
Wireshark And Packet Analysis

Category: Network Tools and Commands
Type: Network Tools & Commands
Generated on: 2025-07-10 09:14:39
For: Network Engineering, Administration & Technical Interviews


This cheatsheet provides a comprehensive guide to Wireshark and packet analysis, covering basic and advanced usage for network administrators and engineers.

1. Tool Overview

  • Wireshark: A free and open-source packet analyzer. It captures network traffic and allows you to examine the data inside each packet. Useful for troubleshooting network issues, analyzing protocols, and security investigations.
  • When to use:
    • Troubleshooting network connectivity issues (slow speeds, dropped connections)
    • Analyzing network protocols (HTTP, DNS, TCP, UDP)
    • Identifying malicious activity (malware communication, unauthorized access)
    • Debugging network applications
    • Learning about network protocols

2. Basic Syntax (Wireshark GUI)

Wireshark is primarily a GUI application. Key elements:

  • Capture Interface: Select the network interface to capture traffic from (e.g., eth0, wlan0).
  • Capture Filter: Limit what is captured in the first place (e.g., tcp port 80, host 192.168.1.1). Uses BPF syntax, the same as tcpdump; applied by the kernel before Wireshark sees the packet, so it cannot be changed during a capture and can only match on addresses, ports and protocol numbers.
  • Display Filter: Filter the displayed packets after capture. Uses Wireshark’s own field-based syntax (ip.addr, http.request.method, …), so it can match any dissected field and can be changed at any time; far more flexible than capture filters, but everything still has to be captured first.
  • Packet List Pane: Shows a summary of each captured packet.
  • Packet Details Pane: Displays the decoded contents of a selected packet.
  • Packet Bytes Pane: Shows the raw hexadecimal and ASCII representation of the packet.
  • Statistics Menu: Provides tools for analyzing captured traffic (e.g., protocol hierarchy, endpoints, conversations).

3. Practical Examples (Wireshark GUI)

  • Capture all HTTP traffic on port 80:
    1. Select the correct interface.
    2. Enter tcp port 80 in the Capture Filter box.
    3. Start the capture.
  • Analyze DNS queries:
    1. Start capturing traffic on your network.
    2. Use the display filter dns to show only DNS packets (or dns.flags.response == 0 for queries only).
    3. Examine the “Queries” and “Answers” sections in the Packet Details pane; the transaction ID (dns.id) ties a query to its response.
  • Find packets to/from a specific IP address:
    1. Start capturing traffic.
    2. Use the display filter ip.addr == 192.168.1.100 (replace with the desired IP).
  • Follow a TCP stream:
    1. Right-click on a TCP packet in the Packet List pane.
    2. Select “Follow” -> “TCP Stream”.
    3. Wireshark opens a window with the reassembled payload of both directions (client and server in different colours) and applies the display filter tcp.stream eq <n> so the packet list shows only that connection. For cleartext protocols this is the quickest way to read a complete request/response exchange.

4. Common Options (Wireshark GUI & TShark)

  • Capture Filters (Wireshark & TShark): BPF syntax, identical to tcpdump. There are no application-protocol keywords; HTTP or DNS are selected by port.
    • host <ip_address>: Capture traffic to/from a specific IP address.
    • net <network>/<mask>: Capture traffic within a specific network (e.g., net 192.168.1.0/24).
    • port <port_number>: Capture traffic on a specific port (TCP or UDP).
    • tcp: Capture only TCP traffic.
    • udp: Capture only UDP traffic.
    • icmp: Capture only ICMP traffic.
    • tcp port 80: Capture cleartext HTTP traffic (there is no http primitive in BPF; you match the port).
    • port 53: Capture DNS traffic over both UDP and TCP.
    • ether host <MAC_address>: Capture traffic to/from a specific MAC address.
    • vlan <vlan_id>: Capture traffic on a specific VLAN.
    • not port 22: Exclude your own SSH session when capturing on a remote host.
  • Display Filters (Wireshark GUI and TShark -Y): Wireshark’s own syntax over decoded fields, much more powerful than capture filters.
    • ip.addr == <ip_address>: Display packets to/from a specific IP (matches either ip.src or ip.dst).
    • !(ip.addr == <ip_address>): Exclude a host. Note that ip.addr != <ip_address> does not do this: it is true whenever either address differs, which is nearly every packet.
    • tcp.port == <port_number>: Display packets with a specific TCP source or destination port.
    • http.request.method == "GET": Display HTTP GET requests.
    • http.response.code == 404: Display HTTP 404 errors.
    • dns.qry.name contains "example.com": Display DNS queries for “example.com”.
    • tcp.flags.syn == 1 && tcp.flags.ack == 0: Show TCP SYN packets (connection initiation).
    • icmp.type == 8: Show ICMP Echo Request (ping).
    • icmp.type == 0: Show ICMP Echo Reply (ping response).
    • tcp.analysis.flags: Show every packet Wireshark’s TCP analysis has flagged (retransmissions, duplicate ACKs, zero window, …).
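
What these display filters actually test is easiest to see at the byte level. The following is an added example for this cheatsheet, not Wireshark’s own code: it hand-builds six Ethernet frames (constructed sample data, not a real capture), dissects the IPv4/TCP/UDP/ICMP/DNS headers into Wireshark-style field names, and evaluates the same predicates as the filters above, including the ip.addr != trap. Checksums are left at zero and only the fields needed for the filters are decoded.

```python
"""What Wireshark display filters match, shown at the byte level.

Added example for this cheatsheet, not Wireshark's own code.  Six frames are
constructed by hand (not a real capture), dissected into Wireshark-style
field names, and run through the same predicates as the display filters.
"""
import socket
import struct

# --- frame builders: checksums stay zero (Wireshark flags that but still decodes)
def eth(payload, ethertype=0x0800):
    dst, src = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    return dst + src + struct.pack("!H", ethertype) + payload

def ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def tcp(sport, dport, flags, seq=1000, ack=0):
    # flags byte: FIN=0x01 SYN=0x02 RST=0x04 PSH=0x08 ACK=0x10
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)

def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def icmp(type_):
    return struct.pack("!BBHHH", type_, 0, 0, 1, 1) + b"ping"

def dns_query(name):
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

# --- dissector
def parse_qname(data):
    labels, i = [], 0
    while data[i]:
        n = data[i]
        labels.append(data[i + 1:i + 1 + n].decode())
        i += 1 + n
    return ".".join(labels)

def dissect(frame):
    """Return a dict of Wireshark-style field names for one Ethernet frame."""
    f = {}
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return f                                  # not IPv4: nothing else decoded here
    ip = frame[14:]
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    f["ip.src"], f["ip.dst"] = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    l4 = ip[ihl:]
    if proto == 6:
        sport, dport, _seq, _ack, _off, flags = struct.unpack("!HHIIBB", l4[:14])
        f["tcp.srcport"], f["tcp.dstport"] = sport, dport
        f["tcp.flags.syn"], f["tcp.flags.ack"] = (flags >> 1) & 1, (flags >> 4) & 1
    elif proto == 17:
        sport, dport = struct.unpack("!HH", l4[:4])
        f["udp.srcport"], f["udp.dstport"] = sport, dport
        if 53 in (sport, dport):
            f["dns.qry.name"] = parse_qname(l4[8 + 12:])   # skip UDP + DNS headers
    elif proto == 1:
        f["icmp.type"] = l4[0]
    return f

# Display filters as predicates over the dissected fields.  The classic trap:
# "ip.addr != X" is true when EITHER address differs from X, so it does not
# exclude packets to/from X; "!(ip.addr == X)" does.
HOST = "192.168.1.100"
FILTERS = {
    "ip.addr == 192.168.1.100": lambda f: HOST in (f.get("ip.src"), f.get("ip.dst")),
    "ip.addr != 192.168.1.100": lambda f: any(a != HOST for a in (f.get("ip.src"), f.get("ip.dst"))),
    "!(ip.addr == 192.168.1.100)": lambda f: HOST not in (f.get("ip.src"), f.get("ip.dst")),
    "tcp.port == 80": lambda f: 80 in (f.get("tcp.srcport"), f.get("tcp.dstport")),
    "tcp.flags.syn == 1 && tcp.flags.ack == 0": lambda f: f.get("tcp.flags.syn") == 1 and f.get("tcp.flags.ack") == 0,
    'dns.qry.name contains "example.com"': lambda f: "example.com" in f.get("dns.qry.name", ""),
    "icmp.type == 8": lambda f: f.get("icmp.type") == 8,
}

# Constructed sample capture: start of a TCP handshake, a DNS query, a ping
# exchange, and one frame that does not involve 192.168.1.100 at all.
FRAMES = [
    eth(ipv4(HOST, "203.0.113.10", 6, tcp(51000, 80, 0x02))),                         # 1 SYN
    eth(ipv4("203.0.113.10", HOST, 6, tcp(80, 51000, 0x12, seq=5000, ack=1001))),     # 2 SYN/ACK
    eth(ipv4(HOST, "192.168.1.1", 17, udp(53123, 53, dns_query("www.example.com")))), # 3 DNS query
    eth(ipv4(HOST, "192.168.1.1", 1, icmp(8))),                                       # 4 echo request
    eth(ipv4("192.168.1.1", HOST, 1, icmp(0))),                                       # 5 echo reply
    eth(ipv4("192.168.1.50", "192.168.1.1", 17, udp(40000, 53, dns_query("mail.example.org")))),  # 6
]

def apply_filter(expr, frames=FRAMES):
    """Return 1-based frame numbers (as in the Packet List pane) matching expr."""
    return [n for n, fr in enumerate(frames, 1) if FILTERS[expr](dissect(fr))]

if __name__ == "__main__":
    for expr in FILTERS:
        print(f"{expr:45} -> frames {apply_filter(expr)}")
```

Running it prints that ip.addr != 192.168.1.100 matches all six frames while !(ip.addr == 192.168.1.100) matches only frame 6, which is exactly the behaviour people trip over in the GUI.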

5. Advanced Usage (Wireshark GUI & TShark)

  • TShark (Command-line Wireshark): same dissectors and filter syntax as the GUI, suited to scripting and to capture hosts without a display.

    • Capture and save to file (-w writes pcapng by default; add -F pcap if a downstream tool needs classic pcap):
    tshark -i eth0 -w capture.pcapng # Capture on eth0, save to capture.pcapng
    • Capture with a capture (BPF) filter:
    tshark -i eth0 -f "tcp port 80" -w http_traffic.pcapng
    • Read a capture file and apply a display filter (strings inside the filter use double quotes, so wrap the whole filter in single quotes for the shell):
    tshark -r capture.pcapng -Y 'http.request.method == "GET"'
    • Analyze capture and output statistics (-q suppresses per-packet output):
    tshark -r capture.pcapng -q -z 'io,stat,1,http.request.method=="GET"' # GET requests per second
    tshark -r capture.pcapng -q -z conv,tcp # TCP conversations with packets/bytes per direction
    • Live capture with a specific filter and output to console (-n disables name resolution, which would otherwise send DNS lookups from the capture host):
    tshark -i eth0 -n -f "tcp port 443" -T fields -E separator=, -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e tcp.len
  • Custom Columns: In Wireshark GUI, you can create custom columns to display specific packet information (e.g., HTTP user-agent, DNS query name).

  • Expert Information: Wireshark’s “Expert Information” (Analyze -> Expert Information) provides warnings and errors detected in the captured traffic. Useful for quickly identifying potential problems.

  • I/O Graphs: (Statistics -> I/O Graphs) Visualize traffic over time, optionally one line per display filter. Useful for identifying traffic spikes, periodic bursts (beaconing), and for plotting tcp.analysis.retransmission against total traffic to see when loss started.

  • Conversation Filters: Right-click on a packet and select “Conversation Filter” to create filters based on IP addresses, ports, or protocols involved in the conversation.

  • Decode As…: Right-click on a packet and select “Decode As…” to force Wireshark to interpret the packet data as a different protocol. Needed when a protocol is misidentified or when a service runs on a non-standard port (e.g., HTTP on 8080 that Wireshark shows only as TCP).

6. Troubleshooting Scenarios

  • Slow website loading:
    1. Capture traffic on your network while accessing the website.
    2. Use the display filter http. For HTTPS the HTTP layer is encrypted, so filter on tls or tcp.port == 443 instead, or point Wireshark at your browser’s SSLKEYLOGFILE (Preferences -> Protocols -> TLS, “(Pre)-Master-Secret log filename”) to decrypt your own sessions.
    3. Analyze the TCP handshake (SYN, SYN-ACK, ACK): the gap between SYN and SYN-ACK is the network round trip, and a gap between the ACK and the first request is client-side delay.
    4. Examine the HTTP requests and responses for large transfers or slow server responses. http.time is the time from request to response, so http.time > 1 lists every transaction that took longer than a second; tcp.time_delta > 1 (needs “Calculate conversation timestamps” enabled in the TCP preferences) finds long silences within one connection.
  • DNS resolution failure:
    1. Capture traffic while trying to resolve a domain name.
    2. Use the display filter dns.
    3. Check that the query is sent (dns.flags.response == 0) and that a response with the same transaction ID (dns.id) comes back. A query that is repeated with no reply points to a firewall, a wrong resolver address, or an unreachable resolver.
    4. Verify the DNS server address and look at the response code: dns.flags.rcode != 0 shows errors (3 = NXDOMAIN, 2 = SERVFAIL, 5 = REFUSED).
  • Network connectivity issues:
    1. Capture traffic on the affected network interface.
    2. Look for ICMP “Destination Unreachable” messages (icmp.type == 3; icmp.code distinguishes network, host, and port unreachable).
    3. Check for TCP retransmissions (tcp.analysis.retransmission), which indicate packet loss, and for SYNs that never get a SYN-ACK, which indicate a filtered or down host.
    4. Verify that the IP address, subnet mask, and gateway are configured correctly; ARP requests with no reply (arp.opcode == 1 with no matching arp.opcode == 2) usually mean the gateway or a local host is not reachable at layer 2.
  • Identifying malware communication:
    1. Capture network traffic.
    2. Look for traffic to unusual IP addresses or domain names; Statistics -> Endpoints and Statistics -> Resolved Addresses give you the list to review.
    3. Analyze the protocols in use for suspicious patterns: connections repeating at a fixed interval (beaconing, visible in I/O Graphs), unexpected User-Agent strings (http.user_agent), long or random-looking DNS names (possible tunnelling), and TLS sessions whose SNI (tls.handshake.extensions_server_name) does not match where you expected the host to talk.
    4. Check the endpoints and domains against threat intelligence feeds. Wireshark has no built-in threat intelligence lookup; copy the endpoint list out of Statistics -> Endpoints and check it with your own tooling.
  • Dropped Packets:
    1. Capture traffic.
    2. Look for TCP Retransmissions and Duplicate ACKs (tcp.analysis.retransmission, tcp.analysis.duplicate_ack). High numbers indicate packet loss on the path.
    3. Distinguish path loss from capture loss: Statistics -> Capture File Properties shows how many packets the capture itself dropped. A non-zero count means the capturing host could not keep up (CPU, capture buffer overrun); use a tighter capture filter, a larger kernel buffer (tshark/dumpcap -B <MiB>), or a dedicated capture box.
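
The retransmission and DNS checks above are usually done by filtering on tcp.analysis.retransmission and dns.flags.response, but it helps to see the rule behind those flags, and the same logic is what you script when TShark runs on a capture host without a GUI. The following is an added example for this cheatsheet, not Wireshark’s own code, serving both the TShark section and the scenarios above: tshark_cmd() builds the command that exports the needed fields as CSV, and the analysis functions find retransmitted segments and unanswered DNS queries in that output. SAMPLE is hand-constructed to look like tshark -T fields output and is not from a real capture. The retransmission rule here is the simplified one (payload or SYN with a sequence number below the stream’s next expected byte); Wireshark’s heuristic additionally classifies fast and spurious retransmissions.

```python
"""Scripted TShark triage: retransmissions and unanswered DNS queries.

Added example for this cheatsheet, not Wireshark's own code.  SAMPLE below is
constructed to look like `tshark -T fields -E separator=,` output; it is not
from a real capture.
"""
import subprocess

FIELDS = ["frame.number", "frame.time_relative", "ip.src", "ip.dst",
          "tcp.stream", "tcp.seq", "tcp.len", "tcp.flags.syn",
          "dns.flags.response", "dns.id"]

def tshark_cmd(pcap, display_filter="tcp || dns"):
    """argv that exports FIELDS as one CSV row per packet.
    tcp.seq is relative by default (TCP preference "Relative sequence numbers"),
    so every stream starts at 0 in each direction."""
    cmd = ["tshark", "-r", pcap, "-n", "-Y", display_filter, "-T", "fields",
           "-E", "separator=,", "-E", "occurrence=f"]
    for f in FIELDS:
        cmd += ["-e", f]
    return cmd

def run_tshark(pcap):
    """Run tshark for real (needs it on PATH) and parse its rows."""
    out = subprocess.run(tshark_cmd(pcap), check=True,
                         capture_output=True, text=True).stdout
    return parse_rows(out)

def parse_rows(text):
    """CSV rows -> list of dicts keyed by field name; '' means the field is absent."""
    return [dict(zip(FIELDS, line.split(","))) for line in text.splitlines() if line.strip()]

def truthy(s):
    # tshark prints booleans as 1/0 in older releases and True/False in 4.x
    return s in ("1", "True")

def find_retransmissions(rows):
    """Frame numbers of TCP segments that re-send bytes already seen in their direction."""
    next_seq = {}        # (stream, src, dst) -> next expected relative sequence number
    retrans = []
    for r in rows:
        if r["tcp.stream"] == "":
            continue
        key = (r["tcp.stream"], r["ip.src"], r["ip.dst"])
        seq, length = int(r["tcp.seq"]), int(r["tcp.len"])
        consumes = length + (1 if truthy(r["tcp.flags.syn"]) else 0)  # SYN takes one sequence number
        if consumes and seq < next_seq.get(key, 0):
            retrans.append(int(r["frame.number"]))
        next_seq[key] = max(next_seq.get(key, 0), seq + consumes)
    return retrans

def unanswered_dns(rows):
    """(client, transaction id) -> frame numbers of queries that never got a response."""
    queries, answered = {}, set()
    for r in rows:
        if r["dns.id"] == "":
            continue
        txid = int(r["dns.id"], 0)           # tshark prints dns.id as 0x....
        if truthy(r["dns.flags.response"]):
            answered.add((r["ip.dst"], txid))
        else:
            queries.setdefault((r["ip.src"], txid), []).append(int(r["frame.number"]))
    return {k: v for k, v in queries.items() if k not in answered}

# Constructed sample: one TCP stream with a retransmitted SYN and a retransmitted
# data segment, one answered DNS query, and one query retried with no reply.
SAMPLE = """\
1,0.000000,192.168.1.100,203.0.113.10,0,0,0,True,,
2,1.000000,192.168.1.100,203.0.113.10,0,0,0,True,,
3,1.050000,203.0.113.10,192.168.1.100,0,0,0,True,,
4,1.051000,192.168.1.100,203.0.113.10,0,1,120,False,,
5,1.300000,192.168.1.100,203.0.113.10,0,1,120,False,,
6,1.400000,203.0.113.10,192.168.1.100,0,1,500,False,,
7,2.000000,192.168.1.100,192.168.1.1,,,,,False,0x1a2b
8,2.020000,192.168.1.1,192.168.1.100,,,,,True,0x1a2b
9,3.000000,192.168.1.100,192.168.1.1,,,,,False,0x3c4d
10,5.000000,192.168.1.100,192.168.1.1,,,,,False,0x3c4d
"""

if __name__ == "__main__":
    rows = parse_rows(SAMPLE)
    print("retransmissions:", find_retransmissions(rows))   # [2, 5]
    print("unanswered DNS:", unanswered_dns(rows))          # {('192.168.1.100', 15437): [9, 10]}
    print(" ".join(tshark_cmd("capture.pcapng")))           # the command to run on a real file
```

Against a real file, run_tshark("capture.pcapng") replaces the SAMPLE rows; the frame numbers it returns are the ones to jump to in the GUI (Go -> Go to Packet) or to extract with editcap for sharing.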

7. Output Interpretation

  • Packet List Pane: Provides a summary of each packet, including:
    • No.: Packet number (frame.number), the value used by Go -> Go to Packet and referenced in expert messages.
    • Time: Time the packet was captured, by default seconds since the start of the capture (View -> Time Display Format changes this).
    • Source: Source address (IP, or MAC for non-IP frames). Ports are shown in the Info column; add tcp.srcport as a custom column if you want them separately.
    • Destination: Destination address.
    • Protocol: Highest-layer protocol Wireshark recognised (e.g., TCP, UDP, HTTP).
    • Length: Frame length in bytes as captured.
    • Info: Additional information about the packet (e.g., HTTP request method, DNS query name, TCP ports, flags and sequence numbers).
  • Packet Details Pane: Displays the decoded contents of the selected packet. Each protocol layer is shown as a hierarchical tree.
  • Packet Bytes Pane: Shows the raw hexadecimal and ASCII representation of the packet.

8. Security Considerations

  • Capturing sensitive data: A capture is a copy of everything on the wire, so cleartext protocols (HTTP, FTP, Telnet, SMTP/IMAP/POP3 without TLS, SNMPv1/v2c) leave passwords, session cookies and personal data in the file. Scope captures with capture filters to the hosts and ports you actually need, keep them as short as the problem allows, and treat the resulting file as sensitive.
  • Storing capture files: Protect capture files from unauthorized access, encrypt them at rest and in transit, and delete them when the investigation is closed. If you must share one, use editcap (shipped with Wireshark) to cut it down to the relevant packets first.
  • Network performance: Capturing traffic loads the capturing host, especially on busy links. Use capture filters to minimize the amount of captured data, and capture with dumpcap or tcpdump rather than the GUI on busy hosts.
  • Legal considerations: Be aware of local laws and regulations regarding network monitoring and data privacy. Obtain authorization before capturing traffic on networks you do not own or operate.
  • Promiscuous Mode: Capturing in promiscuous mode lets the NIC accept frames not addressed to it. On a switched network that still only yields your own traffic plus broadcast and multicast; to see other hosts’ traffic you need a SPAN/mirror port or a tap, and on Wi-Fi you need monitor mode. Either way you are reading other people’s traffic, which raises privacy concerns.
  • Avoid Capturing on Production Servers: Unless absolutely necessary, avoid running Wireshark directly on production servers. Wireshark’s dissectors parse untrusted input and have had memory-safety bugs, so the safest pattern is to capture with the small, privileged dumpcap or tcpdump process (or via a mirror port/tap) and open the file in Wireshark on a separate analysis host as an unprivileged user.

9. Platform Differences

  • Linux:
    • Capturing needs CAP_NET_RAW and CAP_NET_ADMIN. Do not run the Wireshark GUI as root: the packaged setup gives those capabilities to /usr/bin/dumpcap (sudo dpkg-reconfigure wireshark-common on Debian/Ubuntu) and restricts it to the wireshark group (sudo usermod -aG wireshark <user>), so the GUI and its dissectors run unprivileged.
    • Use tcpdump to capture traffic from the command line. tcpdump uses the same BPF syntax as Wireshark’s capture filters (not its display filters).
    • Interface names may vary (e.g., eth0, wlan0, enp0s3); ip link or tshark -D lists them.
  • Windows:
    • Requires Npcap to capture traffic. WinPcap is unmaintained and should not be installed on current systems.
    • Interface names are usually more descriptive (e.g., “Ethernet”, “Wi-Fi”); tshark -D lists them with an index that can be passed to -i.
  • macOS:
    • Capture requires access to the /dev/bpf* devices. The Wireshark installer includes the ChmodBPF launch daemon, which grants that access to the access_bpf group so the GUI need not run as root.
    • Interface names may vary (e.g., en0, en1).
    • tcpdump is available in the terminal.

Example Platform Specific Commands:

  • Linux (capture and save to pcap; -nn disables name and port resolution):

    sudo tcpdump -i eth0 -nn -w capture.pcap
  • Windows (using TShark; run tshark -D first to list interfaces):

    tshark -i "Ethernet" -w capture.pcapng
  • macOS (list interfaces, then capture on the chosen device):

    tshark -D
    sudo tcpdump -i en0 -nn -w capture.pcap

Additional Notes:

  • Learn the Protocols: A deep understanding of network protocols (TCP, UDP, HTTP, DNS, etc.) is essential for effective packet analysis.
  • Practice Regularly: The best way to learn Wireshark is to use it regularly. Capture traffic on your own network and experiment with different filters and analysis techniques.
  • Stay Updated: Wireshark is constantly being updated with new features and bug fixes. Keep your installation up-to-date.

This cheatsheet provides a solid foundation for using Wireshark and TShark for network analysis. Remember to consult the official Wireshark documentation for more detailed information.