Wireshark

Wireshark Foundation

Industry-standard graphical packet analyser with deep protocol dissection.

Tags: Network Recon & Monitoring | Free & Open Source | GUI | Practiced in lab | Cross-platform


Description

Wireshark is the reference tool for packet capture and protocol analysis. A CySA+ analyst uses it daily to investigate suspicious flows, decode application protocols, extract files from streams, and build IOCs from captured C2 traffic.

Why it matters:

  • Over 3,000 protocol dissectors — HTTP, TLS, SMB, DNS, Kerberos, RDP, MQTT, industrial protocols (Modbus, S7).
  • Display filters are precise and chainable: tcp.port == 443 && tls.handshake.type == 1.
  • Follow Stream reconstructs an entire TCP/UDP conversation in a readable form.
  • Export Objects pulls files transferred over HTTP/SMB/FTP straight from a PCAP — great for malware retrieval.
  • Statistics → Conversations / IO Graphs / Expert Info highlight beaconing patterns and protocol anomalies.

Use cases

  • Investigating suspected C2 beaconing patterns
  • Decoding TLS with pre-master-secret logs for malware analysis
  • Extracting suspicious files from captured HTTP/SMB streams
  • Validating IDS alerts against the raw packets

Example

# Common display filters
http.request.method == "POST" and ip.dst == 10.0.0.5
dns.qry.name contains "evil.com"
tcp.flags.syn == 1 and tcp.flags.ack == 0   # SYN scans
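Added example (not Wireshark's own code): the beaconing check that the Conversations / IO Graph views let you eyeball, done numerically over a packet list exported with File → Export Packet Dissections → As CSV (default columns No., Time, Source, Destination, Protocol, Length, Info; Time in seconds since capture start). Only client SYNs are counted, the same idea as the `tcp.flags.syn == 1 and tcp.flags.ack == 0` filter above; the CSV rows are constructed.

```python
import csv
import io
import statistics
from collections import defaultdict

# Constructed sample in Wireshark's default CSV export layout. 10.0.0.7 opens a
# new connection to 203.0.113.9 every ~60 s with little jitter (beacon-like);
# its connections to 198.51.100.4 are irregular.
SAMPLE_CSV = '''"No.","Time","Source","Destination","Protocol","Length","Info"
"1","0.000000","10.0.0.7","203.0.113.9","TCP","74","49152 > 443 [SYN] Seq=0"
"2","0.040000","203.0.113.9","10.0.0.7","TCP","74","443 > 49152 [SYN, ACK] Seq=0 Ack=1"
"3","0.350000","10.0.0.7","198.51.100.4","TCP","74","49153 > 80 [SYN] Seq=0"
"4","12.900000","10.0.0.7","198.51.100.4","TCP","74","49154 > 80 [SYN] Seq=0"
"5","13.200000","10.0.0.7","198.51.100.4","TCP","74","49155 > 80 [SYN] Seq=0"
"6","60.100000","10.0.0.7","203.0.113.9","TCP","74","49156 > 443 [SYN] Seq=0"
"7","95.000000","10.0.0.7","198.51.100.4","TCP","74","49157 > 80 [SYN] Seq=0"
"8","119.900000","10.0.0.7","203.0.113.9","TCP","74","49158 > 443 [SYN] Seq=0"
"9","180.200000","10.0.0.7","203.0.113.9","TCP","74","49159 > 443 [SYN] Seq=0"
"10","240.000000","10.0.0.7","203.0.113.9","TCP","74","49160 > 443 [SYN] Seq=0"
'''

def connection_times(csv_text):
    """Timestamps of client SYNs grouped by (source, destination)."""
    times = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if "[SYN]" not in row["Info"]:  # skips "[SYN, ACK]" and data packets
            continue
        times[(row["Source"], row["Destination"])].append(float(row["Time"]))
    return times

def beacon_score(timestamps):
    """(mean gap, jitter) with jitter = stdev / mean of gaps between connections."""
    ts = sorted(timestamps)
    gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
    mean = statistics.fmean(gaps)
    return mean, statistics.pstdev(gaps) / mean

def find_beacons(csv_text, min_connections=4, max_jitter=0.1):
    """{(src, dst): (mean_gap_s, jitter)} for pairs reconnecting at near-constant intervals."""
    flagged = {}
    for pair, ts in connection_times(csv_text).items():
        if len(ts) < min_connections:
            continue
        mean, jitter = beacon_score(ts)
        if jitter <= max_jitter:
            flagged[pair] = (round(mean, 1), round(jitter, 3))
    return flagged

if __name__ == "__main__":
    for (src, dst), (mean, jitter) in find_beacons(SAMPLE_CSV).items():
        print(f"{src} -> {dst}: every {mean}s, jitter {jitter}")
```

Real C2 often randomises the interval (jitter settings), so treat the threshold as a triage aid and confirm candidates with Follow Stream on the flagged conversation.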