I captured live traffic and analyzed it with Wireshark display filters and headless tshark, isolating protocol anomalies and reconstructing full TCP sessions. Precise filtering turned a noisy multi-gigabyte capture into the handful of packets that mattered.

Objective & Context

Packet analysis is the ground truth of networking and security. This lab builds fluency in capture filters (BPF) versus display filters and in following streams, the same skills used in the IoT recon and SOC labs.

Environment & Prerequisites

  • Wireshark 4.2 and tshark; capture privileges on the NIC.
  • A sample pcap or live traffic to analyze.
  • Knowledge of the target protocols (HTTP, DNS, TLS).

Step-by-Step Execution

1. Capture with a BPF filter

tshark -i eth0 -f "host 192.168.20.30 and tcp port 443" -w tls.pcap

2. Apply a display filter and extract fields

tshark -r tls.pcap -Y "tls.handshake.type == 1" -T fields -e tls.handshake.extensions_server_name
tyfsadik.org
cloud.tyfsadik.org

3. Reconstruct an HTTP session

tshark -r web.pcap -q -z follow,tcp,ascii,0

Validation & Testing

Filter to a single conversation and confirm the reconstructed stream matches the expected request/response. Pass criteria: clean filter isolation, correct SNI/Host extraction, and a coherent followed stream with no missing segments.

Advanced: Troubleshooting
  • Capture vs display confusion: BPF filters at capture (libpcap syntax); Wireshark filters at display (different syntax).
  • Missing packets: capture on the correct interface and disable offload that hides segmentation.
  • Encrypted payload: TLS bodies need keys; analyze metadata (SNI, sizes, timing) instead.

Key Results

  • Reduced a multi-gigabyte capture to the relevant flow with one display filter.
  • Extracted SNI and Host fields across 100% of inspected handshakes.
  • Reconstructed full TCP sessions for application-layer review.
  • Built reusable tshark one-liners for headless analysis.