wireshark-analysis

Wireshark Network Traffic Analysis

Purpose

Execute comprehensive network traffic analysis using Wireshark to capture, filter, and examine network packets for security investigations, performance optimization, and troubleshooting. This skill enables systematic analysis of network protocols, detection of anomalies, and reconstruction of network conversations from PCAP files.

Inputs / Prerequisites

Required Tools

  • Wireshark installed (Windows, macOS, or Linux)
  • Network interface with capture permissions
  • PCAP/PCAPNG files for offline analysis
  • Administrator/root privileges for live capture

Technical Requirements

  • Understanding of network protocols (TCP, UDP, HTTP, DNS)
  • Familiarity with IP addressing and ports
  • Knowledge of OSI model layers
  • Understanding of common attack patterns

Use Cases

  • Network troubleshooting and connectivity issues
  • Security incident investigation
  • Malware traffic analysis
  • Performance monitoring and optimization
  • Protocol learning and education

Outputs / Deliverables

Primary Outputs

  • Filtered packet captures for specific traffic
  • Reconstructed communication streams
  • Traffic statistics and visualizations
  • Evidence documentation for incidents

Core Workflow

Phase 1: Capturing Network Traffic

Start Live Capture

Begin capturing packets on network interface:
1. Launch Wireshark
2. Select network interface from main screen
3. Click shark fin icon or double-click interface
4. Capture begins immediately

Capture Controls

| Action | Shortcut | Description |
|---|---|---|
| Start/Stop Capture | Ctrl+E | Toggle capture on/off |
| Restart Capture | Ctrl+R | Stop and start a new capture |
| Open PCAP File | Ctrl+O | Load an existing capture file |
| Save Capture | Ctrl+S | Save the current capture |

Capture Filters

Apply filters before capture to limit data collection. Capture filters use libpcap (BPF) syntax, which differs from the display filter syntax used later in this workflow:

```
# Capture only specific host
host 192.168.1.100

# Capture specific port
port 80

# Capture specific network
net 192.168.1.0/24

# Exclude specific traffic
not arp

# Combine filters
host 192.168.1.100 and port 443
```

Phase 2: Display Filters

Basic Filter Syntax

Filter captured packets for analysis:

```
# IP address filters
ip.addr == 192.168.1.1               # All traffic to/from IP
ip.src == 192.168.1.1                # Source IP only
ip.dst == 192.168.1.1                # Destination IP only

# Port filters
tcp.port == 80                       # TCP port 80
udp.port == 53                       # UDP port 53
tcp.dstport == 443                   # Destination port 443
tcp.srcport == 22                    # Source port 22
```

Protocol Filters

Filter by specific protocols:

```
# Common protocols
http                  # HTTP traffic
tls or ssl            # Encrypted web traffic (ssl is the pre-3.0 name; "https" is not a filter name)
dns                   # DNS queries and responses
ftp                   # FTP traffic
ssh                   # SSH traffic
icmp                  # Ping/ICMP traffic
arp                   # ARP requests/responses
dhcp                  # DHCP traffic (called bootp in versions before 3.0)
smb or smb2           # SMB file sharing
```

TCP Flag Filters

Identify specific connection states:

```
tcp.flags.syn == 1                   # SYN packets (connection attempts)
tcp.flags.ack == 1                   # ACK packets
tcp.flags.fin == 1                   # FIN packets (connection close)
tcp.flags.reset == 1                 # RST packets (connection reset)
tcp.flags.syn == 1 && tcp.flags.ack == 0  # SYN-only (initial connection)
```

Content Filters

Search for specific content:

```
frame contains "password"            # Packets containing string
http.request.uri contains "login"    # HTTP URIs with string
tcp contains "GET"                   # TCP packets with string
```

Analysis Filters

Identify potential issues:

```
tcp.analysis.retransmission          # TCP retransmissions
tcp.analysis.duplicate_ack           # Duplicate ACKs
tcp.analysis.zero_window             # Zero window (flow control)
tcp.analysis.flags                   # Packets with issues
dns.flags.rcode != 0                 # DNS errors
```

Combining Filters

Use logical operators for complex queries:

```
# AND operator
ip.addr == 192.168.1.1 && tcp.port == 80

# OR operator
dns || http

# NOT operator
!(arp || icmp)

# Complex combinations
(ip.src == 192.168.1.1 || ip.src == 192.168.1.2) && tcp.port == 443
```

Phase 3: Following Streams

TCP Stream Reconstruction

View complete TCP conversation:
1. Right-click on any TCP packet
2. Select Follow > TCP Stream
3. View reconstructed conversation
4. Toggle between ASCII, Hex, Raw views
5. Filter to show only this stream

Stream Types

| Stream | Access | Use Case |
|---|---|---|
| TCP Stream | Follow > TCP Stream | Web, file transfers, any TCP |
| UDP Stream | Follow > UDP Stream | DNS, VoIP, streaming |
| HTTP Stream | Follow > HTTP Stream | Web content, headers |
| TLS Stream | Follow > TLS Stream | Encrypted traffic (if keys available) |

Stream Analysis Tips

  • Review request/response pairs
  • Identify transmitted files or data
  • Look for credentials in plaintext
  • Note unusual patterns or commands

Phase 4: Statistical Analysis

Protocol Hierarchy

View protocol distribution:
Statistics > Protocol Hierarchy

Shows:
- Percentage of each protocol
- Packet counts
- Bytes transferred
- Protocol breakdown tree

Conversations

Analyze communication pairs:
Statistics > Conversations

Tabs:
- Ethernet: MAC address pairs
- IPv4/IPv6: IP address pairs
- TCP: Connection details (ports, bytes, packets)
- UDP: Datagram exchanges

Endpoints

View active network participants:
Statistics > Endpoints

Shows:
- All source/destination addresses
- Packet and byte counts
- Geographic information (if enabled)

Flow Graph

Visualize packet sequence:
Statistics > Flow Graph

Options:
- All packets or displayed only
- Standard or TCP flow
- Shows packet timing and direction

I/O Graphs

Plot traffic over time:
Statistics > I/O Graph

Features:
- Packets per second
- Bytes per second
- Custom filter graphs
- Multiple graph overlays

Phase 5: Security Analysis

Detect Port Scanning

Identify reconnaissance activity:

```
# SYN scan detection (many ports, same source; SUSPECT_IP is a placeholder)
# Restricting to SYN-only excludes the host's own SYN-ACK replies
ip.src == SUSPECT_IP && tcp.flags.syn == 1 && tcp.flags.ack == 0

# Review Statistics > Conversations for anomalies
# Look for a single source hitting many destination ports
```
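The "single source hitting many destination ports" check can be automated outside the GUI. The following Python script is an added example (not part of the original skill): it reads a classic libpcap file using only the standard library, applies the SYN-only test (`tcp.flags.syn == 1 && tcp.flags.ack == 0`) and reports any source that probed more than a threshold of distinct destination ports. The PCAP bytes, the 10.0.0.x addresses and the threshold of 10 ports are constructed assumptions.

```python
"""Added example (not from the original page): SYN-scan detection over a PCAP
using only the Python standard library. It applies the page's SYN-only check
(tcp.flags.syn == 1 && tcp.flags.ack == 0) and flags any source that probed
more than THRESHOLD distinct destination ports. Classic libpcap, Ethernet only."""
import struct
from collections import defaultdict

THRESHOLD = 10  # assumed cut-off: distinct SYN-only destination ports per source

def tcp_syn_targets(pcap_bytes):
    """Return {src_ip: set(dst_port)} for every SYN-only IPv4/TCP segment."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"  # usec/nsec magic
    targets = defaultdict(set)
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])[2]
        pkt = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue  # truncated, not IPv4 (EtherType 0x0800), or not TCP
        tcp = pkt[14 + (pkt[14] & 0x0F) * 4:]  # 14-byte Ethernet + IHL*4
        if len(tcp) < 14:
            continue
        flags = tcp[13]
        if flags & 0x02 and not flags & 0x10:  # SYN set, ACK clear
            src = ".".join(str(b) for b in pkt[26:30])
            targets[src].add(struct.unpack("!H", tcp[2:4])[0])
    return targets

def detect_syn_scan(pcap_bytes, threshold=THRESHOLD):
    """Sources whose SYN-only segments touched more than `threshold` ports."""
    return {src: sorted(p) for src, p in tcp_syn_targets(pcap_bytes).items()
            if len(p) > threshold}

def _frame(src, dst, dport, flags=0x02):
    """Constructed Ethernet/IPv4/TCP frame (checksums left zero; parse-only)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 0x50, flags, 65535, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def build_pcap(frames):
    """Wrap constructed frames in a little-endian libpcap file (link type 1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out

# Constructed sample: 10.0.0.5 probes 25 ports on 10.0.0.20; 10.0.0.9 is a normal
# client whose single SYN is answered by a SYN-ACK (ignored by the SYN-only check).
SAMPLE_PCAP = build_pcap(
    [_frame("10.0.0.5", "10.0.0.20", p) for p in range(20, 45)]
    + [_frame("10.0.0.9", "10.0.0.20", 443), _frame("10.0.0.20", "10.0.0.9", 443, 0x12)])
```

Replace `SAMPLE_PCAP` with the contents of a real capture file (`open(path, "rb").read()`) to run the same check over exported evidence.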

Identify Suspicious Traffic

Filter for anomalies:

```
# Traffic to unusual ports (registered range: above well-known, below ephemeral)
tcp.dstport > 1024 && tcp.dstport < 49152

# Traffic outside trusted network (adjust the prefix to your own ranges)
!(ip.addr == 192.168.1.0/24)

# Unusual DNS queries ("suspicious-domain" is a placeholder)
dns.qry.name contains "suspicious-domain"

# Large frames (near MTU); for total volume per pair use Statistics > Conversations
frame.len > 1400
```

ARP Spoofing Detection

Identify ARP attacks:

```
# Duplicate ARP responses
arp.duplicate-address-frame

# ARP traffic analysis
arp
# Look for:
# - Multiple MACs for the same IP
# - Gratuitous ARP floods
# - Unusual ARP patterns
```

Examine Downloads

Analyze file transfers:

```
# HTTP file downloads: Content-Disposition is a response header, so match
# responses rather than GET requests
http.response && http contains "Content-Disposition"

# Follow HTTP Stream to view file content
# Use File > Export Objects > HTTP to extract files
```

DNS Analysis

Investigate DNS activity:

```
# All DNS traffic
dns

# DNS queries only
dns.flags.response == 0

# DNS responses only
dns.flags.response == 1

# Failed DNS lookups
dns.flags.rcode != 0

# Specific domain queries
dns.qry.name contains "domain.com"
```

Phase 6: Expert Information

Access Expert Analysis

View Wireshark's automated findings:
Analyze > Expert Information

Categories:
- Errors: Critical issues
- Warnings: Potential problems
- Notes: Informational items
- Chats: Normal conversation events

Common Expert Findings

| Finding | Meaning | Action |
|---|---|---|
| TCP Retransmission | Packet resent | Check for packet loss |
| Duplicate ACK | Possible loss | Investigate network path |
| Zero Window | Buffer full | Check receiver performance |
| RST | Connection reset | Check for blocks/errors |
| Out-of-Order | Packets reordered | Usually normal; excessive is an issue |

Quick Reference

Keyboard Shortcuts

| Action | Shortcut |
|---|---|
| Open file | Ctrl+O |
| Save file | Ctrl+S |
| Start/Stop capture | Ctrl+E |
| Find packet | Ctrl+F |
| Go to packet | Ctrl+G |
| Next packet | Ctrl+Down |
| Previous packet | Ctrl+Up |
| First packet | Ctrl+Home |
| Last packet | Ctrl+End |
| Apply filter | Enter |
| Clear filter | Ctrl+Shift+X |

Common Filter Reference

Display filters by traffic category:

```
# Web traffic (https is not a valid filter name; use tls for the encrypted side)
http || tls

# Email
smtp || pop || imap

# File sharing
smb || smb2 || ftp

# Authentication
ldap || kerberos

# Network management
snmp || icmp

# Encrypted
tls || ssl
```

Export Options

```
File > Export Specified Packets    # Save filtered subset
File > Export Objects > HTTP       # Extract HTTP files
File > Export Packet Dissections   # Export as text/CSV
```

Constraints and Guardrails

Operational Boundaries

  • Capture only authorized network traffic
  • Handle captured data according to privacy policies
  • Avoid capturing sensitive credentials unnecessarily
  • Properly secure PCAP files containing sensitive data

Technical Limitations

  • Large captures consume significant memory
  • Encrypted traffic content not visible without keys
  • High-speed networks may drop packets
  • Some protocols require plugins for full decoding

Best Practices

  • Use capture filters to limit data collection
  • Save captures regularly during long sessions
  • Use display filters rather than deleting packets
  • Document analysis findings and methodology

Examples

Example 1: HTTP Credential Analysis

Scenario: Investigate potential plaintext credential transmission
1. Filter: http.request.method == "POST"
2. Look for login forms
3. Follow HTTP Stream
4. Search for username/password parameters
Finding: Credentials transmitted in cleartext form data.

Example 2: Malware C2 Detection

Scenario: Identify command and control traffic
1. Filter: dns
2. Look for unusual query patterns
3. Check for high-frequency beaconing
4. Identify domains with random-looking names
5. Filter: ip.dst == SUSPICIOUS_IP
6. Analyze traffic patterns
Indicators:
  • Regular timing intervals
  • Encoded/encrypted payloads
  • Unusual ports or protocols
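Two of the indicators listed in Example 2, regular timing intervals and random-looking names, can be scored rather than eyeballed. The Python below is an added example (not part of the original skill): it groups flow records by source/destination pair, measures how evenly spaced the contacts are, and computes the character entropy of a DNS label. The flow records, the 203.0.113.x/198.51.100.x addresses, the domain names and the `min_count`/`max_cv` tuning values are constructed assumptions; in practice the records would come from File > Export Packet Dissections.

```python
"""Added example (not from the original page): two of the C2 indicators from
Example 2 made measurable, regular timing intervals (beaconing) and
random-looking query names. The flow records and domain names below are
constructed; in practice they would come from File > Export Packet Dissections."""
import math
from collections import defaultdict
from statistics import mean, pstdev

def interval_regularity(timestamps):
    """(mean gap, coefficient of variation) of gaps between sorted timestamps.
    A CV near 0 means near-constant spacing, the signature of a beacon."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return (gaps[0] if gaps else 0.0, float("inf"))
    avg = mean(gaps)
    return (avg, pstdev(gaps) / avg if avg else float("inf"))

def find_beacons(records, min_count=5, max_cv=0.1):
    """records: iterable of (timestamp, src_ip, dst_ip). Returns
    {(src, dst): (mean_gap, cv)} for pairs with repeated, evenly spaced contact.
    min_count and max_cv are assumed tuning values, not Wireshark settings."""
    by_pair = defaultdict(list)
    for t, src, dst in records:
        by_pair[(src, dst)].append(t)
    found = {}
    for pair, ts in by_pair.items():
        if len(ts) < min_count:
            continue
        avg, cv = interval_regularity(ts)
        if cv <= max_cv:
            found[pair] = (round(avg, 2), round(cv, 3))
    return found

def label_entropy(name):
    """Shannon entropy (bits per character) of the leftmost DNS label; generated
    names score high, human-chosen ones (www, mail, cdn) score low."""
    label = name.split(".")[0].lower()
    if not label:
        return 0.0
    probs = [label.count(c) / len(label) for c in set(label)]
    return -sum(p * math.log2(p) for p in probs)

# Constructed sample: 10.0.0.5 reaches 203.0.113.7 every 60 s (+/- 1 s jitter),
# while its traffic to 198.51.100.10 is irregular interactive browsing.
SAMPLE_RECORDS = [(1000 + 60 * i + (i % 3) - 1, "10.0.0.5", "203.0.113.7") for i in range(10)]
SAMPLE_RECORDS += [(1000 + t, "10.0.0.5", "198.51.100.10") for t in (3, 5, 40, 41, 95, 230, 231)]
```

Pairs flagged by `find_beacons` are candidates for the `ip.dst == SUSPICIOUS_IP` follow-up in step 5, not a verdict: schedulers, NTP and monitoring agents also beacon regularly.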

Example 3: Network Troubleshooting

Scenario: Diagnose slow web application
1. Filter: ip.addr == WEB_SERVER
2. Check Statistics > Service Response Time
3. Filter: tcp.analysis.retransmission
4. Review I/O Graph for patterns
5. Check for high latency or packet loss
Finding: TCP retransmissions indicating network congestion.

Troubleshooting

No Packets Captured

  • Verify correct interface selected
  • Check for admin/root permissions
  • Confirm network adapter is active
  • Disable promiscuous mode if issues persist

Filter Not Working

  • Verify filter syntax (red = error)
  • Check for typos in field names
  • Use Expression button for valid fields
  • Clear filter and rebuild incrementally

Performance Issues

  • Use capture filters to limit traffic
  • Split large captures into smaller files
  • Disable name resolution during capture
  • Close unnecessary protocol dissectors

Cannot Decrypt TLS/SSL

  • Obtain the server private key (sufficient only for RSA key exchange, not for forward-secret cipher suites)
  • Configure it at Edit > Preferences > Protocols > TLS
  • For ephemeral (forward-secret) key exchange, capture the pre-master/session secrets from the browser and point the TLS preferences at that secrets log
  • Some modern cipher suites cannot be decrypted passively at all

When to Use

Use this skill whenever a task calls for the capture, filtering, stream reconstruction or statistical analysis workflow described above.