Wireshark's interface looks the same on every platform: a packet list at the top, an expanding protocol tree in the middle, and a hex/ASCII pane at the bottom. Click a packet to load the other two panes. Type a display filter to narrow the list.
The simulation below uses a synthetic capture of an intrusion: a reconnaissance scan, a successful login, a malicious file fetch, and the beginning of a beacon. Click any packet to drill in. Use the filter presets to follow the story.
The story in this capture
Walk through the packets in order. The narrative emerges:
- Packets 1–5 · Recon. 198.51.100.7 sends a series of SYN packets to 10.0.0.50 on different ports: 22, 80, 443, 3306, 8080. Most get RST (port closed); 80 and 443 respond with SYN+ACK (open). Classic port scan signature.
- Packets 6–7 · DNS. The attacker resolves auth.acme-internal.com. The fact that the attacker is querying an internal-naming-convention domain is itself a finding: how did they know it existed?
- Packets 8–9 · HTTP login attempt. POST to /admin/login. The request carries admin:hunter2, base64-encoded, in the Authorization header. Bad practice on the part of the application that it accepts that endpoint over HTTP.
- Packets 10–11 · Payload fetch. Authenticated, the attacker downloads payload.sh from the attacker server.
- Packets 12–14 · Beacon. Outbound TCP to 198.51.100.7:4444. Connect, small data, disconnect. The pattern will repeat every 30 seconds. This is the C2 channel.
Display filters — the killer feature
Wireshark display filters use a different syntax from BPF (capture filters). They're more expressive because they have access to parsed protocol fields, not just raw bytes. Some essentials:
| Filter | Shows |
|---|---|
| http | All HTTP traffic |
| http.request.method == "POST" | Just POST requests |
| ip.addr == 198.51.100.7 | Source OR destination is that IP |
| tcp.flags.syn == 1 && tcp.flags.ack == 0 | SYN packets (port scan indicator) |
| tcp.analysis.retransmission | Just retransmits; a quick way to find network problems |
| dns.qry.name contains "evil" | DNS queries with "evil" in the name |
| tls.handshake.extensions_server_name == "example.com" | TLS connections to that hostname (SNI) |
| frame.time >= "2025-03-14 23:35" | Packets after a specific timestamp |
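To make the filter semantics concrete, here is a toy display-filter evaluator run over a constructed version of the capture from the story above (frames 1–14). This is an added example, not Wireshark's code and not the page's own simulation: packets are plain dicts keyed by Wireshark-style field names, the resolver address 10.0.0.53 and the direction of the payload fetch are assumptions, and the SYN replies are left out so the frame numbers match the narrative. It supports the operators used in the table (==, !=, >=, <=, contains, &&, ||, !, parentheses) and a bare protocol name meaning "present", and it reproduces the one semantic that trips people up: a comparison on a multi-valued field such as ip.addr succeeds if any occurrence matches.

```python
"""Toy Wireshark-style display-filter evaluator over the text's synthetic capture.
Added example, not Wireshark's code; packets are dicts keyed by Wireshark-style field
names, with ip.addr multi-valued (src and dst) as in Wireshark. Assumed: resolver
10.0.0.53 and the direction of the payload fetch; SYN replies omitted to keep frames 1-14."""
import operator, re

ATTACKER, VICTIM, RESOLVER = "198.51.100.7", "10.0.0.50", "10.0.0.53"

def pkt(no, src, dst, *protos, **fields):  # protos: present-but-valueless protocol fields
    p = {"frame.number": no, "ip.src": src, "ip.dst": dst, "ip.addr": [src, dst]}
    p.update(dict.fromkeys(protos, True), **fields)
    return p

def syn(no, src, dst, port):
    return pkt(no, src, dst, "tcp", **{"tcp.dstport": port, "tcp.flags.syn": 1, "tcp.flags.ack": 0})

CAPTURE = [  # constructed from the story in the text
    *(syn(i + 1, ATTACKER, VICTIM, port) for i, port in enumerate((22, 80, 443, 3306, 8080))),
    pkt(6, ATTACKER, RESOLVER, "dns", **{"dns.qry.name": "auth.acme-internal.com"}),
    pkt(7, RESOLVER, ATTACKER, "dns", **{"dns.qry.name": "auth.acme-internal.com"}),
    pkt(8, ATTACKER, VICTIM, "tcp", "http", **{"http.request.method": "POST", "http.request.uri": "/admin/login"}),
    pkt(9, VICTIM, ATTACKER, "tcp", "http", **{"http.response.code": 200}),
    pkt(10, VICTIM, ATTACKER, "tcp", "http", **{"http.request.method": "GET", "http.request.uri": "/payload.sh"}),
    pkt(11, ATTACKER, VICTIM, "tcp", "http", **{"http.response.code": 200}),
    syn(12, VICTIM, ATTACKER, 4444),
    pkt(13, VICTIM, ATTACKER, "tcp", **{"tcp.dstport": 4444, "tcp.len": 12}),
    pkt(14, VICTIM, ATTACKER, "tcp", **{"tcp.dstport": 4444, "tcp.flags.fin": 1}),
]

OPS = {"==": operator.eq, "!=": operator.ne, ">=": operator.ge, "<=": operator.le,
       "contains": lambda actual, wanted: str(wanted) in str(actual)}
TOKEN = re.compile(r'\s*(&&|\|\||==|!=|>=|<=|[!()]|contains|"[^"]*"|[\w.:-]+)')

def tokenize(expr):
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad filter near {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens

def parse(tokens):
    """Recursive descent, lowest precedence first: || then && then !, parentheses, comparison."""
    t = list(tokens)  # consumed from the front
    def expr(level=0):  # 0: ||   1: &&   2: unary
        if level == 2:
            tok = t.pop(0)
            if tok == "!":
                return ("not", expr(2))
            if tok == "(":
                node, _ = expr(0), t.pop(0)  # the closing ")"
                return node
            if t and t[0] in OPS:
                return ("cmp", tok, t.pop(0), t.pop(0))  # field, operator, value
            return ("present", tok)  # bare field or protocol name: "is it in the packet?"
        node = expr(level + 1)
        while t and t[0] == ("||", "&&")[level]:
            t.pop(0)
            node = (("or", "and")[level], node, expr(level + 1))
        return node
    return expr()

def occurrences(p, field):  # a field may be absent, scalar or multi-valued
    return [] if p.get(field) is None else (p[field] if isinstance(p[field], list) else [p[field]])

def compare(actual, op, raw):
    wanted = raw[1:-1] if raw.startswith('"') else (int(raw) if raw.isdigit() else raw)
    if op != "contains" and not (isinstance(actual, int) and isinstance(wanted, int)):
        actual, wanted = str(actual), str(wanted)  # lexicographic; fine for ISO timestamps
    return OPS[op](actual, wanted)

def evaluate(node, p):
    kind, *args = node
    if kind in ("or", "and", "not"):
        vals = [evaluate(a, p) for a in args]  # eager, which is fine for a toy
        return {"or": any, "and": all, "not": lambda v: not v[0]}[kind](vals)
    if kind == "present":
        return bool(occurrences(p, args[0]))
    field, op, raw = args
    # As in Wireshark, a comparison on a multi-valued field succeeds if ANY occurrence matches,
    # so "ip.addr != x" still matches packets involving x; write "!(ip.addr == x)" to exclude.
    return any(compare(v, op, raw) for v in occurrences(p, field))

def apply_filter(expr, capture=CAPTURE):
    """Frame numbers of the packets matching a display-filter expression."""
    tree = parse(tokenize(expr))
    return [p["frame.number"] for p in capture if evaluate(tree, p)]

def syn_scan_sources(capture=CAPTURE, min_ports=5):
    """Port-scan indicator: (src, dst) pairs whose SYN-only packets touch >= min_ports ports."""
    tree = parse(tokenize("tcp.flags.syn == 1 && tcp.flags.ack == 0"))
    touched = {}
    for p in capture:
        if evaluate(tree, p):
            touched.setdefault((p["ip.src"], p["ip.dst"]), set()).add(p["tcp.dstport"])
    return {pair: sorted(ports) for pair, ports in touched.items() if len(ports) >= min_ports}
```

The SYN-only filter from the table matches frames 1–5 and 12; grouping those by source and counting distinct destination ports is what turns "some SYNs" into "a scan from 198.51.100.7". The other thing worth trying is ip.addr != 10.0.0.53 versus !(ip.addr == 10.0.0.53): the first still returns every frame, because every packet has a second address that is not the resolver, while the negated equality is what actually excludes the host.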
"Follow the stream"
Wireshark's most underrated feature. Right-click a TCP packet → Follow → TCP Stream. Wireshark reassembles every segment of that connection in order and shows you the conversation — with client bytes in one color and server bytes in another. For HTTP, you see the request and response together, not split across dozens of segments.
For text protocols (HTTP, SMTP, IRC, telnet, FTP commands) this is a god-tier feature. For TLS, you'll see the handshake and then encrypted bytes — less useful, but the SNI still tells you what destination the client was looking for.
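What Follow Stream does under the hood is ordinary TCP reassembly: sort each direction by sequence number, drop bytes already seen, and notice holes. The example below is added here to show that mechanism on the login request from the story; it is not Wireshark's implementation, and the segments (with relative sequence numbers, a late-arriving chunk and two retransmissions) are constructed for the demonstration.

```python
"""Follow TCP Stream in miniature: rebuild both directions of one connection from
segments that arrived out of order and partly retransmitted. Added example, not
Wireshark's implementation; the segments below are constructed (relative sequence numbers)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    seq: int        # relative sequence number of the first payload byte
    payload: bytes

def reassemble(segments):
    """One direction: order by seq, keep each byte once (retransmits and overlaps are
    dropped), and record holes as (start, end) gaps filled with '?' so offsets stay honest."""
    data, gaps, expected = bytearray(), [], None
    for seg in sorted(segments, key=lambda s: s.seq):
        end = seg.seq + len(seg.payload)
        if expected is None:
            expected = seg.seq
        if end <= expected:            # pure retransmission: nothing new
            continue
        if seg.seq > expected:         # hole before this segment
            gaps.append((expected, seg.seq))
            data += b"?" * (seg.seq - expected)
            expected = seg.seq
        data += seg.payload[expected - seg.seq:]   # skip any overlapping prefix
        expected = end
    return bytes(data), gaps

def follow_stream(capture, client):
    """Split a capture of one connection into client/server directions, reassemble each,
    and render a transcript with the side that spoke first shown first."""
    by_side, first_seen = {"client": [], "server": []}, {}
    for idx, seg in enumerate(capture):
        side = "client" if seg.src == client else "server"
        by_side[side].append(seg)
        first_seen.setdefault(side, idx)
    result, transcript = {}, []
    for side in sorted(by_side, key=lambda s: first_seen.get(s, len(capture))):
        data, gaps = reassemble(by_side[side])
        result[side], result[side + "_gaps"] = data, gaps
        transcript.append(f"--- {side} ---\n{data.decode('latin-1')}")
    result["transcript"] = "\n".join(transcript)
    return result

CLIENT, SERVER = "198.51.100.7", "10.0.0.50"
REQUEST = [b"POST /admin/login HTTP/1.1\r\nHost: auth.acme-internal.com\r\n",
           b"Authorization: Basic YWRtaW46aHVudGVyMg==\r\n",
           b"Content-Length: 0\r\n\r\n"]
RESPONSE = [b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n", b"\r\n<html>ok</html>"]

def segments_for(src, dst, pieces, start=1):
    out, seq = [], start
    for piece in pieces:
        out.append(Segment(src, dst, seq, piece))
        seq += len(piece)
    return out

C0, C1, C2 = segments_for(CLIENT, SERVER, REQUEST)
S0, S1 = segments_for(SERVER, CLIENT, RESPONSE)
# Constructed arrival order: the second request chunk is late, the first is retransmitted,
# and the server's first chunk is retransmitted too.
CAPTURE = [C0, C2, C0, C1, S0, S1, S0]

if __name__ == "__main__":
    print(follow_stream(CAPTURE, CLIENT)["transcript"])
```

The reassembled client side reads as one clean request, which is exactly the view in which the base64 Authorization header stands out. If a segment is missing from the capture (packet loss on the span port, a rotated file), the gap list says where the hole is instead of silently gluing unrelated bytes together; Wireshark likewise marks such holes rather than hiding them.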
Things Wireshark can do that surprise people
- VoIP playback. Telephony → RTP → RTP Streams. Wireshark can play back captured Voice-over-IP calls as audio. (Use ethically.)
- File extraction. File → Export Objects → HTTP. Wireshark pulls every downloaded file out of the capture and lets you save it. Same for SMB, IMF (email), DICOM, TFTP.
- Conversation statistics. Statistics → Conversations. See who talked to whom, how many packets, how many bytes. Quick way to identify the largest data movers in a capture.
- IO graphs. Statistics → IO Graphs. Plot packets-per-second over time. The beacon pattern becomes a perfectly regular sawtooth.
- Decrypt TLS if you have the session keys. Browsers can be configured to log keys to a file (SSLKEYLOGFILE) that Wireshark reads. Mostly used for debugging your own apps; not normally an investigation technique.
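The IO graph shows the beacon cadence visually; the same regularity can be measured from connection start times, which is how you would turn the observation into a detection. The example below is added here and is not a Wireshark feature: it takes constructed timestamps (a connection to 198.51.100.7:4444 roughly every 30 seconds, mixed with irregular browsing to a made-up web server at 203.0.113.10), groups new connections per flow, and flags flows whose inter-arrival gaps have low relative variation.

```python
"""Beacon detection from connection start times: the regularity the text describes as
a sawtooth in the IO graph, measured instead of eyeballed. Added example with constructed
timestamps; not a Wireshark feature. The web-server address 203.0.113.10 is made up."""
from collections import defaultdict, namedtuple
from statistics import mean, pstdev

Pkt = namedtuple("Pkt", "time src dst dport syn ack")
VICTIM, C2, WEB = "10.0.0.50", "198.51.100.7", "203.0.113.10"

def make_capture():
    """Constructed traffic: a beacon to C2:4444 about every 30 s plus irregular browsing."""
    pkts = []
    for t in (0.0, 30.4, 60.1, 90.7, 120.2, 150.9, 180.3, 210.6):
        pkts.append(Pkt(t, VICTIM, C2, 4444, 1, 0))        # connect (SYN)
        pkts.append(Pkt(t + 0.2, VICTIM, C2, 4444, 0, 1))  # small data, then disconnect
    for t in (5, 6, 40, 41, 42, 100, 250, 251):
        pkts.append(Pkt(float(t), VICTIM, WEB, 443, 1, 0))
    return sorted(pkts, key=lambda p: p.time)

def connection_starts(pkts):
    """Timestamps of new connections (SYN without ACK), grouped per (src, dst, dport)."""
    starts = defaultdict(list)
    for p in pkts:
        if p.syn and not p.ack:
            starts[(p.src, p.dst, p.dport)].append(p.time)
    return {flow: sorted(times) for flow, times in starts.items()}

def periodicity(times, min_connections=6):
    """(mean interval, jitter) for a flow, where jitter is the coefficient of variation
    of the inter-arrival gaps; None when there are too few connections to judge."""
    if len(times) < min_connections:
        return None
    gaps = [b - a for a, b in zip(times, times[1:])]
    interval = mean(gaps)
    return interval, (pstdev(gaps) / interval if interval > 0 else float("inf"))

def find_beacons(pkts, max_jitter=0.10, min_connections=6):
    """Flows whose connection cadence is regular enough to look machine-driven."""
    hits = {}
    for flow, times in connection_starts(pkts).items():
        stats = periodicity(times, min_connections)
        if stats and stats[1] <= max_jitter:
            hits[flow] = stats
    return hits

if __name__ == "__main__":
    for flow, (interval, jitter) in find_beacons(make_capture()).items():
        print(f"{flow}: every {interval:.1f}s, jitter {jitter:.1%}")
```

The two thresholds are the tuning knobs: min_connections stops three coincidental connections from looking periodic, and max_jitter decides how much sleep randomization still counts as regular. Legitimate software (update checks, monitoring agents) also beacons, so treat a hit as a lead to pivot on with Follow Stream and Conversations, not as a verdict.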
sha256sum capture.pcap) at the moment of capture. Keep originals untouched and analyze copies. The forensics module covers this in detail.
Wireshark is the lingua franca of network analysis. The same three-pane interface, the same filter syntax, the same Follow Stream trick, consistent across decades and across every operating system. Investing in fluency pays off forever.
For real-world capture analysis: capture as little as possible (-w with rotation and BPF filters), filter to what you need (display filters), reassemble streams when the bytes-by-themselves don't make sense (Follow Stream), and never share raw pcaps without sanitizing them first.