Wireshark Network Analysis

A deep packet inspection skill for capturing, filtering, and analyzing network traffic using Wireshark and tshark to diagnose network issues and investigate security incidents.

When to Use

Choose Wireshark Analysis when:

• Investigating network-level security incidents or suspicious traffic patterns
• Debugging application protocol issues like failed TLS handshakes or API errors
• Analyzing malware command-and-control communication captured in pcap files
• Profiling network performance to identify latency bottlenecks and retransmissions

Consider alternatives when:

• You need continuous network monitoring — use a dedicated IDS like Suricata or Zeek
• Working with encrypted traffic you cannot decrypt — use endpoint logging instead
• Analyzing high-volume production traffic — use flow-based tools like NetFlow or sFlow

Quick Start

Copy
# Capture traffic on interface eth0, filter to port 443
tshark -i eth0 -f "port 443" -w capture.pcap -c 10000

# Read pcap and display HTTP requests
tshark -r capture.pcap -Y "http.request" -T fields -e ip.src -e http.host -e http.request.uri

Copy
# Parse pcap with pyshark for automated analysis
import pyshark

def analyze_pcap(pcap_file, display_filter=None):
    cap = pyshark.FileCapture(
        pcap_file,
        display_filter=display_filter
    )
    connections = {}
    dns_queries = []
    suspicious = []

    for pkt in cap:
        try:
            if hasattr(pkt, 'ip'):
                src = pkt.ip.src
                dst = pkt.ip.dst
                key = f"{src}->{dst}"
                connections[key] = connections.get(key, 0) + 1

            if hasattr(pkt, 'dns') and hasattr(pkt.dns, 'qry_name'):
                dns_queries.append({
                    "query": pkt.dns.qry_name,
                    "type": pkt.dns.qry_type,
                    "timestamp": str(pkt.sniff_time)
                })
                # Flag suspicious DNS patterns
                name = pkt.dns.qry_name
                if len(name) > 60 or name.count('.') > 5:
                    suspicious.append(f"Long/deep DNS: {name}")

            if hasattr(pkt, 'tcp'):
                if int(pkt.tcp.flags_syn) and not int(pkt.tcp.flags_ack):
                    pass  # SYN tracking for scan detection
        except AttributeError:
            continue

    cap.close()
    return {
        "total_connections": len(connections),
        "top_talkers": sorted(connections.items(), key=lambda x: -x[1])[:10],
        "dns_queries": len(dns_queries),
        "suspicious_indicators": suspicious
    }

Core Concepts

Essential Display Filters

Filter	Purpose	Example
ip.addr == x.x.x.x	Traffic to/from specific IP	ip.addr == 192.168.1.100
tcp.port == N	Filter by TCP port	tcp.port == 443
http.request.method == "POST"	HTTP POST requests only	Find form submissions
dns.qry.name contains "evil"	DNS queries matching pattern	Detect C2 domains
tcp.analysis.retransmission	TCP retransmissions	Diagnose packet loss
tls.handshake.type == 1	TLS Client Hello messages	SSL/TLS connection starts
frame.time_delta > 1	Packets with >1s gap	Find latency issues
tcp.flags.syn == 1 && tcp.flags.ack == 0	SYN-only packets	Detect port scans

Protocol Analysis Workflow

Copy
# Step 1: Get protocol statistics
tshark -r capture.pcap -q -z io,phs

# Step 2: Extract HTTP objects (files transferred)
tshark -r capture.pcap --export-objects http,/tmp/extracted/

# Step 3: Follow a specific TCP stream
tshark -r capture.pcap -q -z follow,tcp,ascii,0

# Step 4: TLS handshake analysis
tshark -r capture.pcap -Y "tls.handshake" \
  -T fields -e ip.src -e ip.dst \
  -e tls.handshake.type -e tls.handshake.extensions_server_name

Configuration

Option	Description	Default
capture_interface	Network interface to capture on	"eth0"
capture_filter	BPF filter applied during capture	""
display_filter	Wireshark display filter for analysis	""
snap_length	Bytes to capture per packet	65535
ring_buffer_size	File size for ring buffer captures (MB)	100
ring_buffer_files	Number of ring buffer files	10
name_resolution	Enable DNS name resolution	false
tls_keylog_file	Path to TLS key log for decryption	""

Best Practices

1. Use capture filters to limit data volume rather than capturing everything and filtering afterward — on busy networks, capturing all traffic fills disks quickly and makes analysis impractical
2. Disable name resolution during capture to avoid generating additional DNS traffic that contaminates your capture and slows down the display; resolve names during analysis instead
3. Set up TLS key logging with the SSLKEYLOGFILE environment variable on endpoints you control to decrypt HTTPS traffic for troubleshooting without needing to install proxy certificates
4. Color-code conversations in Wireshark's GUI to visually track related flows, and create custom profiles with pre-configured display filters for common investigation types
5. Preserve chain of custody for forensic captures by calculating file hashes immediately after capture, writing them to a separate log, and storing original pcap files read-only

Common Issues

Capture drops packets on high-speed interfaces: The default Wireshark capture buffer cannot keep up with gigabit traffic. Use dumpcap with a ring buffer (-b filesize:100000 -b files:20) or tshark instead of the GUI, and apply strict BPF capture filters to reduce the volume before it hits the buffer.

Encrypted traffic is opaque: Modern applications use TLS for everything, making packet inspection useless without decryption keys. Configure the SSLKEYLOGFILE variable on browsers and applications to log session keys, then point Wireshark to this file under Preferences > Protocols > TLS to decrypt captured sessions.

Pcap files are too large to analyze: Multi-gigabyte captures crash the Wireshark GUI and make manual analysis impossible. Use editcap to split large files into smaller chunks by time or packet count, or use tshark command-line filters to extract only the relevant packets into a new, smaller pcap file.