Wireshark Network Traffic Analysis

Purpose

Execute comprehensive network traffic analysis using Wireshark to capture, filter, and examine network packets for security investigations, performance optimization, and troubleshooting. This skill enables systematic analysis of network protocols, detection of anomalies, and reconstruction of network conversations from PCAP files.

Inputs / Prerequisites

Required Tools

Wireshark installed (Windows, macOS, or Linux)
Network interface with capture permissions
PCAP/PCAPNG files for offline analysis
Administrator/root privileges for live capture

Technical Requirements

Understanding of network protocols (TCP, UDP, HTTP, DNS)
Familiarity with IP addressing and ports
Knowledge of OSI model layers
Understanding of common attack patterns

Use Cases

Network troubleshooting and connectivity issues
Security incident investigation
Malware traffic analysis
Performance monitoring and optimization
Protocol learning and education

Outputs / Deliverables

Primary Outputs

Filtered packet captures for specific traffic
Reconstructed communication streams
Traffic statistics and visualizations
Evidence documentation for incidents

Core Workflow

Phase 1: Capturing Network Traffic

Start Live Capture

Begin capturing packets on network interface:

Launch Wireshark
Select network interface from main screen
Click shark fin icon or double-click interface
Capture begins immediately

Capture Controls

Action Shortcut Description

Start/Stop Capture Ctrl+E Toggle capture on/off

Restart Capture Ctrl+R Stop and start new capture

Open PCAP File Ctrl+O Load existing capture file

Save Capture Ctrl+S Save current capture

Capture Filters

Apply filters before capture to limit data collection:

Capture only specific host

host 192.168.1.100

Capture specific port

port 80

Capture specific network

net 192.168.1.0/24

Exclude specific traffic

not arp

Combine filters

host 192.168.1.100 and port 443

Phase 2: Display Filters

Basic Filter Syntax

Filter captured packets for analysis:

IP address filters

ip.addr == 192.168.1.1 # All traffic to/from IP ip.src == 192.168.1.1 # Source IP only ip.dst == 192.168.1.1 # Destination IP only

Port filters

tcp.port == 80 # TCP port 80 udp.port == 53 # UDP port 53 tcp.dstport == 443 # Destination port 443 tcp.srcport == 22 # Source port 22

Protocol Filters

Filter by specific protocols:

Common protocols

http # HTTP traffic https or ssl or tls # Encrypted web traffic dns # DNS queries and responses ftp # FTP traffic ssh # SSH traffic icmp # Ping/ICMP traffic arp # ARP requests/responses dhcp # DHCP traffic smb or smb2 # SMB file sharing

TCP Flag Filters

Identify specific connection states:

tcp.flags.syn == 1 # SYN packets (connection attempts) tcp.flags.ack == 1 # ACK packets tcp.flags.fin == 1 # FIN packets (connection close) tcp.flags.reset == 1 # RST packets (connection reset) tcp.flags.syn == 1 && tcp.flags.ack == 0 # SYN-only (initial connection)

Content Filters

Search for specific content:

frame contains "password" # Packets containing string http.request.uri contains "login" # HTTP URIs with string tcp contains "GET" # TCP packets with string

Analysis Filters

Identify potential issues:

tcp.analysis.retransmission # TCP retransmissions tcp.analysis.duplicate_ack # Duplicate ACKs tcp.analysis.zero_window # Zero window (flow control) tcp.analysis.flags # Packets with issues dns.flags.rcode != 0 # DNS errors

Combining Filters

Use logical operators for complex queries:

AND operator

ip.addr == 192.168.1.1 && tcp.port == 80

OR operator

dns || http

NOT operator

!(arp || icmp)

Complex combinations

(ip.src == 192.168.1.1 || ip.src == 192.168.1.2) && tcp.port == 443

Phase 3: Following Streams

TCP Stream Reconstruction

View complete TCP conversation:

Right-click on any TCP packet
Select Follow > TCP Stream
View reconstructed conversation
Toggle between ASCII, Hex, Raw views
Filter to show only this stream

Stream Types

Stream Access Use Case

TCP Stream Follow > TCP Stream Web, file transfers, any TCP

UDP Stream Follow > UDP Stream DNS, VoIP, streaming

HTTP Stream Follow > HTTP Stream Web content, headers

TLS Stream Follow > TLS Stream Encrypted traffic (if keys available)

Stream Analysis Tips

Review request/response pairs
Identify transmitted files or data
Look for credentials in plaintext
Note unusual patterns or commands

Phase 4: Statistical Analysis

Protocol Hierarchy

View protocol distribution:

Statistics > Protocol Hierarchy

Shows:

Percentage of each protocol
Packet counts
Bytes transferred
Protocol breakdown tree

Conversations

Analyze communication pairs:

Statistics > Conversations

Tabs:

Ethernet: MAC address pairs
IPv4/IPv6: IP address pairs
TCP: Connection details (ports, bytes, packets)
UDP: Datagram exchanges

Endpoints

View active network participants:

Statistics > Endpoints

Shows:

All source/destination addresses
Packet and byte counts
Geographic information (if enabled)

Flow Graph

Visualize packet sequence:

Statistics > Flow Graph

Options:

All packets or displayed only
Standard or TCP flow
Shows packet timing and direction

I/O Graphs

Plot traffic over time:

Statistics > I/O Graph

Features:

Packets per second
Bytes per second
Custom filter graphs
Multiple graph overlays

Phase 5: Security Analysis

Detect Port Scanning

Identify reconnaissance activity:

SYN scan detection (many ports, same source)

ip.src == SUSPECT_IP && tcp.flags.syn == 1

Review Statistics > Conversations for anomalies

Look for single source hitting many destination ports

Identify Suspicious Traffic

Filter for anomalies:

Traffic to unusual ports

tcp.dstport > 1024 && tcp.dstport < 49152

Traffic outside trusted network

!(ip.addr == 192.168.1.0/24)

Unusual DNS queries

dns.qry.name contains "suspicious-domain"

Large data transfers

frame.len > 1400

ARP Spoofing Detection

Identify ARP attacks:

Duplicate ARP responses

arp.duplicate-address-frame

ARP traffic analysis

arp

Look for:

- Multiple MACs for same IP

- Gratuitous ARP floods

- Unusual ARP patterns

Examine Downloads

Analyze file transfers:

HTTP file downloads

http.request.method == "GET" && http contains "Content-Disposition"

Follow HTTP Stream to view file content

Use File > Export Objects > HTTP to extract files

DNS Analysis

Investigate DNS activity:

All DNS traffic

dns

DNS queries only

dns.flags.response == 0

DNS responses only

dns.flags.response == 1

Failed DNS lookups

dns.flags.rcode != 0

Specific domain queries

dns.qry.name contains "domain.com"

Phase 6: Expert Information

Access Expert Analysis

View Wireshark's automated findings:

Analyze > Expert Information

Categories:

Errors: Critical issues
Warnings: Potential problems
Notes: Informational items
Chats: Normal conversation events

Common Expert Findings

Finding Meaning Action

TCP Retransmission Packet resent Check for packet loss

Duplicate ACK Possible loss Investigate network path

Zero Window Buffer full Check receiver performance

RST Connection reset Check for blocks/errors

Out-of-Order Packets reordered Usually normal, excessive is issue

Quick Reference

Keyboard Shortcuts

Action Shortcut

Open file Ctrl+O

Save file Ctrl+S

Start/Stop capture Ctrl+E

Find packet Ctrl+F

Go to packet Ctrl+G

Next packet ↓

Previous packet ↑

First packet Ctrl+Home

Last packet Ctrl+End

Apply filter Enter

Clear filter Ctrl+Shift+X

Common Filter Reference

Web traffic

http || https

Email

smtp || pop || imap

File sharing

smb || smb2 || ftp

Authentication

ldap || kerberos

Network management

snmp || icmp

Encrypted

tls || ssl

Export Options

File > Export Specified Packets # Save filtered subset File > Export Objects > HTTP # Extract HTTP files File > Export Packet Dissections # Export as text/CSV

Constraints and Guardrails

Operational Boundaries

Capture only authorized network traffic
Handle captured data according to privacy policies
Avoid capturing sensitive credentials unnecessarily
Properly secure PCAP files containing sensitive data

Technical Limitations

Large captures consume significant memory
Encrypted traffic content not visible without keys
High-speed networks may drop packets
Some protocols require plugins for full decoding

Best Practices

Use capture filters to limit data collection
Save captures regularly during long sessions
Use display filters rather than deleting packets
Document analysis findings and methodology

Examples

Example 1: HTTP Credential Analysis

Scenario: Investigate potential plaintext credential transmission

Filter: http.request.method == "POST"
Look for login forms
Follow HTTP Stream
Search for username/password parameters

Finding: Credentials transmitted in cleartext form data.

Example 2: Malware C2 Detection

Scenario: Identify command and control traffic

Filter: dns
Look for unusual query patterns
Check for high-frequency beaconing
Identify domains with random-looking names
Filter: ip.dst == SUSPICIOUS_IP
Analyze traffic patterns

Indicators:

Regular timing intervals
Encoded/encrypted payloads
Unusual ports or protocols

Example 3: Network Troubleshooting

Scenario: Diagnose slow web application

Filter: ip.addr == WEB_SERVER
Check Statistics > Service Response Time
Filter: tcp.analysis.retransmission
Review I/O Graph for patterns
Check for high latency or packet loss

Finding: TCP retransmissions indicating network congestion.

Troubleshooting

No Packets Captured

Verify correct interface selected
Check for admin/root permissions
Confirm network adapter is active
Disable promiscuous mode if issues persist

Filter Not Working

Verify filter syntax (red = error)
Check for typos in field names
Use Expression button for valid fields
Clear filter and rebuild incrementally

Performance Issues

Use capture filters to limit traffic
Split large captures into smaller files
Disable name resolution during capture
Close unnecessary protocol dissectors

Cannot Decrypt TLS/SSL

Obtain server private key
Configure at Edit > Preferences > Protocols > TLS
For ephemeral keys, capture pre-master secret from browser
Some modern ciphers cannot be decrypted passively