Network Security February 5, 2026 22 min read

Wireshark for Security Professionals: Network Traffic Analysis Guide

From capturing packets to detecting malware callbacks—a practical guide to network forensics and security analysis with Wireshark.

Wireshark is the gold standard for network traffic analysis. Whether you're investigating a security incident, analyzing malware behavior, troubleshooting network issues, or capturing credentials during a penetration test, Wireshark gives you visibility into exactly what's happening on the wire.

This guide focuses on security applications—the filters, techniques, and patterns that matter for security professionals.

Capturing Traffic

Interface Selection

Before capturing, select the right interface:

Common Interface Types
# Linux - list interfaces
ip link show
tcpdump -D

# Common interfaces:
eth0       - Wired Ethernet
wlan0      - Wireless
lo         - Loopback (local traffic only)
docker0    - Docker bridge network
br-xxxxx   - Docker/container bridges
veth*      - Virtual Ethernet (containers)
any        - Capture on all interfaces (Linux)

Capture Filters vs Display Filters

Capture filters apply during capture, reducing file size but discarding non-matching packets permanently. Display filters apply after capture, hiding packets from view while preserving them in the file.

When to Use Each

Capture filters: Use when you know exactly what you need and storage is a concern (long-running captures, high-bandwidth networks).
Display filters: Use for analysis. Keep the full capture and filter as needed. You can't filter on what you didn't capture.

Capture Filter Syntax (BPF)
# Capture only specific host
host 192.168.1.100

# Capture traffic on specific port
port 80
port 443

# Capture traffic to/from a subnet
net 192.168.1.0/24

# Combine with and/or/not
host 192.168.1.100 and port 443
tcp and port 80
not arp and not icmp

# Capture only TCP SYN packets (new connections)
tcp[tcpflags] & (tcp-syn) != 0

# Capture HTTP traffic (port 80 or 8080)
tcp port 80 or tcp port 8080

Command-Line Capture with tshark

For headless servers or automated capture, use tshark (Wireshark's CLI):

tshark Capture Examples
# Basic capture to file
tshark -i eth0 -w capture.pcap

# Capture with filter
tshark -i eth0 -f "port 80" -w http_traffic.pcap

# Capture with ring buffer (rotate files, keep last 10)
tshark -i eth0 -b filesize:100000 -b files:10 -w capture.pcap

# Capture for specific duration (seconds)
tshark -i eth0 -a duration:3600 -w hourly_capture.pcap

# Capture with packet count limit
tshark -i eth0 -c 10000 -w sample.pcap

Essential Display Filters

Display filters are where Wireshark shines. Learn these patterns:

Basic Filter Syntax

Display Filter Basics
# Filter by IP address
ip.addr == 192.168.1.100           # Source OR destination
ip.src == 192.168.1.100            # Source only
ip.dst == 192.168.1.100            # Destination only

# Filter by subnet
ip.addr == 192.168.1.0/24

# Filter by protocol
tcp
udp
icmp
dns
http
tls
smb
ssh

# Filter by port
tcp.port == 443                    # Source OR destination
tcp.srcport == 443                 # Source only
tcp.dstport == 443                 # Destination only

# Combine with logic operators
ip.addr == 192.168.1.100 and tcp.port == 443
http or dns
not arp

HTTP Analysis Filters

HTTP Filters
# All HTTP traffic
http

# HTTP requests only
http.request

# HTTP responses only
http.response

# Specific HTTP methods
http.request.method == "GET"
http.request.method == "POST"
http.request.method == "PUT"

# Filter by URI
http.request.uri contains "login"
http.request.uri contains "api"
http.request.uri matches ".*\\.php$"

# Filter by host
http.host == "example.com"
http.host contains "evil"

# Filter by response code
http.response.code == 200
http.response.code == 401
http.response.code == 500
http.response.code >= 400        # All errors

# Filter by content type
http.content_type contains "json"
http.content_type contains "html"

# Forms and data
http.request.method == "POST" and http.content_type contains "form"

TLS/SSL Analysis

TLS Filters
# All TLS traffic
tls

# TLS handshake messages
tls.handshake

# Client Hello (shows SNI - Server Name Indication)
tls.handshake.type == 1

# Server Hello
tls.handshake.type == 2

# Certificate messages
tls.handshake.type == 11

# Filter by SNI (Server Name Indication)
tls.handshake.extensions_server_name contains "google"

# TLS version
tls.record.version == 0x0303      # TLS 1.2
tls.record.version == 0x0304      # TLS 1.3

# Find weak cipher usage
tls.handshake.ciphersuite == 0x0005   # TLS_RSA_WITH_RC4_128_SHA

DNS Analysis

DNS Filters
# All DNS traffic
dns

# DNS queries
dns.flags.response == 0

# DNS responses
dns.flags.response == 1

# Filter by queried name
dns.qry.name contains "evil"
dns.qry.name contains "malware"
dns.qry.name == "c2.attacker.com"

# Query types
dns.qry.type == 1                  # A record
dns.qry.type == 28                 # AAAA record
dns.qry.type == 15                 # MX record
dns.qry.type == 16                 # TXT record (often used for C2)

# NXDOMAIN responses (domain doesn't exist)
dns.flags.rcode == 3

# Long domain names (potential DNS tunneling)
dns.qry.name.len > 50

# Find DNS over non-standard ports
dns and not udp.port == 53

TCP Analysis

TCP Filters
# TCP connection establishment
tcp.flags.syn == 1 and tcp.flags.ack == 0    # SYN only (new connections)

# TCP connection termination
tcp.flags.fin == 1
tcp.flags.reset == 1               # Abrupt termination

# TCP problems
tcp.analysis.retransmission
tcp.analysis.duplicate_ack
tcp.analysis.lost_segment
tcp.analysis.out_of_order
tcp.analysis.zero_window

# Follow a specific TCP stream
tcp.stream eq 5                    # Stream number from right-click menu

# TCP payload contains string
tcp contains "password"
tcp contains "admin"

Security-Focused Analysis

Detecting Port Scans

Port Scan Detection Filters
# SYN scan (half-open) - many SYN packets, few full connections
tcp.flags.syn == 1 and tcp.flags.ack == 0

# Count unique destination ports per source IP
# (Use Statistics > Conversations or Statistics > Endpoints)

# RST responses (closed ports responding to scan)
tcp.flags.reset == 1

# ICMP port unreachable (UDP scan responses)
icmp.type == 3 and icmp.code == 3

# Xmas scan (FIN+PSH+URG)
tcp.flags.fin == 1 and tcp.flags.push == 1 and tcp.flags.urg == 1

# NULL scan (no flags)
tcp.flags == 0

Identifying Malware Callbacks

C2 Detection Patterns
# Beaconing: regular intervals of traffic
# Look for patterns in Statistics > IO Graph

# DNS tunneling indicators
dns.qry.name.len > 50              # Long subdomain names
dns.qry.type == 16                 # TXT records
dns and frame.len > 512            # Large DNS packets

# Unusual ports for common protocols
http and not tcp.port == 80 and not tcp.port == 8080
dns and not udp.port == 53

# Base64-like patterns in HTTP
http.request.uri matches "[A-Za-z0-9+/=]{20,}"

# Suspicious HTTP headers
http.user_agent contains "curl"
http.user_agent contains "python"
http.user_agent contains "wget"
http.user_agent == ""              # Empty User-Agent

# HTTP to IP addresses (no domain name)
http and ip.dst matches "^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+$"

# Connections to known bad ports
tcp.dstport == 4444                # Metasploit default
tcp.dstport == 1337
tcp.dstport == 31337

Credential Hunting

Finding Credentials
# HTTP Basic Auth (base64 encoded)
http.authorization

# HTTP POST login forms
http.request.method == "POST" and (http contains "password" or http contains "passwd" or http contains "login")

# FTP credentials (cleartext)
ftp.request.command == "USER"
ftp.request.command == "PASS"

# Telnet traffic (often cleartext)
telnet

# SMTP authentication
smtp.auth

# POP3 credentials
pop.request.command == "USER"
pop.request.command == "PASS"

# IMAP login
imap.request contains "LOGIN"

# LDAP bind requests
ldap.bindRequest

# SMB/NTLM authentication
ntlmssp.auth

# Kerberos
kerberos

Data Exfiltration Indicators

Exfiltration Detection
# Large outbound transfers
# Check Statistics > Conversations, sort by bytes

# DNS exfiltration (data in queries)
dns.qry.name.len > 50

# ICMP tunneling (data in ping packets)
icmp and frame.len > 100           # ICMP shouldn't be large

# HTTP POST with large body
http.request.method == "POST" and http.content_length > 10000

# File uploads
http.request.uri contains "upload"
http.content_type contains "multipart"

# Cloud storage uploads
http.host contains "dropbox"
http.host contains "drive.google"
http.host contains "onedrive"
tls.handshake.extensions_server_name contains "s3.amazonaws"

Following Streams

One of Wireshark's most powerful features is reconstructing complete conversations:

Right-click on any packet in a conversation
Select Follow > TCP Stream (or HTTP, TLS, UDP)
View the complete conversation in sequence

For HTTP streams, you'll see complete requests and responses. For TLS, you'll see encrypted data unless you have the keys.

Decrypting TLS Traffic

To decrypt TLS in Wireshark, you need either the server's private key (for RSA key exchange) or a SSLKEYLOGFILE from the client (for any key exchange). Modern TLS with ephemeral keys (ECDHE) requires SSLKEYLOGFILE. Set it in your browser or application, then configure in Wireshark: Edit > Preferences > Protocols > TLS > (Pre)-Master-Secret log filename.

Extracting Objects

Wireshark can extract files transferred over HTTP, SMB, TFTP, and other protocols:

Go to File > Export Objects
Select the protocol (HTTP, SMB, TFTP, etc.)
Browse transferred files and save them

This is invaluable for malware analysis—extract the payload that was downloaded, analyze it in a sandbox.

Malware Warning

Extracted files may be malicious. Never open them on a production system. Use isolated VMs, sandboxes, or dedicated analysis machines. Hash files and check against VirusTotal before deeper analysis.

Statistics and Analysis Views

Wireshark's Statistics menu provides powerful aggregate views:

Conversations

Statistics > Conversations shows all communication pairs. Sort by bytes to find large transfers, or by packets to find busy connections.

Endpoints

Statistics > Endpoints lists all hosts. Useful for identifying unknown or suspicious endpoints.

Protocol Hierarchy

Statistics > Protocol Hierarchy breaks down traffic by protocol. Unusual protocols or unexpected proportions can indicate tunneling or malicious activity.

I/O Graph

Statistics > I/O Graph shows traffic over time. Look for:

Regular spikes (beaconing)
Sudden bursts (data exfiltration)
Unusual time patterns

Command-Line Analysis with tshark

tshark excels at scripted analysis and large file processing:

tshark Analysis Commands
# Read pcap and apply filter
tshark -r capture.pcap -Y "http.request"

# Extract specific fields
tshark -r capture.pcap -Y "http.request" -T fields -e ip.src -e http.host -e http.request.uri

# Count packets by filter
tshark -r capture.pcap -Y "dns" | wc -l

# Extract all DNS queries
tshark -r capture.pcap -Y "dns.flags.response == 0" -T fields -e dns.qry.name | sort | uniq -c | sort -rn

# List all unique destination IPs
tshark -r capture.pcap -T fields -e ip.dst | sort | uniq

# Extract HTTP objects
tshark -r capture.pcap --export-objects http,./extracted_files/

# Statistics: Protocol hierarchy
tshark -r capture.pcap -q -z io,phs

# Statistics: Conversations
tshark -r capture.pcap -q -z conv,tcp

# Follow TCP stream and extract data
tshark -r capture.pcap -q -z follow,tcp,ascii,0

Common Attack Patterns

ARP Spoofing / MITM

Detecting ARP Spoofing
# Duplicate IP with different MAC
arp.duplicate-address-detected

# ARP replies without request (gratuitous ARP)
arp.opcode == 2

# Look for MAC address changes for same IP
# Check ARP cache inconsistencies

# Enable ARP detection in:
# Analyze > Expert Information

SQL Injection Attempts

SQLi Detection
# Common SQLi patterns in HTTP
http contains "' OR "
http contains "1=1"
http contains "UNION SELECT"
http contains "DROP TABLE"
http.request.uri contains "%27"            # URL-encoded single quote
http.request.uri contains "SELECT"
http.request.uri contains "INFORMATION_SCHEMA"

Directory Traversal

Path Traversal Detection
# Path traversal attempts
http.request.uri contains ".."
http.request.uri contains "%2e%2e"         # URL-encoded ..
http.request.uri contains "/etc/passwd"
http.request.uri contains "C:\\"

Quick Reference: Filter Cheat Sheet

Purpose	Filter
Traffic to/from IP	`ip.addr == 192.168.1.100`
Traffic to/from subnet	`ip.addr == 10.0.0.0/8`
Exclude IP	`!(ip.addr == 192.168.1.1)`
HTTP requests	`http.request`
DNS queries	`dns.flags.response == 0`
TLS handshakes	`tls.handshake`
TCP SYN (new connections)	`tcp.flags.syn == 1 and tcp.flags.ack == 0`
TCP problems	`tcp.analysis.flags`
Contains string	`frame contains "password"`
Regex match	`http.host matches ".*\\.ru$"`

Conclusion

Wireshark is an essential tool for security professionals. The ability to see exactly what's happening on the network—reconstructing attacks, finding credentials, detecting exfiltration—provides evidence and insight that logs alone cannot.

Key takeaways:

Capture more than you think you need; filter during analysis
Learn display filter syntax—it's your primary analysis tool
Use Statistics views for aggregate analysis
Extract objects to analyze transferred files
Know common attack patterns and how to filter for them

For incident response and network forensics services, contact Brickell Technologies.

Tools & Resources

Wireshark - Download and official documentation
Display Filter Reference - Complete filter syntax
tcpdump - Command-line packet capture
Nmap - Generate traffic for analysis
NetworkMiner - Forensic analysis tool

Wireshark Network Security Packet Analysis Incident Response Forensics