PT0-002 | Chapter 83 of 104 | Objective 5.1

Wireshark for Pentesters

This chapter covers Wireshark for penetration testers, focusing on how to leverage packet capture and analysis during assessments. Wireshark is a critical tool for network reconnaissance, traffic analysis, and vulnerability identification. On the PT0-002 exam, approximately 5-8% of questions relate to packet capture tools like Wireshark, particularly in Domain 5.1 (Tools & Scripts). You will be expected to know Wireshark's key features, display filters, and how to identify common attacks such as ARP spoofing, SYN floods, and credential harvesting from clear-text protocols.

25 min read
Intermediate
Updated May 31, 2026

Wireshark as Forensic Detective's Lab

Wireshark is like a forensic detective's lab where every packet is a piece of evidence. Imagine a crime scene (the network) with thousands of conversations (sessions) happening simultaneously. The detective (Wireshark) uses a specialized tool (packet capture) to record every word spoken (packet) without interfering. Back in the lab, the detective sorts through evidence using filters: by speaker (IP address), by language (protocol), or by keywords (payload strings). The detective can reconstruct conversations by following TCP streams, just like piecing together a phone call from recorded snippets. Statistics such as the I/O Graph show the intensity of activity over time, similar to a timeline of events. The detective can also spot anomalies, such as a sudden burst of SYN packets to many ports (a port scan) or repeated failed logins (brute force), with display filters (e.g., tcp.flags.syn == 1 and tcp.flags.ack == 0). Just as a detective must understand the chain of custody and avoid contaminating evidence, a pentester must capture packets within the engagement's authorization and analyze copies without altering the original capture. Wireshark's default coloring rules (lavender for TCP, light blue for UDP, light green for HTTP, gray for TCP SYN/FIN) are like evidence tags that help quickly identify packet types. The detective's lab is powerful but requires knowledge of what each piece of evidence means; similarly, Wireshark shows raw hex and ASCII, but the analyst must interpret the protocols. The analogy holds mechanically because both involve capturing, filtering, reconstructing, and interpreting data streams to find the truth.

How It Actually Works

What is Wireshark and Why Pentesters Use It

Wireshark is a network protocol analyzer that captures and inspects packets in real time or from saved capture files (.pcapng or .pcap). For pentesters, it is indispensable for:

- Reconnaissance: discovering hosts, services, and network topology.
- Credential harvesting: sniffing unencrypted protocols (HTTP, FTP, Telnet, SMTP).
- Protocol analysis: understanding application behavior and finding misconfigurations.
- Attack detection: identifying ARP spoofing, DNS poisoning, or DoS attempts.
- Exploit verification: confirming that an exploit produced the expected traffic.

Wireshark works by putting the network interface into promiscuous mode (or monitor mode for wireless) so that the adapter passes up every frame it sees on the segment, not only frames addressed to its own MAC. The capture itself is done by the libpcap library on Linux and macOS, or by Npcap on Windows (Npcap replaced the deprecated WinPcap).

How Wireshark Captures and Displays Packets

When you start a capture, Wireshark opens a live capture interface. Each packet is timestamped and dissected into protocol layers. The main window has three panes:

- Packet List pane: a summary of each packet (number, time, source, destination, protocol, length, info).
- Packet Details pane: the packet expanded into layers (Frame, Ethernet, IP, TCP/UDP, application protocol).
- Packet Bytes pane: the raw hex dump and ASCII representation.

Wireshark uses a powerful display filter language. For example:

- ip.addr == 192.168.1.1 matches packets to or from that IP.
- tcp.port == 80 matches TCP traffic with source or destination port 80 (usually HTTP).
- http.request matches every HTTP request (GET, POST, and any other method).
- !arp excludes ARP packets.

Display filters are applied after capture, unlike capture filters, which use BPF syntax and are applied during capture to limit what is written to disk. Common capture filters for pentesters:

- host 10.0.0.5 captures only traffic to or from that host.
- port 21 or port 22 captures FTP control and SSH traffic.
- not broadcast and not multicast reduces noise.

Key Features for Pentesters

#### 1. Follow TCP/UDP Stream

Right-click a packet and select Follow > TCP Stream to reassemble the entire conversation. This is invaluable for extracting credentials, files, or understanding application logic. The stream can be displayed as ASCII, hex dump, or raw bytes. You can also filter on a specific stream with tcp.stream eq 0.

#### 2. Statistics Menu

- Statistics > Protocol Hierarchy: the share of packets per protocol. Useful for spotting unusual protocols (e.g., ICMP tunneling).
- Statistics > Endpoints: every IP address and MAC address seen.
- Statistics > I/O Graphs: packet rate over time. A sudden spike may indicate a scan or attack.
- Statistics > Flow Graph: the sequence of packets between hosts.

#### 3. Expert Information

Access via Analyze > Expert Information. Wireshark tags packets with one of four severities (Chat, Note, Warning, Error). For example, a TCP retransmission or duplicate ACK is a Note, an out-of-order segment or a zero window is a Warning, and a malformed packet is an Error. Scanning the Warning and Error groups is a fast way to spot anomalies.

#### 4. Name Resolution

Wireshark can resolve MAC addresses to vendor names (OUI), IP addresses to hostnames (DNS), and ports to service names. Enable in View > Name Resolution. Be cautious: DNS resolution sends queries from your machine and may alert defenders; OUI and port resolution are offline lookups.

#### 5. Coloring Rules

Wireshark colors packets by protocol or condition (View > Coloring Rules). In the default profile, TCP is lavender, UDP is light blue, HTTP is light green, TCP SYN/FIN packets are gray, TCP RST is dark red, and "Bad TCP" (retransmissions, out-of-order segments, and similar) is black with red text. You can add custom rules, for example coloring every packet matching tcp.flags.syn == 1 and tcp.flags.ack == 0 bright red, to make a scan stand out.

Identifying Common Attacks with Wireshark

#### ARP Spoofing

- Filter: arp
- Look for one IP address claimed by different MAC addresses. Wireshark flags this itself: filter on arp.duplicate-address-detected, or check arp.opcode == 2 (reply) for replies that were never requested.
- A typical attack: the attacker sends forged ARP replies claiming to be the gateway. In Wireshark you see multiple ARP replies for the gateway IP from different MACs, and Expert Information shows "Duplicate IP address configured".

#### SYN Flood

- Filter: tcp.flags.syn == 1 and tcp.flags.ack == 0
- A SYN flood shows many SYNs to the same port from many different (often spoofed) source IPs, with few or no completed handshakes. The I/O Graph shows a sustained spike.
- Use Statistics > Conversations to see the number of packets per conversation; a flood produces thousands of one-packet conversations.

#### DNS Tunneling

- Filter: dns
- Look for queries with long or many subdomain labels (e.g., base64encodeddata.example.com), a high volume of TXT or NULL queries, or a steady stream of unique names under one domain. Responses larger than 512 bytes are worth a look, but since EDNS0 they are not unusual on their own.
- Check dns.qry.name for unusual lengths, e.g. len(dns.qry.name) > 50.
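The following is an added example, not code from the chapter: it scores query names for the tunneling indicators listed above (long names and labels, many labels, high entropy, base64/hex-looking data) the way you would triage the output of the dns display filter. The query names and the thresholds are constructed for illustration and should be tuned against your own baseline.

```python
"""Added example, not code from the chapter: score DNS query names for the
tunneling indicators listed above (long names and labels, many labels, high
entropy, base64/hex-looking data). The query names and thresholds are
constructed for illustration; tune them against your own baseline."""
import math
import re

ENCODED_CHARSET = re.compile(r"^[A-Za-z0-9+/=_-]+$")


def shannon_entropy(s):
    """Bits per character: English words sit around 3, encoded data near 4-5."""
    if not s:
        return 0.0
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def tunnel_indicators(qname, max_label=30, max_total=60):
    """Return the indicators a query name trips; equivalent Wireshark checks are noted inline."""
    labels = qname.rstrip(".").split(".")
    payload = "".join(labels[:-2])          # everything below the registrable domain (assumes a 2-label zone)
    hits = []
    if len(qname) > max_total:               # len(dns.qry.name) > 60
        hits.append("long_name")
    if max(len(label) for label in labels) > max_label:
        hits.append("long_label")
    if len(labels) > 4:                      # dns.count.labels > 4
        hits.append("many_labels")
    if payload and shannon_entropy(payload) > 3.8:
        hits.append("high_entropy")
    if len(payload) > 20 and ENCODED_CHARSET.match(payload) and any(ch.isdigit() for ch in payload):
        hits.append("encoded_payload")
    return hits


def suspicious_queries(qnames, min_hits=2):
    """Names tripping at least min_hits indicators: the ones worth following up in the capture."""
    return {q: hits for q in qnames if len(hits := tunnel_indicators(q)) >= min_hits}


# Constructed sample: two benign names and one carrying a 40-character encoded chunk.
SAMPLE_QUERIES = [
    "www.example.com",
    "_sip._tcp.example.com",
    "0123456789abcdefghijklmnopqrstuvwxyzABCD.seq7.tun.example.com",
]

if __name__ == "__main__":
    for name, hits in suspicious_queries(SAMPLE_QUERIES).items():
        print(name, hits)
```

A single indicator is weak evidence (CDN and anti-spam lookups produce long, random-looking labels too); the example only reports names that trip at least two, which is also how you would prioritize candidates before following their streams.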

#### HTTP Credential Harvesting

- Filter: http.request.method == POST
- Follow the TCP stream to see the POST body. Look for username=, password=, or passwd=.
- Also filter on http.authbasic to see Basic Authentication credentials, which Wireshark decodes from Base64 for you.

#### SMB Relay / Pass-the-Hash

- Filter: smb or smb2
- Look for Session Setup requests. The NTLM challenge/response (Net-NTLMv2) can be captured for offline cracking (hashcat mode 5600) or relayed to another host with tools such as ntlmrelayx. A captured challenge/response is not the NT hash itself, so it cannot be used directly for pass-the-hash.
- Use the ntlmssp filter to see the NTLM negotiate, challenge, and authenticate messages.
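The ARP-spoofing and SYN-flood heuristics above, and the port-scan-versus-SYN-flood distinction the exam section returns to, reduce to counting what varies across the packets that match the filter. The block below is an added example, not code from the chapter or from the Wireshark project: it writes a small libpcap file in memory, parses it with the Python standard library only, and applies those three checks. Every frame, IP address and MAC address in it is constructed (documentation ranges), and the thresholds of ten sources or ten ports are arbitrary.

```python
"""Added example, not code from the chapter: write a small libpcap file in
memory, parse it with the standard library only, and apply the heuristics the
section describes for ARP spoofing, port scans and SYN floods.
Every frame, address and MAC below is constructed (RFC 5737 / RFC 7042 ranges)."""
import struct
from collections import defaultdict

ETH_IP, ETH_ARP = 0x0800, 0x0806
TCP_SYN, TCP_ACK = 0x02, 0x10

def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))

def ip_bytes(s):
    return bytes(int(o) for o in s.split("."))

def eth_frame(dst, src, ethertype, payload):
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload

def arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    # hardware type 1 (Ethernet), protocol IPv4, hlen 6, plen 4, opcode 2 (reply)
    body = struct.pack("!HHBBH", 1, ETH_IP, 6, 4, 2)
    body += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    body += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth_frame(target_mac, sender_mac, ETH_ARP, body)

def tcp_syn(src_ip, dst_ip, sport, dport):
    # 20-byte TCP header: data offset 5, flags SYN only, window 8192, checksum left 0
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, TCP_SYN, 8192, 0, 0)
    # 20-byte IPv4 header: version 4 / IHL 5, TTL 64, protocol 6 (TCP), checksum left 0
    ip4 = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0)
    ip4 += ip_bytes(src_ip) + ip_bytes(dst_ip)
    return eth_frame("00:00:5e:00:53:01", "00:00:5e:00:53:02", ETH_IP, ip4 + tcp)

def pcap_bytes(frames):
    """Classic little-endian libpcap: 24-byte global header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out

def parse_pcap(data):
    """Yield (ethertype, payload after the Ethernet header) for each record."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("only classic little-endian pcap is handled here (not pcapng)")
    offset = 24
    while offset + 16 <= len(data):
        incl_len = struct.unpack("<IIII", data[offset:offset + 16])[2]
        frame = data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        yield struct.unpack("!H", frame[12:14])[0], frame[14:]

def arp_spoof_suspects(data):
    """IPs claimed by more than one sender MAC in ARP replies (what arp.duplicate-address-detected flags)."""
    claims = defaultdict(set)
    for ethertype, p in parse_pcap(data):
        if ethertype == ETH_ARP and struct.unpack("!H", p[6:8])[0] == 2:
            claims[".".join(map(str, p[14:18]))].add(p[8:14].hex(":"))
    return {ip_: macs for ip_, macs in claims.items() if len(macs) > 1}

def classify_syns(data):
    """Same packets as tcp.flags.syn == 1 and tcp.flags.ack == 0; what varies decides scan vs flood."""
    sources, dst_ports = set(), set()
    for ethertype, p in parse_pcap(data):
        if ethertype != ETH_IP or p[9] != 6:          # IPv4 protocol 6 = TCP
            continue
        ihl = (p[0] & 0x0F) * 4
        flags = p[ihl + 13]
        if flags & TCP_SYN and not flags & TCP_ACK:
            sources.add(".".join(map(str, p[12:16])))
            dst_ports.add(struct.unpack("!H", p[ihl + 2:ihl + 4])[0])
    if len(sources) == 1 and len(dst_ports) >= 10:
        return "port scan"
    if len(sources) >= 10 and len(dst_ports) == 1:
        return "syn flood"
    return "inconclusive"

def sample_arp_capture():
    gw, victim = "192.0.2.1", "192.0.2.50"
    return pcap_bytes([
        arp_reply("00:00:5e:00:53:aa", gw, "00:00:5e:00:53:cc", victim),  # real gateway
        arp_reply("00:00:5e:00:53:bb", gw, "00:00:5e:00:53:cc", victim),  # attacker claims gateway IP
    ])

def sample_scan_capture():
    return pcap_bytes([tcp_syn("192.0.2.10", "192.0.2.20", 40000 + port, port) for port in range(1, 21)])

def sample_flood_capture():
    return pcap_bytes([tcp_syn("198.51.100.%d" % i, "192.0.2.20", 1024 + i, 80) for i in range(1, 51)])

if __name__ == "__main__":
    print("ARP spoof suspects:", arp_spoof_suspects(sample_arp_capture()))
    print("scan capture:", classify_syns(sample_scan_capture()))
    print("flood capture:", classify_syns(sample_flood_capture()))
```

The pcap_bytes output can be written to a file and opened in Wireshark to see the same frames with the filters from this section applied; the parser deliberately rejects pcapng, which is what Wireshark saves by default, so convert with editcap -F pcap first or save as .pcap.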

Advanced Wireshark Techniques

#### Using TShark (Command-Line Wireshark)

TShark is the CLI version, useful for scripting and for large captures. Example: tshark -r capture.pcap -Y "http.request" -T fields -e http.host -e http.request.uri extracts the host and URI from every HTTP request.

#### Extracting Files from PCAP

- File > Export Objects > HTTP (or SMB, TFTP, DICOM, IMF) extracts files transferred over those protocols.
- For other protocols, follow the stream, switch the display to Raw, and save it. Carving the pcap with foremost or binwalk can also work, but fails when a file's bytes are interleaved with packet headers or split across out-of-order segments.
- Example: extract all HTTP objects with File > Export Objects > HTTP > Save All.

#### Decrypting TLS Traffic

Wireshark has two separate settings under Edit > Preferences > Protocols > TLS. The RSA keys list takes the server's private key and works only for sessions that used RSA key exchange (no forward secrecy, so never TLS 1.3). The (Pre)-Master-Secret log filename takes a key log file written by the client (Firefox, Chrome, curl, and others honor the SSLKEYLOGFILE environment variable) and works for any cipher suite, including ECDHE and TLS 1.3, because it holds the per-session secrets. With either in place, the TLS streams are shown decrypted.

#### Wireless Capture

For Wi-Fi, use monitor mode (if the adapter and driver support it). Display filters: wlan.fc.type == 0 for management frames, wlan.fc.type_subtype == 8 for beacons (the BPF capture-filter equivalents are type mgt and subtype beacon). To decrypt WEP or WPA/WPA2-PSK traffic when you have the key, either run airdecap-ng on the capture or add the key under Edit > Preferences > Protocols > IEEE 802.11 > Decryption keys; for WPA you must also have captured the client's 4-way (EAPOL) handshake.

Wireshark Performance Considerations

Capture Filters: Use BPF syntax to limit what is captured, reducing file size.

Ring Buffer: In capture options, enable ring buffer to split captures into multiple files and limit disk usage.

Display Filters: Applied after capture; they don't reduce file size but speed up analysis.

Large Captures: use tshark or dumpcap (the capture engine behind Wireshark) for processing and long-running captures; they use far less memory than the GUI. For huge files, use editcap to split them.

Wireshark and the PT0-002 Exam

The exam tests practical knowledge of Wireshark filters and attack identification. You may be given a screenshot of a Wireshark capture and asked to identify the attack or the filter used. Common scenarios:

Identifying a port scan (many SYN packets to different ports).

Identifying ARP spoofing (duplicate IPs).

Extracting credentials from HTTP POST.

Recognizing a SYN flood (high rate of SYNs with no ACKs).

Memorize these filters:

- tcp.flags.syn == 1 and tcp.flags.ack == 0: initial SYN packets (scan, flood)
- tcp.flags.reset == 1: RST packets (connection refused or torn down)
- icmp.type == 8: echo request (ping)
- arp.opcode == 2: ARP reply
- http.request: HTTP requests
- dns.qry.type == 1: DNS A queries

Also know how to follow streams, use IO Graphs, and export objects.

Walk-Through

1

Start Packet Capture

Open Wireshark and select the correct network interface (e.g., eth0, wlan0). Under Capture Options, you can set a capture filter (BPF syntax) to reduce noise. For example, `host 192.168.1.1` captures only traffic to/from that IP. Click the blue shark fin button to start. Wireshark immediately begins capturing all packets on that interface. Observe the packet list pane populating in real time. The capture continues until you click the red stop button. For pentesting, consider using a ring buffer to avoid filling disk space: under Capture Options, enable 'Use multiple files' and set a file size limit (e.g., 10 MB) and ring buffer count (e.g., 2). This creates a rolling capture of the last 20 MB.

2

Apply Display Filter

After capturing or opening a .pcapng file, apply a display filter to isolate relevant traffic. Type the filter in the filter toolbar and press Enter. For example, `http.request` shows only HTTP requests. The syntax uses protocol field names such as `ip.src`, `tcp.port`, and `dns.qry.name`, combined with the logical operators `and`, `or`, and `not` (or `&&`, `||`, `!`). Example: `http.request and ip.src == 10.0.0.5`. The filter is applied instantly; packets that do not match are hidden, not deleted. To clear it, click the 'X' button. The toolbar turns green for a valid filter and red for a syntax error; type field names in lowercase exactly as the dissector registers them. Use Analyze > Display Filter Expression to build complex filters from the list of known fields.

3

Identify Suspicious Traffic

Look for anomalies in the packet list. Common indicators: many SYNs to different ports (port scan), ARP replies without matching requests (spoofing), long or high-volume DNS names (tunneling), or repeated HTTP POSTs to a login page (brute force). The default coloring helps: TCP SYN/FIN packets are gray, "Bad TCP" is black with red text, TCP RST is dark red, and HTTP is light green. Expert Information (Analyze > Expert Information) adds Wireshark's own notes: a 'Warning' may be an out-of-order segment or 'previous segment not captured', a 'Note' may be a retransmission or duplicate ACK, and a 'Chat' may be a window update. Focus on 'Error' and 'Warning' entries first. Statistics > I/O Graphs shows traffic spikes; a SYN flood appears as a sustained high packet rate, while a scan is typically a short burst.

4

Follow TCP Stream

Right-click any packet in a TCP conversation and select Follow > TCP Stream. A new window opens showing the entire payload of that stream, with client-to-server data in red and server-to-client data in blue. This is crucial for extracting credentials, commands, or files. You can show the data as ASCII, hex dump, or raw bytes, and restrict the view to one direction. For HTTP you see the full request and response; for FTP you see USER and PASS in plaintext. You can also filter on a specific stream using `tcp.stream eq 0` in the display filter. To save the content, click 'Save as...'; set 'Show data as' to Raw first if you need the exact bytes of binary data. For the exam, know that following streams is how you extract conversation data from a capture.

5

Export Objects and Save Evidence

Wireshark can extract files transferred over HTTP, SMB, TFTP, and other protocols. Go to File > Export Objects > HTTP (or SMB, TFTP). A dialog lists all objects found in the capture. You can preview and save selected files. This is useful for extracting malware samples or documents. For evidence preservation, save the entire capture as a .pcapng file (File > Save As). You can also save only displayed packets after applying a filter: File > Export Specified Packets. When submitting evidence, always keep the original capture unchanged and work on copies. For exam, remember that Export Objects can recover files from HTTP and SMB traffic.
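Steps 4 and 5 are usually done by eye in the Follow Stream and Export Objects dialogs. The block below is an added example, not code from the chapter or from Wireshark, showing the same checks as functions so they can run over a stream saved with Follow > Save as... (Raw): Basic-auth headers and login-form fields from the client half, USER/PASS from an FTP control connection, and the per-response bodies that Export Objects > HTTP would list. Both halves of the HTTP stream, the FTP session, and every host and credential in them are constructed for this example.

```python
"""Added example, not code from the chapter: the checks a pentester does by eye
after Follow TCP Stream, written as functions so they can be run over a saved
stream (Follow > Save as... Raw). Both halves of the stream, the FTP session and
the hosts/credentials in them are constructed for this example."""
import base64
import re
from urllib.parse import parse_qs

CRED_FIELD = re.compile(r"user|login|uname|email|pass|pwd", re.I)


def http_messages(stream):
    """Split one direction of a stream into (start_line, headers, body) using Content-Length."""
    messages, pos = [], 0
    while (end := stream.find(b"\r\n\r\n", pos)) >= 0:
        lines = stream[pos:end].decode("latin-1").split("\r\n")
        headers = {k.strip().lower(): v.strip()
                   for k, v in (line.split(":", 1) for line in lines[1:] if ":" in line)}
        length = int(headers.get("content-length", "0"))
        messages.append((lines[0], headers, stream[end + 4:end + 4 + length]))
        pos = end + 4 + length
    return messages


def http_credentials(client_stream):
    """Basic auth headers (Base64 is encoding, not encryption) and login form fields."""
    found = []
    for start_line, headers, body in http_messages(client_stream):
        auth = headers.get("authorization", "")
        if auth.lower().startswith("basic "):
            user, _, password = base64.b64decode(auth[6:]).decode("latin-1").partition(":")
            found.append({"source": "basic", "request": start_line, "user": user, "password": password})
        if "x-www-form-urlencoded" in headers.get("content-type", ""):
            fields = {k: v[0] for k, v in parse_qs(body.decode("latin-1")).items() if CRED_FIELD.search(k)}
            if fields:
                found.append({"source": "form", "request": start_line, **fields})
    return found


def ftp_credentials(control_stream):
    """USER/PASS pairs from an FTP control connection; the protocol sends them in the clear."""
    pending, pairs = None, []
    for line in control_stream.decode("latin-1").splitlines():
        command, _, argument = line.partition(" ")
        if command.upper() == "USER":
            pending = argument
        elif command.upper() == "PASS" and pending is not None:
            pairs.append((pending, argument))
            pending = None
    return pairs


def export_http_objects(server_stream):
    """What File > Export Objects > HTTP does: one (Content-Type, body) per response."""
    return [(headers.get("content-type", ""), body) for _, headers, body in http_messages(server_stream)]


# Constructed client -> server half: a Basic-auth GET followed by a login POST.
FORM = b"username=alice&password=Winter2024%21"
CLIENT_STREAM = b"".join([
    b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n",
    b"Authorization: Basic " + base64.b64encode(b"admin:P@ssw0rd") + b"\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: intranet.example\r\n",
    b"Content-Type: application/x-www-form-urlencoded\r\n",
    b"Content-Length: %d\r\n\r\n" % len(FORM), FORM,
])
# Constructed server -> client half: a single PDF download.
PDF_BODY = b"%PDF-1.4 constructed payroll export"
SERVER_STREAM = b"".join([
    b"HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n",
    b"Content-Length: %d\r\n\r\n" % len(PDF_BODY), PDF_BODY,
])
# Constructed FTP control session (both directions, as Follow TCP Stream shows them).
FTP_STREAM = b"220 ftp ready\r\nUSER bob\r\nPASS hunter2\r\nCWD /exports\r\n"

if __name__ == "__main__":
    print(http_credentials(CLIENT_STREAM))
    print(ftp_credentials(FTP_STREAM))
    print(export_http_objects(SERVER_STREAM))
```

The parser relies on Content-Length; chunked transfer encoding, which Wireshark reassembles for you, is not handled here.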

What This Looks Like on the Job

Scenario 1: Internal Penetration Test – Credential Sniffing

During an internal pentest, you are given network access (e.g., plugged into a switch port). You start Wireshark on a laptop and capture traffic on the local subnet. After a few minutes, you see HTTP POST requests to a web application. Following the TCP stream reveals a login form with username 'admin' and password 'P@ssw0rd'. You also capture FTP traffic where credentials are sent in plaintext. This is a common finding: many internal applications still use unencrypted protocols, often on legacy systems that cannot be upgraded. A pentester must document the capture and demonstrate the risk. Limitation: promiscuous mode only helps with frames that reach your port, and a switch forwards unicast frames only to the port that owns the destination MAC, so by default you see broadcasts, multicasts, and your own traffic. To see other hosts' traffic you need a SPAN/mirror port or a tap, or you redirect it through your machine with ARP spoofing (e.g., Bettercap), which is intrusive and must be explicitly authorized in the rules of engagement.

Scenario 2: External Penetration Test – TLS Decryption

You are testing an external web server. You capture traffic to the server but most of it is encrypted (HTTPS). To analyze application-layer data you need key material. If you have obtained the server's RSA private key (e.g., via a misconfiguration that exposed it), add it under Edit > Preferences > Protocols > TLS > RSA keys list; Wireshark can then decrypt sessions that negotiated RSA key exchange. Most modern servers prefer ECDHE suites, and TLS 1.3 allows nothing else, so Perfect Forward Secrecy (PFS) makes the private key alone useless: the session keys are ephemeral. In that case you need the per-session secrets from the client side. For your own test client (browser, curl, custom tooling) set the SSLKEYLOGFILE environment variable, point Wireshark's (Pre)-Master-Secret log filename at that file, and the streams between your client and the target are decrypted; this is how you inspect a browser's or thick client's traffic to the target in the clear. You cannot obtain this file from third-party clients you do not control.
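The key log mechanism from the Decrypting TLS Traffic section and this scenario is simple once you see what Wireshark matches on. The block below is an added example, not code from the chapter or from Wireshark: it builds a minimal ClientHello, extracts the 32-byte client random at the same offsets the TLS dissector uses, and looks it up in SSLKEYLOGFILE-format text. The ClientHello, the key log lines and both random values are constructed; no real session, certificate or server is involved.

```python
"""Added example, not code from the chapter: how a key log file lets Wireshark
decrypt a session whatever the key exchange. Wireshark reads the 32-byte client
random from the ClientHello and looks up the CLIENT_RANDOM line carrying the
same value; the secret on that line is what ECDHE keeps the server's private
key from yielding. The ClientHello and key log below are constructed."""
import struct

ECDHE_RSA_AES128_GCM_SHA256 = b"\xc0\x2f"   # a PFS suite: the server's RSA key alone cannot decrypt it


def client_hello(client_random):
    """Minimal TLS 1.2 ClientHello record: one cipher suite, no extensions."""
    body = b"\x03\x03" + client_random + b"\x00"                     # version, random, empty session id
    body += b"\x00\x02" + ECDHE_RSA_AES128_GCM_SHA256 + b"\x01\x00"  # suites list, null compression
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def client_random_from_hello(record):
    """Same offset math as the TLS dissector: 5-byte record header, 4-byte handshake header, 2-byte version."""
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    return record[11:43]


def parse_keylog(text):
    """SSLKEYLOGFILE lines are '<label> <client_random hex> <secret hex>'.
    TLS 1.2 writes CLIENT_RANDOM; TLS 1.3 writes several *_TRAFFIC_SECRET labels per session."""
    secrets = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        label, random_hex, secret_hex = line.split()
        secrets.setdefault(bytes.fromhex(random_hex), {})[label] = bytes.fromhex(secret_hex)
    return secrets


def secrets_for_session(record, keylog_text):
    """Everything the key log knows about the session this ClientHello started ({} if nothing)."""
    return parse_keylog(keylog_text).get(client_random_from_hello(record), {})


# Constructed values: a session our own client logged, and another client's session we did not.
OUR_RANDOM = bytes(range(32))
OUR_MASTER_SECRET = bytes(range(48))
OTHER_RANDOM = bytes([0xAB]) * 32
KEYLOG = (
    "# constructed SSLKEYLOGFILE contents\n"
    "CLIENT_RANDOM " + OUR_RANDOM.hex() + " " + OUR_MASTER_SECRET.hex() + "\n"
    "CLIENT_RANDOM " + (bytes([0x11]) * 32).hex() + " " + (bytes([0x22]) * 48).hex() + "\n"
)

if __name__ == "__main__":
    print(secrets_for_session(client_hello(OUR_RANDOM), KEYLOG))    # decryptable
    print(secrets_for_session(client_hello(OTHER_RANDOM), KEYLOG))  # {}: no secret, PFS holds
```

The second lookup returning an empty result is the PFS case from this scenario: the capture contains the other client's ClientHello, but without that client's log there is nothing to key the decryption with, and the server's private key does not help for an ECDHE suite.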

Scenario 3: Red Team – Detecting Lateral Movement

During a red team exercise you have compromised a workstation and want to know what your own lateral movement looks like on the wire, so the findings can feed the blue team's detections. You run Wireshark (or dumpcap) on the compromised host and capture outbound traffic while you move. You notice SMB connections to multiple internal IPs on port 445. Using the filter smb2, you see SMB2 Session Setup requests, and the ntlmssp filter shows the NTLM negotiate, challenge, and authenticate messages. A Net-NTLMv2 challenge/response captured here can be cracked offline; a pass-the-hash logon looks like an ordinary NTLM logon in the packets, which is why defenders correlate it with logon events rather than packet contents. In production, one host opening SMB sessions to many peers in a short window is the pattern to monitor for ransomware propagation. Performance: capturing on a busy host may drop packets; use a capture filter such as port 445 to reduce load. Misconfiguration: if the kernel capture buffer is too small, packets are dropped silently. Always check Wireshark's status bar for the dropped-packet count.

How PT0-002 Actually Tests This

PT0-002 Exam Focus on Wireshark

Objective 5.1: Given a scenario, analyze a packet capture to identify an attack or extract information. The exam expects you to recognize common attacks from Wireshark screenshots or filter outputs.

Common Wrong Answers and Why Candidates Choose Them:

1. Choosing 'TCP SYN flood' when seeing many SYN packets to different ports. Many candidates think any flood of SYNs is a SYN flood. A SYN flood targets one port (or a few) with many SYNs from many, often spoofed, source IPs. A port scan sends SYNs from one source IP to many ports. Apply tcp.flags.syn == 1 and tcp.flags.ack == 0, then look at whether the destination port or the source IP is what varies (Statistics > Conversations or Endpoints makes this obvious). When the exam shows many SYNs to different ports, the correct answer is 'port scan', not 'SYN flood'.
2. Identifying ARP spoofing by seeing ARP requests. ARP requests are normal. ARP spoofing involves unsolicited ARP replies (opcode 2) carrying a fake MAC for a real IP. Candidates often pick 'ARP request storm' instead of 'ARP spoofing'. The key is the opcode and the conflicting MAC.
3. Assuming all HTTP traffic is malicious. HTTP is common; the exam might show a capture with an HTTP POST containing credentials and ask 'What is the attacker doing?'. The answer is 'credential harvesting', not 'web browsing'.
4. Confusing 'Follow TCP Stream' with 'Export Objects'. Follow Stream shows the entire conversation; Export Objects extracts files. If the exam asks how to extract a file from HTTP traffic, the correct answer is Export Objects, not Follow Stream.

Specific Numbers, Values, and Terms:

- Default capture file format: .pcapng (.pcap is also supported).
- Default colors: TCP SYN/FIN packets are gray, TCP RST is dark red, bad TCP is black with red text, HTTP is light green.
- Filter for ARP replies: arp.opcode == 2
- Filter for DNS A queries: dns.qry.type == 1
- Filter for HTTP requests: http.request
- Filter for initial TCP SYNs: tcp.flags.syn == 1 and tcp.flags.ack == 0
- Filter for TCP RST: tcp.flags.reset == 1
- Filter for ICMP echo request: icmp.type == 8

Edge Cases and Exceptions:

- Wireshark can decrypt TLS with the server's private key only for RSA key exchange; with PFS suites (ECDHE) or TLS 1.3 you need a client-side key log file.
- Capture filters use BPF syntax; display filters use Wireshark's own syntax. The exam may test the difference.
- On wireless, you need monitor mode to capture all frames; in managed mode you see only your own traffic.
- Wireshark on Windows requires Npcap; on Linux and macOS, libpcap.

How to Eliminate Wrong Answers:

- Always check the protocol field values. For ARP, look at the opcode and the sender MAC. For TCP, look at the flags. For DNS, look at the query type and name length.
- Use the I/O Graph: a sustained high rate suggests a flood; a short burst with many destination ports suggests a scan.
- When asked about extracting data, 'Follow TCP Stream' gives you the conversation as text; 'Export Objects' gives you files. If the question mentions a file, choose Export Objects.
- If the capture has many different source IPs sending SYNs to a single port, it is a (distributed) SYN flood. If one source IP sends SYNs to many ports, it is a port scan.

Key Takeaways

Wireshark display filter for SYN packets: tcp.flags.syn == 1 and tcp.flags.ack == 0

Wireshark display filter for ARP replies: arp.opcode == 2

Wireshark display filter for HTTP requests: http.request

Wireshark display filter for DNS A queries: dns.qry.type == 1

Follow TCP Stream reassembles the full conversation; Export Objects extracts files.

Wireshark can decrypt TLS with the server's private key only when the session used RSA key exchange (no PFS); a client key log file (SSLKEYLOGFILE) works for any suite, including TLS 1.3.

Capture filters use BPF; display filters use Wireshark syntax.

To capture all traffic on a switched network, use ARP spoofing or port mirroring.

Expert Information (Analyze > Expert Information) highlights errors and warnings.

IO Graph (Statistics > IO Graph) helps visualize traffic patterns.

Default colors: TCP SYN/FIN is gray, TCP RST is dark red, HTTP is light green, TCP is lavender, UDP is light blue.

Wireshark default capture file format is .pcapng.

Monitor mode is required to capture all wireless frames.

TShark is the command-line version of Wireshark for scripting.

Always check for dropped packets in the status bar.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Wireshark Display Filter

Applied after capture, does not reduce file size

Uses Wireshark-specific field syntax (e.g., http.request, ip.addr)

Can combine with logical operators (and, or, not)

Field names are lowercase; type them exactly as the dissector registers them (e.g., ip.addr, not IP.ADDR)

Examples: tcp.port == 80, http.request, !arp

Wireshark Capture Filter

Applied during capture, reduces file size and processing

Uses BPF syntax (e.g., port 80, host 10.0.0.1)

Limited to BPF primitives (host, port, net, proto, etc.)

Case-sensitive (e.g., 'tcp' not 'TCP')

Examples: port 80, host 10.0.0.1, not arp

Watch Out for These

Mistake

Wireshark can only capture traffic on the same subnet as the attacker's machine.

Correct

Wireshark can capture any traffic that reaches the network interface. On a switched network, it typically sees only broadcast and unicast traffic to its own MAC. However, using promiscuous mode and techniques like ARP spoofing or port mirroring, an attacker can capture traffic from other hosts. Additionally, on wireless networks in monitor mode, Wireshark can capture all frames within range.

Mistake

A display filter and a capture filter are the same thing.

Correct

They are different. A capture filter uses BPF syntax and is applied during capture to decide which packets are saved. It reduces file size and processing load. A display filter uses Wireshark's own syntax and is applied after capture to hide packets from view; it does not reduce file size. For example, capture filter `port 80` only captures HTTP packets; display filter `http.request` shows only HTTP requests but the file still contains all packets.

Mistake

Wireshark can decrypt all encrypted traffic if you have the server's private key.

Correct

Wireshark can decrypt TLS traffic with the server's private key only if the session used RSA key exchange, i.e. a cipher suite without Perfect Forward Secrecy (PFS). With PFS (e.g., ECDHE-RSA, and all of TLS 1.3), the session keys are ephemeral and cannot be recovered from the private key alone. You need the per-session secrets, which the client can log to a file named by the SSLKEYLOGFILE environment variable. Additionally, Wireshark cannot decrypt SSH, and it can decrypt IPsec ESP only if you supply the SA keys; other encrypted protocols likewise need the appropriate key material.

Mistake

Seeing many SYN packets always indicates a SYN flood attack.

Correct

Many SYN packets can indicate a port scan, a SYN flood, or normal connection attempts. A port scan shows SYNs to many different ports from a single source IP, with no corresponding SYN-ACKs or RSTs. A SYN flood typically targets a single port with many SYNs from spoofed IPs, often with no response. Always check the destination port diversity and source IP consistency.

Mistake

Wireshark can capture all traffic on a network without any special configuration.

Correct

On a switched network, Wireshark by default captures only traffic destined to its own MAC address and broadcast/multicast traffic. To capture traffic between other hosts, you must either use a hub, configure port mirroring (SPAN) on the switch, use a network tap, or perform ARP spoofing. Additionally, on wireless networks, you need monitor mode to capture all frames, not just those from your own connection.


Frequently Asked Questions

How do I filter for a specific IP address in Wireshark?

Use the display filter `ip.addr == 192.168.1.1` to show packets where either the source or the destination IP is that address. For only the source, use `ip.src == 192.168.1.1`; for only the destination, `ip.dst == 192.168.1.1`. Combine them to isolate one direction of one conversation, e.g. `ip.src == 192.168.1.1 and ip.dst == 10.0.0.5`. The capture-filter equivalent is `host 192.168.1.1`.

How do I extract files from a Wireshark capture?

Go to File > Export Objects and select the protocol (e.g., HTTP, SMB, TFTP). A list of objects appears; you can preview and save them individually or all at once. This works for files transferred over those protocols. For other protocols, you may need to manually extract from the raw bytes using Follow Stream and save as Raw.

What is the difference between a capture filter and a display filter?

A capture filter is applied during packet capture using BPF syntax (e.g., `port 80`) and only packets matching the filter are saved. A display filter is applied after capture using Wireshark syntax (e.g., `http.request`) and hides non-matching packets from view, but the original capture file remains unchanged. Capture filters reduce file size; display filters do not.

How can I decrypt HTTPS traffic in Wireshark?

There are two different settings under Edit > Preferences > Protocols > TLS. Put the server's private key (PEM format) in the RSA keys list; this works only for sessions that used RSA key exchange. For PFS suites and TLS 1.3, set the (Pre)-Master-Secret log filename to a key log file produced by the client via the SSLKEYLOGFILE environment variable. With the right material in place, Wireshark decrypts the TLS streams and shows the HTTP inside.

How do I identify an ARP spoofing attack in Wireshark?

Filter for `arp.opcode == 2` (ARP replies) and look for multiple replies from different MAC addresses claiming the same IP address. Wireshark also detects this itself: Analyze > Expert Information shows 'Duplicate IP address configured' warnings, and the display filter `arp.duplicate-address-detected` isolates the offending frames.

What filter shows only SYN packets?

Use `tcp.flags.syn == 1 and tcp.flags.ack == 0`. This filters for packets with SYN flag set and ACK flag not set, which are the initial SYN packets in a TCP handshake. To include SYN-ACK (SYN and ACK), use `tcp.flags.syn == 1` alone.

How do I save only the filtered packets to a new file?

After applying a display filter, go to File > Export Specified Packets. Choose 'Displayed' to save only the packets currently shown. You can also select a range or marked packets. The default format is .pcapng. This is useful for sharing a subset of a capture.

