Wireshark

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education.

Permissions
Because Wireshark captures directly from network interfaces, capturing requires privileges that a normal user does not have. Note that membership of the capture group amounts to read access to all traffic passing the host's interfaces, so grant it deliberately. To use Wireshark as a normal user, add the user to the pcap group (replace ${LOGNAME} with the user's actual login name):

To make the current session aware of the new group without logging out and in again, run this command before launching Wireshark:
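The following pre-flight check is an added example, not part of the original page. It answers the two questions the permissions step raises separately: is the user in the capture group on disk, and does the running process already carry that group (the gap that newgrp or a fresh login closes). The group name pcap is taken from the text above and is passed in, so substitute whatever group your distribution's package actually assigns to dumpcap. Unix only.

```python
"""Added example (not from the original page): a pre-flight check for the
permissions step.  It answers two questions separately: is the user in the
capture group according to /etc/passwd and /etc/group, and does the running
process already carry that group (which is what the newgrp or re-login step
fixes).  The group name "pcap" comes from the page; pass whatever group your
distribution's package actually uses.  Unix only."""
import grp
import os
import pwd


def current_user():
    """Login name of the user running this process."""
    return pwd.getpwuid(os.getuid()).pw_name


def primary_group(user):
    """Name of the user's primary group from the passwd database."""
    return grp.getgrgid(pwd.getpwnam(user).pw_gid).gr_name


def user_in_group(user, group):
    """True if group is the user's primary or a supplementary group on disk."""
    try:
        gid = grp.getgrnam(group).gr_gid
        pw = pwd.getpwnam(user)
    except KeyError:          # unknown user or group
        return False
    return gid in os.getgrouplist(user, pw.pw_gid)


def session_has_group(group):
    """True if the current process's credentials already include the group.

    A freshly added membership is not visible here until the user logs in
    again or starts a shell with newgrp; that is the gap the page warns about.
    """
    try:
        gid = grp.getgrnam(group).gr_gid
    except KeyError:
        return False
    return gid == os.getgid() or gid in os.getgroups()


def capture_readiness(group="pcap"):
    """Summarise both checks for the current user."""
    user = current_user()
    return {
        "user": user,
        "group": group,
        "member_on_disk": user_in_group(user, group),
        "member_in_session": session_has_group(group),
    }


if __name__ == "__main__":
    status = capture_readiness()
    print(status)
    if status["member_on_disk"] and not status["member_in_session"]:
        print("membership exists but is not active yet: run newgrp or log in again")
```

If member_on_disk is True but member_in_session is False, the group was added correctly and only the current session is stale; if both are False, the user was never added. Neither check looks at the capture binary itself, so also confirm that dumpcap is group-readable and executable for the capture group on your system.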

Wireshark over SSH
Requirements: a source system (the host on which you want to capture packets) that you can reach over SSH, with tcpdump installed and runnable by your user (either directly, or via sudo without a password), and a destination system (where you run the graphical Wireshark) with wireshark installed and working and mkfifo available. Two cautions: passwordless sudo for tcpdump is effectively passwordless root, since tcpdump can write any file as root (-w) and run a command of its choosing (-z), so confine it to a dedicated capture account; and the capture must exclude the SSH session that transports it (for example with a capture filter of not port 22), otherwise the capture stream is itself captured and feeds back on itself. Procedure:
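The pipeline this procedure describes, as an added example that is not part of the original page, built with subprocess so that every quoting step is explicit. The host name capture-host.example, the interface eth0 and the use of sudo are assumptions; change them for your environment. Two things the one-liner has to get right are shown: ssh joins its remaining arguments with spaces and hands them to the remote login shell, so the remote command needs its own layer of quoting (without it a capture filter containing spaces falls apart, and an interface name taken from untrusted input becomes shell injection), and the capture filter has to exclude the SSH port that carries the stream.

```python
"""Added example (not part of the original page): remote capture over SSH,
piped into a local Wireshark, with the remote command quoted by shlex.join so
that spaces in the capture filter and hostile characters in the interface
name cannot break out of the tcpdump argument list.  Host, interface and the
use of sudo are assumptions for illustration."""
import shlex
import subprocess


def remote_tcpdump_argv(host, iface, ssh_port=22, use_sudo=True, extra_filter=""):
    """argv for the ssh side: run tcpdump remotely, writing pcap to stdout.

    The capture filter always excludes the SSH port, so the capture stream
    does not capture itself; extra_filter is AND-ed with that exclusion.
    """
    capture_filter = f"not port {ssh_port}"
    if extra_filter:
        capture_filter = f"({capture_filter}) and ({extra_filter})"
    remote = [
        "tcpdump",
        "-U",             # flush after every packet so Wireshark shows them live
        "-s", "0",        # full snaplen
        "-w", "-",        # write pcap to stdout
        "-i", iface,
        capture_filter,
    ]
    if use_sudo:
        remote = ["sudo", "-n"] + remote   # -n: fail instead of hanging on a password prompt
    # ssh concatenates its command arguments with spaces and hands the result
    # to the remote shell; shlex.join adds the quoting that string needs.
    return ["ssh", "-p", str(ssh_port), host, shlex.join(remote)]


# Local side: -k starts capturing immediately, -i - reads the pcap stream from stdin.
WIRESHARK_STDIN = ["wireshark", "-k", "-i", "-"]


def run_remote_capture(host, iface, **kw):
    """Run ssh | wireshark and return wireshark's exit status."""
    ssh = subprocess.Popen(remote_tcpdump_argv(host, iface, **kw), stdout=subprocess.PIPE)
    ws = subprocess.Popen(WIRESHARK_STDIN, stdin=ssh.stdout)
    ssh.stdout.close()   # so ssh gets SIGPIPE once Wireshark exits
    status = ws.wait()
    ssh.wait()
    return status


if __name__ == "__main__":
    # Assumed host and interface; the equivalent shell one-liner is printed first.
    argv = remote_tcpdump_argv("capture-host.example", "eth0", extra_filter="tcp port 80")
    print(shlex.join(argv), "|", shlex.join(WIRESHARK_STDIN))
    raise SystemExit(run_remote_capture("capture-host.example", "eth0", extra_filter="tcp port 80"))
```

The mkfifo variant the requirements mention replaces the anonymous pipe with a named one: create it with mkfifo, redirect the ssh command's stdout into it in the background, and start Wireshark with -k -i pointing at the fifo. The quoting and the "not port 22" exclusion are the same in both forms.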

Network Name Resolution
To automatically resolve IP addresses to host names, open the preferences window (Edit > Preferences), go to the Name Resolution section and check Enable Network Name Resolution. Be aware that this makes the analysis host send a DNS query for every address in the capture, which slows down loading and tells the resolver (and anyone watching it) which hosts the capture contains; when analysing captures from untrusted or sensitive networks, leave it off, or pass -n to tshark to disable all name resolution.

Filter packets to a specific IP Address
To see all incoming and outgoing traffic for a specific address, enter an equality filter on the address field in the filter box, with the relevant IP address on the right-hand side. To view only incoming traffic, filter on the destination address field instead; to view only outgoing traffic, filter on the source address field.
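The following is an added example, not part of the original page: a small model of how Wireshark evaluates comparisons on the address fields, run over constructed packets, so the difference between ip.addr, ip.dst and ip.src can be seen without a capture. ip.addr is a multi-occurrence field (every IPv4 packet carries it twice, as source and as destination) and "ip.addr == X" is true when any occurrence equals X, which is why it selects both directions. The same property is the classic trap with negation: before Wireshark 3.6, "ip.addr != X" meant "any occurrence differs" and matched almost every packet; since 3.6 it means "all occurrences differ", the same as !(ip.addr == X), and the old reading is spelled with the any_ne operator. match() implements the current rules; the packet list and the address 10.0.0.5 are constructed for the example.

```python
"""Added example (not from the original page): a model of how Wireshark
evaluates ip.addr / ip.src / ip.dst comparisons, run over constructed
packets.  Implements the >= 3.6 semantics: == is "any occurrence equal",
!= is "all occurrences differ", any_ne is the pre-3.6 meaning of !=."""
from ipaddress import ip_address

# Constructed sample traffic (not a real capture); 10.0.0.5 is the host of interest.
PACKETS = [
    {"ip.src": "10.0.0.5", "ip.dst": "93.184.216.34"},   # outgoing from 10.0.0.5
    {"ip.src": "93.184.216.34", "ip.dst": "10.0.0.5"},   # incoming to 10.0.0.5
    {"ip.src": "10.0.0.7", "ip.dst": "10.0.0.9"},        # unrelated
    {"ip.src": "10.0.0.5", "ip.dst": "10.0.0.5"},        # both ends are 10.0.0.5
]


def field_values(pkt, field):
    """All occurrences of a display-filter field in one packet."""
    if field == "ip.addr":
        return [ip_address(pkt["ip.src"]), ip_address(pkt["ip.dst"])]
    if field in ("ip.src", "ip.dst"):
        return [ip_address(pkt[field])]
    raise KeyError(field)


def match(packets, field, op, value):
    """Return the packets for which 'field op value' holds (Wireshark >= 3.6 rules)."""
    target = ip_address(value)
    selected = []
    for pkt in packets:
        vals = field_values(pkt, field)
        if op == "==":            # any_eq: some occurrence equals the value
            hit = any(v == target for v in vals)
        elif op == "!=":          # all_ne: no occurrence equals the value
            hit = all(v != target for v in vals)
        elif op == "any_ne":      # pre-3.6 meaning of !=: some occurrence differs
            hit = any(v != target for v in vals)
        else:
            raise ValueError(f"unsupported operator {op}")
        if hit:
            selected.append(pkt)
    return selected


if __name__ == "__main__":
    # On a real file the same filters are, for example:
    #   tshark -r capture.pcap -Y 'ip.addr == 10.0.0.5'
    #   tshark -r capture.pcap -Y 'ip.dst == 10.0.0.5'
    #   tshark -r capture.pcap -Y 'ip.src == 10.0.0.5'
    for field, op in (("ip.addr", "=="), ("ip.dst", "=="), ("ip.src", "=="),
                      ("ip.addr", "!="), ("ip.addr", "any_ne")):
        n = len(match(PACKETS, field, op, "10.0.0.5"))
        print(f"{field} {op} 10.0.0.5 -> {n} packet(s)")
```

Over the four constructed packets, ip.addr == 10.0.0.5 selects three (both directions plus the packet with 10.0.0.5 at both ends), ip.dst and ip.src two each, ip.addr != 10.0.0.5 only the unrelated packet, and any_ne three, which is why the pre-3.6 != was almost useless for excluding a host.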

tshark
TShark is Wireshark's terminal-based network protocol analyzer. It reads and writes libpcap-format captures; its default write format is pcapng, and -F pcap selects classic pcap. TShark's command-line help lists all packet capture options.

For example, to capture packets on a specified network interface and save the results to a file, enter

substituting the desired network interface and output filename.

If you capture no packets and pipe the output to xxd, you see just the file header of the chosen capture file type.
An easy way to capture nothing is to use a capture filter for a protocol that does not occur on your network, such as ipx. In this example, -F pcap selects the classic pcap file type; the header differs for the default pcapng format.
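As an added example that is not part of the original page, the 24-byte libpcap global header that the xxd output above shows can be built and decoded with the standard library alone. The layout follows the Libpcap File Format page linked below: magic number, major and minor version, time-zone offset, timestamp accuracy, snaplen and link-layer type. The magic number carries two pieces of information a reader needs before anything else: the byte order of the file and whether timestamps are in microseconds or nanoseconds. The link-type and snaplen values are constructed for the example; 113 is the Linux "cooked" link type that capturing on -i any produces.

```python
"""Added example (not from the original page): build and decode the libpcap
global header, and recognise a pcapng file (what tshark writes unless told
-F pcap) so it is not misread as a libpcap header."""
import struct

MAGIC_USEC = 0xA1B2C3D4       # microsecond timestamps
MAGIC_NSEC = 0xA1B23C4D       # nanosecond timestamps
PCAPNG_MAGIC = 0x0A0D0D0A     # pcapng Section Header Block type (same in either byte order)
LINKTYPE_ETHERNET = 1
LINKTYPE_LINUX_SLL = 113      # "-i any" on Linux
HEADER_FMT = "IHHiIII"        # magic, major, minor, thiszone, sigfigs, snaplen, linktype


def pcap_global_header(linktype=LINKTYPE_ETHERNET, snaplen=262144, big_endian=False, nsec=False):
    """Return the 24-byte header of an empty capture in the requested byte order."""
    order = ">" if big_endian else "<"
    magic = MAGIC_NSEC if nsec else MAGIC_USEC
    return struct.pack(order + HEADER_FMT, magic, 2, 4, 0, 0, snaplen, linktype)


def is_pcapng(data):
    """True if the bytes start a pcapng file rather than a libpcap file."""
    return len(data) >= 4 and struct.unpack("<I", data[:4])[0] == PCAPNG_MAGIC


def parse_global_header(data):
    """Decode a libpcap global header; raises ValueError for pcapng or junk."""
    if len(data) < 24:
        raise ValueError("need at least 24 bytes")
    if is_pcapng(data):
        raise ValueError("pcapng section header, not a libpcap file (write with -F pcap)")
    if struct.unpack("<I", data[:4])[0] in (MAGIC_USEC, MAGIC_NSEC):
        order = "<"
    elif struct.unpack(">I", data[:4])[0] in (MAGIC_USEC, MAGIC_NSEC):
        order = ">"
    else:
        raise ValueError("unknown magic %s" % data[:4].hex())
    magic, major, minor, thiszone, sigfigs, snaplen, linktype = struct.unpack(order + HEADER_FMT, data[:24])
    return {
        "byte_order": "little" if order == "<" else "big",
        "nanosecond": magic == MAGIC_NSEC,
        "version": (major, minor),
        "thiszone": thiszone,
        "sigfigs": sigfigs,
        "snaplen": snaplen,
        "linktype": linktype,
    }


def hexdump(data):
    """xxd-style rendering, to compare with the page's xxd output."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hexpart = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {hexpart:<39}  {text}")
    return "\n".join(lines)


if __name__ == "__main__":
    header = pcap_global_header(linktype=LINKTYPE_LINUX_SLL)
    print(hexdump(header))
    print(parse_global_header(header))
```

A header that starts with d4c3 b2a1 is little-endian with microsecond timestamps (the bytes are the magic number written least-significant first); a1b2 c3d4 is the same file written big-endian, 4d3c b2a1 marks nanosecond timestamps, and 0a0d 0d0a means the tool wrote pcapng, which the decoder above refuses rather than misinterpreting.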

Search for malware URL with regex
You are looking for an HTTP GET whose URL starts with http or https, is in the Swedish .se domain, and contains the word worm in the query string. Wireshark's matches operator takes PCRE regex syntax, and a simple pattern that satisfies this is https?.*?\.se.*?worm. Keep in mind that it is deliberately loose: \.se also matches the start of names such as .secure, and worm may appear anywhere after it, not only in the query string, so expect some false positives and tighten the pattern once you have seen what it catches. If this looks like Greek, regex101 is a good place to explore it.

Since this is a GET, it is better to restrict the search to the http protocol: http matches "https?.*?\.se.*?worm". Note that the regex is double-quoted. With tshark, the -Y display filter argument must be quoted as well; either escape the inner double quotes with backslashes, or put the whole filter in single quotes so that the inner double quotes pass through to tshark unchanged.
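The following is an added example, not part of the original page: the page's pattern and a tighter one applied to a handful of constructed request URIs, so the false positives of the loose pattern can be seen before it is used on a real capture. The sample URIs are invented for the example; the tighter pattern is one reading of the requirement (scheme, a host that ends in .se, an optional port and path, then worm somewhere in the query string) and is this example's, not the page's.

```python
"""Added example (not from the original page): the page's regex versus a
tighter one, applied to constructed request URIs."""
import re

# The page's pattern, unchanged: "http(s)", then ".se", then "worm", in that order.
LOOSE = re.compile(r"https?.*?\.se.*?worm")

# A tighter reading of the same requirement (this example's own): scheme,
# a host that ends in .se, optional port and path, then "worm" in the query.
TIGHT = re.compile(r"^https?://[^/?#\s]*\.se(?::\d+)?(?:/[^?#\s]*)?\?[^#\s]*worm")

# Constructed request URIs (not from a real capture).
SAMPLE_URIS = [
    "http://malware.example.se/dl?name=worm.exe",             # what we are after
    "https://cdn.secure-host.com/static/worm-animation.gif",  # ".se" is inside "secure"
    "http://files.example.se/worm/readme.txt",                # .se domain, "worm" in the path
    "https://shop.example.se/products?id=42",                 # .se domain, no "worm" at all
]


def hits(pattern, uris):
    """URIs that the compiled pattern matches anywhere (re.search, like matches)."""
    return [u for u in uris if pattern.search(u)]


def compare(uris):
    """Per-URI verdict of both patterns, to see where they disagree."""
    return {u: (bool(LOOSE.search(u)), bool(TIGHT.search(u))) for u in uris}


if __name__ == "__main__":
    # The page's filter on a real file, with the -Y argument single-quoted so
    # the shell leaves the inner double quotes alone:
    #   tshark -r capture.pcap -Y 'http matches "https?.*?\.se.*?worm"'
    for uri, (loose, tight) in compare(SAMPLE_URIS).items():
        print(f"loose={loose!s:5} tight={tight!s:5} {uri}")
```

The loose pattern accepts three of the four URIs, including the .com host with .se inside secure and the .se host that has worm only in its path; the tighter pattern accepts just the one that meets all three conditions. Whichever pattern you settle on, it costs nothing to run it over a list like this before running it over traffic.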

Print http data in a tree
tshark -q -i any -Y http -z http,tree

Example output after a single GET request:

=================================================================================================
HTTP/Packet Counter:
Topic / Item            Count  Average  Min Val  Max Val  Rate (ms)  Percent  Burst Rate  Burst Start
-------------------------------------------------------------------------------------------------
Total HTTP Packets      1                                           100%     0.0100      2.255
 HTTP Request Packets   1                                           100.00%  0.0100      2.255
  GET                   1                                           100.00%  0.0100      2.255
 Other HTTP Packets     0                                           0.00%    -           -
 HTTP Response Packets  0                                           0.00%    -           -
  ???: broken           0                                                    -           -
  5xx: Server Error     0                                                    -           -
  4xx: Client Error     0                                                    -           -
  3xx: Redirection      0                                                    -           -
  2xx: Success          0                                                    -           -
  1xx: Informational    0                                                    -           -
-------------------------------------------------------------------------------------------------

External resources

 * https://www.wireshark.org/download/docs/user-guide.pdf - Wireshark User's Guide
 * https://wiki.wireshark.org/DisplayFilters - Display Filters
 * https://wiki.wireshark.org/Development/LibpcapFileFormat - Libpcap File Format
 * https://tshark.dev - tshark.dev
 * https://tshark.dev/capture/ - tshark.dev: capturing
 * https://tshark.dev/capture/sources/ssh_interface/ - tshark.dev: ssh interface
 * https://tshark.dev/capture/sources/downloading_file/ - tshark.dev: downloading files
 * https://tshark.dev/analyze/packet_hunting/tshark_analysis/ - tshark.dev: tshark analysis
 * https://tshark.dev/packetcraft/scripting/lua_scripts/ - tshark.dev: lua scripts