Wireshark for Traffic Analysis – A Comprehensive Guide

Introduction

Wireshark is the world’s most popular network protocol analyzer, used for capturing, analyzing, and troubleshooting network traffic. It helps security analysts, network administrators, and ethical hackers inspect data packets in real time, identify vulnerabilities, and diagnose network issues.

Why Use Wireshark?

Monitor real-time network traffic
Analyze security threats & suspicious activities
Inspect individual packets for forensic analysis
Identify network misconfigurations & bottlenecks
Detect malicious activities (malware, unauthorized access, etc.)


1. Installing Wireshark

Wireshark is available for Windows, Linux, and macOS.

a) Installing on Windows

  1. Download Wireshark for Windows from:
    https://www.wireshark.org/download.html
  2. Run the installer and accept the Npcap component (required for live capture; the older WinPcap also works but is no longer maintained).
  3. Launch Wireshark and start capturing network packets.

b) Installing on Linux (Ubuntu/Kali)

Wireshark comes pre-installed in Kali Linux. If not, install it using:

sudo apt update && sudo apt install wireshark -y

To allow non-root users to capture packets, add your account to the wireshark group (log out and back in for the change to take effect):

sudo usermod -aG wireshark $USER

c) Installing on macOS

Install Wireshark using Homebrew:

brew install wireshark

2. Understanding Wireshark Interface

When you open Wireshark, you’ll see:
🔹 Capture Interfaces – Select which network interface (Ethernet, Wi-Fi) to monitor.
🔹 Packet List Panel – Displays captured packets in a live feed.
🔹 Packet Details Panel – Shows in-depth protocol details of a selected packet.
🔹 Packet Bytes Panel – Displays raw data (hexadecimal & ASCII formats).


3. Capturing Network Traffic

a) Start Capturing Packets

  1. Select a network interface (Wi-Fi, Ethernet, Loopback, etc.).
  2. Click Start (Shark Fin Button) or press Ctrl + E.
  3. Let the capture run for some time, then stop (Ctrl + E again).
  4. Inspect the captured packets.

b) Filtering Traffic

Wireshark captures all network traffic, but you can filter specific data using the display filter bar.

Example Filters:
🔹 Show only HTTP traffic:

http

🔹 Show only TCP packets:

tcp

🔹 Show only packets from a specific IP:

ip.src == 192.168.1.10

🔹 Show only DNS queries:

dns

🔹 Show only traffic to or from a specific port (e.g., 443 for HTTPS):

tcp.port == 443

4. Analyzing Network Traffic

a) Identifying Suspicious Traffic

Unusual IP Connections – Unexpected connections to external servers may indicate malware or data exfiltration.
Frequent DNS Requests – A large number of DNS lookups might indicate a DNS tunneling attack.
Malformed Packets – Corrupted or unexpected packet structures could indicate a cyberattack.

b) Checking HTTP & HTTPS Traffic

To analyze web traffic:

  1. Use the filter: http || tls
  2. Look at GET & POST requests (for potential data leaks).
  3. Check TLS certificates for encrypted HTTPS traffic.

c) Detecting Malicious Traffic

Common indicators of malicious activity:
Unusual TCP Flags – FIN, PSH and URG set together (an "Xmas" probe) may indicate port scanning.
Excessive SYN Packets – Potential DDoS attack (SYN flood).
High Volume of ICMP Requests – May indicate ping sweep reconnaissance.
Connections to Known Malicious IPs – Check against threat intelligence databases.


5. Extracting Files & Credentials

a) Extracting Files from Network Traffic

If a file was transmitted over the network, you can extract it from a pcap file:

  1. Open Wireshark.
  2. Go to File > Export Objects > HTTP or SMB.
  3. Select the file and save it for further analysis.

b) Capturing Plaintext Passwords

Many older protocols send unencrypted credentials, which can be captured:
FTP (tcp.port == 21)
Telnet (tcp.port == 23)
HTTP Basic Authentication (http contains "Authorization")

However, modern websites use HTTPS, which encrypts passwords.
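The three filters above only find the flows; deciding whether a capture actually exposed a login still means reading each payload. The following script is an added example (not code from the original post) that audits already-reassembled TCP payloads for FTP USER/PASS pairs and HTTP Basic Authorization headers, decodes the Base64 value, and reports the username with the password masked, so the report demonstrates the exposure without copying the secret into another file. The sample flows are constructed for this example; Telnet is deliberately not handled, because it sends credentials one character per segment and needs stream reassembly first.

```python
import base64
import re
from typing import List, Tuple

# Constructed, already-reassembled TCP payloads keyed by server port (assumption: one flow each).
SAMPLE_FLOWS = [
    (21, b"220 ftp ready\r\nUSER alice\r\n331 Password required\r\nPASS hunter2\r\n230 Logged in\r\n"),
    (80, b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
         b"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n\r\n"),
    (443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),   # TLS ClientHello: nothing readable
]

def mask(secret: str) -> str:
    """Keep only the first character so a report proves exposure without re-exposing the value."""
    return secret[:1] + "*" * (len(secret) - 1)

def audit_flow(port: int, payload: bytes) -> List[Tuple[str, str, str]]:
    """Return (protocol, username, masked password) for each cleartext login in one flow."""
    text = payload.decode("latin-1")          # byte-preserving decode; binary flows simply won't match
    findings = []
    if port == 21:                            # mirrors tcp.port == 21, then FTP USER/PASS commands
        user = re.search(r"^USER (\S+)\r?$", text, re.M)
        pw = re.search(r"^PASS (\S+)\r?$", text, re.M)
        if user and pw:
            findings.append(("ftp", user.group(1), mask(pw.group(1))))
    if port in (80, 8080):                    # mirrors http contains "Authorization"
        for m in re.finditer(r"^Authorization: Basic ([A-Za-z0-9+/=]+)\r?$", text, re.M):
            try:
                user, _, pw = base64.b64decode(m.group(1), validate=True).decode("utf-8").partition(":")
            except (ValueError, UnicodeDecodeError):
                continue                      # malformed header, not a usable credential
            findings.append(("http-basic", user, mask(pw)))
    return findings

def audit_capture(flows=SAMPLE_FLOWS):
    """Run the audit over every flow and flatten the findings."""
    return [f for port, payload in flows for f in audit_flow(port, payload)]

if __name__ == "__main__":
    for proto, user, masked in audit_capture():
        print(f"cleartext {proto} credential for user {user!r} (password {masked})")
```

On a real capture the payloads would come from Wireshark's Follow TCP Stream output or from TShark; the TLS flow shows why the HTTPS case in the text yields nothing: the bytes are not text, so neither pattern matches.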


6. Network Performance Monitoring

Wireshark helps identify network issues like:
High latency (packet delays)
Packet loss (dropped data packets)
Bandwidth consumption (identify which device is using excessive data)

a) Checking Network Latency

Filter ICMP echo requests and replies, then compare the timestamps of each request/reply pair to measure response time:

icmp

b) Identifying Packet Loss

Look for TCP retransmissions using:

tcp.analysis.retransmission
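To show what the two filters above are actually matching, here is an added example (not from the original post) that re-implements the logic on constructed packet records: a simplified version of Wireshark's retransmission heuristic (a data segment whose byte range was already fully sent in the same direction), and the ICMP echo pairing that turns a request/reply sequence into per-ping round-trip times and a list of unanswered pings. Wireshark's real retransmission analysis also considers ACK state, RTO timing and sequence-number wraparound; this version does not, and the thresholds and timestamps are sample values.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Segment:
    """One TCP segment with the fields Wireshark shows (constructed sample data)."""
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    length: int      # TCP payload bytes

@dataclass(frozen=True)
class Echo:
    """One ICMP echo packet: type 8 = request, type 0 = reply."""
    ts: float
    type: int
    ident: int
    seq: int

def find_retransmissions(segments: List[Segment]) -> List[Segment]:
    """Simplified tcp.analysis.retransmission: flag a data-bearing segment whose byte range
    was already fully covered by earlier segments in the same direction (no wraparound handling)."""
    next_seq: Dict[Tuple[str, int, str, int], int] = {}
    flagged = []
    for s in sorted(segments, key=lambda s: s.ts):
        key = (s.src, s.sport, s.dst, s.dport)
        end = s.seq + s.length
        if s.length and key in next_seq and end <= next_seq[key]:
            flagged.append(s)
        next_seq[key] = max(next_seq.get(key, 0), end)
    return flagged

def loss_ratio(segments: List[Segment]) -> float:
    """Share of data segments that had to be resent; a rough packet-loss indicator."""
    data = [s for s in segments if s.length]
    return round(len(find_retransmissions(data)) / len(data), 3) if data else 0.0

def echo_rtts(pkts: List[Echo]):
    """Pair echo requests with replies by (identifier, sequence); unanswered requests are lost pings."""
    pending, rtts_ms = {}, {}
    for p in sorted(pkts, key=lambda p: p.ts):
        k = (p.ident, p.seq)
        if p.type == 8:
            pending[k] = p.ts
        elif p.type == 0 and k in pending:
            rtts_ms[k] = round((p.ts - pending.pop(k)) * 1000, 3)
    return rtts_ms, sorted(pending)

# Constructed samples: one client/server TCP flow and one ping run.
C, S = ("10.0.0.5", 50000), ("10.0.0.80", 443)
SEGMENTS = [
    Segment(0.00, *C, *S, 1000, 100),
    Segment(0.01, *C, *S, 1100, 100),
    Segment(0.05, *S, *C, 5000, 500),
    Segment(0.31, *C, *S, 1000, 100),   # same bytes again after ~300 ms: retransmission
    Segment(0.32, *C, *S, 1200, 100),
]
ECHOES = [Echo(0.000, 8, 7, 1), Echo(0.0123, 0, 7, 1),
          Echo(1.000, 8, 7, 2), Echo(1.0251, 0, 7, 2),
          Echo(2.000, 8, 7, 3)]                          # request 3 never answered

if __name__ == "__main__":
    for s in find_retransmissions(SEGMENTS):
        print(f"retransmission at {s.ts}s seq={s.seq}")
    print("data-segment loss ratio:", loss_ratio(SEGMENTS))
    rtts, lost = echo_rtts(ECHOES)
    print("rtt ms:", rtts, "lost:", lost)
```

The direction key matters: the server's 500-byte segment is not a retransmission even though its sequence numbers overlap nothing, because sequence space is per direction, which is also why Wireshark tracks each side of a conversation separately.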

7. Wireshark for Security Analysis

Wireshark is a powerful tool for threat detection and forensic investigation.

a) Detecting ARP Spoofing

If an attacker is performing an ARP poisoning attack, you may see the same IP address answered by two different MAC addresses; Wireshark flags this as a duplicate-address warning:

arp.duplicate-address-detected

b) Identifying a Man-in-the-Middle (MITM) Attack

If an attacker intercepts SSL/TLS traffic, you might see:
Unexpected self-signed certificates
Multiple SSL handshakes for the same session
Unusual DNS requests redirecting traffic

c) Analyzing Malware Communication

  1. Filter traffic from an infected machine: ip.src == 192.168.1.100
  2. Look for suspicious outbound connections to unknown servers.
  3. Check for data exfiltration attempts (large outbound file transfers).
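The indicators listed in sections 4 and 7 (bare-SYN bursts, FIN/PSH/URG probes, DNS request bursts, ping sweeps, and one IP answered by more than one MAC in ARP replies) are all things a script can count once the packets are decoded. The following is an added example, not code from the original post: a minimal libpcap reader for Ethernet/IPv4/ARP frames and a set of counters that apply those heuristics. It builds its own constructed capture in memory so it runs offline; the thresholds are illustrative assumptions to be tuned per network, and the reader handles classic pcap only, not pcapng.

```python
import socket
import struct
from collections import Counter, defaultdict

# Constructed sample traffic (assumptions for this example, not a real capture).
MAC_A, MAC_B, MAC_C = (bytes.fromhex(f"02000000000{i}") for i in "123")
SYN, FIN, PSH, URG = 0x02, 0x01, 0x08, 0x20

def eth(src, dst, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload

def ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return eth(MAC_A, MAC_B, 0x0800, hdr + payload)
def tcp(src, dst, sport, dport, flags):          # 20-byte TCP header, flags byte at offset 13
    return ipv4(src, dst, 6, struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0))
def udp(src, dst, sport, dport, payload=b"\x00" * 12):
    return ipv4(src, dst, 17, struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload)
def icmp_echo(src, dst):                         # ICMP type 8 = echo request
    return ipv4(src, dst, 1, struct.pack("!BBHHH", 8, 0, 0, 1, 1))

def arp_reply(sender_mac, sender_ip, target_mac, target_ip):   # ARP opcode 2 = reply
    body = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2) + sender_mac + socket.inet_aton(sender_ip) \
        + target_mac + socket.inet_aton(target_ip)
    return eth(sender_mac, target_mac, 0x0806, body)

def pcap_bytes(frames):                          # classic little-endian libpcap, link type 1 = Ethernet
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000, i, len(f), len(f)) + f
    return out

def parse_pcap(data):
    """Yield one dict per frame with just the fields the indicator checks need."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"   # pcapng not handled
    off = 24
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        f = data[off + 16:off + 16 + incl]
        off += 16 + incl
        pkt = {"proto": None}
        etype = struct.unpack("!H", f[12:14])[0]
        if etype == 0x0806:                                   # ARP
            pkt.update(proto="arp", op=struct.unpack("!H", f[20:22])[0],
                       sender_mac=f[22:28].hex(":"), sender_ip=socket.inet_ntoa(f[28:32]))
        elif etype == 0x0800:                                 # IPv4: header length from IHL nibble
            l4 = f[14 + (f[14] & 0x0F) * 4:]
            pkt.update(src=socket.inet_ntoa(f[26:30]), dst=socket.inet_ntoa(f[30:34]))
            if f[23] == 6:
                pkt.update(proto="tcp", dport=struct.unpack("!H", l4[2:4])[0], flags=l4[13] & 0x3F)
            elif f[23] == 17:
                pkt.update(proto="udp", dport=struct.unpack("!H", l4[2:4])[0])
            elif f[23] == 1:
                pkt.update(proto="icmp", type=l4[0])
        yield pkt

def indicators(packets, syn_limit=50, dns_limit=30, sweep_limit=16):
    """Apply the section's heuristics; thresholds are illustrative and should be tuned per network."""
    syn_by_dst, dns_by_src, xmas = Counter(), Counter(), set()
    icmp_targets, arp_macs = defaultdict(set), defaultdict(set)
    for p in packets:
        if p["proto"] == "tcp":
            if p["flags"] == SYN:                       # bare SYN without ACK: half-open attempt
                syn_by_dst[p["dst"]] += 1
            if p["flags"] & (FIN | PSH | URG) == FIN | PSH | URG:
                xmas.add(p["src"])
        elif p["proto"] == "udp" and p["dport"] == 53:
            dns_by_src[p["src"]] += 1
        elif p["proto"] == "icmp" and p["type"] == 8:
            icmp_targets[p["src"]].add(p["dst"])
        elif p["proto"] == "arp" and p["op"] == 2:      # same IP answered by more than one MAC
            arp_macs[p["sender_ip"]].add(p["sender_mac"])
    return {
        "syn_flood_targets": sorted(d for d, n in syn_by_dst.items() if n >= syn_limit),
        "xmas_scan_sources": sorted(xmas),
        "dns_heavy_talkers": sorted(s for s, n in dns_by_src.items() if n >= dns_limit),
        "ping_sweep_sources": sorted(s for s, t in icmp_targets.items() if len(t) >= sweep_limit),
        "arp_conflicts": {ip: sorted(m) for ip, m in arp_macs.items() if len(m) > 1},
    }

def sample_capture():
    frames = [tcp("10.0.0.5", "10.0.0.80", 40000 + i, 80, SYN) for i in range(60)]   # SYN flood
    frames.append(tcp("10.0.0.9", "10.0.0.80", 5555, 22, FIN | PSH | URG))         # Xmas probe
    frames.append(tcp("10.0.0.6", "10.0.0.80", 5556, 80, SYN | 0x10))              # SYN-ACK: benign
    frames += [udp("10.0.0.7", "10.0.0.53", 53000 + i, 53) for i in range(40)]     # DNS burst
    frames += [icmp_echo("10.0.0.9", f"10.0.0.{h}") for h in range(100, 120)]      # ping sweep
    frames += [arp_reply(MAC_B, "10.0.0.1", MAC_A, "10.0.0.5"),
               arp_reply(MAC_C, "10.0.0.1", MAC_A, "10.0.0.5")]                    # gateway claimed twice
    return pcap_bytes(frames)

def analyze(pcap=None):
    return indicators(parse_pcap(pcap if pcap is not None else sample_capture()))

if __name__ == "__main__":
    for name, hits in analyze().items():
        print(f"{name}: {hits}")
```

To run it against a real file, pass the bytes of a .pcap saved from Wireshark to analyze(); the counters correspond to the display filters tcp.flags == 0x002, tcp.flags.fin && tcp.flags.push && tcp.flags.urg, udp.port == 53, icmp.type == 8 and arp.opcode == 2, so any hit can be confirmed in the Wireshark GUI with the matching filter.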

8. Saving & Exporting Capture Files

After analyzing traffic, you can save the capture for later use:

File > Save As > .pcap

PCAP files can be opened later in Wireshark or analyzed with tools like Zeek, TShark, or Snort.


9. Wireshark Alternatives

If you want alternatives, consider:
🔹 Tcpdump – CLI-based packet capture tool.
🔹 TShark – Command-line version of Wireshark.
🔹 Zeek (Bro IDS) – Advanced network monitoring tool.
🔹 NetworkMiner – Extracts files and credentials from PCAP files.
