Mastering Wireshark: Network Analysis, VoIP Troubleshooting, and Cybersecurity Monitoring

Wireshark: A Complete Guide


1. What is Wireshark?

Wireshark is a **network protocol analyzer** used for capturing and analyzing network traffic. It is widely used for:

  • Network troubleshooting
  • Security auditing
  • Forensics analysis
  • Performance monitoring

2. How to Install Wireshark

Download Wireshark from https://www.wireshark.org and follow the installation guide for your OS.

3. Understanding the Interface

After launching Wireshark, you will see:

  • Capture Interfaces: List of available network connections
  • Packet List: Overview of captured packets
  • Packet Details: Deep protocol breakdown
  • Packet Bytes: Raw hexadecimal data

4. Capturing Network Traffic

To start capturing packets:

  1. Select a network interface (e.g., **Wi-Fi**, **Ethernet**).
  2. Click the **Shark Fin** icon or use Ctrl + E.
  3. Wireshark will now capture all network packets.

5. Applying Capture Filters

To **limit** which packets are captured, use capture filters:

host 192.168.1.1 - Capture packets from/to this IP
port 443 - Capture HTTPS traffic
tcp - Capture only TCP packets

6. Display Filters (Important for Analysis)

Display filters narrow which of the already-captured packets are shown (the capture itself is unchanged), so you can focus on specific traffic types:

http - Show only HTTP traffic
ip.addr == 192.168.1.100 - Packets from/to this IP
dns - Show DNS query and response packets

7. Analyzing HTTP, DNS, and TCP Traffic

Inspecting HTTP Requests

To analyze **website traffic**, filter using:

http.request.method == "GET" - Show only GET requests
http contains "password" - Find requests with "password"

Analyzing DNS Queries

To detect malicious or unusual domain lookups:

dns.qry.name contains "malware.com"

Tracking TCP Connections

Follow **full TCP conversations**:

Follow TCP Stream - Right-click packet -> Follow Stream

8. Advanced Packet Analysis

Detecting Network Attacks

Monitor suspicious activities:

tcp.flags.syn == 1 and tcp.flags.ack == 0 - SYN-only packets, the starting point for port-scan detection
tcp.analysis.retransmission - Network retransmissions
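The SYN-only filter above is a heuristic, not proof of a scan. The following Python script, added here and not part of the original tutorial, applies the same flag test to a few constructed IPv4/TCP packets and then counts distinct destination ports per source, which is what turns single SYNs into a scan verdict; the packets and the threshold are illustrative assumptions.

```python
import struct
from collections import defaultdict

SYN, ACK = 0x02, 0x10  # TCP flag bits


def build_packet(src, dst, sport, dport, flags):
    """Constructed sample: a bare IPv4+TCP packet (no Ethernet header, zero checksums)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp


def bare_syn_info(pkt):
    """Same test as the display filter tcp.flags.syn == 1 and tcp.flags.ack == 0.

    Returns (src_ip, dst_port, is_bare_syn) for TCP packets, None for anything else.
    """
    if pkt[9] != 6:  # IPv4 protocol field: 6 is TCP
        return None
    ihl = (pkt[0] & 0x0F) * 4
    src = ".".join(str(b) for b in pkt[12:16])
    dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    flags = pkt[ihl + 13]
    return src, dport, bool(flags & SYN) and not (flags & ACK)


def find_scanners(packets, min_ports=10):
    """Sources that sent bare SYNs to at least min_ports distinct destination ports.

    A normal client opens a handful of ports; a vertical port scan touches many.
    """
    ports_per_src = defaultdict(set)
    for pkt in packets:
        info = bare_syn_info(pkt)
        if info and info[2]:
            ports_per_src[info[0]].add(info[1])
    return {src: len(p) for src, p in ports_per_src.items() if len(p) >= min_ports}


# Constructed traffic: one host probing 20 ports, one host completing a normal handshake.
SAMPLE = [build_packet("10.0.0.5", "10.0.0.80", 40000 + p, p, SYN) for p in range(1, 21)]
SAMPLE += [build_packet("10.0.0.7", "10.0.0.80", 51000, 443, SYN),
           build_packet("10.0.0.80", "10.0.0.7", 443, 51000, SYN | ACK),
           build_packet("10.0.0.7", "10.0.0.80", 51000, 443, ACK)]
```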

Extracting Files from Captures

Recover transmitted files from HTTP, SMB, FTP:

File -> Export Objects -> HTTP

9. Wireshark for Security Professionals

Decrypting SSL/TLS Traffic

To analyze HTTPS traffic, set up **session key logging**:

Chrome: SSLKEYLOGFILE=C:\path\to\log.txt
Import keys in: Wireshark -> Preferences -> TLS

Monitoring for Malware and Phishing

Find malicious activity using DNS, HTTP, and TLS filters.

dns.qry.name contains "malicious.com" - Identify malware traffic
tls.handshake.type == 1 - Show TLS ClientHello messages (one per handshake attempt) when reviewing suspicious connections

10. Automating Packet Analysis with TShark

Use **TShark** (Wireshark’s command-line tool) for automation.

tshark -i eth0 -w capture.pcap - Capture packets
tshark -r capture.pcap -Y "http" - Analyze HTTP traffic

11. Case Study: Investigating a Cyber Attack

A company's server was breached. Use Wireshark to analyze:

http.request.uri contains "login" - Check login attempts
ip.src != 192.168.1.0/24 - Exclude internal IPs
tcp contains "error" - Find failed login attempts

12. Wireshark Best Practices

  • **Use capture filters** to limit the size of the capture file.
  • **Mark important packets** using Ctrl + M.
  • **Export relevant packets** before sharing PCAP files.

Wireshark Tutorial: Wireless, VoIP, and Performance Analysis

1. Capturing Wireless Traffic in Wireshark

Wireshark can capture and analyze wireless (Wi-Fi) packets, but some steps are required to do it properly.

Requirements:

  • A Wi-Fi adapter that supports **monitor mode**.
  • Linux or macOS (Windows has limited support for wireless packet capture).
  • Enable **monitor mode** before capturing.

Steps to Capture Wi-Fi Traffic:

  1. Open Wireshark and select your **Wi-Fi adapter**.
  2. Enable **monitor mode** using:
    Linux: sudo airmon-ng start wlan0
    macOS: sudo airport en0 sniff
  3. Start capturing packets in **Wireshark**.
  4. Filter only **wireless packets**:
    wlan - Show only Wi-Fi packets
    wlan.ssid == "YourNetwork" - Packets from a specific SSID
    wlan.fc.type_subtype == 0x08 - Beacon frames only

2. Analyzing Wi-Fi Security and Hacking Attempts

Wireless networks can be **hacked using deauthentication attacks**. Wireshark helps detect such attempts.

Detecting Deauthentication Attacks:

wlan.fc.type_subtype == 0x0c - Deauthentication frames

Finding Rogue Access Points:

Hackers set up fake access points to steal credentials. To detect them:

wlan.ssid contains "Free Wi-Fi" - Detect fake SSIDs
wlan.ta == aa:bb:cc:dd:ee:ff - Track a specific MAC address

3. VoIP Traffic Analysis (SIP, RTP, and Call Quality)

Wireshark is widely used to **troubleshoot VoIP calls**.

Capturing VoIP Traffic:

Most VoIP calls use the **SIP (Session Initiation Protocol)** for signaling and **RTP (Real-time Transport Protocol)** for voice data.

sip - Show SIP call setup messages
rtp - Show RTP voice data
sip.Status-Code == 404 - Find failed calls

Analyzing Call Quality:

To check if voice calls are experiencing packet loss or jitter:

rtp.analysis - Analyze RTP stream statistics
Statistics -> RTP -> Stream Analysis
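Added example (not from the original tutorial) of what RTP Stream Analysis computes: loss from sequence-number gaps and interarrival jitter as defined in RFC 3550 section 6.4.1, applied to a constructed 8 kHz G.711 stream.

```python
CLOCK_RATE = 8000  # RTP timestamp ticks per second for G.711 (PCMU/PCMA) audio


def rtp_stream_stats(packets, clock_rate=CLOCK_RATE):
    """Loss and jitter for one RTP stream.

    packets: list of (sequence_number, rtp_timestamp, arrival_ms) in arrival order.
    Sequence-number wraparound is ignored; the constructed sample is short.
    """
    seqs = [seq for seq, _, _ in packets]
    expected = max(seqs) - min(seqs) + 1
    lost = expected - len(set(seqs))
    jitter = 0.0       # running estimate, in timestamp ticks
    max_jitter = 0.0
    prev = None
    for seq, ts, arrival_ms in packets:
        if prev is not None:
            # RFC 3550 6.4.1: D(i,j) = (Rj - Ri) - (Sj - Si), all in timestamp units
            arrival_ticks = (arrival_ms - prev[2]) * clock_rate / 1000
            d = arrival_ticks - (ts - prev[1])
            # J(i) = J(i-1) + (|D(i-1,i)| - J(i-1)) / 16
            jitter += (abs(d) - jitter) / 16
            max_jitter = max(max_jitter, jitter)
        prev = (seq, ts, arrival_ms)
    to_ms = 1000 / clock_rate
    return {
        "expected": expected,
        "lost": lost,
        "loss_pct": 100.0 * lost / expected,
        "jitter_ms": jitter * to_ms,
        "max_jitter_ms": max_jitter * to_ms,
    }


def constructed_stream(late_seq=None, drop_seq=None, n=10):
    """Constructed 20 ms packets (160 ticks each); late_seq arrives 10 ms late, drop_seq is missing."""
    pkts = []
    for i in range(n):
        seq = 1000 + i
        if seq == drop_seq:
            continue
        arrival = 20 * i + (10 if seq == late_seq else 0)
        pkts.append((seq, 160 * i, arrival))
    return pkts
```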

Extracting Audio from VoIP Calls:

  1. Go to Telephony -> VoIP Calls.
  2. Select a call and click **Play Streams**.
  3. Save the call as an **audio file**.

4. Network Performance Troubleshooting

Wireshark helps diagnose **slow network issues** and **packet loss**.

Detecting Packet Loss:

tcp.analysis.lost_segment - Show lost packets

Finding High Latency:

Check for delayed packets using:

tcp.analysis.ack_rtt - Measure TCP response time

Spotting Bandwidth Hogs:

Statistics -> Conversations - Identify heavy traffic users

5. Debugging Application Performance Issues

Developers use Wireshark to debug **slow-loading websites, API failures, and database timeouts**.

Identifying Slow Websites:

http.time > 2 - Find HTTP requests taking longer than 2 seconds

Debugging API Failures:

Find requests that returned errors:

http.response.code >= 400 - Show all failed API calls

6. Automating Network Analysis with Wireshark Tools

Using TShark for Command-line Packet Capture

tshark -i wlan0 -w capture.pcap - Capture packets from Wi-Fi
tshark -r capture.pcap -Y "sip" - Extract SIP packets

Generating Reports with Wireshark Statistics

Statistics -> IO Graphs - Visualize network usage
Statistics -> Protocol Hierarchy - View traffic breakdown

Wireshark Tutorial: Malware Analysis, DNS Inspection, and TLS Decryption

1. Analyzing Suspicious Network Traffic

Wireshark can be used to detect and investigate **malware-infected systems** by analyzing network traffic.

Identifying Suspicious IPs:

ip.addr == 185.234.217.0/24 - Check if traffic is going to a suspicious IP range.
ip.geoip.country == "Russia" - Show traffic to specific countries.

Finding Unusual Ports:

Malware often communicates over **non-standard ports**. Use these filters:

tcp.port != 80 && tcp.port != 443 - Find non-web traffic.
tcp.port == 4444 - Detect Meterpreter backdoors.
tcp.port == 1337 - Some malware C2 servers use custom ports.

2. DNS Traffic Inspection for Threat Hunting

Attackers often use **DNS tunneling or C2 (Command & Control) servers** for communication.

Finding Large DNS Requests:

Some malware hides data in DNS queries. Find large requests with:

dns.length > 100 - Show long DNS queries.
dns.qry.name contains ".xyz" - Find requests to suspicious domains.

Detecting Fast Flux Domains:

Some malware rapidly changes IP addresses. Detect them with:

dns.flags.response == 1 && dns.count.answers > 5
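The filters above each test one feature of a query. As an added example that is not part of the original page, here is the same logic (long names, a watched TLD, many answers in one response) plus a label-entropy check, run directly on constructed DNS message bytes so it can be applied outside the Wireshark GUI; the thresholds are illustrative assumptions.

```python
import math
import struct
from collections import Counter


def build_dns(name, answers=0, response=False, txid=0x1234):
    """Constructed DNS message with one A question and `answers` dummy A records."""
    flags = 0x8180 if response else 0x0100
    header = struct.pack("!HHHHHH", txid, flags, 1, answers, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    msg = header + qname + struct.pack("!HH", 1, 1)
    for i in range(answers):  # pointer to the question name, type A, class IN, TTL 60
        msg += struct.pack("!HHHIH4B", 0xC00C, 1, 1, 60, 4, 10, 0, 0, i + 1)
    return msg


def parse_dns(msg):
    """Return the question name and answer count (enough for these heuristics)."""
    _txid, flags, _qd, an = struct.unpack("!HHHH", msg[:8])
    pos, labels = 12, []
    while msg[pos]:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += n + 1
    return {"response": bool(flags & 0x8000), "qname": ".".join(labels), "answers": an}


def entropy(s):
    """Shannon entropy in bits per character; encoded tunnel labels score high."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def dns_findings(msg, max_len=100, watch_tlds=(".xyz",), max_answers=5):
    """Findings mirroring the page's filters, plus an entropy check on the longest label."""
    d = parse_dns(msg)
    name = d["qname"]
    longest = max(name.split("."), key=len)
    findings = []
    if len(name) > max_len:
        findings.append("long_qname")
    if any(name.endswith(t) for t in watch_tlds):
        findings.append("watched_tld")
    if len(longest) >= 20 and entropy(longest) > 3.5:
        findings.append("high_entropy_label")
    if d["response"] and d["answers"] > max_answers:
        findings.append("many_answers")
    return name, findings
```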

3. Extracting Files from Network Traffic

Wireshark can **reconstruct transferred files** from captured packets.

Reconstructing HTTP Downloads:

http.request.uri contains ".exe" - Find malware downloads.
File -> Export Objects -> HTTP - Save the file.

Reconstructing FTP Transfers:

Check for files being transferred via FTP:

ftp-data - Show all FTP file transfers.

4. Decrypting TLS Traffic

Many cyberattacks use **encrypted channels**. Wireshark can decrypt **TLS/SSL traffic**.

Decrypting HTTPS with a Key Log File:

For browsers like **Firefox and Chrome**, enable logging:

export SSLKEYLOGFILE=~/tlskeys.log

Then, in Wireshark:

  1. Go to Edit -> Preferences -> SSL.
  2. Set the **(Pre)-Master-Secret log filename**.
  3. Now filter **decrypted traffic** using:
    tls.handshake - Show TLS handshakes.
    tls.record.content_type == 23 - Show encrypted application data.
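Added example, not code from the original page: what the key log file actually contains and how Wireshark ties a logged secret to a session. The script parses NSS key log lines, extracts the Random from a ClientHello record (the packets matched by tls.handshake.type == 1) and looks up the matching secret; the key log content and the ClientHello are constructed placeholders.

```python
import re

# Constructed sample in the NSS key log format that SSLKEYLOGFILE produces
# (placeholder values, not real secrets: 32-byte Random, 48-byte master secret).
SAMPLE_KEYLOG = "\n".join([
    "# comment and blank lines are ignored",
    "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 48,
    "CLIENT_TRAFFIC_SECRET_0 " + "ef" * 32 + " " + "12" * 32,
    "CLIENT_RANDOM " + "ab" * 31 + " " + "cd" * 48,  # truncated Random: rejected
])
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]+) ([0-9a-fA-F]+)$")


def parse_keylog(text):
    """Index secrets by (label, client_random); also return rejected line numbers."""
    index, rejected = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m or len(m.group(2)) != 64 or len(m.group(3)) % 2:
            rejected.append(lineno)
            continue
        label, secret = m.group(1), bytes.fromhex(m.group(3))
        if label == "CLIENT_RANDOM" and len(secret) != 48:  # TLS 1.2 master secret
            rejected.append(lineno)
            continue
        index[(label, bytes.fromhex(m.group(2)))] = secret
    return index, rejected


def build_client_hello(client_random):
    """Constructed minimal TLS record carrying a ClientHello (tls.handshake.type == 1)."""
    body = (b"\x03\x03" + client_random + b"\x00"          # version, Random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00" + b"\x00\x00")  # one suite, null compression, no extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def client_random_from_record(record):
    """Random field of a ClientHello record (bytes 11..42); None for any other record."""
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        return None
    return record[11:43]


def find_secret(index, record):
    """What Wireshark does per session: match the hello's Random against the key log."""
    rnd = client_random_from_record(record)
    if rnd is None:
        return None
    for label in ("CLIENT_RANDOM", "CLIENT_TRAFFIC_SECRET_0"):
        if (label, rnd) in index:
            return label, index[(label, rnd)]
    return None
```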

Decrypting TLS Traffic with a Private Key:

If you have a **server's private key**, you can decrypt its TLS traffic.

Edit -> Preferences -> SSL -> (Pre)-Master Secret Log File

5. Detecting Brute-Force Attacks and Exploits

Wireshark can identify **brute-force attempts and exploit payloads**.

Finding SSH Brute-Force Attacks:

Check for multiple failed logins:

ssh && tcp.analysis.retransmission - Show repeated login attempts.

Detecting SQL Injection Attempts:

Some web exploits are visible in HTTP requests:

http.request.uri contains "union select"

6. Using Wireshark for Incident Response

After a security incident, Wireshark helps analyze the attack.

Finding Initial Exploit:

Filter packets from the **time of compromise**:

frame.time >= "2025-02-01 10:00:00"

Tracing Attacker Communication:

Check for remote control traffic:

tcp.stream eq 5 - Follow a suspicious conversation.

7. Automating Threat Detection in Wireshark

Use **command-line Wireshark (TShark)** for automation.

Running Wireshark Filters in Terminal:

tshark -r traffic.pcap -Y "ip.geoip.country == 'China'"

Detecting Malware with Custom Scripts:

Extract malware traffic patterns:

tshark -r capture.pcap -Y "dns.qry.name contains 'malicious.com'"
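For the TShark commands here and in the earlier TShark sections, an added Python wrapper (not from the original tutorial) that builds the tshark -T fields command, parses its tab-separated output and summarises DNS queries per source; the sample output is constructed, and analyze_pcap assumes tshark is installed and on PATH.

```python
import subprocess
from collections import Counter

FIELDS = ["frame.time_epoch", "ip.src", "dns.qry.name"]


def tshark_fields_cmd(pcap, display_filter, fields=FIELDS):
    """Command line for tshark's -T fields mode: one tab-separated line per matching packet."""
    cmd = ["tshark", "-r", pcap, "-Y", display_filter, "-T", "fields"]
    for field in fields:
        cmd += ["-e", field]
    return cmd + ["-E", "separator=/t", "-E", "occurrence=f"]


def parse_fields_output(text, fields=FIELDS):
    """Turn -T fields output into dicts; a field absent from a packet is an empty column."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = line.split("\t")
        rows.append({f: (c or None) for f, c in zip(fields, cols)})
    return rows


def dns_query_report(rows, watchlist, max_len=50):
    """Per-source query counts plus queries on a watchlist or with unusually long names."""
    per_source = Counter(r["ip.src"] for r in rows if r["ip.src"])
    flagged = []
    for r in rows:
        name = r["dns.qry.name"]
        if not name:
            continue
        if any(name == w or name.endswith("." + w) for w in watchlist) or len(name) > max_len:
            flagged.append((r["ip.src"], name))
    return {"queries_per_source": dict(per_source), "flagged": flagged}


def analyze_pcap(pcap, watchlist):
    """Run tshark over a capture (DNS queries only) and summarise them."""
    proc = subprocess.run(tshark_fields_cmd(pcap, "dns.flags.response == 0"),
                          capture_output=True, text=True, check=True)
    return dns_query_report(parse_fields_output(proc.stdout), watchlist)


# Constructed sample of what tshark prints for the command above (not a real capture).
SAMPLE_OUTPUT = "\n".join([
    "1738404000.101\t10.0.0.5\twww.example.com",
    "1738404000.250\t10.0.0.5\tupdates.malicious.com",
    "1738404001.300\t10.0.0.9\t" + "x" * 60 + ".tunnel.example.net",
    "1738404001.900\t10.0.0.9\t",  # packet where the field was empty
])
```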

8. Conclusion

Wireshark is a **powerful forensic tool** for analyzing **malware, suspicious DNS traffic, and encrypted TLS sessions**.

Next Steps: Capture network data, detect malicious activity, and decrypt TLS traffic using Wireshark.
