Wireshark Forensics PCAP TShark Sniffing Blue Team
Advanced

Wireshark & TShark: Traffic Analysis

Mar 20, 2022

Wireshark is the most widely used network protocol analyzer. It captures traffic live (or reads saved captures) and decodes every packet layer by layer, following the OSI model. In security work it is central to network forensics (DFIR), malware traffic analysis, and detecting data exfiltration.

1. Architecture & Packet Capturing

To capture traffic, the interface is put into promiscuous mode so it accepts frames not addressed to it. On a switched network that still only shows you your own traffic and broadcasts; to see other hosts you need a SPAN/mirror port or a TAP. Capturing requires elevated privileges (root, or membership in the wireshark group on Linux). Captures are saved as .pcap or .pcapng files; pcapng additionally stores interface metadata and comments.

# Capture from the CLI with tshark (needs capture privileges); -w writes the raw packets to disk:
tshark -i eth0 -w incident_capture.pcapng

# Read an existing .pcapng and print one decoded line per packet:
tshark -r incident_capture.pcapng

Capture Filters (BPF)

Applied BEFORE capturing, in BPF syntax, to drop unwanted traffic and save disk space. Packets dropped by a capture filter are gone for good, so during an incident keep it broad and do the narrowing later with display filters.

# Only capture traffic to or from the web server (both directions):
tshark -i eth0 -f "host 192.168.1.50"

# Exclude SSH so your own remote session does not end up in the capture (otherwise each captured packet generates more SSH output, which is captured in turn):
tshark -i eth0 -f "not port 22"

2. Display Filters

Applied AFTER capturing, in the Wireshark filter bar or with tshark -Y. These are the analyst's scalpel: they don't delete packets, they just hide the noise, so you can refine them as often as you like.

# By IP address:
ip.addr == 192.168.1.100       # Source or destination
ip.src == 10.0.0.5             # Source only
ip.dst == 8.8.8.8              # Destination only

# By protocol and port:
tcp.port == 443                # HTTPS (either direction)
udp.dstport == 53              # DNS queries (responses have udp.srcport == 53)

# Payload content (byte-wise, case-sensitive string search):
frame contains "password"      # Searches every byte of the frame, headers included
tcp.payload contains "MZ"      # Windows PE magic; it matches anywhere in the payload, so expect false positives

🔴 Network Forensics Investigator

You have a 2GB PCAP file from an incident. You know the infected IP 192.168.1.100 established a secure connection and exfiltrated data to port 443. Write the exact Display Filter to isolate ONLY the packet that initiated this connection (the TCP SYN packet).


3. Decrypting HTTPS Traffic (SSL/TLS)

TLS encrypts each session with keys derived during the handshake, so to read the traffic you need those session secrets, not the server's certificate key. Clients that support the NSS key log format (Firefox, Chrome/Chromium, curl and others) write them to the file named in the SSLKEYLOGFILE environment variable. Wireshark matches a key log line to a session through the client random in the ClientHello, so the capture must include the handshake, not just the application data.

# 1. Set the variable in the environment the browser is launched from; the browser must be started after this:
export SSLKEYLOGFILE=/tmp/sslkeylog.log

# 2. In Wireshark: Edit -> Preferences -> Protocols -> TLS
# 3. Point "(Pre)-Master-Secret log filename" at sslkeylog.log.
# Sessions with a matching key log entry now decode as cleartext (HTTP, HTTP/2, ...); sessions started before the variable was set stay encrypted.
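A common failure at step 3 is that the key log loads but the traffic stays encrypted, because the sessions in the capture are not the ones whose secrets were logged. The following Python script is an added example (not Wireshark code) that checks exactly that: it parses an SSLKEYLOGFILE in the NSS format, pulls the client random out of each ClientHello record, and reports which sessions have a TLS 1.2 master secret or the TLS 1.3 traffic secrets. The key log contents and the ClientHello records are constructed inline; the randoms and secrets are dummy values.

```python
"""Check which TLS sessions in a capture can be decrypted with a given
SSLKEYLOGFILE. Wireshark correlates a key log line with a session through
the 32-byte client random of the ClientHello, so this script extracts that
random from ClientHello records and looks it up in the parsed key log.
Added example, not Wireshark code; key log and records are constructed."""
from collections import defaultdict

# Labels that matter for application data (NSS key log format).
TLS12_LABELS = {"CLIENT_RANDOM"}
TLS13_LABELS = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}


def parse_keylog(text):
    """Map client_random (hex) -> set of labels present for that session."""
    keys = defaultdict(set)
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] == "RSA":
            # "RSA <id> <premaster>" is the legacy pre-CLIENT_RANDOM format; not handled here.
            raise ValueError(f"keylog line {n}: expected '<LABEL> <client_random> <secret>'")
        label, client_random, secret = parts
        if len(client_random) != 64:
            raise ValueError(f"keylog line {n}: client random must be 32 bytes (64 hex chars)")
        bytes.fromhex(client_random)   # reject non-hex early
        bytes.fromhex(secret)
        keys[client_random.lower()].add(label)
    return keys


def client_random_from_record(record):
    """Return the hex client random of a TLS ClientHello record, else None.
    Layout: 5-byte record header, 4-byte handshake header, 2-byte version,
    then the 32-byte random."""
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        return None
    return record[11:43].hex()


def coverage_report(keys, records):
    """For each ClientHello seen, say whether application data is decryptable."""
    report = {}
    for rec in records:
        rnd = client_random_from_record(rec)
        if rnd is None:
            continue
        labels = keys.get(rnd, set())
        if labels & TLS12_LABELS:
            report[rnd] = "decryptable (TLS 1.2 master secret)"
        elif TLS13_LABELS <= labels:
            report[rnd] = "decryptable (TLS 1.3 traffic secrets)"
        elif labels:
            report[rnd] = "partial: only " + ", ".join(sorted(labels))
        else:
            report[rnd] = "no keys: client started before SSLKEYLOGFILE was set, or does not honour it"
    return report


def make_client_hello(random_bytes):
    """Minimal but well-formed ClientHello record (constructed test data)."""
    body = (b"\x03\x03" + random_bytes + b"\x00"               # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00" + b"\x00\x00")  # one suite, null compression, no extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


# Constructed key log: session A is TLS 1.2, session B is TLS 1.3, session C
# was never logged (the browser was already running when the variable was set).
RANDOM_A, RANDOM_B, RANDOM_C = b"\xaa" * 32, b"\xbb" * 32, b"\xcc" * 32
SAMPLE_KEYLOG = "\n".join([
    "# SSL/TLS secrets log file (constructed sample)",
    f"CLIENT_RANDOM {RANDOM_A.hex()} {'11' * 48}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {RANDOM_B.hex()} {'22' * 32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {RANDOM_B.hex()} {'33' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {RANDOM_B.hex()} {'44' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {RANDOM_B.hex()} {'55' * 32}",
    f"EXPORTER_SECRET {RANDOM_B.hex()} {'66' * 32}",
])
SAMPLE_RECORDS = [make_client_hello(r) for r in (RANDOM_A, RANDOM_B, RANDOM_C)]

if __name__ == "__main__":
    for rnd, status in coverage_report(parse_keylog(SAMPLE_KEYLOG), SAMPLE_RECORDS).items():
        print(rnd[:16] + "...", status)
```

On a real capture you would feed `coverage_report` the ClientHello records of every session (in tshark terms, the frames matching `tls.handshake.type == 1`); any random reported as "no keys" cannot be recovered after the fact, because the secrets only ever existed in the client's memory.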

4. Extracting Files (Malware/Docs)

If the malware was downloaded over cleartext HTTP (or over HTTPS that you have decrypted as above), Wireshark can reassemble the TCP stream and write the transferred file back out: File -> Export Objects -> HTTP, select the object, Save. tshark offers the same through its --export-objects option. Hash the extracted file before doing anything else with it, and treat it as live malware: identify it by its magic bytes, not by the Content-Type header, which the server controls.
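What Export Objects does under the hood is parse the HTTP response out of the reassembled stream, honouring Content-Length or chunked transfer-encoding, and save the body. The Python below is an added example (not Wireshark code) of that carving step with the two framing modes, a truncation check, and file-type identification by magic bytes rather than by the declared Content-Type. The response bytes and the fake PE body are constructed inline.

```python
"""Carve an HTTP response body out of a reassembled TCP stream and identify
it by magic bytes: the manual version of File -> Export Objects -> HTTP.
Added example, not Wireshark code; the streams below are constructed."""
import hashlib

MAGICS = {b"MZ": "PE executable", b"\x7fELF": "ELF executable",
          b"%PDF": "PDF", b"PK\x03\x04": "ZIP/OOXML"}


def parse_http_response(stream):
    """Return (status, headers, body). Handles Content-Length and chunked
    transfer-encoding; naive carving of a chunked body keeps the chunk-size
    lines and yields a corrupt file."""
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response: header terminator not found")
    lines = head.split(b"\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = decode_chunked(rest)
    elif "content-length" in headers:
        n = int(headers["content-length"])
        if len(rest) < n:
            raise ValueError(f"truncated body: {len(rest)} of {n} bytes in capture")
        body = rest[:n]
    else:
        body = rest          # no framing: body runs until the connection closes
    return status, headers, body


def decode_chunked(data):
    out = bytearray()
    off = 0
    while True:
        end = data.index(b"\r\n", off)                      # ValueError if truncated
        size = int(data[off:end].split(b";")[0], 16)        # ignore chunk extensions
        off = end + 2
        if size == 0:
            return bytes(out)
        out += data[off:off + size]
        off += size + 2                                     # chunk data plus trailing CRLF


def identify(body):
    for magic, name in MAGICS.items():
        if body.startswith(magic):
            return name
    return "unknown"


def carve(stream):
    """Summary an analyst wants before touching the file on disk."""
    status, headers, body = parse_http_response(stream)
    return {"status": status, "declared_type": headers.get("content-type"),
            "actual_type": identify(body), "size": len(body),
            "sha256": hashlib.sha256(body).hexdigest()}


# Constructed sample: a 124-byte fake PE (MZ header, PE signature at 0x40)
# served once chunked with a lying Content-Type, once with Content-Length.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"\x00" * 56
SAMPLE_CHUNKED = (b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n"
                  b"Transfer-Encoding: chunked\r\n\r\n"
                  + b"40\r\n" + FAKE_PE[:64] + b"\r\n"
                  + b"3c\r\n" + FAKE_PE[64:] + b"\r\n0\r\n\r\n")
SAMPLE_CONTENT_LENGTH = (b"HTTP/1.1 200 OK\r\nContent-Length: 124\r\n"
                         b"Content-Type: application/octet-stream\r\n\r\n" + FAKE_PE)

if __name__ == "__main__":
    for sample in (SAMPLE_CHUNKED, SAMPLE_CONTENT_LENGTH):
        print(carve(sample))
```

The declared/actual mismatch in the first sample (image/jpeg carrying an MZ body) is a standard trick for slipping executables past content-type based filters, and it is the first thing to flag in the report.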

5. TCP Handshake & Anomalies

Understand TCP flags to spot port scans and denial of service. A normal connection opens with SYN, SYN/ACK, ACK; scans and floods break that pattern, with many SYNs that are never followed by a completing ACK, or bursts of RST from a host whose closed ports are being probed.

# Candidates for an Nmap SYN ("stealth") scan: SYN set, ACK clear. Every legitimate connection start matches too, so look for one source hitting many ports:
tcp.flags.syn == 1 and tcp.flags.ack == 0

# Connection resets (RST): a closed port answers a SYN with RST/ACK, so a burst of RSTs from one host toward one source points at a scan:
tcp.flags.reset == 1

6. TShark: CLI Statistical Analysis

For multi-gigabyte PCAPs, use tshark to pull out specific fields and statistics instead of loading the whole file into the GUI.

# Extract the source IP and HTTP Host header of every request (-Y is a display filter, -T fields -e picks the columns):
tshark -r capture.pcap -Y "http.request" -T fields -e ip.src -e http.host

# Top talkers (which IP generated the most traffic?): -q suppresses per-packet output, -z prints statistics; endpoints,ip lists packets and bytes per address in both directions:
tshark -r capture.pcap -q -z endpoints,ip