Traffic sniffing with Wireshark
Sniffing is the capture of packets traversing a network. It is an essential technique for both security analysts and attackers. Security professionals use sniffing in authorized environments to troubleshoot issues and detect threats.
What is Wireshark
Wireshark is an open source network protocol analyzer. It captures packets in real time and decodes hundreds of protocols, displaying every header field.
To install:
# Linux (Debian/Ubuntu)
sudo apt install wireshark
# macOS
brew install --cask wireshark
On Debian/Ubuntu the package asks whether non-superusers should be allowed to capture packets. Answer yes, add your account to the wireshark group (usermod -aG wireshark) and log in again; you can then capture without running the GUI as root. Wireshark itself never needs root: only dumpcap, the small capture helper it spawns, holds the privilege.
Capture on a specific interface
# Via CLI with tshark (Wireshark's command-line version)
tshark -i eth0 -w capture.pcap
# Stop after 100 packets
tshark -i eth0 -c 100 -w capture.pcap
tshark -D lists the interfaces you may capture on, and it needs the same privileges as the GUI (root or the wireshark group). Note that -w writes pcapng by default whatever the file extension says; add -F pcap if another tool needs the classic format.
In the GUI: select the network interface → click the Start button (the blue shark fin) on the toolbar. Pick the interface that actually carries the traffic you care about: on a switched network a normal port only sees its own unicast traffic plus broadcasts, so capturing "everything on the LAN" needs a SPAN/mirror port, a tap, or monitor mode on Wi-Fi.
Essential display filters
# Filter by protocol
http
dns
tcp
udp
# Filter by IP
ip.addr == 192.168.1.50
ip.src == 192.168.1.10
ip.dst == 192.168.1.1
# Filter by port
tcp.port == 80
tcp.port == 443
# Combine filters
http and ip.src == 192.168.1.50
# See only HTTP POST requests whose bytes include "password"
http.request.method == "POST" and http contains "password"
# contains is a case-sensitive substring match; the matches operator takes a regular expression instead
Analyzing an HTTP request
On unencrypted traffic, Wireshark shows the full content:
Packet 142 — HTTP POST /login
Host: example.com
Content-Type: application/x-www-form-urlencoded
Body: username=john&password=secret123
This is why HTTPS is mandatory: anyone who can see the traffic (the same open Wi-Fi, a mirrored switch port, an ARP-spoofing host on the LAN) reads the password exactly as Wireshark does here. HTTPS protects the headers and body; the destination IP and, usually, the server name in the TLS handshake remain visible, so sniffing still tells an observer which sites were visited.
Reconstruct a TCP session
In Wireshark: right-click a TCP packet → “Follow → TCP Stream”. This rebuilds the full conversation between client and server in order, with each direction coloured differently, and is the quickest way to read an HTTP exchange, an FTP login or a Telnet session the way the application saw it. The session cookie in the example below is all an attacker on the same network needs to act as the logged-in user, which is a second reason the page behind it must only be served over HTTPS (with the cookie marked Secure).
Client → Server:
GET /admin HTTP/1.1
Cookie: session=eyJhbGciOiJIUzI1NiJ9...
Server → Client:
HTTP/1.1 200 OK
<html>Admin panel...</html>
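To make concrete what the POST filter above matches and what “Follow TCP Stream” does, here is an added Python example (not code from the original page or from the Wireshark project): a minimal reader for classic pcap files that reassembles each TCP direction by sequence number and reports POST bodies carrying fields such as password. The capture it runs on is constructed inline (the /login request from the previous section, sent from 192.168.1.50 to 203.0.113.10 and deliberately written to the file out of order); the SECRET_FIELDS list, the zeroed checksums and the single-request-per-stream simplification are assumptions of the example, not Wireshark behaviour.

```python
import struct
from collections import defaultdict
from urllib.parse import parse_qs

# Form-field names treated as secrets. An assumption for this example; extend as needed.
SECRET_FIELDS = ("password", "passwd", "pwd", "pass", "token", "secret")


def parse_pcap(data):
    """Yield the link-layer frames of a classic pcap file (pcapng is not handled here)."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(end + "IHHiIII", data[:24])[6]
    if linktype != 1:  # DLT_EN10MB: Ethernet
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def tcp_segment(frame):
    """Return (flow, seq, payload) for an IPv4/TCP frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # EtherType 0x0800 = IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4
    ip = frame[14:14 + ihl]
    if ip[9] != 6:  # IP protocol field: 6 = TCP
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = frame[14 + ihl:14 + total_len]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    data_off = (tcp[12] >> 4) * 4
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    return (src, sport, dst, dport), seq, tcp[data_off:]


def reassemble_streams(pcap_bytes):
    """Rebuild each one-directional TCP byte stream by sequence number, like Follow TCP Stream
    (simplified: retransmissions and overlapping segments are not handled)."""
    segments = defaultdict(list)
    for frame in parse_pcap(pcap_bytes):
        parsed = tcp_segment(frame)
        if parsed and parsed[2]:
            flow, seq, payload = parsed
            segments[flow].append((seq, payload))
    return {flow: b"".join(p for _, p in sorted(segs)) for flow, segs in segments.items()}


def find_cleartext_credentials(pcap_bytes):
    """Programmatic form of: http.request.method == "POST" and http contains "password".
    Only the first request of each stream is inspected (simplification)."""
    hits = []
    for flow, stream in reassemble_streams(pcap_bytes).items():
        if not stream.startswith(b"POST "):
            continue
        head, _, body = stream.partition(b"\r\n\r\n")
        lines = head.decode("latin-1").split("\r\n")
        path = lines[0].split(" ")[1]
        headers = dict(line.split(": ", 1) for line in lines[1:] if ": " in line)
        leaked = {k: v[0] for k, v in parse_qs(body.decode("latin-1")).items()
                  if k.lower() in SECRET_FIELDS}
        if leaked:
            hits.append({"flow": flow, "host": headers.get("Host"), "path": path, "leaked": leaked})
    return hits


def build_sample_pcap():
    """Constructed sample capture: one login POST from 192.168.1.50 to 203.0.113.10 split across
    two TCP segments, written to the file in the wrong order. Checksums are left at zero."""
    def frame(src, dst, sport, dport, seq, payload):
        tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x50, 0x18, 65535, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                         bytes(src), bytes(dst)) + tcp
        eth = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + b"\x08\x00" + ip
        return struct.pack("<IIII", 0, 0, len(eth), len(eth)) + eth

    body = b"username=john&password=secret123"
    head = (b"POST /login HTTP/1.1\r\nHost: example.com\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: %d\r\n\r\n" % len(body))
    client, server = (192, 168, 1, 50), (203, 0, 113, 10)
    global_header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return (global_header
            + frame(client, server, 51000, 80, 1000 + len(head), body)  # second segment, stored first
            + frame(client, server, 51000, 80, 1000, head))             # first segment, stored second


if __name__ == "__main__":
    for hit in find_cleartext_credentials(build_sample_pcap()):
        print(hit)
```

To run it on a real capture, pass open("capture.pcap", "rb").read() to find_cleartext_credentials. Wireshark and tshark save pcapng by default, so convert first with tshark -r capture.pcapng -w capture.pcap -F pcap, or capture with -F pcap from the start.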
Capture filters (before capturing)
Unlike display filters, which only hide rows of a capture that already contains everything, capture filters are applied by libpcap (BPF syntax, the same as tcpdump) before a packet reaches Wireshark, so what they exclude is never written to disk. They cannot be changed while a capture is running and whatever they drop is gone for good, so use them for long-running captures where volume matters and stay with display filters while you are still exploring. In the GUI they are typed into the field above the interface list; in tshark they are passed with -f (a common one is "not port 22", to keep your own SSH session out of the capture).
# Capture only DNS
port 53
# Capture only traffic from one host
host 192.168.1.50
# Capture HTTP and HTTPS
port 80 or port 443
Defensive use: what to look for
- Unencrypted traffic with credentials (HTTP, FTP, Telnet, and POP3/IMAP/SMTP sessions that never upgrade to STARTTLS)
- Suspicious DNS queries: randomly generated domain names (DGA) and queries that fail with NXDOMAIN in bursts
- Outbound connections to unfamiliar external IPs, especially on non-standard ports or at fixed intervals (beaconing)
- Bursts of DNS queries with very long or high-entropy subdomains, or unusual record types such as TXT and NULL, which is how DNS tunnelling and exfiltration look on the wire
- Anomalous ARP packets: replies nobody requested, or one IP answered by two different MAC addresses (Wireshark's Expert Info flags a duplicate IP address), both signs of ARP spoofing
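The DNS items in the list above are easiest to check programmatically once query names have been pulled out of a capture. The following Python is an added example, not code from the original page or from the Wireshark project: it scores query names for DGA-like labels (long, high-entropy, few vowels), oversized labels or names, and domains receiving many distinct subdomains in one capture, the shape a DNS tunnel leaves behind. The thresholds, the "last two labels" notion of a registered domain and the sample query list are all assumptions of the example; calibrate the thresholds against your own baseline traffic before alerting on them.

```python
import math
from collections import Counter, defaultdict

# Thresholds are assumptions for this illustration, not Wireshark settings.
DGA_MIN_LEN = 12            # leftmost label at least this long ...
DGA_MIN_ENTROPY = 3.5       # ... with at least this many bits per character ...
DGA_MAX_VOWEL_RATIO = 0.25  # ... and few vowels, as random strings tend to have
EXFIL_LABEL_LEN = 30        # a single label this long rarely comes from a human
EXFIL_NAME_LEN = 100        # total name length typical of encoded data chunks
EXFIL_MIN_UNIQUE = 20       # distinct names under one domain within the capture


def shannon_entropy(text):
    """Bits per character; equals log2(len(text)) when no character repeats."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0


def classify_query(name):
    """Reasons a single query name looks suspicious; an empty list means nothing stood out."""
    labels = name.rstrip(".").lower().split(".")
    host = labels[0]
    reasons = []
    vowel_ratio = sum(host.count(v) for v in "aeiou") / max(len(host), 1)
    if (len(host) >= DGA_MIN_LEN and shannon_entropy(host) >= DGA_MIN_ENTROPY
            and vowel_ratio <= DGA_MAX_VOWEL_RATIO):
        reasons.append("dga-like label")
    if any(len(label) >= EXFIL_LABEL_LEN for label in labels) or len(name) >= EXFIL_NAME_LEN:
        reasons.append("oversized label/name")
    return reasons


def registered_domain(name):
    """Last two labels. A real deployment would consult the public suffix list (assumption)."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])


def analyze_queries(names):
    """Map each suspicious registered domain to the sorted list of reasons seen for it."""
    findings = defaultdict(set)
    unique_names = defaultdict(set)
    for name in names:
        domain = registered_domain(name)
        unique_names[domain].add(name.lower())
        for reason in classify_query(name):
            findings[domain].add(reason)
    for domain, seen in unique_names.items():
        if len(seen) >= EXFIL_MIN_UNIQUE:
            findings[domain].add("many unique subdomains")
    return {domain: sorted(reasons) for domain, reasons in findings.items()}


# Constructed sample, as if exported with: tshark -r capture.pcap -Y "dns.flags.response == 0"
# -T fields -e dns.qry.name. Benign names repeated a few times, three DGA-looking domains, and
# 24 hex-looking chunks carried as subdomains of one domain.
SAMPLE_QUERIES = (
    ["www.example.com", "mail.example.com", "cdn-images.example.org", "api.github.com"] * 5
    + ["xk3j9qz2mwp8vb4t.com", "h7ytqw3zlkp0vmnx.net", "qz8rtwlmnbvcxj2k.org"]
    + [f"{i:02x}{'1f6a9c' * 7}.t.example.net" for i in range(24)]
)


if __name__ == "__main__":
    for domain, reasons in analyze_queries(SAMPLE_QUERIES).items():
        print(f"{domain}: {', '.join(reasons)}")
```

Entropy alone is a poor signal (cdn-images already scores 3.3 bits per character), which is why the DGA rule also requires length and a low vowel ratio; the per-domain unique-name count is the rule that catches a tunnel whose individual queries look tame.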
Remember: capturing traffic on networks you are not authorized to monitor is illegal in most jurisdictions, and reading other people's credentials out of a capture is an offence even where the capture itself was permitted. Always obtain written permission that names the network and the scope before any analysis, and store captures containing credentials or session cookies as the sensitive data they are.