Wireshark is the go-to network traffic analyzer for enthusiasts. It is a robust program with a lot of options and settings available to the user, so it will be covered in a handful of lessons.
First, you can download it here.
So after you fire up a capture you will get a screen full of packets pretty quickly, an intimidating number of them. So first we will talk about some ways to drill down into this pile.
Handy Filters to begin with
The most important filter IMHO is
ip.addr == 0.0.0.0
This filter shows only packets that have the given IP address as either the source or the destination of the packet. This makes it easy to get a look at a single conversation.
Filter by port with this:
tcp.port == 443
Looking at Logins
Now I did a login on a site that does not have a certificate to show
you how the login information is sent in clear text across the
Above is a look at some of the packets.
But I know we captured a login attempt, so let's try to find it.
Know this: you cannot create a display filter based on the contents of the Info column.
If you want to search for the text you see in the Info column, use CTRL+F or Edit->Find Packet...
and search in Packet Details or Packet Bytes instead.
This grabbed the packet I already had highlighted above. We can pop it open and look inside.
Here, under the Form URL Encoded section, we can see a nicely laid out list where my login creds are displayed in clear text.
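To make the filter semantics and the Form URL Encoded view concrete, here is an added Python example (my own, not code from the original post) that applies the ip.addr and tcp.port matching rules and the Find Packet byte search to a constructed four-packet capture, pulls the form fields out of the cleartext POST, and flags it the way a defender would alert on credentials sent over port 80. Packet, CAPTURE and all function names are assumptions for this example.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs
@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes  # raw TCP payload, what the Packet Bytes pane shows
# Constructed sample capture (not a real trace): a cleartext form login, one TLS
# record, a search GET, and the server's reply. IPs are documentation addresses.
CAPTURE = [
    Packet("192.168.1.20", "203.0.113.10", 51000, 80,
           b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
           b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
           b"username=alice&password=hunter2"),
    Packet("192.168.1.20", "203.0.113.11", 51001, 443,
           b"\x17\x03\x03\x00\x30" + bytes(48)),   # TLS record, opaque ciphertext
    Packet("192.168.1.20", "203.0.113.12", 51002, 80,
           b"GET /search?q=wireshark HTTP/1.1\r\nHost: search.test\r\n\r\n"),
    Packet("203.0.113.10", "192.168.1.20", 80, 51000, b"HTTP/1.1 302 Found\r\n\r\n"),
]

def ip_addr(pkts, addr):
    """ip.addr == addr: keep packets with addr as source OR destination."""
    return [p for p in pkts if addr in (p.src, p.dst)]

def tcp_port(pkts, port):
    """tcp.port == port: keep packets with port at either end of the connection."""
    return [p for p in pkts if port in (p.sport, p.dport)]

def find_packet(pkts, needle):
    """Edit->Find Packet over Packet Bytes: substring search of the raw payload."""
    return [p for p in pkts if needle in p.payload]

def form_fields(p):
    """Fields of a form-urlencoded POST (the 'Form URL Encoded' section); None otherwise."""
    head, sep, body = p.payload.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"POST ") or b"x-www-form-urlencoded" not in head:
        return None
    return {k: v[0] for k, v in parse_qs(body.decode("utf-8", "replace")).items()}

def cleartext_credential_posts(pkts):
    """Defender's check: form POSTs on port 80 carrying a password-like field."""
    hits = []
    for p in tcp_port(pkts, 80):
        fields = form_fields(p)
        if fields and any(k.lower() in ("password", "passwd", "pass") for k in fields):
            hits.append((p.src, p.dst, fields))
    return hits
```

The TLS packet on 443 yields no fields at all, which is exactly the difference the next screenshots show.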
Here is what it would look like on a site that encrypts your creds.
You can see that this packet was sent over TLS and everything in it is encrypted, but I assume this is the login information since it was the biggest packet coming from my source.
Look at the highlighted information above and notice how you cannot make out what the user name is. Thanks, HTTPS.
Web Search Queries
Search queries are often not encrypted. Google does now encrypt by default, but Bing, Baidu, Naver, and Xu do not.
Packets carrying search queries look like this:
You can see the search query nested in the GET request highlighted below.
Each packet is encapsulated inside a frame that states the packet's destination. Your NIC (Network Interface Card) reads the frames that come across the line, and if it sees that a frame is not intended for that particular NIC it stops reading the packet and moves on to the next.
This is the default setting for the sake of speed, so if you want your NIC to analyze the entire breadth of packets coming across the line you need to change its default setting to promiscuous mode. Wireshark enables this by default; you can see the setting under Capture Options: