provocativo_
back to the arsenal
// arsenal·Network AnalysisBeginnerFOSS

Wireshark

The reference open-source network protocol analyzer.

Network Analysis

$ wireshark --help

Wireshark

Wireshark capturing live traffic
Wireshark capturing live trafficWikimedia Commons

// what it is

Description

Dissects hundreds of protocols, color-codes anomalies, follows streams, decrypts TLS with the right keys, and writes a damning report when something on the wire isn't what it should be. The first network-forensics tool every analyst learns.

// use cases

What people use it for

  • Deep-dive PCAP analysis
  • Live capture during an active incident
  • Decoding obscure protocols (Modbus, BACnet, SCTP, ...)

// commands

The commands you'll type

Capture filtered TLS handshakes

$ wireshark -k -i any -Y 'tls.handshake.type==1'

Convert pcap to ASCII follow

$ tshark -r capture.pcap -q -z follow,tcp,ascii,0

// facts

category
Network Analysis
platforms
LIN · WIN · MAC
license
FOSS
difficulty
Beginner

// links

// related in Network Analysis

Network AnalysisIntermediate

tcpdump

The command-line packet sniffer that every Unix-like ships with.

FOSS
LIN·MAC
open entry →
Network AnalysisIntermediate

Ettercap

Classic LAN man-in-the-middle framework — ARP poisoning, DNS spoofing, filters.

FOSS
LIN·MAC
open entry →
Network AnalysisIntermediate

Bettercap

Modern reincarnation of Ettercap — Go-based, scriptable, Wi-Fi-aware.

FOSS
LIN·MAC
open entry →