
Course 6 - Network Traffic Analysis for Incident Response | Episode 2: Wireshark Features and Comprehensive Protocol Dissection

In this lesson, you’ll learn about:
- Transitioning from theoretical networking concepts to hands-on traffic analysis.
- Using Wireshark to capture, dissect, filter, and understand live network traffic.
- Identifying how common protocols appear in real packet captures, including their structure and behavior.
- Recognizing how different protocols handle communication, reliability, and security.
Wireshark: Introduction & Core Features
- What Wireshark Is:
  - A free, GUI-based network traffic analyzer (formerly Ethereal).
  - Supports live packet capture and loading .cap / .pcap files.
- Key Features Covered:
  - Capture Management:
    - Start live captures with options like promiscuous mode.
    - Load and inspect previously saved capture files.
  - File Handling & Exporting:
    - Merge capture files (if timestamps align).
    - Import packets from hex dumps.
    - Export selected packets or full dissections in text, CSV, JSON, XML.
    - Export TLS session keys for decrypting certain encrypted traffic.
  - UI Navigation:
    - Color-coded packet list (e.g., green = TCP/HTTP, red = errors/retransmissions).
    - Three-pane layout: Packet list → Protocol dissection → Raw hex/ASCII.
  - Analysis Tools:
    - Display filters for precise inspection (e.g., tcp.port == 80).
    - Follow TCP/HTTP Stream to trace entire conversations.
    - Decode As to reinterpret traffic running on uncommon ports.
Protocol Dissection: What You’ll See in Wireshark
1. IP (IPv4/IPv6)
- View IP headers, including TTL (Time To Live) as hop count.
- Look at IPv6 structures and tunneling protocols such as:
- Learn how IPv6 packets travel across IPv4 networks.
2. TCP (Transmission Control Protocol)
- Understand reliability and session management.
- Observe:
  - The 3-way handshake: SYN → SYN-ACK → ACK
  - Connection teardown: FIN/FIN-ACK or RST
  - Flags, sequence numbers, acknowledgments, and retransmissions.
3. UDP (User Datagram Protocol)
- Minimal, fast, connectionless protocol.
- No handshake, no retransmission.
- Used in scenarios requiring speed over reliability.
4. ICMP (Internet Control Message Protocol)
- Used for error reporting and diagnostic tools like:
  - Ping (Echo Request/Reply – Type 8/Type 0)
  - Traceroute
- Note: While essential, ICMP must be carefully controlled on networks.
5. ARP (Address Resolution Protocol)
- Maps IP → MAC inside local networks.
- Stateless nature allows ARP poisoning, a common man-in-the-middle technique.
Higher-Level / Application Protocols in Wireshark
1. DNS (Domain Name System)
- Seen mostly over UDP.
- Analyze queries, recursion, multiple responses (A, MX, etc.).
2. HTTP (Hypertext Transfer Protocol)
- Review request lines, headers (User-Agent, Host, URI) and response codes.
- HTTP is common in analysis due to high traffic volume.
- Also widely monitored because attackers often misuse it for hidden communications.
3. FTP (File Transfer Protocol)
- A clear-text protocol:
  - Credentials and transfers visible in packet captures.
- Highlights the need for secure alternatives (FTPS / SFTP).
4. IRC (Internet Relay Chat)
- Simple text-based protocol.
- Multi-user channels make it useful for automation and remote coordination tools.
5. SMTP (Simple Mail Transfer Protocol)
- Clear-text protocol for sending emails.
- Username/password often appear in Base64, easily decoded.
- Typically secured using TLS.
6. SSH (Secure Shell)
- Encrypted remote terminal access.
- Only early handshake is readable; session content is encrypted by design.
- Demonstrates why encrypted protocols prevent content inspection.
7. TFTP (Trivial File Transfer Protocol)
- Runs over UDP.
- Very simple; no authentication.
- Traffic, including files, appears in clear text.
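An added example, not from the episode, for the FTP and SMTP points above: given two constructed "Follow TCP Stream" transcripts (not real captures), this Python check extracts the FTP USER/PASS values and decodes the Base64 SMTP AUTH LOGIN exchange, which is how an analyst proves credentials crossed the wire unprotected. Hostnames, usernames and passwords are made up.

```python
import base64
import re

# Constructed "Follow TCP Stream" output (not a real capture). C: = client, S: = server.
FTP_STREAM = """S: 220 ftp.example.test ready
C: USER alice
S: 331 Password required
C: PASS hunter2
S: 230 Login successful"""

SMTP_STREAM = """S: 220 mail.example.test ESMTP
C: EHLO laptop
S: 250-STARTTLS
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: Ym9i
S: 334 UGFzc3dvcmQ6
C: czNjcjN0
S: 235 Authentication succeeded"""

def b64_text(token):
    """Decode a Base64 token to ASCII text, or return None if it is not valid Base64."""
    try:
        return base64.b64decode(token, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None

def find_cleartext_credentials(stream):
    """Return (field, value) pairs an analyst can read straight out of a clear-text session."""
    findings, awaiting = [], None           # awaiting: SMTP field the server just prompted for
    for line in stream.splitlines():
        who, text = line[:1], line[3:]
        if who == "C":
            m = re.match(r"(USER|PASS)\s+(\S+)$", text)     # FTP sends credentials verbatim
            if m:
                findings.append(("FTP " + m.group(1), m.group(2)))
            elif awaiting:                                  # SMTP AUTH LOGIN: Base64 is encoding, not encryption
                findings.append(("SMTP " + awaiting, b64_text(text)))
                awaiting = None
        elif text.startswith("334 "):                       # server prompt, e.g. "Username:"
            prompt = b64_text(text[4:])
            awaiting = prompt.rstrip(":") if prompt else None
    return findings
```

In the SMTP transcript the server advertised STARTTLS but the client authenticated without it, which is exactly the situation the lesson's "typically secured using TLS" line is meant to prevent.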
Key Takeaways
- You’ll gain practical experience by capturing, filtering, and interpreting traffic directly in Wireshark.
- Observing how protocols appear “on the wire” builds intuition for normal vs. abnormal behavior.
- This hands-on section prepares you for real-world network forensics, troubleshooting, and security analysis in an ethical academic environment.
You can listen and download our episodes for free on more than 10 different platforms: https://linktr.ee/cybercode_academy
By CyberCode Academy