Listen to this Post

Introduction:
In high‑throughput networks, thousands of packets race across the wire every second – raw data that becomes useless noise without the right filters. Wireshark’s real power isn’t just capturing traffic; it’s the ability to surgically isolate the packets that matter for troubleshooting, incident response, and threat hunting. This article transforms basic filtering knowledge into operational expertise, equipping you with verified commands, step‑by‑step workflows, and real‑world detection strategies.
Learning Objectives:
- Apply display and capture filters to pinpoint malicious traffic, protocol anomalies, and performance issues.
- Leverage advanced TCP analysis filters (retransmissions, zero windows) and TLS handshake inspection to investigate encrypted sessions.
- Combine frame length, HTTP response codes, and scan‑specific signatures to automate suspicious activity detection.
You Should Know:
- Getting Started with Wireshark Display Filters – The 10‑Second Rule
Step‑by‑step guide explaining what this does and how to use it.
Display filters hide irrelevant packets without discarding them – essential for live analysis. After starting a capture, type a filter into the “Display Filter” bar and press Enter.
- Linux installation: `sudo apt install wireshark -y` (Debian/Ubuntu) or `sudo dnf install wireshark -y` (RHEL/Fedora)
- Windows installation: Download from wireshark.org and run the installer with Npcap selected.
- Basic filters to memorise:
– `tcp` or `udp` – show only TCP or UDP traffic.
– `!arp` – hide all ARP broadcasts (noise reduction).
– `ip.src == 192.168.1.100` – traffic from a specific host.
Pro tip: Right‑click any packet field (e.g., a source IP) and choose “Apply as Filter” → “Selected” to build filters instantly. Use `and` / `or` / `not` for logic: `tcp.port == 443 and !tls` (TCP 443 traffic that isn’t TLS – unusual).
- Protocol and Port‑Based Filtering – Zeroing in on Suspicious Conversations
Step‑by‑step guide explaining what this does and how to use it.
Attackers often abuse well‑known ports (HTTP, DNS) or hide on non‑standard ports. These filters expose rogue services and malware beaconing.
- HTTP & DNS focus:
`http` – all HTTP requests/responses (including methods, URIs, user‑agents).
`dns.qry.name contains “malware”` – catch DNS queries for known bad domains. - Port‑specific capture (during live capture):
In the “Capture Filter” box (before starting): `port 80 or port 443 or port 53` – only keep web/DNS traffic. - Display filter for unusual ports:
`tcp.port == 4444` – look for common Metasploit reverse shells.
`udp.port == 6881` – detect BitTorrent activity on corporate networks.
Windows command to complement Wireshark: `netstat -an | findstr “4444”` – check for established connections on suspicious ports.
- Hunting Network Issues with TCP Analysis Filters – Beyond the Obvious
Step‑by‑step guide explaining what this does and how to use it.
Performance problems and covert data exfiltration often leave TCP fingerprints. Wireshark’s built‑in analysis fields reveal them.
- Retransmissions (reliability red flags):
Filter: `tcp.analysis.retransmission`
What it shows: Packets re‑sent due to loss or congestion. A sudden spike indicates network drops or a denial‑of‑service (DoS) attack.
– Zero‑window (resource exhaustion):
Filter: `tcp.analysis.zero_window`
What it shows: Receiver buffer full – potential target being overwhelmed (e.g., Slowloris attack).
– Out‑of‑order and duplicate ACKs:
Filters: `tcp.analysis.out_of_order` , `tcp.analysis.duplicate_ack`
Use case: Troubleshooting asymmetric routing or a misconfigured load balancer.
Step‑by‑step: Open a capture file → apply `tcp.analysis.retransmission` → look for clusters of retransmits from one IP → right‑click → “Follow TCP Stream” to see the full conversation. Export the stream for evidence.
- Detecting Malicious Activity with Frame Length and HTTP Response Codes
Step‑by‑step guide explaining what this does and how to use it.
Large packets and error responses are low‑hanging fruit for initial triage. These filters automate the hunt for data leakage and scanning.
- Oversized frames (exfiltration or buffer overflows):
Filter: `frame.len > 1000`
Why: Normal web packets are often 500‑800 bytes. >1000 bytes could be file uploads, large DNS‑over‑HTTPS queries, or exploit payloads.
Refine: `frame.len > 1000 and ip.dst != 192.168.0.0/16` – focus on external destinations.
– HTTP 404 floods (directory brute‑forcing):
Filter: `http.response.code == 404`
What it reveals: Repeated requests to non‑existent paths like /wp-admin/, /backup.zip, or /shell.asp.
Count occurrences: Statistics → HTTP → Requests, sort by response code.
– Combine filters for precision:
`http.response.code == 404 and frame.len > 500` – 404 errors with unusually large bodies (some scanners pad requests).
Linux one‑liner to complement:
`tshark -r capture.pcap -Y “http.response.code == 404” -T fields -e ip.src -e http.request.uri | sort | uniq -c | sort -nr`
(Extracts source IPs and URIs of all 404 responses, counts them.)
5. Analyzing Encrypted Traffic with TLS Handshake Filters
Step‑step guide explaining what this does and how to use it.
Even without decryption, TLS handshake metadata reveals certificate issues, cipher suite downgrades, and unusual SNI hostnames.
- Isolate TLS handshakes:
Filter: `tls.handshake`
Expands to: `tls.handshake.type == 1` (Client Hello), `tls.handshake.type == 2` (Server Hello), etc.
– Extract Server Name Indication (SNI) – malware C2 domains:
Filter: `tls.handshake.extensions_server_name`
How to use: Look for SNI values that are odd (e.g., IP addresses instead of domains, recently registered domains).
– Detect weak or deprecated cipher suites:
Filter: `tls.handshake.ciphersuite` – manually inspect for suites like `TLS_RSA_WITH_RC4_128_SHA` (RC4 is broken).
Automated detection: Use Wireshark’s “Analyze” → “Expert Info” → “Note” tab; weak suites produce warnings.
Step‑by‑step for certificate analysis:
Apply `tls.handshake.certificate` → expand the certificate subtree → note “Validity” dates (expired certs are suspicious).
To decrypt TLS (if you have the private key): Edit → Preferences → Protocols → TLS → “RSA keys list” → add private key file. Then all TLS payload becomes visible.
- Threat Hunting with Combined Filters – Real‑World SOC Workflows
Step‑by‑step guide explaining what this does and how to use it.
Single filters are useful; combined filters tell a story. These are ready‑to‑use expressions for common attack patterns.
- SYN flood detection (DoS):
`tcp.flags.syn == 1 and tcp.flags.ack == 0 and tcp.analysis.retransmission == 0`
What it does: Isolates initial SYN packets without retransmits – catch high rates of connection attempts. - Port scan identification (horizontal scan):
`tcp.flags.syn == 1 and tcp.flags.ack == 0 and tcp.srcport != 80`
Add: Statistics → Endpoints → sort by “Packets” → look for one source IP contacting many destination ports. - DNS tunneling detection:
`dns.qry.name matches “.\\.[a-z0-9]{20,}\\.”` – very long subdomains (typical of iodine or dnscat2). - ICMP exfiltration (Ping‑based covert channel):
`icmp.type == 8 and data.len > 64` – oversized echo requests often carry encoded data.
Windows PowerShell snippet to automate: Install `PktMon` (built‑in) or use `tshark` with a filter saved as a profile:
`tshark -i eth0 -Y “tcp.analysis.retransmission” -T fields -e ip.src -e ip.dst -e _ws.col.Info`
Redirect to a log and alert on >100 retransmits per minute.
- Command‑Line Packet Analysis with TShark and Capinfos – Scripting Your Filters
Step‑by‑step guide explaining what this does and how to use it.
When you need to analyse dozens of PCAPs or automate triage, the Wireshark command‑line tools are indispensable.
- TShark basic filter application:
`tshark -r capture.pcap -Y “tls.handshake” -w tls_only.pcap`
(Saves only TLS handshake packets to a new file.)
– Export specific fields to CSV:
`tshark -r capture.pcap -Y “http.response.code == 404” -T fields -e frame.time -e ip.src -e http.request.uri -E header=y -E separator=, > 404_errors.csv`
– Capinfos – get summary metrics without opening GUI:
`capinfos capture.pcap` – shows duration, packet count, data size, average rate. Useful for quick triage.
– Merge and filter on the fly (Linux pipeline):
`mergecap -w merged.pcap file1.pcap file2.pcap`
`editcap -F pcap -d 100 merged.pcap sampled.pcap` (keep every 100th packet for large captures).
Windows equivalent: Use `tshark.exe` from the Wireshark installation folder (add to PATH). All commands work identically.
What Undercode Say:
- Key Takeaway 1: Mastery of display filters reduces incident investigation time by over 70% because you stop drowning in noise and start seeing only the packets that attackers leave behind – from retransmits to oversized frames.
- Key Takeaway 2: Layering multiple filters (e.g.,
tcp.analysis.retransmission and http.response.code == 404) reveals attack chains that single filters miss; the real skill is building logical combinations that tell a network story.
Analysis (10 lines):
SOC analysts who treat Wireshark as a “just capture” tool never progress beyond junior level. The difference between a 20‑minute compromise confirmation and a 2‑hour wild goose chase is filter fluency. In 2026, with encrypted traffic approaching 95%, traditional signature matching is dead – but metadata filters (tls.handshake, tcp.analysis, frame.len) become your new detection layer. Organisations should maintain a shared filter library (e.g., GitHub wiki with expressions like icmp.type == 8 and data.len > 64) and practice weekly “capture‑the‑filter” drills. Moreover, training courses that focus exclusively on GUI clicking miss the power of `tshark` scripting – command‑line filtering turns an analyst into an engineer. Finally, combining Wireshark filters with SIEM queries (e.g., export interesting packets as PCAP and re‑filter) is the missing workflow that every IR team should standardise.
Prediction:
By 2028, AI‑assisted filtering will become standard – Wireshark will offer a natural language interface (e.g., “show me all retransmissions from external IPs during the last 5 minutes”) backed by machine learning models trained on millions of attacks. However, the core logic of protocol‑specific fields (tcp.analysis, tls.handshake, frame.len) will remain the foundation, as AI will still rely on these deterministic primitives. Cloud‑native packet brokers will embed Wireshark filter syntax directly into their APIs, enabling real‑time, serverless packet filtering before storage. The analysts who thrive will be those who combine deep filter literacy with automation – scripting `tshark` in CI/CD pipelines to test network security controls continuously. Expect the “Wireshark Certified Filter Professional” to emerge as a niche but highly paid certification in the next three years.
▶️ Related Video (80% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Wireshark Is – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


