Wireshark is an open-source tool which is used to perform packet capture and analysis for wired or wireless network traffic. It can be intimidating to look at the first time you open a packet capture file (or pcap). Hopefully this introduction will help smooth the sharp edges on learning this tool.
I was first introduced to network traffic analysis using Wireshark at a workshop taught by Brad Duncan during BSides Austin in 2019. Brad maintains a website – Malware-Traffic-Analysis.net – where he posts tutorials on Wireshark as well as pcap files of real malware and ransomware infection network traffic.
It’s important that I mention Brad Duncan here specifically because the first task is to set up the Wireshark display. Brad has written several articles on this topic, and I did learn his preferred setup during the workshop I attended, so most of my preferences do stem from that experience. There’s only a finite number of ways to configure Wireshark, especially for wired ethernet pcap files, and Brad’s method works very well.
The only major difference between my preferences and Brad’s is that I choose to keep the packet number column. I have personally found this column helpful when working on CTF challenges or when collaborating with another person to review a packet capture file. (i.e., “Hey, can you check out packet 456 on file xyz? I think this might be C2 traffic.”)
Once you understand the basics of configuring your display, it’s easy to create new profiles for specific use cases – such as if you’re investigating wireless traffic and want to see SSIDs or channel numbers listed, or if you’re investigating something that requires a specific set of custom fields such as HTTP host information.
Summary of Instructions
- Download Wireshark from wireshark.org/download.html.
- Install the application; accept all default options and continue through each prompt until the installation is complete.
- The installer will eventually ask if you would like to install USBPcap; it is not needed for anything covered here.
- During the Npcap installation you will be presented with another list of options. For now, click Install with nothing selected.
- Once the installation is complete, launch the application to continue on with these configurations.
Create a Configuration Profile:
- On the top menu bar, navigate to Edit > Configuration Profiles to open the Configuration Profiles window.
- Click the + (plus symbol) button to add a new profile entry.
- Type a name in for your configuration profile.
- What you name your profile is ultimately up to personal preference; I named mine 802.3 Wired Ethernet (unresolved).
- Click OK to close the Configuration Profiles window.
Configure Wireshark Column Displays:
- Double-click one of your listed network adapters to open the packet inspection window, then immediately click the red square at the top left to stop packet capture.
- Right click on any one of the display columns.
- Click on Column Preferences…
- Remove unnecessary columns:
- Select the column entry titled Protocol, then click the – (minus symbol) button to remove it.
- Select and remove the column entry titled Length.
- Configure the Source columns:
- Double-click and rename title Source to Source IP.
- Double-click the type field (currently Source address) and change the drop-down to Src addr (unresolved).
- Use the + (plus symbol) button to add a new column entry with title Src Port and type Src port (unresolved).
- Click and drag the new Src Port column field to just below Source IP.
- Configure the Destination columns:
- Double-click and rename title Destination to Destination IP.
- Double-click the type field (currently Destination address) and change the drop-down to Dest addr (unresolved).
- Use the + (plus symbol) button to add a new column entry with title Dest Port and type Dest port (unresolved).
- Click and drag the new Dest Port column field to just below Destination IP.
- Click OK to exit the Preferences window.
- On the menu bar, navigate to View > Time Display Format, then click UTC Date and Time of Day.
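The clicks above end up as a single setting in the profile's preferences file, which is handy for checking your work or handing a teammate an identical layout. The fragment below is an added example, not something from the original article: it shows what the column list looks like on disk after the steps above, using the profile name the article uses. The format codes are Wireshark's own (%m packet number, %t time as set in the View menu, %us/%ud unresolved source/destination address, %uS/%uD unresolved source/destination port, %i info); the profile directory paths are the usual Wireshark locations and are stated here from general knowledge of the tool rather than from the article.

```text
# Profile directory (assumed standard locations):
#   Windows: %APPDATA%\Wireshark\profiles\802.3 Wired Ethernet (unresolved)\preferences
#   Linux:   ~/.config/wireshark/profiles/802.3 Wired Ethernet (unresolved)/preferences
#
# Continuation lines are tab-indented in the file Wireshark writes.
gui.column.format:
	"No.", "%m",
	"Time", "%t",
	"Source IP", "%us",
	"Src Port", "%uS",
	"Destination IP", "%ud",
	"Dest Port", "%uD",
	"Info", "%i"
```

Wireshark rewrites this file when it exits, so only edit it by hand while Wireshark is closed. The Time Display Format chosen from the View menu is not part of this list; "%t" means "use whatever the View menu says", and that choice is saved separately in the profile's recent file.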
Columns and Their Considerations
The No. column is supremely useful for two things:
- Referring to specific packets in a given capture file; and
- Sorting packets back into the order of capture.
I have never personally run into an instance where sorting by time/date has given me a reason for concern versus sorting by packet number, but a couple of blogs I looked at as I was drafting this article mentioned it, so I assume that this happens to people who use Wireshark for troubleshooting a lot more than I do.
The real reason I insist on keeping this column is for collaborative use. Very recently I participated in an OpenSOC event from Recon InfoSec where, during one of the challenges, my teammate was presented with a pair of pcap files as part of a reversing challenge he was working on. One of the flags was to discover the first packet of command and control (or C2) traffic. When he asked me to take a look at the files, I was able to identify what I thought was a good candidate, and give him the exact packet number so that he could take a look at what I was seeing.
Date and Time
Wireshark uses Seconds Since Beginning of Capture as its time display by default, which is honestly next to useless for any kind of corroboration against other datasets – or even retrospective analysis if you save a pcap file for later.
There are two great options for how to configure this:
- Use UTC Date and Time of Day, which is my usual default; or
- Date and Time of Day (without the UTC).
As you can probably guess they are two sides of the same coin. I don’t do a lot of my own packet captures; typically I’m looking at someone else’s pcap file, so the absolute local time doesn’t usually matter to me very much. UTC time is something I’ve grown comfortable with seeing simply from other facets of IT work.
In either case, Wireshark uses the system kernel of the machine capturing the traffic as the time source so it is important when capturing critical data to ensure that your system time is synchronized to an accurate source. You can also switch between UTC and non-UTC display at any time on a given pcap file if it is pertinent to your investigation.
There is an option in this same window to configure the granularity of the timestamps (seconds, tenths of a second, hundredths of a second, etc.) but in most cases you can leave this selection on the default setting — Automatic (from capture file). For brevity’s sake it can clean up your display to use Seconds instead. If you’re getting to the point where this matters for anything other than personal preference then you’re probably beyond the scope of this article anyway.
Source and Destination IPs/Ports
Even though Wireshark does show the source and destination IPs for captured packets by default, I find it incredibly useful to include the source and destination port numbers as well. In cases where there is no layer 3 traffic (such as ARP), these fields will display MAC addresses instead, so you can still understand the source and destination traffic.
In this article I have specified the use of unresolved IP addresses and port numbers. Depending on your needs, it may make sense to set these to resolved. I’ve made myself both a resolved and an unresolved profile so that I can switch between the two as needed.
One thing to keep an eye out for with resolving port numbers to a well-known name is that, sometimes, that traffic over UDP port 53 is not actually DNS traffic. In one CTF that I participated in, the hostile C2 traffic was egressing the LAN from a random ephemeral port as you might expect, but the packet was an HTTP GET request of an obfuscated string to a remote IP over port 80. Wireshark can’t always intelligently decode non-typical traffic like that and assign a resolved port name correctly.
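To make the three points above concrete (the packet number as a stable reference, epoch timestamps rendered as seconds-since-capture versus UTC versus local time, and port "resolution" being a lookup on the port number rather than a decode of the payload), here is an added example in Python that is not part of the original article or of Wireshark. It builds a small pcap in memory from constructed frames (an ARP request, a UDP datagram to port 53 and a TCP segment to port 80), then renders it with the article's column layout. The well-known-port table is a deliberately tiny stand-in for the services file Wireshark consults; the MAC and IP addresses, ports and capture time are all constructed.

```python
"""Render a pcap with the column layout the article configures (added example, not from the article)."""
import struct
from datetime import datetime, timezone

# Constructed stand-in for the services table; like Wireshark's lookup it is keyed on
# the port number only, so an HTTP request on port 53 would still be labelled "dns".
WELL_KNOWN_PORTS = {53: "dns", 80: "http", 443: "https"}

PCAP_MAGIC_USEC = 0xA1B2C3D4   # classic little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def ipv4(s):
    return bytes(int(o) for o in s.split("."))


def eth_header(dst, src, ethertype):
    return mac(dst) + mac(src) + struct.pack("!H", ethertype)


def ipv4_header(src, dst, proto, payload_len):
    # version/IHL, DSCP, total length, id, flags/frag, TTL, protocol, checksum (left 0), src, dst
    return struct.pack("!BBHHHBBH", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0) + ipv4(src) + ipv4(dst)


def udp_packet(src, sport, dst, dport, payload):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return eth_header("00:11:22:33:44:55", "66:77:88:99:aa:bb", ETHERTYPE_IPV4) + ipv4_header(src, dst, IPPROTO_UDP, len(udp)) + udp


def tcp_packet(src, sport, dst, dport, payload):
    # seq=1, ack=0, data offset 5 words, flags PSH+ACK, window, checksum (left 0), urgent
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    return eth_header("00:11:22:33:44:55", "66:77:88:99:aa:bb", ETHERTYPE_IPV4) + ipv4_header(src, dst, IPPROTO_TCP, len(tcp)) + tcp


def arp_request(sender_mac, sender_ip, target_ip):
    arp = struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, 1) + mac(sender_mac) + ipv4(sender_ip) + mac("00:00:00:00:00:00") + ipv4(target_ip)
    return eth_header("ff:ff:ff:ff:ff:ff", sender_mac, ETHERTYPE_ARP) + arp


def build_pcap(frames):
    """frames: list of (epoch seconds as float, raw Ethernet frame). Returns a classic pcap as bytes."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, data in frames:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(data), len(data)) + data
    return out


def decode_frame(number, ts, data):
    """Pull out only what the article's columns need: addresses and ports. Non-IP frames keep MACs."""
    ethertype, = struct.unpack_from("!H", data, 12)
    row = {"no": number, "ts": ts,
           "src": ":".join(f"{b:02x}" for b in data[6:12]), "sport": None,
           "dst": ":".join(f"{b:02x}" for b in data[0:6]), "dport": None}
    if ethertype == ETHERTYPE_IPV4:
        ihl = (data[14] & 0x0F) * 4
        row["src"] = ".".join(str(b) for b in data[26:30])
        row["dst"] = ".".join(str(b) for b in data[30:34])
        if data[23] in (IPPROTO_TCP, IPPROTO_UDP):       # both put sport/dport first
            row["sport"], row["dport"] = struct.unpack_from("!HH", data, 14 + ihl)
    return row


def parse_pcap(blob):
    magic, = struct.unpack_from("<I", blob, 0)
    if magic != PCAP_MAGIC_USEC:
        raise ValueError("this example only reads little-endian microsecond pcaps")
    off, number, rows = 24, 0, []
    while off + 16 <= len(blob):
        sec, usec, incl, _orig = struct.unpack_from("<IIII", blob, off)
        off += 16
        number += 1                                       # the "No." column: position in the file
        rows.append(decode_frame(number, sec + usec / 1e6, blob[off:off + incl]))
        off += incl
    return rows


def format_time(ts, first_ts, mode):
    """The same epoch timestamp under the three View > Time Display Format choices discussed above."""
    if mode == "since_capture":
        return f"{ts - first_ts:.6f}"
    if mode == "utc":
        return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S.%f")
    if mode == "local":
        return datetime.fromtimestamp(ts).astimezone().strftime("%Y-%m-%d %H:%M:%S.%f %Z")
    raise ValueError(mode)


def port_label(port, resolved):
    if port is None:
        return ""
    return WELL_KNOWN_PORTS.get(port, str(port)) if resolved else str(port)


def render(blob, time_mode="utc", resolved=False):
    rows = parse_pcap(blob)
    first = rows[0]["ts"] if rows else 0.0
    return [" | ".join([str(r["no"]), format_time(r["ts"], first, time_mode), r["src"],
                        port_label(r["sport"], resolved), r["dst"], port_label(r["dport"], resolved)])
            for r in rows]


T0 = 1_700_000_000.0   # constructed capture start: 2023-11-14 22:13:20 UTC
SAMPLE_PCAP = build_pcap([
    (T0, arp_request("66:77:88:99:aa:bb", "10.0.0.5", "10.0.0.1")),
    (T0 + 0.25, udp_packet("10.0.0.5", 51515, "10.0.0.1", 53, b"\x00\x01" * 6)),
    (T0 + 1.5, tcp_packet("10.0.0.5", 49222, "203.0.113.9", 80, b"GET /ZXhhbXBsZQ== HTTP/1.1\r\n\r\n")),
])

if __name__ == "__main__":
    for mode in ("since_capture", "utc", "local"):
        print(f"--- time display: {mode}, ports unresolved ---")
        print("\n".join(render(SAMPLE_PCAP, mode, resolved=False)))
    print("--- ports resolved (label comes from the port number alone) ---")
    print("\n".join(render(SAMPLE_PCAP, "utc", resolved=True)))
```

Running it prints the same three frames four times; packet 1 keeps MAC addresses because ARP carries no IP header, the "since_capture" display makes the timestamps meaningless outside this one file, and the resolved view labels port 80 "http" without ever looking at the payload, which is exactly why the article keeps an unresolved profile handy.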
Changing the Column Display in Wireshark | Brad Duncan’s Malware Traffic Analysis
Customizing Wireshark — Changing Your Custom Display | Brad Duncan for Palo Alto Networks Unit 42 Blog
Wireshark Column Setup Deepdive | Jasper at Packet-Foo
SharkTIPS! My Favorite Wireshark Customizations (Part 1) | Eddie Forero’s Bad-fi Blog
Wireshark User Guide 7.6 – Time Stamps | Wireshark.org