> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Wireshark

> Wireshark packet analysis: display filters, protocol analysis, credential capture, and pcap forensics.

## Capture

```bash theme={"dark"}
wireshark -i eth0
wireshark -i eth0 -k                 # Start capture immediately
wireshark -i eth0 -w capture.pcap    # Save to file
```

### CLI (tshark)

```bash theme={"dark"}
tshark -i eth0
tshark -i eth0 -w capture.pcap
tshark -r capture.pcap
```

***

## Display Filters

### By Protocol

```
http
dns
tcp
udp
smb
smb2
ftp
ssh
telnet
icmp
arp
```

### By IP

```
ip.addr == 10.10.10.10
ip.src == 10.10.10.10
ip.dst == 10.10.10.10
!(ip.addr == 10.10.10.10)
```

### By Port

```
tcp.port == 80
tcp.dstport == 443
udp.port == 53
```

### By Flags

```
tcp.flags.syn == 1
tcp.flags.reset == 1
tcp.flags.fin == 1
tcp.flags.syn == 1 && tcp.flags.ack == 0    # SYN only
```

### Combine

```
ip.addr == 10.10.10.10 && tcp.port == 80
http.request.method == "POST"
http.response.code == 200
dns.qry.name contains "target"
```

***

## Capture Filters (BPF)

Applied before capture (less CPU):

```
host 10.10.10.10
port 80
src host 10.10.10.10
dst port 443
net 10.10.10.0/24
tcp port 80 and host 10.10.10.10
```

***

## Follow Streams

Right-click packet → Follow → TCP/UDP/HTTP Stream.

### tshark

```bash theme={"dark"}
tshark -r capture.pcap -z follow,tcp,ascii,0
```

***

## Credential Extraction

### HTTP Auth

```
http.authbasic
```

### FTP

```
ftp.request.command == "USER" || ftp.request.command == "PASS"
```

### Telnet

```
telnet
```

Follow TCP stream to see plaintext credentials.

### SMB

```
ntlmssp
```

### SMTP

```
smtp.req.command == "AUTH"
```

***

## Export Objects

File → Export Objects → HTTP/SMB/FTP/TFTP.

### tshark

```bash theme={"dark"}
tshark -r capture.pcap --export-objects http,./exported/
tshark -r capture.pcap --export-objects smb,./exported/
```

***

## Statistics

* Statistics → Endpoints (top talkers)
* Statistics → Conversations (who talks to whom)
* Statistics → Protocol Hierarchy (protocol breakdown)
* Statistics → I/O Graphs (traffic over time)

***

## Useful Filters

| Purpose         | Filter                                |
| --------------- | ------------------------------------- |
| HTTP requests   | `http.request`                        |
| POST data       | `http.request.method == "POST"`       |
| DNS queries     | `dns.flags.response == 0`             |
| Failed logins   | `ftp.response.code == 530`            |
| ARP requests    | `arp.opcode == 1`                     |
| ICMP            | `icmp`                                |
| Cleartext creds | `http.authbasic \|\| ftp \|\| telnet` |

***

## tshark One-Liners

```bash theme={"dark"}
# Extract HTTP URLs
tshark -r capture.pcap -Y "http.request" -T fields -e http.host -e http.request.uri

# Extract DNS queries
tshark -r capture.pcap -Y "dns.flags.response == 0" -T fields -e dns.qry.name

# Extract credentials
tshark -r capture.pcap -Y "http.authbasic" -T fields -e http.authbasic
```

***

## Quick Reference

| Task          | Filter/Command                     |
| ------------- | ---------------------------------- |
| Filter by IP  | `ip.addr == TARGET`                |
| HTTP POST     | `http.request.method == "POST"`    |
| Follow stream | Right-click → Follow → TCP Stream  |
| Export files  | File → Export Objects → HTTP       |
| Credentials   | `http.authbasic`, `ftp`, `ntlmssp` |
