determine the host's OS without sending a single probe.
Sniffing traffic on local segments to capture unencrypted auth headers or Telnet/FTP login sequences.
Identifying ports allowed through egress firewalls (e.g., DNS, NTP) to use as covert exfiltration tunnels.
Advanced Tactical Features
Beyond basic filtering, these features automate the heavy lifting of traffic analysis and forensic reconstruction.
Follow Stream
Reassembles individual packets into a human-readable stream, removing protocol headers.
Usage: Right-click packet > Follow > TCP/UDP/HTTP Stream.
Real-Life Case: "Follow Stream" reveals the actual web shell commands an attacker is running in plain-text.
Expert Information
Summary of protocol anomalies, retransmissions, and errors found by Wireshark's built-in analysis engine.
Usage: Analyze > Expert Information.
Real-Life Case: Finding "TCP Zero Window" alerts to confirm a server's buffer is overwhelmed.
Endpoints & Conversations
Statistical lists of all hosts and communicating pairs found in the capture.
Usage: Statistics > Endpoints.
Real-Life Case: Finding one host talking to 500+ devices on port 445, flagging lateral movement.
I/O Graphs
Graphical visualization of throughput over time. Used to find spikes or periodic traffic patterns.
Usage: Statistics > I/O Graphs.
Real-Life Case: Visualizing a 60-second "heartbeat" to identify a C2 beacon.
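What the I/O Graph shows visually can be reduced to a number. The following is an added example, not code from the page or from the Wireshark project: it takes the start times of successive connections from one internal host to one external address (constructed here, standing in for the Start column of Statistics > Conversations or tshark -T fields -e frame.time_relative) and scores how regular the gaps between them are. A process firing on a timer produces near-identical gaps; a person does not.

```python
"""Beacon periodicity check: added example, not code from the page.

Input: start times in seconds of successive connections from one internal
host to one external address, as listed in Statistics > Conversations.
"""
from statistics import mean, pstdev

# Constructed sample data. A 60 s beacon with slight jitter, and a burst of
# human browsing to a second host for contrast.
BEACON_TIMES = [0.0, 60.4, 119.8, 180.1, 240.6, 299.9, 360.2, 420.5]
BROWSING_TIMES = [0.0, 0.3, 0.4, 2.1, 2.2, 9.7, 15.0, 15.1, 48.9, 51.2]


def inter_arrivals(times):
    """Gaps between consecutive connection start times, in seconds."""
    ordered = sorted(times)
    return [b - a for a, b in zip(ordered, ordered[1:])]


def beacon_score(times, min_flows=6):
    """Return (mean_gap, jitter_ratio), or None if there are too few flows to judge.

    jitter_ratio is stdev/mean of the gaps: a process sleeping a fixed
    interval scores close to 0, interactive traffic scores near or above 1.
    """
    if len(times) < min_flows:
        return None
    gaps = inter_arrivals(times)
    period = mean(gaps)
    if period <= 0:
        return None
    return period, pstdev(gaps) / period


def is_beacon(times, max_jitter=0.1, min_flows=6):
    """True when the gaps are regular enough to look like a timer, not a person."""
    score = beacon_score(times, min_flows)
    return score is not None and score[1] <= max_jitter


if __name__ == "__main__":
    for label, times in (("beacon", BEACON_TIMES), ("browsing", BROWSING_TIMES)):
        period, jitter = beacon_score(times)
        print(f"{label}: period {period:.1f}s, jitter ratio {jitter:.3f}, beacon={is_beacon(times)}")
```

C2 frameworks that add sleep jitter spread the interval by a configured percentage, so the ratio rises with the jitter setting: 0.1 is a tight threshold for fixed-interval beacons and should be loosened when hunting jittered ones, with the minimum flow count raised to keep false positives down.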
Decrypting TLS
Supplying session secrets so Wireshark can turn encrypted records back into readable application data. Two sources work: a key log written by the client or server process via the SSLKEYLOGFILE environment variable (browsers, curl and other OpenSSL- or NSS-based tools honour it), or the server's RSA private key, which only helps for RSA key exchange and does nothing for (EC)DHE or TLS 1.3, where every session has ephemeral keys.
Usage: Edit > Preferences > Protocols > TLS > (Pre)-Master-Secret log filename, pointed at the key log file.
Real-Life Case: Decrypting an HTTPS session revealing credentials being sent to a rogue API endpoint.
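Why the key log has to come from the endpoint, and how Wireshark decides which line belongs to which session, is easiest to see in code. The following is an added example, not Wireshark's own implementation: it builds a minimal ClientHello record (constructed test data), pulls out the 32-byte client random, and looks that random up in a key log in the NSS format that SSLKEYLOGFILE produces. Matching on the client random is exactly how Wireshark pairs a CLIENT_RANDOM line with a captured session; the randoms and the 48-byte master secret here are fixed placeholders.

```python
"""How Wireshark pairs a key-log line with a TLS session: added example, not
Wireshark's own code.

The session is identified by the 32-byte random in the ClientHello; the key
log (NSS format, what SSLKEYLOGFILE produces) is keyed by that same random.
"""
import struct


def build_client_hello(client_random: bytes) -> bytes:
    """Minimal TLS 1.2-style ClientHello record (constructed test data)."""
    if len(client_random) != 32:
        raise ValueError("client_random must be 32 bytes")
    body = (
        b"\x03\x03"             # client_version TLS 1.2
        + client_random
        + b"\x00"               # session_id length 0
        + b"\x00\x02\x13\x01"   # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"           # compression_methods: null only
        + b"\x00\x00"           # extensions length 0
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake  # record type 22


def client_random_from_record(record: bytes) -> bytes:
    """Extract the ClientHello random from a TLS record, raising on anything else."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 38 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    if int.from_bytes(hs[1:4], "big") != len(hs) - 4:
        raise ValueError("truncated handshake message")
    return hs[6:38]   # 4-byte handshake header + 2-byte client_version, then the 32-byte random


def parse_keylog(text: str) -> dict:
    """NSS key log: one 'LABEL <client_random hex> <secret hex>' per line, '#' comments.

    Returns {client_random: {label: secret}}; TLS 1.3 writes several labels per session.
    """
    secrets = {}
    for line in text.splitlines():
        parts = line.strip().split()
        if len(parts) != 3 or parts[0].startswith("#"):
            continue
        label, rand_hex, secret_hex = parts
        try:
            secrets.setdefault(bytes.fromhex(rand_hex), {})[label] = bytes.fromhex(secret_hex)
        except ValueError:      # malformed hex: skip the line rather than abort
            continue
    return secrets


def lookup_secret(record: bytes, keylog: dict, label: str = "CLIENT_RANDOM"):
    """The secret Wireshark would apply to this session, or None if the log lacks it."""
    return keylog.get(client_random_from_record(record), {}).get(label)


# Constructed data: fixed placeholder randoms and a placeholder 48-byte master secret.
KNOWN_RANDOM = bytes(range(32))
UNKNOWN_RANDOM = bytes(range(32, 64))
MASTER_SECRET = bytes([0xAB]) * 48
KEYLOG = (
    "# SSL/TLS secrets log file, generated by openssl\n"
    f"CLIENT_RANDOM {KNOWN_RANDOM.hex()} {MASTER_SECRET.hex()}\n"
)

if __name__ == "__main__":
    log = parse_keylog(KEYLOG)
    print("known session:", lookup_secret(build_client_hello(KNOWN_RANDOM), log).hex()[:16], "...")
    print("unknown session:", lookup_secret(build_client_hello(UNKNOWN_RANDOM), log))
```

TLS 1.3 logs carry several labels per session (CLIENT_HANDSHAKE_TRAFFIC_SECRET, SERVER_TRAFFIC_SECRET_0 and so on) keyed by the same client random, which is why the parser keeps a dict of labels per random rather than one secret. If the random seen in the capture is absent from the log nothing decrypts, so the log must come from the very process whose traffic you captured.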
Protocol Hierarchy
Top-down breakdown of all traffic by protocol, showing packet counts and bandwidth distribution.
Usage: Statistics > Protocol Hierarchy.
Real-Life Case: Seeing that most of the bytes on TCP/443 are classified as plain "Data" under TCP rather than as TLS, meaning something other than HTTPS (BitTorrent, a custom C2 channel) is riding the port.
Filter Mechanics & Logic Operators
Capture Filters (BPF)
PRE-CAPTURE. Written in libpcap/tcpdump syntax (e.g. tcp port 443, not the display-filter syntax below), compiled to BPF and applied in the kernel or the Npcap driver before packets are handed to the capture process, so only matching packets are copied into the capture buffer. Anything filtered out is gone for good and the filter cannot be changed mid-capture, so keep capture filters broad and do the hunting with display filters.
Display Filters
POST-CAPTURE. Applied to the packets already in the capture, in the UI or with tshark -Y. They are non-destructive: changing a display filter hides packets but never discards them.
| Class | Operator | Tactical Logic | Example |
|---|---|---|---|
| Equality | == , != | Matches or excludes specific values. | ip.addr == 10.0.0.5 |
| Logical | && , \|\| , ! | Combines multiple conditions (AND, OR, NOT). | dns && !(ip.src == 10.0.0.1) |
| Search | contains | Case-sensitive substring or byte-sequence search in a field or payload; matches takes a regular expression instead. | http.request.uri contains "cmd=" |
| Membership | in {val1 val2} | Matches if the field value is one of the set. | tcp.port in {80 443 8080} |
| Slice | [n:m] | Compares m bytes of a field starting at offset n. | eth.src[0:3] == 00:50:56 |
Caveat on !=: since Wireshark 3.6, ip.addr != 10.0.0.5 means "no ip.addr field in the packet equals 10.0.0.5", the same as !(ip.addr == 10.0.0.5). Older releases evaluated it as "any ip.addr field differs", which matched almost every packet because every IP packet carries two addresses; on those versions write the negation with ! explicitly.
Offset & Slice Syntax [n:m]
eth.src[0:3] == 00:50:56
Filters for VMware virtual machines by matching the first 3 bytes (the OUI) of the source MAC. 00:50:56 and 00:0c:29 are both VMware OUIs, so eth.src[0:3] == 00:50:56 || eth.src[0:3] == 00:0c:29 catches guests from either range.
Bitwise Match Filter (&)
tcp.flags & 0x02
Finds SYN packets regardless of other flags (matches SYN, SYN/ACK and ECN-marked SYNs alike); tcp.flags.syn == 1 is the equivalent named-field form.
TCP Flag Tactical Reference
Recognizing hex values for flags allows you to identify connection states and hostile scans without expanding packet details. Exact matches such as tcp.flags == 0x02 miss handshakes that negotiate ECN (the SYN then also carries CWR and ECE, giving 0xc2), so for hunting prefer bit tests such as tcp.flags.syn == 1 && tcp.flags.ack == 0; the exact values remain useful for recognizing scanner signatures at a glance.
| Flag State | Hex Value | Filter Signature | Scenario |
|---|---|---|---|
| SYN | 0x02 | tcp.flags == 0x02 | Handshake request. Target discovery probe. |
| SYN/ACK | 0x12 | tcp.flags == 0x12 | Server confirmation. Port is OPEN. |
| RST/ACK | 0x14 | tcp.flags == 0x14 | Reset acknowledgement. Port is CLOSED. |
| PSH/ACK | 0x18 | tcp.flags == 0x18 | Active data transmission signature (HTTP/etc). |
| XMAS Scan | 0x29 | tcp.flags == 0x29 | FIN+PSH+URG set. Hostile bypass probe. |
| NULL Scan | 0x00 | tcp.flags == 0x00 | No flags set. Never legitimate; a scan that abuses RFC 793 behaviour (closed ports answer RST, open ones stay silent) and an OS fingerprinting probe. |
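Slice and bitwise filters are byte arithmetic on the frame, and the flag table above is a lookup on one byte of the TCP header. The following is an added example, not from the page: a tiny Ethernet II/IPv4/TCP dissector over constructed frames that does what eth.src[0:3] == 00:50:56 and tcp.flags & 0x02 do inside Wireshark, then classifies the flag byte both by exact match (as in the table) and by bit tests, showing why an ECN-negotiating SYN (0xc2) is missed by tcp.flags == 0x02 but caught by tcp.flags.syn == 1. The frames, MAC addresses and IP addresses are constructed; the two OUIs are real VMware assignments.

```python
"""Slice and bitwise filters as byte arithmetic: added example, not from the page.

A minimal Ethernet II / IPv4 / TCP dissector over constructed frames. It does
what eth.src[0:3] == 00:50:56 and tcp.flags & 0x02 do inside Wireshark and
then classifies the TCP flag byte the way the TCP Flag Tactical Reference does.
"""
import struct

# Two real VMware OUIs (first three bytes of the MAC); the full MACs below are made up.
VMWARE_OUIS = {bytes.fromhex("005056"), bytes.fromhex("000c29")}

FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80

# Exact-match signatures from the table above (tcp.flags == value).
EXACT = {
    0x00: "NULL scan",
    0x02: "SYN",
    0x12: "SYN/ACK",
    0x14: "RST/ACK",
    0x18: "PSH/ACK",
    0x29: "XMAS scan",
}


def build_frame(src_mac: bytes, flags: int, sport: int = 40000, dport: int = 445) -> bytes:
    """Constructed frame: Ethernet II + 20-byte IPv4 + 20-byte TCP, checksums left zero."""
    eth = bytes(6) + src_mac + b"\x08\x00"                        # dst, src, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0,           # ports, seq, ack
                      5 << 4, flags, 65535, 0, 0)                 # data offset 5 words, flags, window
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))  # IHL 5, TTL 64, protocol 6 = TCP
    return eth + ip + tcp


def eth_src_oui(frame: bytes) -> bytes:
    """eth.src[0:3]: the first three bytes of the source MAC (frame offset 6)."""
    return frame[6:9]


def is_vmware(frame: bytes) -> bool:
    return eth_src_oui(frame) in VMWARE_OUIS


def tcp_flags(frame: bytes):
    """Return the TCP flag byte, or None when the frame is not IPv4 carrying TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4           # IPv4 header length in bytes
    if frame[14 + 9] != 6:                 # IPv4 protocol field: 6 = TCP
        return None
    tcp_off = 14 + ihl
    if len(frame) < tcp_off + 14:          # need the header at least through the flags byte
        return None
    return frame[tcp_off + 13]             # tcp.flags lives at TCP offset 13


def classify(flags: int) -> dict:
    """Exact table lookup beside bit tests, to show where each one breaks."""
    return {
        "exact": EXACT.get(flags),                               # tcp.flags == 0x..
        "ecn_tolerant": EXACT.get(flags & ~(ECE | CWR) & 0xFF),  # same lookup, ECN bits ignored
        "syn_set": bool(flags & SYN),                            # tcp.flags & 0x02
        "handshake_request": (flags & (SYN | ACK)) == SYN,       # tcp.flags.syn==1 && tcp.flags.ack==0
    }


if __name__ == "__main__":
    frames = {
        "plain SYN from a VMware guest": build_frame(bytes.fromhex("005056aabbcc"), SYN),
        "ECN SYN (CWR+ECE+SYN)": build_frame(bytes.fromhex("001122334455"), CWR | ECE | SYN),
        "XMAS probe": build_frame(bytes.fromhex("001122334455"), FIN | PSH | URG),
    }
    for name, f in frames.items():
        print(name, "vmware" if is_vmware(f) else "other", hex(tcp_flags(f)), classify(tcp_flags(f)))
```

The ecn_tolerant lookup is the programmatic form of masking CWR and ECE before comparing; in a display filter the same idea is tcp.flags & 0x3f == 0x02, or simply the named flag fields.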
Interactive Packet Explorer
Wireshark's Three-Pane Layout: the Packet List (top, with the No., Time, Source, Destination, Protocol and Info columns), the Packet Details (middle, the dissected protocol tree) and the Packet Bytes (bottom, raw hex and ASCII). Selecting a field in the Details pane highlights the bytes it was decoded from in the Bytes pane, which is how you get from a decoded field to the actual data.
MISSION: FIND THE NEEDLE
A high-value target has sent a password in clear-text over HTTP. Your objective: identify the packet and locate the password string in the Packet Bytes pane. Start with http.request.method == "POST", expand the HTML Form URL Encoded node in the Details pane, select the password field and read the bytes it highlights.
Common Display Filters Library
Discovery & Subnets
"Check DHCP for IP assignment, then ARP for gateway discovery."
Filter: dhcp || arp (the DHCP dissector was named bootp before Wireshark 3.0, so older captures need bootp || arp).
Web & SSL/TLS Analysis
"Find slow handshakes via TLS 'Client Hello' (type 1) timing."
Filter: tls.handshake.type == 1 for the Client Hellos (ssl.handshake.type == 1 before Wireshark 3.0); compare their timestamps with the matching tls.handshake.type == 2 Server Hello in the same tcp.stream.
Malware & Recon Hunt
"Hunt for scanning behavior or unauthorized admin tool execution."
Filter: tcp.flags.syn == 1 && tcp.flags.ack == 0 for outbound connection attempts; sort by destination port to spot one source sweeping many ports or many hosts.
Authentication & Identity
"Identify users logged into a specific machine via NTLM auth."
Filter: ntlmssp.auth.username shows the account in each NTLM authenticate message; add ip.dst == <machine address> to scope it to one target.
Data Exfiltration
"Detect DNS tunneling via unusually long, non-cached queries."
Filter: dns.flags.response == 0 && dns.qry.name.len > 50 (the length threshold is a starting point to tune against your own baseline).
Forensic Anomaly Hunt
"Identify buffer overflows or application-layer DoS scenarios."
Email Analysis
"Locate unencrypted SMTP data phases indicating outbound phish."
Filter: smtp.req.command == "DATA" marks the start of each message body; imf shows the reassembled messages themselves.
File Shares
"Audit lateral file movement by searching for executables over SMB."
Filter: smb2.filename contains ".exe" (smb.file for SMB1).
Database & Industrial
"Find SQL injection or unauthorized DB queries in plain-text."
Infrastructure & Noise
"Diagnose broadcast storms or locate rogue infrastructure devices."
Filter: eth.dst == ff:ff:ff:ff:ff:ff for broadcast volume; dhcp.option.dhcp == 2 lists every host sending DHCP Offers, i.e. acting as a DHCP server.
VoIP & Multimedia
"Troubleshoot call quality by isolating voice streams (RTP) from signaling."
Filter: rtp for the voice streams, sip for signaling; Telephony > VoIP Calls pairs them per call.
Wireless / 802.11
"Identify Deauthentication attacks via management frame subtype 0x0c."
Filter: wlan.fc.type_subtype == 0x0c. This requires a capture taken in monitor mode; a managed-mode capture never shows 802.11 management frames.