5.2: Wireshark for Packet Analysis

Wireshark is a protocol analyzer — it allows you to see every bit and byte that traverses a network interface. Think of it like an X-ray for network traffic. It captures, decodes, and displays data across OSI layers:

  • L2 (Data Link): Ethernet frames, VLAN tags, ARP.
  • L3 (Network): IP headers, fragmentation, ICMP.
  • L4 (Transport): TCP/UDP headers, flags, retransmissions.
  • L5–L7 (Session–Application): HTTP, TLS, SMB, DNS, FTP, etc.

Unlike simpler tools such as tcpdump, Wireshark fully dissects protocols into human-readable fields and supports complex filtering, session reassembly, and forensic deep dives.


Capabilities in Depth

1. Packet Capture

  • Captures in real time or from saved PCAP/PCAPNG files.

  • Supports libpcap/WinPcap/Npcap drivers.

  • Can capture on:

    • Physical NICs
    • Virtual interfaces (VMware, Hyper-V, Docker bridges)
    • Remote captures (rpcapd, SSH pipe, tcpdump streaming).

2. Protocol Decoding

  • Supports 2,000+ protocols, from TCP/IP basics to obscure industrial SCADA/ICS protocols (e.g., Modbus, DNP3).
  • Dissectors are updated with each release as protocols evolve (e.g., QUIC).
  • Ability to reassemble fragmented IP packets and TCP streams.

3. Filtering

  • Capture filters (BPF syntax): Applied before capture, efficient, low overhead. Example:

    tcp port 443 and host 192.168.1.10
    
  • Display filters (Wireshark syntax): Applied after capture, rich filtering. Example:

    ip.src == 10.0.0.5 && http.request.method == "POST"
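To make the decoding and filtering sections concrete, the following is an added example (not code from the page or from the Wireshark project) that does in miniature what Wireshark does when it opens a classic PCAP file: walk the file container, dissect Ethernet (L2), IPv4 (L3) and TCP/UDP (L4) headers into named fields, and then apply a display-filter-style selection over those fields. The capture it parses is constructed inline by the helper functions at the bottom; the addresses, ports and HTTP request are invented, and checksums are left at zero because this parser does not verify them.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

PCAP_MAGIC = 0xA1B2C3D4        # classic pcap, microsecond timestamps (pcapng differs)
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


@dataclass
class Packet:
    """Decoded fields, named after Wireshark display-filter fields where possible."""
    frame_time: float
    eth_src: str
    eth_dst: str
    eth_type: int
    ip_src: Optional[str] = None
    ip_dst: Optional[str] = None
    ip_proto: Optional[int] = None
    srcport: Optional[int] = None
    dstport: Optional[int] = None
    tcp_flags: Optional[int] = None
    payload: bytes = b""


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _ip4(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_pcap(data: bytes) -> List[Packet]:
    """Walk a classic pcap file and decode Ethernet -> IPv4 -> TCP/UDP for each frame."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC:
        end = "<"                                   # file written little-endian
    elif magic == 0xD4C3B2A1:
        end = ">"                                   # file written big-endian
    else:
        raise ValueError("not a classic pcap file")
    _vmaj, _vmin, _tz, _sig, _snaplen, linktype = struct.unpack_from(end + "HHiIII", data, 4)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    packets, off = [], 24                           # 24-byte global header
    while off + 16 <= len(data):                    # 16-byte per-record header
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        # L2: Ethernet II header is dst(6) src(6) type(2)
        eth_type = struct.unpack_from("!H", frame, 12)[0]
        pkt = Packet(ts_sec + ts_usec / 1_000_000, _mac(frame[6:12]), _mac(frame[0:6]), eth_type)
        if eth_type == ETHERTYPE_IPV4:
            # L3: IPv4; IHL (low nibble of byte 0) is the header length in 32-bit words
            ip = frame[14:]
            ihl = (ip[0] & 0x0F) * 4
            total_len = struct.unpack_from("!H", ip, 2)[0]
            pkt.ip_proto = ip[9]
            pkt.ip_src, pkt.ip_dst = _ip4(ip[12:16]), _ip4(ip[16:20])
            l4 = ip[ihl:total_len]
            # L4: TCP data offset is the high nibble of byte 12; flags are byte 13
            if pkt.ip_proto == PROTO_TCP:
                pkt.srcport, pkt.dstport = struct.unpack_from("!HH", l4, 0)
                pkt.tcp_flags = l4[13]
                pkt.payload = l4[(l4[12] >> 4) * 4:]
            elif pkt.ip_proto == PROTO_UDP:
                pkt.srcport, pkt.dstport = struct.unpack_from("!HH", l4, 0)
                pkt.payload = l4[8:]
        packets.append(pkt)
    return packets


def display_filter(packets: List[Packet], **fields) -> List[Packet]:
    """Post-capture filtering over decoded fields, e.g. display_filter(pkts, ip_src="10.0.0.5",
    dstport=443) plays the role of:  ip.src == 10.0.0.5 && tcp.dstport == 443"""
    return [p for p in packets if all(getattr(p, k) == v for k, v in fields.items())]


# ---- Constructed sample capture (invented traffic): SYN, SYN/ACK, then an HTTP POST ----
def _tcp_frame(src: str, dst: str, sport: int, dport: int, flags: int, payload: bytes = b"") -> bytes:
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, PROTO_TCP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    eth = bytes.fromhex("66778899aabb") + bytes.fromhex("001122334455") + b"\x08\x00"
    return eth + ip + tcp


def build_pcap(frames: List[bytes], t0: float = 1_700_000_000.0) -> bytes:
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        ts = t0 + i * 0.5
        out += struct.pack("<IIII", int(ts), int(round((ts % 1) * 1_000_000)), len(frame), len(frame))
        out += frame
    return out


SAMPLE_PCAP = build_pcap([
    _tcp_frame("10.0.0.5", "10.0.0.80", 40000, 443, 0x02),                  # SYN
    _tcp_frame("10.0.0.80", "10.0.0.5", 443, 40000, 0x12),                  # SYN/ACK
    _tcp_frame("10.0.0.5", "10.0.0.80", 40000, 443, 0x18,                   # PSH/ACK + data
               b"POST /upload HTTP/1.1\r\nHost: 10.0.0.80\r\n\r\n"),
])

if __name__ == "__main__":
    for p in display_filter(parse_pcap(SAMPLE_PCAP), ip_src="10.0.0.5", dstport=443):
        print(f"{p.frame_time:.6f} {p.ip_src}:{p.srcport} -> {p.ip_dst}:{p.dstport} flags=0x{p.tcp_flags:02x}")
```

The capture-filter half of the section has no equivalent here: a BPF capture filter such as `tcp port 443 and host 192.168.1.10` runs inside the capture driver before frames are ever written, which is why it is cheap and why it can only test raw header bytes, whereas the display filter above works on fully decoded fields after the fact.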
    

4. Stream Reassembly

  • Follow TCP Stream: Reconstructs bidirectional conversations.

  • Reassemble higher-layer objects:

    • HTTP: Extract downloaded files.
    • SMTP/IMAP: Rebuild emails.
    • SMB/FTP: Extract transferred binaries.
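As an added illustration of Follow TCP Stream and object extraction (this is example code written for this page, not Wireshark's implementation), the block below rebuilds each direction of a TCP conversation from its data segments using relative sequence numbers, exactly the edge cases Wireshark must handle: segments arriving out of order, full and partial retransmissions, and a segment that was never captured. A missing segment is recorded as a gap rather than silently skipped, which is the information you need before trusting an extracted file. The HTTP request and response are constructed inline; the ISNs and the "agent.bin" name are invented.

```python
from typing import Dict, List, Tuple

# (direction, absolute TCP sequence number, payload) for one captured data segment
Segment = Tuple[str, int, bytes]


def reassemble_direction(segments: List[Tuple[int, bytes]], isn: int) -> Tuple[bytes, List[Tuple[int, int]]]:
    """Rebuild one direction of a conversation.

    Sequence numbers are made relative to the ISN: the SYN occupies relative seq 0,
    so the first payload byte is relative seq 1, as Wireshark displays it.  Returns
    the byte stream and a list of (stream offset, length) holes where data was
    never captured.
    """
    out = bytearray()
    gaps: List[Tuple[int, int]] = []
    expected = 1
    ordered = sorted((((seq - isn) & 0xFFFFFFFF), data) for seq, data in segments)
    for rel, data in sorted(ordered, key=lambda s: s[0]):
        if not data or rel + len(data) <= expected:
            continue                                  # full retransmission / duplicate
        if rel < expected:                            # partial overlap: keep only new tail
            data, rel = data[expected - rel:], expected
        if rel > expected:                            # hole: segment missing from capture
            gaps.append((expected - 1, rel - expected))
            expected = rel
        out += data
        expected += len(data)
    return bytes(out), gaps


def follow_tcp_stream(segments: List[Segment], isn_client: int, isn_server: int
                      ) -> Dict[str, Tuple[bytes, List[Tuple[int, int]]]]:
    """The two halves of 'Follow TCP Stream': client->server and server->client."""
    by_dir: Dict[str, List[Tuple[int, bytes]]] = {"client": [], "server": []}
    for direction, seq, data in segments:
        by_dir[direction].append((seq, data))
    return {"client": reassemble_direction(by_dir["client"], isn_client),
            "server": reassemble_direction(by_dir["server"], isn_server)}


def http_body(stream: bytes) -> bytes:
    """Entity body of a reassembled HTTP message (the part 'Export Objects' writes out)."""
    _head, sep, body = stream.partition(b"\r\n\r\n")
    return body if sep else b""


# ---- Constructed sample (invented traffic) ----
ISN_C, ISN_S = 1_000_000, 2_000_000
REQ = b"GET /tools/agent.bin HTTP/1.1\r\nHost: files.example.test\r\n\r\n"
RESP = b"HTTP/1.1 200 OK\r\nContent-Length: 11\r\n\r\nMZ-payload!"

SAMPLE_SEGMENTS: List[Segment] = [
    ("client", ISN_C + 1 + 20, REQ[20:]),        # second part captured first (out of order)
    ("client", ISN_C + 1, REQ[:20]),             # first part
    ("client", ISN_C + 1, REQ[:20]),             # ... and its retransmission
    ("client", ISN_C + 1 + 10, REQ[10:25]),      # partial overlap with both neighbours
    ("server", ISN_S + 1, RESP[:39]),            # complete response header
    # RESP[39:44] (the first 5 body bytes) was never captured
    ("server", ISN_S + 1 + 44, RESP[44:]),       # tail of the body
]

if __name__ == "__main__":
    streams = follow_tcp_stream(SAMPLE_SEGMENTS, ISN_C, ISN_S)
    for direction, (data, gaps) in streams.items():
        print(direction, len(data), "bytes, holes:", gaps)
    print("extracted object:", http_body(streams["server"][0]))
```

The client side reassembles to the complete request with no holes; the server side comes back with a recorded 5-byte hole at offset 39, and the extracted body is truncated accordingly, which is the situation Wireshark reports as bytes missing in the capture file.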

5. Statistics & Visualization

  • Flow Graphs: Show TCP handshakes, retransmissions, session timelines.
  • Protocol Hierarchy: Breakdown of traffic types.
  • Conversations & Endpoints: Summaries of who-talks-to-who, bandwidth used.
  • IO Graphs: Customizable time-series graphs (e.g., throughput, packet drops).

6. Integration with Command-Line Tools

  • tshark: CLI version of Wireshark, scriptable, great for automation.
  • Can pipe to grep, jq, or SIEM pipelines.

Use Cases

1. Incident Response

  • Beaconing detection: Look for periodic small DNS/TCP packets → signs of malware C2 (Command-and-Control).
  • Data exfiltration: Identify unusual large outbound transfers (e.g., DNS tunneling, HTTPS uploads to unknown domains).
  • Lateral movement: Look for SMB, RDP, WinRM traffic between unexpected hosts.
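The beaconing bullet above and the tshark integration described in section 6 fit naturally together, so here is one added example (written for this page; not from Wireshark or tshark) of the "tshark + Python" pattern: tshark emits one tab-separated row per DNS query, and a short script groups the rows by querying host and name, then flags pairs whose inter-query intervals are too regular to be a person browsing. The `tshark` flags used (`-r`, `-Y`, `-T fields`, `-E separator=/t`, `-e`) and the field names `frame.time_epoch`, `ip.src` and `dns.qry.name` are real; `capture.pcap` is a placeholder path, and the tshark output below is constructed inline so the script runs offline. The 0.2 jitter threshold and the 5-query minimum are assumptions to tune per environment.

```python
import statistics
import subprocess
from collections import defaultdict
from typing import Dict, List, Tuple

# One row per DNS query: epoch timestamp, querying host, queried name.
TSHARK_CMD = [
    "tshark", "-r", "capture.pcap", "-Y", "dns.flags.response == 0",
    "-T", "fields", "-E", "separator=/t",
    "-e", "frame.time_epoch", "-e", "ip.src", "-e", "dns.qry.name",
]


def run_tshark(pcap_path: str) -> str:
    """Run tshark on a capture and return its field output (requires tshark on PATH)."""
    cmd = list(TSHARK_CMD)
    cmd[2] = pcap_path
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def parse_fields(text: str) -> List[Tuple[float, str, str]]:
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3 or not all(parts):
            continue                     # a frame lacking one of the fields leaves an empty column
        rows.append((float(parts[0]), parts[1], parts[2]))
    return rows


def find_beacons(rows: List[Tuple[float, str, str]], min_queries: int = 5,
                 max_jitter: float = 0.2) -> List[Dict]:
    """Flag (host, name) pairs that are queried at a steady interval.

    jitter = stdev(intervals) / median(interval).  A timer-driven implant lands near 0
    (even with a little randomisation), while interactive traffic is bursty (jitter >> 1).
    """
    times: Dict[Tuple[str, str], List[float]] = defaultdict(list)
    for ts, src, name in rows:
        times[(src, name)].append(ts)
    hits = []
    for (src, name), ts_list in times.items():
        if len(ts_list) < min_queries:
            continue                     # too few samples to judge regularity
        ts_list.sort()
        intervals = [b - a for a, b in zip(ts_list, ts_list[1:])]
        period = statistics.median(intervals)
        if period <= 0:
            continue
        jitter = statistics.pstdev(intervals) / period
        if jitter <= max_jitter:
            hits.append({"src": src, "query": name, "count": len(ts_list),
                         "period_s": round(period, 1), "jitter": round(jitter, 3)})
    return sorted(hits, key=lambda h: h["jitter"])


# Constructed tshark output (invented traffic): one host resolves the same name about
# every 60 s, one browses normally, one makes too few queries to judge.
SAMPLE_OUTPUT = "\n".join(
    [f"{1700000000 + t:.3f}\t10.0.0.5\tupdate.cdn-sync.example.test"
     for t in (0.0, 60.2, 119.9, 180.1, 240.0, 300.3)]
    + [f"{1700000000 + t:.3f}\t10.0.0.7\twww.example.test"
       for t in (0.0, 5.0, 90.0, 91.0, 400.0, 402.0)]
    + [f"{1700000000 + t:.3f}\t10.0.0.9\tmail.example.test"
       for t in (0.0, 60.0, 120.0)]
) + "\n"

if __name__ == "__main__":
    for hit in find_beacons(parse_fields(SAMPLE_OUTPUT)):
        print(hit)
```

In production you would feed `run_tshark(path)` into `parse_fields`; the same grouping works for TCP connections by swapping the display filter and fields (for example `tcp.flags.syn == 1 && tcp.flags.ack == 0` with `ip.dst` and `tcp.dstport`). Low jitter on its own is not proof of C2 (software updaters and monitoring agents beacon too), so the output is a triage list to enrich with destination reputation and process context.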

2. Malware Analysis

  • Observe how malware communicates:

    • DNS queries to DGA domains.
    • TLS traffic with odd JA3 fingerprints (identifying unique client TLS handshakes).
    • Payload extraction (if not encrypted).
  • Example: Capture malware’s HTTP POST beacon and extract the payload.

3. Network Troubleshooting

  • Detect TCP issues:

    • 3-way handshake failures → firewall/NAT issue.
    • Retransmissions, duplicate ACKs → latency or packet loss.
    • Out-of-order segments → asymmetric routing.
  • Application troubleshooting:

    • Is the slowdown network-level (latency) or app-level (slow response)?
    • Verify TLS negotiation (cipher chosen, cert validation).
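The TCP symptoms listed above are what Wireshark's expert analysis labels for you. As an added example (written for this page, a simplified re-creation rather than Wireshark's own algorithm), the block below walks a list of TCP segments in capture order, tracking per direction the next expected sequence number, which sequence numbers have already carried data, and the last acknowledgement number, and tags segments as a hole ("previous segment not captured"), a late arrival ("out-of-order"), a "retransmission", or a "duplicate ACK". The conversation it analyses is constructed inline with relative sequence numbers; hosts and ports are invented.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SYN, FIN, ACK, PSH = 0x02, 0x01, 0x10, 0x08


@dataclass
class Seg:
    src: str        # "ip:port"
    dst: str
    seq: int        # relative sequence number, as Wireshark displays it
    ack: int
    length: int     # payload bytes
    flags: int


@dataclass
class DirState:
    next_seq: Optional[int] = None               # next byte expected from this sender
    seen: Set[int] = field(default_factory=set)  # sequence numbers that already carried data
    last_ack: Optional[int] = None
    dup_acks: int = 0


def analyze_tcp(segs: List[Seg]) -> List[Tuple[int, str]]:
    """Return (frame number, label) for each segment that deserves an expert-info flag."""
    state: Dict[Tuple[str, str], DirState] = {}
    findings: List[Tuple[int, str]] = []
    for n, s in enumerate(segs, 1):
        d = state.setdefault((s.src, s.dst), DirState())
        # SYN and FIN each occupy one sequence number even without payload
        consumed = s.length + bool(s.flags & SYN) + bool(s.flags & FIN)
        if consumed:
            if d.next_seq is None or s.seq == d.next_seq:
                pass                                            # in order
            elif s.seq > d.next_seq:
                findings.append((n, "previous segment not captured"))   # hole before this one
            elif s.seq in d.seen:
                findings.append((n, "retransmission"))          # bytes already seen
            else:
                findings.append((n, "out-of-order"))            # late arrival filling a hole
            d.seen.add(s.seq)
            d.next_seq = max(d.next_seq or 0, s.seq + consumed)
            if s.flags & ACK:
                d.last_ack, d.dup_acks = s.ack, 0               # data segments reset the dup count
        elif s.flags & ACK:                                     # pure ACK
            if s.ack == d.last_ack:
                d.dup_acks += 1
                findings.append((n, f"duplicate ACK #{d.dup_acks}"))
            else:
                d.dup_acks = 0
            d.last_ack = s.ack
    return findings


def summarize(findings: List[Tuple[int, str]]) -> Dict[str, int]:
    """Count findings by kind, folding 'duplicate ACK #n' into one bucket."""
    counts: Dict[str, int] = {}
    for _, label in findings:
        kind = "duplicate ACK" if label.startswith("duplicate ACK") else label
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# ---- Constructed conversation (invented): handshake, a lost segment, dup ACKs, retransmit ----
C, S = "10.0.0.5:40000", "10.0.0.80:443"
SAMPLE_SEGMENTS = [
    Seg(C, S, 0, 0, 0, SYN),
    Seg(S, C, 0, 1, 0, SYN | ACK),
    Seg(C, S, 1, 1, 0, ACK),
    Seg(C, S, 1, 1, 100, ACK | PSH),      # bytes 1-100
    Seg(C, S, 201, 1, 100, ACK),          # bytes 201-300: 101-200 never captured
    Seg(S, C, 1, 101, 0, ACK),            # server still wants byte 101 ...
    Seg(S, C, 1, 101, 0, ACK),            # ... dup ACK #1
    Seg(S, C, 1, 101, 0, ACK),            # ... dup ACK #2
    Seg(C, S, 101, 1, 100, ACK),          # the missing bytes arrive late
    Seg(C, S, 1, 1, 100, ACK),            # needless retransmission of 1-100
    Seg(S, C, 1, 301, 0, ACK),            # everything acknowledged
]

if __name__ == "__main__":
    for frame, label in analyze_tcp(SAMPLE_SEGMENTS):
        print(f"frame {frame}: {label}")
    print(summarize(analyze_tcp(SAMPLE_SEGMENTS)))
```

Reading the output the way the section suggests: duplicate ACKs and retransmissions point at loss or latency on the path, while "previous segment not captured" with no later retransmission usually means the capture point itself dropped frames or only sees one direction of an asymmetric route.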

4. Compliance & Security Validation

  • Check if sensitive apps are sending unencrypted traffic (e.g., HTTP instead of HTTPS).
  • Confirm TLS version and cipher strength in financial/healthcare apps.
  • Audit for cleartext credentials (FTP, Telnet, SNMPv1).
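The cleartext-credential audit is easy to automate once streams are reassembled. The following added example (written for this page, not part of it) scans a handful of reassembled payloads for the protocols named above: FTP USER/PASS commands, HTTP Basic authentication (which is only base64, not encryption), a Telnet login prompt, and the community string in an SNMP message, which it reads by decoding the leading BER SEQUENCE/INTEGER/OCTET STRING of the message. It goes slightly beyond the bullet in also treating SNMPv2c as cleartext, since v2c sends its community string the same way. Secrets are reported masked so the audit report does not itself become a credential leak. All payloads are constructed inline and every name and password in them is invented.

```python
import base64
import re
from typing import Dict, List, Optional, Tuple

# (server port, direction "c2s"/"s2c", reassembled payload)
Stream = Tuple[int, str, bytes]


def _ber_length(buf: bytes, i: int) -> Tuple[int, int]:
    """Decode a BER length at buf[i]; returns (length, index just past the length)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1                              # short form
    n = first & 0x7F                                     # long form: n length bytes follow
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def snmp_community(msg: bytes) -> Optional[Tuple[int, bytes]]:
    """(version, community) from  Message ::= SEQUENCE { version INTEGER, community OCTET STRING, ... }"""
    if len(msg) < 2 or msg[0] != 0x30:
        return None
    _seq_len, i = _ber_length(msg, 1)
    if msg[i] != 0x02:
        return None
    vlen, i = _ber_length(msg, i + 1)
    version = int.from_bytes(msg[i:i + vlen], "big")
    i += vlen
    if i >= len(msg) or msg[i] != 0x04:
        return None
    clen, i = _ber_length(msg, i + 1)
    return version, msg[i:i + clen]


def _mask(secret: str) -> str:
    return "*" * len(secret)


def audit_cleartext(streams: List[Stream]) -> List[Dict[str, str]]:
    findings: List[Dict[str, str]] = []
    for port, direction, data in streams:
        text = data.decode("latin-1")
        if port == 21 and direction == "c2s":                    # FTP sends both in the clear
            user = re.search(r"^USER (\S+)", text, re.M)
            pw = re.search(r"^PASS (\S+)", text, re.M)
            if user and pw:
                findings.append({"proto": "ftp", "user": user.group(1), "secret": _mask(pw.group(1))})
        elif port == 80 and direction == "c2s":                  # HTTP Basic: base64 only
            m = re.search(r"^Authorization: Basic (\S+)", text, re.M)
            if m:
                user, _, pw = base64.b64decode(m.group(1)).decode("latin-1").partition(":")
                findings.append({"proto": "http-basic", "user": user, "secret": _mask(pw)})
        elif port == 23 and direction == "s2c" and "Password:" in text:
            findings.append({"proto": "telnet", "user": "?", "secret": "<typed in the clear>"})
        elif port == 161:
            parsed = snmp_community(data)
            if parsed and parsed[0] in (0, 1):                   # 0 = v1, 1 = v2c
                version = "snmpv1" if parsed[0] == 0 else "snmpv2c"
                findings.append({"proto": version, "user": "-",
                                 "secret": _mask(parsed[1].decode("latin-1"))})
    return findings


# ---- Constructed streams (invented credentials) ----
SAMPLE_STREAMS: List[Stream] = [
    (21, "c2s", b"USER alice\r\nPASS hunter2\r\nPWD\r\n"),
    (80, "c2s", b"GET /admin HTTP/1.1\r\nHost: intranet.example.test\r\nAuthorization: Basic "
                + base64.b64encode(b"bob:s3cret") + b"\r\n\r\n"),
    (23, "s2c", b"\xff\xfd\x01login: carol\r\nPassword: "),   # leading bytes are Telnet IAC options
    (161, "c2s", b"\x30\x0b\x02\x01\x00\x04\x06public"),      # SNMPv1 header; PDU omitted
    (443, "c2s", b"\x16\x03\x01\x00\xc8\x01"),                # TLS ClientHello: nothing to read
]

if __name__ == "__main__":
    for f in audit_cleartext(SAMPLE_STREAMS):
        print(f)
```

In Wireshark the same checks map onto display filters such as `ftp.request.command == "PASS"`, `http.authorization` and `snmp.community`; the script version is what you would run across a directory of captures as a recurring compliance check.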

Challenges & Limitations

  1. Encrypted Traffic

    • TLS 1.3 hides most of the handshake (even cert info if ESNI/Encrypted Client Hello is enabled).

    • Can decrypt if you have:

      • The server’s private key (not always available, and only useful with RSA key exchange; forward-secret (EC)DHE suites and all of TLS 1.3 cannot be decrypted this way).
      • Client-side session keys via the SSLKEYLOGFILE environment variable (supported by browsers and some TLS libraries).
  2. Big Data Problem

    • Capturing on 10/40/100Gbps links → terabytes of PCAP.
    • Need filters, ring buffers, and indexing (tools like Moloch/Arkime help).
  3. Expertise Required

    • Raw packets can be overwhelming.
    • Analysts must know TCP/IP internals, protocol quirks, and attack signatures.

Best Practices

  • Capture with filters whenever possible → reduces noise and capture size.

  • Use ring buffer captures to avoid filling disks.

  • Combine with IDS/IPS logs (e.g., Suricata → PCAP evidence).

  • When analyzing malware:

    • Use an isolated lab network with controlled DNS/HTTP sinks.
  • Automate routine tasks with tshark + Python.


Advanced Wireshark Features Analysts Use

  • Coloring rules: Highlight anomalies (e.g., TCP resets, ICMP errors).
  • Custom dissectors: Write Lua or C dissectors for proprietary protocols.
  • Expert Info: Built-in diagnostic engine highlighting warnings (e.g., “TCP segment not captured”).
  • JA3/JA3S fingerprinting: Identify unique TLS clients/servers.
  • Decryption support: WPA2 Wi-Fi (if PSK known), TLS (if key available).

Summary: Wireshark isn’t just a packet sniffer — it’s a forensic microscope for network communications. It enables:

  • Blue teamers → Detect and analyze attacks.
  • Malware analysts → Understand adversary payloads.
  • Network engineers → Pinpoint performance bottlenecks.
  • Auditors → Validate compliance and encryption.

But it requires deep TCP/IP + protocol expertise and careful filtering to avoid drowning in noise.