Wireshark II: Filters and Following Streams

Cyber Security Mastery: From Zero to Hero

Analyzing Massive Traffic

Wireshark often captures thousands of packets per second. You must use filters to find the needle in the haystack.

1. Capture Filters (Before Capturing)

Capture filters use Berkeley Packet Filter (BPF) syntax, the same syntax as tcpdump, and are applied while capturing: packets that do not match are never written to disk, which keeps the file small and the capture overhead low. The trade-off is that a packet dropped by a capture filter is gone for good, so keep capture filters broad and do the fine-grained searching with display filters.

  • Example: Only capture traffic destined for TCP port 80:

tcp port 80

2. Display Filters (After Capturing)

Display filters use Wireshark's own field-based syntax and are applied to packets that have already been captured. They only hide packets from view, so you can change them as often as you like without losing any data.

  • Example: Show all HTTP packets whose dissected bytes contain the word 'password':

http contains "password"

Note that the field name `data` only exists when no dissector decoded the payload, so a filter such as `data contains "password"` will rarely match HTTP traffic; `http contains` searches the bytes of the HTTP layer itself.

Following TCP/UDP Streams

This crucial feature reassembles the conversation between two hosts in the order the data was actually sent. Right-click on a packet, select 'Follow', and then 'TCP Stream' (or 'UDP Stream' for UDP traffic). Wireshark applies a `tcp.stream eq N` display filter for that conversation and shows the complete text of the session, with each direction in its own colour, making it easy to spot HTTP requests, login attempts, or unencrypted data transfers, including strings that are split across several packets and therefore missed by a per-packet `contains` filter.
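The following Python script is an added example, not part of the course material, showing what Follow > TCP Stream does behind the scenes and why it finds things a per-packet display filter cannot. It reassembles a constructed set of TCP segments (out of order, with one retransmission) per direction by sequence number, then compares a per-segment search for "password" (what `contains` does on each packet) with a search over the reassembled stream. The packet format, addresses and HTTP content are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    src: str        # "ip:port" of the sender (constructed)
    dst: str        # "ip:port" of the receiver
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes

# Constructed sample capture: an HTTP POST whose body is split across two
# segments, captured out of order, plus one retransmission and the reply.
CLIENT, SERVER = "10.0.0.5:51234", "10.0.0.9:80"
SAMPLE = [
    Segment(CLIENT, SERVER, 1044, b"user=alice&pass"),
    Segment(CLIENT, SERVER, 1000, b"POST /login HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Segment(SERVER, CLIENT, 5000, b"HTTP/1.1 302 Found\r\n\r\n"),
    Segment(CLIENT, SERVER, 1059, b"word=hunter2"),
    Segment(CLIENT, SERVER, 1044, b"user=alice&pass"),   # retransmission
]

def reassemble(segments, src, dst):
    """Concatenate one direction's payload in sequence order, dropping
    retransmitted/overlapping bytes and marking gaps where a segment is
    missing from the capture (the gap marker text is our own)."""
    by_seq = {}
    for s in segments:
        if (s.src, s.dst) == (src, dst):
            by_seq.setdefault(s.seq, s.payload)    # first copy wins
    out, expected = b"", None
    for seq in sorted(by_seq):
        chunk = by_seq[seq]
        if expected is not None:
            if seq > expected:
                out += b"[%d bytes missing in capture]" % (seq - expected)
            elif seq < expected:
                chunk = chunk[expected - seq:]     # trim overlapping bytes
        out += chunk
        expected = max(expected or 0, seq + len(by_seq[seq]))
    return out

def follow_tcp_stream(segments, client, server):
    """Both directions of the conversation, as Follow > TCP Stream shows them."""
    return reassemble(segments, client, server), reassemble(segments, server, client)

def segments_containing(segments, needle):
    """Per-packet match, like a `contains` display filter evaluated on each frame."""
    return [s for s in segments if needle in s.payload]

if __name__ == "__main__":
    c2s, s2c = follow_tcp_stream(SAMPLE, CLIENT, SERVER)
    print("per-packet hits for 'password':", len(segments_containing(SAMPLE, b"password")))
    print("stream contains 'password':", b"password" in c2s)
```

Run as-is: the per-packet search finds no segment containing "password" because the word straddles two segments, while the reassembled client-to-server stream contains it.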