Wireshark

Wireshark is the world's most popular network protocol analyzer. It captures and analyzes network traffic, either live or from saved capture files, and dissects hundreds of protocols.

Key Features

  • Live capture from multiple interfaces
  • Deep inspection of hundreds of protocols
  • Powerful display filters
  • VoIP and streaming analysis
  • Decryption support (SSL/TLS with keys)
  • Export capabilities

Common Display Filters

# Filter by protocol
http
tcp
dns

# Filter by IP
ip.addr == 192.168.1.1
ip.src == 10.0.0.1
ip.dst == 10.0.0.2

# Filter by port
tcp.port == 80
tcp.port == 443

# HTTP specific
http.request.method == "POST"
http.response.code == 200
http.host contains "example"

# Combining filters
http && ip.addr == 192.168.1.1
tcp.port == 80 || tcp.port == 443
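
The filters above read naturally but hide a few semantics worth knowing: a bare name such as "http" matches any packet that carries that protocol layer, "ip.addr" and "tcp.port" match either end of the conversation (so "ip.addr == X" also catches replies sent back to X), "&&" binds tighter than "||", and quoted strings, numbers and addresses are compared differently. The following Python script is an added example, not part of Wireshark or this page: it implements a small evaluator for exactly the filter forms listed above and runs them over a handful of constructed packet records (the packet dictionaries, field set and the apply_filter/Parser names are all assumptions made for the example).

```python
"""Tiny evaluator for the display-filter forms listed above.

Added example, not Wireshark code: constructed packet records stand in
for decoded frames, and only bare protocol names, ==, contains, &&, ||
and parentheses are implemented.
"""
import re

# Constructed packets: only the fields the filters above need are modelled.
PACKETS = [
    {"proto": {"ip", "tcp", "http"}, "ip.src": "192.168.1.1", "ip.dst": "10.0.0.2",
     "tcp.srcport": 51000, "tcp.dstport": 80, "http.request.method": "POST",
     "http.host": "www.example.com", "http.request.uri": "/login"},
    {"proto": {"ip", "tcp", "http"}, "ip.src": "10.0.0.2", "ip.dst": "192.168.1.1",
     "tcp.srcport": 80, "tcp.dstport": 51000, "http.response.code": 200},
    {"proto": {"ip", "udp", "dns"}, "ip.src": "10.0.0.1", "ip.dst": "10.0.0.53",
     "udp.srcport": 40000, "udp.dstport": 53, "dns.qry.name": "example.org"},
    {"proto": {"ip", "tcp"}, "ip.src": "10.0.0.1", "ip.dst": "203.0.113.5",
     "tcp.srcport": 52000, "tcp.dstport": 443},
]

# Fields that, as in Wireshark, match either direction of a conversation.
ALIASES = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport")}

TOKEN_RE = re.compile(r'\s*(&&|\|\||==|contains|\(|\)|"[^"]*"|[\w.]+)')


def tokenize(expr):
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"bad filter near {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def field_values(pkt, name):
    """All values a (possibly aliased) field has in this packet."""
    return [pkt[n] for n in ALIASES.get(name, (name,)) if n in pkt]


def make_test(field, op, literal):
    # Quoted literals are strings, bare digits are numbers, anything else
    # (an IP address, for instance) is compared as text.
    if literal.startswith('"'):
        value = literal[1:-1]
    elif literal.isdigit():
        value = int(literal)
    else:
        value = literal
    if op == "==":
        return lambda p: any(v == value for v in field_values(p, field))
    if op == "contains":
        return lambda p: any(str(value) in str(v) for v in field_values(p, field))
    raise ValueError(f"unsupported operator {op!r}")


def _or(l, r):
    return lambda p: l(p) or r(p)


def _and(l, r):
    return lambda p: l(p) and r(p)


class Parser:
    """Recursive descent: || binds loosest, then &&, then a single term."""

    def __init__(self, expr):
        self.toks, self.i = tokenize(expr), 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of filter")
        self.i += 1
        return tok

    def parse(self):
        pred = self.or_expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return pred

    def or_expr(self):
        left = self.and_expr()
        while self.peek() == "||":
            self.take()
            left = _or(left, self.and_expr())
        return left

    def and_expr(self):
        left = self.term()
        while self.peek() == "&&":
            self.take()
            left = _and(left, self.term())
        return left

    def term(self):
        tok = self.take()
        if tok == "(":
            pred = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return pred
        if tok in (")", "&&", "||", "==", "contains"):
            raise ValueError(f"unexpected token {tok!r}")
        if self.peek() in ("==", "contains"):
            op = self.take()
            return make_test(tok, op, self.take())
        # A bare name is a protocol test: true when the packet carries that layer.
        return lambda p, name=tok: name in p["proto"]


def apply_filter(expr, packets=PACKETS):
    """Indices of the packets that match the display filter."""
    pred = Parser(expr).parse()
    return [i for i, p in enumerate(packets) if pred(p)]


if __name__ == "__main__":
    for f in ("ip.addr == 192.168.1.1", "tcp.port == 80 || tcp.port == 443"):
        print(f"{f:40} -> packets {apply_filter(f)}")
```

Running it shows why "ip.addr == 192.168.1.1" returns both the request and the response, while "ip.src == 192.168.1.1" would return only the request; the same holds for "tcp.port" versus "tcp.srcport"/"tcp.dstport". Real Wireshark filters support many more operators and typed comparisons than this toy handles.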

CLI Tool (tshark)

# Capture to file
tshark -i eth0 -w capture.pcap

# Read and filter
tshark -r capture.pcap -Y "http.request"

# Extract specific fields
tshark -r capture.pcap -T fields -e http.host -e http.request.uri
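
The "-T fields" output is meant to be fed to other tools: tshark prints one line per packet with the requested fields separated by tabs, leaves a field empty when the packet does not carry it (without a "-Y" filter that is most lines), and joins repeated occurrences of a field within one packet with commas, the default aggregator. The script below is an added example, not part of tshark or this page: it parses that format from a constructed sample (the SAMPLE_OUTPUT text and the function names are assumptions for the example) and summarises which hosts and URIs were requested, the kind of first pass an analyst makes when triaging a capture.

```python
"""Parse and summarise the output of
    tshark -r capture.pcap -T fields -e http.host -e http.request.uri

Added example, not tshark code.  Format assumed: one line per packet,
fields tab-separated, absent fields empty, repeated fields comma-joined.
"""
from collections import Counter, defaultdict

FIELDS = ["http.host", "http.request.uri"]

# Constructed sample output, not from a real capture.
SAMPLE_OUTPUT = (
    "\t\n"                                  # TCP handshake segment: no HTTP layer
    "www.example.com\t/login\n"
    "\t\n"                                  # HTTP response: request fields absent
    "www.example.com\t/login\n"
    "cdn.example.net\t/assets/app.js\n"
    "\t\n"
    "api.example.com,api.example.com\t/v1/users,/v1/users/42\n"  # two requests in one segment
)


def parse_fields_output(text, field_names):
    """One dict per packet, mapping each field name to its list of values."""
    records = []
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) != len(field_names):
            raise ValueError(f"expected {len(field_names)} columns, got {cols!r}")
        # Split the comma aggregator and drop empty strings for absent fields.
        records.append({name: [v for v in col.split(",") if v]
                        for name, col in zip(field_names, cols)})
    return records


def summarise_requests(records):
    """Requests per host, and the distinct URIs requested from each host."""
    per_host, uris = Counter(), defaultdict(set)
    for rec in records:
        for host in rec["http.host"]:
            per_host[host] += 1
            uris[host].update(rec["http.request.uri"])
    return per_host, uris


if __name__ == "__main__":
    per_host, uris = summarise_requests(parse_fields_output(SAMPLE_OUTPUT, FIELDS))
    for host, n in per_host.most_common():
        print(f"{host:20} {n:3} request(s)  {sorted(uris[host])}")
```

Two points the parser handles that trip up naive "split on whitespace" scripts: a packet without the field still produces a line (with an empty column), and a single TCP segment can carry several HTTP requests, in which case both host and URI appear more than once on that line.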

Security Uses

  • Analyze malware communications
  • Debug application protocols
  • Detect cleartext credentials
  • Examine attack traffic patterns
  • Verify encryption implementation

See Also