🎯 Lab Objectives
- Select the correct capture interface and start a live capture
- Write display filters to isolate specific traffic
- Follow TCP and HTTP streams to read full conversations
- Extract cleartext credentials from FTP, Telnet, and HTTP
- Identify suspicious traffic patterns and anomalies
- Use tshark and tcpdump for command-line packet capture
Step 1 — Starting a Capture
Open Wireshark and select your active network interface. Use eth0 for wired, wlan0 for wireless, or lo for loopback traffic.
# Launch Wireshark (GUI)
sudo wireshark &
# Or capture and open a file
sudo tcpdump -i eth0 -w capture.pcap
wireshark capture.pcap
# List available interfaces
sudo wireshark -D
sudo tshark -D
Wireshark opens saved .pcap or .pcapng files.
Step 2 — Display Filters
Display filters narrow down what you see without affecting what has been captured. Their syntax is different from capture-filter syntax.
# Filter by protocol
http
dns
ftp
ssh
tcp
udp
icmp
arp
# Filter by IP address
ip.addr == 192.168.1.1
ip.src == 10.10.10.5
ip.dst == 8.8.8.8
# Filter by port
tcp.port == 80
tcp.port == 22 or tcp.port == 23
udp.port == 53
# HTTP GET requests only
http.request.method == "GET"
http.request.method == "POST"
# HTTP responses with specific status codes
http.response.code == 200
http.response.code == 401
# Search packet contents
frame contains "password"
frame contains "login"
# DNS queries for a specific domain
dns.qry.name contains "google"
# Combine filters with and/or
ip.src == 192.168.1.100 and http
tcp.port == 80 or tcp.port == 443
# Show only TCP SYN packets (connection attempts)
tcp.flags.syn == 1 and tcp.flags.ack == 0
Step 3 — Capture Filters
Capture filters are applied before packets are stored, so use them on busy networks to reduce file size. They use BPF (Berkeley Packet Filter) syntax, which differs from display-filter syntax.
# Only capture HTTP traffic
port 80
# Only from/to a specific host
host 192.168.1.1
# Specific subnet
net 192.168.1.0/24
# Exclude SSH (so your own session isn't captured)
not port 22
# Only TCP SYN packets
tcp[tcpflags] == tcp-syn
# DNS traffic only
udp port 53
Step 4 — Following TCP Streams
Following a stream reconstructs the full conversation between client and server, letting you read the exchanged data as plaintext.
Right-click any packet → Follow → TCP Stream
Or use the menu: Analyze → Follow → TCP Stream. The stream shows client data in red and server responses in blue.
# Keyboard shortcut: select a packet and press Ctrl+Alt+Shift+T
# For HTTP traffic specifically:
# Analyze → Follow → HTTP Stream
# This decodes chunked encoding and shows clean HTTP
# Export HTTP objects (images, files, downloads):
# File → Export Objects → HTTP
Step 5 — Extracting Credentials
Cleartext protocols like FTP, Telnet, HTTP Basic Auth, and POP3 transmit passwords in plaintext, so they are easily captured.
# Find FTP credentials
ftp
# Look for USER and PASS commands in packet list
# Filter Telnet
telnet
# Follow TCP stream → entire session is plaintext
# HTTP Basic Authentication
http.authorization
# Authorization header contains base64-encoded user:password
# Decode it:
echo "dXNlcjpwYXNzd29yZA==" | base64 -d
# user:password
# HTTP POST login forms
http.request.method == "POST"
# Follow stream → look for username= and password= in the body
# POP3 email credentials
pop
# USER and PASS commands visible in stream
# SMTP credentials
smtp
# AUTH LOGIN followed by base64-encoded credentials
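Added example, not part of the original lab: a script that turns the HTTP Basic and FTP checks above into an inventory of exposed accounts, so the affected credentials can be rotated. It reads tshark field dumps (`-e ip.src -e ip.dst -e http.authorization` and `-e ip.src -e ip.dst -e ftp.request.command -e ftp.request.arg`) and reports the user while masking the password; the embedded dumps are constructed samples.

```python
import base64

# Constructed sample of: tshark -r capture.pcap -Y http.authorization \
#   -T fields -e ip.src -e ip.dst -e http.authorization
HTTP_AUTH_FIELDS = """\
10.10.10.5\t10.10.10.80\tBasic dXNlcjpwYXNzd29yZA==
10.10.10.6\t10.10.10.80\tBearer opaque-token-123
10.10.10.7\t10.10.10.80\tBasic !!not-base64!!
"""

# Constructed sample of: tshark -r capture.pcap -Y ftp.request \
#   -T fields -e ip.src -e ip.dst -e ftp.request.command -e ftp.request.arg
FTP_FIELDS = """\
10.10.10.5\t10.10.10.21\tUSER\talice
10.10.10.5\t10.10.10.21\tPASS\thunter2
10.10.10.5\t10.10.10.21\tLIST\t
10.10.10.9\t10.10.10.21\tUSER\tanonymous
10.10.10.9\t10.10.10.21\tPASS\tguest@example.com
"""

def basic_auth_exposures(fields_output):
    """(src, dst, user, masked_password) per HTTP Basic header. Other schemes
    and undecodable values are skipped rather than guessed at."""
    found = []
    for line in filter(str.strip, fields_output.splitlines()):
        src, dst, header = line.split("\t")
        scheme, _, token = header.partition(" ")
        if scheme != "Basic":
            continue
        try:  # binascii.Error and UnicodeDecodeError are both ValueErrors
            creds = base64.b64decode(token, validate=True).decode()
        except ValueError:
            continue
        user, _, password = creds.partition(":")
        found.append((src, dst, user, "*" * len(password)))
    return found

def ftp_exposures(fields_output):
    """Pair each USER with the PASS that follows it on the same client/server
    pair; the password is reported only as a masked length."""
    pending, found = {}, []
    for line in filter(str.strip, fields_output.splitlines()):
        src, dst, command, arg = line.split("\t")
        if command == "USER":
            pending[(src, dst)] = arg
        elif command == "PASS" and (src, dst) in pending:
            found.append((src, dst, pending.pop((src, dst)), "*" * len(arg)))
    return found
```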
Step 6 — Protocol Analysis
# ARP: detect ARP poisoning/spoofing
arp
# Two different MACs claiming the same IP = ARP spoofing
arp.duplicate-address-detected
# DNS: spot data exfiltration or suspicious lookups
dns
# Very long subdomain queries can indicate DNS tunnelling
dns.qry.name.len > 50
# ICMP: ping sweeps, tunnelling
icmp
# Echo requests
icmp.type == 8
# Echo replies
icmp.type == 0
# TCP RST storms (port scan detection)
tcp.flags.reset == 1
# Statistics → Protocol Hierarchy
# Shows a breakdown of all protocols in the capture; great for an overview
# Statistics → Conversations
# Shows all connections sorted by bytes; find the heaviest talkers
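Added example, not part of the original lab: the ARP-spoofing and DNS-tunnelling checks above automated over tshark field output. It expects the output of `tshark -r capture.pcap -Y arp -T fields -e arp.src.proto_ipv4 -e arp.src.hw_mac` and `tshark -r capture.pcap -Y "dns.flags.response==0" -T fields -e ip.src -e dns.qry.name`, flags any IP claimed by more than one MAC, and lists query names over the 50-character threshold; the embedded samples are constructed.

```python
from collections import defaultdict

# Constructed sample of: tshark -r capture.pcap -Y arp \
#   -T fields -e arp.src.proto_ipv4 -e arp.src.hw_mac
ARP_FIELDS = """\
192.168.1.1\t00:11:22:33:44:01
192.168.1.50\t00:11:22:33:44:50
192.168.1.1\tde:ad:be:ef:00:01
192.168.1.1\t00:11:22:33:44:01
"""

# Constructed sample of: tshark -r capture.pcap -Y "dns.flags.response==0" \
#   -T fields -e ip.src -e dns.qry.name
DNS_FIELDS = """\
192.168.1.50\twww.google.com
192.168.1.50\t4d6f6e6461792073656372657420646174612062617463682031.tunnel.example
192.168.1.60\tupdates.example.org
192.168.1.50\t74756573646179207365636f6e64206368756e6b2068657265.tunnel.example
"""

def arp_conflicts(fields_output):
    """Return {ip: sorted MACs} for every IP claimed by more than one MAC,
    the condition behind Wireshark's arp.duplicate-address-detected."""
    claims = defaultdict(set)
    for line in filter(str.strip, fields_output.splitlines()):
        ip, mac = line.split("\t")
        claims[ip].add(mac.lower())
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}

def long_dns_queries(fields_output, threshold=50):
    """Return (client, name) pairs whose query name is longer than threshold,
    the scripted counterpart of the display filter dns.qry.name.len > 50."""
    hits = []
    for line in filter(str.strip, fields_output.splitlines()):
        client, name = line.split("\t")
        if len(name) > threshold:
            hits.append((client, name))
    return hits

if __name__ == "__main__":
    for ip, macs in arp_conflicts(ARP_FIELDS).items():
        print(f"ARP conflict: {ip} claimed by {', '.join(macs)}")
    for client, name in long_dns_queries(DNS_FIELDS):
        print(f"Long DNS query from {client}: {name} ({len(name)} chars)")
```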
Step 7 — tshark (CLI Wireshark)
tshark is the command-line version of Wireshark. Essential for remote servers and scripting.
# Capture on eth0, 100 packets
sudo tshark -i eth0 -c 100
# Save to file
sudo tshark -i eth0 -w capture.pcap
# Read a capture file with display filter
tshark -r capture.pcap -Y "http"
# Extract specific fields
tshark -r capture.pcap -Y "http.request" \
-T fields -e ip.src -e http.host -e http.request.uri
# Find POST data
tshark -r capture.pcap -Y 'http.request.method == "POST"' \
-T fields -e http.file_data
# Extract all DNS queries
tshark -r capture.pcap -Y "dns.flags.response==0" \
-T fields -e dns.qry.name | sort -u
Step 8 — tcpdump Basics
# Capture all traffic on eth0
sudo tcpdump -i eth0
# Capture and save to file
sudo tcpdump -i eth0 -w /tmp/capture.pcap
# Show packet contents in ASCII
sudo tcpdump -i eth0 -A
# Filter by host
sudo tcpdump -i eth0 host 192.168.1.1
# Filter HTTP traffic and show ASCII
sudo tcpdump -i eth0 -A -s 0 'tcp port 80'
# Capture DNS
sudo tcpdump -i eth0 udp port 53
# Don't resolve hostnames (-n) and show full packets (-X)
sudo tcpdump -i eth0 -nX -s 0 port 21
Wireshark Display Filter Reference
| Filter | Description |
|---|---|
| http | All HTTP traffic |
| dns | All DNS traffic |
| ftp | FTP control channel |
| ftp-data | FTP data transfers |
| ip.addr == x.x.x.x | Traffic to/from IP |
| tcp.port == 80 | Traffic on port 80 |
| frame contains "pass" | Packets containing the string "pass" |
| http.request.method == "POST" | HTTP POST requests |
| tcp.flags.syn == 1 | TCP SYN packets |
| tcp.flags.reset == 1 | TCP RST packets |
| arp.duplicate-address-detected | ARP spoofing indicator |
| !(arp or dns or icmp) | Exclude noisy protocols |