Wireshark: Practical Network Analysis and Forensics

Wireshark is the most widely used network protocol analyzer, enabling deep inspection of hundreds of protocols. It's essential for penetration testers, forensic analysts, and defenders to understand network behavior, detect anomalies, and reconstruct sessions from packet captures (.pcap files).

This guide covers practical techniques for analyzing TCP streams, DNS traffic, and encrypted TLS sessions - helping you uncover hidden data and reduce your organization's attack surface by identifying exposed services.

Working with PCAP Files

Wireshark allows you to open and analyze .pcap files containing recorded network traffic.

Use display filters to focus on specific protocols or conversations:

tcp.port == 21
ip.addr == 192.168.1.10
http.request.method == "POST"

Reconstructing TCP Streams

To view the full content of a TCP session:

  1. Right-click a TCP packet.
  2. Select Follow > TCP Stream.

This opens a new window showing the complete bidirectional conversation, reconstructed from the packet stream.

Useful for:

  • Inspecting unencrypted protocols (HTTP, Telnet, FTP)
  • Extracting credentials and commands
  • Understanding application logic

Telnet is insecure: All data, including usernames, passwords, and commands, is transmitted in plaintext. Anyone with access to the pcap can extract sensitive information.

Analyzing FTP Transfers (Passive Mode)

In passive FTP, file transfer occurs over two separate TCP connections:

  1. Control connection (port 21): Sends commands (USER, PASS, RETR).
  2. Data connection: Established dynamically for file transfer.

To isolate the data stream in Wireshark:

tcp.stream eq 0    (control stream)
tcp.stream eq 1    (data stream)

If the transferred file is a .zip archive, you can extract and decode its body using uudecode or export the raw data via Wireshark's "Export Packet Bytes" feature.

DNS Traffic Inspection

DNS typically uses UDP, but large responses (e.g., DNSSEC, zone transfers) use TCP.

To force TCP for DNS queries (e.g., during testing):

dig +tcp example.com

In Wireshark, filter DNS over TCP:

dns && tcp

Look for:

  • Zone transfer attempts (AXFR)
  • DNS tunneling (unusual query sizes or domains)
  • Excessive failed lookups (possible C2 communication)
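The three indicators above, turned into a check that can be run over exported query data. This is an added example, not part of the original guide or of Wireshark: it scores constructed records shaped like the ip.src, dns.qry.name and dns.flags.rcode columns you could export from Wireshark (with the rcode written out as its name), and the thresholds are assumptions to tune per environment.

```python
import math
from collections import Counter, defaultdict

# Constructed sample records (source IP, query name, response code); not real traffic.
HEX = "0123456789abcdef"
TUNNEL_LABELS = [(HEX[i:] + HEX[:i]) * 2 for i in range(6)]  # 32-char labels, each hex digit twice
SAMPLE_RECORDS = (
    [("10.0.0.5", h + ".example.com", "NOERROR")
     for h in ("www", "mail", "cdn", "login", "api", "static")]
    + [("10.0.0.9", lbl + ".t.tunnel.example", "NOERROR") for lbl in TUNNEL_LABELS]
    + [("10.0.0.12", n + ".example", "NXDOMAIN")
       for n in ("kq7xz", "pw3rt", "zx9qm", "hv2lk", "bn8ys")]
    + [("10.0.0.12", "www.example.com", "NOERROR")]
)


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; hex- or base32-like labels score close to 4 or 5."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def score_sources(records, min_queries=5, len_threshold=40,
                  entropy_threshold=3.5, nx_threshold=0.5):
    """Summarise DNS queries per source IP and flag the three patterns the guide lists."""
    by_src = defaultdict(list)
    for src, qname, rcode in records:
        by_src[src].append((qname, rcode))
    report = {}
    for src, queries in by_src.items():
        if len(queries) < min_queries:  # too few queries for the ratios to mean anything
            continue
        names = [q for q, _ in queries]
        mean_len = sum(len(q) for q in names) / len(names)
        # Tunnels carry their payload in one long leftmost label, so score the longest label.
        max_entropy = max(shannon_entropy(max(q.split("."), key=len)) for q in names)
        nx_ratio = sum(r == "NXDOMAIN" for _, r in queries) / len(queries)
        reasons = []
        if mean_len > len_threshold:
            reasons.append("long query names")
        if max_entropy > entropy_threshold:
            reasons.append("high-entropy label")
        if nx_ratio > nx_threshold:
            reasons.append("excessive NXDOMAIN")
        report[src] = {"queries": len(queries), "mean_len": round(mean_len, 1),
                       "max_entropy": round(max_entropy, 2),
                       "nxdomain_ratio": round(nx_ratio, 2), "reasons": reasons}
    return report


if __name__ == "__main__":
    for src, stats in score_sources(SAMPLE_RECORDS).items():
        print(src, stats)
```

A flagged source is a lead to inspect with `ip.src == <addr> && dns` in Wireshark, not a verdict on its own.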

Decrypting TLS Traffic

Wireshark can decrypt TLS sessions if you have the server's private key.

To configure:

  1. Right-click a TLS packet.
  2. Go to Protocol Preferences > TLS > (Pre)-Master-Secret log filename.
  3. Alternatively, add the server's RSA private key under Keys.

Alternatively, set the environment variable SSLKEYLOGFILE in your browser or client to log session keys for later decryption.

Note: Decryption with the server's RSA private key only works for non-ephemeral cipher suites; DHE or ECDHE sessions cannot be decrypted this way unless the session keys are logged (e.g., via SSLKEYLOGFILE).

Published on Aug 21, 2025