- network
- forensics
Market
Wireshark
Overview
Wireshark captures live traffic from interfaces or reads PCAP/PCAPNG files offline. Dissectors decode layers (Ethernet → IP → TCP → TLS → HTTP) and expose field filters for precise display filtering.
Display filters (e.g., `http.request.method == "POST" && ip.addr == 10.0.0.5`) differ from capture filters (BPF syntax on tcpdump: `host 10.0.0.5 and port 443`). Capture filters reduce volume at collection time; display filters slice already-captured data.
Follow TCP/UDP Stream reassembles a single conversation at the application layer. Export Objects pulls transferred files from HTTP, SMB, and other protocols. Expert Info flags retransmissions, checksum errors, and malformed packets.
For TLS, Wireshark decrypts if you supply a key log file (SSLKEYLOGFILE env var in browser) or RSA key (legacy). Without keys, you see ClientHello/SNI and metadata only.
Primary use cases
- Incident response triage on PCAPs from compromised hosts
- Debugging application protocol behavior and malformed packets
- Extracting credentials from cleartext protocols (HTTP Basic, FTP, Telnet, LDAP simple bind)
- VoIP/RTP stream playback and SIP ladder diagrams
- Validating firewall rules and identifying unexpected egress
Key commands
Capture to file (CLI tshark)
tshark -i eth0 -f 'tcp port 443' -w capture.pcapng
Read PCAP with display filter
tshark -r capture.pcapng -Y 'dns.flags.response == 0' -T fields -e dns.qry.name
Decrypt TLS with key log
tshark -r capture.pcapng -o tls.keylog_file:sslkeys.log -Y http
Notable modules / features
- 2000+ protocol dissectors; custom dissectors via Lua
- IO graphs, flow graphs, TCP stream graphs for throughput analysis
- Statistics: protocol hierarchy, conversations, endpoints, HTTP request sequences
- Mergecap, editcap, capinfos CLI utilities in the Wireshark suite
Detection / defense notes
- Encrypt sensitive protocols; assume cleartext on LAN is observable
- Monitor for promiscuous-mode NICs and SPAN port access
- DNS query logging complements PCAP for exfil detection without full capture
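Added example, not part of Wireshark or of the commands above: a Python triage pass over the one-name-per-line output of the `tshark ... -T fields -e dns.qry.name` command, scoring queries for the tunnelling/exfil indicators the defense note alludes to. The sample queries and the thresholds are constructed assumptions for illustration, and the registered-domain split is deliberately naive (a public-suffix list would be used in practice).

```python
"""Triage DNS query names exported by tshark for DNS-tunnelling indicators.

Input is the output of:
  tshark -r capture.pcapng -Y 'dns.flags.response == 0' -T fields -e dns.qry.name
Thresholds below are assumptions for this example, not Wireshark defaults.
"""
import math
from collections import Counter

MAX_LABEL_LEN = 40    # hostname labels longer than this are rare in normal traffic
MIN_ENTROPY = 3.5     # bits/char; base32/base64-like payload labels sit near 4+
MIN_LABEL_FOR_ENTROPY = 16
MIN_SUBDOMAINS = 20   # many distinct subdomains of one zone in a single capture

# Constructed sample: ordinary lookups plus three tunnelling patterns.
SAMPLE_QUERIES = [
    "www.example.com", "mail.google.com", "www.example.com",
    "4a7f9c2e1b8d3e6f0a9c7b5d2e4f6a8c1b3d5e7f9a.tunnel.example.net",
    "zq8v3kx1lp6w9ntb.cdn.example.org",
] + [f"chunk{i:02d}.tunnel.example.net" for i in range(20)]

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def registered_domain(name: str) -> str:
    """Naive zone split: last two labels (assumption; no public-suffix list)."""
    parts = name.rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else name

def triage(lines):
    """Return (name_or_zone, reason) findings for suspicious query patterns."""
    findings, per_zone = [], {}
    for raw in lines:
        name = raw.strip().lower()
        if not name:
            continue
        per_zone.setdefault(registered_domain(name), set()).add(name)
        longest = max(name.split("."), key=len)
        if len(longest) > MAX_LABEL_LEN:
            findings.append((name, "long-label"))
        elif len(longest) >= MIN_LABEL_FOR_ENTROPY and shannon_entropy(longest) > MIN_ENTROPY:
            findings.append((name, "high-entropy"))
    for zone, names in per_zone.items():
        if len(names) >= MIN_SUBDOMAINS:
            findings.append((zone, "many-subdomains"))
    return findings

if __name__ == "__main__":
    for item, reason in triage(SAMPLE_QUERIES):
        print(f"{reason:16} {item}")
```

Pipe real tshark output in with `triage(sys.stdin)` to run it against a capture; the per-zone count is the signal that survives even when individual labels look innocuous.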