What is Wireshark?

Wireshark is the world's foremost network protocol analyzer. It lets you capture and interactively browse network traffic running on a computer network. Think of it as a "network microscope" that shows you exactly what's happening on your network at the packet level.

Key Concept

Every piece of data sent over a network is broken into small chunks called "packets". Wireshark captures these packets and decodes them so humans can read and understand network communications.

Why Do We Need Wireshark?

  • Network Troubleshooting: Find why applications are slow or connections are dropping
  • Security Analysis: Detect malware, data exfiltration, and unauthorized access
  • Protocol Learning: See how TCP/IP, HTTP, DNS, and other protocols actually work
  • Forensics: Investigate security incidents by analyzing captured traffic
  • Development: Debug network applications and verify implementations

The Three Core Skills

  1. Capturing: Recording network traffic from an interface
  2. Filtering: Finding the specific packets you need among thousands
  3. Analyzing: Understanding what the packets mean

Understanding Network Interfaces

Before capturing, you must select which network interface to monitor. This is often a point of confusion for beginners.

Common Mistake

Selecting the wrong interface means capturing no useful traffic. If you're analyzing web traffic but selected a disconnected interface, you'll see nothing!

Common Interface Types

  • eth0, ens33, enp0s3 - Wired Ethernet adapters
  • wlan0, wlp2s0 - Wireless adapters
  • lo - Loopback (local traffic only, like 127.0.0.1)
  • any - Capture from ALL interfaces simultaneously
  • virbr0, docker0 - Virtual bridges for VMs/containers

Pro Tip

When unsure which interface to use, select "any" to capture from all interfaces. You can then filter by interface later using frame.interface_name == "eth0".

Display Filters vs Capture Filters

This distinction confuses many beginners. Understanding the difference is crucial!

Display Filters

  • Applied AFTER capture
  • Hide packets from view
  • Easy to change on-the-fly
  • All data still saved
  • Uses Wireshark syntax

ip.addr == 192.168.1.1
http.request.method == "GET"

Capture Filters

  • Applied DURING capture
  • Prevents packets from being recorded
  • Must be set before starting
  • Filtered data is GONE forever
  • Uses BPF syntax (tcpdump-style)

host 192.168.1.1
port 80

This Lab Focuses on Display Filters

Display filters are more flexible and commonly used for analysis. They use Wireshark's powerful expression syntax which we'll practice extensively.

Filter Syntax Fundamentals

Basic Comparison Operators

ip.addr == 192.168.1.1 # Equal to
ip.addr != 10.0.0.1 # Not equal to. On Wireshark releases before 3.6 this matched any packet where EITHER address differed; !(ip.addr == 10.0.0.1) means "exclude this host" on every version
frame.len > 1000 # Greater than
tcp.port >= 1024 # Greater than or equal
udp.port < 1024 # Less than (well-known ports)

Logical Operators

http && ip.src == 192.168.1.100 # AND - both must be true
dns || dhcp # OR - either can be true
!arp # NOT - exclude ARP packets
not tcp # Alternative NOT syntax

Handling Ports (Common Confusion Point!)

Important: Port Filter Variations

These filter fields behave differently - choosing the wrong one is a common mistake!

tcp.port == 80 # Matches if EITHER src OR dst port is 80
tcp.srcport == 80 # Only matches SOURCE port 80
tcp.dstport == 80 # Only matches DESTINATION port 80
udp.port == 53 # Same logic for UDP

IP Address Filters (Another Confusion Point!)

ip.addr == 192.168.1.1 # Matches if EITHER src OR dst is this IP
ip.src == 192.168.1.1 # Only matches SOURCE IP
ip.dst == 192.168.1.1 # Only matches DESTINATION IP
ip.addr == 192.168.1.0/24 # Matches entire subnet (CIDR notation)

String Matching

http.host contains "google" # Contains substring
http.request.uri matches "login" # Regex match
frame contains "password" # Search raw packet data
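The port and address gotchas above come down to one rule: ip.addr, tcp.port and udp.port are multi-occurrence fields, so a comparison is tried against both the source and the destination value. The small evaluator below, an added example that is not code from this lab or from the Wireshark project, implements that rule for a subset of the display-filter syntax (comparisons, contains, &&, ||, !/not, parentheses, bare protocol names, CIDR literals) over four constructed packets. The packet records, their field values and the PACKETS/apply_filter names are assumptions made for the illustration; the treatment of != as !(a == b) matches what Wireshark has done since release 3.6.

```python
# Toy evaluator for a subset of Wireshark display-filter syntax (an added example,
# not Wireshark's own code) showing how multi-occurrence fields, != and CIDR behave.
import ipaddress
import operator
import re
# Constructed sample traffic (not a real capture): one dict of fields per packet.
PACKETS = [
    {"no": 1, "protos": {"ip", "tcp", "http"}, "ip.src": "192.168.1.100", "ip.dst": "93.184.216.34",
     "tcp.srcport": 51234, "tcp.dstport": 80, "frame.len": 512, "http.request.method": "GET"},
    {"no": 2, "protos": {"ip", "tcp", "http"}, "ip.src": "93.184.216.34", "ip.dst": "192.168.1.100",
     "tcp.srcport": 80, "tcp.dstport": 51234, "frame.len": 1460, "http.response.code": 200},
    {"no": 3, "protos": {"ip", "udp", "dns"}, "ip.src": "192.168.1.100", "ip.dst": "192.168.1.1",
     "udp.srcport": 40000, "udp.dstport": 53, "frame.len": 74, "dns.qry.name": "updates.example.net"},
    {"no": 4, "protos": {"ip", "tcp"}, "ip.src": "10.0.0.50", "ip.dst": "192.168.1.100",
     "tcp.srcport": 44444, "tcp.dstport": 445, "frame.len": 60},
]
# Multi-occurrence fields: a test on tcp.port is applied to BOTH ports.
ALIASES = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport"),
           "udp.port": ("udp.srcport", "udp.dstport")}
OPS = {"==": operator.eq, "!=": operator.ne, ">": operator.gt, ">=": operator.ge,
       "<": operator.lt, "<=": operator.le, "contains": lambda a, b: str(b) in str(a)}
TOKEN_RE = re.compile(r'\(|\)|&&|\|\||!=|==|>=|<=|>|<|!|"[^"]*"|[\w./:]+')

def tokenize(text):
    tokens = TOKEN_RE.findall(text)
    if "".join("".join(tokens).split()) != "".join(text.split()):  # unrecognised characters
        raise ValueError(f"cannot tokenize {text!r}")
    return tokens

def parse_value(tok):
    """Right-hand literal: quoted string, integer, IP or CIDR network, or bare word."""
    if tok.startswith('"'):
        return tok[1:-1]
    if tok.isdigit():
        return int(tok)
    try:
        return ipaddress.ip_network(tok, strict=False)  # a bare IP becomes a /32
    except ValueError:
        return tok

def compare(actual, op, wanted):
    if isinstance(wanted, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
        try:  # address equality is subnet membership, so CIDR literals work
            return op == "==" and ipaddress.ip_address(actual) in wanted
        except ValueError:  # field value is not an address (e.g. a port number)
            return False
    return OPS[op](actual, wanted)

def eval_compare(packet, field, op, wanted):
    values = [packet[n] for n in ALIASES.get(field, (field,)) if n in packet]
    if op == "!=":  # Wireshark 3.6+: a != b is exactly !(a == b)
        return not any(compare(v, "==", wanted) for v in values)
    return any(compare(v, op, wanted) for v in values)

class Parser:
    # Recursive descent, lowest precedence first: or > and > not > primary.
    def __init__(self, text):
        self.toks, self.i = tokenize(text), 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self):
        self.i += 1
        return self.toks[self.i - 1]  # IndexError on a truncated filter
    def parse_or(self):
        node = self.parse_and()
        while self.peek() in ("||", "or"):
            self.take()
            node = (lambda p, l=node, r=self.parse_and(): l(p) or r(p))
        return node
    def parse_and(self):
        node = self.parse_not()
        while self.peek() in ("&&", "and"):
            self.take()
            node = (lambda p, l=node, r=self.parse_not(): l(p) and r(p))
        return node
    def parse_not(self):
        if self.peek() not in ("!", "not"):
            return self.parse_primary()
        self.take()
        return lambda p, inner=self.parse_not(): not inner(p)
    def parse_primary(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        if self.peek() in OPS:  # field <op> literal
            op, wanted = self.take(), parse_value(self.take())
            return lambda p: eval_compare(p, tok, op, wanted)
        return lambda p: tok in p["protos"]  # bare protocol name such as "http"

def apply_filter(text, packets=PACKETS):
    """Return the numbers of the packets a display filter matches."""
    parser = Parser(text)
    pred = parser.parse_or()
    if parser.peek() is not None:  # leftover tokens such as a stray ')'
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return [p["no"] for p in packets if pred(p)]
```

With these four packets, apply_filter("tcp.port == 80") returns [1, 2] (request and reply) while apply_filter("tcp.dstport == 80") returns [1]; "ip.addr == 192.168.1.0/24" matches all four, and "ip.addr != 192.168.1.100" returns an empty list because every sample packet has that host as source or destination, which is exactly why !(ip.addr == x) is the form to reach for when the intent is to exclude a host.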

Common Analysis Scenarios

Finding HTTP Traffic

http # All HTTP traffic
http.request # HTTP requests only
http.response # HTTP responses only
http.request.method == "POST" # POST requests (form submissions)
http.response.code == 404 # 404 Not Found errors
http.response.code >= 400 # All client/server errors

DNS Analysis

dns # All DNS traffic
dns.qry.name contains "malware" # Suspicious domain queries
dns.flags.response == 1 # DNS responses only
dns.qry.type == 16 # TXT record queries (sometimes C2)

TCP Connection Analysis

tcp.flags.syn == 1 && tcp.flags.ack == 0 # SYN packets (new connections)
tcp.flags.reset == 1 # RST packets (connection resets)
tcp.analysis.retransmission # Retransmitted packets
tcp.stream eq 5 # Follow specific TCP stream

Security Investigation

# Port scanning detection
tcp.flags.syn == 1 && tcp.flags.ack == 0 && ip.src == 10.0.0.50

# SMB traffic (lateral movement)
tcp.port == 445

# Non-standard HTTPS port
tcp.port == 8443 || tcp.port == 4443

# Large data transfers (exfiltration?)
frame.len > 5000 && ip.dst != 192.168.0.0/16
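The filters in this section select candidate packets, but concluding that 10.0.0.50 is scanning, or that a large transfer is exfiltration, means aggregating across many packets (distinct ports per source, bytes per destination pair), which no single display filter does; in Wireshark that step is usually Statistics > Conversations, and in a script it looks like the two functions below. This is an added example, not code from this lab: the Packet record, the probed port list, the thresholds and the use of RFC 1918 space to mean "internal" are assumptions made for the illustration, and the traffic is constructed rather than captured.

```python
# Added example (not code from the page's lab): the Security Investigation
# filters SELECT candidate packets; confirming a SYN scan or a bulk transfer
# needs AGGREGATION across packets, which is what these two functions do.
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """The handful of TCP/IP fields the two detections use."""
    src: str
    dst: str
    dport: int
    syn: bool
    ack: bool
    length: int  # frame.len


def syn_only(src, dst, dport):
    """A bare SYN: tcp.flags.syn == 1 && tcp.flags.ack == 0 in display-filter terms."""
    return Packet(src, dst, dport, syn=True, ack=False, length=60)


def data(src, dst, dport, length):
    """An established-connection segment carrying payload."""
    return Packet(src, dst, dport, syn=False, ack=True, length=length)


# Constructed sample traffic, not a real capture.
PACKETS = (
    # 10.0.0.50 sends SYN-only probes to twelve ports on one host (scan-like)
    *[syn_only("10.0.0.50", "192.168.1.10", port)
      for port in (21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080)],
    # 192.168.1.20 opens one ordinary connection: SYN, then data
    syn_only("192.168.1.20", "192.168.1.10", 443),
    data("192.168.1.20", "192.168.1.10", 443, 1460),
    # 192.168.1.30 pushes 40 full-size frames to an external host
    *[data("192.168.1.30", "203.0.113.7", 443, 1500) for _ in range(40)],
    # 192.168.1.40 exchanges a little data with an external host
    *[data("192.168.1.40", "198.51.100.9", 443, 600) for _ in range(3)],
)

# Assumption: "internal" means RFC 1918 space (the page's own filter uses 192.168.0.0/16).
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE)


def syn_scan_pairs(packets, min_ports=10):
    """(src, dst) pairs whose SYN-only packets reached at least min_ports distinct
    destination ports; the value is the number of distinct ports probed."""
    ports = defaultdict(set)
    for p in packets:
        if p.syn and not p.ack:
            ports[(p.src, p.dst)].add(p.dport)
    return {pair: len(ps) for pair, ps in ports.items() if len(ps) >= min_ports}


def bulk_external_transfers(packets, min_bytes=50_000):
    """Private-to-public (src, dst) pairs whose summed frame lengths reach min_bytes.
    The page's frame.len > 5000 filter looks at single frames; a transfer made of
    many ordinary-sized frames only stands out once the bytes are summed per pair."""
    totals = defaultdict(int)
    for p in packets:
        if is_private(p.src) and not is_private(p.dst):
            totals[(p.src, p.dst)] += p.length
    return {pair: total for pair, total in totals.items() if total >= min_bytes}


if __name__ == "__main__":
    print("SYN scan candidates:", syn_scan_pairs(PACKETS))
    print("Bulk external transfers:", bulk_external_transfers(PACKETS))
```

Run as a script it reports 10.0.0.50 probing twelve ports on 192.168.1.10 and 192.168.1.30 sending 60,000 bytes to 203.0.113.7, while the single normal connection and the small external exchange stay below both thresholds. The thresholds are the tuning knobs: lower min_ports catches slower scans at the cost of flagging ordinary multi-port clients, and min_bytes should be set from what normal outbound sessions look like on the network being watched.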

Ready to Practice?

Head to the Filter Lab tab to practice writing filters with instant feedback. Then test your skills in the Challenges section!

Interactive Learning

The Filter Lab provides a simulated network capture. Type filters and see which packets match in real-time. No actual network capture required!


IP Address Filters

  • ip.addr == [IP] - Match source OR destination IP
  • ip.src == [IP] - Match only source IP
  • ip.dst == [IP] - Match only destination IP
  • ip.addr == [CIDR] - Match IP range/subnet

Port Filters

  • tcp.port == [PORT] - Match src OR dst TCP port
  • tcp.srcport == [PORT] - Match only source port
  • tcp.dstport == [PORT] - Match only destination port
  • udp.port == [PORT] - Match src OR dst UDP port

Protocol Filters

  • http - HTTP traffic
  • dns - DNS queries and responses
  • tcp - All TCP packets
  • udp - All UDP packets
  • icmp - ICMP (ping) traffic
  • arp - ARP broadcasts
  • tls - TLS/SSL encrypted traffic
  • ssh - SSH traffic

TCP Flags

  • tcp.flags.syn == 1 - SYN flag set (connection start)
  • tcp.flags.ack == 1 - ACK flag set
  • tcp.flags.fin == 1 - FIN flag (connection close)
  • tcp.flags.reset == 1 - RST flag (connection reset)

HTTP Specific

  • http.request - HTTP requests only
  • http.response - HTTP responses only
  • http.request.method == "GET" - GET requests
  • http.request.method == "POST" - POST requests (form data)
  • http.response.code == 200 - Successful responses
  • http.response.code >= 400 - Error responses

DNS Specific

  • dns.qry.name contains "[domain]" - Search DNS queries by domain
  • dns.flags.response == 0 - DNS queries only
  • dns.flags.response == 1 - DNS responses only
  • dns.qry.type == 1 - A records (IPv4)

Logical Operators

  • && (and) - Both conditions must be true
  • || (or) - Either condition can be true
  • ! (not) - Negate/exclude matches
  • contains - String contains substring
