Wireshark Analysis
by @solomonneas
Network traffic analysis with Wireshark and tshark. Capture packets, write display and BPF filters, follow TCP/UDP/TLS streams, detect C2 beacons, troublesho...
clawhub install wireshark-analysisπ About This Skill
name: Wireshark Network Traffic Analysis version: 1.0.0 description: "Network traffic analysis with Wireshark and tshark. Capture packets, write display and BPF filters, follow TCP/UDP/TLS streams, detect C2 beacons, troubleshoot connectivity, and perform forensic PCAP analysis." metadata: author: zebbern version: "1.1"
Wireshark Network Traffic Analysis
Purpose
Execute comprehensive network traffic analysis using Wireshark to capture, filter, and examine network packets for security investigations, performance optimization, and troubleshooting. This skill enables systematic analysis of network protocols, detection of anomalies, and reconstruction of network conversations from PCAP files.
Inputs / Prerequisites
Required Tools
Technical Requirements
Use Cases
Outputs / Deliverables
Primary Outputs
Core Workflow
Phase 1: Capturing Network Traffic
#### Start Live Capture Begin capturing packets on network interface:
1. Launch Wireshark
2. Select network interface from main screen
3. Click shark fin icon or double-click interface
4. Capture begins immediately
#### Capture Controls | Action | Shortcut | Description | |--------|----------|-------------| | Start/Stop Capture | Ctrl+E | Toggle capture on/off | | Restart Capture | Ctrl+R | Stop and start new capture | | Open PCAP File | Ctrl+O | Load existing capture file | | Save Capture | Ctrl+S | Save current capture |
#### Capture Filters Apply filters before capture to limit data collection:
# Capture only specific host
host 192.168.1.100Capture specific port
port 80Capture specific network
net 192.168.1.0/24Exclude specific traffic
not arpCombine filters
host 192.168.1.100 and port 443
Phase 2: Display Filters
#### Basic Filter Syntax Filter captured packets for analysis:
# IP address filters
ip.addr == 192.168.1.1 # All traffic to/from IP
ip.src == 192.168.1.1 # Source IP only
ip.dst == 192.168.1.1 # Destination IP onlyPort filters
tcp.port == 80 # TCP port 80
udp.port == 53 # UDP port 53
tcp.dstport == 443 # Destination port 443
tcp.srcport == 22 # Source port 22
#### Protocol Filters Filter by specific protocols:
# Common protocols
http # HTTP traffic
https or ssl or tls # Encrypted web traffic
dns # DNS queries and responses
ftp # FTP traffic
ssh # SSH traffic
icmp # Ping/ICMP traffic
arp # ARP requests/responses
dhcp # DHCP traffic
smb or smb2 # SMB file sharing
#### TCP Flag Filters Identify specific connection states:
tcp.flags.syn == 1 # SYN packets (connection attempts)
tcp.flags.ack == 1 # ACK packets
tcp.flags.fin == 1 # FIN packets (connection close)
tcp.flags.reset == 1 # RST packets (connection reset)
tcp.flags.syn == 1 && tcp.flags.ack == 0 # SYN-only (initial connection)
#### Content Filters Search for specific content:
frame contains "password" # Packets containing string
http.request.uri contains "login" # HTTP URIs with string
tcp contains "GET" # TCP packets with string
#### Analysis Filters Identify potential issues:
tcp.analysis.retransmission # TCP retransmissions
tcp.analysis.duplicate_ack # Duplicate ACKs
tcp.analysis.zero_window # Zero window (flow control)
tcp.analysis.flags # Packets with issues
dns.flags.rcode != 0 # DNS errors
#### Combining Filters Use logical operators for complex queries:
# AND operator
ip.addr == 192.168.1.1 && tcp.port == 80OR operator
dns || httpNOT operator
!(arp || icmp)Complex combinations
(ip.src == 192.168.1.1 || ip.src == 192.168.1.2) && tcp.port == 443
Phase 3: Following Streams
#### TCP Stream Reconstruction View complete TCP conversation:
1. Right-click on any TCP packet
2. Select Follow > TCP Stream
3. View reconstructed conversation
4. Toggle between ASCII, Hex, Raw views
5. Filter to show only this stream
#### Stream Types | Stream | Access | Use Case | |--------|--------|----------| | TCP Stream | Follow > TCP Stream | Web, file transfers, any TCP | | UDP Stream | Follow > UDP Stream | DNS, VoIP, streaming | | HTTP Stream | Follow > HTTP Stream | Web content, headers | | TLS Stream | Follow > TLS Stream | Encrypted traffic (if keys available) |
#### Stream Analysis Tips
Phase 4: Statistical Analysis
#### Protocol Hierarchy View protocol distribution:
Statistics > Protocol HierarchyShows:
Percentage of each protocol
Packet counts
Bytes transferred
Protocol breakdown tree
#### Conversations Analyze communication pairs:
Statistics > ConversationsTabs:
Ethernet: MAC address pairs
IPv4/IPv6: IP address pairs
TCP: Connection details (ports, bytes, packets)
UDP: Datagram exchanges
#### Endpoints View active network participants:
Statistics > EndpointsShows:
All source/destination addresses
Packet and byte counts
Geographic information (if enabled)
#### Flow Graph Visualize packet sequence:
Statistics > Flow GraphOptions:
All packets or displayed only
Standard or TCP flow
Shows packet timing and direction
#### I/O Graphs Plot traffic over time:
Statistics > I/O GraphFeatures:
Packets per second
Bytes per second
Custom filter graphs
Multiple graph overlays
Phase 5: Security Analysis
#### Detect Port Scanning Identify reconnaissance activity:
# SYN scan detection (many ports, same source)
ip.src == SUSPECT_IP && tcp.flags.syn == 1Review Statistics > Conversations for anomalies
Look for single source hitting many destination ports
#### Identify Suspicious Traffic Filter for anomalies:
# Traffic to unusual ports
tcp.dstport > 1024 && tcp.dstport < 49152Traffic outside trusted network
!(ip.addr == 192.168.1.0/24)Unusual DNS queries
dns.qry.name contains "suspicious-domain"Large data transfers
frame.len > 1400
#### ARP Spoofing Detection Identify ARP attacks:
# Duplicate ARP responses
arp.duplicate-address-frameARP traffic analysis
arpLook for:
- Multiple MACs for same IP
- Gratuitous ARP floods
- Unusual ARP patterns
#### Examine Downloads Analyze file transfers:
# HTTP file downloads
http.request.method == "GET" && http contains "Content-Disposition"Follow HTTP Stream to view file content
Use File > Export Objects > HTTP to extract files
#### DNS Analysis Investigate DNS activity:
# All DNS traffic
dnsDNS queries only
dns.flags.response == 0DNS responses only
dns.flags.response == 1Failed DNS lookups
dns.flags.rcode != 0Specific domain queries
dns.qry.name contains "domain.com"
Phase 6: Expert Information
#### Access Expert Analysis View Wireshark's automated findings:
Analyze > Expert InformationCategories:
Errors: Critical issues
Warnings: Potential problems
Notes: Informational items
Chats: Normal conversation events
#### Common Expert Findings | Finding | Meaning | Action | |---------|---------|--------| | TCP Retransmission | Packet resent | Check for packet loss | | Duplicate ACK | Possible loss | Investigate network path | | Zero Window | Buffer full | Check receiver performance | | RST | Connection reset | Check for blocks/errors | | Out-of-Order | Packets reordered | Usually normal, excessive is issue |
Quick Reference
Keyboard Shortcuts
| Action | Shortcut | |--------|----------| | Open file | Ctrl+O | | Save file | Ctrl+S | | Start/Stop capture | Ctrl+E | | Find packet | Ctrl+F | | Go to packet | Ctrl+G | | Next packet | β | | Previous packet | β | | First packet | Ctrl+Home | | Last packet | Ctrl+End | | Apply filter | Enter | | Clear filter | Ctrl+Shift+X |Common Filter Reference
# Web traffic
http || httpsEmail
smtp || pop || imapFile sharing
smb || smb2 || ftpAuthentication
ldap || kerberosNetwork management
snmp || icmpEncrypted
tls || ssl
Export Options
File > Export Specified Packets # Save filtered subset
File > Export Objects > HTTP # Extract HTTP files
File > Export Packet Dissections # Export as text/CSV
Constraints and Guardrails
Operational Boundaries
Technical Limitations
Best Practices
Examples
Example 1: HTTP Credential Analysis
Scenario: Investigate potential plaintext credential transmission
1. Filter: http.request.method == "POST"
2. Look for login forms
3. Follow HTTP Stream
4. Search for username/password parameters
Finding: Credentials transmitted in cleartext form data.
Example 2: Malware C2 Detection
Scenario: Identify command and control traffic
1. Filter: dns
2. Look for unusual query patterns
3. Check for high-frequency beaconing
4. Identify domains with random-looking names
5. Filter: ip.dst == SUSPICIOUS_IP
6. Analyze traffic patterns
Indicators:
Example 3: Network Troubleshooting
Scenario: Diagnose slow web application
1. Filter: ip.addr == WEB_SERVER
2. Check Statistics > Service Response Time
3. Filter: tcp.analysis.retransmission
4. Review I/O Graph for patterns
5. Check for high latency or packet loss
Finding: TCP retransmissions indicating network congestion.
Troubleshooting
No Packets Captured
Filter Not Working
Performance Issues
Cannot Decrypt TLS/SSL
β‘ When to Use
π‘ Examples
Example 1: HTTP Credential Analysis
Scenario: Investigate potential plaintext credential transmission
1. Filter: http.request.method == "POST"
2. Look for login forms
3. Follow HTTP Stream
4. Search for username/password parameters
Finding: Credentials transmitted in cleartext form data.
Example 2: Malware C2 Detection
Scenario: Identify command and control traffic
1. Filter: dns
2. Look for unusual query patterns
3. Check for high-frequency beaconing
4. Identify domains with random-looking names
5. Filter: ip.dst == SUSPICIOUS_IP
6. Analyze traffic patterns
Indicators:
Example 3: Network Troubleshooting
Scenario: Diagnose slow web application
1. Filter: ip.addr == WEB_SERVER
2. Check Statistics > Service Response Time
3. Filter: tcp.analysis.retransmission
4. Review I/O Graph for patterns
5. Check for high latency or packet loss
Finding: TCP retransmissions indicating network congestion.