Wireshark Cheat Sheet - Essentials


9/14/2024, 9 min read

Wireshark is more than just a tool; it's the gold standard for network traffic analysis. Whether you're troubleshooting network issues, detecting security threats, or simply curious about what's happening behind the scenes, Wireshark provides unparalleled visibility into network traffic. In this guide, we'll dive deep into Wireshark's features, from basic filters to advanced analysis techniques, helping you become proficient in network packet analysis.

Table of Contents

  • Getting Started with Wireshark

  • Understanding Display Filters

  • Using Logical Operators

  • Setting Up Capture Filters

  • Customizing Time Display Formats

  • Applying Coloring Rules

  • Following Streams

  • Exporting Objects from Captures

  • Leveraging Wireshark's Statistics

  • Marking and Annotating Packets

  • Enabling Name Resolution

  • Utilizing Expert Information

  • Creating Display Filter Macros

  • Adjusting Preferences and Settings

  • Essential Keyboard Shortcuts

  • Saving and Managing Filters

  • Command-Line Usage with Wireshark and tshark

  • Extracting Files from Packet Data

  • Navigating the Packet Details Pane

  • Interpreting the Packet Bytes Pane

  • Using Bookmarks for Efficient Analysis

  • Working with Configuration Profiles

  • Importing and Exporting Profiles

  • Decrypting Encrypted Traffic

  • Exploring Advanced Statistics

  • Advanced tshark Command-Line Usage

  • Exporting Data from Wireshark

  • Optimizing Capture Options

  • Filtering by Packet Length

  • Analyzing Wireless Traffic

  • Capturing USB Traffic

  • Tips and Tricks for Efficient Analysis

  • Understanding Filter Syntax

  • Filtering by Protocol Fields

  • Identifying Errors and Warnings

  • Working with IPv6 Filters

  • Applying Filters from Packet Details

  • Exporting Data with tshark

  • Customizing Packet Coloring

  • Tailoring Wireshark's Appearance

Getting Started with Wireshark

Before diving into advanced features, it's essential to familiarize yourself with Wireshark's interface and basic functionalities.

  • Installation: Download Wireshark from the official website and follow the installation instructions for your operating system.

  • Interface Overview: Wireshark's main window is divided into three panes:

    • Packet List Pane: Displays a summary of each captured packet.

    • Packet Details Pane: Shows detailed information about the selected packet.

    • Packet Bytes Pane: Presents the raw data of the selected packet in hexadecimal and ASCII.

Understanding Display Filters

Display filters are essential for narrowing down the packets displayed in Wireshark, making analysis more manageable.

IP Address Filters

  • Any Traffic to/from an IP: ip.addr == 192.168.1.1

  • Traffic from a Specific IP: ip.src == 192.168.1.1

  • Traffic to a Specific IP: ip.dst == 192.168.1.1

Port Filters

  • Any TCP Traffic on Port 80: tcp.port == 80

  • TCP Traffic from Port 80: tcp.srcport == 80

  • TCP Traffic to Port 80: tcp.dstport == 80

Protocol Filters

  • HTTP Traffic: http

  • DNS Traffic: dns

  • ICMP Traffic: icmp

  • UDP Traffic: udp

TCP Flags

  • SYN Packets: tcp.flags.syn == 1

  • FIN Packets: tcp.flags.fin == 1

  • RST Packets: tcp.flags.reset == 1

Error and Analysis Filters

  • TCP Retransmissions: tcp.analysis.retransmission

  • Lost TCP Segments: tcp.analysis.lost_segment

  • Duplicate ACKs: tcp.analysis.duplicate_ack

Content Filters

  • Packets Containing Specific Text: frame contains "text"

  • HTTP GET Requests: http.request.method == "GET"

  • DNS Queries for a Domain: dns.qry.name == "example.com"

MAC Address Filters

  • Packets with a Specific MAC Address: eth.addr == AA:BB:CC:DD:EE:FF

Using Logical Operators

Logical operators allow you to combine multiple conditions in your filters.

  • AND: and

  • OR: or

  • NOT: not

Examples:

  • Filter for HTTP Traffic from a Specific IP: ip.src == 192.168.1.1 and http

  • Filter for DNS or ICMP Traffic: dns or icmp

  • Exclude ICMP Traffic:

    not icmp

Setting Up Capture Filters

Capture filters are used to specify which packets should be captured, reducing the amount of data collected.

Host and Network Filters

  • Capture Traffic to/from an IP: host 192.168.1.1

  • Capture Traffic within a Network: net 192.168.1.0/24

Port Filters

  • Capture Traffic on Port 80: port 80

  • Capture TCP Traffic on Port 80: tcp port 80

  • Capture UDP Traffic on Port 53: udp port 53

Protocol Filters

  • Capture Only TCP Traffic: tcp

  • Capture Only UDP Traffic: udp

  • Capture Only ICMP Traffic: icmp

Direction Filters

  • Capture Traffic from a Specific Source: src host 192.168.1.1

  • Capture Traffic to a Specific Destination Network: dst net 10.0.0.0/8

Ethernet Address Filters

  • Capture Traffic with a Specific MAC Address: ether host AA:BB:CC:DD:EE:FF

Size Filters

  • Capture Packets Smaller Than 128 Bytes: less 128

  • Capture Packets Larger Than 512 Bytes: greater 512

Customizing Time Display Formats

Adjusting the time format can help correlate events and analyze traffic patterns.

  • Change Time Format:

    • Navigate to View > Time Display Format.

    • Options include:

      • Date and Time of Day.

      • Time Since Previous Packet.

      • Time Since First Packet.

Applying Coloring Rules

Coloring rules make it easier to identify specific types of traffic at a glance.

  • Access Coloring Rules:

    • Go to View > Coloring Rules.

  • Common Coloring Rules:

    • Bad TCP: Highlights packets with TCP issues. Filter: tcp.analysis.flags

    • HTTP Traffic: Highlights HTTP packets. Filter: http

    • DNS Traffic: Highlights DNS packets. Filter: dns

    • TCP SYN Packets: Highlights TCP connection initiation packets. Filter: tcp.flags.syn == 1

Following Streams

Following a stream allows you to view a complete conversation between two endpoints.

  • Follow a Stream:

    • Right-click on a packet.

    • Select Follow > Choose the stream type (e.g., TCP, UDP, HTTP).

  • Benefit: Displays the entire conversation in a separate window, making it easier to analyze communication.

Exporting Objects from Captures

Wireshark can extract files and other objects transferred over protocols like HTTP, SMB, and more.

  • Export Objects:

    • Go to File > Export Objects.

    • Choose the protocol (e.g., HTTP, SMB) from which you want to extract objects.

  • Use Case: Retrieve files downloaded over HTTP or documents shared over SMB.

Leveraging Wireshark's Statistics

Wireshark provides various statistical tools to help analyze traffic patterns and identify issues.

  • Protocol Hierarchy:

    • Navigate to Statistics > Protocol Hierarchy.

    • Purpose: Shows the distribution of protocols in the captured traffic.

  • Conversations:

    • Go to Statistics > Conversations.

    • Purpose: Lists all the conversations between endpoints.

  • Endpoints:

    • Access via Statistics > Endpoints.

    • Purpose: Provides details about all endpoints involved in the capture.

  • I/O Graphs:

    • Found under Statistics > IO Graphs.

    • Purpose: Visualize traffic over time.

  • Flow Graph:

    • Navigate to Statistics > Flow Graph.

    • Purpose: Visual representation of packet flows between hosts.

Marking and Annotating Packets

Marking packets can help highlight important data for later review.

  • Mark a Packet:

    • Right-click on the packet and select Mark Packet.

    • Alternatively, press Ctrl+M.

  • View Only Marked Packets:

    • Go to View > Show Marked Packets.

Enabling Name Resolution

Name resolution translates numeric addresses into human-readable names.

  • Enable or Disable Name Resolution:

    • Navigate to View > Name Resolution.

    • Options include:

      • Resolve MAC Addresses: Translates MAC addresses to vendor names.

      • Resolve Network Addresses: Converts IP addresses to domain names.

      • Resolve Transport Names: Translates port numbers to service names.

Utilizing Expert Information

Wireshark's Expert Information window provides insights into anomalies and potential issues within the captured traffic.

  • Access Expert Information:

    • Go to Analyze > Expert Information.

  • Benefits:

    • Highlights warnings, errors, and notes.

    • Helps quickly identify network problems.

Creating Display Filter Macros

Display filter macros allow you to save and reuse complex filters.

  • Create a Macro:

    • Navigate to Analyze > Display Filter Macros.

    • Define a new macro with a name and filter expression.

  • Use Case: Simplify repetitive filtering tasks.

Adjusting Preferences and Settings

Customizing Wireshark's settings can enhance your analysis experience.

  • Access Preferences:

    • Go to Edit > Preferences.

  • Customization Options:

    • Protocols: Configure protocol-specific settings.

    • Layouts: Adjust the interface layout.

    • Appearance: Change fonts, colors, and styles.

Essential Keyboard Shortcuts

Keyboard shortcuts can significantly speed up your workflow.

Capture Control

  • Start/Stop Capture:

    • Press Ctrl+E.

  • Open Capture File:

    • Press Ctrl+O.

  • Save Capture File:

    • Press Ctrl+S.

  • Reload File:

    • Press Ctrl+R.

Navigation

  • Next Packet:

    • Press the Down Arrow key.

  • Previous Packet:

    • Press the Up Arrow key.

  • Go to Specific Packet:

    • Press Ctrl+G.

  • Find Packet:

    • Press Ctrl+F.

View Control

  • Expand All Protocol Layers:

    • Press Shift+Right Arrow.

  • Collapse All Protocol Layers:

    • Press Shift+Left Arrow.

  • Zoom In:

    • Press Ctrl and +.

  • Zoom Out:

    • Press Ctrl and -.

Saving and Managing Filters

Saving filters allows for quick access and reuse in future sessions.

  • Save a Display Filter:

    • Enter your filter expression in the filter bar.

    • Click the + icon next to the filter bar.

    • Provide a name and save the filter.

  • Manage Saved Filters:

    • Access saved filters from the drop-down menu in the filter bar.

Command-Line Usage with Wireshark and tshark

Wireshark isn't limited to the graphical interface; you can also use it via the command line.

Starting Wireshark from the Command Line

  • Start Capture on a Specific Interface:

    wireshark -i <interface> -k

    • -i: Specifies the interface.

    • -k: Starts capturing immediately.

  • Capture and Save to a File:

    wireshark -i <interface> -k -w <filename>

    • -w: Writes the capture to a file.

Using tshark (Terminal-Based Wireshark)

  • List Available Interfaces:

    tshark -D

  • Capture Traffic on an Interface:

    tshark -i <interface>

  • Read from a Capture File: tshark -r file.pcap

  • Apply a Display Filter: tshark -Y "http"

  • Save Captured Traffic to a File: tshark -w output.pcap

Extracting Files from Packet Data

Wireshark can reconstruct and extract files transmitted over certain protocols.

  • Export Objects from Traffic:

    • Go to File > Export Objects.

    • Select the protocol (e.g., HTTP, SMB).

    • Choose the files or objects you want to save.

Navigating the Packet Details Pane

The Packet Details Pane provides in-depth information about each packet.

  • Interacting with Protocol Layers:

    • Click the + or - icons to expand or collapse protocol layers.

  • Applying Filters from Fields:

    • Right-click on a field.

    • Choose Apply as Filter or Prepare as Filter.

Interpreting the Packet Bytes Pane

This pane displays the raw data of the selected packet.

  • Hexadecimal View: Shows the packet data in hexadecimal format.

  • ASCII View: Displays the ASCII representation alongside the hex data.

  • Use Case: Useful for analyzing unknown protocols or checking data integrity.

Using Bookmarks for Efficient Analysis

Bookmarks help you keep track of important packets during analysis.

  • Add a Bookmark:

    • Mark a packet (using Ctrl+M).

    • Use bookmarks to navigate between significant packets quickly.

Working with Configuration Profiles

Profiles allow you to save different configurations for various analysis scenarios.

  • Create a New Profile:

    • Go to Edit > Configuration Profiles.

    • Click New to create a profile.

  • Switch Between Profiles:

    • Profiles can be selected from the bottom-right corner of the Wireshark window.

Importing and Exporting Profiles

Share your customized settings and filters with others or use them on different machines.

  • Export a Profile:

    • Navigate to your profile directory.

    • Copy the profile folder to share or backup.

  • Import a Profile:

    • Place the profile folder into the Wireshark profiles directory.

Decrypting Encrypted Traffic

Wireshark can decrypt certain types of encrypted traffic if you have the appropriate keys.

  • Decrypt SSL/TLS Traffic:

    • Go to Edit > Preferences > Protocols > TLS.

    • Provide the necessary keys or passwords.

  • Use Case: Analyze HTTPS traffic when you have access to the server's private key.

Exploring Advanced Statistics

Delve deeper into network performance and behavior with advanced statistics.

  • Service Response Time:

    • Navigate to Statistics > Service Response Time.

    • Purpose: Measure the time between request and response for various protocols.

  • HTTP Statistics:

    • Go to Statistics > HTTP.

    • Purpose: Analyze HTTP requests, responses, and errors.

Advanced tshark Command-Line Usage

Enhance your command-line network analysis with advanced tshark options.

  • Export Specific Fields: tshark -r file.pcap -T fields -e frame.number -e ip.src -e ip.dst

    • -T fields: Specifies field output.

    • -e: Defines which fields to include.

  • Combine Multiple Filter Conditions: tshark -r file.pcap -Y "http and ip.src == 192.168.1.1"

Exporting Data from Wireshark

Save packet data in various formats for reporting or further analysis.

  • Export Specified Packets:

    • Go to File > Export Specified Packets.

  • Export Packet Dissections:

    • Navigate to File > Export Packet Dissections.

    • Formats: Plain text, CSV, XML, JSON.

Optimizing Capture Options

Fine-tune your capture settings to optimize performance and relevance.

  • Access Capture Options:

    • Go to Capture > Options.

  • Key Settings:

    • Interface Selection: Choose the network interface to capture from.

    • Capture Filters: Define what traffic to capture.

    • File Management: Set file size limits and ring buffer options.

Filtering by Packet Length

Focus on packets of specific sizes to identify anomalies or specific types of traffic.

  • Filter Packets Exactly 128 Bytes Long: frame.len == 128

  • Filter Packets 64 Bytes or Smaller: frame.len <= 64

  • Filter Packets Larger Than 1024 Bytes: frame.len > 1024

Analyzing Wireless Traffic

Wireshark can capture and analyze wireless (Wi-Fi) traffic with the right setup.

  • Capture Wireless Traffic:

    • Note: Requires a compatible wireless adapter and appropriate permissions.

  • Wireless Traffic Filters:

    • All Wireless Packets: wlan

    • Packets for a Specific SSID: wlan.ssid == "network_name"

    • Packets from a Specific BSSID:

      wlan.bssid == AA:BB:CC:DD:EE:FF

Capturing USB Traffic

Analyze USB communications between devices and your computer.

  • Capture USB Traffic:

    • Note: Available on certain operating systems and may require additional setup.

  • USB Traffic Filters:

    • All USB Packets: usb

    • Packets from a Specific USB Device: usb.device_address == 2

Tips and Tricks for Efficient Analysis

Enhance your Wireshark skills with these helpful tips.

  • Filter Expression Dialog:

    • Open with Ctrl+Shift+F to build complex filters with assistance.

  • Field Descriptions:

    • Hover over fields in the Packet Details Pane to see descriptions.

  • Capture File Properties:

    • Access via Statistics > Capture File Properties for metadata about the capture.

Understanding Filter Syntax

Get familiar with the syntax used in Wireshark's filters.

Operators

  • Equality: ==

  • Inequality: !=

  • Greater Than: >

  • Less Than: <

  • Contains: contains

  • Matches (Regular Expressions): matches

Examples:

  • Filter with a Regular Expression: frame matches "regex_pattern"

  • Filter for HTTP POST Requests: http.request.method == "POST"
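To make the semantics behind the Display Filters, Logical Operators and Filter Syntax sections concrete, here is a small Python evaluator for that subset of display-filter syntax, run over a handful of constructed packets. It is an added example, not Wireshark's own filter engine: field names follow Wireshark's, the packets and addresses are invented, and `!=` is implemented the way Wireshark 3.6 and later read it, as `not (field == value)`.

```python
import re

ALIASES = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport")}
TOKEN = re.compile(r'==|!=|>=|<=|>|<|"[^"]*"|[A-Za-z0-9_.:-]+')
TESTS = {"==": lambda v, w: v == w, ">": lambda v, w: v > w, "<": lambda v, w: v < w,
         ">=": lambda v, w: v >= w, "<=": lambda v, w: v <= w,
         "contains": lambda v, w: str(w) in str(v)}

def field_values(pkt, field):
    # ip.addr / tcp.port expand to both directions, so a test on them is an "any" test
    return [pkt[f] for f in ALIASES.get(field, (field,)) if f in pkt]

def compare(pkt, field, op, wanted):
    if op == "!=":                      # Wireshark >= 3.6: "a != b" means "!(a == b)"
        return not compare(pkt, field, "==", wanted)
    vals = field_values(pkt, field)     # numeric fields compare as numbers, not strings
    return any(TESTS[op](v, int(wanted) if isinstance(v, int) else wanted) for v in vals)

def matches(expr, pkt):
    # Recursive-descent evaluator; precedence (lowest first): or, and, not.
    toks = TOKEN.findall(expr)
    peek = lambda: toks[0] if toks else None
    def chain(word, below):             # below (word below)*, joined with or / and
        result = below()
        while peek() == word:
            toks.pop(0)
            right = below()
            result = (result or right) if word == "or" else (result and right)
        return result
    def atom():                         # "not" atom | field op value | field
        tok = toks.pop(0)
        if tok == "not":
            return not atom()
        if peek() in TESTS or peek() == "!=":
            op = toks.pop(0)
            return compare(pkt, tok, op, toks.pop(0).strip('"'))
        return bool(field_values(pkt, tok))  # bare field or protocol name: present?
    return chain("or", lambda: chain("and", atom))

# Constructed sample packets (flattened dissection fields), not a real capture.
PACKETS = [
    {"frame.number": 1, "frame.len": 74, "ip.src": "192.168.1.10", "ip.dst": "192.168.1.1",
     "tcp": True, "tcp.srcport": 51234, "tcp.dstport": 80, "tcp.flags.syn": 1},
    {"frame.number": 2, "frame.len": 74, "ip.src": "192.168.1.1", "ip.dst": "192.168.1.10",
     "tcp": True, "tcp.srcport": 80, "tcp.dstport": 51234, "tcp.flags.syn": 1},
    {"frame.number": 3, "frame.len": 512, "ip.src": "192.168.1.10", "ip.dst": "192.168.1.1",
     "tcp": True, "tcp.srcport": 51234, "tcp.dstport": 80, "tcp.flags.syn": 0,
     "http": True, "http.request.method": "GET"},
    {"frame.number": 4, "frame.len": 84, "ip.src": "192.168.1.10", "ip.dst": "192.0.2.53",
     "udp": True, "dns": True, "dns.qry.name": "example.com"},
]

def matching_frames(expr, packets=PACKETS):
    # Frame numbers that the display filter `expr` would keep.
    return [p["frame.number"] for p in packets if matches(expr, p)]
```

Note how `ip.addr == 192.168.1.1` keeps frames in both directions while `ip.src == 192.168.1.1` keeps only the reply, and how `ip.addr != 192.168.1.1` keeps only frames with neither side equal to that address.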

Filtering by Protocol Fields

Target specific protocol fields in your filters.

Identifying Errors and Warnings

Detect and troubleshoot network issues by filtering error packets.

TCP Errors

  • Filter for TCP Errors: tcp.analysis.flags

ICMP Errors

  • Destination Unreachable Messages: icmp.type == 3

ARP Issues

  • Duplicate IP Address Detected: arp.duplicate-address-detected

Working with IPv6 Filters

Analyze IPv6 traffic with dedicated filters.

  • All IPv6 Packets: ipv6

  • Packets from a Specific IPv6 Address: ipv6.addr == 2001:db8::1

Applying Filters from Packet Details

Quickly create filters based on packet contents.

  • Apply a Filter from a Field:

    • Right-click on the field in the Packet Details Pane.

    • Choose Apply as Filter > Selected.

  • Prepare a Filter:

    • Right-click on the field.

    • Select Prepare as Filter > Selected to edit before applying.

Exporting Data with tshark

Use tshark to extract specific data from capture files via the command line.

  • Export Specific Fields to a File: tshark -r file.pcap -T fields -e frame.number -e ip.src -e ip.dst > output.txt
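The field export shown here and under Advanced tshark Command-Line Usage produces tab-separated lines that are easy to post-process. The following added Python (not part of this page or of tshark) parses a constructed sample of that output, where -E header=y supplies the column names, and builds a per-conversation count like Statistics > Conversations; it also handles the case, shown in frame 5, where a field that occurs twice in one frame is joined with a comma unless -E occurrence=f is used.

```python
import csv
from collections import Counter

# Constructed sample of tshark output, mirroring (not captured from a real file):
#   tshark -r file.pcap -T fields -E header=y -e frame.number -e ip.src -e ip.dst \
#          -e tcp.dstport -e frame.len
# Columns are tab-separated; an empty column means the field is absent in that
# frame, and a field occurring more than once (the inner IP header quoted in the
# ICMP error in frame 5) is joined with "," unless -E occurrence=f is given.
SAMPLE = """frame.number\tip.src\tip.dst\ttcp.dstport\tframe.len
1\t192.168.1.10\t192.168.1.1\t80\t74
2\t192.168.1.1\t192.168.1.10\t51234\t74
3\t192.168.1.10\t192.168.1.1\t80\t512
4\t192.168.1.10\t192.0.2.53\t\t84
5\t192.0.2.53,192.168.1.10\t192.168.1.10,192.0.2.53\t\t98
"""

def parse_fields(text):
    """Parse -T fields output (with -E header=y) into a list of dicts.

    Absent fields become None; for multi-occurrence fields the first value
    (the outermost header) is kept, which is what -E occurrence=f would emit."""
    rows = []
    for row in csv.DictReader(text.splitlines(), delimiter="\t"):
        rows.append({k: (v.split(",")[0] if v else None) for k, v in row.items()})
    return rows

def conversations(rows):
    """Packets and bytes per unordered IP pair, like Statistics > Conversations."""
    pkts, byts = Counter(), Counter()
    for r in rows:
        if not r["ip.src"]:          # non-IP frame (e.g. ARP): nothing to count
            continue
        key = tuple(sorted((r["ip.src"], r["ip.dst"])))
        pkts[key] += 1
        byts[key] += int(r["frame.len"])
    return {key: (pkts[key], byts[key]) for key in pkts}

def top_tcp_ports(rows, n=3):
    """Most-contacted TCP destination ports; frames without TCP are skipped."""
    return Counter(r["tcp.dstport"] for r in rows if r["tcp.dstport"]).most_common(n)

if __name__ == "__main__":
    rows = parse_fields(SAMPLE)
    for pair, (count, size) in conversations(rows).items():
        print(f"{pair[0]} <-> {pair[1]}: {count} packets, {size} bytes")
    print("top TCP ports:", top_tcp_ports(rows))
```

To feed real data, replace SAMPLE with the output of the tshark command in the comment (adding -E header=y); if you would rather keep all occurrences of a field, switch to -E occurrence=a and adapt the split.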

Customizing Packet Coloring

Create custom coloring rules to highlight packets that meet specific criteria.

  • Add a New Coloring Rule:

    • Go to View > Coloring Rules.

    • Click New to create a rule.

    • Define the filter expression and choose colors.

  • Example:

    • Filter: tcp.analysis.retransmission

    • Purpose: Highlight retransmitted TCP packets.

Tailoring Wireshark's Appearance

Adjust the look and feel of Wireshark to suit your preferences.

  • Change Appearance Settings:

    • Go to Edit > Preferences > Appearance.

  • Customization Options:

    • Fonts: Change the font type and size.

    • Colors: Adjust background and text colors.

    • Layout: Modify pane arrangements and split orientations.

Wireshark is an indispensable tool for anyone involved in network administration, security analysis, or IT troubleshooting. By mastering its features and functionalities, you can gain deep insights into network operations, diagnose issues efficiently, and enhance overall network performance. Keep exploring, practicing, and experimenting with Wireshark to unlock its full potential.