Skip to content

SentinelHunter/Wireshark

Folders and files

NameName
Last commit message
Last commit date

Latest commit

ย 

History

1 Commit
ย 
ย 
ย 
ย 
ย 
ย 

Repository files navigation

๐Ÿฆˆ Wireshark Mastery โ€” WCA-101 + SOC / IR / Network Forensics Field Guide

A single, deep, practical reference to take you from "I can open a pcap" to passing the Wireshark Certified Analyst (WCA-101) exam and working real cases in a SOC, Incident Response, or Network Forensics role.

Everything here is applied knowledge: filters you can paste, header fields you must know cold, attacker traffic patterns, and troubleshooting workflows.

Focus Level Wireshark License


How to use this guide

This document is deliberately structured to serve two goals at once:

Goal How this guide serves it
Pass WCA-101 Every major section is tagged with the official exam domain and weight (e.g. ๐ŸŽฏ Domain 5.10 โ€” TCP (17%)). If it's on the exam, it's flagged.
Do real SOC / IR / forensics work Look for the ๐Ÿ” Analyst Lens callouts โ€” these turn each protocol into detection logic, IOCs, and hunt queries.

Recommended path:

  1. Read top-to-bottom once for the mental model.
  2. Do every filter in this guide against a real capture (start your own with File โ†’ Capture, or download sample pcaps โ€” see Practice Resources).
  3. Come back and use the Cheat Sheets as working reference.

Legend used throughout: ๐ŸŽฏ = maps to a WCA-101 exam objective ย โ€ขย  ๐Ÿ” = SOC/IR/Forensics application ย โ€ขย  โš ๏ธ = common mistake / exam trap ย โ€ขย  ๐Ÿ’ก = pro tip


๐Ÿ“‹ Table of Contents

Part I โ€” Foundations

  1. The WCA-101 Exam, Decoded
  2. How Packets Flow Through a Network
  3. Installing & First Capture
  4. The Wireshark Interface (every pane explained)

Part II โ€” Capturing Like a Pro ย ๐ŸŽฏ Domain 2 (10%) 5. Capture Methods: TAP, SPAN, Endpoint, Multi-point 6. Capture Options, Ring Buffers & Limits 7. Promiscuous vs Monitor Mode 8. Command-Line Capture: dumpcap, tshark, tcpdump

Part III โ€” Filtering ย ๐ŸŽฏ Domain 3 (12%) 9. Capture Filters (BPF) 10. Display Filters โ€” Complete Reference 11. Operators, Membership, and the ! Trap 12. Filter Buttons, Macros & the "incomplete results" trap

Part IV โ€” Interface Mastery ย ๐ŸŽฏ Domain 4 (5%) 13. Columns, Coloring Rules & the Minimap 14. Profiles โ€” your most underrated tool 15. Protocol Preferences & "Decode As"

Part V โ€” Key Features ย ๐ŸŽฏ Domain 1 (10%) 16. Find Packet, Marks, Comments & Time References 17. Name Resolution & Capture File Properties 18. Statistics: Protocol Hierarchy, Conversations, Endpoints, I/O Graph 19. Following Streams & Exporting Objects

Part VI โ€” Protocol Deep Dives ย ๐ŸŽฏ Domain 5 (43%) 20. Ethernet 5.1 21. ARP 5.2 22. IPv4 5.3 23. ICMPv4 5.4 24. IPv6 & ICMPv6 5.5โ€“5.6 25. UDP 5.7 26. DHCPv4 (DORA) 5.8 27. DNS 5.9 28. TCP โ€” the big one 5.10 (17%)

Part VII โ€” Application Layer & Troubleshooting ย ๐ŸŽฏ Domain 6 (20%) 29. HTTP / HTTPS / TLS 30. Troubleshooting Methodology & Scenarios 31. The Expert Information System

Part VIII โ€” Security Operations ย ๐Ÿ” SOC / IR / Forensics 32. Threat Hunting in pcap 33. Malware, C2 & Beaconing Detection 34. Data Exfiltration & DNS Tunneling 35. Network Forensics & Evidence Handling 36. A Repeatable IR Triage Workflow

Part IX โ€” Reference 37. Master Cheat Sheet 38. 30-Day Study Plan 39. Practice Resources


Part I โ€” Foundations

1. The WCA-101 Exam, Decoded

The Wireshark Certified Analyst (WCA-101) is the official Wireshark Foundation certification, launched June 2025, authored by Chris Greer and Ross Bagurdes with input from Gerald Combs (Wireshark's creator).

Exam facts

Attribute Detail
Questions 50โ€“60
Question types Multiple choice/selection, matching, fill-in-the-blank
Time 120 minutes
Delivery Kryterion / Webassessor โ€” testing center or online, human-proctored (webcam + mic)
Allowed Pen/pencil + blank paper only. No notes, devices, or software.
Retake One attempt per 15 days
Validity 3 years (renew by retaking)
Practice exam ~US $29 via Webassessor (worth it โ€” gives per-question feedback)

Exam domains & weightings (memorize this table)

# Domain Weight
1.0 Utilize key features of Wireshark 10%
2.0 Methods of capturing traffic 10%
3.0 Capture and display filters 12%
4.0 Configure/adapt the Wireshark interface 5%
5.0 Common network protocols 43%
โ€” โ†ณ of which TCP alone (17%)
โ€” โ†ณ non-TCP protocols (27%)
6.0 Troubleshoot common protocol issues 20%

โš ๏ธ Where the exam is won or lost: Domains 5 (protocols, 43%) and 6 (troubleshooting, 20%) are 63% of your score, and TCP alone is 17% and scored separately. If your TCP and troubleshooting are weak, you fail regardless of everything else. Spend your study time proportionally.

๐Ÿ” Good news for security folks: the exam's protocol depth is your forensics/IR foundation. You cannot detect a malicious TCP session, a beacon, or DNS tunneling if you don't first understand what normal looks like at the byte level. This guide teaches "normal" and "malicious" side by side.


2. How Packets Flow Through a Network

๐ŸŽฏ Domain 5/6 explicitly test "describe packet flow through a data network" and "determine network topology only using information in a packet capture." This mental model is the backbone of everything.

Encapsulation โ€” the nesting doll

Every packet Wireshark shows you is a set of nested headers. Data is wrapped as it goes down the sending stack and unwrapped going up the receiving stack.

โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚ Ethernet Header โ”‚ IP Header โ”‚ TCP Header โ”‚  Application Data   โ”‚  Ethernet FCS
โ”‚  (Layer 2)      โ”‚ (Layer 3) โ”‚ (Layer 4)  โ”‚  (Layer 7)          โ”‚  (dropped by NIC)
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
   Dest/Src MAC     Dest/Src IP  Dest/Src Port   HTTP / DNS / TLS...
   EtherType        TTL, Proto   Seq/Ack, Flags

Wireshark's Packet Details pane shows exactly this stack, one expandable tree per layer, top (Frame) to bottom (application).

What changes at each hop (critical for topology & TTL analysis)

As a packet crosses a router (Layer 3 hop):

Field Changes at each router? Why it matters
Source/Dest MAC โœ… Yes โ€” rewritten every hop MAC is only locally significant. The MAC you see is the last device that forwarded the frame to your capture point.
Source/Dest IP โŒ No (unless NAT) End-to-end identity. NAT is the exception (see ยง22).
TTL โœ… Decremented by 1 each router Lets you estimate hop distance from the capture point.
IP Total Length / payload โŒ No (unless fragmentation) โ€”

๐Ÿ’ก The single most useful topology trick: Look at the TTL of arriving packets and compare to the sender's typical OS default (Windows = 128, Linux/macOS = 64, many network devices = 255). If a Linux host's packets arrive with TTL 61, they crossed 64 โˆ’ 61 = 3 routers to reach your capture point. ๐ŸŽฏ Domain 5.3: "Predict most likely distance, in hops, from the capturing device."

Layer 2 vs Layer 3 delivery โ€” the switch/router divide

  • Same subnet (Layer 2): Host ARPs for the destination's MAC, frames go switchโ†’switch, IP unchanged, MAC = actual destination.
  • Different subnet (Layer 3): Host ARPs for its default gateway's MAC, sends the frame to the router's MAC (but the destination IP is the far-away host). The router then forwards on. This is why dest MAC โ‰  dest IP owner when talking off-subnet โ€” a classic exam matching question.

๐Ÿ” Forensics application: In a capture, if you see a host sending to many external IPs but always to the same destination MAC, that MAC is the gateway/router. Mapping MACโ†”IP relationships reconstructs the local topology from a single pcap โ€” exactly what you do when you're handed an unknown capture in an IR case.


3. Installing & First Capture

Install

  • Windows / macOS: download from wireshark.org/download. On Windows, install Npcap (bundled) โ€” it's the packet capture driver. Check "Install Npcap in WinPcap API-compatible mode" if older tools need it.
  • Linux: sudo apt install wireshark (Debian/Ubuntu) or sudo dnf install wireshark. During install, allow non-root capture so you don't have to run Wireshark as root (it adds you to the wireshark group; log out/in after).
  • Never run Wireshark as root/admin for routine work โ€” the dissectors parse hostile input; a capture-only helper (dumpcap) runs with elevated rights instead. This is a security best practice and a forensics integrity practice.

Your first capture in 30 seconds

  1. Launch Wireshark โ†’ the Welcome screen lists interfaces, each with a live sparkline showing traffic. Pick the busy one (usually Wi-Fi or Ethernet/eth0).
  2. Double-click it โ†’ capture starts, packets stream in.
  3. Type http in the display filter bar, press Enter โ†’ only HTTP shows.
  4. Click the red โน Stop button.
  5. File โ†’ Save As โ†’ choose pcapng (the modern default) or pcap (max compatibility).

โš ๏ธ Exam trap โ€” pcap vs pcapng ๐ŸŽฏ Domain 1: pcapng (next-gen) supports multiple interfaces in one file, per-packet comments, capture metadata, and nanosecond timestamps. pcap (legacy libpcap) is simpler and more portable to old tools but lacks comments/metadata. Wireshark defaults to pcapng. If a tool "loses your comments," you saved as pcap.


4. The Wireshark Interface

๐ŸŽฏ Domain 4.0: "Identify key components of the GUI." Know every pane by name.

โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚  Menu bar   |   Main toolbar (start/stop/restart, navigation)          โ”‚
โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค
โ”‚  [ Display filter bar ]  โ† type filters here; green=valid, red=invalid โ”‚
โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค
โ”‚ โ”ƒ PACKET LIST PANE (top)                                             โ”ƒ โ”‚  โ† minimap
โ”‚ โ”ƒ  No. | Time | Source | Destination | Protocol | Length | Info      โ”ƒ โ”‚     (colored
โ”‚ โ”ƒ  1     0.000  10.0.0.5   10.0.0.1     TCP        74   [SYN] ...      โ”ƒ โ”‚     sidebar)
โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค
โ”‚  PACKET DETAILS PANE (middle) โ€” expandable protocol tree               โ”‚
โ”‚   โ–ธ Frame 1: 74 bytes on wire                                          โ”‚
โ”‚   โ–ธ Ethernet II, Src: ..., Dst: ...                                    โ”‚
โ”‚   โ–ธ Internet Protocol Version 4, Src: ..., Dst: ...                    โ”‚
โ”‚   โ–ธ Transmission Control Protocol, Src Port: ..., Dst Port: ...        โ”‚
โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค
โ”‚  PACKET BYTES PANE (bottom) โ€” raw hex + ASCII                          โ”‚
โ”‚   0000  00 1a 2b 3c 4d 5e ...   ..+<M^....                             โ”‚
โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค
โ”‚  Status bar: expert severity dot | profile | packet counts            โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜

The three panes you live in

Pane What it is Analyst use
Packet List (top) One row per packet. Columns are customizable. 90% of triage happens here โ€” scan Info + colors.
Packet Details (middle) The decoded protocol tree for the selected packet. Click any field โ†’ its bytes highlight below and its filter name shows in the status bar.
Packet Bytes (bottom) Raw hex + ASCII. Confirm ground truth; spot cleartext creds, hidden strings, exfil.

๐Ÿ’ก The link between panes is a superpower. Click a field in the Details pane โ†’ the exact bytes highlight in the Bytes pane, and the bottom-left status bar shows the display filter field name (e.g. tcp.flags.syn). This is how you learn filter syntax without memorizing it โ€” click the field you care about, read its name, right-click โ†’ Apply as Filter.

โš ๏ธ Exam trap โ€” brackets [ ] ๐ŸŽฏ Domain 1: "Distinguish actual bytes captured from fields generated by dissectors." Anything Wireshark shows in square brackets โ€” like [SYN, ACK], [Stream index: 0], [iRTT], [Bytes in flight], [Calculated window size] โ€” is generated by Wireshark, not real bytes on the wire. You will get a question about this. Fields not in brackets came from the packet itself.


Part II โ€” Capturing Like a Pro ย ๐ŸŽฏ Domain 2 (10%)

5. Capture Methods

๐ŸŽฏ "Compare and contrast the benefits of different methods for traffic capture." This is a guaranteed exam question. Learn the trade-offs.

Method How Sees Pros Cons / Gotchas
Direct on endpoint Run Wireshark on the host itself Only that host's own traffic Zero extra hardware; easy Only one host; capture process can alter/observe its own traffic; misses dropped-before-stack frames
Port Mirror (SPAN) Switch copies traffic from port(s)/VLAN to a monitor port Everything on mirrored ports/VLAN No inline device; flexible Switch drops mirrored frames under load (oversubscription); may drop errored frames, strip VLAN tags, and doesn't guarantee timing accuracy
Network TAP Passive hardware inserted inline on a link 100% of link traffic, both directions Most reliable & complete; passive (fails safely); preserves errors & timing Costs money; must be placed inline (brief link cut to install); full-duplex TAP presents 2 streams to merge
Infrastructure device Capture on router/firewall itself (e.g. debug, embedded capture) Traffic transiting that device No extra gear; good vantage point Can burden the device; limited buffer; often post-routing (MACs rewritten)
Multi-point capture Capture at several locations simultaneously Same flow from multiple vantage points Locate where loss/latency is introduced; compare in vs out Must time-sync captures (NTP/PTP); more data to correlate

๐Ÿ’ก TAP vs SPAN โ€” the exam's favorite comparison: A TAP is passive hardware that copies every bit including errors and never drops under load; a SPAN/mirror is a switch software feature that is convenient but can drop packets, drop errors, and reorder when the switch is busy. For forensics/evidence, prefer a TAP โ€” completeness and integrity matter.

๐Ÿ” Analyst placement strategy: Where you capture determines what you can prove.

  • Suspected exfiltration? Capture at the internet egress (outside the firewall / on the TAP feeding your NDR).
  • Lateral movement? Capture east-west at distribution/core or on the segment of interest โ€” north-south egress won't show it.
  • Endpoint compromise, host-only case? Direct capture on the host (but assume malware may hide from a host-based capture; a network vantage is harder to evade).

6. Capture Options, Ring Buffers & Limits

Open with Capture โ†’ Options (or the โš™ gear). Key controls:

Interface & mode

  • Pick interface(s) โ€” you can select multiple in one capture (pcapng only).
  • Promiscuous mode checkbox (see ยง7).
  • Snap length (snaplen): bytes captured per packet. Default = full packet. Set it small (e.g. 96) to capture headers only on high-volume links to save disk โ€” but you'll lose payload (bad for forensics/object extraction).
  • Buffer size: kernel capture buffer; raise it on busy links to avoid drops.

Output / autostop / ring buffer

๐ŸŽฏ "Limit capture by file size, packets, or duration" and "Implement a Ring Buffer."

Long, unattended captures (a common SOC/forensics need โ€” "capture until the intermittent problem recurs") use ring buffers so you never fill the disk:

Capture โ†’ Options โ†’ Output tab:
  โ”Œ Output format: pcapng
  โ”œ File: /captures/case42.pcapng
  โ”œ [โœ“] Create a new file automatically after:
  โ”‚       [ 100 ] megabytes        โ† or after N seconds / packets
  โ”” [โœ“] Use a ring buffer with [ 20 ] files
  • Ring buffer with N files: Wireshark writes case42_00001_<timestamp>.pcapng, rolls to _00002, ... and when it reaches file N it overwrites the oldest. You always keep the most recent N files worth of traffic. Perfect for "let it run for days, grab the window around the incident."
  • Autostop conditions (Options โ†’ Stop capture automatically after): stop after X files / packets / seconds / MB. Combine: "stop after 1 hour OR 1 GB."
Control Where Use case
Files (ring) Output tab Continuous monitoring without filling disk
Autostop: packets Options Grab exactly N packets then stop
Autostop: duration Options Time-boxed capture (e.g. 60s baseline)
Autostop: filesize Options Cap a single file's size

๐Ÿ’ก Start / Stop / Restart ๐ŸŽฏ: the toolbar has all three. Restart (โŸณ) stops and immediately starts a fresh capture โ€” handy to clear a noisy buffer right before triggering the behavior you want to record.

๐Ÿ” Forensics tip: For an evidence capture, prefer dumpcap (see ยง8) over the GUI โ€” it's leaner, less likely to drop, and doesn't run the (attackable) dissectors while capturing. Capture broad (no filter), preserve the original file untouched, and analyze a copy.


7. Promiscuous vs Monitor Mode

๐ŸŽฏ "Describe the purpose of using promiscuous or monitor mode during a capture." Know the difference precisely โ€” it's a classic fill-in-the-blank.

Mode Layer What it does Without it
Promiscuous mode Wired (and Wi-Fi, associated) NIC keeps all frames it hears, not just those addressed to its own MAC or broadcast/multicast NIC drops frames not destined to it โ€” you'd only see your own host's traffic
Monitor mode (rfmon) Wireless only Radio captures 802.11 frames from all nearby networks without associating to any AP; sees management/control frames, beacons, other SSIDs You only see traffic of the network you're joined to, already decrypted to look like Ethernet

Key nuances:

  • Promiscuous mode on a switched network shows little extra โ€” a switch only forwards unicast to the correct port. You still only see broadcast/multicast + your own traffic unless you're on a SPAN port, TAP, or hub. This surprises people: "I enabled promiscuous mode but still only see my traffic" โ†’ because the switch is filtering, not your NIC.
  • Monitor mode is for Wi-Fi analysis (rogue AP hunting, deauth attacks, capturing WPA handshakes). Support is OS/driver dependent โ€” best on Linux/macOS; often unavailable on Windows without special adapters.

๐Ÿ” SOC/IR use of monitor mode: detecting deauthentication floods (wlan.fc.type_subtype == 0x0c), rogue/evil-twin APs (unexpected BSSIDs beaconing your SSID), and capturing the 4-way handshake for authorized WPA2 audits.


8. Command-Line Capture

๐ŸŽฏ "Capture traffic using command line tools." You must know what each tool is for.

Tool Role Notes
dumpcap The actual capture engine Wireshark & tshark call it under the hood. Leanest, least likely to drop. Use it for evidence-grade captures.
tshark Terminal Wireshark Full dissection, display filters, statistics โ€” no GUI. For scripting, remote boxes, huge files.
tcpdump Classic *nix sniffer Ubiquitous on servers; uses BPF (capture-filter) syntax; output is pcap you open in Wireshark.
editcap / mergecap / capinfos pcap surgery split/slice, merge, and summarize capture files.

Recipes you should know

# Capture 60s on eth0 to a ring buffer of 10x100MB files (unattended, disk-safe)
dumpcap -i eth0 -b filesize:100000 -b files:10 -w /captures/case.pcapng

# tcpdump on a remote server: only host 10.0.0.9, don't resolve names, full packets
tcpdump -i any host 10.0.0.9 -nn -s0 -w /tmp/host9.pcap

# tshark: read a file, apply a DISPLAY filter, print custom columns
tshark -r case.pcapng -Y "http.request" -T fields -e ip.src -e http.host -e http.request.uri

# tshark: live capture with a CAPTURE filter (BPF), stop after 1000 packets
tshark -i eth0 -f "tcp port 443" -c 1000 -w tls.pcapng

# capinfos: quick stats about a capture (great first step on unknown evidence)
capinfos case.pcapng

# editcap: slice out a time window from a huge evidence file (UTC)
editcap -A "2026-07-13 14:00:00" -B "2026-07-13 14:05:00" big.pcapng window.pcapng

# mergecap: combine multi-point captures into one time-ordered file
mergecap -w combined.pcapng site-a.pcapng site-b.pcapng

โš ๏ธ -f vs -Y in tshark โ€” -f is a capture filter (BPF, applied before capture, like tcpdump). -Y is a display filter (Wireshark syntax, applied after dissection). Mixing them up is a classic mistake.

๐Ÿ” Forensics workflow with the CLI: capinfos first (hashes, packet count, time range, interfaces) โ†’ editcap to carve the relevant window โ†’ analyze the copy in Wireshark โ†’ keep the original + its SHA256 untouched for chain of custody (ยง35).


Part III โ€” Filtering ย ๐ŸŽฏ Domain 3 (12%)

Filtering is the skill that separates people who use Wireshark from people who drown in it. There are two completely different filter languages โ€” mixing them up is the #1 beginner error.

Capture filters vs Display filters โ€” the fundamental split

๐ŸŽฏ "Compare and contrast Display Filters and Capture Filters." Guaranteed question.

Capture Filter Display Filter
When applied Before capture โ€” decides what's written to disk After capture โ€” decides what's shown
Syntax BPF (Berkeley Packet Filter), same as tcpdump Wireshark's own richer language
Reversible? โŒ No โ€” filtered-out packets are gone forever โœ… Yes โ€” just clear the filter, all packets return
Example host 10.0.0.5 and tcp port 443 ip.addr == 10.0.0.5 && tcp.port == 443
Where Capture โ†’ Options (or bar on Welcome screen) The main filter bar (green when valid)
Use it to Reduce volume on busy links; protect disk/privacy Zoom in on already-captured data

โš ๏ธ The golden rule: For forensics/IR, capture broadly, filter on display. A capture filter that's too tight throws away evidence you can never recover. Only use capture filters when volume genuinely forces it (e.g. multi-gig links, long unattended runs).

9. Capture Filters (BPF)

BPF is primitive-based: [protocol] [direction] [type] value, combined with and / or / not.

host 192.168.1.10            # traffic to OR from that IP
src host 192.168.1.10        # only from
dst host 192.168.1.10        # only to
net 10.0.0.0/8               # a whole subnet
port 53                      # TCP or UDP port 53
tcp port 443                 # TCP 443 only
udp port 53                  # DNS over UDP
portrange 1000-2000          # a range
ether host 00:1a:2b:3c:4d:5e # a MAC address
vlan 100                     # VLAN-tagged traffic, VLAN 100
tcp[13] & 2 != 0             # SYN bit set (byte 13 = flags, 0x02 = SYN)
not arp and not stp          # exclude noise
host 10.0.0.5 and tcp port 443   # combine with 'and'

๐Ÿ’ก BPF has no ==. It's host X, port Y, not ip.addr == X. If you type ip.addr == into the capture filter box, it's invalid. That word-based feel is how you remember you're in BPF land.

๐Ÿ” Useful evidence capture filters:

  • Everything to/from a suspect host: host 10.10.10.66
  • Exclude your own management noise: not host <your-jumpbox> and not port 22
  • Only a subnet under investigation: net 172.16.5.0/24

10. Display Filters โ€” Complete Reference

This is Wireshark's rich language. Format: protocol.field operator value.

The essential fields (know these cold for the exam)

# ---- Addressing ----
ip.addr == 10.0.0.5              # src OR dst is this IP  (see !  trap below)
ip.src == 10.0.0.5               # source only
ip.dst == 8.8.8.8                # destination only
eth.addr == 00:11:22:33:44:55    # MAC src or dst
ipv6.addr == 2001:db8::1

# ---- Ports & transport ----
tcp.port == 443                  # src or dst TCP 443
udp.port == 53
tcp.srcport == 49152
tcp.dstport == 80

# ---- Protocol name = "this layer is present" ----
tcp        udp        icmp       arp
dns        http       tls        dhcp       ftp        smb2

# ---- TCP analysis (the money filters โ€” see ยง28) ----
tcp.flags.syn == 1 && tcp.flags.ack == 0     # SYN only (connection attempts)
tcp.analysis.retransmission                  # retransmits
tcp.analysis.duplicate_ack                   # dup ACKs
tcp.analysis.zero_window                     # receiver stalled
tcp.analysis.flags                           # ALL expert TCP issues at once

# ---- Application ----
http.request.method == "POST"
http.response.code == 200
dns.qry.name contains "evil"
tls.handshake.type == 1          # ClientHello

Operators โ€” two syntaxes, same meaning

Meaning C-style English Example
equal == eq ip.src == 10.0.0.1
not equal != ne tcp.port != 80
greater > gt frame.len > 1000
less < lt tcp.window_size < 1000
โ‰ฅ / โ‰ค >= <= ge le ip.ttl <= 64
AND && and ip.src==X && tcp.port==443
OR || or dns || http
NOT ! not !arp

The power operators (these win exam questions and hunts)

contains   # byte-sequence / substring match (case-sensitive)
   http.user_agent contains "curl"
   frame contains "password"          # raw bytes anywhere in frame

matches    # regex (PCRE), case-insensitive with (?i)
   http.host matches "(?i)\\.(ru|cn|top)$"
   dns.qry.name matches "^[a-f0-9]{32}\\."   # hex-label DNS tunneling

in         # membership set  ๐ŸŽฏ explicitly on the exam
   tcp.port in {80 443 8080}
   ip.addr in {10.0.0.1 10.0.0.2 10.0.0.3}
   http.response.code in {400..599}    # ranges work too

[n:m]      # slice bytes: offset n, length m
   eth.dst[0:3] == 00:1a:2b            # match an OUI (vendor)
   frame[100:4] == aa:bb:cc:dd

๐ŸŽฏ Membership filters (tcp.port in {80,443}) are called out by name in Domain 3. They're cleaner than tcp.port==80 || tcp.port==443 and you will see one.

Building filters without typing โ€” the three GUI methods ๐ŸŽฏ

๐ŸŽฏ "Use multiple methods to create a display filter (manual entry, right click, drag/drop)."

  1. Manual entry โ€” type in the bar (autocomplete helps).
  2. Right-click a field in Packet Details โ†’ Apply as Filter โ†’ Selected (or Prepare as Filter to edit before applying). Sub-options: ...and Selected, ...or Selected, ...and not Selected build compound filters click-by-click.
  3. Drag & drop โ€” drag a field from the Details pane straight into the filter bar to append it.

๐Ÿ’ก Apply as Filter builds the filter and runs it; Prepare as Filter puts it in the bar so you can tweak it first. Also: right-click โ†’ Apply as Column turns any field into a permanent Packet List column (huge for triage โ€” see ยง13).

11. Operators, Membership, and the ! Trap

๐ŸŽฏ Domain 3 explicitly: "Identify the behavior of using ! (not) in different parts of filter logic by explaining the implicit 'any' and 'all' qualifiers." This is one of the most misunderstood topics in all of Wireshark and a favorite exam question. Read this twice.

The problem: ip.addr matches either field

ip.addr is true if src OR dst matches. Fields like this have an implicit "any" qualifier: "match if any address field equals X."

Now negate it. People write this to mean "exclude host 10.0.0.5":

ip.addr != 10.0.0.5      # โš ๏ธ DOES NOT do what you think

Because ip.addr != 10.0.0.5 expands to "is there any address field that is not 10.0.0.5?" In a packet 10.0.0.5 โ†’ 8.8.8.8, the dst (8.8.8.8) is "not 10.0.0.5", so the any test is true โ€” the packet is shown. You fail to exclude the host you wanted gone.

The fix: negate the whole expression

!(ip.addr == 10.0.0.5)     # โœ… correct: "not (any field is 10.0.0.5)"

This reads as "show packets where it is not the case that any address is 10.0.0.5" โ†’ truly excludes every packet touching 10.0.0.5.

The rule to memorize

You want โŒ Wrong (implicit any) โœ… Right
Exclude all traffic with host X ip.addr != X !(ip.addr == X)
Exclude a port entirely tcp.port != 80 !(tcp.port == 80)

๐Ÿ’ก Mental model: field != value means "at least one instance of this field โ‰  value" (any). !(field == value) means "no instance of this field == value" (all/none). When negating multi-instance fields (addresses, ports, which appear twice per packet), always wrap the equality in !( ).

๐Ÿ” Why analysts get burned by this: you're triaging an incident, you try to filter out a known-good host with ip.addr != 10.0.0.5, the noise doesn't go away, and you waste ten minutes. Now you know: !(ip.addr == 10.0.0.5).

Combining excludes cleanly (common IR pattern)

# Hide known-good chatter to reveal the anomalies
!(ip.addr == 10.0.0.1) && !(arp || dns || stp || nbns)

12. Filter Buttons, Macros & Traps

Filter buttons ๐ŸŽฏ "Create a button for easy access to a display filter"

Type a filter, then click the + at the right end of the filter bar โ†’ name it โ†’ it becomes a one-click button under the filter bar. Buttons are per-profile, so your "SOC" profile can carry a whole toolbar of hunt filters.

Great buttons to pre-build for SOC/IR:

Retransmits   โ†’  tcp.analysis.retransmission
Resets        โ†’  tcp.flags.reset == 1
SYN-no-SYNACK โ†’  tcp.flags.syn==1 && tcp.flags.ack==0
BigDNS        โ†’  dns && frame.len > 300
HTTP-POST     โ†’  http.request.method == "POST"
Cleartext-pw  โ†’  frame contains "password" || frame contains "passwd"

๐Ÿ’ก You can group buttons with // in the name (e.g. TCP//Retransmits) to make dropdown menus once you have many.

The "incomplete or excess results" trap ๐ŸŽฏ

๐ŸŽฏ "Identify situations where a display filter will show incomplete or excess results (e.g. filter for HTTP but don't see the TCP handshake)."

Display filters match per-packet on the layers present in that packet. Consequences:

  • Filter http โ†’ you lose the TCP handshake. The SYN/SYN-ACK/ACK and the pure-ACKs carry no HTTP layer, so they're hidden. You see requests/responses but not the connection setup or the ACKs. To see the whole conversation, right-click a packet โ†’ Follow โ†’ TCP Stream (auto-builds tcp.stream == N) or filter by the stream/port instead of the app protocol.
  • Reassembled data appears "in the wrong packet." With TCP reassembly on, a big HTTP response is shown against the last TCP segment that completed it; filtering http shows that one packet, not all the segments that carried the bytes.
  • Excess results from ip.addr/tcp.port โ€” the "any" behavior means a filter can catch more than you intended (see ยง11).

๐Ÿ’ก The fix nearly every time: when a display filter shows a confusing subset, switch to the conversation view: tcp.stream == N (from Follow Stream) shows every packet of that flow โ€” handshake, data, ACKs, teardown โ€” regardless of which app layer is present.


Part IV โ€” Interface Mastery ย ๐ŸŽฏ Domain 4 (5%)

13. Columns, Coloring Rules & Minimap

Columns โ€” "the importance of columns in troubleshooting" ๐ŸŽฏ

The default columns waste screen space. Custom columns put the exact evidence you need one glance away.

Two ways to add a column ๐ŸŽฏ "use multiple methods to add a column":

  1. Right-click a field in Packet Details โ†’ Apply as Column.
  2. Preferences โ†’ Appearance โ†’ Columns โ†’ +, set Type = Custom, and enter a field expression.

High-value columns to add (per-profile):

Column field Shows Why
tcp.stream Stream index Instantly group packets by conversation
tcp.analysis.ack_rtt ACK round-trip time Spot latency at a glance
ip.ttl TTL Topology/hop distance; spoofing hints
tcp.window_size Calculated window Spot zero-window / flow-control stalls
dns.qry.name Queried domain DNS triage without opening packets
http.host + http.request.uri Web target See where hosts are browsing/beaconing
frame.time_delta_displayed ฮ” from previous displayed packet Measure gaps between filtered packets (beacon intervals!)

๐Ÿ’ก Right-align numeric columns and drag to reorder. Column layouts are saved per profile โ€” build a "TCP-Troubleshooting" profile with latency/window columns and a "SOC-Hunt" profile with DNS/HTTP/host columns.

Coloring rules โ€” "highlight packets" ๐ŸŽฏ

View โ†’ Coloring Rules. Rules are display-filter expressions evaluated top-to-bottom; first match wins, and it colors the row in the Packet List. Wireshark ships with sensible defaults (black on red = TCP problems/resets, etc.).

Build custom rules for hunting:

# Name                Filter                                   Color
C2-suspect-ports   โ†’  tcp.port in {4444 1337 8443 9001}        red bg
Long-DNS           โ†’  dns && frame.len > 300                   orange bg
Cleartext-creds    โ†’  frame contains "password"                magenta bg
Outbound-to-rare   โ†’  ip.dst != 10.0.0.0/8 && tcp.flags.syn==1 yellow bg

โš ๏ธ Exam note: coloring rule = a display filter that colors rather than hides. Order matters (first match wins). You can temporarily disable/reorder rules. Colorize Conversation (right-click โ†’ Colorize Conversation) is a separate, quick, temporary way to tint all packets of one flow without writing a rule. ๐ŸŽฏ Domain 4 lists both.

Minimap (colored sidebar) ๐ŸŽฏ

The thin vertical strip to the right of the Packet List is the minimap (a.k.a. intelligent scrollbar). It renders the coloring of the whole capture in miniature, so a band of red = a cluster of TCP problems you can click straight to. Combined with good coloring rules, it lets you see where trouble is in a 500k-packet file without scrolling. ๐ŸŽฏ "Use the minimap to quickly locate packets of interest."

14. Profiles

๐ŸŽฏ "Describe the value of profiles. Create/modify/copy a profile." Underrated, absolutely on the exam.

A profile is a saved bundle of your entire working environment: columns, coloring rules, filter buttons, layout, capture filters, preferences, and "recent" display filters. Switch profiles to instantly reconfigure Wireshark for a task.

  • Switch/create: bottom-right of the status bar shows the current profile (e.g. Default). Right-click it โ†’ New / Copy / Manage Profiles. Copying an existing profile is the fast way to start.
  • Why it matters: you keep separate mental toolkits โ€” e.g. Default, TCP-Perf, SOC-Hunt, VoIP, DFIR-Casework โ€” each with its own columns, colors, and buttons, and you don't clutter one setup with another's noise.

๐Ÿ” A ready-made "DFIR" profile = stream-index & host columns + C2/cleartext coloring rules + a filter-button toolbar of hunt queries + name resolution off (ยง17). Set it up once, reuse on every case. Profiles live in the Wireshark config folder (Help โ†’ About โ†’ Folders โ†’ Personal configuration) and can be copied to a USB stick / git repo and dropped onto any analyst's machine.

15. Protocol Preferences & "Decode As"

Protocol preferences ๐ŸŽฏ "understand the importance of protocol preferences"

Edit โ†’ Preferences โ†’ Protocols (or right-click a protocol in Details โ†’ Protocol Preferences). These change how Wireshark dissects, which changes what you see. The ones that bite analysts:

Preference Effect When to change
TCP โ†’ Relative sequence numbers Show seq/ack starting at 0 (readable) vs raw Keep on for reading; turn off to match absolute values in another tool
TCP โ†’ Allow subdissector to reassemble TCP streams Reassemble app data across segments Turn off to see raw per-segment data; on for clean HTTP/TLS
TCP โ†’ Calculate conversation timestamps Enables tcp.time_delta / tcp.time_relative Turn on for beacon-interval & per-flow timing analysis
IPv4 โ†’ Validate checksum Flags bad IP checksums Off by default because checksum offload makes locally-captured outbound packets show bad checksums that aren't real (see below)

โš ๏ธ Checksum-offload trap: On the sending host, the NIC computes TCP/IP checksums after Wireshark captures the packet (hardware offload). So your outbound packets show "checksum incorrect" even though the wire is fine. Don't chase this ghost โ€” it's why checksum validation is off by default. A real bad checksum on inbound traffic is a different story.

"Decode As" ๐ŸŽฏ

Right-click a packet โ†’ Decode As... tells Wireshark to dissect traffic on a nonstandard port with a chosen dissector. Example: an app runs HTTP on TCP 8081; Wireshark shows it as generic "TCP." Decode As โ†’ HTTP โ†’ now port 8081 is fully dissected as HTTP for this session.

๐Ÿ” Huge for malware analysis: C2 loves oddball ports (HTTP on 8443, TLS on 4444). Decode As forces the right dissector so you can actually read the beacon. You can also use it to decode custom protocols or push a dissector onto a port the malware picked to evade naive tooling.


Part V โ€” Key Features ย ๐ŸŽฏ Domain 1 (10%)

16. Find, Marks, Comments & Time

Find Packet ๐ŸŽฏ

Ctrl+F opens the Find bar. Search by Display filter, Hex value, String, or Regex, and choose the pane to search (Packet list / details / bytes). String search across bytes is how you locate a filename, username, or IOC string anywhere in a capture.

Find โ†’ String โ†’ "confidential" โ†’ search Packet bytes  โ†’ jumps to any packet containing it
Find โ†’ Display filter โ†’ tcp.flags.reset==1            โ†’ next RST

Mark / Unmark & Ignore ๐ŸŽฏ

  • Mark (Ctrl+M): flags packets of interest (they turn black). Marks let you export only marked packets to a new evidence file (see below) and jump between them (Ctrl+Shift+N / โ†‘).
  • Ignore (Ctrl+D): hides a packet from analysis without deleting it.

Packet & file comments ๐ŸŽฏ

  • Packet comment: right-click a packet โ†’ Packet Comment (or Edit menu). Adds an analyst note stored in the pcapng. Invaluable for casework: annotate "โ† first beacon" or "โ† exfil starts here."
  • Capture file comment: Statistics โ†’ Capture File Properties has a comments box for case-level notes (analyst, case #, source).
  • โš ๏ธ Comments require pcapng โ€” save as pcap and they vanish.

Time reference & time formats ๐ŸŽฏ "Set/Unset time reference; apply different time formats"

  • Set Time Reference (Ctrl+T): marks a packet as t=0; all following packets' times are shown relative to it (that packet shows *REF*). Perfect for measuring "how long after the SYN did X happen."
  • Time display formats โ€” View โ†’ Time Display Format:
    • Seconds Since Beginning of Capture (default relative)
    • Seconds Since Previous Displayed Packet โ€” the delta view; gaps jump out (great for spotting beacon intervals and stalls)
    • UTC Date and Time of Day โ€” use this for forensics/reporting so timestamps are unambiguous across time zones
    • Seconds Since Epoch โ€” for correlating with logs

๐Ÿ’ก ฮ” time is a hunt tool. Filter to a suspected C2 conversation, set time format to Seconds Since Previous Displayed Packet (or add column frame.time_delta_displayed), and if you see a metronome โ€” e.g. a packet every ~60.00s ยฑ jitter โ€” that regularity screams automated beaconing, not human browsing (ยง33).

17. Name Resolution & File Properties

Name resolution ๐ŸŽฏ "describe how Wireshark applies name resolution; configure it"

View โ†’ Name Resolution (and Preferences โ†’ Name Resolution) toggles three layers:

Layer Turns... Source Caution
MAC (Resolve physical addresses) 00:1a:2b:... โ†’ Cisco_3c:4d:5e Built-in OUI/manuf database Only shows vendor, not device
Transport (Resolve transport names) 443 โ†’ https services file Port name is a guess by number
Network (Resolve network addresses) 8.8.8.8 โ†’ dns.google DNS lookups โš ๏ธ Generates traffic!

โš ๏ธ Forensics/OPSEC warning: enabling network name resolution makes Wireshark send DNS queries for every IP in the capture โ€” from your analysis box. On a live incident this can tip off an attacker (reverse lookups of their infrastructure) and pollute your own capture if you're analyzing live. For DFIR, keep network resolution OFF; rely on the capture's own DNS packets to map names to IPs. Wireshark can also read a hosts file for offline resolution.

Capture File Properties ๐ŸŽฏ

Statistics โ†’ Capture File Properties (or click the leftmost status-bar icon) โ€” your first stop on any unknown capture. It shows:

  • File name, length, format (pcap/pcapng), hashes (SHA256/SHA1/MD5) โ† evidence integrity!
  • First/last packet time & capture duration
  • Number of interfaces, their names, link type, snaplen, capture filter used
  • Packet count, avg pps, avg packet size, data byte totals
  • The capture/file comments

๐Ÿ” The SHA256 here is your chain-of-custody anchor. Record it before analysis; anyone can re-verify the evidence file is unaltered.

18. Statistics Tools

The Statistics menu is where triage gets fast. Master these five.

Protocol Hierarchy ๐ŸŽฏ

Statistics โ†’ Protocol Hierarchy โ€” a tree of every protocol in the capture with % of packets and bytes. Your 10-second "what is even in this file?" view.

๐Ÿ” Hunt use: unexpected protocols jump out โ€” why is there IRC, TFTP, or a big slice of unknown TCP on a corporate LAN? A large "Data" or non-standard-port TCP percentage often = tunneled/covert traffic. Right-click any row โ†’ Apply as Filter to drill in.

Conversations ๐ŸŽฏ

Statistics โ†’ Conversations โ€” every pair that talked, tabbed by layer (Ethernet / IPv4 / IPv6 / TCP / UDP), with packets, bytes, duration, and bytes Aโ†’B vs Bโ†’A. Sort by bytes to find the top talkers instantly.

๐Ÿ” The exfiltration finder: sort the TCP/IPv4 tab by Bytes Bโ†’A (or the direction leaving your network). A workstation that sent hundreds of MB outbound to one external IP is your exfil candidate. Right-click the row โ†’ Apply as Filter โ†’ Selected โ†’ Aโ†”B to isolate it. Columns also show Duration โ€” a long-lived, low-volume conversation can be a C2 channel.

Endpoints ๐ŸŽฏ

Statistics โ†’ Endpoints โ€” per-host totals (not pairs). The IPv4 tab can add GeoIP country/city/ASN columns if you've loaded MaxMind databases (Preferences โ†’ Name Resolution โ†’ GeoIP). Sort by packets/bytes to rank hosts; map view shows geographic spread.

๐Ÿ” GeoIP turns Endpoints into a quick "are we talking to countries we have no business talking to?" check โ€” a fast IR signal.

I/O Graph ๐ŸŽฏ "create and interpret an I/O graph (packets/s or bits/s) for a display filter"

Statistics โ†’ I/O Graph โ€” throughput over time. Add multiple lines, each driven by a display filter, and choose the Y-axis unit (packets/s, bytes/s, bits/s, or an aggregate like MAX/AVG of a field).

Line 1: all traffic            (bits/s)   โ†’ overall load
Line 2: tcp.analysis.retransmission (pkts/s) โ†’ do retransmits spike with load?
Line 3: tcp.flags.syn==1       (pkts/s)   โ†’ SYN flood / scan bursts
Line 4: dns                    (pkts/s)   โ†’ DNS volume anomalies

๐Ÿ” Reading it: overlaying "throughput" with "retransmissions" shows if loss rises under load (congestion). A flat, evenly-spaced sawtooth of small outbound packets = beaconing. A wall of SYNs = scan or SYN flood. You can click a point on the graph to jump to that packet.

Others worth knowing

  • Statistics โ†’ DNS, HTTP, Statistics โ†’ Flow Graph (sequence diagram of a conversation โ€” beautiful for explaining a handshake/teardown), Statistics โ†’ TCP Stream Graphs (see ยง28), Statistics โ†’ Service Response Time (per-protocol latency).

19. Following Streams & Exporting Objects

Follow Stream ๐ŸŽฏ "Use Follow TCP/UDP stream"

Right-click a packet โ†’ Follow โ†’ TCP Stream (also HTTP, TLS, UDP, HTTP/2, QUIC). Wireshark:

  1. Reassembles the whole conversation's payload into a readable window (client text in one color, server in another).
  2. Auto-applies the filter tcp.stream == N so the Packet List now shows only that flow.

Use it to read an entire HTTP exchange, an FTP session, an SMTP email, or a cleartext protocol end-to-end. The dropdown lets you show ASCII, Hex Dump, C arrays, Raw, or one direction only.

๐Ÿ” DFIR gold: Follow TCP Stream on a suspicious flow reveals cleartext credentials (FTP/Telnet/HTTP Basic), HTTP beacon bodies, exfiltrated data, and C2 commands in one pane. "Show data as Raw" + Save lets you carve the exact bytes out for a malware sandbox.

Export Objects ๐ŸŽฏ "Export objects from packet captures"

File โ†’ Export Objects โ†’ HTTP / SMB / TFTP / FTP-DATA / IMF (email)... lists every file/object Wireshark reconstructed from the capture (URL, hostname, content type, size). Select one โ†’ Save, or Save All to dump every transferred file.

๐Ÿ” This is core network forensics. From a pcap you can recover the actual downloaded malware binary, exfiltrated documents, or served web pages, then hash them and detonate them in a sandbox. Export Objects โ†’ HTTP on a drive-by capture literally hands you the payload. (For HTTPS you first need the TLS keys โ€” see ยง29.)

Export specified packets ๐ŸŽฏ

File โ†’ Export Specified Packets (or Export PDU) lets you save a subset โ€” Displayed (current filter), Marked, Range, or Selected โ€” to a new file. This is how you carve a clean, minimal evidence file for a report or to hand to another analyst without shipping the whole multi-GB capture.


Part VI โ€” Protocol Deep Dives ย ๐ŸŽฏ Domain 5 (43%)

This is the single largest domain. Learn the header fields, the normal behavior, and โ€” for each โ€” the filters and what abuse looks like. Fields you must be able to name on sight are in bold.

20. Ethernet ย ๐ŸŽฏ 5.1

The Layer-2 frame that carries everything on a LAN.

โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚ Dest MAC (6B) โ”‚ Src MAC (6B)   โ”‚ EtherType โ”‚  Payload (46โ€“1500)โ”‚  FCS 4B โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜

Fields to know cold

Field Size Notes
Destination MAC 6 bytes Who the frame is for on this LAN segment
Source MAC 6 bytes Who sent it (last hop)
EtherType 2 bytes What's inside: 0x0800 = IPv4, 0x86DD = IPv6, 0x0806 = ARP, 0x8100 = 802.1Q VLAN
FCS (CRC) 4 bytes Frame check sequence โ€” usually NOT shown in Wireshark (see below)

Exam-favorite facts

  • Minimum frame = 64 bytes (so runts/collisions are detectable); if payload < 46 bytes it's padded. Maximum standard frame = 1518 bytes (1500 MTU payload + 14 header + 4 FCS). Jumbo frames exceed this. ๐ŸŽฏ "Describe minimum and maximum frame sizes."
  • Why the CRC/FCS is missing ๐ŸŽฏ: the NIC validates and strips the FCS before handing the frame to the OS/Wireshark. So Wireshark normally never sees it. Frames with a bad FCS are usually dropped by the NIC entirely (unless the adapter is set to pass errors). This is a guaranteed question.
  • MAC address types ๐ŸŽฏ "distinguish Unicast, Broadcast, Multicast":
    • Broadcast = ff:ff:ff:ff:ff:ff (all ones) โ†’ everyone on the segment.
    • Multicast = the least-significant bit of the first octet = 1 (e.g. 01:00:5e:... for IPv4 multicast, 33:33:... for IPv6). Filter: eth.dst[0] & 1.
    • Unicast = that bit = 0 โ†’ one specific NIC.
    • The 2nd-least-significant bit of the first octet = the U/L bit; if 1 the MAC is locally administered (e.g. randomized/spoofed) rather than a real burned-in vendor address.
  • VLAN tags (802.1Q) ๐ŸŽฏ "how the frame header is modified for VLAN tags": a 4-byte tag is inserted after Src MAC, EtherType becomes 0x8100, the tag carries the VLAN ID (12 bits, 0โ€“4095) and priority (PCP), and the original EtherType follows. Filter: vlan / vlan.id == 100.

Filters

eth.addr == 00:1a:2b:3c:4d:5e     # this MAC as src or dst
eth.dst == ff:ff:ff:ff:ff:ff      # broadcasts
eth.dst[0] & 1                    # multicast/broadcast (group bit set)
eth.type == 0x0806                # ARP frames
vlan.id == 20                     # VLAN 20
eth.src[0:3] == 00:1a:2b          # match a vendor OUI

21. ARP ย ๐ŸŽฏ 5.2

Address Resolution Protocol maps a known IPv4 address โ†’ unknown MAC on the local segment. Pure Layer 2/3 glue; no ARP crosses a router.

How it works

  1. Host needs to send to 10.0.0.9 on its subnet but doesn't know its MAC.
  2. ARP Request โ€” a broadcast (dst = ff:ff:ff:ff:ff:ff): "Who has 10.0.0.9? Tell 10.0.0.5."
  3. ARP Reply โ€” a unicast back to the asker: "10.0.0.9 is at aa:bb:cc:dd:ee:ff." ๐ŸŽฏ "difference between broadcast ARP and unicast ARP" โ†’ request is broadcast, reply is unicast.

Types you must recognize ๐ŸŽฏ

Type Filter Purpose
Request (op=1) arp.opcode == 1 Ask for a MAC
Reply (op=2) arp.opcode == 2 Answer with a MAC
Gratuitous ARP arp.isgratuitous == 1 (or arp.src.proto_ipv4 == arp.dst.proto_ipv4) Host announces/updates its own mapping (IP failover, duplicate-IP detection, boot)
ARP probe arp.dst.proto_ipv4 == 0.0.0.0-style sender Check if an IP is already in use before claiming it

Filters

arp                               # all ARP
arp.opcode == 1                   # requests
arp.opcode == 2                   # replies
arp.src.hw_mac == 00:11:22:33:44:55
arp.dst.proto_ipv4 == 10.0.0.9    # who's asking for this IP
arp.duplicate-address-detected    # Wireshark expert: possible ARP spoofing!

๐Ÿ” ARP is a top LAN-attack signal. arp.duplicate-address-detected and a flood of gratuitous ARPs claiming the gateway's IP with a new MAC = ARP spoofing / MITM (someone poisoning caches to intercept traffic). A burst of ARP requests sweeping every host in a subnet = reconnaissance/scanning. ๐ŸŽฏ Domain 6: "identify communication issues using ARP" โ€” also, if a host ARPs for an IP and gets no reply, that host is down or off-subnet โ€” a fast way to spot dead gateways.

22. IPv4 ย ๐ŸŽฏ 5.3

The Layer-3 packet that gets data across networks.

 0        4        8            16                             31
โ”Œโ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚Ver โ”‚IHL โ”‚  DSCP  โ”‚Total Lengthโ”‚  Identification  โ”‚Flagsโ”‚FragOffโ”‚
โ”œโ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ผโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค
โ”‚  TTL   โ”‚  Protocol โ”‚ Header Checksum โ”‚     Source IP Address   โ”‚
โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ผโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค
โ”‚      Destination IP Address   โ”‚        Options (if IHL>5)     โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜

Header fields you must know ๐ŸŽฏ

Field Filter Meaning / exam point
Version ip.version 4
Total Length ip.len Whole packet (header+data) in bytes
Identification (IP ID) ip.id Unique-ish per packet; ties fragments together; strategies vary by OS (incrementing, random) โ€” useful to fingerprint a sender or spot a spoofer/NAT ๐ŸŽฏ "IP identification strategies"
Flags ip.flags DF (Don't Fragment), MF (More Fragments)
Fragment Offset ip.frag_offset Where this fragment sits in the original ๐ŸŽฏ
TTL ip.ttl Decremented each router; hits 0 โ†’ router drops & sends ICMP Time Exceeded
Protocol ip.proto 1 = ICMP, 6 = TCP, 17 = UDP (memorize)
Header Checksum ip.checksum Covers header only
Src / Dst IP ip.src / ip.dst End-to-end identity

Address ranges to memorize ๐ŸŽฏ "public, private, multicast, APIPA ranges"

Range Type Notes
10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 Private (RFC1918) Not routable on the internet โ†’ NAT'd
169.254.0.0/16 APIPA / link-local Auto-assigned when DHCP fails โ€” a red flag!
224.0.0.0/4 (224โ€“239) Multicast One-to-many
127.0.0.0/8 Loopback localhost
everything else Public Internet-routable

๐Ÿ’ก APIPA (169.254.x.x) in a capture = the host couldn't reach a DHCP server. That's a direct troubleshooting clue (ยง26, Domain 6).

TTL โ†’ hop distance ๐ŸŽฏ "predict distance in hops"

Common initial TTLs: Windows = 128, Linux/macOS = 64, routers/Cisco = 255. Observed TTL subtracted from the nearest higher default = hops traversed. Arriving TTL 117 from a Windows host โ†’ 128 โˆ’ 117 = 11 hops away.

NAT ๐ŸŽฏ "how NAT works and why it matters for capture/analysis"

NAT rewrites private source IP:port โ†’ the router's public IP:port on the way out (and reverses inbound). Implications for you:

  • Capture location changes what you see: inside the NAT you see real private IPs; outside, every internal host looks like one public IP โ€” you lose per-host visibility. Capture inside to attribute traffic to a specific workstation.
  • Many hosts behind one IP complicates attribution in IR โ€” correlate with NAT/firewall logs.

Fragmentation ๐ŸŽฏ

If a packet exceeds the path MTU and DF isn't set, routers split it: same IP ID, MF=1 on all but the last, increasing Fragment Offset. Wireshark reassembles and shows [Reassembled in frame N]. Filter fragments: ip.flags.mf == 1 || ip.frag_offset > 0.

๐Ÿ” Unusual heavy fragmentation, tiny fragments, or overlapping offsets can be IDS/firewall evasion or a crafted-packet attack.

Filters

ip.addr == 8.8.8.8
ip.src == 10.0.0.0/8 && ip.dst != 10.0.0.0/8    # internal โ†’ external (egress)
ip.ttl < 64                                     # already traversed routers
ip.flags.df == 1                                # Don't Fragment set
ip.addr == 169.254.0.0/16                       # APIPA โ€” DHCP failure
ip.proto == 6                                   # TCP

23. ICMPv4 ย ๐ŸŽฏ 5.4

ICMP is IP's diagnostic/error courier (ip.proto == 1). No ports.

Message types to know ๐ŸŽฏ "identify ICMP message types and their purpose"

Type/Code Name Meaning
8 / 0 Echo Request / Reply ping โ€” reachability & RTT
3 Destination Unreachable code 0 net, 1 host, 3 port unreachable, 4 frag needed+DF (PMTU black hole!), 13 admin filtered (firewall)
5 Redirect Router says "use a better gateway"
11 Time Exceeded TTL hit 0 (this powers traceroute)
4 Source Quench (deprecated) congestion

The killer exam skill ๐ŸŽฏ "identify the IP packet which triggered an ICMP error"

An ICMP error message (types 3, 5, 11) embeds the IP header + first 8 bytes of the original offending packet in its payload. Expand the ICMP packet in Wireshark and you'll see the original IP/TCP/UDP header nested inside โ€” that tells you which flow caused the error (e.g. which UDP packet got "port unreachable"). This is frequently tested.

Filters

icmp                                   # all ICMP
icmp.type == 8                         # echo requests (pings out)
icmp.type == 0                         # echo replies
icmp.type == 3 && icmp.code == 3       # port unreachable (service down/closed UDP)
icmp.type == 3 && icmp.code == 4       # fragmentation needed (PMTU issues)
icmp.type == 11                        # TTL exceeded (traceroute / routing loop)

๐Ÿ” SOC/IR angle: big ICMP Echo packets or a steady ping stream with data payloads can be an ICMP tunnel/covert channel or exfil (normal pings are tiny & uniform โ€” check data.len). A flood of Type 3 Code 3 from one host = a UDP port scan hitting closed ports. Type 11 everywhere = a routing loop. Type 3 Code 4 black-holing = broken Path MTU Discovery (a real "some sites hang" bug).

24. IPv6 & ICMPv6 ย ๐ŸŽฏ 5.5โ€“5.6

IPv6 address types ๐ŸŽฏ "identify Link Local, Global Unicast, Multicast"

Type Prefix Notes
Link-Local fe80::/10 Auto-configured, never routed off-link; used for neighbor discovery
Global Unicast 2000::/3 (e.g. 2001:...) Internet-routable, like a public IPv4
Unique Local fc00::/7 (usually fd00::/8) Private, like RFC1918
Multicast ff00::/8 e.g. ff02::1 all-nodes, ff02::2 all-routers
Loopback ::1 localhost

IPv6 has no broadcast โ€” it uses multicast instead. No IP-header checksum, no fragmentation by routers (host-only via extension headers).

ICMPv6 & Neighbor Discovery ๐ŸŽฏ 5.6

ICMPv6 does far more than ICMPv4 โ€” it replaces ARP and handles autoconfiguration via NDP (Neighbor Discovery Protocol):

Message Type Replaces / does
Neighbor Solicitation (NS) 135 "Who has this IPv6?" (= ARP request)
Neighbor Advertisement (NA) 136 "I have it, here's my MAC" (= ARP reply)
Router Solicitation (RS) 133 "Are there routers?"
Router Advertisement (RA) 134 Router announces prefix/gateway (SLAAC autoconfig)
icmpv6.type == 135     # Neighbor Solicitation
icmpv6.type == 136     # Neighbor Advertisement
icmpv6.type == 134     # Router Advertisement

๐Ÿ” Rogue RA attack: a malicious host sending Router Advertisements (type 134) can hijack IPv6 default routing (MITM) โ€” a real threat even on "IPv4-only" networks that left IPv6 enabled. Hunt for RAs from unexpected MACs.

25. UDP ย ๐ŸŽฏ 5.7

Connectionless, no handshake, no reliability, tiny 8-byte header.

โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚ Src Port   โ”‚ Dst Port   โ”‚  Length    โ”‚ Checksum   โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
Field Filter
Source Port udp.srcport
Dest Port udp.dstport
Length udp.length
Checksum udp.checksum

Exam points ๐ŸŽฏ

  • Higher-layer protocols on UDP: DNS(53), DHCP(67/68), TFTP(69), SNMP(161), NTP(123), Syslog(514), RTP/VoIP, QUIC(443). ๐ŸŽฏ "identify higher layer protocols which use UDP"
  • Why UDP for multicast/broadcast ๐ŸŽฏ: TCP is strictly point-to-point (a handshake needs one specific peer). Broadcast/multicast is one-to-many, so it must be connectionless โ†’ UDP. That's why streaming, discovery (mDNS, SSDP), and routing multicasts use UDP.
  • UDP "stream id" & conversation timestamps ๐ŸŽฏ: Wireshark assigns udp.stream indexes and, with conversation timestamps enabled, udp.time_delta โ€” you can Follow UDP Stream and measure per-flow timing just like TCP (useful for DNS/VoIP analysis).
udp.port == 53                    # DNS
udp.stream == 3                   # a specific UDP conversation
udp.length > 512                  # oversized UDP (EDNS, tunneling, amplification)

๐Ÿ” UDP is the backbone of amplification DDoS (DNS, NTP, memcached, SSDP): tiny spoofed request โ†’ huge reply to the victim. Spot it as many large UDP responses to one dst from many servers on ports 53/123/1900.

26. DHCPv4 (DORA) ย ๐ŸŽฏ 5.8

How hosts get an IP. Runs on UDP: client 68 โ†’ server 67. Filter: dhcp (older Wireshark: bootp).

The 4 phases โ€” DORA ๐ŸŽฏ "identify and describe the 4 phases"

Step Message Direction Meaning
D Discover client โ†’ broadcast "Any DHCP servers out there?"
O Offer server โ†’ client "You can have 10.0.0.55"
R Request client โ†’ broadcast "I'll take that one" (broadcast so other servers know)
A ACK server โ†’ client "Confirmed, here's your lease + options"
dhcp.option.dhcp == 1     # Discover
dhcp.option.dhcp == 2     # Offer
dhcp.option.dhcp == 3     # Request
dhcp.option.dhcp == 5     # ACK
dhcp.option.dhcp == 6     # NAK

The two purposes of a DHCP Request ๐ŸŽฏ

  1. In DORA โ€” accepting an offered address (broadcast).
  2. Lease renewal โ€” an already-configured host unicasts a Request directly to its server to extend the lease (no Discover/Offer needed). Same message type, different context โ€” a classic exam distinction.

DHCP options to know ๐ŸŽฏ "identify DHCP options"

Option Name Filter
1 Subnet Mask dhcp.option.subnet_mask
3 Router (gateway) dhcp.option.router
6 DNS Server(s) dhcp.option.domain_name_server
51 Lease Time dhcp.option.ip_address_lease_time
53 Message Type dhcp.option.dhcp
50 Requested IP dhcp.option.requested_ip_address
12 Hostname dhcp.option.hostname

APIPA โ†” DHCP ๐ŸŽฏ

If Discover gets no Offer (server down, VLAN/relay misconfig, exhausted pool), the client falls back to APIPA 169.254.x.x and has no gateway/DNS โ†’ "connected but no internet." Seeing DHCP Discovers with no Offers plus APIPA addresses is the textbook diagnosis. ๐ŸŽฏ Domain 6

๐Ÿ” DFIR value of DHCP: Option 12 (hostname) and the client MAC in DHCP packets let you map IP โ†’ hostname โ†’ MAC โ†’ vendor at a point in time โ€” essential for attributing an IP to a physical device during an incident. A rogue DHCP server (unexpected host sending Offers) is an attack that can redirect DNS/gateway for MITM โ€” hunt dhcp.option.dhcp == 2 from any non-authorized server.

27. DNS ย ๐ŸŽฏ 5.9

Name โ†” IP resolution. Mostly UDP 53 (TCP 53 for zone transfers & large/>512B responses). Filter: dns.

Request vs reply ๐ŸŽฏ

  • dns.flags.response == 0 = query; == 1 = response.
  • Match a query to its reply by Transaction ID (dns.id) โ€” Wireshark links them and shows [Time: ...] (the DNS response time โ€” a latency signal).

Record types to recognize ๐ŸŽฏ "distinguish DNS record types"

Type # Meaning
A 1 name โ†’ IPv4
AAAA 28 name โ†’ IPv6
CNAME 5 alias โ†’ canonical name
MX 15 mail server
NS 2 authoritative name server
PTR 12 IP โ†’ name (reverse)
TXT 16 arbitrary text (SPF/DKIMโ€ฆ and tunneling/exfil)
SOA 6 zone authority
SRV 33 service location (AD uses heavily)
dns.flags.response == 0                  # queries only
dns.qry.name == "example.com"
dns.qry.type == 1                        # A queries
dns.qry.type == 16                       # TXT (watch for abuse)
dns.flags.rcode == 3                     # NXDOMAIN (name doesn't exist)
dns.qry.name contains "dropbox"          # find traffic to a service
dns.time > 0.5                           # slow DNS responses (>500ms)

๐Ÿ” DNS is a hunter's goldmine (covered deeply in ยง34):

  • NXDOMAIN storms (dns.flags.rcode == 3) โ€” malware DGA cycling through random domains looking for its live C2.
  • Long/hex/base32 labels in dns.qry.name + heavy TXT โ€” DNS tunneling / exfiltration.
  • DNS with no matching process / to a non-corporate resolver โ€” possible C2 or policy evasion.
  • DNS is often your only record of what domain an IP belonged to at incident time โ€” capture it, keep it.

28. TCP โ€” the big one ย ๐ŸŽฏ 5.10 (17%, scored separately)

TCP alone is 17% of the exam and graded on its own. Plus most of Domain 6 (troubleshooting, 20%) is TCP analysis. Realistically ~a third of your score lives here. Master it.

The TCP header

 0                   16                  31
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚  Source Port     โ”‚  Destination Port โ”‚
โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค
โ”‚         Sequence Number              โ”‚
โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค
โ”‚      Acknowledgment Number           โ”‚
โ”œโ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค
โ”‚Off โ”‚ Rsv โ”‚ Flags โ”‚   Window Size     โ”‚
โ”œโ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ผโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค
โ”‚    Checksum      โ”‚  Urgent Pointer   โ”‚
โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค
โ”‚      Options (MSS, SACK, WS, ...)     โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜

TCP flags ๐ŸŽฏ "how TCP flags establish and tear down a session"

Flag Filter Purpose
SYN tcp.flags.syn == 1 Synchronize โ€” open a connection, exchange initial seq numbers
ACK tcp.flags.ack == 1 Acknowledge received data
FIN tcp.flags.fin == 1 Graceful close โ€” "I'm done sending"
RST tcp.flags.reset == 1 Abrupt reset โ€” kill the connection now
PSH tcp.flags.push == 1 Push buffered data to the app immediately
URG tcp.flags.urg == 1 Urgent pointer valid (rare)

The 3-way handshake ๐ŸŽฏ "describe the components of a 3-way handshake"

Client                                   Server
  โ”‚โ”€โ”€โ”€โ”€โ”€ SYN  (seq=0)  โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ–ถโ”‚   "let's talk; my ISN=X"
  โ”‚โ—€โ”€โ”€โ”€โ”€ SYN, ACK (seq=0, ack=1) โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”‚   "ok; my ISN=Y, I got your SYN"
  โ”‚โ”€โ”€โ”€โ”€โ”€ ACK  (seq=1, ack=1)  โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ–ถโ”‚   "great, connected"
        โ”€โ”€ connection ESTABLISHED โ”€โ”€
  • Each side picks a random Initial Sequence Number (ISN). The SYN and FIN flags each consume one sequence number (that's why the ACK is ISN+1 even though no data was sent).
  • Filter for all connection attempts: tcp.flags.syn == 1 && tcp.flags.ack == 0.

iRTT โ€” initial Round-Trip Time ๐ŸŽฏ "explain how iRTT is measured"

Wireshark measures iRTT as the time between the SYN and the ACK that completes the handshake (SYN โ†’ SYN/ACK โ†’ final ACK). It appears as [iRTT] in the SYN packet's TCP tree (in brackets = Wireshark-generated). Because it's captured before any application delay, iRTT is your clean baseline for network latency on that path. Column/filter: tcp.analysis.initial_rtt.

๐Ÿ’ก High iRTT (say 150 ms) tells you the network path itself is slow before the app even responds โ€” it separates network latency from server slowness (huge for Domain 6).

MSS โ€” Maximum Segment Size ๐ŸŽฏ "describe and calculate MSS"

  • MSS = the largest TCP payload (data only) per segment, advertised in a SYN option by each side.
  • Classic math: standard Ethernet MTU 1500 โˆ’ 20 (IP header) โˆ’ 20 (TCP header) = MSS 1460 bytes. Memorize this. (With TCP options/tunnels the effective MSS is smaller โ€” e.g. VPNs.)
  • Each side can advertise a different MSS; the sender must respect the receiver's advertised MSS. Filter: tcp.options.mss_val == 1460.

Sequence & Acknowledgment numbers ๐ŸŽฏ "how seq/ack maintain reliability"

  • Sequence number = byte offset of the first data byte in this segment within the stream.
  • Acknowledgment number = the next byte the receiver expects (i.e., "I have everything up to ackโˆ’1"). ACKs are cumulative.
  • Reliability loop: sender numbers every byte; receiver ACKs the next expected byte; missing bytes โ†’ the ACK number stops advancing โ†’ sender retransmits.
  • Relative sequence numbers (Wireshark default) restart each stream at 0 so they're readable; toggle off in TCP preferences to see the real ISN-based values. ๐ŸŽฏ

Teardown methods ๐ŸŽฏ "different methods TCP sessions are torn down"

  1. Graceful (4-way / FIN): each side sends FIN, the other ACKs it โ†’ FIN,ACK ร—2. Sometimes seen as 3 packets when a side piggybacks FIN+ACK.
  2. Abrupt (RST): one side sends RST โ€” connection dies immediately, no cleanup. Common when a port is closed, an app crashes, a firewall kills a flow, or a load balancer trims idle connections.
tcp.flags.fin == 1                # graceful closes
tcp.flags.reset == 1              # resets (investigate these!)

TCP Options ๐ŸŽฏ "explain TCP options and their purpose (EOL, NOP, MSS, SACK, DSACK, Window Scaling)"

Option Purpose
MSS Advertise max segment size (SYN only)
Window Scaling (WS) Multiplier that lets the 16-bit window exceed 65,535 bytes โ€” essential for high-bandwidth/high-latency (BDP) links. Negotiated in SYN; if one side doesn't support it, no scaling for the whole connection
SACK (Selective ACK) Lets a receiver say "I got bytes 1โ€“1000 and 2001โ€“3000 but not 1001โ€“2000" so the sender resends only the gap, not everything after it
DSACK (Duplicate SACK) Reports that a duplicate segment arrived (helps distinguish real loss from spurious retransmits)
NOP No-op padding to align options on 4-byte boundaries
EOL End of options list
Timestamps (TSval/TSecr) Better RTT measurement & PAWS

Window size & flow control ๐ŸŽฏ (and Domain 6)

  • The Window Size field = how many more bytes the receiver can buffer right now. It's the receiver throttling the sender (flow control).
  • Wireshark shows [Calculated window size] = raw field ร— the negotiated window scale factor (brackets = generated).
  • Zero Window (tcp.analysis.zero_window): receiver says "stop, my buffer is full" โ†’ transfer stalls until it sends a Window Update. A frequent cause of "the network is slow" that's actually a slow/overloaded receiving application not draining its socket.
  • Low window + high RTT = throughput killer ๐ŸŽฏ Domain 6: max throughput โ‰ˆ Window / RTT (Bandwidth-Delay Product). A small window over a long-latency path caps speed no matter how fast the link โ€” you'll see the sender constantly waiting for ACKs.

The TCP analysis (expert) filters โ€” memorize these ๐ŸŽฏ

These are Wireshark-generated flags (brackets in the tree), your bread and butter for Domain 6:

tcp.analysis.flags                 # EVERYTHING flagged below, at once
tcp.analysis.retransmission        # sender resent (loss suspected)
tcp.analysis.fast_retransmission   # resent after 3 dup ACKs (didn't wait for timeout)
tcp.analysis.duplicate_ack         # receiver re-ACKing โ†’ it's missing a segment
tcp.analysis.dup_ack_num           # the Nth dup ACK
tcp.analysis.lost_segment          # Wireshark saw a gap (a segment never captured)
tcp.analysis.out_of_order          # segments arrived out of sequence
tcp.analysis.zero_window           # receiver buffer full โ†’ stall
tcp.analysis.window_full           # sender has filled the receiver's window
tcp.analysis.window_update         # receiver re-opened its window
tcp.analysis.keep_alive            # idle-connection keepalive
tcp.analysis.ack_rtt              # time from segment to its ACK (latency!)

DUP ACKs, SACK & finding the missing bytes ๐ŸŽฏ

๐ŸŽฏ "Describe the purpose of a DUP ACK" and "Identify the byte range of missing segments based on a DUP ACK with SACK or DSACK." This is one of the hardest exam skills โ€” here's how.

  • A duplicate ACK is the receiver repeating "I still only have up to byte N" โ€” it keeps re-ACKing the same number because a segment is missing and everything after it is arriving out of order. 3 dup ACKs trigger the sender's fast retransmit.
  • With SACK enabled, each dup ACK also carries SACK blocks โ€” the ranges the receiver did receive beyond the gap. The hole between the ACK number and the first SACK-left-edge is the missing byte range.

Worked example:

ACK number (cumulative) = 5001      โ†’ receiver has bytes up to 5000
SACK block Left Edge     = 6001
SACK block Right Edge    = 7001      โ†’ receiver also has 6001โ€“7000
โˆด MISSING segment = bytes 5001 โ€“ 6000   (the gap between 5001 and 6001)

The sender only needs to resend 5001โ€“6000, not everything from 5001 onward โ€” that's SACK's whole point. Filters: tcp.options.sack_le / tcp.options.sack_re.

Retransmissions โ€” network loss vs. something else

  • Retransmission after RTO timeout, or Fast Retransmission after 3 dup ACKs โ†’ both mean the sender believes data was lost.
  • Where you capture matters: retransmits seen near the sender but the originals reaching the receiver fine = the ACKs are being lost on the return path, or you're upstream of the loss. Multi-point capture (ยง5) pins down where loss happens.

TCP Stream Graphs ๐ŸŽฏ "describe what each line represents in a TCP stream graph"

Statistics โ†’ TCP Stream Graphs:

Graph X / Y Read it for
Time / Sequence (Stevens) time / seq number A smooth climbing line = healthy throughput; flat spots = stalls; step-backs = retransmits
Time / Sequence (tcptrace) adds ACK line & window Gap between data and the window line closing in = flow-control limited
Throughput time / bytes-per-interval Where speed dips
Round Trip Time seq / RTT Latency spikes per segment
Window Scaling time / window size Watch the receive window shrink toward zero (zero-window stalls)

๐Ÿ’ก On a Stevens graph, a staircase that flattens then jumps is classic loss+recovery; a line that can't climb because the window ceiling (tcptrace) sits right on top of it is a window-limited transfer, not a loss problem โ€” different fix entirely.

Reassembly, stream id & timestamps ๐ŸŽฏ

  • TCP reassembly (Allow subdissector to reassemble preference): Wireshark stitches segments so the app layer (HTTP/TLS) is shown decoded against the final segment. Turn it off to inspect raw per-segment bytes. ๐ŸŽฏ "describe the purpose of TCP reassembly."
  • tcp.stream = Wireshark's per-connection index (generated). tcp.stream == 4 isolates one whole conversation โ€” the single most useful TCP filter for triage. ๐ŸŽฏ "describe the TCP stream id."
  • Conversation timestamps (tcp.time_relative, tcp.time_delta) = time since the stream's first packet / since the previous packet in this stream. Enable in TCP preferences; add as columns to measure per-flow timing and beacon intervals. ๐ŸŽฏ

๐Ÿ” TCP for security:

  • Port scans: many SYNs to many ports, replies are SYN/ACK (open) or RST/ACK (closed). tcp.flags.syn==1 && tcp.flags.ack==0 + Conversations reveals a scanner instantly.
  • RST storms: bursts of tcp.flags.reset==1 = blocked/killed connections (firewall, IPS, or a service refusing) โ€” or a RST-injection attack.
  • C2 over TCP: long-lived, low-and-slow conversations on odd ports; use Conversations (duration) + ฮ”time for beaconing.
  • Failed handshakes: SYNs with no SYN/ACK = host down, port filtered, or connectivity broken (Domain 6).

Part VII โ€” Application Layer & Troubleshooting ย ๐ŸŽฏ Domain 6 (20%)

29. HTTP / HTTPS / TLS

HTTP (cleartext) ๐ŸŽฏ

Runs on TCP 80 (and any port โ€” use Decode As). Filter: http.

http.request                      # all requests
http.request.method == "GET"
http.request.method == "POST"     # uploads / form data / API calls / exfil
http.response.code == 200         # OK
http.response.code >= 400         # client/server errors
http.host == "example.com"
http.user_agent contains "python-requests"   # non-browser client
http.request.uri contains "/admin"

Key headers to read: Host (which site), User-Agent (which client โ€” mismatches reveal bots/malware), Referer, Set-Cookie, Content-Type, Server. Follow โ†’ HTTP Stream reads the whole exchange; Export Objects โ†’ HTTP pulls the transferred files.

Server slowness vs. network slowness ๐ŸŽฏ Domain 6 โ€” "distinguish server performance from slow transfer times"

This is a flagship exam/real-world skill. In an HTTP GET:

Client โ”€โ”€ GET /page โ”€โ”€โ–ถ Server
                         (โฑ time server takes to respond = SERVER think time)
Client โ—€โ”€โ”€ 200 OK โ”€โ”€โ”€โ”€โ”€  Server
  • http.time = time from the request to the full response โ€” includes both server processing and transfer.
  • Compare against iRTT (ยง28) and tcp.analysis.ack_rtt:
    • Big gap before the server's first response byte, but ACKs are fast โ†’ server is slow (app/DB think time), network is fine.
    • First byte comes quickly but the transfer drags with retransmissions / zero-windows โ†’ network or client problem, server is fine.
  • High RTT hurts request/response protocols most ๐ŸŽฏ: HTTP, SMB, SQL do many small round trips; each one pays the RTT. On a 200 ms-RTT link, 50 sequential round-trips = 10 s of pure waiting regardless of bandwidth. This is why "the app is slow over the WAN but fine on LAN." Low window + high RTT compounds it (BDP throughput cap, ยง28).

HTTPS / TLS ๐ŸŽฏ

Filter: tls. You can see the handshake even though content is encrypted:

tls.handshake.type == 1           # ClientHello โ€” contains SNI (server name!)
tls.handshake.type == 2           # ServerHello
tls.handshake.type == 11          # Certificate
tls.handshake.extensions_server_name == "example.com"   # SNI = which site
tls.record.version
  • SNI (tls.handshake.extensions_server_name) in the ClientHello reveals which domain the client is contacting even though the payload is encrypted โ€” a critical hunting field.
  • The certificate (handshake type 11) shows the server's cert subject/issuer โ€” self-signed or weird certs on odd ports are a C2 signal.
  • Decrypting TLS: if you control an endpoint, set the env var SSLKEYLOGFILE before launching the browser/app; point Wireshark to that keylog file (Preferences โ†’ Protocols โ†’ TLS โ†’ (Pre)-Master-Secret log filename). Wireshark then decrypts the session and Export Objects / Follow HTTP Stream work on the plaintext. (Server RSA private keys also work for non-PFS ciphers, but modern ECDHE requires the keylog.)

๐Ÿ” JA3/JA3S fingerprints (derived from ClientHello/ServerHello fields) identify specific TLS clients โ€” many malware families have known JA3 hashes even though the traffic is encrypted. Wireshark exposes the raw fields; NDR tools compute the hash.

30. Troubleshooting Methodology & Scenarios ๐ŸŽฏ Domain 6 (20%)

A repeatable method

  1. Scope it โ€” Statistics โ†’ Conversations/Endpoints: who's involved, how much, how long.
  2. Isolate the flow โ€” Follow Stream / tcp.stream == N.
  3. Check the handshake โ€” present? iRTT high? SYNs with no SYN/ACK?
  4. Run the expert โ€” tcp.analysis.flags; look for retransmits, dup ACKs, zero windows, resets.
  5. Separate the layers โ€” network latency (iRTT, ack_rtt) vs app latency (http.time, gaps before response) vs flow control (window).
  6. Confirm root cause & prove it โ€” annotate packets, export the minimal evidence.

Scenario playbook

Symptom in capture Likely cause Confirm with
SYN, SYN, SYN (no SYN/ACK) Host down / port filtered / firewall drop tcp.flags.syn==1 && tcp.flags.ack==0; check for ICMP type 3
SYN โ†’ RST/ACK Port closed / service not listening tcp.flags.reset==1
Many retransmissions + dup ACKs Packet loss on the path tcp.analysis.retransmission, I/O graph vs load
Zero-window / window-full Receiver app not reading its socket tcp.analysis.zero_window; TCP window graph
Fast first byte, slow big transfer Loss/congestion or small windowร—RTT Stevens stream graph flat spots
Slow first byte, fast transfer Server/app think time Gap before response; iRTT is low
Everything slow only over WAN High RTT ร— chatty protocol / small window iRTT, throughput = window/RTT
APIPA 169.254 addresses DHCP failure ip.addr==169.254.0.0/16, DHCP Discovers w/ no Offer
Duplicate-IP / gratuitous ARP flood IP conflict or ARP spoofing arp.duplicate-address-detected
ICMP type 3 code 4 black hole Broken Path MTU Discovery icmp.type==3 && icmp.code==4

๐ŸŽฏ Domain 6 also lists: "determine network topology only using information in a packet capture" โ€” combine MACโ†”IP mappings (ยง2), TTL hop counts (ยง22), gateway MAC identification, DHCP option-3 gateways, and ARP tables to sketch the LAN. And "identify potential issues using ARP, DHCP, and ICMP" โ€” the three "infrastructure health" protocols above.

31. The Expert Information System ๐ŸŽฏ

Analyze โ†’ Expert Information (or the colored dot, bottom-left of the status bar) aggregates every issue Wireshark noticed, grouped by severity:

Severity Color Examples
Error red Malformed packets, checksum errors, dissector failures
Warning yellow Retransmissions, zero window, out-of-order, connection resets
Note cyan Dup ACKs, keep-alives, fast retransmits, window updates
Chat blue/grey Connection setup (SYN), FIN, window changes

Click any group โ†’ expand โ†’ click a specific item โ†’ jumps to that packet. It's a prioritized worklist for a capture: start at Errors/Warnings.

๐Ÿ’ก The status-bar dot shows the highest severity present โ€” a red dot means at least one error is lurking. Double-click it to open the Expert window. For troubleshooting, this + tcp.analysis.flags is the fastest path from "here's a capture" to "here's the problem."


Part VIII โ€” Security Operations ย ๐Ÿ” SOC / IR / Forensics

Everything so far taught you normal. This part turns that into detection. The same skills that pass WCA-101 are exactly what you use to hunt an intrusion in a pcap โ€” you're just looking for deviations from the baselines above. Nothing here is offensive tooling; it's all defensive analysis of traffic you're authorized to inspect.

32. Threat Hunting in pcap

The hunter's first five moves on an unknown capture

  1. Statistics โ†’ Capture File Properties โ€” record SHA256, time range, size (evidence integrity + scope).
  2. Statistics โ†’ Protocol Hierarchy โ€” what protocols exist? Anything weird (IRC, TFTP, unknown TCP, lots of "Data")?
  3. Statistics โ†’ Conversations (sort by bytes, and by duration) โ€” top talkers + long-lived low-volume flows.
  4. Statistics โ†’ Endpoints (+ GeoIP) โ€” talking to unexpected countries/ASNs?
  5. DNS overview โ€” dns.flags.response==0 โ€” what names are being resolved? Any DGA/tunneling smell?

High-signal hunting filters (build these as filter buttons / a "SOC-Hunt" profile)

# --- Reconnaissance / scanning ---
tcp.flags.syn==1 && tcp.flags.ack==0            # connection attempts (port scan source)
tcp.flags.reset==1                              # closed-port/blocked responses (scan target)
icmp.type==8                                    # ping sweep
arp.opcode==1                                   # ARP scan of a subnet

# --- Suspicious egress ---
ip.src==10.0.0.0/8 && ip.dst!=10.0.0.0/8 && tcp.flags.syn==1   # internalโ†’external new conns
tcp.port in {4444 1337 3333 8443 9001 6666 6667}               # common C2/backdoor/IRC ports
!( tcp.port in {80 443 53 25 123 22} ) && ip.dst!=10.0.0.0/8   # unusual outbound ports

# --- Cleartext exposure ---
http.authorization                              # HTTP Basic creds
ftp.request.command in {"USER","PASS"}          # FTP creds
telnet                                          # telnet is all cleartext
frame contains "password"                       # brute string search

# --- Odd clients ---
http.user_agent contains "curl" || http.user_agent contains "python" || http.user_agent contains "powershell"
tls.handshake.extensions_server_name matches "(?i)\\.(top|xyz|tk|ru|cn)$"

Common MITRE-style behaviors โ†” what you see in Wireshark

Attacker behavior pcap signature
Recon / scanning SYN sprays, ICMP echo sweeps, ARP sweeps, RST/ACK replies
Initial access (drive-by/download) HTTP GET of an .exe/.dll/.js, odd User-Agent; Export Objects โ†’ HTTP recovers it
C2 / beaconing Regular-interval small flows, long-lived low-volume conversations, self-signed TLS on odd ports (ยง33)
Lateral movement East-west SMB (smb2), RDP (3389), WMI/DCOM (135 + high ports), PsExec named pipes, Kerberos anomalies
Credential access Cleartext creds, LLMNR/NBT-NS poisoning traffic (llmnr, nbns), Kerberoasting (many TGS requests)
Exfiltration Large outbound to one external IP, DNS/ICMP tunneling, HTTP POST of big bodies (ยง34)

33. Malware, C2 & Beaconing Detection

Beaconing = malware "phoning home" on a schedule to fetch commands. It's periodic and usually low-volume โ€” the opposite of bursty human browsing.

How to spot a beacon in Wireshark

  1. Statistics โ†’ Conversations โ†’ sort by Duration and look for flows that live for the whole capture but move little data.
  2. Isolate the suspect flow (ip.dst == <suspect> or tcp.stream == N).
  3. Add a frame.time_delta_displayed column (or set time format to Seconds Since Previous Displayed Packet).
  4. Look for regular intervals โ€” e.g. a connection every 60.0 s ยฑ small jitter. Human traffic is irregular; a metronome is automation.
  5. I/O Graph the flow (packets/s) โ€” beacons show an evenly spaced comb of spikes.

Corroborating signals

  • Tiny, uniform request sizes with occasional larger responses (command pull vs. task delivery).
  • TLS with a self-signed or mismatched certificate, or no SNI, on a non-standard port (tls && tcp.port != 443).
  • HTTP beacons: repetitive GET/POST to the same URI, unusual User-Agent, checkin-looking paths.
  • Destination reputation: endpoint IP in an unexpected ASN/country (Endpoints + GeoIP), freshly-registered domain in DNS.
# Isolate + time a suspected beacon
ip.addr == 203.0.113.66 && tcp
# then add column frame.time_delta_displayed and watch the interval

๐Ÿ’ก Wireshark shows you the evidence; tools like RITA, Zeek, or your NDR quantify beacon regularity across huge datasets. Use Wireshark to confirm and characterize a beacon your SIEM/NDR flagged, then pull the exact bytes for the malware team.

34. Data Exfiltration & DNS Tunneling

Bulk exfiltration

  • Conversations โ†’ sort by bytes leaving your network. One workstation pushing hundreds of MB to a single external IP (especially over HTTPS/FTP/an odd port) is the classic pattern.
  • HTTP POST with large bodies to an unusual host: http.request.method=="POST" && ip.dst!=10.0.0.0/8 โ€” inspect Content-Length and Follow Stream.
  • Off-hours transfers (correlate timestamps), or steady low-and-slow uploads designed to stay under DLP thresholds.

DNS tunneling / exfil โ€” the hunter's favorite ๐Ÿ”

DNS is often allowed straight out, so malware hides data inside DNS. Signatures:

  • Very long query names with encoded (hex/base32/base64) subdomains: dns.qry.name looks like a3f9c2...e1.tunnel.evil.com, often near the 253-char limit.
  • High volume of unique subdomains under one parent domain (each query smuggles a chunk of data).
  • Heavy use of TXT / NULL / CNAME record types for data return.
  • Requests to one domain vastly outnumbering any web/other traffic to it.
dns.qry.name.len > 50                            # abnormally long names
dns.qry.type == 16                               # TXT (data channel)
dns && frame.len > 300                           # oversized DNS
dns.qry.name matches "(?i)[a-f0-9]{16,}"         # long hex label (encoded payload)
dns.flags.rcode == 3                             # NXDOMAIN storms (DGA hunting)
dns.count.answers == 0 && dns.flags.response==1  # empty answers (tunnel control)

ICMP tunneling

Normal pings are small and uniform. Large or variable ICMP Echo payloads carrying data = covert channel: icmp && data.len > 48. Follow the pattern across the conversation and Follow Stream to read the payload.

๐Ÿ” The mindset: exfil hides in allowed protocols (DNS, HTTPS, ICMP). You detect it by volume, regularity, entropy, and record-type anomalies against the baseline โ€” exactly the "normal" you learned in Part VI.

35. Network Forensics & Evidence Handling

When a capture is evidence, process matters as much as analysis.

Chain of custody & integrity

  • Hash first, analyze the copy. Record SHA256 (Statistics โ†’ Capture File Properties, or capinfos -H file.pcapng) before touching the file. Work on a copy; keep the original read-only.
  • Document: who captured it, where (capture point/TAP/SPAN), when (UTC), with what tool/version, and why. Wireshark's capture file comment (Statistics โ†’ Capture File Properties) and per-packet comments live inside the pcapng and travel with the evidence.
  • Timestamps: set View โ†’ Time Display โ†’ UTC Date and Time of Day for reports so times are unambiguous and correlate with logs/SIEM.
  • Preserve completeness: capture with dumpcap (no dissection, fewer drops), full snaplen (no truncation), no capture filter if you can afford it โ€” you can't analyze evidence you filtered away.

Reconstructing the story

  • Export Objects (HTTP/SMB/FTP/TFTP/IMF) โ†’ recover the actual malware, exfiltrated files, emails, or served pages. Hash recovered files; submit to sandbox/AV; match to threat intel.
  • Follow Stream (Raw) โ†’ carve exact byte ranges (payloads, C2 commands, credentials) into standalone files.
  • DNS + TLS SNI + HTTP Host โ†’ rebuild which domains/IPs were contacted and when โ€” the network narrative.
  • DHCP (hostname/MAC) + ARP โ†’ attribute an IP to a specific device at incident time.
  • File โ†’ Export Specified Packets (Displayed/Marked/Range) โ†’ produce a minimal, court-ready subset instead of shipping the whole capture.

Tie it together

A defensible forensic report says: "At 14:03:11 UTC host WKSTN-07 (MAC .., per DHCP option 12) resolved evil.example (DNS txn 0x4a1b โ†’ 203.0.113.66), opened TCP stream 42 to it, and over 6 minutes POSTed 240 MB (Conversations bytes Aโ†’B). The transferred archive was recovered via Export Objects (SHA256 ..). Evidence file case42.pcapng SHA256 .., captured on the egress TAP with dumpcap 4.x." Every claim above is a filter/feature you now know.

36. IR Triage Workflow

A repeatable 10-minute first pass when someone drops a pcap on your desk mid-incident:

1.  capinfos / Capture File Properties   โ†’ hash, duration, size, capture point
2.  Protocol Hierarchy                   โ†’ what's in here? anything abnormal?
3.  Endpoints (+GeoIP)                    โ†’ unexpected external destinations/countries
4.  Conversations, sort by bytes         โ†’ top talkers = exfil candidates
    Conversations, sort by duration      โ†’ long low-volume = C2 candidates
5.  DNS queries (dns.flags.response==0)   โ†’ DGA / tunneling / bad domains
6.  Expert Information                    โ†’ errors/resets/retransmits worth noting
7.  Isolate suspects (tcp.stream==N)      โ†’ Follow Stream, read the exchange
8.  Export Objects                        โ†’ recover payloads, hash them
9.  Mark + comment key packets            โ†’ annotate the timeline
10. Export Specified Packets (Marked)     โ†’ hand a clean evidence subset up the chain

๐Ÿ’ก Bake steps into a profile: pre-made columns (tcp.stream, dns.qry.name, http.host, frame.time_delta_displayed), coloring rules for C2 ports/cleartext, and a filter-button toolbar of the hunt queries in ยง32. Then triage is click, click, click.


Part IX โ€” Reference

๐Ÿ“‘ Master Cheat Sheet

Display filter quick reference

# ADDRESSING
ip.addr == x            ip.src == x           ip.dst == x
eth.addr == x           ipv6.addr == x        !(ip.addr == x)   # true exclude

# PORTS / PROTO
tcp.port == 443         udp.port == 53        tcp.port in {80 443 8080}
tcp  udp  icmp  arp  dns  http  tls  dhcp  smb2  ftp

# TCP HEALTH (Domain 6 gold)
tcp.analysis.flags               # all issues
tcp.analysis.retransmission      tcp.analysis.duplicate_ack
tcp.analysis.zero_window         tcp.analysis.lost_segment
tcp.analysis.out_of_order        tcp.flags.reset == 1
tcp.flags.syn==1 && tcp.flags.ack==0     # SYN only
tcp.stream == N                  # isolate one conversation

# OPERATORS
==  !=  >  <  >=  <=      &&  ||  !      contains   matches   in   [n:m]

# STRINGS / RECON
frame contains "password"        http.request.method == "POST"
dns.qry.name contains "evil"     tls.handshake.extensions_server_name == "x"

BPF capture filter quick reference

host x          src host x      dst host x      net 10.0.0.0/8
port 53         tcp port 443    udp port 53     portrange 1000-2000
ether host x    vlan 100        not arp         host x and tcp port 443

Numbers to memorize

Thing Value
IP Protocol IDs ICMP=1, TCP=6, UDP=17
EtherTypes IPv4=0x0800, IPv6=0x86DD, ARP=0x0806, VLAN=0x8100
Default TTLs Windows=128, Linux/macOS=64, routers=255
MSS (Ethernet) 1500 โˆ’ 20 โˆ’ 20 = 1460
Ethernet frame min 64, max 1518 bytes (1500 MTU)
DHCP ports client 68 โ†” server 67
DNS UDP 53 (TCP 53 for zone transfer / large)
Private ranges 10/8, 172.16/12, 192.168/16
APIPA 169.254.0.0/16 (DHCP failed)
IPv6 link-local / multicast fe80::/10 / ff00::/8
ICMP echo request=8, reply=0; TTL exceeded=11; unreachable=3
DORA msg types Discover=1, Offer=2, Request=3, ACK=5, NAK=6
TCP throughput โ‰ˆ Window / RTT (BDP)

Keyboard shortcuts

Key Action
Ctrl+F Find packet
Ctrl+M Mark packet
Ctrl+T Set/unset time reference
Ctrl+D Ignore packet
Ctrl+โ†’ / โ† Expand / collapse detail tree
Ctrl+. / , Next / previous packet in conversation
Ctrl+G Go to packet number
Ctrl+Shift+N Next marked packet

The bracket rule (exam!)

Anything in [ ] โ€” [SYN, ACK], [iRTT], [Stream index], [Bytes in flight], [Calculated window size], [Reassembled in ...] โ€” is Wireshark-generated, not bytes on the wire.


๐Ÿ“… 30-Day Study Plan

Week Focus Do this
1 โ€” Foundations Packet flow, interface, capture (Domains 1,2,4) Install; capture your own traffic; add custom columns; build a profile; learn every pane. Read ยง1โ€“19.
2 โ€” Filters + L2/L3 Filters, Ethernet, ARP, IP, ICMP (Domains 3, 5.1โ€“5.4) Drill display + BPF filters on sample pcaps; master the ! trap; do TTL hop-counting; recognize ARP/ICMP types. Read ยง9โ€“24.
3 โ€” TCP (the 17%) TCP end-to-end + UDP/DHCP/DNS (5.7โ€“5.10) Handshake, teardown, seq/ack, options, window, retransmits, dup-ACK+SACK gap math, stream graphs. Do this until it's automatic. Read ยง25โ€“28.
4 โ€” Troubleshoot + Security + Review Domain 6 + your SOC/IR use Work the scenario playbook (ยง30); run the IR triage flow on malware-traffic pcaps; take the official $29 practice exam; re-drill weak areas. Read ยง29โ€“36.

Daily habit: open a real capture and answer one question ("what's the slowest flow?", "any retransmits?", "what domains were resolved?"). Hands-on beats re-reading.

Two weeks out: you should be able to, from memory, (1) draw the TCP handshake with seq/ack, (2) list ICMP/DHCP/DNS types, (3) compute MSS and hop distance, (4) explain the ! any/all trap, and (5) name what each stream-graph line means.


๐Ÿงช Practice Resources

Practice on real packets โ€” reading about Wireshark โ‰  using it.

  • Wireshark sample captures: wiki.wireshark.org/SampleCaptures โ€” protocols of every kind.
  • Malware-Traffic-Analysis.net โ€” free, dated exercises with real malware pcaps + questions + answers. The place to build SOC/IR pcap skills.
  • PacketLife.net captures and CloudShark samples โ€” bite-sized protocol examples.
  • Capture your own โ€” the best lab is your own machine: browse, ping, nslookup, download a file, and watch it happen live.
  • Official WCA practice exam (~US $29 via Webassessor) โ€” closest thing to the real questions, with per-item feedback.
  • Official objectives PDF โ€” wireshark.org/certifications โ†’ download the WCA-101 objectives and check off each bullet.
  • Endorsed training: Packet Pioneer (Chris Greer), Network Nerd, SCOS, SYN-bit.

โš ๏ธ Avoid "exam dump" sites promising real questions โ€” they violate exam policy, are often wrong, and won't teach you the hands-on analysis the WCA actually tests. Learn the packets; the questions take care of themselves.


โœ… Final pre-exam checklist

  • I can draw the 3-way handshake and label seq/ack numbers.
  • I can compute MSS (1460) and hop distance from TTL.
  • I can explain why ip.addr != x fails and !(ip.addr == x) works.
  • I know Discover/Offer/Request/ACK and the two meanings of a DHCP Request.
  • I can find the missing byte range from a dup ACK + SACK block.
  • I can tell server slowness from network slowness in an HTTP flow.
  • I know what every [bracketed] field means (generated, not on wire).
  • I can name ICMP types 0/8/3/11 and ICMPv6 NS/NA/RS/RA.
  • I know TAP vs SPAN vs endpoint capture trade-offs.
  • I can run Conversations/Endpoints/Protocol Hierarchy/IO Graph and interpret them.
  • I can capture with a ring buffer and export specified packets.
  • I can find a beacon, spot DNS tunneling, and recover a file with Export Objects.

๐Ÿ“œ License

Released under CC BY 4.0 โ€” free to share and adapt with attribution.

Wiresharkยฎ is a registered trademark of the Wireshark Foundation. This is an independent study guide, not an official Wireshark Foundation product. Exam facts were current as of mid-2026 โ€” always confirm details at wireshark.org/certifications before you register.

Now stop reading and go open a capture. ๐Ÿฆˆ

About

Master Wireshark

Resources

License

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors