
Wireshark: The World's #1 Network Protocol Analyzer

Capture and interactively analyze network traffic in real time. Wireshark is the essential tool for packet analysis, forensic investigation, and understanding how protocols work under the hood.

60 min · 4.8 rating · 2,761 completions · Forensics
Lab Details
Tool: Wireshark
Difficulty: Intermediate
Duration: 60 min
Category: Forensics
Points: 150 pts
Certs: CEH · CHFI · PNPT
Cost: FREE
What is Wireshark?
Tool overview and real-world usage

Wireshark is a free, open-source packet analyzer used for network troubleshooting, analysis, software and communications protocol development, and education. It displays captured packet data in as much detail as possible.

Wireshark is used by penetration testers, SOC analysts, red teams, and security researchers worldwide. It is a core tool requirement for certifications including CEH · CHFI · PNPT.

Live packet capture on network interfaces
Display filter syntax and expressions
Protocol dissection and inspection
TCP stream reconstruction
HTTP/HTTPS traffic analysis
File extraction from network captures
Step-by-Step Commands
Follow each step in order
01 Start capture on interface
Open Wireshark → Select your network interface → Click the blue shark fin Start button
Command (terminal):
wireshark -i eth0 -w capture.pcapng
Starts a packet capture on the eth0 interface and saves it to a file. Use -i any to capture on all interfaces simultaneously.
02 Filter HTTP traffic
Show only HTTP requests and responses to reduce noise
Display filter:
http
Display filter: shows only HTTP packets. Type in the filter bar at the top. Green = valid filter, Red = invalid syntax.
03 Filter by IP address
Isolate traffic to/from a specific host
Display filter:
ip.addr == 192.168.1.10
Filters all packets where source OR destination is 192.168.1.10. Use ip.src or ip.dst for directional filtering.
04 Follow TCP Stream
Reconstruct a full TCP conversation
GUI action:
Right-click a packet → Follow → TCP Stream
Reassembles the entire TCP session into readable text. Invaluable for reading HTTP conversations, credentials in plaintext, and malware C2 traffic.
05 Export HTTP Objects
Extract files transferred over HTTP
GUI action:
File → Export Objects → HTTP
Extracts all files (images, executables, documents) transferred over HTTP during the capture. Critical for malware forensics.
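To make clear what steps 02 to 05 actually do under the hood, here is an added Python example (not code from this lab page or from the Wireshark project) that builds a tiny pcap in memory, applies an ip.addr-style filter, reassembles a TCP stream by sequence number, and carves the HTTP object out of the response. It goes slightly beyond the steps above by delivering the response segments out of order, which is exactly the case where "Follow TCP Stream" earns its keep. The capture, the addresses 192.168.1.10 and 93.184.216.34, the ports, and the file name logo.gif are all constructed sample data.

```python
"""Wireshark's filter / follow-stream / export-objects logic, in code.
Added example with a constructed capture; not the lab's or Wireshark's code."""
import struct
from collections import defaultdict


def _frame(src, dst, sport, dport, seq, payload, flags=0x18):
    """Build Ethernet + IPv4 + TCP bytes (checksums left zero: fine for a parsing demo)."""
    eth = b"\x00" * 6 + b"\x11" * 6 + b"\x08\x00"                      # dst MAC, src MAC, type IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp + payload


def build_sample_pcap():
    """Constructed capture: one HTTP GET, a response split in two segments, and noise."""
    body = b"GIF89a" + b"\x00" * 10                                       # fake image bytes
    head = b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\nContent-Length: %d\r\n\r\n" % len(body)
    frames = [
        _frame("192.168.1.10", "93.184.216.34", 40000, 80, 1000,
               b"GET /logo.gif HTTP/1.1\r\nHost: example.test\r\n\r\n"),
        # body segment arrives BEFORE the header segment (out of order on purpose)
        _frame("93.184.216.34", "192.168.1.10", 80, 40000, 5000 + len(head), body),
        _frame("93.184.216.34", "192.168.1.10", 80, 40000, 5000, head),
        _frame("10.0.0.5", "10.0.0.9", 1234, 53, 1, b"noise"),          # unrelated host pair
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)     # pcap global header, link=Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f  # record header + frame
    return out


def read_pcap(data):
    """Yield (src_ip, dst_ip, sport, dport, seq, payload) for every TCP-over-IPv4 frame."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(data):
        _, _, caplen, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00":                                  # not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        ip = frame[14:14 + ihl]
        if ip[9] != 6:                                                   # not TCP
            continue
        total_len = struct.unpack("!H", ip[2:4])[0]
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        tcp = frame[14 + ihl:14 + total_len]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        data_off = (tcp[12] >> 4) * 4
        yield (src, dst, sport, dport, seq, tcp[data_off:])


def filter_ip_addr(packets, host):
    """Same semantics as the display filter `ip.addr == host`: source OR destination."""
    return [p for p in packets if host in (p[0], p[1])]


def follow_tcp_stream(packets, client, server, cport, sport):
    """Follow -> TCP Stream: collect both directions of one 4-tuple, order by seq, concatenate."""
    dirs = defaultdict(list)
    wanted = {(client, server, cport, sport), (server, client, sport, cport)}
    for src, dst, sp, dp, seq, payload in packets:
        if (src, dst, sp, dp) in wanted:
            dirs[(src, sp)].append((seq, payload))
    join = lambda key: b"".join(p for _, p in sorted(dirs[key]))         # seq order fixes reordering
    return join((client, cport)), join((server, sport))


def export_http_object(response_bytes):
    """Export Objects -> HTTP: split headers from body and honour Content-Length."""
    head, _, body = response_bytes.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:                                 # skip the status line
        k, _, v = line.partition(b":")
        headers[k.strip().lower()] = v.strip()
    length = int(headers.get(b"content-length", len(body)))
    return headers.get(b"content-type", b""), body[:length]


if __name__ == "__main__":
    pkts = list(read_pcap(build_sample_pcap()))
    print(len(filter_ip_addr(pkts, "192.168.1.10")), "packets match ip.addr == 192.168.1.10")
    client_data, server_data = follow_tcp_stream(pkts, "192.168.1.10", "93.184.216.34", 40000, 80)
    ctype, obj = export_http_object(server_data)
    print("request:", client_data.split(b"\r\n")[0], "| exported", len(obj), "bytes of", ctype)
```

Run it as-is; it needs only the standard library. The same four steps are what tshark does with `-Y`, `-z follow,tcp,...` and `--export-objects`, so once the logic is clear in code, the GUI clicks in steps 02 to 05 stop being magic.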
Lab Hints
Click to reveal hints one at a time
Hint 1
Always work in an authorized environment. Never use Wireshark on networks or systems you do not have explicit written permission to test.
Hint 2
Save all your output and notes as you go. Penetration test reports require evidence — screenshots, command output, and timestamps. Use tee or output redirection to capture everything.
Hint 3
If something fails, check your network connectivity first. Then verify you have the correct target IP. Then check if a firewall or IDS is blocking your attempts.
Hint 4
Practice on intentionally vulnerable machines: TryHackMe, HackTheBox, VulnHub, or DVWA. These are legal targets designed for learning. Never practice on real targets without permission.