Overview

Objectives

• Install Wireshark and configure capture permissions.

• Capture traffic from a chosen interface and apply filters.

• Use built in statistics to profile flows and endpoints.

• Save, export, and document findings.

Prerequisites

• Basic networking concepts

• Local admin rights to install and set capture permissions

Implementation

1. Install Wireshark

• Use platform packages or the official installer.

• On Linux, add the user to the wireshark group to capture without root.

2. Launch and select interface

• Choose the active wired or wireless interface and start capture.

• Generate traffic by browsing to a few sites or running simple network tasks.

3. Filter and navigate

• Common display filters:

  • http for web traffic

  • tcp or udp for transport layers

  • ip.addr == <host> for a specific endpoint

  • tcp.port == 80 or tls for encrypted sessions

• Right click a flow and Follow TCP Stream or Follow UDP Stream to see conversations.

4. Inspect and validate

• Expand Ethernet, IP, TCP or UDP, and application layers in the packet details.

• Use Statistics menus: Protocol Hierarchy, Conversations, and Endpoints to find top talkers and unusual patterns.

5. Save and export

• Save full captures as .pcapng.

• Export filtered subsets for sharing minimal evidence.

6. Document findings

• Record capture time window, interface, filters used, and key observations.

• Screenshot important packets or flows for later reference.

Outcomes

• Repeatable workflow for capture, filtering, and interpretation.

• Ability to isolate suspicious flows and hand off precise evidence.

Skills demonstrated

• Packet capture and protocol analysis

• Filter authoring and evidence collection

• Communication of technical findings in plain language