10 Wireshark Tips Every Pentester Should Know
Wireshark is one of the most powerful tools in a pentester’s arsenal, yet many only scratch the surface. Here are ten tips that have genuinely made me more effective.
1. Filter by HTTP Methods
Isolate specific HTTP methods to focus your web app analysis:
http.request.method == "POST"
This shows every POST request: login attempts, form submissions and API calls. Swap in "GET", "PUT" or "DELETE" as needed, or use plain http.request to see all requests regardless of method.
2. Find Credentials in Cleartext
http.authorization contains "Basic" || urlencoded-form.key contains "pass" || http.request.uri contains "password"
A filter along these lines catches Basic Auth headers and the common password field names; extend the list with whatever field names the target application actually uses. Basic Auth is only base64, not encryption, so the header decodes straight back to user:password. You'd be surprised how often this still works in enterprise environments. It only works on cleartext HTTP, though: for HTTPS you need the session keys first (point the TLS protocol preferences at an SSLKEYLOGFILE written by the browser) before any of this becomes visible.
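To show what that filter is surfacing and the decode step that follows it, here is an added Python example (mine, not code from the post) that takes the client half of a cleartext POST as Follow TCP Stream would display it, decodes the Basic Auth header and pulls out password-like form fields using the same field-name heuristic. The request, host name and credentials are constructed sample data, not a real capture.

```python
import base64
from urllib.parse import parse_qsl

# Constructed sample: the client side of a cleartext HTTP POST, as it would
# appear in Wireshark's Follow > TCP Stream view. Host and credentials are made up.
SAMPLE_REQUEST = (
    b"POST /api/login HTTP/1.1\r\n"
    b"Host: intranet.example\r\n"
    b"Authorization: Basic YWxpY2U6czNjcjN0\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 41\r\n"
    b"\r\n"
    b"username=alice&password=s3cr3t&remember=1"
)

# Substrings that commonly appear in password-carrying form field names.
PASSWORD_FIELD_NAMES = ("password", "passwd", "pass", "pwd", "secret")


def split_request(raw: bytes):
    """Split a raw HTTP request into request line, lower-cased header dict and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def decode_basic_auth(headers):
    """Return (user, password) from an Authorization: Basic header, or None."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # Basic Auth is base64, not encryption: one decode gives user:password.
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = decoded.partition(":")
    return user, password


def find_password_fields(headers, body):
    """Return (field, value) pairs whose field name looks like a password field."""
    if "application/x-www-form-urlencoded" not in headers.get("content-type", "").lower():
        return []
    hits = []
    for key, value in parse_qsl(body.decode("latin-1"), keep_blank_values=True):
        if any(name in key.lower() for name in PASSWORD_FIELD_NAMES):
            hits.append((key, value))
    return hits


def harvest_credentials(raw: bytes):
    """Everything the cleartext-credential filter would have flagged, decoded."""
    request_line, headers, body = split_request(raw)
    findings = {"request": request_line}
    basic = decode_basic_auth(headers)
    if basic:
        findings["basic_auth"] = basic
    fields = find_password_fields(headers, body)
    if fields:
        findings["form_fields"] = fields
    return findings


if __name__ == "__main__":
    print(harvest_credentials(SAMPLE_REQUEST))
```

The header check and the form-field check are deliberately separate functions because they correspond to the two halves of the display filter; if an application sends JSON bodies instead of form encoding, the form-field half is the one to adapt.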
3. DNS Query Analysis
dns.qry.name contains "example"
Replace "example" with the target domain. Reveals subdomains, third-party integrations and potentially suspicious external communications. Note that contains matches anywhere in the name, so it also picks up unrelated domains that merely include the string; to anchor on the real domain use dns.qry.name matches "(^|[.])example[.]com$", and add && dns.flags.response == 0 when you want only the queries rather than the answers as well.
4. Follow TCP Streams
Right-click any packet, then Follow, then TCP Stream. This reconstructs the entire conversation between client and server, with the two directions in different colours. Wireshark also applies a tcp.stream eq N filter for that stream, which you can keep and build on after closing the dialog. The same menu offers UDP, TLS and HTTP streams; the TLS one only shows plaintext once decryption keys have been loaded.
5. Isolate Traffic by IP
ip.addr == 192.0.2.10 && ip.addr == 192.0.2.20
Shows only traffic between two specific hosts (substitute your own addresses). Use ip.src and ip.dst instead when direction matters. A common trap: ip.addr != 192.0.2.10 does not exclude that host, because a packet whose other address differs still matches; write !(ip.addr == 192.0.2.10) instead.
6. Detect Port Scans
tcp.flags.syn == 1 && tcp.flags.ack == 0
A high volume of SYN-only packets from a single source IP is a strong indicator of port scanning, especially when they fan out across many destination ports. Every legitimate connection starts with one of these too, so apply the filter and then open Statistics, then Endpoints or Conversations to see which source accounts for most of them; a burst of RST/ACK replies from the target (tcp.flags.reset == 1) for closed ports is the other half of the signature.
7. Export Objects
Go to File, then Export Objects, then HTTP. Wireshark lists every file transferred over HTTP and lets you save any of them to disk. Gold for forensics and CTF challenges. The same menu handles other carriers (SMB, TFTP, DICOM, and IMF for e-mail attachments), and again only cleartext HTTP shows up unless you have decrypted the TLS first.
8. Colouring Rules
Create custom colouring rules (View, then Coloring Rules) to visually highlight suspicious patterns. Each rule is just a display filter paired with a colour, and rules are applied top to bottom with the first match winning, so put the specific ones above the generic ones. I colour all cleartext credential packets in red and DNS queries in blue.
9. Time Reference
Right-click a packet and Set as Time Reference (or press Ctrl+T) and the Time column shows every later packet's offset from that one, starting at zero. Invaluable for measuring attack timelines. Combine it with View, then Time Display Format to switch between absolute clock time and relative offsets as needed.
10. Statistics and Conversations
Use Statistics, then Conversations to see every communication pair, broken out into Ethernet, IPv4, TCP and UDP tabs. Sort by bytes to find the chattiest connections: a large transfer to an unfamiliar external host is a candidate for data exfiltration, while a long-lived pair exchanging small packets at regular intervals looks like C2 beaconing. Sort by packets or duration too, since a noisy scanner or a beacon rarely tops the byte count.
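Tips 6 and 10 are both aggregation over the packet list, and the logic is easy to reproduce outside the GUI. The added Python example below (mine, not from the post) runs over a constructed packet summary with the columns you would get from File, then Export Packet Dissections, then As CSV: it flags sources sending SYN-only segments to many distinct ports on one host, which is a little stricter than the raw SYN count the tip describes, and ranks conversations by bytes the way the Conversations window does. Addresses, ports and lengths are made up for the example.

```python
from collections import Counter, defaultdict

# Constructed packet summaries: (src, dst, sport, dport, tcp_flags, frame_length).
# Addresses come from the RFC 5737 documentation ranges; nothing here is a real capture.
PACKETS = [
    # A normal HTTP session: one SYN, handshake, request, two data segments back.
    ("192.0.2.10", "198.51.100.5", 51000, 80, "S", 74),
    ("198.51.100.5", "192.0.2.10", 80, 51000, "SA", 74),
    ("192.0.2.10", "198.51.100.5", 51000, 80, "A", 66),
    ("192.0.2.10", "198.51.100.5", 51000, 80, "PA", 500),
    ("198.51.100.5", "192.0.2.10", 80, 51000, "PA", 1400),
    ("198.51.100.5", "192.0.2.10", 80, 51000, "PA", 1400),
] + [
    # One host probing 25 ports on another: a SYN per port ...
    ("203.0.113.7", "192.0.2.20", 40000 + p, p, "S", 60) for p in range(20, 45)
] + [
    # ... and RST/ACK back from each closed port.
    ("192.0.2.20", "203.0.113.7", p, 40000 + p, "RA", 54) for p in range(20, 45)
]


def syn_only(flags: str) -> bool:
    """Equivalent of the display filter tcp.flags.syn == 1 && tcp.flags.ack == 0."""
    return "S" in flags and "A" not in flags


def syn_scan_candidates(packets, min_ports=10):
    """(src, dst) pairs where src sent SYN-only segments to at least min_ports distinct ports.

    Counting distinct destination ports rather than raw SYN volume avoids flagging a
    busy client that simply opens many connections to the same service.
    """
    ports_by_pair = defaultdict(set)
    for src, dst, _sport, dport, flags, _length in packets:
        if syn_only(flags):
            ports_by_pair[(src, dst)].add(dport)
    return {pair: len(ports) for pair, ports in ports_by_pair.items() if len(ports) >= min_ports}


def conversations(packets):
    """Bytes per unordered address pair, sorted descending like Conversations > IPv4 by Bytes."""
    totals = Counter()
    for src, dst, _sport, _dport, _flags, length in packets:
        totals[frozenset((src, dst))] += length
    return [(tuple(sorted(pair)), total) for pair, total in totals.most_common()]


if __name__ == "__main__":
    print("SYN scan candidates:", syn_scan_candidates(PACKETS))
    for pair, total in conversations(PACKETS):
        print(f"{pair[0]:>14} <-> {pair[1]:<14} {total:>6} bytes")
```

On this data the scanner is not the top conversation by bytes, even though it sent the most packets, which is exactly why the two views complement each other: byte totals find bulk transfers, SYN fan-out finds probes.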
Wireshark rewards depth. These tips are starting points — experiment with them on your next CTF capture file.
Cybersecurity professional specialising in VAPT and penetration testing.