A single, deep, practical reference to take you from "I can open a pcap" to passing the Wireshark Certified Analyst (WCA-101) exam and working real cases in a SOC, Incident Response, or Network Forensics role.
Everything here is applied knowledge: filters you can paste, header fields you must know cold, attacker traffic patterns, and troubleshooting workflows.
This document is deliberately structured to serve two goals at once:
| Goal | How this guide serves it |
|---|---|
| Pass WCA-101 | Every major section is tagged with the official exam domain and weight (e.g. ๐ฏ Domain 5.10 โ TCP (17%)). If it's on the exam, it's flagged. |
| Do real SOC / IR / forensics work | Look for the ๐ Analyst Lens callouts โ these turn each protocol into detection logic, IOCs, and hunt queries. |
Recommended path:
- Read top-to-bottom once for the mental model.
- Do every filter in this guide against a real capture (start your own with
File โ Capture, or download sample pcaps โ see Practice Resources). - Come back and use the Cheat Sheets as working reference.
Legend used throughout:
๐ฏ= maps to a WCA-101 exam objective ย โขย๐= SOC/IR/Forensics application ย โขยโ ๏ธ= common mistake / exam trap ย โขย๐ก= pro tip
Part I โ Foundations
- The WCA-101 Exam, Decoded
- How Packets Flow Through a Network
- Installing & First Capture
- The Wireshark Interface (every pane explained)
Part II โ Capturing Like a Pro ย ๐ฏ Domain 2 (10%)
5. Capture Methods: TAP, SPAN, Endpoint, Multi-point
6. Capture Options, Ring Buffers & Limits
7. Promiscuous vs Monitor Mode
8. Command-Line Capture: dumpcap, tshark, tcpdump
Part III โ Filtering ย ๐ฏ Domain 3 (12%)
9. Capture Filters (BPF)
10. Display Filters โ Complete Reference
11. Operators, Membership, and the ! Trap
12. Filter Buttons, Macros & the "incomplete results" trap
Part IV โ Interface Mastery ย ๐ฏ Domain 4 (5%)
13. Columns, Coloring Rules & the Minimap
14. Profiles โ your most underrated tool
15. Protocol Preferences & "Decode As"
Part V โ Key Features ย ๐ฏ Domain 1 (10%)
16. Find Packet, Marks, Comments & Time References
17. Name Resolution & Capture File Properties
18. Statistics: Protocol Hierarchy, Conversations, Endpoints, I/O Graph
19. Following Streams & Exporting Objects
Part VI โ Protocol Deep Dives ย ๐ฏ Domain 5 (43%)
20. Ethernet 5.1
21. ARP 5.2
22. IPv4 5.3
23. ICMPv4 5.4
24. IPv6 & ICMPv6 5.5โ5.6
25. UDP 5.7
26. DHCPv4 (DORA) 5.8
27. DNS 5.9
28. TCP โ the big one 5.10 (17%)
Part VII โ Application Layer & Troubleshooting ย ๐ฏ Domain 6 (20%)
29. HTTP / HTTPS / TLS
30. Troubleshooting Methodology & Scenarios
31. The Expert Information System
Part VIII โ Security Operations ย ๐ SOC / IR / Forensics
32. Threat Hunting in pcap
33. Malware, C2 & Beaconing Detection
34. Data Exfiltration & DNS Tunneling
35. Network Forensics & Evidence Handling
36. A Repeatable IR Triage Workflow
Part IX โ Reference 37. Master Cheat Sheet 38. 30-Day Study Plan 39. Practice Resources
The Wireshark Certified Analyst (WCA-101) is the official Wireshark Foundation certification, launched June 2025, authored by Chris Greer and Ross Bagurdes with input from Gerald Combs (Wireshark's creator).
| Attribute | Detail |
|---|---|
| Questions | 50โ60 |
| Question types | Multiple choice/selection, matching, fill-in-the-blank |
| Time | 120 minutes |
| Delivery | Kryterion / Webassessor โ testing center or online, human-proctored (webcam + mic) |
| Allowed | Pen/pencil + blank paper only. No notes, devices, or software. |
| Retake | One attempt per 15 days |
| Validity | 3 years (renew by retaking) |
| Practice exam | ~US $29 via Webassessor (worth it โ gives per-question feedback) |
| # | Domain | Weight |
|---|---|---|
| 1.0 | Utilize key features of Wireshark | 10% |
| 2.0 | Methods of capturing traffic | 10% |
| 3.0 | Capture and display filters | 12% |
| 4.0 | Configure/adapt the Wireshark interface | 5% |
| 5.0 | Common network protocols | 43% |
| โ | โณ of which TCP alone | (17%) |
| โ | โณ non-TCP protocols | (27%) |
| 6.0 | Troubleshoot common protocol issues | 20% |
โ ๏ธ Where the exam is won or lost: Domains 5 (protocols, 43%) and 6 (troubleshooting, 20%) are 63% of your score, and TCP alone is 17% and scored separately. If your TCP and troubleshooting are weak, you fail regardless of everything else. Spend your study time proportionally.
๐ Good news for security folks: the exam's protocol depth is your forensics/IR foundation. You cannot detect a malicious TCP session, a beacon, or DNS tunneling if you don't first understand what normal looks like at the byte level. This guide teaches "normal" and "malicious" side by side.
๐ฏ Domain 5/6 explicitly test "describe packet flow through a data network" and "determine network topology only using information in a packet capture." This mental model is the backbone of everything.
Every packet Wireshark shows you is a set of nested headers. Data is wrapped as it goes down the sending stack and unwrapped going up the receiving stack.
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Ethernet Header โ IP Header โ TCP Header โ Application Data โ Ethernet FCS
โ (Layer 2) โ (Layer 3) โ (Layer 4) โ (Layer 7) โ (dropped by NIC)
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Dest/Src MAC Dest/Src IP Dest/Src Port HTTP / DNS / TLS...
EtherType TTL, Proto Seq/Ack, Flags
Wireshark's Packet Details pane shows exactly this stack, one expandable tree per layer, top (Frame) to bottom (application).
As a packet crosses a router (Layer 3 hop):
| Field | Changes at each router? | Why it matters |
|---|---|---|
| Source/Dest MAC | โ Yes โ rewritten every hop | MAC is only locally significant. The MAC you see is the last device that forwarded the frame to your capture point. |
| Source/Dest IP | โ No (unless NAT) | End-to-end identity. NAT is the exception (see ยง22). |
| TTL | โ Decremented by 1 each router | Lets you estimate hop distance from the capture point. |
| IP Total Length / payload | โ No (unless fragmentation) | โ |
๐ก The single most useful topology trick: Look at the TTL of arriving packets and compare to the sender's typical OS default (Windows = 128, Linux/macOS = 64, many network devices = 255). If a Linux host's packets arrive with TTL 61, they crossed 64 โ 61 = 3 routers to reach your capture point.
๐ฏ Domain 5.3: "Predict most likely distance, in hops, from the capturing device."
- Same subnet (Layer 2): Host ARPs for the destination's MAC, frames go switchโswitch, IP unchanged, MAC = actual destination.
- Different subnet (Layer 3): Host ARPs for its default gateway's MAC, sends the frame to the router's MAC (but the destination IP is the far-away host). The router then forwards on. This is why dest MAC โ dest IP owner when talking off-subnet โ a classic exam matching question.
๐ Forensics application: In a capture, if you see a host sending to many external IPs but always to the same destination MAC, that MAC is the gateway/router. Mapping MACโIP relationships reconstructs the local topology from a single pcap โ exactly what you do when you're handed an unknown capture in an IR case.
- Windows / macOS: download from wireshark.org/download. On Windows, install Npcap (bundled) โ it's the packet capture driver. Check "Install Npcap in WinPcap API-compatible mode" if older tools need it.
- Linux:
sudo apt install wireshark(Debian/Ubuntu) orsudo dnf install wireshark. During install, allow non-root capture so you don't have to run Wireshark as root (it adds you to thewiresharkgroup; log out/in after). - Never run Wireshark as root/admin for routine work โ the dissectors parse hostile input; a capture-only helper (
dumpcap) runs with elevated rights instead. This is a security best practice and a forensics integrity practice.
- Launch Wireshark โ the Welcome screen lists interfaces, each with a live sparkline showing traffic. Pick the busy one (usually
Wi-FiorEthernet/eth0). - Double-click it โ capture starts, packets stream in.
- Type
httpin the display filter bar, press Enter โ only HTTP shows. - Click the red โน Stop button.
File โ Save Asโ choose pcapng (the modern default) or pcap (max compatibility).
โ ๏ธ Exam trap โ pcap vs pcapng๐ฏ Domain 1: pcapng (next-gen) supports multiple interfaces in one file, per-packet comments, capture metadata, and nanosecond timestamps. pcap (legacy libpcap) is simpler and more portable to old tools but lacks comments/metadata. Wireshark defaults to pcapng. If a tool "loses your comments," you saved as pcap.
๐ฏ Domain 4.0: "Identify key components of the GUI." Know every pane by name.
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Menu bar | Main toolbar (start/stop/restart, navigation) โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ [ Display filter bar ] โ type filters here; green=valid, red=invalid โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ โ PACKET LIST PANE (top) โ โ โ minimap
โ โ No. | Time | Source | Destination | Protocol | Length | Info โ โ (colored
โ โ 1 0.000 10.0.0.5 10.0.0.1 TCP 74 [SYN] ... โ โ sidebar)
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ PACKET DETAILS PANE (middle) โ expandable protocol tree โ
โ โธ Frame 1: 74 bytes on wire โ
โ โธ Ethernet II, Src: ..., Dst: ... โ
โ โธ Internet Protocol Version 4, Src: ..., Dst: ... โ
โ โธ Transmission Control Protocol, Src Port: ..., Dst Port: ... โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ PACKET BYTES PANE (bottom) โ raw hex + ASCII โ
โ 0000 00 1a 2b 3c 4d 5e ... ..+<M^.... โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Status bar: expert severity dot | profile | packet counts โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
| Pane | What it is | Analyst use |
|---|---|---|
| Packet List (top) | One row per packet. Columns are customizable. | 90% of triage happens here โ scan Info + colors. |
| Packet Details (middle) | The decoded protocol tree for the selected packet. | Click any field โ its bytes highlight below and its filter name shows in the status bar. |
| Packet Bytes (bottom) | Raw hex + ASCII. | Confirm ground truth; spot cleartext creds, hidden strings, exfil. |
๐ก The link between panes is a superpower. Click a field in the Details pane โ the exact bytes highlight in the Bytes pane, and the bottom-left status bar shows the display filter field name (e.g.
tcp.flags.syn). This is how you learn filter syntax without memorizing it โ click the field you care about, read its name, right-click โ Apply as Filter.
โ ๏ธ Exam trap โ brackets[ ]๐ฏ Domain 1: "Distinguish actual bytes captured from fields generated by dissectors."Anything Wireshark shows in square brackets โ like[SYN, ACK],[Stream index: 0],[iRTT],[Bytes in flight],[Calculated window size]โ is generated by Wireshark, not real bytes on the wire. You will get a question about this. Fields not in brackets came from the packet itself.
๐ฏ "Compare and contrast the benefits of different methods for traffic capture." This is a guaranteed exam question. Learn the trade-offs.
| Method | How | Sees | Pros | Cons / Gotchas |
|---|---|---|---|---|
| Direct on endpoint | Run Wireshark on the host itself | Only that host's own traffic | Zero extra hardware; easy | Only one host; capture process can alter/observe its own traffic; misses dropped-before-stack frames |
| Port Mirror (SPAN) | Switch copies traffic from port(s)/VLAN to a monitor port | Everything on mirrored ports/VLAN | No inline device; flexible | Switch drops mirrored frames under load (oversubscription); may drop errored frames, strip VLAN tags, and doesn't guarantee timing accuracy |
| Network TAP | Passive hardware inserted inline on a link | 100% of link traffic, both directions | Most reliable & complete; passive (fails safely); preserves errors & timing | Costs money; must be placed inline (brief link cut to install); full-duplex TAP presents 2 streams to merge |
| Infrastructure device | Capture on router/firewall itself (e.g. debug, embedded capture) |
Traffic transiting that device | No extra gear; good vantage point | Can burden the device; limited buffer; often post-routing (MACs rewritten) |
| Multi-point capture | Capture at several locations simultaneously | Same flow from multiple vantage points | Locate where loss/latency is introduced; compare in vs out | Must time-sync captures (NTP/PTP); more data to correlate |
๐ก TAP vs SPAN โ the exam's favorite comparison: A TAP is passive hardware that copies every bit including errors and never drops under load; a SPAN/mirror is a switch software feature that is convenient but can drop packets, drop errors, and reorder when the switch is busy. For forensics/evidence, prefer a TAP โ completeness and integrity matter.
๐ Analyst placement strategy: Where you capture determines what you can prove.
- Suspected exfiltration? Capture at the internet egress (outside the firewall / on the TAP feeding your NDR).
- Lateral movement? Capture east-west at distribution/core or on the segment of interest โ north-south egress won't show it.
- Endpoint compromise, host-only case? Direct capture on the host (but assume malware may hide from a host-based capture; a network vantage is harder to evade).
Open with Capture โ Options (or the โ gear). Key controls:
- Pick interface(s) โ you can select multiple in one capture (pcapng only).
- Promiscuous mode checkbox (see ยง7).
- Snap length (snaplen): bytes captured per packet. Default = full packet. Set it small (e.g. 96) to capture headers only on high-volume links to save disk โ but you'll lose payload (bad for forensics/object extraction).
- Buffer size: kernel capture buffer; raise it on busy links to avoid drops.
๐ฏ "Limit capture by file size, packets, or duration" and "Implement a Ring Buffer."
Long, unattended captures (a common SOC/forensics need โ "capture until the intermittent problem recurs") use ring buffers so you never fill the disk:
Capture โ Options โ Output tab:
โ Output format: pcapng
โ File: /captures/case42.pcapng
โ [โ] Create a new file automatically after:
โ [ 100 ] megabytes โ or after N seconds / packets
โ [โ] Use a ring buffer with [ 20 ] files
- Ring buffer with N files: Wireshark writes
case42_00001_<timestamp>.pcapng, rolls to_00002, ... and when it reaches file N it overwrites the oldest. You always keep the most recent N files worth of traffic. Perfect for "let it run for days, grab the window around the incident." - Autostop conditions (Options โ Stop capture automatically after): stop after X files / packets / seconds / MB. Combine: "stop after 1 hour OR 1 GB."
| Control | Where | Use case |
|---|---|---|
| Files (ring) | Output tab | Continuous monitoring without filling disk |
| Autostop: packets | Options | Grab exactly N packets then stop |
| Autostop: duration | Options | Time-boxed capture (e.g. 60s baseline) |
| Autostop: filesize | Options | Cap a single file's size |
๐ก Start / Stop / Restart
๐ฏ: the toolbar has all three. Restart (โณ) stops and immediately starts a fresh capture โ handy to clear a noisy buffer right before triggering the behavior you want to record.
๐ Forensics tip: For an evidence capture, prefer
dumpcap(see ยง8) over the GUI โ it's leaner, less likely to drop, and doesn't run the (attackable) dissectors while capturing. Capture broad (no filter), preserve the original file untouched, and analyze a copy.
๐ฏ "Describe the purpose of using promiscuous or monitor mode during a capture." Know the difference precisely โ it's a classic fill-in-the-blank.
| Mode | Layer | What it does | Without it |
|---|---|---|---|
| Promiscuous mode | Wired (and Wi-Fi, associated) | NIC keeps all frames it hears, not just those addressed to its own MAC or broadcast/multicast | NIC drops frames not destined to it โ you'd only see your own host's traffic |
| Monitor mode (rfmon) | Wireless only | Radio captures 802.11 frames from all nearby networks without associating to any AP; sees management/control frames, beacons, other SSIDs | You only see traffic of the network you're joined to, already decrypted to look like Ethernet |
Key nuances:
- Promiscuous mode on a switched network shows little extra โ a switch only forwards unicast to the correct port. You still only see broadcast/multicast + your own traffic unless you're on a SPAN port, TAP, or hub. This surprises people: "I enabled promiscuous mode but still only see my traffic" โ because the switch is filtering, not your NIC.
- Monitor mode is for Wi-Fi analysis (rogue AP hunting, deauth attacks, capturing WPA handshakes). Support is OS/driver dependent โ best on Linux/macOS; often unavailable on Windows without special adapters.
๐ SOC/IR use of monitor mode: detecting deauthentication floods (
wlan.fc.type_subtype == 0x0c), rogue/evil-twin APs (unexpected BSSIDs beaconing your SSID), and capturing the 4-way handshake for authorized WPA2 audits.
๐ฏ "Capture traffic using command line tools." You must know what each tool is for.
| Tool | Role | Notes |
|---|---|---|
| dumpcap | The actual capture engine | Wireshark & tshark call it under the hood. Leanest, least likely to drop. Use it for evidence-grade captures. |
| tshark | Terminal Wireshark | Full dissection, display filters, statistics โ no GUI. For scripting, remote boxes, huge files. |
| tcpdump | Classic *nix sniffer | Ubiquitous on servers; uses BPF (capture-filter) syntax; output is pcap you open in Wireshark. |
| editcap / mergecap / capinfos | pcap surgery | split/slice, merge, and summarize capture files. |
# Capture 60s on eth0 to a ring buffer of 10x100MB files (unattended, disk-safe)
dumpcap -i eth0 -b filesize:100000 -b files:10 -w /captures/case.pcapng
# tcpdump on a remote server: only host 10.0.0.9, don't resolve names, full packets
tcpdump -i any host 10.0.0.9 -nn -s0 -w /tmp/host9.pcap
# tshark: read a file, apply a DISPLAY filter, print custom columns
tshark -r case.pcapng -Y "http.request" -T fields -e ip.src -e http.host -e http.request.uri
# tshark: live capture with a CAPTURE filter (BPF), stop after 1000 packets
tshark -i eth0 -f "tcp port 443" -c 1000 -w tls.pcapng
# capinfos: quick stats about a capture (great first step on unknown evidence)
capinfos case.pcapng
# editcap: slice out a time window from a huge evidence file (UTC)
editcap -A "2026-07-13 14:00:00" -B "2026-07-13 14:05:00" big.pcapng window.pcapng
# mergecap: combine multi-point captures into one time-ordered file
mergecap -w combined.pcapng site-a.pcapng site-b.pcapng
โ ๏ธ -fvs-Yin tshark โ-fis a capture filter (BPF, applied before capture, like tcpdump).-Yis a display filter (Wireshark syntax, applied after dissection). Mixing them up is a classic mistake.
๐ Forensics workflow with the CLI:
capinfosfirst (hashes, packet count, time range, interfaces) โeditcapto carve the relevant window โ analyze the copy in Wireshark โ keep the original + its SHA256 untouched for chain of custody (ยง35).
Filtering is the skill that separates people who use Wireshark from people who drown in it. There are two completely different filter languages โ mixing them up is the #1 beginner error.
๐ฏ "Compare and contrast Display Filters and Capture Filters." Guaranteed question.
| Capture Filter | Display Filter | |
|---|---|---|
| When applied | Before capture โ decides what's written to disk | After capture โ decides what's shown |
| Syntax | BPF (Berkeley Packet Filter), same as tcpdump | Wireshark's own richer language |
| Reversible? | โ No โ filtered-out packets are gone forever | โ Yes โ just clear the filter, all packets return |
| Example | host 10.0.0.5 and tcp port 443 |
ip.addr == 10.0.0.5 && tcp.port == 443 |
| Where | Capture โ Options (or bar on Welcome screen) | The main filter bar (green when valid) |
| Use it to | Reduce volume on busy links; protect disk/privacy | Zoom in on already-captured data |
โ ๏ธ The golden rule: For forensics/IR, capture broadly, filter on display. A capture filter that's too tight throws away evidence you can never recover. Only use capture filters when volume genuinely forces it (e.g. multi-gig links, long unattended runs).
BPF is primitive-based: [protocol] [direction] [type] value, combined with and / or / not.
host 192.168.1.10 # traffic to OR from that IP
src host 192.168.1.10 # only from
dst host 192.168.1.10 # only to
net 10.0.0.0/8 # a whole subnet
port 53 # TCP or UDP port 53
tcp port 443 # TCP 443 only
udp port 53 # DNS over UDP
portrange 1000-2000 # a range
ether host 00:1a:2b:3c:4d:5e # a MAC address
vlan 100 # VLAN-tagged traffic, VLAN 100
tcp[13] & 2 != 0 # SYN bit set (byte 13 = flags, 0x02 = SYN)
not arp and not stp # exclude noise
host 10.0.0.5 and tcp port 443 # combine with 'and'๐ก BPF has no
==. It'shost X,port Y, notip.addr == X. If you typeip.addr ==into the capture filter box, it's invalid. That word-based feel is how you remember you're in BPF land.
๐ Useful evidence capture filters:
- Everything to/from a suspect host:
host 10.10.10.66- Exclude your own management noise:
not host <your-jumpbox> and not port 22- Only a subnet under investigation:
net 172.16.5.0/24
This is Wireshark's rich language. Format: protocol.field operator value.
# ---- Addressing ----
ip.addr == 10.0.0.5 # src OR dst is this IP (see ! trap below)
ip.src == 10.0.0.5 # source only
ip.dst == 8.8.8.8 # destination only
eth.addr == 00:11:22:33:44:55 # MAC src or dst
ipv6.addr == 2001:db8::1
# ---- Ports & transport ----
tcp.port == 443 # src or dst TCP 443
udp.port == 53
tcp.srcport == 49152
tcp.dstport == 80
# ---- Protocol name = "this layer is present" ----
tcp udp icmp arp
dns http tls dhcp ftp smb2
# ---- TCP analysis (the money filters โ see ยง28) ----
tcp.flags.syn == 1 && tcp.flags.ack == 0 # SYN only (connection attempts)
tcp.analysis.retransmission # retransmits
tcp.analysis.duplicate_ack # dup ACKs
tcp.analysis.zero_window # receiver stalled
tcp.analysis.flags # ALL expert TCP issues at once
# ---- Application ----
http.request.method == "POST"
http.response.code == 200
dns.qry.name contains "evil"
tls.handshake.type == 1 # ClientHello| Meaning | C-style | English | Example |
|---|---|---|---|
| equal | == |
eq |
ip.src == 10.0.0.1 |
| not equal | != |
ne |
tcp.port != 80 |
| greater | > |
gt |
frame.len > 1000 |
| less | < |
lt |
tcp.window_size < 1000 |
| โฅ / โค | >= <= |
ge le |
ip.ttl <= 64 |
| AND | && |
and |
ip.src==X && tcp.port==443 |
| OR | || |
or |
dns || http |
| NOT | ! |
not |
!arp |
contains # byte-sequence / substring match (case-sensitive)
http.user_agent contains "curl"
frame contains "password" # raw bytes anywhere in frame
matches # regex (PCRE), case-insensitive with (?i)
http.host matches "(?i)\\.(ru|cn|top)$"
dns.qry.name matches "^[a-f0-9]{32}\\." # hex-label DNS tunneling
in # membership set ๐ฏ explicitly on the exam
tcp.port in {80 443 8080}
ip.addr in {10.0.0.1 10.0.0.2 10.0.0.3}
http.response.code in {400..599} # ranges work too
[n:m] # slice bytes: offset n, length m
eth.dst[0:3] == 00:1a:2b # match an OUI (vendor)
frame[100:4] == aa:bb:cc:dd๐ฏ Membership filters (
tcp.port in {80,443}) are called out by name in Domain 3. They're cleaner thantcp.port==80 || tcp.port==443and you will see one.
๐ฏ "Use multiple methods to create a display filter (manual entry, right click, drag/drop)."
- Manual entry โ type in the bar (autocomplete helps).
- Right-click a field in Packet Details โ Apply as Filter โ Selected (or Prepare as Filter to edit before applying). Sub-options:
...and Selected,...or Selected,...and not Selectedbuild compound filters click-by-click. - Drag & drop โ drag a field from the Details pane straight into the filter bar to append it.
๐ก Apply as Filter builds the filter and runs it; Prepare as Filter puts it in the bar so you can tweak it first. Also: right-click โ Apply as Column turns any field into a permanent Packet List column (huge for triage โ see ยง13).
๐ฏ Domain 3 explicitly: "Identify the behavior of using ! (not) in different parts of filter logic by explaining the implicit 'any' and 'all' qualifiers." This is one of the most misunderstood topics in all of Wireshark and a favorite exam question. Read this twice.
ip.addr is true if src OR dst matches. Fields like this have an implicit "any" qualifier: "match if any address field equals X."
Now negate it. People write this to mean "exclude host 10.0.0.5":
ip.addr != 10.0.0.5 # โ ๏ธ DOES NOT do what you thinkBecause ip.addr != 10.0.0.5 expands to "is there any address field that is not 10.0.0.5?" In a packet 10.0.0.5 โ 8.8.8.8, the dst (8.8.8.8) is "not 10.0.0.5", so the any test is true โ the packet is shown. You fail to exclude the host you wanted gone.
!(ip.addr == 10.0.0.5) # โ
correct: "not (any field is 10.0.0.5)"This reads as "show packets where it is not the case that any address is 10.0.0.5" โ truly excludes every packet touching 10.0.0.5.
| You want | โ Wrong (implicit any) | โ Right |
|---|---|---|
| Exclude all traffic with host X | ip.addr != X |
!(ip.addr == X) |
| Exclude a port entirely | tcp.port != 80 |
!(tcp.port == 80) |
๐ก Mental model:
field != valuemeans "at least one instance of this field โ value" (any).!(field == value)means "no instance of this field == value" (all/none). When negating multi-instance fields (addresses, ports, which appear twice per packet), always wrap the equality in!( ).
๐ Why analysts get burned by this: you're triaging an incident, you try to filter out a known-good host with
ip.addr != 10.0.0.5, the noise doesn't go away, and you waste ten minutes. Now you know:!(ip.addr == 10.0.0.5).
# Hide known-good chatter to reveal the anomalies
!(ip.addr == 10.0.0.1) && !(arp || dns || stp || nbns)Type a filter, then click the + at the right end of the filter bar โ name it โ it becomes a one-click button under the filter bar. Buttons are per-profile, so your "SOC" profile can carry a whole toolbar of hunt filters.
Great buttons to pre-build for SOC/IR:
Retransmits โ tcp.analysis.retransmission
Resets โ tcp.flags.reset == 1
SYN-no-SYNACK โ tcp.flags.syn==1 && tcp.flags.ack==0
BigDNS โ dns && frame.len > 300
HTTP-POST โ http.request.method == "POST"
Cleartext-pw โ frame contains "password" || frame contains "passwd"๐ก You can group buttons with
//in the name (e.g.TCP//Retransmits) to make dropdown menus once you have many.
๐ฏ "Identify situations where a display filter will show incomplete or excess results (e.g. filter for HTTP but don't see the TCP handshake)."
Display filters match per-packet on the layers present in that packet. Consequences:
- Filter
httpโ you lose the TCP handshake. The SYN/SYN-ACK/ACK and the pure-ACKs carry no HTTP layer, so they're hidden. You see requests/responses but not the connection setup or the ACKs. To see the whole conversation, right-click a packet โ Follow โ TCP Stream (auto-buildstcp.stream == N) or filter by the stream/port instead of the app protocol. - Reassembled data appears "in the wrong packet." With TCP reassembly on, a big HTTP response is shown against the last TCP segment that completed it; filtering
httpshows that one packet, not all the segments that carried the bytes. - Excess results from
ip.addr/tcp.portโ the "any" behavior means a filter can catch more than you intended (see ยง11).
๐ก The fix nearly every time: when a display filter shows a confusing subset, switch to the conversation view:
tcp.stream == N(from Follow Stream) shows every packet of that flow โ handshake, data, ACKs, teardown โ regardless of which app layer is present.
The default columns waste screen space. Custom columns put the exact evidence you need one glance away.
Two ways to add a column ๐ฏ "use multiple methods to add a column":
- Right-click a field in Packet Details โ Apply as Column.
- Preferences โ Appearance โ Columns โ
+, set Type = Custom, and enter a field expression.
High-value columns to add (per-profile):
| Column field | Shows | Why |
|---|---|---|
tcp.stream |
Stream index | Instantly group packets by conversation |
tcp.analysis.ack_rtt |
ACK round-trip time | Spot latency at a glance |
ip.ttl |
TTL | Topology/hop distance; spoofing hints |
tcp.window_size |
Calculated window | Spot zero-window / flow-control stalls |
dns.qry.name |
Queried domain | DNS triage without opening packets |
http.host + http.request.uri |
Web target | See where hosts are browsing/beaconing |
frame.time_delta_displayed |
ฮ from previous displayed packet | Measure gaps between filtered packets (beacon intervals!) |
๐ก Right-align numeric columns and drag to reorder. Column layouts are saved per profile โ build a "TCP-Troubleshooting" profile with latency/window columns and a "SOC-Hunt" profile with DNS/HTTP/host columns.
View โ Coloring Rules. Rules are display-filter expressions evaluated top-to-bottom; first match wins, and it colors the row in the Packet List. Wireshark ships with sensible defaults (black on red = TCP problems/resets, etc.).
Build custom rules for hunting:
# Name Filter Color
C2-suspect-ports โ tcp.port in {4444 1337 8443 9001} red bg
Long-DNS โ dns && frame.len > 300 orange bg
Cleartext-creds โ frame contains "password" magenta bg
Outbound-to-rare โ ip.dst != 10.0.0.0/8 && tcp.flags.syn==1 yellow bg
โ ๏ธ Exam note: coloring rule = a display filter that colors rather than hides. Order matters (first match wins). You can temporarily disable/reorder rules. Colorize Conversation (right-click โ Colorize Conversation) is a separate, quick, temporary way to tint all packets of one flow without writing a rule.๐ฏ Domain 4 lists both.
The thin vertical strip to the right of the Packet List is the minimap (a.k.a. intelligent scrollbar). It renders the coloring of the whole capture in miniature, so a band of red = a cluster of TCP problems you can click straight to. Combined with good coloring rules, it lets you see where trouble is in a 500k-packet file without scrolling. ๐ฏ "Use the minimap to quickly locate packets of interest."
๐ฏ "Describe the value of profiles. Create/modify/copy a profile." Underrated, absolutely on the exam.
A profile is a saved bundle of your entire working environment: columns, coloring rules, filter buttons, layout, capture filters, preferences, and "recent" display filters. Switch profiles to instantly reconfigure Wireshark for a task.
- Switch/create: bottom-right of the status bar shows the current profile (e.g. Default). Right-click it โ New / Copy / Manage Profiles. Copying an existing profile is the fast way to start.
- Why it matters: you keep separate mental toolkits โ e.g.
Default,TCP-Perf,SOC-Hunt,VoIP,DFIR-Caseworkโ each with its own columns, colors, and buttons, and you don't clutter one setup with another's noise.
๐ A ready-made "DFIR" profile = stream-index & host columns + C2/cleartext coloring rules + a filter-button toolbar of hunt queries + name resolution off (ยง17). Set it up once, reuse on every case. Profiles live in the Wireshark config folder (Help โ About โ Folders โ Personal configuration) and can be copied to a USB stick / git repo and dropped onto any analyst's machine.
Edit โ Preferences โ Protocols (or right-click a protocol in Details โ Protocol Preferences). These change how Wireshark dissects, which changes what you see. The ones that bite analysts:
| Preference | Effect | When to change |
|---|---|---|
| TCP โ Relative sequence numbers | Show seq/ack starting at 0 (readable) vs raw | Keep on for reading; turn off to match absolute values in another tool |
| TCP โ Allow subdissector to reassemble TCP streams | Reassemble app data across segments | Turn off to see raw per-segment data; on for clean HTTP/TLS |
| TCP โ Calculate conversation timestamps | Enables tcp.time_delta / tcp.time_relative |
Turn on for beacon-interval & per-flow timing analysis |
| IPv4 โ Validate checksum | Flags bad IP checksums | Off by default because checksum offload makes locally-captured outbound packets show bad checksums that aren't real (see below) |
โ ๏ธ Checksum-offload trap: On the sending host, the NIC computes TCP/IP checksums after Wireshark captures the packet (hardware offload). So your outbound packets show "checksum incorrect" even though the wire is fine. Don't chase this ghost โ it's why checksum validation is off by default. A real bad checksum on inbound traffic is a different story.
Right-click a packet โ Decode As... tells Wireshark to dissect traffic on a nonstandard port with a chosen dissector. Example: an app runs HTTP on TCP 8081; Wireshark shows it as generic "TCP." Decode As โ HTTP โ now port 8081 is fully dissected as HTTP for this session.
๐ Huge for malware analysis: C2 loves oddball ports (HTTP on 8443, TLS on 4444). Decode As forces the right dissector so you can actually read the beacon. You can also use it to decode custom protocols or push a dissector onto a port the malware picked to evade naive tooling.
Ctrl+F opens the Find bar. Search by Display filter, Hex value, String, or Regex, and choose the pane to search (Packet list / details / bytes). String search across bytes is how you locate a filename, username, or IOC string anywhere in a capture.
Find โ String โ "confidential" โ search Packet bytes โ jumps to any packet containing it
Find โ Display filter โ tcp.flags.reset==1 โ next RST
- Mark (Ctrl+M): flags packets of interest (they turn black). Marks let you export only marked packets to a new evidence file (see below) and jump between them (Ctrl+Shift+N / โ).
- Ignore (Ctrl+D): hides a packet from analysis without deleting it.
- Packet comment: right-click a packet โ Packet Comment (or Edit menu). Adds an analyst note stored in the pcapng. Invaluable for casework: annotate "โ first beacon" or "โ exfil starts here."
- Capture file comment: Statistics โ Capture File Properties has a comments box for case-level notes (analyst, case #, source).
โ ๏ธ Comments require pcapng โ save as pcap and they vanish.
- Set Time Reference (Ctrl+T): marks a packet as t=0; all following packets' times are shown relative to it (that packet shows
*REF*). Perfect for measuring "how long after the SYN did X happen." - Time display formats โ View โ Time Display Format:
- Seconds Since Beginning of Capture (default relative)
- Seconds Since Previous Displayed Packet โ the delta view; gaps jump out (great for spotting beacon intervals and stalls)
- UTC Date and Time of Day โ use this for forensics/reporting so timestamps are unambiguous across time zones
- Seconds Since Epoch โ for correlating with logs
๐ก ฮ time is a hunt tool. Filter to a suspected C2 conversation, set time format to Seconds Since Previous Displayed Packet (or add column
frame.time_delta_displayed), and if you see a metronome โ e.g. a packet every ~60.00s ยฑ jitter โ that regularity screams automated beaconing, not human browsing (ยง33).
View โ Name Resolution (and Preferences โ Name Resolution) toggles three layers:
| Layer | Turns... | Source | Caution |
|---|---|---|---|
MAC (Resolve physical addresses) |
00:1a:2b:... โ Cisco_3c:4d:5e |
Built-in OUI/manuf database | Only shows vendor, not device |
Transport (Resolve transport names) |
443 โ https |
services file |
Port name is a guess by number |
Network (Resolve network addresses) |
8.8.8.8 โ dns.google |
DNS lookups |
โ ๏ธ Forensics/OPSEC warning: enabling network name resolution makes Wireshark send DNS queries for every IP in the capture โ from your analysis box. On a live incident this can tip off an attacker (reverse lookups of their infrastructure) and pollute your own capture if you're analyzing live. For DFIR, keep network resolution OFF; rely on the capture's own DNS packets to map names to IPs. Wireshark can also read a hosts file for offline resolution.
Statistics โ Capture File Properties (or click the leftmost status-bar icon) โ your first stop on any unknown capture. It shows:
- File name, length, format (pcap/pcapng), hashes (SHA256/SHA1/MD5) โ evidence integrity!
- First/last packet time & capture duration
- Number of interfaces, their names, link type, snaplen, capture filter used
- Packet count, avg pps, avg packet size, data byte totals
- The capture/file comments
๐ The SHA256 here is your chain-of-custody anchor. Record it before analysis; anyone can re-verify the evidence file is unaltered.
The Statistics menu is where triage gets fast. Master these five.
Statistics โ Protocol Hierarchy โ a tree of every protocol in the capture with % of packets and bytes. Your 10-second "what is even in this file?" view.
๐ Hunt use: unexpected protocols jump out โ why is there IRC, TFTP, or a big slice of unknown TCP on a corporate LAN? A large "Data" or non-standard-port TCP percentage often = tunneled/covert traffic. Right-click any row โ Apply as Filter to drill in.
Statistics โ Conversations โ every pair that talked, tabbed by layer (Ethernet / IPv4 / IPv6 / TCP / UDP), with packets, bytes, duration, and bytes AโB vs BโA. Sort by bytes to find the top talkers instantly.
๐ The exfiltration finder: sort the TCP/IPv4 tab by Bytes BโA (or the direction leaving your network). A workstation that sent hundreds of MB outbound to one external IP is your exfil candidate. Right-click the row โ Apply as Filter โ Selected โ AโB to isolate it. Columns also show Duration โ a long-lived, low-volume conversation can be a C2 channel.
Statistics โ Endpoints โ per-host totals (not pairs). The IPv4 tab can add GeoIP country/city/ASN columns if you've loaded MaxMind databases (Preferences โ Name Resolution โ GeoIP). Sort by packets/bytes to rank hosts; map view shows geographic spread.
๐ GeoIP turns Endpoints into a quick "are we talking to countries we have no business talking to?" check โ a fast IR signal.
Statistics โ I/O Graph โ throughput over time. Add multiple lines, each driven by a display filter, and choose the Y-axis unit (packets/s, bytes/s, bits/s, or an aggregate like MAX/AVG of a field).
Line 1: all traffic (bits/s) โ overall load
Line 2: tcp.analysis.retransmission (pkts/s) โ do retransmits spike with load?
Line 3: tcp.flags.syn==1 (pkts/s) โ SYN flood / scan bursts
Line 4: dns (pkts/s) โ DNS volume anomalies
๐ Reading it: overlaying "throughput" with "retransmissions" shows if loss rises under load (congestion). A flat, evenly-spaced sawtooth of small outbound packets = beaconing. A wall of SYNs = scan or SYN flood. You can click a point on the graph to jump to that packet.
- Statistics โ DNS, HTTP, Statistics โ Flow Graph (sequence diagram of a conversation โ beautiful for explaining a handshake/teardown), Statistics โ TCP Stream Graphs (see ยง28), Statistics โ Service Response Time (per-protocol latency).
Right-click a packet โ Follow โ TCP Stream (also HTTP, TLS, UDP, HTTP/2, QUIC). Wireshark:
- Reassembles the whole conversation's payload into a readable window (client text in one color, server in another).
- Auto-applies the filter
tcp.stream == Nso the Packet List now shows only that flow.
Use it to read an entire HTTP exchange, an FTP session, an SMTP email, or a cleartext protocol end-to-end. The dropdown lets you show ASCII, Hex Dump, C arrays, Raw, or one direction only.
๐ DFIR gold: Follow TCP Stream on a suspicious flow reveals cleartext credentials (FTP/Telnet/HTTP Basic), HTTP beacon bodies, exfiltrated data, and C2 commands in one pane. "Show data as Raw" + Save lets you carve the exact bytes out for a malware sandbox.
File โ Export Objects โ HTTP / SMB / TFTP / FTP-DATA / IMF (email)... lists every file/object Wireshark reconstructed from the capture (URL, hostname, content type, size). Select one โ Save, or Save All to dump every transferred file.
๐ This is core network forensics. From a pcap you can recover the actual downloaded malware binary, exfiltrated documents, or served web pages, then hash them and detonate them in a sandbox.
Export Objects โ HTTPon a drive-by capture literally hands you the payload. (For HTTPS you first need the TLS keys โ see ยง29.)
File โ Export Specified Packets (or Export PDU) lets you save a subset โ Displayed (current filter), Marked, Range, or Selected โ to a new file. This is how you carve a clean, minimal evidence file for a report or to hand to another analyst without shipping the whole multi-GB capture.
This is the single largest domain. Learn the header fields, the normal behavior, and โ for each โ the filters and what abuse looks like. Fields you must be able to name on sight are in bold.
The Layer-2 frame that carries everything on a LAN.
โโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโ
โ Dest MAC (6B) โ Src MAC (6B) โ EtherType โ Payload (46โ1500)โ FCS 4B โ
โโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโดโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโ
| Field | Size | Notes |
|---|---|---|
| Destination MAC | 6 bytes | Who the frame is for on this LAN segment |
| Source MAC | 6 bytes | Who sent it (last hop) |
| EtherType | 2 bytes | What's inside: 0x0800 = IPv4, 0x86DD = IPv6, 0x0806 = ARP, 0x8100 = 802.1Q VLAN |
| FCS (CRC) | 4 bytes | Frame check sequence โ usually NOT shown in Wireshark (see below) |
- Minimum frame = 64 bytes (so runts/collisions are detectable); if payload < 46 bytes it's padded. Maximum standard frame = 1518 bytes (1500 MTU payload + 14 header + 4 FCS). Jumbo frames exceed this.
๐ฏ "Describe minimum and maximum frame sizes." - Why the CRC/FCS is missing
๐ฏ: the NIC validates and strips the FCS before handing the frame to the OS/Wireshark. So Wireshark normally never sees it. Frames with a bad FCS are usually dropped by the NIC entirely (unless the adapter is set to pass errors). This is a guaranteed question. - MAC address types
๐ฏ "distinguish Unicast, Broadcast, Multicast":- Broadcast =
ff:ff:ff:ff:ff:ff(all ones) โ everyone on the segment. - Multicast = the least-significant bit of the first octet = 1 (e.g.
01:00:5e:...for IPv4 multicast,33:33:...for IPv6). Filter:eth.dst[0] & 1. - Unicast = that bit = 0 โ one specific NIC.
- The 2nd-least-significant bit of the first octet = the U/L bit; if 1 the MAC is locally administered (e.g. randomized/spoofed) rather than a real burned-in vendor address.
- Broadcast =
- VLAN tags (802.1Q)
๐ฏ "how the frame header is modified for VLAN tags": a 4-byte tag is inserted after Src MAC, EtherType becomes 0x8100, the tag carries the VLAN ID (12 bits, 0โ4095) and priority (PCP), and the original EtherType follows. Filter:vlan/vlan.id == 100.
eth.addr == 00:1a:2b:3c:4d:5e # this MAC as src or dst
eth.dst == ff:ff:ff:ff:ff:ff # broadcasts
eth.dst[0] & 1 # multicast/broadcast (group bit set)
eth.type == 0x0806 # ARP frames
vlan.id == 20 # VLAN 20
eth.src[0:3] == 00:1a:2b # match a vendor OUIAddress Resolution Protocol maps a known IPv4 address โ unknown MAC on the local segment. Pure Layer 2/3 glue; no ARP crosses a router.
- Host needs to send to
10.0.0.9on its subnet but doesn't know its MAC. - ARP Request โ a broadcast (
dst = ff:ff:ff:ff:ff:ff): "Who has 10.0.0.9? Tell 10.0.0.5." - ARP Reply โ a unicast back to the asker: "10.0.0.9 is at aa:bb:cc:dd:ee:ff."
๐ฏ "difference between broadcast ARP and unicast ARP"โ request is broadcast, reply is unicast.
| Type | Filter | Purpose |
|---|---|---|
| Request (op=1) | arp.opcode == 1 |
Ask for a MAC |
| Reply (op=2) | arp.opcode == 2 |
Answer with a MAC |
| Gratuitous ARP | arp.isgratuitous == 1 (or arp.src.proto_ipv4 == arp.dst.proto_ipv4) |
Host announces/updates its own mapping (IP failover, duplicate-IP detection, boot) |
| ARP probe | arp.dst.proto_ipv4 == 0.0.0.0-style sender |
Check if an IP is already in use before claiming it |
arp # all ARP
arp.opcode == 1 # requests
arp.opcode == 2 # replies
arp.src.hw_mac == 00:11:22:33:44:55
arp.dst.proto_ipv4 == 10.0.0.9 # who's asking for this IP
arp.duplicate-address-detected # Wireshark expert: possible ARP spoofing!๐ ARP is a top LAN-attack signal.
arp.duplicate-address-detectedand a flood of gratuitous ARPs claiming the gateway's IP with a new MAC = ARP spoofing / MITM (someone poisoning caches to intercept traffic). A burst of ARP requests sweeping every host in a subnet = reconnaissance/scanning.๐ฏ Domain 6: "identify communication issues using ARP"โ also, if a host ARPs for an IP and gets no reply, that host is down or off-subnet โ a fast way to spot dead gateways.
The Layer-3 packet that gets data across networks.
0 4 8 16 31
โโโโโโฌโโโโโฌโโโโโโโโโฌโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โVer โIHL โ DSCP โTotal Lengthโ Identification โFlagsโFragOffโ
โโโโโโดโโโโโดโโโโโโโโโดโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ TTL โ Protocol โ Header Checksum โ Source IP Address โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Destination IP Address โ Options (if IHL>5) โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
| Field | Filter | Meaning / exam point |
|---|---|---|
| Version | ip.version |
4 |
| Total Length | ip.len |
Whole packet (header+data) in bytes |
| Identification (IP ID) | ip.id |
Unique-ish per packet; ties fragments together; strategies vary by OS (incrementing, random) โ useful to fingerprint a sender or spot a spoofer/NAT ๐ฏ "IP identification strategies" |
| Flags | ip.flags |
DF (Don't Fragment), MF (More Fragments) |
| Fragment Offset | ip.frag_offset |
Where this fragment sits in the original ๐ฏ |
| TTL | ip.ttl |
Decremented each router; hits 0 โ router drops & sends ICMP Time Exceeded |
| Protocol | ip.proto |
1 = ICMP, 6 = TCP, 17 = UDP (memorize) |
| Header Checksum | ip.checksum |
Covers header only |
| Src / Dst IP | ip.src / ip.dst |
End-to-end identity |
| Range | Type | Notes |
|---|---|---|
10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 |
Private (RFC1918) | Not routable on the internet โ NAT'd |
169.254.0.0/16 |
APIPA / link-local | Auto-assigned when DHCP fails โ a red flag! |
224.0.0.0/4 (224โ239) |
Multicast | One-to-many |
127.0.0.0/8 |
Loopback | localhost |
| everything else | Public | Internet-routable |
๐ก APIPA (169.254.x.x) in a capture = the host couldn't reach a DHCP server. That's a direct troubleshooting clue (ยง26, Domain 6).
Common initial TTLs: Windows = 128, Linux/macOS = 64, routers/Cisco = 255. Observed TTL subtracted from the nearest higher default = hops traversed. Arriving TTL 117 from a Windows host โ 128 โ 117 = 11 hops away.
NAT rewrites private source IP:port โ the router's public IP:port on the way out (and reverses inbound). Implications for you:
- Capture location changes what you see: inside the NAT you see real private IPs; outside, every internal host looks like one public IP โ you lose per-host visibility. Capture inside to attribute traffic to a specific workstation.
- Many hosts behind one IP complicates attribution in IR โ correlate with NAT/firewall logs.
If a packet exceeds the path MTU and DF isn't set, routers split it: same IP ID, MF=1 on all but the last, increasing Fragment Offset. Wireshark reassembles and shows [Reassembled in frame N]. Filter fragments: ip.flags.mf == 1 || ip.frag_offset > 0.
๐ Unusual heavy fragmentation, tiny fragments, or overlapping offsets can be IDS/firewall evasion or a crafted-packet attack.
ip.addr == 8.8.8.8
ip.src == 10.0.0.0/8 && ip.dst != 10.0.0.0/8 # internal โ external (egress)
ip.ttl < 64 # already traversed routers
ip.flags.df == 1 # Don't Fragment set
ip.addr == 169.254.0.0/16 # APIPA โ DHCP failure
ip.proto == 6 # TCPICMP is IP's diagnostic/error courier (ip.proto == 1). No ports.
| Type/Code | Name | Meaning |
|---|---|---|
| 8 / 0 | Echo Request / Reply | ping โ reachability & RTT |
| 3 | Destination Unreachable | code 0 net, 1 host, 3 port unreachable, 4 frag needed+DF (PMTU black hole!), 13 admin filtered (firewall) |
| 5 | Redirect | Router says "use a better gateway" |
| 11 | Time Exceeded | TTL hit 0 (this powers traceroute) |
| 4 | Source Quench | (deprecated) congestion |
An ICMP error message (types 3, 5, 11) embeds the IP header + first 8 bytes of the original offending packet in its payload. Expand the ICMP packet in Wireshark and you'll see the original IP/TCP/UDP header nested inside โ that tells you which flow caused the error (e.g. which UDP packet got "port unreachable"). This is frequently tested.
icmp # all ICMP
icmp.type == 8 # echo requests (pings out)
icmp.type == 0 # echo replies
icmp.type == 3 && icmp.code == 3 # port unreachable (service down/closed UDP)
icmp.type == 3 && icmp.code == 4 # fragmentation needed (PMTU issues)
icmp.type == 11 # TTL exceeded (traceroute / routing loop)๐ SOC/IR angle: big ICMP Echo packets or a steady ping stream with data payloads can be an ICMP tunnel/covert channel or exfil (normal pings are tiny & uniform โ check
data.len). A flood of Type 3 Code 3 from one host = a UDP port scan hitting closed ports. Type 11 everywhere = a routing loop. Type 3 Code 4 black-holing = broken Path MTU Discovery (a real "some sites hang" bug).
| Type | Prefix | Notes |
|---|---|---|
| Link-Local | fe80::/10 |
Auto-configured, never routed off-link; used for neighbor discovery |
| Global Unicast | 2000::/3 (e.g. 2001:...) |
Internet-routable, like a public IPv4 |
| Unique Local | fc00::/7 (usually fd00::/8) |
Private, like RFC1918 |
| Multicast | ff00::/8 |
e.g. ff02::1 all-nodes, ff02::2 all-routers |
| Loopback | ::1 |
localhost |
IPv6 has no broadcast โ it uses multicast instead. No IP-header checksum, no fragmentation by routers (host-only via extension headers).
ICMPv6 does far more than ICMPv4 โ it replaces ARP and handles autoconfiguration via NDP (Neighbor Discovery Protocol):
| Message | Type | Replaces / does |
|---|---|---|
| Neighbor Solicitation (NS) | 135 | "Who has this IPv6?" (= ARP request) |
| Neighbor Advertisement (NA) | 136 | "I have it, here's my MAC" (= ARP reply) |
| Router Solicitation (RS) | 133 | "Are there routers?" |
| Router Advertisement (RA) | 134 | Router announces prefix/gateway (SLAAC autoconfig) |
icmpv6.type == 135 # Neighbor Solicitation
icmpv6.type == 136 # Neighbor Advertisement
icmpv6.type == 134 # Router Advertisement๐ Rogue RA attack: a malicious host sending Router Advertisements (type 134) can hijack IPv6 default routing (MITM) โ a real threat even on "IPv4-only" networks that left IPv6 enabled. Hunt for RAs from unexpected MACs.
Connectionless, no handshake, no reliability, tiny 8-byte header.
โโโโโโโโโโโโโโฌโโโโโโโโโโโโโฌโโโโโโโโโโโโโฌโโโโโโโโโโโโโ
โ Src Port โ Dst Port โ Length โ Checksum โ
โโโโโโโโโโโโโโดโโโโโโโโโโโโโดโโโโโโโโโโโโโดโโโโโโโโโโโโโ
| Field | Filter |
|---|---|
| Source Port | udp.srcport |
| Dest Port | udp.dstport |
| Length | udp.length |
| Checksum | udp.checksum |
- Higher-layer protocols on UDP: DNS(53), DHCP(67/68), TFTP(69), SNMP(161), NTP(123), Syslog(514), RTP/VoIP, QUIC(443).
๐ฏ "identify higher layer protocols which use UDP" - Why UDP for multicast/broadcast
๐ฏ: TCP is strictly point-to-point (a handshake needs one specific peer). Broadcast/multicast is one-to-many, so it must be connectionless โ UDP. That's why streaming, discovery (mDNS, SSDP), and routing multicasts use UDP. - UDP "stream id" & conversation timestamps
๐ฏ: Wireshark assignsudp.streamindexes and, with conversation timestamps enabled,udp.time_deltaโ you can Follow UDP Stream and measure per-flow timing just like TCP (useful for DNS/VoIP analysis).
udp.port == 53 # DNS
udp.stream == 3 # a specific UDP conversation
udp.length > 512 # oversized UDP (EDNS, tunneling, amplification)๐ UDP is the backbone of amplification DDoS (DNS, NTP, memcached, SSDP): tiny spoofed request โ huge reply to the victim. Spot it as many large UDP responses to one dst from many servers on ports 53/123/1900.
How hosts get an IP. Runs on UDP: client 68 โ server 67. Filter: dhcp (older Wireshark: bootp).
| Step | Message | Direction | Meaning |
|---|---|---|---|
| D | Discover | client โ broadcast | "Any DHCP servers out there?" |
| O | Offer | server โ client | "You can have 10.0.0.55" |
| R | Request | client โ broadcast | "I'll take that one" (broadcast so other servers know) |
| A | ACK | server โ client | "Confirmed, here's your lease + options" |
dhcp.option.dhcp == 1 # Discover
dhcp.option.dhcp == 2 # Offer
dhcp.option.dhcp == 3 # Request
dhcp.option.dhcp == 5 # ACK
dhcp.option.dhcp == 6 # NAK- In DORA โ accepting an offered address (broadcast).
- Lease renewal โ an already-configured host unicasts a Request directly to its server to extend the lease (no Discover/Offer needed). Same message type, different context โ a classic exam distinction.
| Option | Name | Filter |
|---|---|---|
| 1 | Subnet Mask | dhcp.option.subnet_mask |
| 3 | Router (gateway) | dhcp.option.router |
| 6 | DNS Server(s) | dhcp.option.domain_name_server |
| 51 | Lease Time | dhcp.option.ip_address_lease_time |
| 53 | Message Type | dhcp.option.dhcp |
| 50 | Requested IP | dhcp.option.requested_ip_address |
| 12 | Hostname | dhcp.option.hostname |
If Discover gets no Offer (server down, VLAN/relay misconfig, exhausted pool), the client falls back to APIPA 169.254.x.x and has no gateway/DNS โ "connected but no internet." Seeing DHCP Discovers with no Offers plus APIPA addresses is the textbook diagnosis. ๐ฏ Domain 6
๐ DFIR value of DHCP: Option 12 (hostname) and the client MAC in DHCP packets let you map IP โ hostname โ MAC โ vendor at a point in time โ essential for attributing an IP to a physical device during an incident. A rogue DHCP server (unexpected host sending Offers) is an attack that can redirect DNS/gateway for MITM โ hunt
dhcp.option.dhcp == 2from any non-authorized server.
Name โ IP resolution. Mostly UDP 53 (TCP 53 for zone transfers & large/>512B responses). Filter: dns.
dns.flags.response == 0= query;== 1= response.- Match a query to its reply by Transaction ID (
dns.id) โ Wireshark links them and shows[Time: ...](the DNS response time โ a latency signal).
| Type | # | Meaning |
|---|---|---|
| A | 1 | name โ IPv4 |
| AAAA | 28 | name โ IPv6 |
| CNAME | 5 | alias โ canonical name |
| MX | 15 | mail server |
| NS | 2 | authoritative name server |
| PTR | 12 | IP โ name (reverse) |
| TXT | 16 | arbitrary text (SPF/DKIMโฆ and tunneling/exfil) |
| SOA | 6 | zone authority |
| SRV | 33 | service location (AD uses heavily) |
dns.flags.response == 0 # queries only
dns.qry.name == "example.com"
dns.qry.type == 1 # A queries
dns.qry.type == 16 # TXT (watch for abuse)
dns.flags.rcode == 3 # NXDOMAIN (name doesn't exist)
dns.qry.name contains "dropbox" # find traffic to a service
dns.time > 0.5 # slow DNS responses (>500ms)๐ DNS is a hunter's goldmine (covered deeply in ยง34):
NXDOMAINstorms (dns.flags.rcode == 3) โ malware DGA cycling through random domains looking for its live C2.- Long/hex/base32 labels in
dns.qry.name+ heavy TXT โ DNS tunneling / exfiltration.- DNS with no matching process / to a non-corporate resolver โ possible C2 or policy evasion.
- DNS is often your only record of what domain an IP belonged to at incident time โ capture it, keep it.
TCP alone is 17% of the exam and graded on its own. Plus most of Domain 6 (troubleshooting, 20%) is TCP analysis. Realistically ~a third of your score lives here. Master it.
0 16 31
โโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโ
โ Source Port โ Destination Port โ
โโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโค
โ Sequence Number โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Acknowledgment Number โ
โโโโโโฌโโโโโโฌโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโค
โOff โ Rsv โ Flags โ Window Size โ
โโโโโโดโโโโโโดโโโโโโโโผโโโโโโโโโโโโโโโโโโโโค
โ Checksum โ Urgent Pointer โ
โโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโค
โ Options (MSS, SACK, WS, ...) โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
| Flag | Filter | Purpose |
|---|---|---|
| SYN | tcp.flags.syn == 1 |
Synchronize โ open a connection, exchange initial seq numbers |
| ACK | tcp.flags.ack == 1 |
Acknowledge received data |
| FIN | tcp.flags.fin == 1 |
Graceful close โ "I'm done sending" |
| RST | tcp.flags.reset == 1 |
Abrupt reset โ kill the connection now |
| PSH | tcp.flags.push == 1 |
Push buffered data to the app immediately |
| URG | tcp.flags.urg == 1 |
Urgent pointer valid (rare) |
Client Server
โโโโโโ SYN (seq=0) โโโโโโโโโโโโโโโโโโโโถโ "let's talk; my ISN=X"
โโโโโโ SYN, ACK (seq=0, ack=1) โโโโโโโโโโโ "ok; my ISN=Y, I got your SYN"
โโโโโโ ACK (seq=1, ack=1) โโโโโโโโโโโโโโถโ "great, connected"
โโ connection ESTABLISHED โโ
- Each side picks a random Initial Sequence Number (ISN). The SYN and FIN flags each consume one sequence number (that's why the ACK is ISN+1 even though no data was sent).
- Filter for all connection attempts:
tcp.flags.syn == 1 && tcp.flags.ack == 0.
Wireshark measures iRTT as the time between the SYN and the ACK that completes the handshake (SYN โ SYN/ACK โ final ACK). It appears as [iRTT] in the SYN packet's TCP tree (in brackets = Wireshark-generated). Because it's captured before any application delay, iRTT is your clean baseline for network latency on that path. Column/filter: tcp.analysis.initial_rtt.
๐ก High iRTT (say 150 ms) tells you the network path itself is slow before the app even responds โ it separates network latency from server slowness (huge for Domain 6).
- MSS = the largest TCP payload (data only) per segment, advertised in a SYN option by each side.
- Classic math: standard Ethernet MTU 1500 โ 20 (IP header) โ 20 (TCP header) = MSS 1460 bytes. Memorize this. (With TCP options/tunnels the effective MSS is smaller โ e.g. VPNs.)
- Each side can advertise a different MSS; the sender must respect the receiver's advertised MSS. Filter:
tcp.options.mss_val == 1460.
- Sequence number = byte offset of the first data byte in this segment within the stream.
- Acknowledgment number = the next byte the receiver expects (i.e., "I have everything up to ackโ1"). ACKs are cumulative.
- Reliability loop: sender numbers every byte; receiver ACKs the next expected byte; missing bytes โ the ACK number stops advancing โ sender retransmits.
- Relative sequence numbers (Wireshark default) restart each stream at 0 so they're readable; toggle off in TCP preferences to see the real ISN-based values.
๐ฏ
- Graceful (4-way / FIN): each side sends FIN, the other ACKs it โ
FIN,ACKร2. Sometimes seen as 3 packets when a side piggybacks FIN+ACK. - Abrupt (RST): one side sends RST โ connection dies immediately, no cleanup. Common when a port is closed, an app crashes, a firewall kills a flow, or a load balancer trims idle connections.
tcp.flags.fin == 1 # graceful closes
tcp.flags.reset == 1 # resets (investigate these!)TCP Options ๐ฏ "explain TCP options and their purpose (EOL, NOP, MSS, SACK, DSACK, Window Scaling)"
| Option | Purpose |
|---|---|
| MSS | Advertise max segment size (SYN only) |
| Window Scaling (WS) | Multiplier that lets the 16-bit window exceed 65,535 bytes โ essential for high-bandwidth/high-latency (BDP) links. Negotiated in SYN; if one side doesn't support it, no scaling for the whole connection |
| SACK (Selective ACK) | Lets a receiver say "I got bytes 1โ1000 and 2001โ3000 but not 1001โ2000" so the sender resends only the gap, not everything after it |
| DSACK (Duplicate SACK) | Reports that a duplicate segment arrived (helps distinguish real loss from spurious retransmits) |
| NOP | No-op padding to align options on 4-byte boundaries |
| EOL | End of options list |
| Timestamps (TSval/TSecr) | Better RTT measurement & PAWS |
- The Window Size field = how many more bytes the receiver can buffer right now. It's the receiver throttling the sender (flow control).
- Wireshark shows
[Calculated window size]= raw field ร the negotiated window scale factor (brackets = generated). - Zero Window (
tcp.analysis.zero_window): receiver says "stop, my buffer is full" โ transfer stalls until it sends a Window Update. A frequent cause of "the network is slow" that's actually a slow/overloaded receiving application not draining its socket. - Low window + high RTT = throughput killer
๐ฏ Domain 6: max throughput โ Window / RTT (Bandwidth-Delay Product). A small window over a long-latency path caps speed no matter how fast the link โ you'll see the sender constantly waiting for ACKs.
These are Wireshark-generated flags (brackets in the tree), your bread and butter for Domain 6:
tcp.analysis.flags # EVERYTHING flagged below, at once
tcp.analysis.retransmission # sender resent (loss suspected)
tcp.analysis.fast_retransmission # resent after 3 dup ACKs (didn't wait for timeout)
tcp.analysis.duplicate_ack # receiver re-ACKing โ it's missing a segment
tcp.analysis.dup_ack_num # the Nth dup ACK
tcp.analysis.lost_segment # Wireshark saw a gap (a segment never captured)
tcp.analysis.out_of_order # segments arrived out of sequence
tcp.analysis.zero_window # receiver buffer full โ stall
tcp.analysis.window_full # sender has filled the receiver's window
tcp.analysis.window_update # receiver re-opened its window
tcp.analysis.keep_alive # idle-connection keepalive
tcp.analysis.ack_rtt # time from segment to its ACK (latency!)๐ฏ "Describe the purpose of a DUP ACK" and "Identify the byte range of missing segments based on a DUP ACK with SACK or DSACK." This is one of the hardest exam skills โ here's how.
- A duplicate ACK is the receiver repeating "I still only have up to byte N" โ it keeps re-ACKing the same number because a segment is missing and everything after it is arriving out of order. 3 dup ACKs trigger the sender's fast retransmit.
- With SACK enabled, each dup ACK also carries SACK blocks โ the ranges the receiver did receive beyond the gap. The hole between the ACK number and the first SACK-left-edge is the missing byte range.
Worked example:
ACK number (cumulative) = 5001 โ receiver has bytes up to 5000
SACK block Left Edge = 6001
SACK block Right Edge = 7001 โ receiver also has 6001โ7000
โด MISSING segment = bytes 5001 โ 6000 (the gap between 5001 and 6001)
The sender only needs to resend 5001โ6000, not everything from 5001 onward โ that's SACK's whole point. Filters: tcp.options.sack_le / tcp.options.sack_re.
- Retransmission after RTO timeout, or Fast Retransmission after 3 dup ACKs โ both mean the sender believes data was lost.
- Where you capture matters: retransmits seen near the sender but the originals reaching the receiver fine = the ACKs are being lost on the return path, or you're upstream of the loss. Multi-point capture (ยง5) pins down where loss happens.
Statistics โ TCP Stream Graphs:
| Graph | X / Y | Read it for |
|---|---|---|
| Time / Sequence (Stevens) | time / seq number | A smooth climbing line = healthy throughput; flat spots = stalls; step-backs = retransmits |
| Time / Sequence (tcptrace) | adds ACK line & window | Gap between data and the window line closing in = flow-control limited |
| Throughput | time / bytes-per-interval | Where speed dips |
| Round Trip Time | seq / RTT | Latency spikes per segment |
| Window Scaling | time / window size | Watch the receive window shrink toward zero (zero-window stalls) |
๐ก On a Stevens graph, a staircase that flattens then jumps is classic loss+recovery; a line that can't climb because the window ceiling (tcptrace) sits right on top of it is a window-limited transfer, not a loss problem โ different fix entirely.
- TCP reassembly (
Allow subdissector to reassemblepreference): Wireshark stitches segments so the app layer (HTTP/TLS) is shown decoded against the final segment. Turn it off to inspect raw per-segment bytes.๐ฏ "describe the purpose of TCP reassembly." tcp.stream= Wireshark's per-connection index (generated).tcp.stream == 4isolates one whole conversation โ the single most useful TCP filter for triage.๐ฏ "describe the TCP stream id."- Conversation timestamps (
tcp.time_relative,tcp.time_delta) = time since the stream's first packet / since the previous packet in this stream. Enable in TCP preferences; add as columns to measure per-flow timing and beacon intervals.๐ฏ
๐ TCP for security:
- Port scans: many SYNs to many ports, replies are SYN/ACK (open) or RST/ACK (closed).
tcp.flags.syn==1 && tcp.flags.ack==0+ Conversations reveals a scanner instantly.- RST storms: bursts of
tcp.flags.reset==1= blocked/killed connections (firewall, IPS, or a service refusing) โ or a RST-injection attack.- C2 over TCP: long-lived, low-and-slow conversations on odd ports; use Conversations (duration) + ฮtime for beaconing.
- Failed handshakes: SYNs with no SYN/ACK = host down, port filtered, or connectivity broken (Domain 6).
Runs on TCP 80 (and any port โ use Decode As). Filter: http.
http.request # all requests
http.request.method == "GET"
http.request.method == "POST" # uploads / form data / API calls / exfil
http.response.code == 200 # OK
http.response.code >= 400 # client/server errors
http.host == "example.com"
http.user_agent contains "python-requests" # non-browser client
http.request.uri contains "/admin"Key headers to read: Host (which site), User-Agent (which client โ mismatches reveal bots/malware), Referer, Set-Cookie, Content-Type, Server. Follow โ HTTP Stream reads the whole exchange; Export Objects โ HTTP pulls the transferred files.
Server slowness vs. network slowness ๐ฏ Domain 6 โ "distinguish server performance from slow transfer times"
This is a flagship exam/real-world skill. In an HTTP GET:
Client โโ GET /page โโโถ Server
(โฑ time server takes to respond = SERVER think time)
Client โโโ 200 OK โโโโโ Server
http.time= time from the request to the full response โ includes both server processing and transfer.- Compare against iRTT (ยง28) and
tcp.analysis.ack_rtt:- Big gap before the server's first response byte, but ACKs are fast โ server is slow (app/DB think time), network is fine.
- First byte comes quickly but the transfer drags with retransmissions / zero-windows โ network or client problem, server is fine.
- High RTT hurts request/response protocols most
๐ฏ: HTTP, SMB, SQL do many small round trips; each one pays the RTT. On a 200 ms-RTT link, 50 sequential round-trips = 10 s of pure waiting regardless of bandwidth. This is why "the app is slow over the WAN but fine on LAN." Low window + high RTT compounds it (BDP throughput cap, ยง28).
Filter: tls. You can see the handshake even though content is encrypted:
tls.handshake.type == 1 # ClientHello โ contains SNI (server name!)
tls.handshake.type == 2 # ServerHello
tls.handshake.type == 11 # Certificate
tls.handshake.extensions_server_name == "example.com" # SNI = which site
tls.record.version- SNI (
tls.handshake.extensions_server_name) in the ClientHello reveals which domain the client is contacting even though the payload is encrypted โ a critical hunting field. - The certificate (handshake type 11) shows the server's cert subject/issuer โ self-signed or weird certs on odd ports are a C2 signal.
- Decrypting TLS: if you control an endpoint, set the env var
SSLKEYLOGFILEbefore launching the browser/app; point Wireshark to that keylog file (Preferences โ Protocols โ TLS โ (Pre)-Master-Secret log filename). Wireshark then decrypts the session and Export Objects / Follow HTTP Stream work on the plaintext. (Server RSA private keys also work for non-PFS ciphers, but modern ECDHE requires the keylog.)
๐ JA3/JA3S fingerprints (derived from ClientHello/ServerHello fields) identify specific TLS clients โ many malware families have known JA3 hashes even though the traffic is encrypted. Wireshark exposes the raw fields; NDR tools compute the hash.
- Scope it โ Statistics โ Conversations/Endpoints: who's involved, how much, how long.
- Isolate the flow โ Follow Stream /
tcp.stream == N. - Check the handshake โ present? iRTT high? SYNs with no SYN/ACK?
- Run the expert โ
tcp.analysis.flags; look for retransmits, dup ACKs, zero windows, resets. - Separate the layers โ network latency (iRTT, ack_rtt) vs app latency (http.time, gaps before response) vs flow control (window).
- Confirm root cause & prove it โ annotate packets, export the minimal evidence.
| Symptom in capture | Likely cause | Confirm with |
|---|---|---|
| SYN, SYN, SYN (no SYN/ACK) | Host down / port filtered / firewall drop | tcp.flags.syn==1 && tcp.flags.ack==0; check for ICMP type 3 |
| SYN โ RST/ACK | Port closed / service not listening | tcp.flags.reset==1 |
| Many retransmissions + dup ACKs | Packet loss on the path | tcp.analysis.retransmission, I/O graph vs load |
| Zero-window / window-full | Receiver app not reading its socket | tcp.analysis.zero_window; TCP window graph |
| Fast first byte, slow big transfer | Loss/congestion or small windowรRTT | Stevens stream graph flat spots |
| Slow first byte, fast transfer | Server/app think time | Gap before response; iRTT is low |
| Everything slow only over WAN | High RTT ร chatty protocol / small window | iRTT, throughput = window/RTT |
| APIPA 169.254 addresses | DHCP failure | ip.addr==169.254.0.0/16, DHCP Discovers w/ no Offer |
| Duplicate-IP / gratuitous ARP flood | IP conflict or ARP spoofing | arp.duplicate-address-detected |
| ICMP type 3 code 4 black hole | Broken Path MTU Discovery | icmp.type==3 && icmp.code==4 |
๐ฏ Domain 6 also lists: "determine network topology only using information in a packet capture" โ combine MACโIP mappings (ยง2), TTL hop counts (ยง22), gateway MAC identification, DHCP option-3 gateways, and ARP tables to sketch the LAN. And "identify potential issues using ARP, DHCP, and ICMP" โ the three "infrastructure health" protocols above.
Analyze โ Expert Information (or the colored dot, bottom-left of the status bar) aggregates every issue Wireshark noticed, grouped by severity:
| Severity | Color | Examples |
|---|---|---|
| Error | red | Malformed packets, checksum errors, dissector failures |
| Warning | yellow | Retransmissions, zero window, out-of-order, connection resets |
| Note | cyan | Dup ACKs, keep-alives, fast retransmits, window updates |
| Chat | blue/grey | Connection setup (SYN), FIN, window changes |
Click any group โ expand โ click a specific item โ jumps to that packet. It's a prioritized worklist for a capture: start at Errors/Warnings.
๐ก The status-bar dot shows the highest severity present โ a red dot means at least one error is lurking. Double-click it to open the Expert window. For troubleshooting, this +
tcp.analysis.flagsis the fastest path from "here's a capture" to "here's the problem."
Everything so far taught you normal. This part turns that into detection. The same skills that pass WCA-101 are exactly what you use to hunt an intrusion in a pcap โ you're just looking for deviations from the baselines above. Nothing here is offensive tooling; it's all defensive analysis of traffic you're authorized to inspect.
- Statistics โ Capture File Properties โ record SHA256, time range, size (evidence integrity + scope).
- Statistics โ Protocol Hierarchy โ what protocols exist? Anything weird (IRC, TFTP, unknown TCP, lots of "Data")?
- Statistics โ Conversations (sort by bytes, and by duration) โ top talkers + long-lived low-volume flows.
- Statistics โ Endpoints (+ GeoIP) โ talking to unexpected countries/ASNs?
- DNS overview โ
dns.flags.response==0โ what names are being resolved? Any DGA/tunneling smell?
# --- Reconnaissance / scanning ---
tcp.flags.syn==1 && tcp.flags.ack==0 # connection attempts (port scan source)
tcp.flags.reset==1 # closed-port/blocked responses (scan target)
icmp.type==8 # ping sweep
arp.opcode==1 # ARP scan of a subnet
# --- Suspicious egress ---
ip.src==10.0.0.0/8 && ip.dst!=10.0.0.0/8 && tcp.flags.syn==1 # internalโexternal new conns
tcp.port in {4444 1337 3333 8443 9001 6666 6667} # common C2/backdoor/IRC ports
!( tcp.port in {80 443 53 25 123 22} ) && ip.dst!=10.0.0.0/8 # unusual outbound ports
# --- Cleartext exposure ---
http.authorization # HTTP Basic creds
ftp.request.command in {"USER","PASS"} # FTP creds
telnet # telnet is all cleartext
frame contains "password" # brute string search
# --- Odd clients ---
http.user_agent contains "curl" || http.user_agent contains "python" || http.user_agent contains "powershell"
tls.handshake.extensions_server_name matches "(?i)\\.(top|xyz|tk|ru|cn)$"| Attacker behavior | pcap signature |
|---|---|
| Recon / scanning | SYN sprays, ICMP echo sweeps, ARP sweeps, RST/ACK replies |
| Initial access (drive-by/download) | HTTP GET of an .exe/.dll/.js, odd User-Agent; Export Objects โ HTTP recovers it |
| C2 / beaconing | Regular-interval small flows, long-lived low-volume conversations, self-signed TLS on odd ports (ยง33) |
| Lateral movement | East-west SMB (smb2), RDP (3389), WMI/DCOM (135 + high ports), PsExec named pipes, Kerberos anomalies |
| Credential access | Cleartext creds, LLMNR/NBT-NS poisoning traffic (llmnr, nbns), Kerberoasting (many TGS requests) |
| Exfiltration | Large outbound to one external IP, DNS/ICMP tunneling, HTTP POST of big bodies (ยง34) |
Beaconing = malware "phoning home" on a schedule to fetch commands. It's periodic and usually low-volume โ the opposite of bursty human browsing.
- Statistics โ Conversations โ sort by Duration and look for flows that live for the whole capture but move little data.
- Isolate the suspect flow (
ip.dst == <suspect>ortcp.stream == N). - Add a
frame.time_delta_displayedcolumn (or set time format to Seconds Since Previous Displayed Packet). - Look for regular intervals โ e.g. a connection every 60.0 s ยฑ small jitter. Human traffic is irregular; a metronome is automation.
- I/O Graph the flow (packets/s) โ beacons show an evenly spaced comb of spikes.
- Tiny, uniform request sizes with occasional larger responses (command pull vs. task delivery).
- TLS with a self-signed or mismatched certificate, or no SNI, on a non-standard port (
tls && tcp.port != 443). - HTTP beacons: repetitive GET/POST to the same URI, unusual User-Agent, checkin-looking paths.
- Destination reputation: endpoint IP in an unexpected ASN/country (Endpoints + GeoIP), freshly-registered domain in DNS.
# Isolate + time a suspected beacon
ip.addr == 203.0.113.66 && tcp
# then add column frame.time_delta_displayed and watch the interval๐ก Wireshark shows you the evidence; tools like RITA, Zeek, or your NDR quantify beacon regularity across huge datasets. Use Wireshark to confirm and characterize a beacon your SIEM/NDR flagged, then pull the exact bytes for the malware team.
- Conversations โ sort by bytes leaving your network. One workstation pushing hundreds of MB to a single external IP (especially over HTTPS/FTP/an odd port) is the classic pattern.
- HTTP POST with large bodies to an unusual host:
http.request.method=="POST" && ip.dst!=10.0.0.0/8โ inspectContent-Lengthand Follow Stream. - Off-hours transfers (correlate timestamps), or steady low-and-slow uploads designed to stay under DLP thresholds.
DNS is often allowed straight out, so malware hides data inside DNS. Signatures:
- Very long query names with encoded (hex/base32/base64) subdomains:
dns.qry.namelooks likea3f9c2...e1.tunnel.evil.com, often near the 253-char limit. - High volume of unique subdomains under one parent domain (each query smuggles a chunk of data).
- Heavy use of TXT / NULL / CNAME record types for data return.
- Requests to one domain vastly outnumbering any web/other traffic to it.
dns.qry.name.len > 50 # abnormally long names
dns.qry.type == 16 # TXT (data channel)
dns && frame.len > 300 # oversized DNS
dns.qry.name matches "(?i)[a-f0-9]{16,}" # long hex label (encoded payload)
dns.flags.rcode == 3 # NXDOMAIN storms (DGA hunting)
dns.count.answers == 0 && dns.flags.response==1 # empty answers (tunnel control)Normal pings are small and uniform. Large or variable ICMP Echo payloads carrying data = covert channel: icmp && data.len > 48. Follow the pattern across the conversation and Follow Stream to read the payload.
๐ The mindset: exfil hides in allowed protocols (DNS, HTTPS, ICMP). You detect it by volume, regularity, entropy, and record-type anomalies against the baseline โ exactly the "normal" you learned in Part VI.
When a capture is evidence, process matters as much as analysis.
- Hash first, analyze the copy. Record SHA256 (Statistics โ Capture File Properties, or
capinfos -H file.pcapng) before touching the file. Work on a copy; keep the original read-only. - Document: who captured it, where (capture point/TAP/SPAN), when (UTC), with what tool/version, and why. Wireshark's capture file comment (Statistics โ Capture File Properties) and per-packet comments live inside the pcapng and travel with the evidence.
- Timestamps: set View โ Time Display โ UTC Date and Time of Day for reports so times are unambiguous and correlate with logs/SIEM.
- Preserve completeness: capture with
dumpcap(no dissection, fewer drops), full snaplen (no truncation), no capture filter if you can afford it โ you can't analyze evidence you filtered away.
- Export Objects (HTTP/SMB/FTP/TFTP/IMF) โ recover the actual malware, exfiltrated files, emails, or served pages. Hash recovered files; submit to sandbox/AV; match to threat intel.
- Follow Stream (Raw) โ carve exact byte ranges (payloads, C2 commands, credentials) into standalone files.
- DNS + TLS SNI + HTTP Host โ rebuild which domains/IPs were contacted and when โ the network narrative.
- DHCP (hostname/MAC) + ARP โ attribute an IP to a specific device at incident time.
- File โ Export Specified Packets (Displayed/Marked/Range) โ produce a minimal, court-ready subset instead of shipping the whole capture.
A defensible forensic report says: "At 14:03:11 UTC host
WKSTN-07(MAC.., per DHCP option 12) resolvedevil.example(DNS txn 0x4a1b โ 203.0.113.66), opened TCP stream 42 to it, and over 6 minutes POSTed 240 MB (Conversations bytes AโB). The transferred archive was recovered via Export Objects (SHA256..). Evidence filecase42.pcapngSHA256.., captured on the egress TAP with dumpcap 4.x." Every claim above is a filter/feature you now know.
A repeatable 10-minute first pass when someone drops a pcap on your desk mid-incident:
1. capinfos / Capture File Properties โ hash, duration, size, capture point
2. Protocol Hierarchy โ what's in here? anything abnormal?
3. Endpoints (+GeoIP) โ unexpected external destinations/countries
4. Conversations, sort by bytes โ top talkers = exfil candidates
Conversations, sort by duration โ long low-volume = C2 candidates
5. DNS queries (dns.flags.response==0) โ DGA / tunneling / bad domains
6. Expert Information โ errors/resets/retransmits worth noting
7. Isolate suspects (tcp.stream==N) โ Follow Stream, read the exchange
8. Export Objects โ recover payloads, hash them
9. Mark + comment key packets โ annotate the timeline
10. Export Specified Packets (Marked) โ hand a clean evidence subset up the chain
๐ก Bake steps into a profile: pre-made columns (
tcp.stream,dns.qry.name,http.host,frame.time_delta_displayed), coloring rules for C2 ports/cleartext, and a filter-button toolbar of the hunt queries in ยง32. Then triage is click, click, click.
# ADDRESSING
ip.addr == x ip.src == x ip.dst == x
eth.addr == x ipv6.addr == x !(ip.addr == x) # true exclude
# PORTS / PROTO
tcp.port == 443 udp.port == 53 tcp.port in {80 443 8080}
tcp udp icmp arp dns http tls dhcp smb2 ftp
# TCP HEALTH (Domain 6 gold)
tcp.analysis.flags # all issues
tcp.analysis.retransmission tcp.analysis.duplicate_ack
tcp.analysis.zero_window tcp.analysis.lost_segment
tcp.analysis.out_of_order tcp.flags.reset == 1
tcp.flags.syn==1 && tcp.flags.ack==0 # SYN only
tcp.stream == N # isolate one conversation
# OPERATORS
== != > < >= <= && || ! contains matches in [n:m]
# STRINGS / RECON
frame contains "password" http.request.method == "POST"
dns.qry.name contains "evil" tls.handshake.extensions_server_name == "x"host x src host x dst host x net 10.0.0.0/8
port 53 tcp port 443 udp port 53 portrange 1000-2000
ether host x vlan 100 not arp host x and tcp port 443| Thing | Value |
|---|---|
| IP Protocol IDs | ICMP=1, TCP=6, UDP=17 |
| EtherTypes | IPv4=0x0800, IPv6=0x86DD, ARP=0x0806, VLAN=0x8100 |
| Default TTLs | Windows=128, Linux/macOS=64, routers=255 |
| MSS (Ethernet) | 1500 โ 20 โ 20 = 1460 |
| Ethernet frame | min 64, max 1518 bytes (1500 MTU) |
| DHCP ports | client 68 โ server 67 |
| DNS | UDP 53 (TCP 53 for zone transfer / large) |
| Private ranges | 10/8, 172.16/12, 192.168/16 |
| APIPA | 169.254.0.0/16 (DHCP failed) |
| IPv6 link-local / multicast | fe80::/10 / ff00::/8 |
| ICMP echo | request=8, reply=0; TTL exceeded=11; unreachable=3 |
| DORA msg types | Discover=1, Offer=2, Request=3, ACK=5, NAK=6 |
| TCP throughput | โ Window / RTT (BDP) |
| Key | Action |
|---|---|
| Ctrl+F | Find packet |
| Ctrl+M | Mark packet |
| Ctrl+T | Set/unset time reference |
| Ctrl+D | Ignore packet |
| Ctrl+โ / โ | Expand / collapse detail tree |
| Ctrl+. / , | Next / previous packet in conversation |
| Ctrl+G | Go to packet number |
| Ctrl+Shift+N | Next marked packet |
Anything in [ ] โ [SYN, ACK], [iRTT], [Stream index], [Bytes in flight], [Calculated window size], [Reassembled in ...] โ is Wireshark-generated, not bytes on the wire.
| Week | Focus | Do this |
|---|---|---|
| 1 โ Foundations | Packet flow, interface, capture (Domains 1,2,4) | Install; capture your own traffic; add custom columns; build a profile; learn every pane. Read ยง1โ19. |
| 2 โ Filters + L2/L3 | Filters, Ethernet, ARP, IP, ICMP (Domains 3, 5.1โ5.4) | Drill display + BPF filters on sample pcaps; master the ! trap; do TTL hop-counting; recognize ARP/ICMP types. Read ยง9โ24. |
| 3 โ TCP (the 17%) | TCP end-to-end + UDP/DHCP/DNS (5.7โ5.10) | Handshake, teardown, seq/ack, options, window, retransmits, dup-ACK+SACK gap math, stream graphs. Do this until it's automatic. Read ยง25โ28. |
| 4 โ Troubleshoot + Security + Review | Domain 6 + your SOC/IR use | Work the scenario playbook (ยง30); run the IR triage flow on malware-traffic pcaps; take the official $29 practice exam; re-drill weak areas. Read ยง29โ36. |
Daily habit: open a real capture and answer one question ("what's the slowest flow?", "any retransmits?", "what domains were resolved?"). Hands-on beats re-reading.
Two weeks out: you should be able to, from memory, (1) draw the TCP handshake with seq/ack, (2) list ICMP/DHCP/DNS types, (3) compute MSS and hop distance, (4) explain the ! any/all trap, and (5) name what each stream-graph line means.
Practice on real packets โ reading about Wireshark โ using it.
- Wireshark sample captures: wiki.wireshark.org/SampleCaptures โ protocols of every kind.
- Malware-Traffic-Analysis.net โ free, dated exercises with real malware pcaps + questions + answers. The place to build SOC/IR pcap skills.
- PacketLife.net captures and CloudShark samples โ bite-sized protocol examples.
- Capture your own โ the best lab is your own machine: browse, ping,
nslookup, download a file, and watch it happen live. - Official WCA practice exam (~US $29 via Webassessor) โ closest thing to the real questions, with per-item feedback.
- Official objectives PDF โ wireshark.org/certifications โ download the WCA-101 objectives and check off each bullet.
- Endorsed training: Packet Pioneer (Chris Greer), Network Nerd, SCOS, SYN-bit.
โ ๏ธ Avoid "exam dump" sites promising real questions โ they violate exam policy, are often wrong, and won't teach you the hands-on analysis the WCA actually tests. Learn the packets; the questions take care of themselves.
- I can draw the 3-way handshake and label seq/ack numbers.
- I can compute MSS (1460) and hop distance from TTL.
- I can explain why
ip.addr != xfails and!(ip.addr == x)works. - I know Discover/Offer/Request/ACK and the two meanings of a DHCP Request.
- I can find the missing byte range from a dup ACK + SACK block.
- I can tell server slowness from network slowness in an HTTP flow.
- I know what every
[bracketed]field means (generated, not on wire). - I can name ICMP types 0/8/3/11 and ICMPv6 NS/NA/RS/RA.
- I know TAP vs SPAN vs endpoint capture trade-offs.
- I can run Conversations/Endpoints/Protocol Hierarchy/IO Graph and interpret them.
- I can capture with a ring buffer and export specified packets.
- I can find a beacon, spot DNS tunneling, and recover a file with Export Objects.
Released under CC BY 4.0 โ free to share and adapt with attribution.
Wiresharkยฎ is a registered trademark of the Wireshark Foundation. This is an independent study guide, not an official Wireshark Foundation product. Exam facts were current as of mid-2026 โ always confirm details at wireshark.org/certifications before you register.
Now stop reading and go open a capture. ๐ฆ