We covered a complete introduction to Wireshark, the packet analysis tool. We went over the main sections, capturing traffic, packet dissection and analysis, extracting protocol statistics about the captured traffic in addition to dissecting and explaining packet details and navigation. This was part of TryHackMe Wireshark The Basics & TryHackMe Packet Operations which are part of TryHackMe SOC Level 1.

Getting Started with the Wireshark Interface

When I first opened Wireshark, I noticed its intuitive GUI. The toolbar at the top provides quick access to essential functions, such as starting a live packet capture. Below it sits the display filter bar, where I type the queries that sift through mountains of packets. The welcome screen also lists recent files, which is handy for quickly reopening previous captures, and the available capture interfaces, with a capture filter bar above them for limiting what gets recorded in the first place. The status bar at the bottom shows the number of packets captured and displayed and the current profile.

Dissecting and Navigating Packets

The core of Wireshark, I found, lies in its three main panes. The packet list gives me a high-level overview of each captured packet, showing details like source and destination IPs, protocol, and length. What’s really neat is that I can customize these columns to display exactly what I need. Below that, the packet details pane is where the magic happens. Here, I can see a deep, layered breakdown of any selected packet, organized by protocol layer in OSI order, from the Frame section (capture metadata such as arrival time and frame length, which the room maps to the physical layer) all the way up to application-layer protocols like HTTP. And if I want to see the raw data, the packet bytes pane shows me the hexadecimal and ASCII representation of the packet.

I also learned about coloring rules, which Wireshark uses to visually distinguish different types of packets (e.g., ARP, TCP RST). I can even customize these rules, which is super helpful for quickly spotting anomalies. Navigating through packets is straightforward; I can jump to a specific packet number or use the “Find Packet” feature to search by string, hex value, or even regular expressions within the packet details. I also discovered that I can mark packets of interest for later review and even add comments to them, which is great for collaborative analysis.

Extracting Data and Exporting Information

One of the most powerful features I explored was the ability to extract and export data. I can export specified packets into a new .pcap file, which is useful if I want to share a subset of a capture. Even cooler, I can export objects like images, executables, or HTML files directly from protocols like HTTP or SMB (File > Export Objects). This is incredibly useful for incident response or forensic analysis. One caveat: it only works for traffic Wireshark can reassemble in the clear, so HTTP inside TLS yields nothing unless the session keys have been supplied to the TLS dissector.

Understanding Expert Information and Filtering

The Expert Information feature, reached from the coloured dot in the lower-left corner of the status bar (or Analyze > Expert Information), is a fantastic troubleshooting aid. It groups the dissectors’ findings by severity (errors, warnings, notes, chats), helping me quickly pinpoint potential network issues. A warning here is a protocol-level observation such as a retransmission or a checksum problem, not a security verdict, so it is a starting point for investigation rather than an alert.

But the real powerhouse, I realized, is packet filtering using display filters. I can right-click on almost any element in the packet details (like an IP address) and choose “Apply as Filter” to instantly create and apply a filter for that specific entity. I can also create conversation filters to focus on the communication flow between specific endpoints. “Prepare as Filter” is similar, but it just types the filter in the bar without applying it immediately, giving me a chance to refine it. I also learned how to “Apply as Column” to add a specific field (like a source port) to the packet list view. And for deep dives into data exchange, “Follow TCP/UDP/HTTP Stream” is invaluable for seeing the raw client-server communication.
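Under the hood, “Follow TCP Stream” reassembles the payload of each direction by sequence number, discarding retransmitted bytes, which is what makes the client-server exchange readable even when segments were captured out of order. The following is an added example that mirrors that logic; it is not code from the TryHackMe room or from Wireshark, and the segments, addresses, ports and initial sequence numbers are constructed test values.

```python
"""Reassemble a TCP conversation from captured segments, as Follow TCP Stream does.

Added example, not code from the TryHackMe room or from Wireshark. Segments
are constructed by hand (addresses, ports and initial sequence numbers are
arbitrary). Reassembly orders by sequence number, drops retransmitted bytes and
stops at a hole so that data from either side of a gap is never glued together.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str       # "ip:port" of the sender
    dst: str       # "ip:port" of the receiver
    seq: int       # sequence number of the first payload byte
    payload: bytes


def reassemble(segments, src, dst):
    """Contiguous bytes sent from src to dst, starting at the lowest seq seen."""
    direction = sorted((s for s in segments if s.src == src and s.dst == dst),
                       key=lambda s: s.seq)
    if not direction:
        return b""
    expected = direction[0].seq
    out = bytearray()
    for seg in direction:
        end = seg.seq + len(seg.payload)
        if end <= expected:             # pure retransmission: nothing new
            continue
        if seg.seq > expected:          # missing segment: stop here
            break
        out += seg.payload[expected - seg.seq:]   # skip any overlapping prefix
        expected = end
    return bytes(out)


def follow_stream(segments, client, server):
    """Both directions of the conversation, keyed like the Follow window."""
    return {"client->server": reassemble(segments, client, server),
            "server->client": reassemble(segments, server, client)}


CLIENT, SERVER = "10.0.0.5:51234", "93.184.216.34:80"
# Constructed capture: the request arrives out of order with one retransmission.
SEGMENTS = [
    Segment(CLIENT, SERVER, 1000, b"GET /index.html HTTP/1.1\r\n"),   # 26 bytes
    Segment(CLIENT, SERVER, 1045, b"\r\n"),                           # arrives early
    Segment(CLIENT, SERVER, 1026, b"Host: example.com\r\n"),          # 19 bytes
    Segment(CLIENT, SERVER, 1026, b"Host: example.com\r\n"),          # retransmission
    Segment(SERVER, CLIENT, 5000, b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\n"),
    Segment(SERVER, CLIENT, 5038, b"hello"),
]

if __name__ == "__main__":
    for direction, data in follow_stream(SEGMENTS, CLIENT, SERVER).items():
        print(direction, data)
```

Wireshark’s own reassembler additionally copes with sequence-number wraparound, SACK and segments lost in the capture; this version deliberately stops at the first hole, because silently concatenating across a gap is how an analyst ends up reading a file that was never transmitted in that form.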

Statistical Analysis for Network Insights

The “Statistics” menu provides a high-level overview of the entire capture, which I found incredibly insightful. I can view resolved addresses to see IP addresses with their DNS hostnames and MAC addresses with their manufacturers. The protocol hierarchy gives me a tree view of all protocols in the capture, showing packet counts and percentages. I can also see conversations between endpoints, and the endpoints themselves, which provides unique information for single entities, including geographical details if MaxMind GeoIP databases have been configured under the name-resolution preferences (name resolution alone does not add location data). There are also detailed statistics for IPv4/IPv6 and application protocol stats for things like DNS queries and HTTP requests.

Mastering Filter Syntax and Operators

To truly leverage Wireshark, I had to understand its filter syntax. I learned about comparison operators like == (equal) and != (not equal), also written eq and ne, and logical operators such as && or and (AND), || or or (OR), and ! or not (NOT). The video also introduced me to advanced filters like contains (to check for substrings, e.g., http.server contains "Apache"), matches or ~ (for regular expressions, e.g., http.host matches "php|html"), and in (to check if a value is within a set, e.g., tcp.port in {80 443 8080}). One caveat worth knowing: fields such as ip.addr and tcp.port occur twice in a frame (source and destination), and before Wireshark 3.6 a filter like ip.addr != 10.0.0.5 matched any frame where at least one of the two addresses differed, so it did not exclude the host as intended; !(ip.addr == 10.0.0.5) has always done that.
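To make the operator semantics concrete, here is an added example (not code from the TryHackMe room or from Wireshark) that evaluates the operators above over a handful of constructed frames. Each frame is a dict from field name to the list of values the field takes, which is what lets the example show why != on a multi-valued field such as ip.addr behaved unexpectedly before Wireshark 3.6. The frames and their addresses are made up; the function names (eq, any_ne, all_ne and so on) follow the names of the filter operators but are this example’s own.

```python
"""Evaluate Wireshark-style display-filter operators over constructed frames.

Added example: this is not code from the TryHackMe room or from Wireshark.
Each frame is a dict from field name to the LIST of values that field takes in
the frame, because fields such as ip.addr and tcp.port occur twice per frame
(source and destination). That multiplicity is what makes "!=" surprising.
"""
import re

# Constructed frames (nothing here comes from Exercise.pcapng).
PACKETS = [
    {"frame.number": [1], "ip.addr": ["10.0.0.5", "93.184.216.34"],
     "tcp.port": [51234, 80], "http.host": ["example.com"],
     "http.request.uri": ["/index.php"]},
    {"frame.number": [2], "ip.addr": ["93.184.216.34", "10.0.0.5"],
     "tcp.port": [80, 51234], "http.server": ["Apache/2.4.57"]},
    {"frame.number": [3], "ip.addr": ["10.0.0.7", "10.0.0.9"],
     "tcp.port": [40000, 4444]},
    {"frame.number": [4], "ip.addr": ["10.0.0.7", "10.0.0.9"],
     "udp.port": [53000, 53]},
]


def values(pkt, field):
    """All occurrences of a field in a frame ([] when the field is absent)."""
    return pkt.get(field, [])


# "==", "contains", "matches" and "in" succeed when ANY occurrence of the
# field satisfies the test, which is how Wireshark evaluates them.
def eq(field, v):
    return lambda p: v in values(p, field)


def contains(field, substring):
    return lambda p: any(substring in str(x) for x in values(p, field))


def matches(field, regex):
    return lambda p: any(re.search(regex, str(x)) for x in values(p, field))


def in_set(field, allowed):
    return lambda p: any(x in allowed for x in values(p, field))


def present(field):
    """A bare field name as a filter, e.g. "http": true if the field exists."""
    return lambda p: bool(values(p, field))


# "!=" has two readings for multi-valued fields. Before Wireshark 3.6 it meant
# "some occurrence differs" (any_ne), so "ip.addr != 10.0.0.5" still matched a
# 10.0.0.5 <-> 93.184.216.34 frame. Since 3.6 "!=" means "no occurrence is
# equal" (all_ne), the same as "!(ip.addr == 10.0.0.5)" for frames that carry
# the field; the old reading is still available by writing "any_ne".
def any_ne(field, v):
    return lambda p: any(x != v for x in values(p, field))


def all_ne(field, v):
    return lambda p: all(x != v for x in values(p, field))


def AND(*preds):
    return lambda p: all(f(p) for f in preds)


def OR(*preds):
    return lambda p: any(f(p) for f in preds)


def NOT(pred):
    return lambda p: not pred(p)


def apply_filter(pred, packets=PACKETS):
    """Frame numbers left in the packet list after applying the filter."""
    return [p["frame.number"][0] for p in packets if pred(p)]


if __name__ == "__main__":
    print("ip.addr == 10.0.0.5      ->", apply_filter(eq("ip.addr", "10.0.0.5")))
    print("ip.addr != 10.0.0.5 (old) ->", apply_filter(any_ne("ip.addr", "10.0.0.5")))
    print("ip.addr != 10.0.0.5 (3.6+)->", apply_filter(all_ne("ip.addr", "10.0.0.5")))
    print("tcp.port in {80 443 8080} ->", apply_filter(in_set("tcp.port", {80, 443, 8080})))
```

The habit this is meant to build: when a filter on a two-valued field is supposed to exclude something, write it as !(field == value) or check the Wireshark version, and verify the displayed-packet count in the status bar against what you expected.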

Practical Applications and Terminal Commands

The video demonstrated these concepts by tackling questions from TryHackMe rooms, showing me how to find flags in packet comments, identify markup languages, extract TCP payload sizes, and export images and text files from packet data. I even learned how to use expert info to count warnings and apply various display filters for HTTP, TCP ports, and DNS queries. A particularly useful tip was switching Wireshark profiles (e.g., to “Checksum Control”) to identify bad TCP checksums; Wireshark leaves TCP checksum validation off by default, so it has to be enabled in the profile or under the TCP protocol preferences before any “bad checksum” packets show up. One caveat: in a capture taken on the sending host, bad checksums are usually an artefact of checksum offloading to the NIC (the packet is captured before the hardware fills the field in), not corruption on the wire.
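What Wireshark actually checks when it flags a bad TCP checksum is shown in the following added example, which is not code from the TryHackMe room or from Wireshark: it recomputes an IPv4 TCP checksum over the pseudo-header, TCP header and payload for a segment constructed by hand (the addresses, ports and sequence numbers are arbitrary test values), then corrupts one payload bit to produce the same “bad” verdict.

```python
"""Recompute an IPv4 TCP checksum the way Wireshark's TCP dissector validates it.

Added example, not code from the TryHackMe room or from Wireshark. The segment
is constructed by hand; the IP addresses and ports are arbitrary test values.
"""
import struct


def ones_complement_sum(data):
    """RFC 1071 sum: add 16-bit words, fold carries, pad odd lengths with 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip, dst_ip, tcp_length):
    """IPv4 pseudo-header: src, dst, zero byte, protocol 6, TCP length."""
    return (bytes(int(o) for o in src_ip.split(".")) +
            bytes(int(o) for o in dst_ip.split(".")) +
            struct.pack("!BBH", 0, 6, tcp_length))


def tcp_checksum(src_ip, dst_ip, segment):
    """Checksum value for the header field, computed with that field zeroed."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    covered = pseudo_header(src_ip, dst_ip, len(segment)) + zeroed
    return ~ones_complement_sum(covered) & 0xFFFF


def checksum_status(src_ip, dst_ip, segment):
    """'good' or 'bad', like tcp.checksum.status once validation is enabled."""
    stored = int.from_bytes(segment[16:18], "big")
    return "good" if stored == tcp_checksum(src_ip, dst_ip, segment) else "bad"


def build_segment(src_ip, dst_ip, src_port, dst_port, seq, ack, flags, payload):
    """20-byte TCP header (no options) + payload, with the checksum filled in."""
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                         5 << 4, flags, 65535, 0, 0)
    segment = header + payload
    csum = tcp_checksum(src_ip, dst_ip, segment)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


# Constructed segment: a PSH/ACK (0x18) carrying an HTTP request line.
SRC_IP, DST_IP = "10.0.0.5", "93.184.216.34"
GOOD = build_segment(SRC_IP, DST_IP, 51234, 80, 1000, 5000, 0x18,
                     b"GET / HTTP/1.1\r\n")
# Flip one payload bit: this is what Expert Info reports as a bad checksum.
CORRUPT = GOOD[:-1] + bytes([GOOD[-1] ^ 0x01])

if __name__ == "__main__":
    print("intact  :", checksum_status(SRC_IP, DST_IP, GOOD))
    print("corrupt :", checksum_status(SRC_IP, DST_IP, CORRUPT))
```

Because the check covers the pseudo-header, a segment that was rewritten by NAT without a checksum update also comes out “bad”; that, together with offloading on the capturing host, is why a pile of bad checksums in a capture is a question to ask about the capture setup before it is a sign of tampering.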

While most of the video focused on the Wireshark GUI, I did pick up on a couple of terminal commands used for file navigation and integrity checking:

  • cd Desktop (to change directory to the Desktop)
  • md5sum test (to calculate the MD5 checksum of a file named “test”; sha256sum works the same way and is what the room’s SHA256 question calls for)

Room Answers

Use the “Exercise.pcapng” file to answer the questions.
 
Read the “capture file comments”. What is the flag?

What is the total number of packets?

What is the SHA256 hash value of the capture file?

View packet number 38. Which markup language is used under the HTTP protocol?

What is the arrival date of the packet? (Answer format: Month/Day/Year)

What is the TTL value?

What is the TCP payload size?

What is the e-tag value?

Use the “Exercise.pcapng” file to answer the questions.

Search the “r4w” string in packet details. What is the name of artist 1?

Go to packet 12 and read the comments. What is the answer?

There is a “.txt” file inside the capture file. Find the file and read it; what is the alien’s name?

Look at the expert info section. What is the number of warnings?

Go to packet number 4. Right-click on the “Hypertext Transfer Protocol” and apply it as a filter. Now, look at the filter pane. What is the filter query?

What is the number of displayed packets?

Go to packet number 33790 and follow the stream. What is the total number of artists?

What is the name of the second artist?

Investigate the resolved addresses. What is the IP address of the hostname that starts with “bbc”?

What is the number of IPv4 conversations?

How many bytes (k) were transferred from the “Micro-St” MAC address?

What is the number of IP addresses linked with “Kansas City”?

Which IP address is linked with “Blicnet” AS Organisation?

What is the most used IPv4 destination address?

What is the max service request-response time of the DNS packets?

What is the number of HTTP Requests accomplished by “rad[.]msn[.]com”?

What is the number of IP packets?

What is the number of packets with a “TTL value less than 10”?

What is the number of packets which uses “TCP port 4444”?

What is the number of “HTTP GET” requests sent to port “80”?

What is the number of “type A DNS Queries”?

Find all Microsoft IIS servers. What is the number of packets that did not originate from “port 80”?

Find all Microsoft IIS servers. What is the number of packets that have “version 7.5”?

What is the total number of packets that use ports 3333, 4444 or 9999?

What is the number of packets with “even TTL numbers”?

Change the profile to “Checksum Control”. What is the number of “Bad TCP Checksum” packets?

Use the existing filtering button to filter the traffic. What is the number of displayed packets?

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.