Wireshark Cheatsheet for Network Analysis

📱 Mobile Security Tips

Nina Kovacs — Consumer Security Analyst

What is Wireshark?

Wireshark is an open-source network protocol analyzer that captures and displays the data traveling back and forth on a network in real time. It is essential for network troubleshooting, analysis, and security investigations.

Installation

Wireshark can be installed on multiple platforms including Windows, Linux, and macOS. Visit the official Wireshark website for installation packages.

Basic Syntax

The basic command to launch Wireshark from the terminal is:

wireshark

Discovery

Listing Network Interfaces

To see all interfaces available for capture, use:

wireshark -D

Capturing Traffic on a Specific Interface

Use the following command to capture traffic on a specific interface:

wireshark -i

Scanning

Capturing Specific Protocols

To capture only specific protocols like HTTP or DNS, use a capture filter (BPF syntax, applied before packets are stored):

wireshark -f "port 80 or port 53"

Exploitation

Filtering Captured Packets

To focus on packets that contain a specific IP address, use a display filter (Wireshark's own filter syntax, applied to packets already captured):

wireshark -Y "ip.addr == "

Analysis

Saving Captured Data

To save your current session for later analysis:

wireshark -w .pcap

Evasion

Running Wireshark in Non-GUI Mode

If resources are limited or no GUI is available, use Wireshark's command-line tool, TShark, which accepts the same capture (-f) and display (-Y) filters:

tshark -i -f "tcp port 80"

Reporting

Generating Protocol Statistics

To generate statistics about captured protocols, use TShark: -V prints the full protocol dissection of every packet, while -z io,phs prints an aggregated protocol hierarchy (frames and bytes per protocol) at the end of the run:

tshark -V

tshark -z io,phs
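The protocol hierarchy report is plain text, so it can be parsed and compared across captures. The following is an added example, not code from the Wireshark project: it parses a constructed sample laid out like TShark's -z io,phs output (two-space indentation per protocol level, then frames:N bytes:M) and computes per-protocol byte shares, for instance how much of a capture is cleartext HTTP.

```python
"""Parse the protocol hierarchy report of `tshark -z io,phs` into a flat table.

The sample below is constructed to mimic the shape of that report; it is not
real capture data.
"""
import re

# Constructed sample in the layout TShark prints for `-z io,phs`.
SAMPLE_PHS = """\
===================================================================
Protocol Hierarchy Statistics
Filter:

eth                                      frames:120 bytes:91450
  ip                                     frames:118 bytes:91210
    tcp                                  frames:96 bytes:84300
      http                               frames:22 bytes:31020
      tls                                frames:40 bytes:47100
    udp                                  frames:22 bytes:6910
      dns                                frames:22 bytes:6910
  arp                                    frames:2 bytes:240
===================================================================
"""

# One protocol row: leading spaces give the nesting level.
LINE_RE = re.compile(
    r"^(?P<indent> *)(?P<proto>\S+)\s+frames:(?P<frames>\d+)\s+bytes:(?P<bytes>\d+)\s*$"
)


def parse_phs(text, indent_width=2):
    """Return a list of (path, frames, bytes) tuples, path like 'eth/ip/tcp/http'."""
    rows = []
    stack = []  # protocol names of the enclosing levels
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, separator and blank lines carry no counts
        depth = len(m.group("indent")) // indent_width
        del stack[depth:]  # leaving a deeper branch pops its ancestors
        stack.append(m.group("proto"))
        rows.append(("/".join(stack), int(m.group("frames")), int(m.group("bytes"))))
    return rows


def share_of_bytes(rows, proto):
    """Fraction of all captured bytes carried by a protocol (leaf name or full path)."""
    total = rows[0][2] if rows else 0  # the root row counts every frame once
    for path, _frames, nbytes in rows:
        if path == proto or path.rsplit("/", 1)[-1] == proto:
            return nbytes / total if total else 0.0
    return 0.0


def cleartext_http_frames(rows):
    """Frames dissected as plain HTTP; a defender expects this to be near zero on a hardened network."""
    return sum(frames for path, frames, _bytes in rows if path.endswith("/http"))


if __name__ == "__main__":
    table = parse_phs(SAMPLE_PHS)
    for path, frames, nbytes in table:
        print(f"{path:<24} {frames:>6} frames {nbytes:>8} bytes")
    print("HTTP share of bytes: {:.1%}".format(share_of_bytes(table, "http")))
    print("Cleartext HTTP frames:", cleartext_http_frames(table))
```

Run TShark with -r capture.pcap -q -z io,phs to produce the report for a saved capture, then feed its stdout to parse_phs; the path form makes it easy to diff two captures taken before and after a configuration change.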

Quick Reference Table

Flag   Description
-D     List all available capture interfaces
-i     Specify interface to capture from
-f     Set capture filter
-w     Write captured packets to a file
-Y     Set display filter

Pro Tips

  • Use display filters: Wireshark’s filtering is powerful; learn more about syntax to get relevant data quickly.
  • Coloring rules: Customize packet colors for easier visual analysis.
  • Expert info: Enable expert info to highlight potential issues in captured packets.

Real-World Examples

For malicious traffic analysis, capture and filter based on suspicious IPs:

wireshark -Y "ip.dst == "

For web server analysis during a penetration test:

wireshark -f "tcp port 80" -w http_traffic.pcap
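Typing one ip.dst filter per suspicious address does not scale to an indicator list. As an added example (not code from the page's author or the Wireshark project), the script below builds a single display filter from a list of addresses for use with -Y, and triages a constructed TShark field export (the shape produced by tshark -r capture.pcap -T fields -E separator=, -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport) to show which internal hosts contacted the flagged destinations and on which ports. The addresses are documentation-range placeholders, not real indicators.

```python
"""Triage a capture against a list of suspicious IPs using TShark's field export.

Sample indicators and sample export lines below are constructed for the example.
"""
from collections import Counter
import ipaddress

# Constructed indicators (documentation-range addresses, not real IoCs).
SUSPICIOUS_IPS = ["203.0.113.7", "198.51.100.23"]

# Constructed lines in the shape of:
#   tshark -r capture.pcap -T fields -E separator=, \
#       -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport
# The tcp.dstport column is empty for non-TCP packets.
SAMPLE_FIELDS = """\
1700000000.10,10.0.0.5,203.0.113.7,443
1700000000.40,10.0.0.5,93.184.216.34,443
1700000001.02,10.0.0.9,203.0.113.7,8080
1700000002.55,10.0.0.5,198.51.100.23,
1700000003.10,10.0.0.12,10.0.0.1,53
"""


def build_display_filter(ips, field="ip.dst"):
    """Return a Wireshark display filter matching any of the given addresses.

    Raises ValueError for anything that is not an IP literal, so a malformed
    indicator list cannot turn into an unintended filter expression.
    """
    for ip in ips:
        ipaddress.ip_address(ip)
    return " || ".join(f"{field} == {ip}" for ip in ips)


def parse_fields(text):
    """Parse comma-separated TShark field output into dictionaries."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split(",")
        rows.append({
            "ts": float(ts),
            "src": src,
            "dst": dst,
            "dport": int(port) if port else None,
        })
    return rows


def flag_contacts(rows, suspicious):
    """Map each suspicious destination to the sources that contacted it and the ports used."""
    bad = set(suspicious)
    hits = {}
    for r in rows:
        if r["dst"] not in bad:
            continue
        entry = hits.setdefault(r["dst"], {"sources": Counter(), "ports": set()})
        entry["sources"][r["src"]] += 1
        if r["dport"] is not None:
            entry["ports"].add(r["dport"])
    return hits


if __name__ == "__main__":
    # The filter string is what you would pass to `tshark -Y` or `wireshark -Y`.
    print("tshark -r capture.pcap -Y '" + build_display_filter(SUSPICIOUS_IPS) + "'")
    for dst, info in flag_contacts(parse_fields(SAMPLE_FIELDS), SUSPICIOUS_IPS).items():
        print(dst, "contacted by", dict(info["sources"]), "ports", sorted(info["ports"]))
```

Quoting the generated filter in single quotes keeps the shell from interpreting the || operators; the same string works unchanged in the GUI's filter bar.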