From Packet Capture to Threat Hunting with Wireshark

Wireshark is an open-source packet analyzer. It can be used as a network troubleshooting tool and as a security event analyzer, and it has many other capabilities which we will discuss here.

Wireshark's display filters and statistics can show who is talking to whom, which protocols are in play, and how long each step takes.

It runs on Windows, macOS, and Linux and costs nothing, so Wireshark has become the go‑to tool for troubleshooting, security forensics, protocol development, and even classroom demos.

Reader's Take‑aways

In this article we will focus on different use cases, filters and tricks that you can use to become a hardcore Wireshark user.

We will also look at it from a security angle, to make the best use of it for detecting various attacks based on network protocols.

2. Network Troubleshooting & Performance Tuning

A pcap file stores captured network traffic. You can capture a pcap of the network using the following command (capturing usually needs root or capture privileges):

tcpdump -i <your_interface_name> -w output.pcap

Reading raw pcap files can be quite tiring. Take this file for example.

It's difficult to work out what's happening from the packet list alone. Let's first check the network I/O graph.

  • The X‑axis is time (seconds, minutes, etc.).
  • The Y‑axis defaults to packets per second, but you can switch to Bytes/Tick, bits, etc.

The I/O graph is Wireshark's built‑in chart that shows packet or byte rates over time. From the top menu choose Statistics → I/O Graphs.

Conversations: next we need to know who is talking to whom. This is important because we can find the sender and receiver of each flow without inspecting every single packet (Statistics → Conversations).

For each protocol we can see who sends the traffic and the number of packets sent and received in each direction.
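To show what the Conversations table is computed from, here is an added example (not code from the article) that reads the classic pcap format directly and builds an IPv4 conversation table with packets and bytes per direction. It goes slightly beyond the text by parsing the pcap file layout itself; make_frame, make_pcap and the sample addresses are constructed for the demonstration and the frame fields other than the IP addresses are dummies.

```python
import struct

def pcap_records(data):
    """Yield the captured frames of a classic pcap byte string (not pcapng)."""
    magic = struct.unpack_from("<I", data, 0)[0]
    order = {0xa1b2c3d4: "<", 0xd4c3b2a1: ">"}[magic]  # magic number gives byte order
    off = 24                                            # size of the global header
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(order + "IIII", data, off)
        off += 16                                       # per-record header
        yield data[off:off + incl_len]
        off += incl_len

def conversations(data):
    """Build an IPv4 conversation table like Statistics → Conversations:
    for each unordered host pair, packets and bytes in each direction."""
    table = {}
    for frame in pcap_records(data):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # Ethernet II + IPv4 only
            continue
        src = ".".join(map(str, frame[26:30]))          # IPv4 header starts at offset 14
        dst = ".".join(map(str, frame[30:34]))
        a, b = sorted((src, dst))
        entry = table.setdefault((a, b), {"a_to_b": [0, 0], "b_to_a": [0, 0]})
        direction = "a_to_b" if src == a else "b_to_a"
        entry[direction][0] += 1                        # packets
        entry[direction][1] += len(frame)               # bytes on the wire
    return table

def make_frame(src, dst, payload_len):
    """Constructed Ethernet/IPv4 frame; fields other than the addresses are dummies."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + b"\x00" * payload_len

def make_pcap(frames):
    """Constructed little-endian pcap with link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out

# Constructed sample: a client fetching from a web server, plus one packet to the gateway.
SAMPLE_PCAP = make_pcap([make_frame("192.168.1.10", "93.184.216.34", 100)] * 5
                        + [make_frame("93.184.216.34", "192.168.1.10", 1400)] * 3
                        + [make_frame("192.168.1.10", "192.168.1.1", 40)])
```

Each table entry lists packets and bytes from the lexically smaller address to the larger one and back, which is the same split Wireshark shows as "Packets A → B" and "Packets B → A".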

Expert Information is another useful tool. If you need a summary of everything noteworthy in the pcap (errors, warnings, notes), open it from the Analyze menu (Analyze → Expert Information).

Expanding a summary line lists the packets that match it, and selecting one of them jumps straight to that packet in the packet list.

Another useful graph is the TCP stream graph (Statistics → TCP Stream Graphs). It answers the typical time-series questions about a connection and helps you spot bottlenecks in a communication. The one shown here is a Stevens graph (Time-Sequence), which plots sequence numbers over time.

Steeper slopes generally indicate higher throughput and lower latency. This means data is being sent and acknowledged more quickly.

Flatter slopes suggest lower throughput and potentially higher latency, as it takes more time for a given amount of data to be sent and acknowledged.

3. Security Operations & Incident Response

Here are various security use cases of Wireshark. It can be used as a forensic tool as well as an IDS (Intrusion Detection System).

3.1 Detect Nmap Scans

Nmap scans can be quite noisy, but even the stealth scans can be detected by filtering on the appropriate TCP flags.

Filter: tcp.flags.syn==1 && tcp.flags.ack==0 detects Nmap SYN scans (also known as "half-open" scans, nmap -sS). Every legitimate connection attempt starts with such a packet too, so what identifies a scan is one source hitting many ports or hosts in a short time.

For the other stealth scans, use tcp.flags == 0x000 (NULL scan) or tcp.flags.fin==1 && tcp.flags.urg==1 && tcp.flags.psh==1 (Xmas scan).

3.2 Clear‑text credential leakage

Many protocols communicate in clear text, for example FTP (File Transfer Protocol).

Navigate to Analyze → Follow → TCP Stream.

Here both the username and the password are ftp.

Plain text is also used by many IoT protocols, so be careful when you use them. The files transferred over the clear-text channel can also be recovered from the capture.

Export evidence: File → Export Objects → FTP-DATA to save the transferred files.

3.3 Detect ARP spoofing

In ARP Spoofing the attacker sends falsified ARP (Address Resolution Protocol) messages onto a local area network.

These false ARP messages associate the attacker's MAC address with the IP address of a legitimate device on the network (like the default gateway or another host). This tricks other devices on the network into sending traffic meant for the legitimate device to the attacker's machine instead.

Wireshark displays a warning when it sees the same IP address claimed by more than one MAC address in ARP traffic.

Use this filter: arp.duplicate-address-detected

3.4 Detect SYN‑flood DoS

A SYN-flood DoS (Denial of Service) is an attack where an attacker sends a high volume of SYN (synchronization) requests to a target server but never completes the TCP three-way handshake.

Filter: tcp.flags.syn==1 && tcp.flags.ack==0 shows all initial connection attempts.

Use Statistics > Conversations > TCP or Statistics > Endpoints > IPv4 and sort by Packets or Bytes to identify destination IPs and ports receiving an overwhelming number of SYN packets.
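The scan filters from 3.1 and the per-destination SYN count from 3.4 share the same flag logic, so here is one added example (not code from the article) that applies both to raw TCP headers in plain Python: classify each header the way the display filters would, then count half-open SYNs per destination port. tcp_header, the threshold and the sample addresses are constructed for the demonstration.

```python
import struct
from collections import Counter

# Bits of the TCP flag field, in the layout Wireshark's tcp.flags uses.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def tcp_flags(tcp_header):
    """Return the 9-bit flag field from a raw TCP header: the low bit of byte 12
    is NS, byte 13 holds CWR..FIN. This is the value Wireshark shows as tcp.flags."""
    return ((tcp_header[12] & 0x01) << 8) | tcp_header[13]

def classify(flags):
    """Map a flag value to the display filter from the text that would match it."""
    if flags == 0x000:
        return "null"                                   # tcp.flags == 0x000
    if flags & (FIN | PSH | URG) == (FIN | PSH | URG):
        return "xmas"                                   # fin==1 && urg==1 && psh==1
    if flags & SYN and not flags & ACK:
        return "syn"                                    # tcp.flags.syn==1 && tcp.flags.ack==0
    return None

def report(packets, syn_threshold=100):
    """packets: iterable of (src_ip, dst_ip, raw_tcp_header) tuples.
    Returns (probe counts per source and type, destinations whose half-open SYN
    count reaches syn_threshold), mirroring the sort-by-packets step in 3.4."""
    probes, half_open = Counter(), Counter()
    for src, dst, hdr in packets:
        kind = classify(tcp_flags(hdr))
        if kind is None:
            continue                                    # completed handshakes, data, etc.
        probes[(src, kind)] += 1
        if kind == "syn":
            dport = struct.unpack_from("!H", hdr, 2)[0]
            half_open[(dst, dport)] += 1
    floods = {t: n for t, n in half_open.items() if n >= syn_threshold}
    return probes, floods

def tcp_header(sport, dport, flags):
    """Constructed 20-byte TCP header (no options) for the sample traffic."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)

# Constructed sample: one host probing three ports plus NULL and Xmas probes,
# a normal SYN/ACK reply, and a second host sending 150 SYNs to port 80.
SAMPLE = [("10.0.0.5", "10.0.0.10", tcp_header(40000 + p, p, SYN)) for p in (22, 80, 443)]
SAMPLE += [("10.0.0.5", "10.0.0.10", tcp_header(40001, 22, 0)),
           ("10.0.0.5", "10.0.0.10", tcp_header(40002, 22, FIN | PSH | URG)),
           ("10.0.0.10", "10.0.0.5", tcp_header(80, 40080, SYN | ACK))]
SAMPLE += [("10.0.0.99", "10.0.0.10", tcp_header(50000 + i, 80, SYN)) for i in range(150)]
```

The SYN/ACK reply is deliberately left unflagged, which is the same reason the Wireshark filter requires tcp.flags.ack==0.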

3.5 DNS tunnelling (dnscat2)

DNS is meant for looking up internet resources, but it can also be abused to transfer small amounts of data. The data is usually encoded into the labels prepended to the domain name.

Example: maliciousEncryptedCommand.sketchydomain.com.

The attacker must first register an authoritative domain, such as “sketchydomain.com”, whose name server is the machine running the server-side malware. Then the client side is installed on the target’s computer and begins making DNS requests that are parsed by the program running on the server.

Tracking this is difficult because it gets mixed in with legitimate DNS queries.

In the example below the malicious server is cisco-update.com.

DNS queries are usually readable plain text; in our case the subdomain is encoded in hexadecimal. That is the first red flag. The next red flag is the domain name at the end: most DNS queries on a typical network go to Google, Akamai, Amazon, etc., not to an unknown domain.

dnscat2 can be used to simulate this attack.
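The two red flags above (hex-encoded subdomains and an unusual base domain receiving many distinct names) can be turned into a simple triage rule. This is an added example, not the article's own code: it groups queried names by base domain and flags domains where most subdomains are hex-like and there are many unique ones. The thresholds, the two-label base-domain assumption and the sample query list are constructed; the malicious domain name is the one named in the text.

```python
import hashlib
from collections import defaultdict

HEX_DIGITS = set("0123456789abcdef")

def is_hex_label(label):
    """True for a label that looks like hex-encoded payload, as dnscat2 emits."""
    return len(label) >= 8 and set(label.lower()) <= HEX_DIGITS

def split_query(qname):
    """Split a query name into its subdomain labels and base domain.
    Assumption (simplified): the base domain is the last two labels."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[:-2], ".".join(labels[-2:])

def suspicious_domains(qnames, min_queries=20, hex_ratio=0.5, min_unique=10):
    """Group queries by base domain and flag domains that show both red flags
    from the text: mostly hex-encoded subdomains and many distinct names."""
    per_domain = defaultdict(list)
    for q in qnames:
        sub, base = split_query(q)
        per_domain[base].append(sub)
    report = {}
    for base, subs in per_domain.items():
        if len(subs) < min_queries:                 # too little traffic to judge
            continue
        hexish = sum(1 for s in subs if s and all(is_hex_label(l) for l in s))
        unique = {".".join(s) for s in subs}
        avg_len = sum(len(".".join(s)) for s in subs) / len(subs)
        if hexish / len(subs) >= hex_ratio and len(unique) >= min_unique:
            report[base] = {"queries": len(subs), "unique_subdomains": len(unique),
                            "hex_ratio": round(hexish / len(subs), 2),
                            "avg_subdomain_len": round(avg_len, 1)}
    return report

def sample_queries():
    """Constructed sample: 40 dnscat2-style queries (deterministic sha256 prefixes
    as the hex label) to the domain from the text, mixed with ordinary lookups."""
    tunnel = [hashlib.sha256(str(i).encode()).hexdigest()[:48] + ".cisco-update.com"
              for i in range(40)]
    legit = (["www.google.com"] * 20 + ["mail.google.com"] * 10
             + ["e1234.dscb.akamaiedge.net"] * 15 + ["s3.amazonaws.com"] * 25)
    return tunnel + legit
```

On a real capture the query names would come from Statistics → Resolved Addresses or a dns.qry.name export rather than from sample_queries.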

4. Other Variants Tshark and Cloudshark

There are two other useful variants of Wireshark: tshark and CloudShark.

CloudShark is a paid product where you can upload pcap files, store them in the cloud and view them in a web-based analyzer; it allows collaboration and can integrate with other tools.

Then we have tshark, the CLI version of Wireshark. It gets installed automatically when you install Wireshark on Linux (on some distributions it is a separate package, e.g. tshark on Debian/Ubuntu).

Here is an example of a tshark command executed on the ftp.pcap which was used earlier:

tshark can be used in environments where we cannot have a graphical interface, like remote servers for example.

5. Conclusion

Personally I like the user interface version of Wireshark, it makes traffic analysis quick and effective. I hope you liked this article and learned a few new things. Thanks for the read.