Last updated: April 26, 2026
Wireshark is the canonical packet-capture tool. Every security professional has installed it; few use it well. This article covers Wireshark for security analysis — display filters that find anomalies, decryption setup for TLS / Kerberos, IoC extraction, and the workflow that turns 40 GB of pcaps into actionable findings.
Display filters worth knowing
| Filter | Purpose |
|---|---|
| http.request | All HTTP requests |
| http.response.code >= 400 | HTTP errors |
| tls.handshake.type == 1 | TLS Client Hello — see SNI for hostname |
| dns.qry.name contains "domain.com" | DNS queries to a domain |
| tcp.flags.syn == 1 and tcp.flags.ack == 0 | SYN-only — port scans |
| icmp | All ICMP — pivot detection |
| kerberos | Kerberos auth traffic |
| smb2 | SMB traffic |
| frame contains "passwd" | Plaintext password indicators |
| ip.addr == 10.0.0.5 and not (ip.addr == 10.0.0.6) | Traffic involving 10.0.0.5, excluding packets to or from 10.0.0.6 |
TLS decryption setup
Modern traffic is mostly TLS. To decrypt, configure Wireshark to read pre-master secrets:
# 1. Set environment variable on the machine generating traffic:
export SSLKEYLOGFILE=/tmp/sslkeys.log
# 2. Run browser / curl with this env. Pre-master secrets are logged.
# 3. In Wireshark: Edit -> Preferences -> Protocols -> TLS
# Set "(Pre)-Master-Secret log filename" to /tmp/sslkeys.log
# Now TLS traffic decrypts in Wireshark
For Java applications: launch with -Djavax.net.debug=ssl,handshake and parse logs.
Kerberos analysis
For AD investigations, Wireshark decrypts Kerberos if you have the long-term keys:
- Edit → Preferences → Protocols → Kerberos
- Enable “Try to decrypt Kerberos blobs”
- Point the keytab file setting at a keytab (extracted from a DC or generated)
Then service-ticket contents become readable — useful for forensic investigation post-Kerberoasting or Golden Ticket.
The follow-stream feature
Right-click any TCP/TLS/HTTP packet → “Follow → TCP Stream” / “HTTP Stream” / “TLS Stream”. This reconstructs the full session, both sides, into a readable conversation. Best feature for forensic analysis.
IoC extraction
For threat hunting from pcaps:
# Unique destination IPs
tshark -r capture.pcap -T fields -e ip.dst | sort -u
# DNS queries
tshark -r capture.pcap -Y "dns.qry.name" -T fields -e dns.qry.name | sort -u
# HTTP user agents
tshark -r capture.pcap -Y "http.user_agent" -T fields -e http.user_agent | sort -u
# All TLS SNI values (sees the hostname even when traffic is encrypted)
tshark -r capture.pcap -Y "tls.handshake.extensions_server_name" \
-T fields -e tls.handshake.extensions_server_name | sort -u
tshark (Wireshark’s CLI) is what scales for large captures. Match the extracted values against threat-intel feeds for IoC hits.
Anomaly hunting in production
For network forensics on live infrastructure:
- Beaconing detection — find connections with regular intervals (C2 traffic looks like this)
- Long-lived connections — sessions lasting hours/days are suspicious for non-business protocols
- Data transfer asymmetry — outbound >> inbound suggests exfiltration
- DNS anomalies — high-entropy subdomain names (DGA), unusually long or oversized TXT records and replies (DNS tunneling)
Tools that automate this analysis at scale: Zeek (Bro) for protocol logs, RITA for beaconing detection, pyshark for Python-based analysis.
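Beaconing detection from the list above, as an added example that is not part of the original article: it reads the kind of field output tshark produces (the sample below is constructed; the flow key, the thresholds and the function names are assumptions) and flags flows whose connection intervals are too regular to be human-driven.

```python
# Added example: beacon hunting over tshark field output. Real input would come from
#   tshark -r capture.pcap -Y "tcp.flags.syn==1 && tcp.flags.ack==0" \
#     -T fields -E separator=, -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport
import statistics
from collections import defaultdict

# Constructed sample: 10.0.0.5 connects to 203.0.113.10:443 roughly every 60 s (timer-driven),
# 10.0.0.7 browses 198.51.100.5:80 at irregular, human-like intervals.
SAMPLE = """\
1700000000.1,10.0.0.5,203.0.113.10,443
1700000060.3,10.0.0.5,203.0.113.10,443
1700000120.0,10.0.0.5,203.0.113.10,443
1700000179.9,10.0.0.5,203.0.113.10,443
1700000240.2,10.0.0.5,203.0.113.10,443
1700000005.0,10.0.0.7,198.51.100.5,80
1700000012.0,10.0.0.7,198.51.100.5,80
1700000200.0,10.0.0.7,198.51.100.5,80
1700000210.0,10.0.0.7,198.51.100.5,80
1700000900.0,10.0.0.7,198.51.100.5,80
"""

def parse_tshark_csv(text):
    """Group connection-start timestamps by (src, dst, dport)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport = line.split(",")
            flows[(src, dst, int(dport))].append(float(ts))
    return flows

def find_beacons(flows, min_connections=5, max_cv=0.1):
    """Return (flow, mean_interval, cv) for flows with regular inter-connection gaps.

    cv = stdev / mean of the gaps; near 0 means a fixed timer (what C2 beaconing
    looks like), while human-driven traffic has high variance. Thresholds are illustrative."""
    hits = []
    for key, times in flows.items():
        if len(times) < min_connections:
            continue
        times = sorted(times)
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            hits.append((key, round(mean, 1), round(cv, 3)))
    return sorted(hits, key=lambda h: h[2])

if __name__ == "__main__":
    for (src, dst, port), period, cv in find_beacons(parse_tshark_csv(SAMPLE)):
        print(f"{src} -> {dst}:{port} every ~{period}s (cv={cv})")
```

Real beacons often add jitter, so raise max_cv gradually and review the flagged flows rather than treating one threshold as ground truth.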
The takeaway
Wireshark is one of those tools where 90% of users use 10% of the features. The 90% you don’t use — display filters, follow-stream, TLS decryption, tshark for scripting — is where the value lives. Spend a focused day with the official Wireshark Network Analysis docs; the productivity gain compounds for years.
Custom team training + practitioner advisory
Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.