Wireshark Basics | Complete Guide | TryHackMe Wireshark The Basics & Packet Operations

We covered a complete introduction to Wireshark, the packet analysis tool. We went over the main sections, capturing traffic, packet dissection and analysis, extracting protocol statistics about the captured traffic in addition to dissecting and explaining packet details and navigation. This was part of TryHackMe Wireshark The Basics & TryHackMe Packet Operations which are part of TryHackMe SOC Level 1.

Packet Analysis Study Notes

The Complete Practical Metasploit Framework Course

Video Highlights

Wireshark is an open-source, cross-platform network packet analyser tool capable of sniffing and investigating live traffic and inspecting packet captures (PCAP). It is commonly used as one of the best packet analysis tools. In this room, we will look at the basics of Wireshark and use it to perform fundamental packet analysis.

Wireshark is one of the most potent traffic analyser tools available in the wild. There are multiple purposes for its use:

• Detecting and troubleshooting network problems, such as network load failure points and congestion.
• Detecting security anomalies, such as rogue hosts, abnormal port usage, and suspicious traffic.
• Investigating and learning protocol details, such as response codes and payload data.

Packet dissection is also known as protocol dissection, which investigates packet details by decoding available protocols and fields. Wireshark supports a long list of protocols for dissection, and you can also write your dissection scripts. You can find more details on dissection here.

Wireshark has a powerful filter engine that helps analysts to narrow down the traffic and focus on the event of interest. Wireshark has two types of filtering approaches: capture and display filters. Capture filters are used for “capturing” only the packets valid for the used filter. Display filters are used for “viewing” the packets valid for the used filter.

Filters are specific queries designed for protocols available in Wireshark’s official protocol reference. While the filters are only the option to investigate the event of interest, there are two different ways to filter traffic and remove the noise from the capture file. The first one uses queries, and the second uses the right-click menu. Wireshark provides a powerful GUI, and there is a golden rule for analysts who don’t want to write queries for basic tasks: “If you can click on it, you can filter and copy it”.

This statistics provides multiple statistics options ready to investigate to help users see the big picture in terms of the scope of the traffic, available protocols, endpoints and conversations, and some protocol-specific details like DHCP, DNS and HTTP/2. For a security analyst, it is crucial to know how to utilise the statical information. This section provides a quick summary of the processed pcap, which will help analysts create a hypothesis for an investigation. You can use the “Statistics” menu to view all available options.

Room Answers

Room answers can be found here.

Video Walkthrough