Wireshark Network Traffic Analysis

1---
2name: Wireshark Network Traffic Analysis
3description: This skill should be used when the user asks to "analyze network traffic with Wireshark", "capture packets for troubleshooting", "filter PCAP files", "follow TCP/UDP streams", "detect network anomalies", "investigate suspicious traffic", or "perform protocol analysis". It provides comprehensive techniques for network packet capture, filtering, and analysis using Wireshark.
4metadata:
5  author: zebbern
6  version: "1.1"
7---
8 
9# Wireshark Network Traffic Analysis
10 
11## Purpose
12 
13Execute comprehensive network traffic analysis using Wireshark to capture, filter, and examine network packets for security investigations, performance optimization, and troubleshooting. This skill enables systematic analysis of network protocols, detection of anomalies, and reconstruction of network conversations from PCAP files.
14 
15## Inputs / Prerequisites
16 
17### Required Tools
18- Wireshark installed (Windows, macOS, or Linux)
19- Network interface with capture permissions
20- PCAP/PCAPNG files for offline analysis
21- Administrator/root privileges for live capture
22 
23### Technical Requirements
24- Understanding of network protocols (TCP, UDP, HTTP, DNS)
25- Familiarity with IP addressing and ports
26- Knowledge of OSI model layers
27- Understanding of common attack patterns
28 
29### Use Cases
30- Network troubleshooting and connectivity issues
31- Security incident investigation
32- Malware traffic analysis
33- Performance monitoring and optimization
34- Protocol learning and education
35 
36## Outputs / Deliverables
37 
38### Primary Outputs
39- Filtered packet captures for specific traffic
40- Reconstructed communication streams
41- Traffic statistics and visualizations
42- Evidence documentation for incidents
43 
44## Core Workflow
45 
46### Phase 1: Capturing Network Traffic
47 
48#### Start Live Capture
49Begin capturing packets on network interface:
50 
51```
521. Launch Wireshark
532. Select network interface from main screen
543. Click shark fin icon or double-click interface
554. Capture begins immediately
56```
57 
58#### Capture Controls
59| Action | Shortcut | Description |
60|--------|----------|-------------|
61| Start/Stop Capture | Ctrl+E | Toggle capture on/off |
62| Restart Capture | Ctrl+R | Stop and start new capture |
63| Open PCAP File | Ctrl+O | Load existing capture file |
64| Save Capture | Ctrl+S | Save current capture |
65 
66#### Capture Filters
67Apply filters before capture to limit data collection:
68 
69```
70# Capture only specific host
71host 192.168.1.100
72 
73# Capture specific port
74port 80
75 
76# Capture specific network
77net 192.168.1.0/24
78 
79# Exclude specific traffic
80not arp
81 
82# Combine filters
83host 192.168.1.100 and port 443
84```
85 
86### Phase 2: Display Filters
87 
88#### Basic Filter Syntax
89Filter captured packets for analysis:
90 
91```
92# IP address filters
93ip.addr == 192.168.1.1              # All traffic to/from IP
94ip.src == 192.168.1.1               # Source IP only
95ip.dst == 192.168.1.1               # Destination IP only
96 
97# Port filters
98tcp.port == 80                       # TCP port 80
99udp.port == 53                       # UDP port 53
100tcp.dstport == 443                   # Destination port 443
101tcp.srcport == 22                    # Source port 22
102```
103 
104#### Protocol Filters
105Filter by specific protocols:
106 
107```
108# Common protocols
109http                                  # HTTP traffic
110https or ssl or tls                   # Encrypted web traffic
111dns                                   # DNS queries and responses
112ftp                                   # FTP traffic
113ssh                                   # SSH traffic
114icmp                                  # Ping/ICMP traffic
115arp                                   # ARP requests/responses
116dhcp                                  # DHCP traffic
117smb or smb2                          # SMB file sharing
118```
119 
120#### TCP Flag Filters
121Identify specific connection states:
122 
123```
124tcp.flags.syn == 1                   # SYN packets (connection attempts)
125tcp.flags.ack == 1                   # ACK packets
126tcp.flags.fin == 1                   # FIN packets (connection close)
127tcp.flags.reset == 1                 # RST packets (connection reset)
128tcp.flags.syn == 1 && tcp.flags.ack == 0  # SYN-only (initial connection)
129```
130 
131#### Content Filters
132Search for specific content:
133 
134```
135frame contains "password"            # Packets containing string
136http.request.uri contains "login"    # HTTP URIs with string
137tcp contains "GET"                   # TCP packets with string
138```
139 
140#### Analysis Filters
141Identify potential issues:
142 
143```
144tcp.analysis.retransmission          # TCP retransmissions
145tcp.analysis.duplicate_ack           # Duplicate ACKs
146tcp.analysis.zero_window             # Zero window (flow control)
147tcp.analysis.flags                   # Packets with issues
148dns.flags.rcode != 0                 # DNS errors
149```
150 
151#### Combining Filters
152Use logical operators for complex queries:
153 
154```
155# AND operator
156ip.addr == 192.168.1.1 && tcp.port == 80
157 
158# OR operator
159dns || http
160 
161# NOT operator
162!(arp || icmp)
163 
164# Complex combinations
165(ip.src == 192.168.1.1 || ip.src == 192.168.1.2) && tcp.port == 443
166```
167 
168### Phase 3: Following Streams
169 
170#### TCP Stream Reconstruction
171View complete TCP conversation:
172 
173```
1741. Right-click on any TCP packet
1752. Select Follow > TCP Stream
1763. View reconstructed conversation
1774. Toggle between ASCII, Hex, Raw views
1785. Filter to show only this stream
179```
180 
181#### Stream Types
182| Stream | Access | Use Case |
183|--------|--------|----------|
184| TCP Stream | Follow > TCP Stream | Web, file transfers, any TCP |
185| UDP Stream | Follow > UDP Stream | DNS, VoIP, streaming |
186| HTTP Stream | Follow > HTTP Stream | Web content, headers |
187| TLS Stream | Follow > TLS Stream | Encrypted traffic (if keys available) |
188 
189#### Stream Analysis Tips
190- Review request/response pairs
191- Identify transmitted files or data
192- Look for credentials in plaintext
193- Note unusual patterns or commands
194 
195### Phase 4: Statistical Analysis
196 
197#### Protocol Hierarchy
198View protocol distribution:
199 
200```
201Statistics > Protocol Hierarchy
202 
203Shows:
204- Percentage of each protocol
205- Packet counts
206- Bytes transferred
207- Protocol breakdown tree
208```
209 
210#### Conversations
211Analyze communication pairs:
212 
213```
214Statistics > Conversations
215 
216Tabs:
217- Ethernet: MAC address pairs
218- IPv4/IPv6: IP address pairs
219- TCP: Connection details (ports, bytes, packets)
220- UDP: Datagram exchanges
221```
222 
223#### Endpoints
224View active network participants:
225 
226```
227Statistics > Endpoints
228 
229Shows:
230- All source/destination addresses
231- Packet and byte counts
232- Geographic information (if enabled)
233```
234 
235#### Flow Graph
236Visualize packet sequence:
237 
238```
239Statistics > Flow Graph
240 
241Options:
242- All packets or displayed only
243- Standard or TCP flow
244- Shows packet timing and direction
245```
246 
247#### I/O Graphs
248Plot traffic over time:
249 
250```
251Statistics > I/O Graph
252 
253Features:
254- Packets per second
255- Bytes per second
256- Custom filter graphs
257- Multiple graph overlays
258```
259 
260### Phase 5: Security Analysis
261 
262#### Detect Port Scanning
263Identify reconnaissance activity:
264 
265```
266# SYN scan detection (many ports, same source)
267ip.src == SUSPECT_IP && tcp.flags.syn == 1
268 
269# Review Statistics > Conversations for anomalies
270# Look for single source hitting many destination ports
271```
272 
273#### Identify Suspicious Traffic
274Filter for anomalies:
275 
276```
277# Traffic to unusual ports
278tcp.dstport > 1024 && tcp.dstport < 49152
279 
280# Traffic outside trusted network
281!(ip.addr == 192.168.1.0/24)
282 
283# Unusual DNS queries
284dns.qry.name contains "suspicious-domain"
285 
286# Large data transfers
287frame.len > 1400
288```
289 
290#### ARP Spoofing Detection
291Identify ARP attacks:
292 
293```
294# Duplicate ARP responses
295arp.duplicate-address-frame
296 
297# ARP traffic analysis
298arp
299 
300# Look for:
301# - Multiple MACs for same IP
302# - Gratuitous ARP floods
303# - Unusual ARP patterns
304```
305 
306#### Examine Downloads
307Analyze file transfers:
308 
309```
310# HTTP file downloads
311http.request.method == "GET" && http contains "Content-Disposition"
312 
313# Follow HTTP Stream to view file content
314# Use File > Export Objects > HTTP to extract files
315```
316 
317#### DNS Analysis
318Investigate DNS activity:
319 
320```
321# All DNS traffic
322dns
323 
324# DNS queries only
325dns.flags.response == 0
326 
327# DNS responses only
328dns.flags.response == 1
329 
330# Failed DNS lookups
331dns.flags.rcode != 0
332 
333# Specific domain queries
334dns.qry.name contains "domain.com"
335```
336 
337### Phase 6: Expert Information
338 
339#### Access Expert Analysis
340View Wireshark's automated findings:
341 
342```
343Analyze > Expert Information
344 
345Categories:
346- Errors: Critical issues
347- Warnings: Potential problems
348- Notes: Informational items
349- Chats: Normal conversation events
350```
351 
352#### Common Expert Findings
353| Finding | Meaning | Action |
354|---------|---------|--------|
355| TCP Retransmission | Packet resent | Check for packet loss |
356| Duplicate ACK | Possible loss | Investigate network path |
357| Zero Window | Buffer full | Check receiver performance |
358| RST | Connection reset | Check for blocks/errors |
359| Out-of-Order | Packets reordered | Usually normal, excessive is issue |
360 
361## Quick Reference
362 
363### Keyboard Shortcuts
364| Action | Shortcut |
365|--------|----------|
366| Open file | Ctrl+O |
367| Save file | Ctrl+S |
368| Start/Stop capture | Ctrl+E |
369| Find packet | Ctrl+F |
370| Go to packet | Ctrl+G |
371| Next packet | ↓ |
372| Previous packet | ↑ |
373| First packet | Ctrl+Home |
374| Last packet | Ctrl+End |
375| Apply filter | Enter |
376| Clear filter | Ctrl+Shift+X |
377 
378### Common Filter Reference
379```
380# Web traffic
381http || https
382 
383# Email
384smtp || pop || imap
385 
386# File sharing  
387smb || smb2 || ftp
388 
389# Authentication
390ldap || kerberos
391 
392# Network management
393snmp || icmp
394 
395# Encrypted
396tls || ssl
397```
398 
399### Export Options
400```
401File > Export Specified Packets    # Save filtered subset
402File > Export Objects > HTTP       # Extract HTTP files
403File > Export Packet Dissections   # Export as text/CSV
404```
405 
406## Constraints and Guardrails
407 
408### Operational Boundaries
409- Capture only authorized network traffic
410- Handle captured data according to privacy policies
411- Avoid capturing sensitive credentials unnecessarily
412- Properly secure PCAP files containing sensitive data
413 
414### Technical Limitations
415- Large captures consume significant memory
416- Encrypted traffic content not visible without keys
417- High-speed networks may drop packets
418- Some protocols require plugins for full decoding
419 
420### Best Practices
421- Use capture filters to limit data collection
422- Save captures regularly during long sessions
423- Use display filters rather than deleting packets
424- Document analysis findings and methodology
425 
426## Examples
427 
428### Example 1: HTTP Credential Analysis
429 
430**Scenario**: Investigate potential plaintext credential transmission
431 
432```
4331. Filter: http.request.method == "POST"
4342. Look for login forms
4353. Follow HTTP Stream
4364. Search for username/password parameters
437```
438 
439**Finding**: Credentials transmitted in cleartext form data.
440 
441### Example 2: Malware C2 Detection
442 
443**Scenario**: Identify command and control traffic
444 
445```
4461. Filter: dns
4472. Look for unusual query patterns
4483. Check for high-frequency beaconing
4494. Identify domains with random-looking names
4505. Filter: ip.dst == SUSPICIOUS_IP
4516. Analyze traffic patterns
452```
453 
454**Indicators**:
455- Regular timing intervals
456- Encoded/encrypted payloads
457- Unusual ports or protocols
458 
459### Example 3: Network Troubleshooting
460 
461**Scenario**: Diagnose slow web application
462 
463```
4641. Filter: ip.addr == WEB_SERVER
4652. Check Statistics > Service Response Time
4663. Filter: tcp.analysis.retransmission
4674. Review I/O Graph for patterns
4685. Check for high latency or packet loss
469```
470 
471**Finding**: TCP retransmissions indicating network congestion.
472 
473## Troubleshooting
474 
475### No Packets Captured
476- Verify correct interface selected
477- Check for admin/root permissions
478- Confirm network adapter is active
479- Disable promiscuous mode if issues persist
480 
481### Filter Not Working
482- Verify filter syntax (red = error)
483- Check for typos in field names
484- Use Expression button for valid fields
485- Clear filter and rebuild incrementally
486 
487### Performance Issues
488- Use capture filters to limit traffic
489- Split large captures into smaller files
490- Disable name resolution during capture
491- Close unnecessary protocol dissectors
492 
493### Cannot Decrypt TLS/SSL
494- Obtain server private key
495- Configure at Edit > Preferences > Protocols > TLS
496- For ephemeral keys, capture pre-master secret from browser
497- Some modern ciphers cannot be decrypted passively
498