Wireshark is the world's most popular network protocol analyzer and is essential for network troubleshooting, security analysis, and digital forensics.
Capture Filters
Applied during capture to reduce file size:
# Capture only specific host
host 192.168.1.1
# Capture only specific port
port 80
# Capture range
net 192.168.1.0/24
# Exclude traffic
not port 22
Display Filters
Applied after capture for analysis:
# HTTP traffic
http
# Filter by IP
ip.addr == 192.168.1.1
ip.src == 192.168.1.1
ip.dst == 10.0.0.1
# Filter by port
tcp.port == 443
tcp.dstport == 80
# HTTP methods
http.request.method == "POST"
# DNS queries
dns.qry.name contains "malicious"
# Complex filters
http && ip.src == 192.168.1.1 && frame.len > 1000
Security Analysis Filters
# SYN-only packets, i.e. connection attempts (many from one source to different ports suggests a scan)
tcp.flags.syn == 1 && tcp.flags.ack == 0
# Large data transfers
tcp.len > 10000
# Potential beaconing: frames arriving ~60 s after the previous captured frame (frame.time_delta ignores conversations; tcp.time_delta gives the gap within one stream)
frame.time_delta > 60 && frame.time_delta < 61
# Clear-text credentials
http.authbasic || ftp.request.command == "PASS"
# Suspicious DNS
dns.qry.name matches ".*[0-9]{8,}.*"
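The frame.time_delta filter above only sees the gap since the previous captured frame of any conversation, so on a busy link it misses most beacons. As an added example (not from the original page), this Python script groups constructed packet records per conversation and flags those whose inter-arrival times are nearly constant; the record layout, sample values and thresholds are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records (timestamp in seconds, src, dst, dst port);
# not taken from a real capture. 10.0.0.5 checks in every ~60 s while
# 10.0.0.7 browses at irregular intervals.
FRAMES = [
    (0.0,   "10.0.0.5", "203.0.113.9", 443),
    (2.1,   "10.0.0.7", "192.0.2.10",  80),
    (60.0,  "10.0.0.5", "203.0.113.9", 443),
    (61.5,  "10.0.0.7", "192.0.2.10",  80),
    (120.1, "10.0.0.5", "203.0.113.9", 443),
    (131.0, "10.0.0.7", "192.0.2.10",  80),
    (179.9, "10.0.0.5", "203.0.113.9", 443),
    (240.0, "10.0.0.5", "203.0.113.9", 443),
    (250.3, "10.0.0.7", "192.0.2.10",  80),
]

def frame_time_delta_hits(frames, low=60.0, high=61.0):
    """Equivalent of the display filter: gap since the previous captured frame."""
    ordered = sorted(frames, key=lambda f: f[0])
    return [cur for prev, cur in zip(ordered, ordered[1:])
            if low < cur[0] - prev[0] < high]

def conversation_gaps(frames):
    """Inter-arrival times per (src, dst, dst_port) conversation."""
    by_conv = defaultdict(list)
    for ts, src, dst, port in sorted(frames, key=lambda f: f[0]):
        by_conv[(src, dst, port)].append(ts)
    return {conv: [b - a for a, b in zip(ts, ts[1:])]
            for conv, ts in by_conv.items()}

def beacon_candidates(frames, min_gaps=3, max_cv=0.05):
    """Flag conversations whose gaps vary by at most max_cv (std/mean).
    Returns {conversation: mean interval in seconds}."""
    out = {}
    for conv, gaps in conversation_gaps(frames).items():
        if len(gaps) < min_gaps:
            continue
        m = mean(gaps)
        cv = pstdev(gaps) / m if m else float("inf")
        if cv <= max_cv:
            out[conv] = round(m, 2)
    return out

if __name__ == "__main__":
    print("frame.time_delta hits:", frame_time_delta_hits(FRAMES))
    print("per-conversation beacons:", beacon_candidates(FRAMES))
```

The naive filter catches only one of the five beacon frames, while the per-conversation check reports the 60 s period of the 10.0.0.5 conversation and ignores the irregular one.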
Analysis Tips
- Follow TCP streams (Right-click → Follow → TCP Stream)
- Use Statistics → Conversations for traffic overview
- Export objects (File → Export Objects → HTTP)
- Look for TLS or other encrypted traffic on non-standard ports
December 2024