Mastering Wireshark : From Basic to Mastery


1/21/2025 - 4 min read

Wireshark is an open-source network protocol analyzer that allows you to capture and inspect network traffic in real-time. It is widely used for troubleshooting, network analysis, and security auditing. With support for hundreds of protocols, Wireshark is an essential tool for network administrators, security professionals, and developers.

Getting Started with Wireshark

Before using Wireshark, ensure it is installed on your system. You can download it from the official website: https://www.wireshark.org/. Once installed, launch Wireshark and select a network interface to start capturing packets. Familiarize yourself with the interface, including the packet list, packet details, and packet bytes panes.

50 Essential Wireshark Commands

Basic Commands (Beginner)

  1. Start Capturing

    • Command: Click the shark fin icon or press Ctrl+E.

    • What it does: Begins capturing live network traffic on the selected interface.

  2. Stop Capturing

    • Command: Click the red square icon or press Ctrl+E again.

    • What it does: Stops the ongoing packet capture.

  3. Restart Capturing

    • Command: Press Ctrl+Shift+R.

    • What it does: Restarts the packet capture process.

  4. Open a Capture File

    • Command: Use File > Open or press Ctrl+O.

    • What it does: Opens a previously saved .pcap file for analysis.

  5. Save a Capture File

    • Command: Use File > Save As or press Ctrl+S.

    • What it does: Saves the current packet capture to a file.

  6. Apply a Display Filter

    • Command: Type a filter in the filter bar (e.g., tcp) and press Enter.

    • What it does: Filters the displayed packets based on the specified criteria (e.g., only TCP packets).

  7. Clear Display Filter

    • Command: Click the X in the filter bar or press Ctrl+Backspace.

    • What it does: Clears the current display filter and shows all packets.

  8. Search Packets

    • Command: Press Ctrl+F.

    • What it does: Opens a search dialog to find text or hex values within packets.

  9. Follow TCP Stream

    • Command: Right-click a packet > Follow > TCP Stream.

    • What it does: Displays the entire TCP conversation between two endpoints.

  10. Colorize Packets

    • Command: Use View > Coloring Rules.

    • What it does: Allows you to customize packet colors based on specific criteria.

Intermediate Commands

  1. Filter by IP Address

    • Command: ip.addr == x.x.x.x.

    • What it does: Filters traffic involving a specific IP address.

  2. Filter by Source IP

    • Command: ip.src == x.x.x.x.

    • What it does: Filters traffic originating from a specific source IP.

  3. Filter by Destination IP

    • Command: ip.dst == x.x.x.x.

    • What it does: Filters traffic sent to a specific destination IP.

  4. Filter by Protocol

    • Command: tcp, udp, http, dns, etc.

    • What it does: Filters packets based on the specified protocol.

  5. Filter by Port

    • Command: tcp.port == 80 or udp.port == 53.

    • What it does: Filters traffic based on the specified port number.

  6. Filter by MAC Address

    • Command: eth.addr == xx:xx:xx:xx:xx:xx.

    • What it does: Filters traffic based on a specific MAC address.

  7. Filter by HTTP Method

    • Command: http.request.method == "GET".

    • What it does: Filters HTTP GET requests.

  8. Filter by Packet Length

    • Command: frame.len == xx.

    • What it does: Filters packets based on their size (in bytes).

  9. Filter by Time

    • Command: frame.time >= "YYYY-MM-DD HH:MM:SS".

    • What it does: Filters packets based on their timestamp.

  10. Filter by TCP Flags

    • Command: tcp.flags.syn == 1.

    • What it does: Filters packets with the SYN flag set (used in TCP handshakes).
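The filters in this section look alike but match differently, and the differences matter when you are carving a capture down to one host or one handshake. The following is an added example, not code from the original post: a small Python evaluator that mimics how ip.addr, ip.src, tcp.port, udp.port and tcp.flags.syn match, run over constructed packet records (invented sample data, not a real capture). It also shows the classic pitfall with ip.addr != x, which older Wireshark releases evaluated as "either field differs" (so it still matched traffic involving x); !(ip.addr == x) is unambiguous on every version.

```python
# Added example (not from the original post): a toy evaluator that mimics how
# a few of the display filters above match, run over constructed packet
# records. The records are invented sample data, not captured traffic.

# Constructed frames: a TCP handshake 10.0.0.5 -> 10.0.0.9:80, then a DNS
# exchange 10.0.0.7 <-> 10.0.0.1:53.
SAMPLE_PACKETS = [
    {"no": 1, "ip.src": "10.0.0.5", "ip.dst": "10.0.0.9", "proto": "tcp",
     "srcport": 51000, "dstport": 80, "syn": 1, "ack": 0},
    {"no": 2, "ip.src": "10.0.0.9", "ip.dst": "10.0.0.5", "proto": "tcp",
     "srcport": 80, "dstport": 51000, "syn": 1, "ack": 1},
    {"no": 3, "ip.src": "10.0.0.5", "ip.dst": "10.0.0.9", "proto": "tcp",
     "srcport": 51000, "dstport": 80, "syn": 0, "ack": 1},
    {"no": 4, "ip.src": "10.0.0.7", "ip.dst": "10.0.0.1", "proto": "udp",
     "srcport": 40000, "dstport": 53},
    {"no": 5, "ip.src": "10.0.0.1", "ip.dst": "10.0.0.7", "proto": "udp",
     "srcport": 53, "dstport": 40000},
]


def ip_addr_eq(pkt, addr):
    """ip.addr == addr: true when EITHER ip.src or ip.dst is addr."""
    return pkt["ip.src"] == addr or pkt["ip.dst"] == addr


def ip_src_eq(pkt, addr):
    """ip.src == addr: only packets originating from addr."""
    return pkt["ip.src"] == addr


def any_ip_addr_ne(pkt, addr):
    """'Any field differs': how older Wireshark releases evaluated
    ip.addr != addr. It still matches packets that involve addr, because
    the other endpoint always differs."""
    return pkt["ip.src"] != addr or pkt["ip.dst"] != addr


def not_ip_addr_eq(pkt, addr):
    """!(ip.addr == addr): unambiguous on every version; excludes addr entirely."""
    return not ip_addr_eq(pkt, addr)


def port_eq(pkt, proto, port):
    """tcp.port == port / udp.port == port: either source or destination port."""
    return pkt["proto"] == proto and port in (pkt["srcport"], pkt["dstport"])


def syn_set(pkt):
    """tcp.flags.syn == 1: matches the SYN and the SYN/ACK."""
    return pkt["proto"] == "tcp" and pkt["syn"] == 1


def syn_only(pkt):
    """tcp.flags.syn == 1 and tcp.flags.ack == 0: just the opening SYN."""
    return syn_set(pkt) and pkt["ack"] == 0


def select(packets, predicate):
    """Frame numbers a filter would leave in the packet list."""
    return [p["no"] for p in packets if predicate(p)]


if __name__ == "__main__":
    host = "10.0.0.5"
    print("ip.addr ==      ", select(SAMPLE_PACKETS, lambda p: ip_addr_eq(p, host)))
    print("ip.src ==       ", select(SAMPLE_PACKETS, lambda p: ip_src_eq(p, host)))
    print("any-field !=    ", select(SAMPLE_PACKETS, lambda p: any_ip_addr_ne(p, host)))
    print("!(ip.addr ==)   ", select(SAMPLE_PACKETS, lambda p: not_ip_addr_eq(p, host)))
    print("tcp.port == 80  ", select(SAMPLE_PACKETS, lambda p: port_eq(p, "tcp", 80)))
    print("syn and not ack ", select(SAMPLE_PACKETS, syn_only))
```

Running the block prints the frame numbers each filter keeps: ip.addr keeps frames 1-3, the "any field differs" reading of != keeps all five, and the negated form keeps only 4 and 5. The real filter expressions quoted in the docstrings work unchanged in Wireshark's filter bar and in tshark's -Y option.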

Advanced Commands

  1. Filter by HTTP Status Code

    • Command: http.response.code == 404.

    • What it does: Filters HTTP responses with a 404 status code.

  2. Filter by DNS Query

  3. Filter by SSL/TLS

    • Command: tls (Wireshark 3.0 and later; older releases name the dissector ssl).

    • What it does: Filters encrypted SSL/TLS traffic. Only the handshake and record-layer metadata are readable; the application data stays encrypted unless you supply keys.

  4. Filter by VoIP Traffic

    • Command: sip or rtp.

    • What it does: Filters VoIP (Voice over IP) traffic.

  5. Filter by ICMP Type

    • Command: icmp.type == 8.

    • What it does: Filters ICMP echo requests (ping).

  6. Filter by ARP Requests

    • Command: arp.opcode == 1.

    • What it does: Filters ARP requests.

  7. Filter by Broadcast Traffic

    • Command: eth.dst == ff:ff:ff:ff:ff:ff.

    • What it does: Filters broadcast packets.

  8. Filter by VLAN ID

    • Command: vlan.id == xx.

    • What it does: Filters traffic based on VLAN ID.

  9. Filter by TCP Window Size

    • Command: tcp.window_size < 1000.

    • What it does: Filters packets with a small TCP window size.

  10. Filter by Packet Loss

    • Command: tcp.analysis.lost_segment.

    • What it does: Identifies lost TCP segments.

Expert Commands

  1. Filter by Retransmissions

    • Command: tcp.analysis.retransmission.

    • What it does: Identifies retransmitted TCP packets.

  2. Filter by Out-of-Order Packets

    • Command: tcp.analysis.out_of_order.

    • What it does: Detects out-of-order TCP packets.

  3. Filter by Zero Window

    • Command: tcp.analysis.zero_window.

    • What it does: Identifies zero window conditions (receiver buffer full).

  4. Filter by Duplicate ACKs

    • Command: tcp.analysis.duplicate_ack.

    • What it does: Detects duplicate TCP acknowledgments.

  5. Filter by RTT (Round-Trip Time)

    • Command: tcp.analysis.ack_rtt.

    • What it does: Analyzes round-trip times for TCP packets.
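The tcp.analysis.* flags above (and tcp.analysis.lost_segment from the previous section) are not header fields: Wireshark derives them by tracking sequence and acknowledgment numbers across the whole conversation. The following is an added example, not code from the original post or from Wireshark: a simplified re-implementation of those heuristics in Python, run over a constructed one-connection timeline, so you can see what each flag actually means. Wireshark's real rules also use timing thresholds to separate Out-Of-Order from Retransmission and Fast Retransmission; this toy uses sequence bookkeeping only, and its frame timeline is invented sample data.

```python
# Added example, not from the original post and not Wireshark's code: a
# simplified version of the bookkeeping behind tcp.analysis.lost_segment,
# retransmission, out_of_order, duplicate_ack, zero_window and ack_rtt.
from collections import defaultdict

# Constructed segments: (frame, time_s, direction, seq, ack, payload_len, window)
# Direction "A" sends data, direction "B" only acknowledges.
SEGMENTS = [
    (1,  0.000, "A",   1,   1, 100, 65535),
    (2,  0.010, "B",   1, 101,   0, 65535),   # acks frame 1
    (3,  0.020, "A", 101,   1, 100, 65535),
    (4,  0.025, "A", 301,   1, 100, 65535),   # bytes 201-300 were never captured
    (5,  0.030, "B",   1, 201,   0, 65535),   # acks frame 3
    (6,  0.040, "B",   1, 201,   0, 65535),   # duplicate ACK #1
    (7,  0.050, "B",   1, 201,   0, 65535),   # duplicate ACK #2
    (8,  0.060, "A", 201,   1, 100, 65535),   # fills the hole
    (9,  0.300, "A", 301,   1, 100, 65535),   # data already seen in frame 4
    (10, 0.310, "B",   1, 401,   0,     0),   # acks everything, buffer full
]


def analyze(segments):
    """Return ({frame: [flags]}, {frame: ack_rtt_seconds}) for the timeline."""
    next_seq = {}                      # per direction: highest seq+len seen so far
    seen_starts = defaultdict(set)     # per direction: seq of every data segment
    last_ack = {}                      # per direction: (ack, window) of last pure ACK
    dup_count = defaultdict(int)
    unacked = defaultdict(dict)        # per direction: end_seq -> time of latest send
    flags, rtts = {}, {}
    for frame, t, d, seq, ack, length, win in segments:
        f = []
        other = "B" if d == "A" else "A"
        if length > 0:
            exp = next_seq.get(d)
            if exp is not None:
                if seq > exp:
                    f.append("lost_segment")    # gap ahead: a segment was not captured
                elif seq in seen_starts[d]:
                    f.append("retransmission")  # same data sent before
                elif seq < exp:
                    f.append("out_of_order")    # fills a hole we never saw
            seen_starts[d].add(seq)
            end = seq + length
            next_seq[d] = end if exp is None else max(exp, end)
            unacked[d][end] = t
        else:
            # Pure ACK: a duplicate repeats the previous ACK's number and window.
            if last_ack.get(d) == (ack, win):
                dup_count[d] += 1
                f.append("duplicate_ack#%d" % dup_count[d])
            else:
                dup_count[d] = 0
            last_ack[d] = (ack, win)
            # ack_rtt: delay since the other side's latest segment ending at ack.
            # (Wireshark also credits cumulative ACKs that cover several segments.)
            sent = unacked[other].pop(ack, None)
            if sent is not None:
                rtts[frame] = round(t - sent, 3)
        if win == 0:
            f.append("zero_window")             # receiver buffer full
        flags[frame] = f
    return flags, rtts


if __name__ == "__main__":
    flags, rtts = analyze(SEGMENTS)
    for frame, fl in flags.items():
        print(frame, fl, "rtt=%s" % rtts.get(frame, "-"))
```

Frame 4 is flagged lost_segment because its sequence number jumps past what was expected, frames 6 and 7 are duplicate ACKs for the same hole, frame 8 fills it (out_of_order in this toy; Wireshark may call it a Fast Retransmission), frame 9 resends data already seen (retransmission), and frame 10 advertises a zero window. The same bookkeeping explains why these flags disappear when a capture starts mid-connection: without the earlier segments there is nothing to compare against.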

  6. Filter by TCP Checksum Errors

    • Command: tcp.checksum.status == "Bad" (the older tcp.checksum_bad field no longer exists in current Wireshark).

    • What it does: Identifies TCP packets with checksum errors. Checksum validation is off by default in the TCP protocol preferences, and packets captured on the sending host often show bad checksums because the NIC fills them in after capture (checksum offloading), so enable validation and capture on a span port or a third host before trusting this filter.

  7. Filter by HTTP User-Agent

    • Command: http.user_agent contains "Chrome".

    • What it does: Filters HTTP traffic based on the user-agent string.

  8. Filter by HTTP Cookie

    • Command: http.cookie contains "sessionid".

    • What it does: Filters HTTP traffic containing specific cookies.

  9. Filter by FTP Commands

    • Command: ftp.request.command == "USER".

    • What it does: Filters FTP commands (e.g., USER, PASS).

  10. Filter by SMB Traffic

    • Command: smb.

    • What it does: Filters Server Message Block (SMB) traffic.

Master-Level Commands

  1. Filter by Packet TTL

    • Command: ip.ttl == xx.

    • What it does: Filters packets based on their Time-to-Live (TTL) value.

  2. Filter by Packet Fragmentation

    • Command: ip.flags.mf == 1 or ip.frag_offset > 0.

    • What it does: Filters fragmented IP packets. The "more fragments" flag alone misses the last fragment of each datagram (it has mf cleared but a non-zero offset), so the offset test is needed to see every fragment.

  3. Filter by IPv6 Traffic

    • Command: ipv6.

    • What it does: Filters IPv6 traffic.

  4. Filter by Multicast Traffic

    • Command: eth.dst[0] & 1 (the named field eth.dst.ig == 1 is equivalent).

    • What it does: Filters multicast packets by testing the group bit of the destination MAC. Broadcast (ff:ff:ff:ff:ff:ff) also has this bit set, so add and not eth.dst == ff:ff:ff:ff:ff:ff to see multicast alone.
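The TTL, fragmentation and multicast filters above all read single bits or bytes out of the Ethernet and IPv4 headers. The following is an added example, not code from the original post: a Python decoder that pulls ip.ttl, ip.flags.mf, ip.frag_offset and the eth.dst group bit out of raw frame bytes, run over a handful of constructed frames. It shows concretely why ip.flags.mf == 1 alone misses the last fragment and why the multicast bit test also matches broadcast. The sample MAC and IP addresses are invented.

```python
# Added example, not from the original post: decode the header fields behind
# ip.ttl, ip.flags.mf / ip.frag_offset and eth.dst[0] & 1 from raw bytes.
import struct


def parse_ethernet_ipv4(frame):
    """Return the filter-relevant fields of an Ethernet II + IPv4 frame."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, csum, s_addr, d_addr) = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    return {
        "eth.dst": ":".join("%02x" % b for b in dst),
        "eth.dst.ig": dst[0] & 1,                    # same test as eth.dst[0] & 1
        "ip.ttl": ttl,
        "ip.flags.df": (flags_frag >> 14) & 1,
        "ip.flags.mf": (flags_frag >> 13) & 1,
        "ip.frag_offset": (flags_frag & 0x1FFF) * 8,  # in bytes, as Wireshark shows it
    }


def is_fragment(fields):
    """ip.flags.mf == 1 or ip.frag_offset > 0: every fragment, including the last."""
    return fields["ip.flags.mf"] == 1 or fields["ip.frag_offset"] > 0


def is_group_address(fields):
    """eth.dst[0] & 1: multicast, but broadcast has the bit set as well."""
    return fields["eth.dst.ig"] == 1


def is_broadcast(fields):
    return fields["eth.dst"] == "ff:ff:ff:ff:ff:ff"


def build_frame(dst_mac, ttl, df, mf, frag_offset_bytes):
    """Constructed Ethernet + IPv4 header (no payload) for the sample cases."""
    flags_frag = (df << 14) | (mf << 13) | (frag_offset_bytes // 8)
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0x1234, flags_frag,
                            ttl, 17, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))
    return dst_mac + bytes.fromhex("0011223344aa") + b"\x08\x00" + ip_header


# Constructed sample frames (invented addresses).
SAMPLES = {
    "first_fragment": build_frame(bytes.fromhex("0011223344bb"), 64, 0, 1, 0),
    "last_fragment":  build_frame(bytes.fromhex("0011223344bb"), 64, 0, 0, 1480),
    "unfragmented":   build_frame(bytes.fromhex("0011223344bb"), 128, 1, 0, 0),
    "multicast":      build_frame(bytes.fromhex("01005e000001"), 1, 0, 0, 0),
    "broadcast":      build_frame(bytes.fromhex("ffffffffffff"), 64, 0, 0, 0),
}


def classify(name):
    """Evaluate the three filters of interest against one sample frame."""
    f = parse_ethernet_ipv4(SAMPLES[name])
    return {"ttl": f["ip.ttl"], "mf": f["ip.flags.mf"], "offset": f["ip.frag_offset"],
            "fragment": is_fragment(f), "group": is_group_address(f),
            "broadcast": is_broadcast(f)}


if __name__ == "__main__":
    for name in SAMPLES:
        print(name, classify(name))
```

The last_fragment case is the one to note: mf is 0, so ip.flags.mf == 1 drops it, while the offset test keeps it. The multicast case has a TTL of 1, which is the usual value for link-local multicast and a quick way to spot it alongside ip.ttl == 1.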

  5. Filter by TCP Sequence Number

    • Command: tcp.seq == xx.

    • What it does: Filters packets based on TCP sequence numbers.

  6. Filter by TCP Acknowledgment Number

    • Command: tcp.ack == xx.

    • What it does: Filters packets based on TCP acknowledgment numbers.

  7. Filter by HTTP Host

  8. Filter by HTTP Referer

    • Command: http.referer contains "google.com".

    • What it does: Filters HTTP traffic based on the referer header.

  9. Filter by HTTP Content-Type

    • Command: http.content_type == "text/html" (use http.content_type contains "text/html" when the header carries a charset parameter, e.g. "text/html; charset=UTF-8", which an exact match would miss).

    • What it does: Filters HTTP traffic based on the content type.

  10. Filter by Custom Expression

    • Command: frame contains "xyz".

    • What it does: Filters packets containing specific text or hex values.