// What is Wireshark?
Wireshark is a free, open-source network protocol analyser. It captures live network traffic or reads from saved packet capture files (.pcap / .pcapng) and lets you inspect every packet in detail � from raw bytes up to application-layer data.
As a SOC analyst or DFIR responder, Wireshark is invaluable for investigating suspicious network activity, analysing malware command-and-control traffic, reconstructing file transfers, and understanding exactly what a compromised host was communicating with.
Wireshark uses libpcap (Linux/macOS) or Npcap (Windows) for live capture. On Windows, install Npcap when prompted during the Wireshark installer � without it, live capture won't work.
// Interface Overview
Wireshark's main window is split into three panes. Understanding what each one shows saves a lot of time when you're working through a large capture.
Packet List (top)
One row per packet. Shows number, timestamp, source/destination IP, protocol, length, and a summary. Click a row to select it.
Packet Details (middle)
Dissected layers for the selected packet � expanding each layer shows every field decoded from the raw bytes. Right-click any field to build a filter from it.
Packet Bytes (bottom)
Raw hex dump of the packet alongside ASCII decode. Highlighted bytes correspond to the field selected in the details pane.
Colour coding
Wireshark colours packets by protocol and state out of the box. You can customise colouring rules under View > Colouring Rules.
| Default colour | Meaning |
|---|---|
| Light green | TCP traffic |
| Light blue | UDP traffic |
| Dark blue | DNS queries / responses |
| Black (red text) | TCP errors � bad checksum, retransmissions, out-of-order |
| Yellow | Windows-specific protocols (SMB, NetBIOS) |
| Purple / magenta | ICMP traffic |
// Capture Filters
Capture filters are applied before packets are recorded. They reduce the volume of data captured, which matters on busy networks. Capture filters use BPF (Berkeley Packet Filter) syntax � different from display filter syntax.
Capture filters discard non-matching packets permanently. If you're not sure what you need, capture everything and use display filters to narrow it down afterwards � you can't get back packets that were filtered out at capture time.
| Filter | What it captures |
|---|---|
host 192.168.1.10 | All traffic to or from a specific IP |
src host 192.168.1.10 | Traffic originating from a specific IP |
dst host 10.0.0.1 | Traffic destined for a specific IP |
net 192.168.1.0/24 | All traffic within a subnet |
port 443 | Traffic on port 443 (HTTPS) in either direction |
tcp port 80 | TCP traffic on port 80 only |
not port 22 | Exclude SSH � useful to stop your own session flooding the capture |
tcp | TCP traffic only |
udp | UDP traffic only |
icmp | ICMP only (ping, traceroute) |
host 1.2.3.4 and port 80 | HTTP traffic to/from a specific host |
// Display Filters
Display filters are applied after capture � they hide packets that don't match without discarding them. This is the filter you'll use most during analysis. Display filters use Wireshark's own syntax and support any decoded field in any protocol.
The filter bar turns green for a valid filter, red for an invalid one, and yellow for a valid but potentially unintentional expression. Right-click any field in the Packet Details pane and choose Apply as Filter to build filters automatically.
General syntax
| Operator | Meaning | Example |
|---|---|---|
== | Equals | ip.addr == 10.0.0.1 |
!= | Not equals | ip.addr != 10.0.0.1 |
> / < | Greater / less than | frame.len > 1000 |
contains | Field contains a string | http.host contains "evil" |
matches | Regex match | dns.qry.name matches "\.ru$" |
&& | AND | ip.src == 10.0.0.1 && tcp.port == 80 |
|| | OR | tcp.port == 80 || tcp.port == 443 |
! | NOT | !arp |
Common display filters
| Filter | Shows |
|---|---|
ip.addr == 192.168.1.10 | All traffic to or from an IP |
ip.src == 192.168.1.10 | Traffic from a specific source |
tcp.port == 4444 | Traffic on a specific port � common C2 port |
http | HTTP traffic only |
http.request | HTTP GET/POST requests only |
http.request.method == "POST" | HTTP POST requests � data being sent out |
dns | All DNS queries and responses |
dns.qry.name contains "pastebin" | DNS lookups for a specific domain pattern |
tls | TLS handshakes and encrypted traffic |
tls.handshake.type == 1 | TLS Client Hello � start of a new TLS connection |
tcp.flags.syn == 1 && tcp.flags.ack == 0 | TCP SYN packets only � useful for port scan detection |
icmp | All ICMP traffic � ping sweeps, tunnelling |
smb || smb2 | SMB file sharing � lateral movement indicator |
frame contains "password" | Any packet containing the word "password" in plaintext |
// Protocol Analysis
Most investigations focus on a handful of protocols. Knowing what to look for in each one saves time.
HTTP
HTTP is plaintext, so everything is readable in Wireshark. Key fields to inspect:
| Field | Where to find it | What to look for |
|---|---|---|
| Request URI | http.request.uri | Suspicious paths, encoded parameters, shell commands in URLs |
| Host header | http.host | Domain contacted � compare against threat intel |
| User-Agent | http.user_agent | Malware often uses fake or unusual User-Agent strings |
| POST body | HTTP > Line-based text data | Credentials, exfiltrated data, C2 check-ins |
| Response code | http.response.code | 200 = success, 404 = not found, 302 = redirect |
| Content-Type | http.content_type | Unexpected types (e.g. application/octet-stream from a suspicious host) |
DNS
DNS is a common channel for C2, exfiltration, and reconnaissance. Filter with dns and look for:
High Query Volume
Hundreds of queries to the same domain in a short window � likely beaconing or DGA (Domain Generation Algorithm) malware.
Long Subdomains
Subdomains longer than ~50 characters are suspicious � DNS tunnelling encodes data as subdomains (e.g. aGVsbG8gd29ybGQ.evil.com).
Random-looking Domains
DGA malware generates domains algorithmically. Look for high consonant clusters, random alphanumeric strings, or domains that fail a dictionary check.
Unusual Record Types
TXT and NULL record queries are rare in normal traffic but common in DNS tunnelling tools like dnscat2 and iodine.
TLS / HTTPS
The payload of TLS traffic is encrypted, but the handshake is visible. The Server Name Indication (SNI) field in the Client Hello reveals the destination hostname even over HTTPS.
Filter for TLS Client Hellos: tls.handshake.type == 1 � then look at tls.handshake.extensions_server_name for the destination domain.
If you have the server's private key or a pre-master secret log file, Wireshark can decrypt TLS traffic. Go to Edit > Preferences > Protocols > TLS to configure decryption.
// Following Streams
Wireshark reassembles fragmented packets and lets you read the full conversation between two hosts as a continuous stream. This is one of the most useful features for incident investigation.
Right-click any packet and choose Follow > TCP Stream (or UDP Stream, HTTP Stream, etc.). The stream window shows the full data exchange � client data in red, server data in blue by default.
| Stream type | Best used for |
|---|---|
| TCP Stream | Any TCP connection � raw reassembled data. Essential for shell sessions, custom protocols, or anything not decoded by a dissector. |
| UDP Stream | UDP sessions � DNS responses, TFTP file transfers, custom UDP protocols. |
| HTTP Stream | HTTP request and response together. Useful but TCP Stream often shows more. |
| TLS Stream | Encrypted TLS data � only readable if you have keys loaded. |
In the stream viewer, change the encoding from ASCII to Raw or Hex Dump if you're looking at binary data (malware downloads, file transfers). Use the Save as button to extract the raw content.
// Statistics & Analysis Tools
The Statistics and Analyze menus contain tools that give you a high-level picture of a capture before diving into individual packets.
| Tool | Menu | What it does |
|---|---|---|
| Protocol Hierarchy | Statistics | Breakdown of protocols in the capture by packet count and bytes � instantly shows what makes up the traffic. |
| Conversations | Statistics | Lists all communication pairs (IP, TCP, UDP) with byte counts. Sort by bytes to find high-volume connections. |
| Endpoints | Statistics | All unique IP/MAC addresses � useful for identifying active hosts. |
| I/O Graph | Statistics | Traffic volume over time. Spikes indicate bursts of activity � useful for correlating with a timeline. |
| DNS Statistics | Statistics > DNS | Summary of DNS query types, response codes, and top queried domains. |
| HTTP Statistics | Statistics > HTTP | Request types, response codes, and packet counter for HTTP traffic. |
| Expert Information | Analyze | Wireshark's automated findings � errors, warnings, notes. Start here when reviewing an unfamiliar capture. |
| TCP Stream Graphs | Statistics > TCP Stream Graphs | Visualise TCP sequence numbers, throughput, RTT, and window scaling for a selected connection. |
Start with Protocol Hierarchy and Conversations. On an unfamiliar capture, these two views tell you what protocols are present and which hosts are talking the most � giving you a quick triage picture before reading individual packets.
// Identifying Suspicious Traffic
These are common patterns to look for when analysing a capture for malicious activity.
Port scanning
A host sending SYN packets to many ports on the same target in rapid succession. Filter and look for RST responses indicating closed ports.
tcp.flags.syn == 1 and tcp.flags.ack == 0 and ip.src == 192.168.1.10C2 beaconing
Malware that phones home on a regular interval shows up as evenly spaced connections � often to the same IP and port. Use Statistics > Conversations, sort by packet count, and look for repeated low-volume sessions at regular intervals.
Cleartext credentials
Credentials sent over unencrypted protocols (FTP, Telnet, HTTP Basic Auth, SMTP) are readable directly in Wireshark.
ftp.request.command == "PASS"http.authorizationARP poisoning
An attacker floods the network with ARP replies mapping their MAC to another host's IP � enabling man-in-the-middle. Look for a single MAC claiming multiple IP addresses.
arp.opcode == 2DNS exfiltration
Data encoded as subdomains in DNS queries � tunnelling tools like dnscat2 generate long, encoded subdomains at high frequency.
dns.qry.name matches "\.[a-z0-9]{30,}\."Suspicious indicators at a glance
| Indicator | What it suggests |
|---|---|
| Outbound traffic on uncommon ports (4444, 1337, 8888) | Reverse shell or C2 channel |
| ICMP packets with large payloads (>64 bytes) | ICMP tunnelling for C2 or exfiltration |
| HTTP POST to an IP address (no domain) | C2 check-in, data exfiltration |
| Unusual User-Agent strings in HTTP | Malware mimicking a browser, or using a custom agent |
| Base64 strings in HTTP URIs or POST bodies | Obfuscated payload or encoded data being sent |
| Repeated connections to a single external IP at regular intervals | Beaconing malware |
| SMB connections between non-server workstations | Lateral movement, ransomware spreading |
| TLS to non-standard ports | C2 using encrypted channel on an unexpected port |
// Exporting Artefacts
Wireshark can reconstruct and export files and objects that were transferred during the captured session.
Export HTTP objects
Go to File > Export Objects > HTTP. Wireshark lists all files transferred over HTTP � images, scripts, executables, documents. Select items and save them for further analysis.
Handle exported files carefully. If you're extracting files from a malware capture, export to an isolated directory and analyse in a sandbox. An exported file could be a live executable.
Other export options
| Option | Menu path | Use case |
|---|---|---|
| Export Objects > SMB | File > Export Objects | Extract files transferred over SMB file shares |
| Export Objects > TFTP | File > Export Objects | Extract TFTP file transfers � common in network device configs |
| Export Specified Packets | File > Export Specified Packets | Save a filtered subset of packets as a new .pcap � useful for sharing a relevant slice of a large capture |
| Export Packet Dissections | File > Export Packet Dissections | Save decoded packet data as CSV, JSON, or plain text for reporting or further processing |
// Tips & Best Practices
Use tshark for large captures. Wireshark's command-line companion tshark can apply display filters, extract fields, and output to CSV or JSON without loading the full capture into the GUI � much faster for multi-GB pcap files.
Right-click to build filters. In the Packet Details pane, right-click any field and choose Apply as Filter > Selected to instantly populate the display filter bar. Faster and less error-prone than typing filters manually.
Save your filter expressions. You can bookmark frequently used display filters by clicking the + button next to the filter bar. Name them so you can reuse them quickly across investigations.
Name resolution can mislead. Wireshark resolves IP addresses to hostnames by default. Disable it under View > Name Resolution if DNS is slow or you want to see raw IPs. Resolved names are based on the capture machine's DNS � not necessarily accurate for the network you're analysing.
Encrypted traffic is the norm. Most modern traffic is TLS � Wireshark shows metadata but not payloads without keys. Focus on DNS, TLS SNI, certificate fields, and traffic patterns when payloads are encrypted. You can still extract a lot of context without decryption.