Wireshark is an open-source network protocol analyzer. It uses a graphical user interface (GUI), which makes it easier to visualize network communications for packet analysis purposes.
- Wireshark can analyze traffic and display the information in an easy-to-navigate format regardless of the protocols used (e.g., HTTP, TCP, DNS).
- Wireshark can reconstruct back-and-forth conversations in a network.
- Wireshark allows easy filtering to narrow down essential details.
- Wireshark can also export and analyze objects that are transferred over the network.
Traffic Sniffing#
Use the blue “shark button” to start sniffing (capturing traffic); the red button stops the capture and the green button restarts it. The status bar also shows the capture interface in use and the number of packets collected so far.
View File Details#
Knowing the file details is helpful, especially when working with multiple pcap files: you will often need to recall a file’s details (file hash, capture time, capture file comments, interface and statistics) to identify, classify and prioritise it. You can view the details via “Statistics —> Capture File Properties” or by clicking the pcap icon in the bottom-left corner.
Packet details#
Packet details are shown in three different panes, each of which presents the selected packet in a different format.
| Pane | What it shows |
|---|---|
| Packet List Pane | Summary of each packet (source and destination addresses, protocol, and packet info). You can click on the list to choose a packet for further investigation. Once you select a packet, the details will appear in the other panes. |
| Packet Details Pane | Detailed protocol breakdown of the selected packet. |
| Packet Bytes Pane | Hex and decoded ASCII representation of the selected packet. It highlights the packet field depending on the clicked section in the details pane. |
Packet Filtering#
Wireshark has a powerful filter engine that helps analysts narrow down the traffic and focus on the event of interest. Wireshark has two filtering approaches: capture filters and display filters. Capture filters decide which packets are recorded at capture time, so only packets matching the filter are kept. Display filters only control which of the already-captured packets are shown.
Display filters#
Wireshark’s display filters let you apply filters to packet capture files. This is helpful when you are inspecting packet captures with large volumes of information. Display filters will help you find specific information that’s most relevant to your investigation. You can filter packets based on information such as protocols, IP addresses, ports, and virtually any other property found in a packet.
- You can apply filters to a packet capture using Wireshark’s filter toolbar.
Comparison operators
You can use comparison operators to match specific header fields and values. Each operator can be written either as a symbol or as an abbreviation: the filter ip.src == 8.8.8.8, which uses the == equal symbol, is identical to ip.src eq 8.8.8.8, which uses the eq abbreviation.
This table summarizes the different types of comparison operators you can use for display filtering.
| Operator type | Symbol | Abbreviation |
|---|---|---|
| Equal | == | eq |
| Not equal | != | ne |
| Greater than | > | gt |
| Less than | < | lt |
| Greater than or equal to | >= | ge |
| Less than or equal to | <= | le |
- You can combine comparisons with the Boolean logical operators “and” and “or” to create complex display filters. Parentheses can be used to group expressions and control the order in which they are evaluated.
Contains operator
The contains operator filters for packets whose field contains the given string of text literally (an exact substring match, as opposed to a pattern).
Matches operator
The matches operator filters packets against a specified regular expression (regex). A regular expression is a sequence of characters that forms a search pattern.
Filter for protocols#
Protocol filtering is one of the simplest ways you can use display filters. You can simply enter the name of the protocol to filter. For example, to filter for DNS packets simply type dns in the filter toolbar.
Some protocols you can filter for: dns, http, ftp, ssh, arp, telnet, icmp
Filter for an IP address#
You can use display filters to locate packets with a specific IP address.
- To filter for packets that contain a specific IP address (as source or destination), use ip.addr, followed by a space, the equal == comparison operator and the IP address, e.g. ip.addr == 172.21.224.2
- To filter for packets originating from a specific source IP address, use the ip.src field, e.g. ip.src == 10.10.10.10
- To filter for packets delivered to a specific destination IP address, use the ip.dst field, e.g. ip.dst == 4.4.4.4
Filter for a MAC address#
You can also filter packets according to the Media Access Control (MAC) address.
eg: eth.addr == 00:70:f4:23:18:c4
Filter for ports#
Port filtering is used to filter packets based on port numbers, which is helpful when you want to isolate specific types of traffic. For example, DNS uses TCP or UDP port 53, so filtering for UDP port 53 lists only traffic related to DNS queries and responses: udp.port == 53
Likewise, you can filter for TCP ports: tcp.port == 25
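To make the filter semantics above concrete (the symbol/abbreviation forms of the comparison operators, contains and matches, bare protocol names, Boolean combination with parentheses, and the ip.addr / tcp.port / udp.port filters), here is a small display-filter evaluator. It is an added example written for this page, not Wireshark's own filter engine, and it runs over constructed packets represented as dictionaries in which a field maps to every value it carries. Two behaviours it reproduces deliberately: a field such as ip.addr or tcp.port occurs twice per packet (source and destination), so a comparison is true if any occurrence matches, which is why ip.addr != X does not exclude packets that involve X; and contains is a case-sensitive substring test while matches is case-insensitive, as in Wireshark. The field names, values and grammar subset (and/or/not, &&, ||, parentheses) are assumptions of the example.

```python
import operator
import re

SAMPLE_PACKETS = [  # constructed; ip.addr and *.port carry both ends of a packet, as in Wireshark
    {"frame.number": [1], "frame.len": [74], "ip.src": ["10.10.10.10"], "ip.dst": ["8.8.8.8"],
     "ip.addr": ["10.10.10.10", "8.8.8.8"], "udp.port": [51234, 53], "dns": [True],
     "dns.qry.name": ["example.com"]},
    {"frame.number": [2], "frame.len": [512], "ip.src": ["10.10.10.10"], "ip.dst": ["93.184.216.34"],
     "ip.addr": ["10.10.10.10", "93.184.216.34"], "tcp.port": [40000, 80], "http": [True],
     "http.host": ["Example.com"]},
    {"frame.number": [3], "frame.len": [1514], "ip.src": ["172.21.224.2"], "ip.dst": ["10.10.10.10"],
     "ip.addr": ["172.21.224.2", "10.10.10.10"], "tcp.port": [25, 40001]},
]

TOKEN_RE = re.compile(r'\(|\)|==|!=|>=|<=|>|<|"[^"]*"|[^\s()=!<>"]+')
ABBREVIATIONS = {"eq": "==", "ne": "!=", "gt": ">", "lt": "<", "ge": ">=", "le": "<="}
COMPARE = {"==": operator.eq, "!=": operator.ne, ">": operator.gt,
           "<": operator.lt, ">=": operator.ge, "<=": operator.le}

def tokenize(text):
    # Anything the token grammar cannot account for (other than whitespace) is an error
    tokens = TOKEN_RE.findall(text)
    if re.sub(r"\s+", "", "".join(tokens)) != re.sub(r"\s+", "", text):
        raise ValueError(f"cannot tokenize filter: {text!r}")
    return tokens

def parse(tokens):
    """Recursive descent: 'or' binds loosest, then 'and', then 'not' and parentheses."""
    def peek():
        return tokens[0] if tokens else None
    def binary(keywords, sub, kind):
        node = sub()
        while peek() in keywords:
            tokens.pop(0)
            node = (kind, node, sub())
        return node
    def parse_or():
        return binary(("or", "||"), parse_and, "or")
    def parse_and():
        return binary(("and", "&&"), parse_not, "and")
    def parse_not():
        if peek() == "not":
            tokens.pop(0)
            return ("not", parse_not())
        if peek() == "(":
            tokens.pop(0)
            node = parse_or()
            if not tokens or tokens.pop(0) != ")":
                raise ValueError("missing ')'")
            return node
        if not tokens:
            raise ValueError("expected a field name")
        field = tokens.pop(0)
        if peek() in ABBREVIATIONS or peek() in COMPARE or peek() in ("contains", "matches"):
            op = tokens.pop(0)
            if not tokens:
                raise ValueError(f"missing value after {op!r}")
            return ("cmp", field, ABBREVIATIONS.get(op, op), tokens.pop(0))
        return ("present", field)        # bare protocol or field name, e.g. "dns"
    node = parse_or()
    if tokens:
        raise ValueError(f"unexpected token {tokens[0]!r}")
    return node

def _coerce(value):
    # Compare as integers when both sides are numeric, otherwise as strings
    try:
        return int(str(value), 0)
    except ValueError:
        return str(value)

def evaluate(node, packet):
    kind = node[0]
    if kind == "or":
        return evaluate(node[1], packet) or evaluate(node[2], packet)
    if kind == "and":
        return evaluate(node[1], packet) and evaluate(node[2], packet)
    if kind == "not":
        return not evaluate(node[1], packet)
    if kind == "present":
        return node[1] in packet
    _, field, op, literal = node
    literal = literal.strip('"')
    # True if ANY occurrence of the field passes, so ip.addr != X still keeps packets that
    # have X on one side; "not ip.addr == X" is the filter that really excludes them.
    for value in packet.get(field, []):
        if op == "contains":
            hit = literal in str(value)                              # case-sensitive
        elif op == "matches":
            hit = re.search(literal, str(value), re.IGNORECASE) is not None
        else:
            a, b = _coerce(value), _coerce(literal)
            hit = type(a) is type(b) and COMPARE[op](a, b)
        if hit:
            return True
    return False

def apply_filter(filter_text, packets=SAMPLE_PACKETS):
    # Frame numbers that survive the display filter, like Wireshark's filtered packet list
    tree = parse(tokenize(filter_text))
    return [p["frame.number"][0] for p in packets if evaluate(tree, p)]
```

Calling apply_filter("ip.addr != 10.10.10.10") on the sample packets returns all three frames, because every packet has some other address on its other side; apply_filter("not ip.addr == 10.10.10.10") returns none. That distinction is the one most often missed when excluding a host from a capture.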
Find Packets#
Wireshark can find packets by their content. Use the “Edit —> Find Packet” menu to search inside the packets for a particular event of interest.
There are two crucial points in finding packets. The first is knowing the input type. This functionality accepts four types of inputs (Display filter, Hex, String and Regex). String and regex searches are the most commonly used search types. Searches are case insensitive, but you can set the case sensitivity in your search by clicking the radio button.
The second point is choosing the search field. You can conduct searches in the three panes (packet list, packet details, and packet bytes), and it is important to know the available information in each pane to find the event of interest. For example, if you try to find the information available in the packet details pane and conduct the search in the packet list pane, Wireshark won’t find it even if it exists.
Conversation Filter#
When you use the “Apply as a Filter” option, you filter on only a single entity of the packet. This option is a good way of investigating a particular value in packets. However, suppose you want to investigate a specific packet number and all linked packets by focusing on IP addresses and port numbers. In that case, the “Conversation Filter” option helps you view only the related packets and hide the rest easily. You can use the “right-click menu” or “Analyse —> Conversation Filter” menu to filter conversations.
Colourise Conversation#
This option is similar to “Conversation Filter”, with one difference: it highlights the linked packets without applying a display filter, so the number of viewed packets does not decrease. It works alongside the “Colouring Rules” option and recolours the linked packets without regard to the colouring rules previously applied. You can use the “right-click menu” or “View —> Colourise Conversation” menu to colourise a linked packet in a single click. Note that you can use the “View —> Colourise Conversation —> Reset Colourisation” menu to undo this operation.
Follow streams#
Wireshark provides a feature that lets you filter for packets specific to a protocol and view streams. A stream or conversation is the exchange of data between devices using a protocol. Wireshark reassembles the data that was transferred in the stream in a way that’s simple to read.
Following a protocol stream is useful when trying to understand the details of a conversation. For example, you can examine the details of an HTTP conversation to view the content of the exchanged request and response messages.
You can use the “right-click menu” or “Analyse —> Follow TCP/UDP/HTTP Stream” menu to follow traffic streams. Streams are shown in a separate dialogue box; packets originating from the server are highlighted in blue, and those originating from the client are highlighted in red.
Once you follow a stream, Wireshark automatically creates and applies the required filter to view the specific stream. Remember, once a filter is applied, the number of the viewed packets will change. You will need to use the “X button” located on the right upper side of the display filter bar to remove the display filter and view all available packets in the capture file.
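The “Conversation Filter” and “Follow stream” sections describe the same underlying idea: packets are grouped into conversations by a direction-independent key built from protocol, addresses and ports, and following a stream reassembles each side's data in sequence order and applies a tcp.stream filter. The example below is added for this page and is not Wireshark's implementation; it runs on a constructed capture of TCP segments. Assumptions it makes: the client is the endpoint that sent the conversation's earliest frame (Wireshark prefers the side that sent the SYN), stream indices are assigned in order of first appearance in the capture, and the Segment record, field names and sample payloads are the example's own.

```python
from collections import namedtuple

Segment = namedtuple("Segment", "frame proto src sport dst dport seq payload")

# Constructed capture: an HTTP exchange (frames 1, 3, 4, 5) interleaved with a DNS query
# (frame 2) and the start of an SMTP conversation (frame 6). Frame 4 was captured before
# frame 5 although its sequence number comes later, so reassembly must sort by seq.
SAMPLE_CAPTURE = [
    Segment(1, "tcp", "10.10.10.10", 40000, "93.184.216.34", 80, 1000, b"GET /index.html HTTP/1.1\r\n"),
    Segment(2, "udp", "10.10.10.10", 51234, "8.8.8.8", 53, 0, b"<dns query>"),
    Segment(3, "tcp", "10.10.10.10", 40000, "93.184.216.34", 80, 1026, b"Host: example.com\r\n\r\n"),
    Segment(4, "tcp", "93.184.216.34", 80, "10.10.10.10", 40000, 5019, b"<html>hello</html>"),
    Segment(5, "tcp", "93.184.216.34", 80, "10.10.10.10", 40000, 5000, b"HTTP/1.1 200 OK\r\n\r\n"),
    Segment(6, "tcp", "172.21.224.2", 40001, "10.10.10.10", 25, 1, b"EHLO client\r\n"),
]

def conversation_key(seg):
    """Direction-independent (protocol, endpoint, endpoint) key: both halves of a
    conversation map to the same key, which is what a conversation filter relies on."""
    return (seg.proto,) + tuple(sorted([(seg.src, seg.sport), (seg.dst, seg.dport)]))

def conversation_filter(capture, frame):
    """Frame numbers that belong to the same conversation as the selected frame."""
    selected = next(s for s in capture if s.frame == frame)
    key = conversation_key(selected)
    return [s.frame for s in capture if conversation_key(s) == key]

def tcp_stream_index(capture, frame):
    """Index of the selected frame's TCP conversation, numbered in order of first
    appearance in the capture (assumed here to mirror how tcp.stream is assigned)."""
    seen = []
    for s in capture:
        if s.proto != "tcp":
            continue
        key = conversation_key(s)
        if key not in seen:
            seen.append(key)
        if s.frame == frame:
            return seen.index(key)
    raise ValueError(f"frame {frame} is not a TCP segment")

def follow_tcp_stream(capture, frame):
    """Reassemble both directions of the TCP conversation containing `frame`.

    Returns the filter Wireshark would apply, the client and server data in sequence
    order, and any gaps between consecutive segments (reported rather than silently
    concatenated, since a gap means missing or out-of-order data).
    """
    frames = set(conversation_filter(capture, frame))
    segs = [s for s in capture if s.frame in frames and s.proto == "tcp"]
    if not segs:
        raise ValueError(f"frame {frame} is not part of a TCP stream")
    first = min(segs, key=lambda s: s.frame)
    client = (first.src, first.sport)          # assumption: earliest sender is the client
    result = {"filter": f"tcp.stream eq {tcp_stream_index(capture, frame)}", "gaps": []}
    for side in ("client", "server"):
        own = [s for s in segs if ((s.src, s.sport) == client) == (side == "client")]
        data, expected = b"", None
        for s in sorted(own, key=lambda s: s.seq):
            if expected is not None and s.seq != expected:
                result["gaps"].append((side, expected, s.seq))
            data += s.payload
            expected = s.seq + len(s.payload)
        result[side] = data.decode("utf-8", "replace")
    return result
```

Selecting frame 3 and asking for its conversation returns frames 1, 3, 4 and 5 (the DNS query is hidden), and following the stream from any of them yields the request and response as two readable blocks with the filter tcp.stream eq 0, which is the filter you then clear with the “X button” to see the whole capture again.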
Colouring Packets#
Along with quick packet information, Wireshark also colours packets according to protocol and other conditions so that protocols and anomalies can be spotted quickly in a capture. Colouring rules provide high-level visual cues that help you quickly classify the different types of data, for example:
- DNS : light blue
- TCP HTTP : light green
Wireshark has two types of packet colouring methods: temporary rules that are only available during a program session, and permanent rules that are saved under the preference file (profile) and available in the next program session. You can use the “right-click menu” or “View —> Colouring Rules” menu to create permanent colouring rules. The “Colourise Packet List” menu activates/deactivates the colouring rules. Temporary packet colouring is done with the “right-click menu” or “View —> Conversation Filter” menu.
Mark Packets#
Marking packets is another helpful functionality for analysts. You can find/point to a specific packet for further investigation by marking it. It helps analysts point to an event of interest or export particular packets from the capture. You can use the “Edit” or the “right-click” menu to mark/unmark packets.
Marked packets are shown in black regardless of the colour that would otherwise represent the connection type. Note that marked packet information is renewed every file session, so marked packets are lost after closing the capture file.
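The two points worth seeing in code from the colouring and marking sections are that colouring rules are an ordered list in which the first matching rule wins, so the order of the rules changes what you see (a rule for a lower-layer protocol placed above one for the application protocol hides the latter), and that a marked packet is drawn black regardless of the rules. The example below is added for this page and is not Wireshark's own code; the packet records, the predicates standing in for each rule's display filter, and every colour other than the two the page lists (DNS light blue, TCP HTTP light green) are assumptions.

```python
# Constructed packet list: the decoded protocol stack of each frame plus the
# "marked" flag that Edit -> Mark Packet would set.
SAMPLE_PACKETS = [
    {"frame": 1, "protocols": ["eth", "ip", "udp", "dns"]},
    {"frame": 2, "protocols": ["eth", "ip", "tcp", "http"]},
    {"frame": 3, "protocols": ["eth", "ip", "tcp"], "marked": True},
    {"frame": 4, "protocols": ["eth", "arp"]},
]

# Ordered rules as (name, predicate standing in for the rule's display filter, colour).
# "light blue" and "light green" are the colours the page lists; the TCP colour is a placeholder.
DEFAULT_RULES = [
    ("HTTP", lambda p: "http" in p["protocols"], "light green"),
    ("DNS", lambda p: "dns" in p["protocols"], "light blue"),
    ("TCP", lambda p: "tcp" in p["protocols"], "placeholder-tcp-colour"),
]

def colour_for(packet, rules, colourise=True):
    """Colour for one packet: a marked packet is black whatever the rules say; otherwise
    the first rule whose filter matches wins and later rules are never consulted."""
    if packet.get("marked"):
        return "black"
    if not colourise:                      # "Colourise Packet List" switched off
        return None
    for _name, predicate, colour in rules:
        if predicate(packet):
            return colour
    return None                            # no rule matched: default background

def colour_packets(packets, rules, colourise=True):
    """Map frame number -> colour for a whole packet list."""
    return {p["frame"]: colour_for(p, rules, colourise) for p in packets}

def reorder(rules, first_name):
    """Move the named rule to the top, to show that rule order changes the result."""
    moved = [r for r in rules if r[0] == first_name]
    return moved + [r for r in rules if r[0] != first_name]
```

With DEFAULT_RULES the HTTP frame is light green; move the TCP rule to the top with reorder(DEFAULT_RULES, "TCP") and the same frame takes the TCP colour, because the HTTP rule is never reached. That is the behaviour to keep in mind when adding your own rules in the “Colouring Rules” dialogue.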
Export Objects (Files)#
Wireshark can extract files transferred over the wire. For a security analyst, it is vital to discover shared files and save them for further investigation. Exporting objects is available only for selected protocols’ streams (DICOM, HTTP, IMF, SMB and TFTP).
Time Display Format#
Wireshark lists the packets in the order they were captured, so investigating the default flow is not always the best option. By default, Wireshark shows the time as “Seconds Since Beginning of Capture”; a common choice is to switch to the UTC time display format for a clearer view. You can use the “View —> Time Display Format” menu to change the time display format.
Expert Info#
Wireshark also detects specific protocol states to help analysts spot possible anomalies and problems easily. Note that these are only suggestions, and there is always a chance of false positives/negatives. Expert info groups its findings into categories at the severities listed below.
| Severity | Colour | Info |
|---|---|---|
| Chat | Blue | Information on usual workflow. |
| Note | Cyan | Notable events like application error codes. |
| Warn | Yellow | Warnings like unusual error codes or problem statements. |
| Error | Red | Problems like malformed packets. |
You can use the “lower left bottom section” of the status bar or the “Analyse —> Expert Information” menu to view all available information entries in a dialogue box. It shows the packet number, summary, group, protocol and total number of occurrences.
Sections in a packet#
The Frame (Layer 1):#
This will show you what frame/packet you are looking at and details specific to the Physical layer of the OSI model.
This provides you with details about the overall network packet, or frame, including the frame length and the arrival time of the packet. At this level, you’re viewing information about the entire packet of data.
Source MAC (Layer 2):#
This will show you the source and destination MAC addresses, from the Data Link layer of the OSI model.
eg: Ethernet II
This item contains details about the packet at the Ethernet level, including the source and destination MAC addresses and the type of internal protocol that the Ethernet packet contains.
Source IP (Layer 3):#
This will show you the source and destination IPv4 addresses, from the Network layer of the OSI model.
IPv4
This provides the Internet Protocol (IP) data contained in the Ethernet frame, such as the source and destination IP addresses and the protocol field that names what is carried inside the IP packet (for example, TCP or UDP).
Protocol (Layer 4):#
This will show you details of the protocol used (UDP/TCP) and the source and destination ports, from the Transport layer of the OSI model.
TCP
This provides detailed information about the TCP packet, including the source and destination TCP ports, the TCP sequence numbers, and the TCP flags.
Protocol Errors:#
This continuation of the 4th layer shows specific segments from TCP that needed to be reassembled.
Application Protocol (Layer 5):#
This will show details specific to the application protocol used, such as HTTP, FTP, and SMB, from the Application layer of the OSI model.
Application Data:#
This extension of the 5th layer can show the application-specific data.