EPISODE · Nov 14, 2025 · 12 MIN
Course 6 - Network Traffic Analysis for Incident Response | Episode 2: Wireshark Features and Comprehensive Protocol Dissection
from CyberCode Academy · host CyberCode Academy
In this lesson, you'll learn about:
- Transitioning from theoretical networking concepts to hands-on traffic analysis.
- Using Wireshark to capture, dissect, filter, and understand live network traffic.
- Identifying how common protocols appear in real packet captures, including their structure and behavior.
- Recognizing how different protocols handle communication, reliability, and security.

Wireshark: Introduction & Core Features

What Wireshark Is:
- A free, GUI-based network traffic analyzer (formerly Ethereal).
- Supports live packet capture and loading .cap / .pcap files.

Key Features Covered:

Capture Management:
- Start live captures with options like promiscuous mode.
- Load and inspect previously saved capture files.

File Handling & Exporting:
- Merge capture files (if timestamps align).
- Import packets from hex dumps.
- Export selected packets or full dissections in text, CSV, JSON, XML.
- Export TLS session keys for decrypting certain encrypted traffic.

UI Navigation:
- Color-coded packet list (e.g., green = TCP/HTTP, red = errors/retransmissions).
- Three-pane layout: Packet list → Protocol dissection → Raw hex/ASCII.

Analysis Tools:
- Display filters for precise inspection (e.g., tcp.port == 80).
- Follow TCP/HTTP Stream to trace entire conversations.
- Decode As to reinterpret traffic running on uncommon ports.

Protocol Dissection: What You'll See in Wireshark

1. IP (IPv4/IPv6)
- View IP headers, including TTL (Time To Live) as a hop count.
- Look at IPv6 structures and tunneling protocols such as 6to4 and 6in4.
- Learn how IPv6 packets travel across IPv4 networks.

2. TCP (Transmission Control Protocol)
- Understand reliability and session management.
- Observe the 3-way handshake: SYN → SYN-ACK → ACK.
- Observe connection teardown: FIN/FIN-ACK or RST.
- Observe flags, sequence numbers, acknowledgments, and retransmissions.

3. UDP (User Datagram Protocol)
- Minimal, fast, connectionless protocol.
- No handshake, no retransmission.
- Used in scenarios requiring speed over reliability.
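To make the IP and TCP material concrete, here is an added example in Python (not code from the episode or from CyberCode Academy): a minimal Ethernet/IPv4/TCP dissector that reads TTL, flags, sequence and acknowledgment numbers from raw frames and labels each segment the way Wireshark's Info column does for a 3-way handshake, a retransmission and an RST. The frames are constructed in the block itself; all addresses, ports and payload contents are made up, and the helper names (build_frame, dissect, analyze) are this example's own.

```python
# Added example (not from the CyberCode Academy episode): a minimal
# Ethernet/IPv4/TCP dissector that reports the header fields Wireshark shows
# (TTL, flags, seq/ack) and labels a 3-way handshake, a retransmission and an
# RST the way the Info column does. Frames are constructed for this example;
# all addresses, ports and contents are made up.
import struct

TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH",
             0x10: "ACK", 0x20: "URG"}


def ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))


def build_frame(src_ip, dst_ip, sport, dport, seq, ack, flags, ttl=64, payload=b""):
    """Construct Ethernet + IPv4 + TCP bytes (checksums left as 0; Wireshark
    would flag them as bad, which is irrelevant for header dissection)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                     ttl, 6, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                      65535, 0, 0)
    return eth + ip + tcp + payload


def dissect(frame):
    """Return the fields an analyst reads from the protocol-dissection pane."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None                      # only IPv4 is handled in this example
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    ttl, proto = frame[22], frame[23]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    info = {"src": src, "dst": dst, "ttl": ttl, "proto": proto}
    if proto != 6:
        return info
    t = 14 + ihl
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", frame[t:t + 14])
    data_off = (off_flags >> 12) * 4     # TCP header length in bytes
    info.update(sport=sport, dport=dport, seq=seq, ack=ack,
                flags=[n for bit, n in TCP_FLAGS.items() if off_flags & bit],
                payload_len=total_len - ihl - data_off)
    return info


def analyze(frames):
    """Label each segment like Wireshark's Info column. A data segment whose
    (flow, seq) was already seen is reported as a retransmission."""
    state, seen, labels = {}, set(), []
    for frame in frames:
        p = dissect(frame)
        flow = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        fl = set(p["flags"])
        if fl == {"SYN"}:
            state[flow] = "SYN"
            label = "SYN (handshake 1/3)"
        elif fl == {"SYN", "ACK"} and state.get(rev) == "SYN":
            state[rev] = "SYN-ACK"
            label = "SYN-ACK (handshake 2/3)"
        elif fl == {"ACK"} and state.get(flow) == "SYN-ACK" and p["payload_len"] == 0:
            state[flow] = "ESTABLISHED"
            label = "ACK (handshake 3/3, established)"
        elif "RST" in fl:
            label = "RST (abortive teardown)"
        elif "FIN" in fl:
            label = "FIN (graceful teardown)"
        elif p["payload_len"] > 0 and (flow, p["seq"]) in seen:
            label = f"[TCP Retransmission] {p['payload_len']} bytes"
        else:
            label = f"{'+'.join(p['flags'])} len={p['payload_len']}"
        if p["payload_len"] > 0:
            seen.add((flow, p["seq"]))
        labels.append(label)
    return labels


# Constructed capture: handshake to port 80, a GET sent twice (the second copy
# is a retransmission), then the server aborts with RST.
C, S = "10.0.0.5", "10.0.0.80"
REQ = b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"
SAMPLE = [
    build_frame(C, S, 40000, 80, 1000, 0, 0x02),
    build_frame(S, C, 80, 40000, 5000, 1001, 0x12, ttl=61),
    build_frame(C, S, 40000, 80, 1001, 5001, 0x10),
    build_frame(C, S, 40000, 80, 1001, 5001, 0x18, payload=REQ),
    build_frame(C, S, 40000, 80, 1001, 5001, 0x18, payload=REQ),
    build_frame(S, C, 80, 40000, 5001, 1028, 0x14, ttl=61),
]

if __name__ == "__main__":
    for frame, label in zip(SAMPLE, analyze(SAMPLE)):
        p = dissect(frame)
        print(f"{p['src']}:{p['sport']} -> {p['dst']}:{p['dport']} ttl={p['ttl']} {label}")
```

The retransmission rule here is deliberately simple (same flow and sequence number seen twice with data); Wireshark's expert analysis also distinguishes fast and spurious retransmissions using timing and acknowledgment state, which this example does not model. The server's TTL of 61 versus the client's 64 is the hop-count observation from the IP section: each router on the path decremented it.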
4. ICMP (Internet Control Message Protocol)
- Used for error reporting and diagnostic tools like:
  - Ping (Echo Request/Reply – Type 8/Type 0)
  - Traceroute
- Note: While essential, ICMP must be carefully controlled on networks.

5. ARP (Address Resolution Protocol)
- Maps IP → MAC inside local networks.
- Its stateless nature allows ARP poisoning, a common man-in-the-middle technique.

Higher-Level / Application Protocols in Wireshark

1. DNS (Domain Name System)
- Seen mostly over UDP.
- Analyze queries, recursion, and multiple responses (A, MX, etc.).

2. HTTP (Hypertext Transfer Protocol)
- Review request lines, headers (User-Agent, Host, URI) and response codes.
- HTTP is common in analysis due to high traffic volume.
- Also widely monitored because attackers often misuse it for hidden communications.

3. FTP (File Transfer Protocol)
- A clear-text protocol: credentials and transfers are visible in packet captures.
- Highlights the need for secure alternatives (FTPS / SFTP).

4. IRC (Internet Relay Chat)
- Simple text-based protocol.
- Multi-user channels make it useful for automation and remote coordination tools.

5. SMTP (Simple Mail Transfer Protocol)
- Clear-text protocol for sending emails.
- Username/password often appear in Base64, which is easily decoded.
- Typically secured using TLS.

6. SSH (Secure Shell)
- Encrypted remote terminal access.
- Only the early handshake is readable; session content is encrypted by design.
- Demonstrates why encrypted protocols prevent content inspection.

7. TFTP (Trivial File Transfer Protocol)
- Runs over UDP.
- Very simple; no authentication.
- Traffic, including files, appears in clear text.

Key Takeaways
- You'll gain practical experience by capturing, filtering, and interpreting traffic directly in Wireshark.
- Observing how protocols appear "on the wire" builds intuition for normal vs. abnormal behavior.
- This hands-on section prepares you for real-world network forensics, troubleshooting, and security analysis in an ethical academic environment.

You can listen to and download our episodes for free on more than 10 different platforms: https://linktr.ee/cybercode_academy
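The FTP, SMTP and HTTP points above (credentials visible in clear text, Base64 that is trivially decoded, request lines and headers worth reviewing) can be checked programmatically once a conversation has been reassembled with Follow TCP Stream. The following is an added example in Python (not code from the episode or from CyberCode Academy): it scans the client side of reassembled stream text for FTP USER/PASS, SMTP AUTH PLAIN / AUTH LOGIN and HTTP Basic credentials, redacting the password in each finding, and summarizes an HTTP request line with its Host and User-Agent headers. The stream contents, user names, hosts and passwords are all constructed for the example, and the function names are this example's own.

```python
# Added example (not from the CyberCode Academy episode): after "Follow TCP
# Stream" on FTP, SMTP or HTTP traffic, scan the client side of the reassembled
# text for clear-text credentials and summarize an HTTP request line.
# All stream contents below are constructed; user names, hosts and passwords
# are made up, and passwords are redacted in the findings.
import base64
import binascii


def _b64(token):
    """Decode a Base64 token, or return None if it is not valid Base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def redact(secret):
    """Keep the first character so an analyst can confirm the match without
    copying the password into a report."""
    return secret[:1] + "*" * (len(secret) - 1) if secret else ""


def find_cleartext_credentials(stream_text):
    """Return (protocol, username, redacted_password) tuples for FTP USER/PASS,
    SMTP AUTH PLAIN / AUTH LOGIN and HTTP Basic found in a client-side stream."""
    findings, lines, user = [], stream_text.splitlines(), None
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        up = line.upper()
        if up.startswith("USER "):                          # FTP
            user = line[5:]
        elif up.startswith("PASS "):
            findings.append(("FTP", user, redact(line[5:])))
        elif up.startswith("AUTH PLAIN "):                  # SMTP, "\0user\0pw" in one token
            dec = _b64(line.split(" ", 2)[2])
            if dec and dec.count("\0") == 2:
                _, u, pw = dec.split("\0")
                findings.append(("SMTP AUTH PLAIN", u, redact(pw)))
        elif up == "AUTH LOGIN" and i + 2 < len(lines):    # SMTP, user and pw on the next two lines
            u, pw = _b64(lines[i + 1].strip()), _b64(lines[i + 2].strip())
            if u is not None and pw is not None:
                findings.append(("SMTP AUTH LOGIN", u, redact(pw)))
                i += 2
        elif up.startswith("AUTHORIZATION: BASIC "):        # HTTP, "user:pw" in one token
            dec = _b64(line.split(" ", 2)[2])
            if dec and ":" in dec:
                u, pw = dec.split(":", 1)
                findings.append(("HTTP Basic", u, redact(pw)))
        i += 1
    return findings


def summarize_http_request(stream_text):
    """Pull out the request line and the headers the episode highlights."""
    head = stream_text.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    method, uri, version = lines[0].split(" ", 2)
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": uri, "version": version,
            "host": headers.get("host"), "user_agent": headers.get("user-agent")}


def b64(s):
    return base64.b64encode(s.encode()).decode()


# Constructed client-side stream text (the client half of Follow TCP Stream).
FTP_STREAM = "USER alice\r\nPASS hunter2\r\nLIST\r\n"
SMTP_STREAM = ("EHLO mail.example.invalid\r\nAUTH LOGIN\r\n" + b64("bob") + "\r\n"
               + b64("s3cret") + "\r\nMAIL FROM:<bob@example.invalid>\r\n")
HTTP_STREAM = ("GET /admin HTTP/1.1\r\nHost: intranet.example.invalid\r\n"
               "User-Agent: curl/8.0\r\nAuthorization: Basic " + b64("carol:pw123")
               + "\r\n\r\n")

if __name__ == "__main__":
    for name, stream in (("FTP", FTP_STREAM), ("SMTP", SMTP_STREAM), ("HTTP", HTTP_STREAM)):
        print(name, find_cleartext_credentials(stream))
    print(summarize_http_request(HTTP_STREAM))
```

Feeding the client half of a reassembled stream (Wireshark's Follow TCP Stream dialog can show one direction only and save it as text) to find_cleartext_credentials gives a quick inventory of accounts that were exposed on the wire, which is the evidence needed to justify moving those services to FTPS/SFTP and SMTP over TLS. The AUTH LOGIN branch assumes the two Base64 lines follow the command directly, which holds for a client-only extract; an interleaved two-way stream would have the server's 334 prompts between them.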