Wireshark III: Analyzing Common Protocols (HTTP, DNS)

Cyber Security Mastery: From Zero to Hero

Protocol-Specific Analysis

HTTP (Hypertext Transfer Protocol)

Because HTTP is cleartext (unencrypted), Wireshark shows the complete request and response: headers, cookies, and the body of POST requests such as submitted login forms.

  • Display Filter: http
  • Security Insight: Look for sensitive information being submitted via unencrypted connections (e.g., login attempts over HTTP instead of HTTPS).

DNS (Domain Name System)

DNS typically uses UDP port 53.

  • Display Filter: dns
  • Security Insight: DNS queries can be used for data exfiltration (DNS tunneling) or identifying targets. An analyst might look for unusual domain names or unusually large DNS query responses.
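A worked example, added here and not part of the original lesson: a short Python script that applies the two indicators above (unusual query names, unusually large responses) to constructed DNS records shaped like fields exported from Wireshark or tshark. The domains, thresholds and function names are illustrative assumptions, not Wireshark features.

```python
# Added example, not part of the lesson: score DNS records for the tunneling
# indicators named above (unusual query names, unusually large responses).
# Field shape mirrors tshark exports (dns.qry.name, frame.len); all records are constructed.
import math
from collections import Counter

# Constructed: a 44-character hex label typical of encoded-data tunnels
TUNNEL_QUERY = "a3f9c0d1e2b4a5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0.d4t4.tunnel.example"

# (query name, response frame length in bytes)
SAMPLE_DNS = [
    ("www.example.com", 120),
    (TUNNEL_QUERY, 900),
    ("_sip._tcp.example.com", 700),   # legit SRV lookup: big answer, ordinary name
]

def shannon_entropy(s):
    """Bits per character; encoded or random labels score well above English."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def dns_indicators(name, resp_len, max_name=60, max_label=40,
                   max_entropy=3.5, max_resp=512):
    """Return the list of indicators triggered by one query/response pair."""
    labels = name.rstrip(".").split(".")
    flags = []
    if len(name) > max_name:
        flags.append("long_name")
    if any(len(label) > max_label for label in labels):
        flags.append("long_label")
    # Entropy on the subdomain only: the registered domain would dilute the score.
    sub = ".".join(labels[:-2])
    if sub and shannon_entropy(sub) > max_entropy:
        flags.append("high_entropy")
    if resp_len > max_resp:
        flags.append("large_response")
    return flags

def suspicious_queries(records, min_indicators=2):
    """Map query name -> indicators; one indicator alone (e.g. a big SRV answer) is normal."""
    hits = {}
    for name, resp_len in records:
        flags = dns_indicators(name, resp_len)
        if len(flags) >= min_indicators:
            hits[name] = flags
    return hits

if __name__ == "__main__":
    for name, flags in suspicious_queries(SAMPLE_DNS).items():
        print(f"{name}: {', '.join(flags)}")
```

In practice, export the query names and frame lengths from a capture filtered with dns and feed them into suspicious_queries; the thresholds should be tuned against your own network's baseline.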

Analyzing Credentials

Use display filters to quickly isolate traffic from protocols that commonly carry credentials:

  • ftp (FTP often transmits passwords in cleartext)
  • telnet (Telnet transmits everything in cleartext)

Defensive Note: The only reliable defense against sniffing passwords in transit is robust encryption (SSL/TLS).