Wireshark is the world's most widely used network protocol analyzer, and it is an indispensable tool in the hacker's arsenal. Whether you are debugging a failed exploit, analyzing malware communication, or hunting for credentials in captured traffic, Wireshark gives you the ability to see exactly what is happening on the wire. In this hands-on lesson, you will learn to capture, filter, and analyze packets like a professional.
Wireshark is pre-installed on Kali Linux and available for all major operating systems. When you open it, you will see a list of available network interfaces. Select the active interface and click the shark fin icon to start capturing (on Linux, capturing requires root or membership in the wireshark group, which lets the dumpcap capture helper run with the needed capabilities). You will immediately see packets flowing in real time; this can be overwhelming at first, which is why display filters are your best friend.
Display filters are the most important Wireshark skill. They let you focus on exactly the traffic you care about by hiding everything else from view (capture filters, set before you start, decide what gets recorded at all). Here are the filters every hacker should memorize:
| Filter | Purpose |
|---|---|
| tcp.port == 80 | TCP traffic on port 80 in either direction (HTTP on its default port; use http to match HTTP on any port) |
| ip.addr == 192.168.1.100 | All traffic to or from a specific IP |
| ip.src == 10.0.0.5 | Traffic from a specific source |
| tcp.flags.syn == 1 && tcp.flags.ack == 0 | Only initial SYN packets, not the SYN-ACK replies (port scan detection) |
| dns | All DNS queries and responses |
| http.request | Only HTTP requests (not responses) |
| tcp contains "password" | Case-sensitive byte search in the TCP header and payload (use tcp matches "(?i)password" for a case-insensitive match) |
| arp | All ARP traffic |
| tcp.stream eq 0 | Only the packets of one TCP conversation (stream index 0; the index is shown in the TCP header details) |
| !(arp or dns or dhcp) | Exclude noisy protocols (the dhcp filter was named bootp before Wireshark 3.0) |
One of Wireshark's most powerful features is the ability to reconstruct an entire TCP conversation. Right-click any packet in a stream and select Follow → TCP Stream. This reassembles all the data exchanged in that connection, both directions in sequence order, which is invaluable for extracting credentials, analyzing malware C2, or understanding protocol behavior. The same menu offers UDP and TLS streams, but a followed TLS stream shows only ciphertext unless you give Wireshark the session keys (for example a client's SSLKEYLOGFILE, configured under the TLS protocol preferences).
💡 If you see plaintext credentials in a TCP stream, that is a critical finding in a penetration test. Many legacy protocols (FTP, Telnet, HTTP, SMTP, POP3, IMAP) transmit credentials in cleartext unless they are wrapped in TLS. Always document these findings with screenshots plus the packet numbers and timestamps, so the finding can be reproduced from the saved capture.
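As an added illustration (not code from the original lesson), the following Python script does what Follow → TCP Stream does under the hood: it reassembles one direction of a connection from its segments and then scans the result for the cleartext credentials the tip above warns about. The FTP and HTTP conversations in it are constructed samples, not a real capture; the make_segments helper assigns sequence numbers only so that the sample is self-consistent, whereas a real tool reads them from the TCP header. It goes slightly beyond the text by handling out-of-order, retransmitted and missing segments, and by decoding HTTP Basic authentication, which is base64 encoding and not encryption.

```python
import base64
import re


def make_segments(direction, start_seq, payloads):
    """Assign consecutive TCP sequence numbers to a list of payloads.
    In a real capture these numbers come from the TCP header; this helper
    only exists so the constructed sample below is internally consistent."""
    segments, seq = [], start_seq
    for payload in payloads:
        segments.append((direction, seq, payload))
        seq += len(payload)
    return segments


# Constructed FTP control connection (not a real capture). Segments are listed in
# the order a capture might deliver them: the client's PASS segment arrives after
# SYST and is then retransmitted, so reassembly has to reorder and deduplicate.
_client = make_segments("client", 3000, [b"USER alice\r\n", b"PASS hunter2\r\n", b"SYST\r\n"])
_server = make_segments("server", 1000, [b"220 FTP server ready\r\n",
                                         b"331 Password required\r\n", b"230 Login OK\r\n"])
FTP_CAPTURE = [_server[0], _client[0], _server[1], _client[2], _client[1], _server[2], _client[1]]

# Constructed HTTP request carrying a Basic Authorization header (single segment).
HTTP_CAPTURE = make_segments("client", 7000, [
    b"GET /admin HTTP/1.1\r\nHost: intranet.example.test\r\n"
    b"Authorization: Basic Ym9iOnMzY3JldA==\r\n\r\n"])


def reassemble(segments, direction):
    """Rebuild one direction of a conversation the way Follow > TCP Stream does:
    sort by sequence number, drop retransmitted or overlapping bytes, and mark
    any hole where a segment is missing from the capture."""
    data, next_seq = b"", None
    for _, seq, payload in sorted((s for s in segments if s[0] == direction), key=lambda s: s[1]):
        if next_seq is None:
            next_seq = seq
        if seq + len(payload) <= next_seq:
            continue                                   # pure retransmission: nothing new
        if seq < next_seq:                             # partial overlap: keep only the new tail
            payload, seq = payload[next_seq - seq:], next_seq
        if seq > next_seq:                             # hole in the capture
            data += b"[%d bytes missing]" % (seq - next_seq)
        data += payload
        next_seq = seq + len(payload)
    return data


# (label, regex whose group 1 is the secret); applied to the reassembled client stream
CREDENTIAL_PATTERNS = [
    ("FTP/POP3 login",   re.compile(rb"^(?:USER|PASS) ([^\r\n]+)", re.M)),
    ("HTTP Basic auth",  re.compile(rb"^Authorization: Basic ([A-Za-z0-9+/=]+)", re.M)),
    ("URL-encoded form", re.compile(rb"(?:^|&)(?:pass(?:word)?|pwd)=([^&\r\n]+)", re.M | re.I)),
]


def find_credentials(stream):
    """Return (label, matched text, recovered secret) for each cleartext credential."""
    findings = []
    for label, pattern in CREDENTIAL_PATTERNS:
        for m in pattern.finditer(stream):
            secret = m.group(1)
            if label == "HTTP Basic auth":
                secret = base64.b64decode(secret)      # yields user:password
            findings.append((label, m.group(0).decode(errors="replace"),
                             secret.decode(errors="replace")))
    return findings


def audit(capture):
    """Reassemble the client side of a capture and report the credentials in it."""
    client = reassemble(capture, "client")
    return client, find_credentials(client)


if __name__ == "__main__":
    for name, cap in (("FTP", FTP_CAPTURE), ("HTTP", HTTP_CAPTURE)):
        stream, found = audit(cap)
        print(name, "client stream:", stream)
        for label, text, secret in found:
            print("  CRITICAL:", label, "|", text, "=>", secret)
```

Both directions are reassembled independently, exactly as Wireshark colours them in the Follow dialog (client in one colour, server in the other); the server side is available through reassemble(FTP_CAPTURE, "server") if you want the full dialogue.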
Wireshark is GUI-based, but sometimes you need to capture packets on a remote server or headless system. tcpdump is the command-line equivalent and is available on virtually every Unix-like system; it writes captures to a pcap file that you can copy back and open in Wireshark. Wireshark also ships its own command-line analyzer, tshark, which accepts the same display filters as the GUI.
One of the most practical uses of Wireshark for hackers is analyzing your own scans to understand what they look like on the wire. This helps you understand what the target's IDS/IPS sees and how to modify your technique.
What a SYN Scan Looks Like in Wireshark:
Packet 1: [SYN] Src: 192.168.1.100:45678 → Dst: 10.0.0.5:22
Packet 2: [SYN, ACK] Src: 10.0.0.5:22 → Dst: 192.168.1.100:45678 → Port OPEN
Packet 3: [SYN] Src: 192.168.1.100:45679 → Dst: 10.0.0.5:80
Packet 4: [SYN, ACK] Src: 10.0.0.5:80 → Dst: 192.168.1.100:45679 → Port OPEN
Packet 5: [SYN] Src: 192.168.1.100:45680 → Dst: 10.0.0.5:443
Packet 6: [RST, ACK] Src: 10.0.0.5:443 → Dst: 192.168.1.100:45680 → Port CLOSED
After each SYN-ACK the scanner answers with a RST of its own (not shown) instead of completing the handshake, which is why this is called a half-open scan; many SYNs from one source to many ports, with no data ever exchanged, is exactly the pattern an IDS keys on. A port that never answers appears as a SYN with no reply and is retried; nmap reports it as filtered.
Filter to see SYN packets: tcp.flags.syn == 1 && tcp.flags.ack == 0
Wireshark can extract files that were transferred over the network. If someone downloaded a file over HTTP or transferred it via FTP, you can reconstruct the original file from the packet capture. Go to File → Export Objects → HTTP to see all files in the capture and save any of them to disk; the same submenu has entries for other protocols such as SMB and TFTP. This only works for traffic captured in the clear: an HTTPS download yields nothing unless you have the TLS keys. For an FTP transfer you can also follow the data connection's TCP stream, switch the dialog to show the data as Raw, and save it as a file.
⚠️ Capturing traffic on networks you do not own may violate wiretapping laws. Even on authorized engagements, be aware of privacy regulations (GDPR, HIPAA) that may apply to captured data. Always define capture scope in your rules of engagement.