Lesson Notes
Hands-On: Wireshark Basics
Module 2: Networking Basics. What is Wireshark? Core concepts, capture/decode/display pipeline, dissectors, PCAP. Spot unencrypted vs. TLS traffic; layered analysis and pentest use.
Module 2: What Is Wireshark? — Core Concepts & Architecture
Wireshark is an open-source packet analyzer (protocol dissector) that captures, decodes, and displays network traffic at all OSI layers (L1–L7). It started as Ethereal in 1998 and was renamed Wireshark in 2006. Pentest value: it reveals plaintext leaks (e.g. HTTP credentials), TLS handshakes, and vulnerable service banners; a large share of recon can come from passive sniffing.

Key principles:

Promiscuous mode lets the network card capture all traffic on the segment, not just packets destined to your machine—so L2 broadcasts and ARP are visible. You can capture live (from an interface) or analyze offline PCAP files.

Wireshark uses dissectors: thousands of protocol parsers that decode raw bytes into a readable tree (e.g. HTTP → request/response fields; TLS → cipher details). Heuristics help auto-detect protocols from signatures (e.g. port 80 often means HTTP).

Threat model: full visibility assumes a shared medium (hub or Wi-Fi) or that you have achieved a MITM position (e.g. ARP poisoning); on a switched network you normally see only your own traffic unless you use L2 attacks.

PCAP is the common file format (timestamp, metadata, packet bytes), compatible with Wireshark, tshark, and tcpdump.
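As an added example (not part of the lesson or of Wireshark's own code), here is a minimal writer and reader for the classic PCAP container just described: a 24-byte global header (magic, version, snaplen, link type) followed by 16-byte per-packet records (timestamp, captured length, original length) and the raw bytes. The reader detects byte order and microsecond vs. nanosecond resolution from the magic, and flags packets that were cut short by snaplen. The frames in SAMPLE are constructed placeholders, not real packets.

```python
import struct

MAGIC_USEC, MAGIC_NSEC = 0xA1B2C3D4, 0xA1B23C4D   # standard pcap magic numbers
LINKTYPE_ETHERNET = 1

def write_pcap(records, snaplen=65535, order="<"):
    """Serialise (ts_sec, ts_usec, frame, wire_len) tuples as a classic pcap byte string.
    wire_len > len(frame) models a packet cut short by snaplen (incl_len < orig_len)."""
    out = struct.pack(order + "IHHiIII", MAGIC_USEC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for ts_sec, ts_usec, frame, wire_len in records:
        out += struct.pack(order + "IIII", ts_sec, ts_usec, len(frame), wire_len) + frame
    return out

def read_pcap(data):
    """Parse a classic pcap file: detect byte order and time resolution from the magic,
    then walk the 16-byte record headers. Stops cleanly on a truncated file."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (MAGIC_USEC, MAGIC_NSEC):
        order = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):      # the same magics seen byte-swapped
        order = ">"
    else:
        raise ValueError("not a pcap file (magic %#x)" % magic)
    nanos = magic in (MAGIC_NSEC, 0x4D3CB2A1)
    _, major, minor, _, _, snaplen, linktype = struct.unpack(order + "IHHiIII", data[:24])
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(order + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) < incl_len:
            break                                  # file cut mid-record (e.g. capture killed)
        off += 16 + incl_len
        records.append({"ts": ts_sec + ts_frac / (1e9 if nanos else 1e6),
                        "frame": frame, "truncated": incl_len < orig_len})
    return {"version": (major, minor), "snaplen": snaplen, "linktype": linktype, "records": records}

# Constructed sample: two placeholder frames (not real packets); the second was "cut" at 42 bytes.
SAMPLE = [(1700000000, 1, bytes(range(60)), 60), (1700000000, 250000, b"\xff" * 42, 1514)]
```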
How Wireshark Works: Capture → Decode → Display
Wireshark uses a three-stage pipeline.

(1) Capture: the network card sends frames to the kernel buffer, then to Wireshark via libpcap (Linux) or WinPcap/Npcap (Windows). You can apply a BPF (Berkeley Packet Filter) before capture (e.g. tcp port 80) to reduce noise.

(2) Decode: the raw byte stream is parsed into a protocol tree—e.g. Ethernet frame → IP packet → TCP segment → HTTP or TLS payload. Fragments and streams (e.g. a full HTTP response over several TCP segments) are reassembled.

(3) Display: packets appear in a list with color coding; you use display filters (e.g. http.request.method == "POST") to focus on login attempts, or tls.handshake.ciphersuite to inspect cipher negotiation. You can enable TLS decryption in preferences if you have the session keys (e.g. from a browser SSLKEYLOGFILE).

Display filter examples: http.request.method == "POST" for credential harvesting; dns contains "admin" for recon; smb.cmd for NTLM-related traffic.
Core Features: Packet List, Details, and Bytes
The packet list pane shows columns: number, time, source, destination, protocol, length, and a summary. Coloring rules highlight SYNs, HTTP, errors, or custom conditions (e.g. retransmissions). The packet details pane is a tree: expand Frame → Ethernet II → Internet Protocol → TCP → HTTP (or TLS) to see every field; clicking a field highlights the corresponding bytes. The packet bytes pane shows hex and ASCII; you can export objects (e.g. images or files extracted from HTTP). Follow Stream reconstructs a full TCP, UDP, or TLS conversation—useful to extract a complete HTTP POST or chat log. Statistics → Conversations shows top talkers by IP, port, or MAC. IO Graphs plot traffic over time (e.g. to spot DoS spikes). Expert Info flags retransmissions, bad checksums, and other anomalies. Protocol Hierarchy and Endpoints help you see what protocols dominate and which hosts are talking.
Layered Analysis: OSI Mapping in Wireshark
You can map what you see to the OSI model. L4 TCP: look for the three-way handshake (SYN, SYN-ACK, ACK); a filter like tcp.flags.syn == 1 and tcp.flags.ack == 0 shows initial SYNs, which can indicate a port scan. L7 HTTP vs TLS: on port 80 you may see plaintext GET/POST with credentials; on 443 you see ClientHello (with SNI), ServerHello (with chosen cipher), then Application Data as encrypted blobs. Filter tls.record.content_type == 23 for encrypted TLS payload. Attack signatures: duplicate IP addresses with different MACs can mean ARP poisoning (L2); http contains "1' OR 1=1--" might indicate SQLi (L7); many half-open SYNs suggest a SYN flood (L4); abnormal TLS Heartbeat can point to Heartbleed-style issues.
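As an added example (not from the lesson, and not Wireshark's dissector code), the following ties together the decode stage above and the layered analysis in this section: a tiny Ethernet II → IPv4 → TCP dissector that exposes Wireshark-style field names, an L7 heuristic that tells a plaintext HTTP request line from a TLS record (content type 23 is Application Data), and a check for the "many initial SYNs, no ACK" pattern of a port scan. All frames are constructed in memory for the demo; build_frame and the field dictionary layout are this example's own, hypothetical helpers.

```python
import struct

def build_frame(src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Constructed Ethernet II / IPv4 / TCP frame for the demo (zero checksums, never sent)."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp

def dissect(frame):
    """Decode Ethernet II -> IPv4 -> TCP into Wireshark-style field names; None if not IPv4/TCP."""
    if frame[12:14] != b"\x08\x00" or frame[14 + 9] != 6:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                       # IPv4 header length from the IHL nibble
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return {"ip.src": ".".join(map(str, ip[12:16])), "ip.dst": ".".join(map(str, ip[16:20])),
            "tcp.srcport": sport, "tcp.dstport": dport,
            "tcp.flags.syn": bool(tcp[13] & 0x02), "tcp.flags.ack": bool(tcp[13] & 0x10),
            "payload": tcp[(tcp[12] >> 4) * 4:]}   # skip TCP header incl. options

TLS_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}

def classify_payload(payload):
    """L7 heuristic in the spirit of Wireshark's: HTTP request line vs TLS record header."""
    head = payload.split(b"\r\n", 1)[0]
    if head.endswith((b" HTTP/1.1", b" HTTP/1.0")) and head.split(b" ")[0].isalpha():
        return "http", head.split(b" ")[0].decode()          # e.g. ("http", "POST")
    if len(payload) >= 5 and payload[0] in TLS_TYPES and payload[1] == 3:
        return "tls", TLS_TYPES[payload[0]]                   # type 23 == encrypted app data
    return "other", None

def syn_scan_sources(frames, min_ports=10):
    """Sources whose initial SYNs (syn==1, ack==0) hit at least min_ports distinct ports."""
    ports = {}
    for pkt in filter(None, map(dissect, frames)):
        if pkt["tcp.flags.syn"] and not pkt["tcp.flags.ack"]:
            ports.setdefault(pkt["ip.src"], set()).add(pkt["tcp.dstport"])
    return sorted(src for src, p in ports.items() if len(p) >= min_ports)

# Constructed sample capture: a port sweep from 10.0.0.9, one HTTP login POST, one TLS record.
SAMPLE = [build_frame("10.0.0.9", "10.0.0.5", 40000 + p, p, 0x02) for p in range(1, 16)]
SAMPLE.append(build_frame("10.0.0.7", "10.0.0.5", 50001, 80, 0x18,
                          b"POST /login HTTP/1.1\r\nHost: app\r\n\r\nuser=a&pass=b"))
SAMPLE.append(build_frame("10.0.0.7", "10.0.0.5", 50002, 443, 0x18, b"\x17\x03\x03\x00\x10" + b"\x00" * 16))
```

Running syn_scan_sources(SAMPLE) flags 10.0.0.9, and classify_payload on the two 10.0.0.7 packets returns ("http", "POST") and ("tls", "application_data") respectively, which is the plaintext-versus-ciphertext distinction the section asks you to make.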
Pentest Applications: Recon to Exploit Chains
Typical workflow: capture traffic (or load a PCAP), inspect service banners (e.g. SSH-2.0-OpenSSH_8.9) for CVE lookup, enumerate from DNS queries and HTTP parameters, and use extracted data (e.g. NTLMv2 hashes from SMB) for cracking or relay. Passive sniffing does not generate new traffic, so it is stealthy; active use might involve replaying or modifying PCAPs to test IDS. Detection evasion concepts: encrypting C2 over TLS on 443, fragmenting payloads, or normalizing TTL. Pitfalls: on switched networks you are limited to your own conversations unless you use ARP spoofing or similar; encrypted traffic still leaks metadata (sizes, timing). Use Wireshark only on networks you are authorized to monitor. Alternatives: tshark for the command line (e.g. tshark -r file.pcap -Y "http" -T fields -e http.request.uri); modern Wireshark supports HTTP/3 (QUIC). Pentest mindset: Wireshark gives you visibility into protocols—find plaintext leaks, weak TLS, or attack signatures, then chain findings ethically and recommend encryption and NDR where appropriate.
Key Takeaway for Lesson 14
Wireshark is a packet analyzer that captures, decodes, and displays traffic across all layers. Understand the capture → decode → display pipeline, promiscuous mode, dissectors, and PCAP format. Use display filters and Follow Stream to find HTTP credentials, TLS details, and attack patterns. Map what you see to the OSI layers (TCP handshakes, HTTP vs TLS, ARP/DNS). In pentesting, use it for passive recon and to verify encryption (plaintext vs ciphertext); only use it on authorized networks. Next: setting up your lab with Kali and VeraCrypt.