
Wireshark is the go-to tool for anyone diving into the world of network analysis, cybersecurity, or even Capture The Flag (CTF) challenges. Whether you’re troubleshooting, learning the ropes, or preparing for a red team engagement, this Wireshark cheat sheet is your one-stop guide to getting things done efficiently.
What is Wireshark?
Wireshark is a free and open-source packet analyzer. It captures and inspects data traveling across a network in real-time. Think of it as a microscope for network traffic—it reveals what’s happening under the hood, packet by packet.
Key Use Cases:
- Debugging network issues.
- Identifying malicious traffic or attacks.
- Analyzing performance bottlenecks.
- Reverse engineering protocols.
Getting Started
Action | Shortcut/Steps | Description |
---|---|---|
Start Capture | Ctrl + E or click the shark fin icon | Begin capturing network traffic in real-time. |
Stop Capture | Ctrl + E | Stop capturing traffic. |
Open Saved Capture | Ctrl + O | Load .pcap or .pcapng files for analysis. |
Save Capture | Ctrl + S | Save current session for later. |
Filters Syntax
Filters are your most powerful tool in Wireshark, letting you isolate exactly what you need from the noise.
Filter Type | Syntax Example | Description |
---|---|---|
Protocol | http , dns , tcp , udp | Show packets for a specific protocol. |
IP Address | ip.addr == 192.168.1.1 | Match packets involving a specific IP, as source or destination. |
Source IP | ip.src == 192.168.1.1 | Show packets from a specific IP. |
Destination IP | ip.dst == 192.168.1.1 | Show packets to a specific IP. |
Port | tcp.port == 80 | Filter packets on a specific port (e.g., HTTP). |
Text in Packets | frame contains "password" | Find packets with specific text or keywords. The match is byte-for-byte and case-sensitive; use frame matches "(?i)password" for a case-insensitive regex. |
Logical Operators | (ip.src == 192.168.1.1) && (tcp.port == 80) | Combine filters with && (and), \|\| (or) and ! (not); the keywords and, or and not work too. |
Common Filters
Use Case | Filter Syntax | Description |
---|---|---|
Find Slow Connections | tcp.analysis.retransmission | Identify retransmitted packets, a sign of packet loss or an unresponsive peer. |
Track HTTPS Handshakes | tls.handshake.type == 1 | Spot ClientHello packets in TLS (Wireshark versions before 3.0 use the ssl. prefix instead of tls.). |
Search for HTTP POSTs | http.request.method == "POST" | Analyze login forms and data submissions. |
Spot Malicious Domains | dns.qry.name contains "suspicious.com" | Find DNS queries for a domain you are hunting for (replace suspicious.com with the domain of interest). |
Analyze ICMP Traffic | icmp | Display all ping and ICMP traffic. |
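The following is an added example and not code from the original cheat sheet. It constructs a handful of packets (the hosts, ports and payloads are made up for illustration), writes them in pcap format, and evaluates the filter expressions from the two tables above with a minimal dissector, so you can see exactly which frames each expression selects. Run it directly and it also writes cheatsheet_sample.pcap; open that file in Wireshark and type the same expressions into the filter bar. Two points the tables only hint at: ip.addr == X matches packets in both directions (contrast with ip.src), and frame contains is a case-sensitive byte match, so frame matches "(?i)password" is what you want for a case-insensitive search.

```python
"""Constructed sample traffic (not a real capture) plus a minimal dissector, so the
cheat-sheet display filters can be evaluated offline. Run directly to also write
cheatsheet_sample.pcap; open it in Wireshark and the same filters select the same frames."""
import re
import struct

SYN, RST, PSH, ACK = 0x02, 0x04, 0x08, 0x10
ETH = b"\x00" * 6 + b"\x11" * 6 + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4


def ipv4(src, dst, proto, payload):
    # Checksums stay 0: Wireshark does not validate IP/TCP/UDP checksums by default.
    addrs = bytes(map(int, src.split("."))) + bytes(map(int, dst.split(".")))
    return ETH + struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0) + addrs + payload


def tcp(sport, dport, flags, payload=b""):
    # 20-byte header, no options (data offset 5).
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload


def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def dns_query(name):
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + labels + struct.pack("!HH", 1, 1)


def tls_client_hello():
    # Minimal ClientHello body: version 3.3, zero random, no session id, one cipher suite, null compression.
    body = b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00" + b"\x00\x00"
    hs = b"\x01" + len(body).to_bytes(3, "big") + body       # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record type 0x16 = handshake


C, S, GW, EXT = "192.168.1.10", "10.0.0.5", "192.168.1.1", "203.0.113.7"  # made-up hosts
POST = (b"POST /login HTTP/1.1\r\nHost: app.example\r\nContent-Length: 25\r\n\r\n"
        b"user=bob&password=hunter2")
FRAMES = [
    ipv4(C, S, 6, tcp(51000, 80, SYN)),                                        # 1 SYN to port 80
    ipv4(C, S, 6, tcp(51000, 80, PSH | ACK, POST)),                            # 2 HTTP POST with credential
    ipv4(C, GW, 17, udp(53000, 53, dns_query("cdn.suspicious.com"))),         # 3 DNS query
    ipv4(C, EXT, 6, tcp(51001, 443, PSH | ACK, tls_client_hello())),           # 4 TLS ClientHello
    ipv4(S, C, 6, tcp(80, 51000, RST)),                                        # 5 TCP reset, server -> client
    ipv4(C, GW, 1, struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"ping"),           # 6 ICMP echo request
    ipv4(C, S, 6, tcp(51002, 80, PSH | ACK, b"GET /help?topic=Password HTTP/1.1\r\n\r\n")),  # 7 GET
]


def pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header, link type 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


def qname(b):
    labels, i = [], 0
    while b[i]:
        labels.append(b[i + 1:i + 1 + b[i]].decode())
        i += 1 + b[i]
    return ".".join(labels)


def dissect_frame(num, frame):
    """Extract the fields the cheat-sheet filters refer to, keyed by their Wireshark names."""
    f = {"frame.number": num, "frame": frame}
    if frame[12:14] != b"\x08\x00":
        return f
    ip = frame[14:]
    f["ip.src"], f["ip.dst"] = (".".join(map(str, ip[o:o + 4])) for o in (12, 16))
    proto, l4 = ip[9], ip[(ip[0] & 0x0F) * 4:]
    if proto == 1:
        f["icmp"] = True
    elif proto == 6:
        f["tcp.srcport"], f["tcp.dstport"] = struct.unpack("!HH", l4[:4])
        f["tcp.flags.reset"] = bool(l4[13] & RST)
        payload = l4[(l4[12] >> 4) * 4:]
        if payload[:1] == b"\x16" and len(payload) > 5 and payload[5] == 1:
            f["tls.handshake.type"] = 1
        elif payload[:4] in (b"GET ", b"POST"):
            f["http.request.method"] = payload.split(b" ", 1)[0].decode()
    elif proto == 17:
        f["udp.srcport"], f["udp.dstport"] = struct.unpack("!HH", l4[:4])
        if f["udp.dstport"] == 53:
            f["dns.qry.name"] = qname(l4[20:])  # skip 8-byte UDP + 12-byte DNS header
    return f


PACKETS = [dissect_frame(n, fr) for n, fr in enumerate(FRAMES, 1)]

FILTERS = {  # cheat-sheet expression -> predicate over one dissected frame
    "ip.addr == 192.168.1.10": lambda p: C in (p.get("ip.src"), p.get("ip.dst")),
    "tcp.port == 80": lambda p: 80 in (p.get("tcp.srcport"), p.get("tcp.dstport")),
    'frame contains "password"': lambda p: b"password" in p["frame"],  # byte match, case-sensitive
    'frame matches "(?i)password"': lambda p: re.search(rb"(?i)password", p["frame"]) is not None,
    'http.request.method == "POST"': lambda p: p.get("http.request.method") == "POST",
    "tls.handshake.type == 1": lambda p: p.get("tls.handshake.type") == 1,
    'dns.qry.name contains "suspicious.com"': lambda p: "suspicious.com" in p.get("dns.qry.name", ""),
    "icmp": lambda p: p.get("icmp", False),
    "tcp.flags.reset == 1": lambda p: p.get("tcp.flags.reset", False),
}
FILTERS["ip.src == 192.168.1.10 && tcp.port == 80"] = lambda p: p.get("ip.src") == C and FILTERS["tcp.port == 80"](p)


def apply_filter(expr):
    """Frame numbers the filter selects, as Wireshark's packet list would show them."""
    return [p["frame.number"] for p in PACKETS if FILTERS[expr](p)]


if __name__ == "__main__":
    with open("cheatsheet_sample.pcap", "wb") as fh:
        fh.write(pcap(FRAMES))
    for expr in FILTERS:
        print(f"{expr:45} -> frames {apply_filter(expr)}")
```

The dissector deliberately recognises only the fields the tables use; Wireshark's real dissectors go much deeper, but the selection logic per expression is the same. Frame 5 (the reset, sent by the server) is why ip.addr == 192.168.1.10 returns every frame while ip.src == 192.168.1.10 would not, and frame 7 is why the case-sensitive contains misses "Password" where the (?i) regex catches it.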
Wireshark Features
Feature | How to Access | Description |
---|---|---|
Follow Streams | Right-click a packet > Follow > TCP Stream | View a full conversation for analysis. |
Protocol Hierarchy | Statistics > Protocol Hierarchy | Breakdown of protocols in your capture. |
Export Packets | File > Export Specified Packets | Save specific packets for sharing or debugging. |
IO Graph | Statistics > IO Graph | Visualize traffic over time. |
Wireshark Shortcuts
Action | Shortcut | Description |
---|---|---|
Start/Stop Capture | Ctrl + E | Toggle live packet capture. |
Search Packets | Ctrl + F | Find specific packets by content or fields. |
Focus Filter Bar | Ctrl + / | Jump to the display filter bar; delete its contents (or click the X) and press Enter to show all traffic again. |
Jump to Packet | Ctrl + G | Go to a specific packet number. |
Manage Profiles | Ctrl + Shift + A (Edit > Configuration Profiles) | Save layouts, filters, and settings as a named profile. |
Pro Tips for Wireshark Power Users
- Customize Coloring Rules: Go to View > Coloring Rules to highlight traffic patterns. For example, make TCP resets (tcp.flags.reset == 1) stand out in red.
- Use Profiles: Save your favorite filters and layouts under Edit > Configuration Profiles. Switch profiles for different tasks.
- Leverage Capture Filters: Capture only what you need to save space and improve performance. Example: port 80 to capture only traffic on port 80. Capture filters are set before the capture starts (Capture > Options) and use BPF syntax, the same as tcpdump, which is different from the display filter syntax above; a capture filter cannot be changed once the capture is running, and anything it drops is gone for good, so keep it broad when you are not sure what you are looking for.
Wireshark Cheat Sheet Recap
Wireshark is an incredibly powerful tool for network professionals, ethical hackers, and CTF enthusiasts. By mastering filters, using statistics tools, and leveraging shortcuts, you can quickly analyze even the most complex captures.
Make Wireshark a part of your daily toolkit, and you’ll soon uncover insights hiding in plain sight. Happy packet hunting! 🦈