WIRESHARK

GOD LEVEL CHEATSHEET — SOC · FORENSICS · PACKET ANALYSIS · INTERVIEWS
DISPLAY FILTERS CAPTURE FILTERS PROTOCOL ANALYSIS
MASTER REFERENCE
Wireshark is the world's most used network protocol analyzer. In SOC and forensics roles, you'll use it to investigate incidents, analyze malware C2 traffic, reconstruct attacks, and extract artefacts from PCAPs.
// GURU TIP — CAPTURE vs DISPLAY FILTERS
This is the #1 confusion point. Capture filters (BPF syntax) decide what gets recorded — set before capture, cannot be changed. Display filters (Wireshark syntax) decide what you see in the already-captured data — can be changed any time. Different syntax entirely. Know both cold for interviews.
ESSENTIAL DISPLAY FILTERS
http: All HTTP traffic
dns: All DNS queries/responses
tcp.port == 443: HTTPS traffic
ip.addr == 1.2.3.4: All traffic to/from IP
tcp.flags.syn == 1: SYN packets only
frame contains "password": Keyword in any frame
!(arp or dns or icmp): Exclude noise
CAPTURE FILTER SYNTAX (BPF)
host 192.168.1.1: Traffic to/from host
port 80: HTTP traffic only
net 192.168.1.0/24: Entire subnet
tcp: TCP only
not port 22: Exclude SSH
src host 10.0.0.5: Source IP only
port 80 or port 443: HTTP + HTTPS
TCP FLAG FILTERS
tcp.flags.syn==1 && tcp.flags.ack==0: SYN only (new connections)
tcp.flags.reset==1: RST (connection resets)
tcp.flags.fin==1: FIN (connection close)
tcp.flags==0x002: SYN scan detection
tcp.flags==0x000: NULL scan packets
tcp.flags==0x029: Xmas scan packets
OPERATORS (DISPLAY FILTERS)
== / !=: Equals / not equals
> < >= <=: Comparison
&& / and: Logical AND
|| / or: Logical OR
! / not: Logical NOT
contains: Byte/string search
matches: Regex match
PROTOCOL COLORS (DEFAULT)
■ Light Blue: UDP traffic
■ Light Green: TCP traffic
■ Light Red: TCP errors / RST
■ Yellow: ARP / routing
■ Purple: ICMP
■ Orange: HTTP / application
■ White: Other protocols
KEY MENU PATHS
Statistics → Conversations: Top talkers
Statistics → Protocol Hierarchy: Traffic breakdown
File → Export Objects: Extract files
Analyze → Follow Stream: Reconstruct session
Edit → Find Packet: Search content
Statistics → IO Graph: Traffic over time
CAPTURE FILTERS (BPF)
Berkeley Packet Filter syntax. Set BEFORE starting capture. These run in the kernel — very fast, but you can't change them mid-capture. Use to reduce file size on busy networks.
// CRITICAL DIFFERENCE
Capture filters use BPF syntax — not Wireshark display filter syntax. host, port, net, src, dst. If you type a display filter here it will fail silently or error. This trips up candidates constantly.
host  [CRITICAL]
  Syntax:  host [IP]
  Example: host 192.168.1.100
  Purpose: Capture all traffic to OR from a specific IP address. Most common capture filter. Use to focus on a single endpoint during incident investigation.
src host  [SOC]
  Syntax:  src host [IP]
  Example: src host 10.0.0.5
  Purpose: Only capture traffic originating from a specific IP. Use when investigating exfiltration — you only care about outbound data from a suspected compromised host.
dst host  [SOC]
  Syntax:  dst host [IP]
  Example: dst host 8.8.8.8
  Purpose: Only capture traffic destined for a specific IP. Use to monitor all traffic hitting a specific server or external IP flagged as C2.
net  [RECON]
  Syntax:  net [network/mask]
  Example: net 192.168.0.0/16
  Purpose: Capture entire subnet. Use for LAN-wide monitoring. Can specify source/dest with src net or dst net.
port  [CRITICAL]
  Syntax:  port [number]
  Example: port 443 ; port 22
  Purpose: Capture traffic on a specific port (src or dst). Essential for service-specific monitoring. Works with TCP and UDP.
portrange
  Syntax:  portrange [start-end]
  Example: portrange 1-1024
  Purpose: Capture traffic across a range of ports. Useful for monitoring all privileged ports or a custom service range.
tcp / udp / icmp  [CRITICAL]
  Syntax:  tcp ; udp ; icmp
  Example: tcp ; udp and port 53
  Purpose: Filter by protocol layer. Combine with other filters using and, or, not.
not / !  [PRO]
  Syntax:  not [filter]
  Example: not port 22 ; not broadcast
  Purpose: Exclude traffic. Critical for reducing noise — exclude SSH, ARP broadcasts, DNS to isolate interesting traffic on busy networks.
ether host  [FORENSIC]
  Syntax:  ether host [MAC]
  Example: ether host aa:bb:cc:dd:ee:ff
  Purpose: Filter by MAC address (Layer 2). Use when you know the physical device but not its IP (DHCP environments), or when tracking spoofed MACs.
Compound AND/OR  [PRO]
  Syntax:  host [IP] and port [port] ; src net [net] and not port 22
  Example: host 10.0.0.5 and port 80 ; not (port 22 or port 53)
  Purpose: Chain multiple conditions. Use parentheses for complex logic. The not (port 22 or port 53) pattern is gold for cutting SSH and DNS noise in captures.
DISPLAY FILTERS
Wireshark's own filter syntax. Applied to already-captured data. Rich, protocol-aware — you can filter on any field in any protocol. The core skill for PCAP analysis.
// GURU TIP
Click any field value in the packet details pane → right-click → "Apply as Filter". Wireshark writes the filter for you. This is how pros build complex filters fast without memorizing every field name.
ip.addr  [CRITICAL]
  Syntax:  ip.addr == [IP]
  Example: ip.addr == 192.168.1.5 ; ip.addr == 10.0.0.0/8
  Purpose: Show all traffic involving an IP (either direction). Accepts CIDR notation for subnets. Your most-used filter when investigating a specific host.
ip.src / ip.dst  [CRITICAL]
  Syntax:  ip.src == [IP] ; ip.dst == [IP]
  Example: ip.src == 192.168.1.5 ; ip.dst == 8.8.8.8
  Purpose: Directional IP filters. ip.src for outbound from a host (exfiltration hunting), ip.dst for inbound to a server (attack traffic).
tcp.port / udp.port  [CRITICAL]
  Syntax:  tcp.port == [port]
  Example: tcp.port == 4444 ; tcp.port == 80 || tcp.port == 443
  Purpose: Filter by port (either src or dst). Port 4444 is the classic Metasploit default shell port. Unusual ports in display filters are a key threat hunting technique.
http.request.method  [SOC]
  Syntax:  http.request.method == "[METHOD]"
  Example: http.request.method == "POST" ; http.request.method == "GET"
  Purpose: Filter HTTP by method. POST requests often carry credentials or exfiltrated data. Filter POST + large content-length to find data exfil.
http.request.uri  [ATTACK]
  Syntax:  http.request.uri contains "[string]"
  Example: http.request.uri contains "admin" ; http.request.uri contains "cmd="
  Purpose: Search HTTP request paths. Hunting for web attacks — "cmd=", "exec", "passwd", ".php?id=" — classic web shell and SQLi indicators.
http.response.code  [SOC]
  Syntax:  http.response.code == [code]
  Example: http.response.code == 200 ; http.response.code == 401 ; http.response.code >= 400
  Purpose: Filter by HTTP status. Burst of 401s = brute force. Many 404s = directory scanning. 200 after many 401s = successful brute force. Classic SOC pattern.
dns.qry.name  [ATTACK · SOC]
  Syntax:  dns.qry.name contains "[string]" ; dns.qry.name matches "[regex]"
  Example: dns.qry.name contains "evil.com" ; dns.qry.name matches "^[a-z]{20,}"
  Purpose: Filter DNS queries by domain name. Regex match for long random subdomains = DNS tunneling detection. Key IOC hunting technique.
frame contains  [CRITICAL · FORENSIC]
  Syntax:  frame contains "[string]"
  Example: frame contains "password" ; frame contains "Authorization" ; frame contains "flag{"
  Purpose: Search raw bytes of entire frame for a string. Slow on large PCAPs but finds credentials, tokens, flags in any protocol. Gold for CTF and credential hunting.
tcp.stream  [FORENSIC]
  Syntax:  tcp.stream == [N]
  Example: tcp.stream == 0 ; tcp.stream == 14
  Purpose: Isolate a specific TCP conversation by stream index. Right-click any TCP packet → Follow → TCP Stream to see the stream number. Essential for session reconstruction.
tcp.len  [PRO]
  Syntax:  tcp.len > [bytes]
  Example: tcp.len > 0 ; tcp.len > 1000
  Purpose: Filter by TCP payload size. tcp.len > 0 removes ACK-only packets — dramatically cleans up session analysis. Large payload filters spot bulk data transfers.
ip.ttl  [FORENSIC]
  Syntax:  ip.ttl < [value]
  Example: ip.ttl < 10 ; ip.ttl == 64
  Purpose: Filter by Time-To-Live. Low TTL packets may indicate traceroute or spoofed packets. Known OS TTL values: Linux=64, Windows=128, Cisco=255.
Negate/Combine  [PRO]
  Syntax:  !(filter) && (filter) ; filter1 || filter2
  Example: !(arp || dns || icmp) && ip ; ip.addr==10.0.0.5 && tcp.port==80
  Purpose: Combine and negate filters. The !(arp||dns||icmp) pattern is the pro move for clearing noise and seeing only meaningful traffic in a busy capture.
PROTOCOL-SPECIFIC FILTERS
Wireshark understands hundreds of protocols deeply. These are the protocol-specific filters every SOC analyst must know.
DNS  [CRITICAL]
  Filters: dns ; dns.flags.response == 0 ; dns.flags.response == 1 ; dns.qry.type == 1 ; dns.resp.len > 512
  Example: dns.qry.name == "google.com" ; dns.flags.response==0 && dns.qry.type==28
  Purpose: All DNS traffic. Queries (response=0), responses (response=1). Type 1=A, 28=AAAA, 15=MX, 16=TXT. Large TXT responses = DNS tunneling. Unusual AAAA queries = C2 beaconing.
HTTP  [CRITICAL]
  Filters: http ; http.request ; http.response ; http.host ; http.user_agent ; http.cookie
  Example: http.host contains "pastebin" ; http.user_agent contains "curl" ; http.cookie contains "session"
  Purpose: HTTP analysis. Unusual user-agents (curl, python-requests, nmap) = automated attack tools. Filter cookies for session hijacking analysis. Host filter for C2 domain detection.
HTTPS/TLS  [SOC]
  Filters: tls ; tls.handshake.type == 1 ; tls.record.version ; ssl.handshake.ciphersuite ; tls.handshake.extensions_server_name
  Example: tls.handshake.type == 1 ; tls.handshake.extensions_server_name contains "evil"
  Purpose: TLS handshake analysis. Type 1=ClientHello. SNI (server_name extension) reveals destination domain even in encrypted traffic. JA3 fingerprinting starts with ClientHello analysis.
SMB  [ATTACK · CRITICAL]
  Filters: smb ; smb2 ; smb.cmd ; smb2.cmd == 5 ; smb2.filename
  Example: smb2.cmd == 5 ; smb2.filename contains ".exe" ; smb.cmd == 0x25
  Purpose: SMB protocol analysis. SMB2 cmd 5 = file create/read. Filter for .exe/.dll transfers = lateral movement. EternalBlue exploitation visible as malformed SMB packets.
FTP  [ATTACK]
  Filters: ftp ; ftp.request.command ; ftp-data ; ftp.request.command == "PASS"
  Example: ftp.request.command == "USER" ; ftp.request.command == "PASS" ; ftp-data
  Purpose: FTP is cleartext — credentials visible in USER/PASS commands. ftp-data captures the actual file transfers. Follow FTP stream to see login + all transferred data in plaintext.
ICMP  [ATTACK]
  Filters: icmp ; icmp.type == 8 ; icmp.type == 0 ; data.len > 64
  Example: icmp.type == 8 ; icmp && data.len > 64
  Purpose: ICMP type 8=Echo Request (ping), type 0=Echo Reply. Large ICMP payloads = ICMP tunneling (data being smuggled in ping packets). Normal ping payload is 32-64 bytes.
ARP  [ATTACK]
  Filters: arp ; arp.opcode == 1 ; arp.opcode == 2 ; arp.duplicate-address-detected
  Example: arp.opcode == 1 ; arp.duplicate-address-detected
  Purpose: ARP op 1=request, op 2=reply. Wireshark flags ARP poisoning automatically with arp.duplicate-address-detected. Burst of ARP requests = ARP scanning or poisoning attack.
SSH  [SOC]
  Filters: ssh ; tcp.port == 22 ; ssh.message_code
  Example: tcp.port == 22 && tcp.flags.syn==1 ; ssh.message_code == 50
  Purpose: SSH is encrypted — you can't see content. But you CAN see connection frequency (brute force = many SYNs to port 22), session duration, and data volume (large transfers = tunneling/exfil).
DHCP  [FORENSIC]
  Filters: dhcp ; bootp ; dhcp.option.dhcp == 1 ; dhcp.hw.mac_addr
  Example: dhcp.option.dhcp == 1 ; dhcp.hw.mac_addr == aa:bb:cc:dd:ee:ff
  Purpose: Track IP assignments. DHCP discover (type 1) reveals MAC addresses of new devices joining the network. Cross-reference with IP assignments to map device inventory and detect rogue devices.
SMTP/POP3/IMAP  [FORENSIC]
  Filters: smtp ; pop ; imap ; smtp.req.command == "AUTH"
  Example: smtp.req.command == "AUTH" ; smtp.req.parameter contains "PLAIN"
  Purpose: Email protocol analysis. SMTP AUTH PLAIN = base64 encoded credentials visible in cleartext. Filter for email exfiltration — large attachments in SMTP = data theft vector.
TSHARK — COMMAND LINE WIRESHARK
TShark is Wireshark's terminal-based sibling. Essential for scripting, automation, remote capture, and processing large PCAPs where the GUI would be too slow. Interviewers love asking about tshark.
// GURU TIP
In a SOC role you'll frequently SSH into a remote server and need to capture packets without a GUI. tshark is your answer. Know how to capture, filter, and extract fields from the command line — it shows you can work in headless environments.
-i (interface)  [CRITICAL]
  Syntax:  tshark -i [interface]
  Example: tshark -i eth0 ; tshark -i any
  Purpose: Specify capture interface. -i any captures on all interfaces. Use tshark -D to list available interfaces. First thing you set in any tshark command.
-r (read file)  [CRITICAL]
  Syntax:  tshark -r [file.pcap]
  Example: tshark -r capture.pcap ; tshark -r capture.pcapng
  Purpose: Read and analyze an existing PCAP file. The CLI equivalent of opening a file in Wireshark. Essential for scripting automated PCAP analysis in SOC workflows.
-w (write file)  [CRITICAL]
  Syntax:  tshark -i [iface] -w [file.pcap]
  Example: tshark -i eth0 -w /tmp/cap.pcap
  Purpose: Write captured packets to file. Remote server capture — SSH in, run tshark -w, download the PCAP, analyze in Wireshark GUI. Standard incident response workflow.
-f (capture filter)  [SOC]
  Syntax:  tshark -i [iface] -f "[BPF]"
  Example: tshark -i eth0 -f "port 80" ; tshark -i eth0 -f "host 10.0.0.5"
  Purpose: Apply BPF capture filter. Reduces capture size immediately at kernel level. Use when capturing on busy production servers where disk space matters.
-Y (display filter)  [CRITICAL]
  Syntax:  tshark -r [file] -Y "[filter]"
  Example: tshark -r cap.pcap -Y "http" ; tshark -r cap.pcap -Y "ip.addr==1.2.3.4"
  Purpose: Apply Wireshark display filter to a PCAP file. Same syntax as GUI filter bar. Combine with -T and -e to extract specific fields from filtered packets.
-T / -e (fields)  [PRO · CRITICAL]
  Syntax:  tshark -r [file] -T fields -e [field1] -e [field2]
  Example: tshark -r cap.pcap -T fields -e ip.src -e ip.dst -e tcp.port ; tshark -r cap.pcap -Y "dns" -T fields -e dns.qry.name
  Purpose: Extract specific protocol fields as text. Pipe to sort/uniq/grep for analysis. Extract all DNS queries: -Y "dns.flags.response==0" -T fields -e dns.qry.name — pure gold for threat hunting.
-c (packet count)
  Syntax:  tshark -i [iface] -c [N]
  Example: tshark -i eth0 -c 100 ; tshark -i eth0 -c 1000 -w out.pcap
  Purpose: Stop after capturing N packets. Quick sampling of network traffic without letting the file grow unbounded. Combine with -w to save exactly N packets.
-a duration  [SOC]
  Syntax:  tshark -i [iface] -a duration:[sec] -w [file]
  Example: tshark -i eth0 -a duration:60 -w cap.pcap
  Purpose: Auto-stop after N seconds. Scheduled/timed captures — set a 5-minute capture window for a suspicious time period without having to manually stop it.
-b (ring buffer)  [PRO]
  Syntax:  tshark -i [iface] -b filesize:[KB] -w [file]
  Example: tshark -i eth0 -b filesize:10240 -b files:5 -w cap.pcap
  Purpose: Ring buffer — rotate capture files at set size/time, keeping only the last N files. Professional long-term monitoring without filling disk. Used in production SOC capture setups.
-z statistics  [PRO]
  Syntax:  tshark -r [file] -z [stat]
  Example: tshark -r cap.pcap -z conv,tcp ; tshark -r cap.pcap -z http,tree ; tshark -r cap.pcap -z io,stat,1
  Purpose: Generate statistics from PCAP. conv,tcp = top TCP conversations, http,tree = HTTP breakdown, io,stat,1 = traffic per second. CLI equivalent of Statistics menu.
ATTACK DETECTION FILTERS
Real-world filters for detecting active attacks in packet captures. These are what SOC analysts use during threat hunting and incident response.
// 🎯 INTERVIEW GOLD
"Walk me through how you'd detect a port scan in Wireshark." Answer: tcp.flags.syn==1 && tcp.flags.ack==0 shows all SYN packets. A large number from one source IP to many destination ports in a short timeframe = port scan. Statistics → Conversations shows top scanners immediately.
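As an added example (not code from the cheat sheet), the Python below reproduces the logic behind the tcp.flags hex filters in the TCP FLAG FILTERS list and the port-scan answer above: it decodes a tcp.flags value into flag names and counts bare SYNs per source over tshark field output. The tshark command in the docstring and the sample packets are assumptions constructed for the example.

```python
"""Decode tcp.flags values and spot a SYN scan in tshark field output.

Added example, not from the cheat sheet. The constructed input below mimics
what this assumed command prints, one packet per line:
  tshark -r cap.pcap -Y tcp -T fields -e ip.src -e ip.dst -e tcp.dstport -e tcp.flags
"""
from collections import defaultdict

# Bit layout of Wireshark's tcp.flags value (FIN is the low bit, NS is bit 8).
TCP_FLAG_BITS = {
    0x001: "FIN", 0x002: "SYN", 0x004: "RST", 0x008: "PSH", 0x010: "ACK",
    0x020: "URG", 0x040: "ECE", 0x080: "CWR", 0x100: "NS",
}

def decode_flags(value):
    """Return the set of flag names set in a tcp.flags value such as 0x029."""
    return {name for bit, name in TCP_FLAG_BITS.items() if value & bit}

def classify_probe(value):
    """Name the scan signature a single tcp.flags value matches, if any."""
    flags = decode_flags(value)
    if not flags:
        return "NULL scan (-sN)"                   # tcp.flags == 0x000
    if flags == {"FIN", "PSH", "URG"}:
        return "Xmas scan (-sX)"                   # tcp.flags == 0x029
    if flags == {"SYN"}:
        return "SYN (new connection or -sS probe)" # tcp.flags == 0x002
    return None

def parse_fields(text):
    """Parse tab-separated tshark lines into (src, dst, dport, flags) tuples."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            src, dst, dport, flags = line.split("\t")
            rows.append((src, dst, int(dport), int(flags, 16)))
    return rows

def find_syn_scanners(rows, min_ports=5):
    """Flag sources sending bare SYNs to at least min_ports distinct targets.

    Returns {src: {"ports", "syn", "synack", "rst"}}. Many SYNs with few
    SYN-ACKs and a high RST count is the port-scan pattern described above.
    """
    targets, syns = defaultdict(set), defaultdict(int)
    replies = defaultdict(lambda: {"synack": 0, "rst": 0})
    for src, dst, dport, flags in rows:
        names = decode_flags(flags)
        if names == {"SYN"}:
            targets[src].add((dst, dport))
            syns[src] += 1
        elif names == {"SYN", "ACK"}:
            replies[dst]["synack"] += 1   # keyed by the prober that receives it
        elif "RST" in names:
            replies[dst]["rst"] += 1
    return {
        src: {"ports": len(ports), "syn": syns[src],
              "synack": replies[src]["synack"], "rst": replies[src]["rst"]}
        for src, ports in targets.items() if len(ports) >= min_ports
    }

# Constructed sample: 10.0.0.99 probes five ports on 10.0.0.5 (only 80 answers
# SYN-ACK, 22 answers RST), while 10.0.0.7 completes one normal handshake.
SAMPLE_FIELDS = """\
10.0.0.99\t10.0.0.5\t22\t0x0002
10.0.0.99\t10.0.0.5\t80\t0x0002
10.0.0.99\t10.0.0.5\t443\t0x0002
10.0.0.99\t10.0.0.5\t445\t0x0002
10.0.0.99\t10.0.0.5\t3389\t0x0002
10.0.0.5\t10.0.0.99\t51000\t0x0014
10.0.0.5\t10.0.0.99\t51001\t0x0012
10.0.0.7\t10.0.0.5\t443\t0x0002
10.0.0.5\t10.0.0.7\t52000\t0x0012
10.0.0.7\t10.0.0.5\t443\t0x0010
"""

if __name__ == "__main__":
    print(classify_probe(0x029), sorted(decode_flags(0x029)))
    print(find_syn_scanners(parse_fields(SAMPLE_FIELDS)))
```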
Port Scan (SYN)  [CRITICAL]
  Filter:    tcp.flags.syn==1 && tcp.flags.ack==0
  Indicator: One src IP → many dst ports ; Many SYNs, few SYN-ACKs
  Look for:  SYN packets with no ACK = connection attempts. Single source to many ports = nmap/masscan port scan. Check Statistics → Conversations to quantify. High RST ratio confirms scan.
Nmap NULL Scan  [ATTACK]
  Filter:    tcp.flags == 0x000
  Indicator: Packets with zero flags ; No SYN/ACK/FIN set
  Look for:  TCP packets with absolutely no flags set. Legitimate TCP never sends null-flag packets. Immediate indicator of nmap NULL scan (-sN) or other stealth reconnaissance.
Nmap Xmas Scan  [ATTACK]
  Filter:    tcp.flags == 0x029
  Indicator: FIN+URG+PSH flags set ; 0x029 = 0b00101001
  Look for:  FIN, URG, and PSH flags simultaneously = nmap Xmas scan (-sX). Never occurs in legitimate traffic. Instant detection signature for this specific evasion technique.
ARP Poisoning  [ATTACK · CRITICAL]
  Filter:    arp.duplicate-address-detected ; arp.opcode==2 && eth.dst==ff:ff:ff:ff:ff:ff
  Indicator: Same IP, different MACs ; Gratuitous ARP flood
  Look for:  Wireshark auto-flags duplicate IP-to-MAC mappings. ARP poisoning for MITM creates multiple ARP replies claiming ownership of an IP. Also look for unsolicited gratuitous ARPs.
DNS Tunneling  [ATTACK · CRITICAL]
  Filter:    dns.qry.name matches "[a-z0-9]{20,}" ; dns.resp.len > 512
  Indicator: Long random subdomains ; High volume DNS to one domain ; TXT queries with large responses
  Look for:  DNS tunneling embeds data in DNS queries/responses. Indicators: unusually long subdomains, high-entropy names, abnormally large TXT records, excessive queries to one domain.
Brute Force  [SOC · CRITICAL]
  Filter:    http.response.code == 401 ; ftp.response.code == 530 ; tcp.port==22 && tcp.flags.syn==1
  Indicator: Many 401s same src IP ; Many failed FTP logins ; Rapid SYN to port 22
  Look for:  HTTP 401, FTP 530 (login failed), repeated SSH connections = brute force. Filter + Statistics → Conversations to count attempts per source. Successful login after burst = compromise.
ICMP Tunneling  [ATTACK]
  Filter:    icmp && data.len > 64 ; icmp.type==8 && data.len > 100
  Indicator: Ping with 500+ byte payloads ; Regular interval pings ; Non-standard ICMP data
  Look for:  Normal ping payload = 32-64 bytes. Large ICMP data payloads = data being smuggled in ping packets (ICMP tunnel tools like icmptunnel, ptunnel). Check for regular intervals = C2 beaconing.
SQL Injection  [ATTACK]
  Filter:    http.request.uri contains "'" ; http.request.uri contains "UNION" ; http.request.uri contains "--"
  Indicator: GET /?id=1' OR 1=1-- ; UNION SELECT in URI ; Encoded %27 in requests
  Look for:  SQLi signatures in HTTP URIs. Single quotes, UNION SELECT, comment markers (--). Check for URL-encoded variants too: http.request.uri contains "%27".
Cleartext Credentials  [CRITICAL · FORENSIC]
  Filter:    http.authbasic ; ftp.request.command=="PASS" ; telnet ; pop.request.command=="PASS"
  Indicator: Authorization: Basic base64 ; FTP PASS command visible ; Telnet session (all cleartext)
  Look for:  HTTP Basic Auth sends base64 credentials in every request. FTP, Telnet, POP3 send passwords in cleartext. Follow stream to extract. Base64 decode Authorization header for credentials.
C2 Beaconing  [SOC · ATTACK]
  Filter:    http.request && ip.dst == [suspicious_IP] ; dns.qry.name contains [domain] ; tcp.port == 4444 || tcp.port == 8080
  Indicator: Regular interval HTTP GET ; Same domain/IP contacted every N sec ; Metasploit default port 4444
  Look for:  C2 beacons show as regular interval connections to the same destination. Use Statistics → IO Graph to visualize. Consistent timing = automated callback. Metasploit Meterpreter defaults to port 4444.
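Added example, not part of the cheat sheet: the beaconing check in the C2 row above, automated. It groups new-connection timestamps per (src, dst, port) from tshark field output and flags flows whose inter-connection gaps are regular (low jitter), which is what the IO Graph shows visually. The tshark command in the docstring, the jitter threshold and the sample flows are assumptions constructed for the example.

```python
"""Spot C2-style beaconing from per-flow timing in tshark field output.

Added example, not part of the cheat sheet. The constructed input mimics the
output of this assumed command (one SYN per line):
  tshark -r cap.pcap -Y "tcp.flags.syn==1 && tcp.flags.ack==0" \
         -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport
"""
from collections import defaultdict
from statistics import mean, pstdev

def parse_flows(text):
    """Group connection timestamps by (src, dst, dport) from tab-separated lines."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport = line.split("\t")
            flows[(src, dst, int(dport))].append(float(ts))
    return flows

def beacon_score(timestamps):
    """Return (mean_gap, jitter_ratio) for a flow, or None if under 3 connections.

    jitter_ratio = stdev(gaps) / mean(gaps). Automated callbacks sit near 0;
    human-driven traffic is much higher. This is the "consistent timing"
    signal the cheat sheet describes, expressed as a number.
    """
    if len(timestamps) < 3:
        return None
    times = sorted(timestamps)
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return None
    return avg, pstdev(gaps) / avg

def find_beacons(flows, min_connections=4, max_jitter=0.2):
    """Flows with enough connections and a jitter ratio at or below max_jitter."""
    hits = {}
    for key, times in flows.items():
        score = beacon_score(times)
        if score and len(times) >= min_connections and score[1] <= max_jitter:
            hits[key] = {"interval": round(score[0], 2), "jitter": round(score[1], 3)}
    return hits

# Constructed sample: 10.0.0.5 calls back to 203.0.113.10:8080 roughly every
# 60 s (the beacon), while its traffic to 198.51.100.20:443 is irregular.
SAMPLE_SYNS = """\
1700000000.10\t10.0.0.5\t203.0.113.10\t8080
1700000060.30\t10.0.0.5\t203.0.113.10\t8080
1700000120.05\t10.0.0.5\t203.0.113.10\t8080
1700000180.40\t10.0.0.5\t203.0.113.10\t8080
1700000240.20\t10.0.0.5\t203.0.113.10\t8080
1700000003.00\t10.0.0.5\t198.51.100.20\t443
1700000005.00\t10.0.0.5\t198.51.100.20\t443
1700000090.00\t10.0.0.5\t198.51.100.20\t443
1700000091.00\t10.0.0.5\t198.51.100.20\t443
1700000200.00\t10.0.0.5\t198.51.100.20\t443
"""

if __name__ == "__main__":
    for flow, info in find_beacons(parse_flows(SAMPLE_SYNS)).items():
        print(flow, info)
```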
FORENSICS & ANALYSIS TECHNIQUES
Beyond filtering — the professional techniques for deep PCAP investigation, file extraction, credential recovery, and session reconstruction.
Follow TCP Stream  [CRITICAL]
  How:     Right-click packet → Follow → TCP Stream ; Analyze → Follow → TCP Stream
  Filter:  tcp.stream == [N]
  Reveals: Reconstructs the entire conversation between two endpoints. See cleartext credentials, HTTP requests/responses, FTP commands, shell sessions end-to-end. Most powerful forensic tool in Wireshark.
Follow UDP Stream  [FORENSIC]
  How:     Right-click UDP packet → Follow → UDP Stream ; Analyze → Follow → UDP Stream
  Filter:  udp.stream == [N]
  Reveals: Reconstruct UDP sessions (DNS, VoIP, custom protocols). Essential for DNS tunnel analysis — follow stream to see full tunneled data content hidden in DNS queries.
Export Objects (Files)  [CRITICAL · FORENSIC]
  How:     File → Export Objects → [Protocol]
  Path:    File → Export Objects → HTTP ; File → Export Objects → SMB ; File → Export Objects → FTP-DATA
  Reveals: Extract files transferred over the network directly from PCAP. Recover malware samples, documents, images from HTTP downloads or SMB file transfers. Critical for malware analysis in forensic investigations.
Protocol Hierarchy  [SOC]
  How:     Statistics → Protocol Hierarchy
  Path:    Shows % breakdown of all protocols
  Reveals: See breakdown of every protocol in the capture by percentage and packet count. Abnormal protocol ratios reveal anomalies — unexpected DNS percentage, unknown protocols, excessive ICMP.
Conversations  [CRITICAL · SOC]
  How:     Statistics → Conversations → TCP/UDP/IP tab
  Path:    Sort by bytes (exfil hunting) ; Sort by packets (scan detection)
  Reveals: Top network talkers sorted by packets or bytes. Sort by bytes to find exfiltration (huge outbound transfers). Sort by packets to find scanners. Click "Follow Stream" directly from here.
IO Graph  [SOC]
  How:     Statistics → IO Graph
  Path:    Add filter: http.request ; Compare normal vs spike periods
  Reveals: Visualize traffic volume over time. Add multiple filters to overlay. Spikes indicate attacks, scans, or transfers. Regular intervals = beaconing. Flatlines after normal activity = connection drop/kill.
Expert Information  [PRO]
  How:     Analyze → Expert Information
  Path:    Shows: Errors, Warnings, Notes, Chats
  Reveals: Wireshark's automated anomaly detection. Flags TCP retransmissions, RST storms, malformed packets, protocol violations. First stop when opening an unfamiliar PCAP — let Wireshark tell you what's wrong.
Decode As  [PRO]
  How:     Right-click port → Decode As
  Path:    Decode port 4444 as HTTP ; Decode custom port as SMB
  Reveals: Force Wireshark to interpret a protocol as something else. Malware often runs HTTP C2 on non-standard ports — decode that port as HTTP and suddenly you can read the C2 commands clearly.
GeoIP / Name Resolution  [FORENSIC]
  How:     Edit → Preferences → Name Resolution
  Path:    Enable: Resolve network addresses ; MaxMind GeoIP database
  Reveals: Resolve IPs to hostnames and geographic locations. Enable MaxMind GeoIP to see country flags on packets. Quickly identifies foreign C2 servers, CDNs, and unexpected international connections.
Color Rules  [PRO]
  How:     View → Coloring Rules
  Path:    Add rule: tcp.flags.reset==1 → Red ; Add rule: dns.qry.name contains "evil" → Bright yellow
  Reveals: Create custom color rules for your investigation. Highlight all RST packets red, all connections to a suspicious IP orange. Custom coloring dramatically speeds up manual PCAP analysis.
KEYBOARD SHORTCUTS & UI MASTERY
Speed is analysis quality. Analysts who navigate Wireshark with keyboard shortcuts work 3x faster and catch things mouse-clickers miss.
CAPTURE CONTROL
Ctrl + E: Start/Stop capture
Ctrl + K: Capture options
Ctrl + O: Open PCAP file
Ctrl + S: Save capture
Ctrl + Shift + S: Save As
Ctrl + W: Close capture
Ctrl + Q: Quit Wireshark
NAVIGATION
Ctrl + F: Find packet
Ctrl + N: Next found packet
Ctrl + B: Previous found packet
Ctrl + G: Go to packet #
Ctrl + Home: First packet
Ctrl + End: Last packet
Space: Next packet
DISPLAY & VIEW
Ctrl + +: Zoom in
Ctrl + -: Zoom out
Ctrl + =: Normal size
Ctrl + R: Reload file
Ctrl + .: Next TCP stream
Ctrl + ,: Previous TCP stream
Alt + →/←: Expand/collapse tree
FILTERS (POWER USER)
Ctrl + /: Focus filter bar
Enter: Apply filter
Ctrl + Enter: Apply & save filter
Esc: Clear filter
Right-click field: "Apply as filter"
Right-click field: "Prepare as filter"
Shift + Ctrl + O: Merge PCAP files
ANALYSIS
Ctrl + Alt + Shift + T: Follow TCP stream
Ctrl + Alt + Shift + U: Follow UDP stream
Ctrl + M: Mark packet
Ctrl + Shift + N: Next marked packet
Ctrl + D: Display filter expression
Ctrl + I: Capture interfaces
F5: Refresh / autoscroll
TSHARK ONE-LINERS
tshark -D   # List interfaces
tshark -r x.pcap -z conv,tcp   # TCP conversations
tshark -r x.pcap -Y "dns" -T fields -e dns.qry.name   # All DNS queries
tshark -r x.pcap -Y "http.request" -T fields -e http.host -e http.request.uri   # All HTTP requests
tshark -r x.pcap -Y 'ftp.request.command=="PASS"' -T fields -e ftp.request.arg   # FTP passwords
🎯 INTERVIEW SCENARIOS
Real questions and answers from SOC analyst, blue team, and DFIR interviews. Know the WHY behind every filter, not just the syntax.
"How do you detect a port scan in a PCAP?"  [CRITICAL]
  Answer: tcp.flags.syn==1 && tcp.flags.ack==0 ; then Statistics → Conversations → sort by packets
  Why:    SYN with no ACK = connection attempt with no response. One source IP to many destination ports = scan. Conversations view shows you the scanner immediately by packet count. Mention RST ratio confirming closed ports.
"What's the difference between capture and display filters?"  [CRITICAL]
  Answer: Capture: BPF syntax → host, port, net ; Display: Wireshark syntax → ip.addr, tcp.port, http
  Why:    Capture filters run in the kernel before packets reach Wireshark — can't be changed mid-capture, very fast. Display filters are post-capture, can be changed anytime, use protocol-aware field names. Different syntax entirely.
"How would you extract credentials from a PCAP?"  [CRITICAL]
  Answer: http.authbasic → decode base64 ; ftp.request.command == "PASS" ; frame contains "password" ; Follow TCP Stream on cleartext sessions
  Why:    HTTP Basic Auth = base64 in header (decode it). FTP/Telnet/POP3 = plaintext. Frame contains for keyword hunting. Follow TCP Stream on interesting sessions. Mention that HTTPS requires the decryption key to read.
"Malware is suspected on a host. How do you analyze its network traffic?"  [SOC · CRITICAL]
  Answer: 1) ip.addr == [host_IP] ; 2) Statistics → Protocol Hierarchy ; 3) Statistics → Conversations → sort by bytes ; 4) Look for: beaconing intervals, unusual ports, DNS tunneling, C2 patterns
  Why:    Start broad with the host IP, then Protocol Hierarchy shows unexpected protocols. Conversations finds external IPs the host talks to. IO Graph visualizes beaconing intervals. This systematic approach shows methodology, not just syntax knowledge.
"How do you find data exfiltration in Wireshark?"  [SOC]
  Answer: Statistics → Conversations → TCP → sort by Bytes B→A ; ip.src == [internal_host] && tcp.len > 1000 ; File → Export Objects → HTTP/SMB
  Why:    Sort conversations by outbound bytes — exfiltration shows as unusually large transfers to external IPs. Large payload filter eliminates ACK noise. Export Objects reveals what files were sent. DNS exfil: filter for large DNS responses.
"How would you detect ARP poisoning / MITM?"  [ATTACK · CRITICAL]
  Answer: arp.duplicate-address-detected ; arp.opcode == 2
  Why:    Wireshark auto-flags this. ARP poisoning = multiple ARP reply packets claiming the same IP belongs to different MACs. The poisoner broadcasts ARP replies for the gateway IP pointing to their MAC. Wireshark colors these and adds expert warnings.
"How do you investigate a suspected web attack?"  [ATTACK]
  Answer: http.request.method == "POST" ; http.response.code >= 400 ; http.request.uri contains "'" || http.request.uri contains "UNION" || http.request.uri contains "cmd=" ; Statistics → HTTP → Requests
  Why:    Start with HTTP requests. Filter POST (data submission). Filter 4xx responses (errors = scanning/probing). Check URI for injection signatures. HTTP → Requests shows all URLs hit — scanning pattern obvious from sequential URLs.
"How do you capture packets on a remote server without a GUI?"  [PRO · CRITICAL]
  Answer: tshark -i eth0 -w /tmp/capture.pcap -a duration:60   # then SCP the file and open it in the Wireshark GUI
  Why:    tshark is the headless answer. SSH in, run tshark with -w to write to file, set -a duration to auto-stop, SCP the PCAP back, analyze in GUI. This shows you understand real-world SOC workflows beyond lab environments.
"What is DNS tunneling and how do you detect it?"  [ATTACK · SOC]
  Answer: dns.qry.name matches "[a-z0-9]{20,}" ; dns.resp.len > 512 ; tshark -r cap.pcap -Y "dns" -T fields -e dns.qry.name | sort | uniq -c | sort -rn
  Why:    DNS tunneling encodes data as subdomain labels — dGhpcyBpcyBkYXRh.evil.com. Indicators: high-entropy long subdomains, excessive queries to one domain, large TXT responses. The tshark one-liner extracts all queries for offline frequency analysis.
"Name 3 things you check first when opening an unknown PCAP"  [CRITICAL]
  Answer: 1) Analyze → Expert Information ; 2) Statistics → Protocol Hierarchy ; 3) Statistics → Conversations → sort by bytes
  Why:    Expert Information = Wireshark's own anomaly flags (errors, warnings). Protocol Hierarchy = what protocols are present (anything unexpected?). Conversations = who's talking to whom and how much data. This triage approach in under 60 seconds shows investigative maturity.
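Added example, not the cheat sheet's own code: the DNS tunneling indicators from the DNS Tunneling row and the interview answer above (long labels, high-entropy labels, many unique names under one domain), applied to the query names the tshark one-liner prints before its sort | uniq step. The thresholds (20-character labels, 3.5 bits of entropy, 5 unique names), the crude two-label parent-domain split, and the sample queries are assumptions constructed for the example.

```python
"""Score DNS query names for tunneling indicators.

Added example, not from the cheat sheet. Input is the list of names printed by
this assumed command, before any sort | uniq step:
  tshark -r cap.pcap -Y "dns.flags.response==0" -T fields -e dns.qry.name
"""
import math
from collections import defaultdict

def shannon_entropy(s):
    """Bits of entropy per character; encoded (base32/base64) labels sit near 4-5."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))

def registered_domain(name):
    """Crude 'last two labels' parent domain (assumption: no public-suffix list)."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def analyse_queries(names, max_label=20, min_entropy=3.5, min_unique=5):
    """Aggregate per parent domain and flag tunneling-like behaviour.

    Returns {domain: {"queries", "unique", "long_labels", "high_entropy",
    "suspicious"}}. A domain is suspicious when it receives many distinct
    names AND at least one subdomain label is long or high-entropy.
    """
    stats = defaultdict(lambda: {"queries": 0, "unique": set(),
                                 "long_labels": 0, "high_entropy": 0})
    for name in names:
        name = name.strip().lower()
        if not name:
            continue
        dom = registered_domain(name)
        entry = stats[dom]
        entry["queries"] += 1
        entry["unique"].add(name)
        sub = name[: -len(dom) - 1] if name != dom else ""
        for label in (sub.split(".") if sub else []):
            if len(label) >= max_label:
                entry["long_labels"] += 1
            if shannon_entropy(label) >= min_entropy:
                entry["high_entropy"] += 1
    out = {}
    for dom, entry in stats.items():
        uniq = len(entry["unique"])
        flagged = uniq >= min_unique and (entry["long_labels"] > 0
                                          or entry["high_entropy"] > 0)
        out[dom] = {"queries": entry["queries"], "unique": uniq,
                    "long_labels": entry["long_labels"],
                    "high_entropy": entry["high_entropy"], "suspicious": flagged}
    return out

# Constructed sample of dns.qry.name output: ordinary lookups plus a tunnel
# that sends encoded chunks as long base32-style labels under evil.example.
SAMPLE_QUERIES = """\
www.google.com
mail.google.com
www.google.com
cdn.example.net
dGhpcyBpcyBkYXRh.evil.example
mzxw6ytboi2gs3thnfxgc5dqmfvxgzlsmrqwiyd2.evil.example
nfzxgzlsmrqwiydjnzss4tbnf2a.evil.example
mzxw6ytbon2hi43tmvzha.evil.example
pfxgszlbnzsxe5lsorqgk3lfnz2c4.evil.example
nbswy3dpeb3w64tmmq.evil.example
"""

if __name__ == "__main__":
    for dom, info in analyse_queries(SAMPLE_QUERIES.splitlines()).items():
        print(dom, info)
```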
// GURU — THE COMPLETE INVESTIGATION WORKFLOW
When given a PCAP in an interview or on the job: 1) Expert Information for auto-flagged anomalies → 2) Protocol Hierarchy for overview → 3) Filter to suspicious IPs/ports → 4) Follow TCP Streams on interesting sessions → 5) Export Objects for file extraction → 6) tshark for automated IOC extraction. That's the complete methodology.