📡Wireshark

The World's Foremost and Widely-Used Network Protocol Analyzer

📋 Overview

Wireshark adalah open-source packet analyzer yang digunakan untuk network troubleshooting, analysis, software development, dan communications protocol development. Dikenal sebagai Ethereal sebelum tahun 2006, Wireshark menjadi standar industri untuk network protocol analysis.

🎯 Key Features

🔍 Deep Packet Inspection

• Protocol Dissection - 3,000+ protocol support

• Live Capture - Real-time packet capture

• Offline Analysis - Analyze saved capture files

• Color Coding - Visual packet identification

• Expert Information - Automated problem detection

📊 Filtering and Search

• Capture Filters - Pre-capture filtering

• Display Filters - Post-capture packet filtering

• Search Capabilities - Find specific patterns

• Regular Expressions - Advanced pattern matching

• Filter Macros - Reusable filter expressions

🛡️ Security Analysis

• Traffic Decryption - SSL/TLS decryption support

• Malware Detection - Suspicious traffic identification

• Anomaly Detection - Traffic pattern analysis

• Security Protocol Analysis - Authentication, encryption protocols

• Network Forensics - Incident investigation

📈 Performance Analysis

• TCP Stream Analysis - Connection performance metrics

• VoIP Analysis - SIP, RTP quality metrics

• HTTP Analysis - Web performance statistics

• Network Latency - Round-trip time analysis

• Bandwidth Monitoring - Traffic usage statistics

🚀 Installation

Windows Installation

# Download from https://www.wireshark.org/download.html
# Run installer with administrator privileges
# Install Npcap during installation (packet capture library)
# Choose components:
# - Wireshark (GUI)
# - TShark (CLI)
# - TShark documentation
# - Plugins and extensions

Linux Installation

# Ubuntu/Debian
sudo apt-get update
sudo apt-get install wireshark-common tshark

# Add user to wireshark group for non-root capture
sudo usermod -a -G wireshark $USER
# Log out and log back in for changes to take effect

# CentOS/RHEL/Fedora
sudo dnf install wireshark wireshark-cli

# Arch Linux
sudo pacman -S wireshark-qt
sudo gpasswd -a $USER wireshark

macOS Installation

# Using Homebrew
brew install --cask wireshark

# Download DMG from https://www.wireshark.org/download.html
# Mount DMG and drag to Applications
# Install ChmodBPF for non-root packet capture

Docker Installation

# Pull Wireshark image
docker pull linuxserver/wireshark

# Run with privileged access for packet capture
docker run -d \
  --name=wireshark \
  --net=host \
  --privileged \
  -e PUID=1000 \
  -e PGID=1000 \
  -e TZ=America/Los_Angeles \
  -p 3000:3000 \
  linuxserver/wireshark

🔧 Basic Configuration

First-Time Setup

1. Interface Selection - Choose network interfaces to monitor

2. Capture Options - Configure capture settings

3. Color Rules - Set up display filters and colors

4. Protocols - Enable/disable protocol dissectors

5. Name Resolution - Configure DNS and MAC resolution

Interface Configuration

# Select interfaces
Capture → Options → Check desired interfaces

# Configure capture options
- Buffer size: 1 MB (default)
- Capture in promiscuous mode: Checked
- Update list of packets in real time: Checked
- Hide capture info dialog: Unchecked
- Resolve MAC addresses: Checked
- Resolve network names: Unchecked (for performance)

🔍 Basic Usage

Starting Capture

# GUI: Double-click interface or press Ctrl+E
# CLI: Start capturing with tshark
tshark -i eth0

# Capture on specific interface
tshark -i wlan0

# Capture with count limit
tshark -i eth0 -c 100

# Capture with time limit (30 seconds)
tshark -i eth0 -a duration:30

Basic Display Filters

# Show only HTTP traffic
http

# Show traffic to/from specific host
ip.addr == 192.168.1.100

# Show TCP traffic on port 80
tcp.port == 80

# Show DNS traffic
dns

# Show HTTP GET requests
http.request.method == "GET"

# Combine filters (AND)
ip.addr == 192.168.1.100 and tcp.port == 80

# Combine filters (OR)
tcp.port == 80 or tcp.port == 443

Capture Filters

# Capture only HTTP traffic
port 80 or port 8080

# Capture traffic to/from specific host
host 192.168.1.100

# Capture TCP traffic
tcp

# Capture traffic on port range
portrange 1-1024

# Exclude broadcast traffic
not broadcast

# Capture HTTP GET requests
tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420

🎯 Common Use Cases

1. Network Troubleshooting

Filter: tcp.analysis.flags
Shows: TCP problems like retransmissions, duplicate ACKs

Filter: icmp
Shows: ICMP messages for connectivity troubleshooting

Filter: dns
Shows: DNS query/response analysis

Filter: dhcp
Shows: DHCP server/client communication

2. Security Analysis

Filter: http.request.method == "POST"
Shows: Potential data exfiltration

Filter: tls.handshake.type == 1
Shows: TLS client hello messages

Filter: tcp.flags.syn == 1 and tcp.flags.ack == 0
Shows: New connection attempts

Filter: icmp.type == 8
Shows: Ping requests (potential network mapping)

3. Performance Analysis

Filter: tcp.analysis.retransmission
Shows: Network performance issues

Filter: http.time > 1
Shows: Slow HTTP responses

Filter: tcp.window_size_scalefactor
Shows: TCP window scaling for throughput analysis

Filter: rtp
Shows: VoIP traffic quality analysis

4. Protocol Analysis

Filter: http
Shows: HTTP request/response analysis

Filter: smtp
Shows: Email traffic

Filter: ssh
Shows: Secure shell connections

Filter: smb or nbss
Shows: Windows file sharing traffic

📊 Advanced Filtering

Complex Filters

# HTTP traffic not from local network
http and not ip.src == 192.168.1.0/24

# Large HTTP responses
http.response and http.content_length > 100000

# SSL/TLS certificate issues
ssl.alert_message or ssl.handshake.type == 3

# TCP connection problems
tcp.analysis.retransmission or tcp.analysis.fast_retransmission

# DNS queries without responses
dns and not dns.flags.response

# HTTP traffic with specific user agent
http.user_agent contains "curl"

# Traffic with specific MAC address
eth.addr == 00:11:22:33:44:55

# IPv6 traffic
ipv6

# VLAN tagged traffic
vlan

# MPLS traffic
mpls

Filter Expressions

# Protocol field references
http.request.method
http.response.code
tcp.port
ip.ttl

# Comparison operators
==  (equal)
!=  (not equal)
>   (greater than)
<   (less than)
>=  (greater than or equal)
<=  (less than or equal)

# Logical operators
and
or
not
xor

# String matching
contains
matches
~ (regular expression)

# Set membership
in

🔧 Command Line Interface (TShark)

Basic TShark Usage

# Capture packets with output
tshark -i eth0 -c 100 -V

# Save capture to file
tshark -i eth0 -w capture.pcap

# Read from capture file
tshark -r capture.pcap

# Apply display filter
tshark -r capture.pcap -Y "http.request.method == 'GET'"

# Show specific fields
tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e tcp.port

# Export to CSV
tshark -r capture.pcap -T fields -E separator=, -e ip.src -e ip.dst > output.csv

Advanced TShark Commands

# Live capture with two-pass analysis
tshark -i eth0 -2 -R "http.request.method == 'GET'"

# Decode specific protocols
tshark -r capture.pcap -d tcp.port==8080,http

# Follow TCP stream
tshark -r capture.pcap -z follow,tcp,ascii,0

# Protocol hierarchy statistics
tshark -r capture.pcap -z io,stat,0,"COUNT(http.request.method) http.request.method"

# Conversation statistics
tshark -r capture.pcap -z conv,tcp

# Endpoint statistics
tshark -r capture.pcap -z endpoints,ip

# HTTP server statistics
tshark -r capture.pcap -z http,stat

📈 Traffic Analysis

HTTP Analysis

# HTTP requests by host
http.host

# HTTP methods
http.request.method

# HTTP response codes
http.response.code

# HTTP user agents
http.user_agent

# HTTP content types
http.content_type

# HTTP referrers
http.referer

# Extract HTTP objects
File → Export Objects → HTTP

TCP Analysis

# TCP stream analysis
Right-click packet → Follow → TCP Stream

# TCP round-trip time
tcp.analysis.ack_rtt

# TCP window size
tcp.window_size

# TCP sequence numbers
tcp.seq
tcp.ack

# TCP flags
tcp.flags.syn
tcp.flags.ack
tcp.flags.fin
tcp.flags.rst

SSL/TLS Analysis

# SSL/TLS version
ssl.record.version

# Cipher suite
ssl.handshake.ciphersuite

# Certificate information
ssl.handshake.certificate

# Master secret (requires key log file)
Edit → Preferences → Protocols → SSL → (Pre)-Master-Secret log filename

🔗 Decryption Support

SSL/TLS Decryption

# Create key log file
# Add to Wireshark preferences
Edit → Preferences → Protocols → SSL → (Pre)-Master-Secret log filename

# Environment variable for browsers
export SSLKEYLOGFILE=~/.ssl-keylog.log

# Firefox/Chrome configuration
# Set SSLKEYLOGFILE environment variable before launching browser

WPA/WPA2 Decryption

# Add network key
Edit → Preferences → Protocols → IEEE 802.11 → Edit
# Enter SSID and passphrase

📊 Statistics and Reporting

Built-in Statistics

Statistics → Protocol Hierarchy
- Shows protocol breakdown of capture

Statistics → Conversations
- Shows traffic statistics between endpoints

Statistics → Endpoints
- Shows traffic statistics per endpoint

Statistics → IO Graph
- Shows traffic over time graphs

Statistics → Flow Graph
- Shows conversation flow diagram

Statistics → HTTP → Requests
- Shows HTTP request statistics

Statistics → HTTP → Packet Counter
- Shows HTTP packet statistics

Statistics → TCP → Stream Graphs
- Shows TCP stream analysis

Custom Statistics

# Create custom statistics
Statistics → Custom...

# Example: HTTP response code distribution
# Filter: http.response.code
# Display: Column values, Count

# Example: TCP ports by packet count
# Filter: tcp.port
# Display: Column values, Count

🔧 Automation and Scripting

Lua Scripting

-- Example: Custom protocol dissector
local my_proto = Proto("myproto", "My Custom Protocol")

local fields = my_proto.fields
fields.my_field = ProtoField.uint8("myproto.field", "My Field", base.HEX)

function my_proto.dissector(buffer, pinfo, tree)
    local subtree = tree:add(my_proto, buffer())
    subtree:add(fields.my_field, buffer(0,1))
end

register_postdissector(my_proto)

Command Line Automation

#!/bin/bash
# Automated packet capture script

INTERFACE="eth0"
DURATION=300
OUTPUT_DIR="/tmp/wireshark"
TIMESTAMP=$(date +%Y%m%d_%H%M%S)

mkdir -p $OUTPUT_DIR

# Start capture
tshark -i $INTERFACE -a duration:$DURATION -w $OUTPUT_DIR/capture_$TIMESTAMP.pcap

# Generate statistics
tshark -r $OUTPUT_DIR/capture_$TIMESTAMP.pcap -z io,stat,0 > $OUTPUT_DIR/stats_$TIMESTAMP.txt

# Extract HTTP requests
tshark -r $OUTPUT_DIR/capture_$TIMESTAMP.pcap -Y "http.request" -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri > $OUTPUT_DIR/http_$TIMESTAMP.csv

echo "Capture and analysis completed: $OUTPUT_DIR/capture_$TIMESTAMP.pcap"

🎓 Learning Resources

Official Documentation

• Wireshark Official Documentation

• Wireshark User Guide

• Wireshark Filter Reference

• Wireshark Wiki

Training Resources

• Wireshark University

• Laura Chappell's Wireshark Training

• Practical Packet Analysis

• Wireshark Network Analysis

📈 Comparison with Other Tools

Feature	Wireshark	tcpdump	TShark	ngrep
GUI	✅	❌	❌	❌
Protocol Support	3,000+	Limited	3,000+	Limited
Filters	Advanced	Basic	Advanced	Basic
File Formats	Multiple	Multiple	Multiple	None
Live Capture	✅	✅	✅	✅
Analysis	Deep	Basic	Deep	Pattern
Learning Curve	📚 Medium	📚 Easy	📚 Medium	📚 Easy

🔧 Troubleshooting

Common Issues

# Permission denied (run as administrator/root)
sudo wireshark
# or add user to wireshark group

# No interfaces visible
# Check if Npcap/WinPcap is installed and running

# High CPU usage
# Reduce capture buffer size
# Apply capture filters
# Disable real-time updates for large captures

# Can't see decrypted HTTPS
# Configure SSL key log file
# Ensure browser is using SSLKEYLOGFILE variable

# Missing protocol dissectors
# Update Wireshark to latest version
# Install protocol plugins

Performance Optimization

# Increase capture buffer size
Capture → Options → Buffer size: 50 MB

# Use capture filters to reduce traffic
Capture → Options → Capture Filter: port 80

# Disable name resolution for faster capture
Edit → Preferences → Name Resolution → Enable all network name resolution: Unchecked

# Use TShark for automated analysis
tshark -i eth0 -c 1000 -w capture.pcap

🛡️ Security Considerations

Privacy and Data Protection

• Sensitive Data - Avoid capturing passwords or personal data

• Network Permission - Only capture networks you own/authorized

• Data Retention - Follow data retention policies

• Secure Storage - Encrypt sensitive capture files

Network Security

• Network Impact - Packet capture can affect network performance

• Promiscuous Mode - May trigger security alerts

• Port Security - Some networks block packet capture

• Legal Compliance - Follow local laws and regulations

---

⚠️ Legal Notice: Only capture network traffic on networks you own or have explicit permission to monitor. Unauthorized packet capture may violate privacy laws and network policies.

⚡ Pro Tip: Start with broad filters and progressively narrow down to focus on specific traffic patterns. Use color coding to quickly identify interesting packets.

📅 Last Updated: 2024