Wireshark Network Traffic Monitoring Guide

The document provides an overview of network traffic monitoring using Wireshark, Tcpdump, and Tshark, emphasizing the importance of network management and security. It includes practical examples of capturing and filtering network packets, as well as explanations of the Wireshark interface and various filtering techniques. Additionally, it discusses performance improvements and post-processing options for analyzing captured data.


Network Traffic Monitoring – Wireshark

CIS 6395, Incident Response Technologies
Fall 2025
Dr. Cliff Zou
[Link]@[Link]

Acknowledgement
[Link]
iles/productfiles/672/
[Link]
UC Berkeley course "EE 122: Intro to Communication Networks"
Other resources:
◦ [Link]
[Link]
Motivation for Network Monitoring
Essential for Network Management
◦ Router and firewall policy
◦ Detecting abnormalities and errors in the network
◦ Access control
Security Management
◦ Detecting abnormal traffic
◦ Traffic log for future forensic analysis
Tools Overview
Tcpdump
◦ Unix-based command-line tool used to intercept packets
 Including filtering to just the packets of interest
Tshark
◦ Tcpdump-like capture program that comes with Wireshark
◦ Very similar behavior & flags to tcpdump
Wireshark
◦ GUI for displaying tcpdump/tshark packet traces
Tcpdump example
• Ran tcpdump on a Unix machine
• You can try it on your Kali Linux VM
• First few lines of the output:
[Link].808262 IP [Link] > adsl-69-[Link].2481: . 2513546054:2513547434(1380) ack 1268355216 win 12816
[Link].808271 IP [Link] > adsl-69-[Link].2481: P 1380:2128(748) ack 1 win 12816
[Link].808276 IP [Link] > adsl-69-[Link].2481: . 2128:3508(1380) ack 1 win 12816
[Link].890021 IP adsl-69-228-230-[Link].2481 > [Link]: P 1:49(48) ack 1380 win 16560
Similar Output from Tshark
1190003744.940437 [Link] -> [Link] SSH Encrypted request packet len=48
1190003744.940916 [Link] -> [Link] SSH Encrypted response packet len=48
1190003744.955764 [Link] -> [Link] TCP 6943 > ssh [ACK] Seq=48 Ack=48 Win=65514 Len=0 TSV=445871583 TSER=632535493
1190003745.035678 [Link] -> [Link] SSH Encrypted request packet len=48
1190003745.036004 [Link] -> [Link] SSH Encrypted response packet
Filters
We are often not interested in all packets flowing through the network
Use filters to capture only the packets of interest to us
How to write filters?
◦ Refer to the tcpdump/tshark man page
◦ Many example webpages on the Internet
Example
1. Capture only UDP packets
• tcpdump "udp"
2. Capture only TCP packets
• tcpdump "tcp"
Example (contd.)
1. Capture only UDP packets with destination port 53 (DNS requests)
• tcpdump "udp dst port 53"
2. Capture only UDP packets with source port 53 (DNS replies)
• tcpdump "udp src port 53"
3. Capture only UDP packets with source or destination port 53 (DNS requests and replies)
• tcpdump "udp port 53"
Example (contd.)
1. Capture only packets destined to [Link]
• tcpdump "dst host [Link]"
2. Capture both DNS packets and TCP packets to/from [Link]
• tcpdump "(tcp and host [Link]) or udp port 53"
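As an added illustration (not part of the slides), here is a small Python evaluator for the tcpdump filter expressions used above, run against a constructed packet list; the packet records, the addresses and the capture() helper are all assumptions made for the example. It applies the precedence tcpdump uses (parentheses, then not, then and, then or) and treats a protocol qualifier followed by host/port, such as "udp dst port 53", as one primitive.

```python
import re

# Constructed sample capture (addresses made up): DNS query and reply, two TCP flows, one ICMP packet.
FIELDS = ("proto", "src_host", "dst_host", "src_port", "dst_port")
PACKETS = [dict(zip(FIELDS, t)) for t in [
    ("udp", "10.0.0.5", "10.0.0.53", 51000, 53), ("udp", "10.0.0.53", "10.0.0.5", 53, 51000),
    ("tcp", "10.0.0.5", "192.0.2.10", 40000, 80), ("tcp", "10.0.0.7", "192.0.2.10", 40001, 443),
    ("icmp", "10.0.0.7", "10.0.0.5", None, None)]]

class CaptureFilter:
    def __init__(self, expr):
        self.toks, self.pos = re.findall(r"\(|\)|[^\s()]+", expr), 0
        self.pred = self._or()                # parse once; self.pred is a packet -> bool function
        if self.pos != len(self.toks): raise ValueError("unexpected token %r" % self.toks[self.pos])
    def _next(self, consume=True):            # consume=False just peeks at the next token
        tok = self.toks[self.pos] if self.pos < len(self.toks) else None
        self.pos += consume
        return tok
    def _chain(self, word, below, combine):   # left-associative run of one binary operator
        left = below()
        while self._next(False) == word:
            self._next(); left = combine(left, below())
        return left
    def _or(self):                            # "or" binds loosest, as in tcpdump
        return self._chain("or", self._and, lambda l, r: lambda p: l(p) or r(p))
    def _and(self):
        return self._chain("and", self._not, lambda l, r: lambda p: l(p) and r(p))
    def _not(self):
        if self._next(False) != "not": return self._primary()
        self._next(); inner = self._not()
        return lambda p: not inner(p)
    def _primary(self):
        tok = self._next()
        if tok == "(":
            inner = self._or()
            if self._next() != ")": raise ValueError("missing ')'")
            return inner
        if tok in ("tcp", "udp", "icmp"):     # "udp dst port 53" is one primitive: proto AND port
            rest = self._primary() if self._next(False) in ("src", "dst", "host", "port") else (lambda p: True)
            return lambda p: p["proto"] == tok and rest(p)
        direction = tok if tok in ("src", "dst") else None            # optional direction qualifier
        if direction: tok = self._next()
        if tok not in ("host", "port"): raise ValueError("unknown token %r" % tok)
        value = self._next()                  # no qualifier means source OR destination
        keys = [direction + "_" + tok] if direction else ["src_" + tok, "dst_" + tok]
        return lambda p: any(str(p[k]) == value for k in keys)

def capture(expr, packets=PACKETS):           # indexes of the packets tcpdump "<expr>" would keep
    pred = CaptureFilter(expr).pred
    return [i for i, p in enumerate(packets) if pred(p)]
```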
Running tcpdump
Requires superuser/administrator privileges on Unix
◦ [Link]
◦ You can do it on your own Unix machine
◦ You can install a Linux OS in VMware/VirtualBox on your Windows machine
Tcpdump for Windows
◦ WinDump: [Link]
 Free software
So What is Wireshark?
Packet sniffer/protocol analyzer
Open-source network tool
Latest version of the Ethereal tool
What is Tshark?
The command-line based packet capture tool
Command-line equivalent of Wireshark
Network Layered Structure
What is the Internet?
Application: Web, Email, VOIP
Transport: TCP, UDP
Network: IP
Data Link: Ethernet, cellular
Physical link
Wireshark Interface
Status Bar
Capture Options
Promiscuous mode is used to capture all traffic
In many cases this does not work:
• The network driver does not support it
• You are on a switched LAN
Capture Filter
There are some pre-built capture filters that you can use:
Capture Filter examples
host [Link]
host [Link] and host [Link]
tcp port http
ip
not broadcast and not multicast
ether host [Link]
Capture Buffer Usage
Display Filters (Post-Filters)
Display filters (also called post-filters)
◦ Only filter the view of what you are seeing
◦ All packets in the capture still exist in the trace
Display filters use their own format and are much more powerful than capture filters
Display Filter
There are some basic pre-built display filters, too
Display Filter Examples
[Link]==[Link]/24
[Link]==[Link] && [Link]==[Link]
[Link]==80 || [Link]==3389
!([Link]==[Link] && [Link]==[Link])
([Link]==[Link] && [Link]==[Link]) && ([Link]==445 || [Link]==139)
([Link]==[Link] && [Link]==[Link]) && ([Link]==67 || [Link]==68)
[Link] == 80
Display Filter
There are thousands of pre-defined protocol fields that you can use in the display filter!
TCP segment structure
(Header diagram from the slide, 32 bits wide, reconstructed as text:)
 source port # | dest port #
 sequence number
 acknowledgement number
 head len | not used | U A P R S F | receive window
 checksum | urg data pointer
 options (variable length)
 application data (variable length)
Annotations on the diagram:
◦ URG: urgent data (generally not used)
◦ ACK: ACK # valid
◦ PSH: push data now (generally not used)
◦ RST, SYN, FIN: connection estab (setup, teardown commands)
◦ Sequence and acknowledgement numbers count by bytes of data (not segments!)
◦ Receive window: # bytes rcvr willing to accept
◦ Checksum: Internet checksum (as in UDP)
Display Filter
String1, String2 (optional settings):
◦ Sub-protocol categories inside the protocol.
◦ Look for a protocol and then click on the "+" character.
◦ Example:
◦ [Link] == 80
◦ [Link] == 2
 SYN packet
 Or use "[Link]==1"
◦ [Link] == 18
 SYN/ACK
Display Filter Expressions
 snmp || dns || icmp
◦ Display the SNMP, DNS or ICMP traffic.
 [Link] == 25
◦ Display packets with TCP source or destination port 25.
 [Link]
◦ Display packets that have the TCP flags field.
 [Link] == 0x02
◦ Display packets with the TCP SYN flag set.
If the filter syntax is correct, it will be highlighted in green; if there is a syntax mistake it will be highlighted in red.
Correct syntax
Wrong syntax
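To make the TCP segment structure and the display-filter examples above concrete, the following added Python example (not from the slides) parses a raw 20-byte TCP header into Wireshark-style field names and evaluates filters such as tcp.flags == 0x02 (decimal 2), tcp.flags == 0x12 (decimal 18, SYN/ACK), tcp.flags.syn == 1 and tcp.port == 80 over a constructed handshake; build_tcp_header, SAMPLE and display_filter are assumptions made for the example.

```python
import struct

# Bit positions of the six classic flags in the TCP header's flags field.
TCP_FLAGS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08, "ack": 0x10, "urg": 0x20}

def parse_tcp_header(data):
    """Parse the fixed 20-byte TCP header into Wireshark-style field names."""
    if len(data) < 20:
        raise ValueError("need at least 20 bytes of TCP header")
    sport, dport, seq, ack, off_flags, win, csum, urg = struct.unpack("!HHIIHHHH", data[:20])
    hdr_len = (off_flags >> 12) * 4            # data offset counts 32-bit words (5 = no options)
    flags = off_flags & 0x01FF                 # low 9 bits: NS CWR ECE URG ACK PSH RST SYN FIN
    if hdr_len < 20 or hdr_len > len(data):    # options would run past the bytes we were given
        raise ValueError("bad TCP header length %d" % hdr_len)
    fields = {"tcp.srcport": sport, "tcp.dstport": dport, "tcp.seq": seq, "tcp.ack": ack,
              "tcp.hdr_len": hdr_len, "tcp.flags": flags, "tcp.window_size": win,
              "tcp.checksum": csum, "tcp.urgent_pointer": urg}
    for name, bit in TCP_FLAGS.items():        # tcp.flags.syn, tcp.flags.ack, ... as 0/1
        fields["tcp.flags." + name] = int(bool(flags & bit))
    return fields

def build_tcp_header(sport, dport, seq, ack, flags, win=65535):
    """Constructed header (no options, zero checksum), used only to make sample input."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, win, 0, 0)

# Constructed three-way handshake: SYN, SYN/ACK, ACK (ports and sequence numbers made up).
SAMPLE = [build_tcp_header(40000, 80, 1000, 0, 0x02),
          build_tcp_header(80, 40000, 5000, 1001, 0x12),
          build_tcp_header(40000, 80, 1001, 5001, 0x10)]

def display_filter(field, value, headers=SAMPLE):
    """Indexes of headers where '<field> == <value>' holds.
    tcp.port is special: like Wireshark, it matches source OR destination port."""
    parsed = [parse_tcp_header(h) for h in headers]
    if field == "tcp.port":
        return [i for i, f in enumerate(parsed) if value in (f["tcp.srcport"], f["tcp.dstport"])]
    return [i for i, f in enumerate(parsed) if f[field] == value]
```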
Save Filtered Packets as Text After Using Display Filter
We can save all filtered packets in a text file for further analysis
Operation:
File > Export Packet Dissections > as "plain text" file
1). In the "packet range" option, select "Displayed"
2). Choose "summary line" or "detail"
Save Filtered Packets in Wireshark Format After Using Display Filter
We can also save all filtered packets in the original Wireshark format for further analysis
Operation:
1. Enter a display filter to show the packets you want
2. Go to "Edit" and choose "Mark all displayed packets"
3. Go to "File" > "Export specific packets..."
4. Choose the option "Marked packets" to save the file
Protocol Hierarchy
Follow TCP Stream
Red: data you sent; blue: data you received
Filter out/in Single TCP Stream
 When you click "filter out this TCP stream" in the previous page's box, the new filter string will look like:
◦ http and !([Link] eq 5)
 So, if you use "[Link] eq 5" as the filter string, you keep this HTTP session
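Added example (not from the slides) showing what the stream index in those filter strings means: TCP conversations are numbered in the order they are first seen, from a direction-independent 4-tuple, and the keep/drop filters are then applied over a constructed packet list. The packet layout, stream_filter and the port-reuse rule are assumptions of the example; Wireshark's own stream bookkeeping is more elaborate.

```python
# Constructed packets (addresses and ports made up). "protos" lists the layers Wireshark would
# dissect, so the display filter "tcp" matches every TCP packet here while "http" matches only requests.
A, B, DNS = "10.0.0.5", "192.0.2.80", "192.0.2.53"
def tcp(src, sport, dst, dport, flags, *extra):
    return dict(transport="tcp", src=src, sport=sport, dst=dst, dport=dport, flags=flags, protos=("tcp",) + extra)
PACKETS = [
    tcp(A, 1111, B, 80, "S"),                 # new 4-tuple            -> stream 0
    tcp(B, 80, A, 1111, "SA"),                # reverse direction      -> stream 0
    tcp(A, 2222, B, 80, "S"),                 # second client port     -> stream 1
    tcp(A, 1111, B, 80, "PA", "http"),        # GET on stream 0
    dict(transport="udp", src=A, sport=3333, dst=DNS, dport=53, flags="", protos=("udp", "dns")),
    tcp(A, 2222, B, 80, "PA", "http"),        # GET on stream 1
    tcp(A, 1111, B, 80, "S"),                 # port 1111 reused: fresh SYN -> stream 2
    tcp(A, 1111, B, 80, "PA", "http"),        # GET on stream 2
]

def stream_key(p):
    """Direction-independent 4-tuple, so both halves of a conversation share one key."""
    return tuple(sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])]))

def assign_streams(packets):
    """Per-packet tcp.stream-style index in first-seen order; None for non-TCP packets.
    A fresh SYN on an already-seen 4-tuple starts a new stream, as port reuse would."""
    index, next_id, out = {}, 0, []
    for p in packets:
        if p["transport"] != "tcp":
            out.append(None)
            continue
        key = stream_key(p)
        if key not in index or p["flags"] == "S":
            index[key], next_id = next_id, next_id + 1
        out.append(index[key])
    return out

def stream_filter(packets, stream, keep=True, proto="http"):
    """keep=True  -> '<proto> and tcp.stream eq N'     (keep one session)
       keep=False -> '<proto> and !(tcp.stream eq N)'  (filter out this TCP stream)"""
    streams = assign_streams(packets)
    return [i for i, (p, s) in enumerate(zip(packets, streams))
            if proto in p["protos"] and (s == stream) == keep]
```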
Expert Info
Conversations
Use the "Copy" button to copy all text into the clipboard
Then, you can analyze this text file to get what statistics you want
Find EndPoint Statistics
Menu "Statistics" > "Endpoint List" > "TCP"
You can sort by field
"Tx": transmit; "Rx": receive
Use the "Copy" button to copy all text into the clipboard; then you can analyze this text file to get what statistics you want
Export HTTP Objects
Now you can save all files transmitted in Web traffic!
HTTP Analysis
HTTP Analysis – Load Distribution
Click the "Create Stat" button
You can add a "filter" to only show selected traffic
HTTP Analysis – Packet Counter
HTTP Analysis – Requests
Useful 'contains' Operation in Display Filter
In a display filter, 'contains' displays all packets that contain a specified string
◦ http contains ".bmp"
 All HTTP packets that have the '.bmp' string
◦ dns contains "[Link]"
 Any DNS query/response that has the string '[Link]'
Improving Wireshark Performance
Don't use capture filters
Increase your read buffer size
Don't update the screen dynamically
Get a faster computer
Use a TAP
Don't resolve DNS hostnames
Post-Processing Text File
For saved text-format packet files, further analysis needs coding or special tools
One useful tool on Unix: grep
◦ On Windows: PowerGrep
[Link]
◦ Command-line based utility for searching plain-text data sets for lines matching a regular expression.
Basic usage of grep
Command-line text-search program in Linux
Some useful usage:
◦ grep 'word' filename # find lines with 'word'
◦ grep -v 'word' filename # find lines without 'word'
◦ grep '^word' filename # find lines beginning with 'word'
◦ grep 'word' filename > file2 # output lines with 'word' to file2
◦ ls -l | grep rwxrwxrwx # list files that have the 'rwxrwxrwx' permissions
◦ grep '^[0-4]' filename # find lines beginning with any of the digits 0-4
◦ grep -c 'word' filename # count the lines with 'word'
◦ grep -i 'word' filename # find lines with 'word' regardless of case
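Added Python example (not from the slides) for the post-processing that the Endpoint Statistics and grep slides describe: it parses constructed lines in the tshark summary format shown earlier, offers a grep-like line filter (plain, -v and -i), and totals Tx/Rx packets and bytes per address. SUMMARY, grep, parse_summary and endpoint_stats are assumptions of the example, and the byte counts come only from the len=/Len= values visible in the info column.

```python
import re
from collections import defaultdict

# Constructed lines in the tshark summary format shown earlier (addresses and values made up).
SUMMARY = """\
1190003744.940437 10.0.0.5 -> 192.0.2.22 SSH Encrypted request packet len=48
1190003744.940916 192.0.2.22 -> 10.0.0.5 SSH Encrypted response packet len=48
1190003744.955764 10.0.0.5 -> 192.0.2.22 TCP 6943 > ssh [ACK] Seq=48 Ack=48 Win=65514 Len=0
1190003745.035678 10.0.0.5 -> 192.0.2.53 DNS Standard query A www.example.test
1190003745.036004 192.0.2.53 -> 10.0.0.5 DNS Standard query response A 192.0.2.80
1190003745.100000 10.0.0.5 -> 192.0.2.80 HTTP GET /index.html HTTP/1.1
this line is not a packet summary at all
""".splitlines()

LINE = re.compile(r"^(?P<ts>\d+\.\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s*(?P<info>.*)$")

def grep(pattern, lines, invert=False, ignore_case=False):
    """grep / grep -v / grep -i over a list of lines: keep lines that (do not) match the regex."""
    rx = re.compile(pattern, re.IGNORECASE if ignore_case else 0)
    return [line for line in lines if bool(rx.search(line)) != invert]

def parse_summary(lines):
    """One dict per well-formed summary line; anything that does not fit the format is skipped."""
    records = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = float(rec["ts"])
        size = re.search(r"\b[Ll]en=(\d+)", rec["info"])     # "len=48" (SSH) or "Len=0" (TCP)
        rec["len"] = int(size.group(1)) if size else 0       # payload bytes when the info column shows them
        records.append(rec)
    return records

def endpoint_stats(lines):
    """Per-address Tx/Rx packet and byte counts, like the Endpoint List's Tx/Rx columns."""
    stats = defaultdict(lambda: {"tx_pkts": 0, "tx_bytes": 0, "rx_pkts": 0, "rx_bytes": 0})
    for rec in parse_summary(lines):
        stats[rec["src"]]["tx_pkts"] += 1
        stats[rec["src"]]["tx_bytes"] += rec["len"]
        stats[rec["dst"]]["rx_pkts"] += 1
        stats[rec["dst"]]["rx_bytes"] += rec["len"]
    return dict(stats)
```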
On-line Wireshark Trace Files
Publicly available .pcap files:
◦ [Link]
pFiles
[Link]
traces/Lab%20Trace%20Files/
Wiki Sample capture
◦ [Link]
tures
