TryHackMe: Wireshark Packet Operations Walkthrough (SOC Level 1)

Welcome to this walkthrough of the Wireshark: Packet Operations Room on TryHackMe. In this room we will cover advanced features of the Wireshark by focusing on packet-level details with Wireshark statistics, filters, operators and functions. Be sure to checkout the walkthrough on the previous Wireshark room: TryHackMe: Wireshark: The Basics (SOC Level 1)

Wireshark Packet Operations Banner
Wireshark Packet Operations Banner

Room URL:
https://tryhackme.com/room/wiresharkpacketoperations

I am making these walkthroughs to keep myself motivated to learn cyber security, and ensure that I remember the knowledge gained by these challenges on HTB and THM. Join me on learning cyber security. I will try and explain concepts as I go, to differentiate myself from other walkthroughs.

Now, let’s move on!

Table of Contents

Task 1: Introduction

In this room, we will cover the fundamentals of packet analysis with Wireshark and investigate the event of interest at the packet-level. Note that this is the second room of the Wireshark room trio, and it is suggested to visit the first room (Wireshark: The Basics) to practice and refresh your Wireshark skills before starting this one.

In the first room, we covered the basics of the Wireshark by focusing on how it operates and how to use it to investigate traffic captures. In this room, we will cover advanced features of the Wireshark by focusing on packet-level details with Wireshark statistics, filters, operators and functions.

Questions

Read the task above.

Answer: No answer needed

Task 2: Statistics | Summary

The summary menu provides an overview of network traffic, protocols, endpoints, and conversations to help analysts form investigative hypotheses. Here are some of the functionality found in this menu:

  • Resolved Addresses: Lists IP addresses and DNS names found in the capture file, helping analysts identify accessed resources.
  • Protocol Hierarchy: Displays a breakdown of protocols in a tree format, showing usage percentages and allowing for event filtering.
  • Conversations: Shows traffic between two endpoints in Ethernet, IPv4, IPv6, TCP, or UDP formats, helping analysts track interactions.
  • Endpoints: Similar to conversations but focuses on unique endpoints, with options to resolve MAC addresses to manufacturer names.
  • Name Resolution: Converts MAC addresses, IP addresses, and port names into human-readable formats but must be enabled in settings.
  • GeoIP Mapping: Allows for IP geolocation using MaxMind databases, providing source and destination address mapping, though it requires an internet connection.

Questions

Investigate the resolved addresses. What is the IP address of the hostname starts with “bbc”?

Go into Statistics -> Resolved Addresses:

Resolved address menu entry
Resolved address menu entry

A window will show up with a list of addresses (both IP and MAC) and the hostnames they resolve to.

Resolved address bbc
Resolved address bbc

Search for bbc and you will find the answer: 199.232.24.81.

Answer: 199.232.24.81

What is the number of IPv4 conversations?

Conversation represents traffic between two specific endpoints. To see an overview over all conversations go to Statistics -> Conversations.

Number of IPv4 conversations
Number of IPv4 conversations

You can see the answer in the top, on the second tab.

Answer:435

How many bytes (k) were transferred from the “Micro-St” MAC address?

This time it is time to look at the Endpoints window, by going at Statistics -> Endpoints.

While you could first to to Resolved Addresses to find the MAC address corresponding to the Micro-St manufacturer, the easier way is to check Name resolution in the Endpoints window, as shown below.

Find the correct Address, and find the answer in column 3.

Micro-St transfers
Micro-St transfers

Answer: 7474

What is the number of IP addresses linked with “Kansas City”?

Stay inside the Endpoints window, but go inside the IPv4 overview tab. Here you will see a column called City. Simply press on it to order by city name:

Kansas City IPv4 connections
Kansas City IPv4 connections

Scroll down and you will find 4 entries from Kansas City.

Answer: 4

Which IP address is linked with “Blicnet” AS Organisation?

Once again, we can stay into the Endpoints window. There is another field called AS Organization. As before, click on the column title to sort. Find Blicnet and note that there is only one entry,

Blicnet IP address
Blicnet IP address

On that row you will also find the IP address: 188.246.82.7.

Answer: 188.246.82.7

Task 3: Statistics | Protocol Details

Wireshark has some additional features which gives us the option to narrow the types of protocols which the statistics relate to:

  • IPv4 and IPv6 Statistics: Allows analysts to filter and analyze packets based on IP version to focus on events linked to either IPv4 or IPv6.
  • DNS Statistics: Provides a breakdown of all DNS packets, including query types, response codes, and overall service usage.
  • HTTP Statistics: Displays HTTP packet data, including request and response codes, helping analysts assess web traffic activity.

Questions

What is the most used IPv4 destination address?

To the IPv4 statistics, we need to go to Statistics -> IPv4 Statistics -> Destinations and Ports.

IPv4 Statistics Destinations
IPv4 Statistics Destinations

In this window you can filter on the Count Column, and the IP address on the top (you might have to click twice) will have the highest count (29387).

Most used IPv4 address
Most used IPv4 address

PS: I found out you can get the same information from the Source and Destination Addresses window, also found under Statistics -> IPv4 Statistics.

Answer:10.100.1.33

What is the max service request-response time of the DNS packets?

Go to Statistics -> DNS. Then find the correct Topic, request-response time (secs) underneath Service Stats.

Max service request-response time
Max service request-response time

Finally, look for the Max val column.

Answer: 0.467897

What is the number of HTTP Requests accomplished by “rad[.]msn[.]com?

I guess you know where to go now. Go to Statistics -> HTTP -> Load Distribution.

Sort by the Topic / Item, and you should be able to find rad.msn.com.

Load distribution
Load distribution

The answer is 24 +15, you can figure it out..

Answer: 39

Task 4: Packet Filtering | Principles

Wireshark uses two types of filters for packet analysis:

  1. Capture Filters – Applied before capturing traffic, these filters save only specific packets and cannot be changed during capture. They use byte offsets, hex values, and boolean operators (e.g., tcp port 80). Only experienced users should rely on them, as incorrect filters can miss critical data.

  2. Display Filters – Used to refine visible packets after capture, these filters support 3000+ protocols and allow detailed packet inspection. They can be changed dynamically (e.g., tcp.port == 80).

Filter Syntax and Operators

  • Comparison Operators (==, !=, >, <, >=, <=) allow searching for specific values in packets.
  • Logical Operators (&&/AND, ||/OR, !/NOT) enable complex filtering conditions.
  • Packet Filter Toolbar provides color-coded feedback:
    • Green = Valid filter
    • Red = Invalid filter
    • Yellow = Unreliable filter

Questions

Read the task above

Answer: No answer needed

Task 5: Packet Filtering | Protocol Filters

Wireshark supports 3,000 protocols and enables packet-level investigation using filters. These filters help analysts isolate relevant traffic based on different protocol layers:

1. IP Filters (Network Layer)

IP filters help analyze traffic based on network-level information like IP addresses, TTL, flags, and checksums. Common filters:

  • ip → Show all IP packets
  • ip.addr == 10.10.10.111 → Show packets containing a specific IP address
  • ip.addr == 10.10.10.0/24 → Show packets within a subnet
  • ip.src == 10.10.10.111 → Show packets from a specific source
  • ip.dst == 10.10.10.111 → Show packets sent to a specific destination

Note: ip.addr filters both directions, while ip.src and ip.dst filter based on traffic direction.

2. TCP & UDP Filters (Transport Layer)

These filters analyze transport protocol data such as ports, sequence numbers, window size, and flags.

  • tcp.port == 80 → Show TCP packets on port 80
  • udp.port == 53 → Show UDP packets on port 53
  • tcp.srcport == 1234 → Show TCP packets from source port 1234
  • udp.dstport == 5353 → Show UDP packets sent to port 5353

3. Application Protocol Filters (Application Layer)

Filters traffic based on application protocols such as HTTP and DNS.

  • http → Show all HTTP packets
  • dns → Show all DNS packets
  • http.response.code == 200 → Show HTTP responses with status 200
  • dns.flags.response == 0 → Show DNS requests
  • http.request.method == “GET” → Show HTTP GET requests

4. Display Filter Expressions

Wireshark provides a Display Filter Expression menu (Analyze → Display Filter Expression) to help users create filters without memorizing protocol structures. This menu shows all protocol fields, accepted values, and predefined options, aiding in filter creation.

5. Colorizing Filter Results

Wireshark allows users to highlight filtered packets using Coloring Rules (View → Coloring Rules). This helps in visually distinguishing filtered traffic.

Mastering Wireshark filters takes time and practice, but using the Display Filter Expression tool simplifies the process.

Questions

What is the number of IP packets?

This one is simple. You simply have to write the following display filter:

ip

That’s it 🙂 This shows all IP packets, and removes everything else from the list.

IP display filter
IP display filter

Answer:81420

What is the number of packets with a “TTL value less than 10”?

You can write the following filter expression:

ip.ttl < 10
TTL less than 10
TTL less than 10

PS: If you are unsure on which display filter to use you can look at the Analyse –> Display Filter Expression menu. You can look around there for all the possible fields, and you can even search for properties!

Display Filter Expression
Display Filter Expression

Answer: 66

What is the number of packets which uses “TCP port 4444”?

Another easy one. Simply use the following filter:

tcp.port == 4444

This shows all packets which uses TCP port 4444, either as source or destination port.

TCP port 4444
TCP port 4444

Answer: 632

What is the number of “HTTP GET” requests sent to port “80”?

This is fun!

The request header is part of the application-level protocol filters, while the port is part of the transport layer (and therefore exists on IP).
You can create the display filter like so:

http.request.method == "GET" and tcp.dstport == 80

Remember to use the destination port filter this time.

GET requests to port 80
GET requests to port 80

Answer: 527

What is the number of “type A  Queries”?

This is the toughest one so far. In the theory we learned how to filter on DNS ‘A’ records

dns.qry.type == 1

But this is not enough, since they are interested in queries, which means we have to remove all responses. We do this with the dns.flags.response == 0 filter. In total it should look like this:

dns.qry.type == 1 and dns.flags.response == 1

DNS A record queriesDNS A queriesAnswer: 51

Task 6: Advanced Filterings

This task covers some of the more advanced filter possibilities. I will cover them shortly here:

  • contains: Searches for a specific value inside packets (case-sensitive). This is useful for focusing on a keyword in a field. Example: http.server contains "Apache" will list all HTTP packets where the “server” field includes “Apache”.
  • matches: Uses a case-insensitive regular expression pattern to search for specific strings or patterns. It’s useful for more complex queries. Example: http.host matches "\.(php|html)" will find HTTP packets where the “host” field matches “.php” or “.html”.
  • in: Searches for a value within a set or range of values. It is helpful when dealing with multiple possible values. Example: tcp.port in {80 443 8080} will find TCP packets with port values 80, 443, or 8080.
  • upper: Converts a string to uppercase before applying a filter, which helps when dealing with case-sensitive data. Example: upper(http.server) contains "APACHE" converts the “server” field to uppercase and checks for the “APACHE” keyword.
  • lower: Converts a string to lowercase before filtering, useful for case-insensitive searches. Example: lower(http.server) contains "apache" converts the “server” field to lowercase and looks for “apache”.
  • string: Converts a non-string value (like frame numbers) into a string for more flexible filtering. Example: string(frame.number) matches "[13579]$" converts frame numbers into strings and matches odd-numbered frames.

Bookmarks and Buttons: Wireshark allows you to save custom filters as bookmarks or create buttons for quick access, which helps analysts efficiently apply complex or frequently used filters.

Profiles: Wireshark supports creating multiple profiles, each with a customized set of configurations (e.g., coloring rules, filtering buttons) for different investigation scenarios, making it easier to switch between setups without reconfiguring each time.

Questions

Find all Microsoft IIS servers. What is the number of packets that did not originate from “port 80”?

We have to use the contains operator here to filter for IIS in the http.server values. In addition we should filter out all tcp.srcports that are 80.
I found out that there are two ways to do this:

http.server contains "IIS" and tcp.srcport != 80

But even better:

http.server contains "IIS" and !tcp.srcport == 80

I am not completely sure why the first filter gave me a warning, but the second one didn’t. Both give the same result (21) though.

IIS packets not coming from port 80IIS packets not coming from port 80

Answer: 21

Find all Microsoft IIS servers. What is the number of packets that have “version 7.5”?

You can have a look at the application layer data to find out how the service versions are formatted:

Server info in application layerServer info in application layerYou can right click the server value and select Apply as filter.

http.server == "Microsoft-IIS/7.5"

Number of packets that have version 7.5 IISNumber of packets that have version 7.5 IIS

Answer: 71

What is the total number of packets that use ports 3333, 4444 or 9999?

Time to use the in operator. We can find all packets that use port 3333, 4444 or 9999 by using the following filter:

tcp.port in {3333 4444 9999}

That’s all there is to it 🙂

Using the in operatorThe answer is 2235.Answer: 2235What is the number of packets with “even TTL numbers”?

In the theory we learned about a function called string. This can convert a field to string values, and in the example it is then used to list odd values. We nearly have to do the same thing here, but this time we are interested in even values.

Now, the field we are interested in is the ip.ttl, which we then convert to a string to be able to see if it ends with a 2,4,6,8 or 0 by using some regular expression magic:

string(ip.ttl) matches "[24680]$"

Answer77289

Change the profile to “Checksum Control”. What is the number of “Bad TCP Checksum” packets?

We’re close now, let’s keep moving!

We have to change our profile. We do this in the lower right corner. Click profile and select Checksum Control.

Changing profile to Checksum Control
Using the in operator

Bad TCP checksums are shown in red and black colours. Packets that have invalid checksums will be marked as such with a warning in the information column in the summary pane and also, most important, if the checksum is BAD that tells wireshark that the packet is corrupted.

We can now use the Packet List Pane details or the Display Filter Expression menu to create the required filter.

Bad checksum filter
Bad checksum filter

I opted for selecting the checksum status field and right-clicked, selected Apply as filter, and choose Selected.

The number of packets with a bad TCP checksum is 34185 (see above).

Answer: 34185

Use the existing filtering button to filter the traffic. What is the number of displayed packets?

There is only one filter available, and you can see it next to the display filter input. The filter is called gif/jpeg with http-2000 and it applies the following filter:

(http.response.code == 200 ) && (http.content_type matches "image(gif||jpeg)")

Select it and you will find the answer:

Gif_jpeg with http-200 filter
Gif_jpeg with http-200 filter

Answer: 261

Task 7: Conclusion

Congratulations! 

You just finished the “Wireshark: Packet Operations” room. In this room, we covered Wireshark statistics, filters, operators and functions. 

Want to learn more? We invite you to complete the Wireshark: Traffic Analysis room to improve your Wireshark skills by investigating suspicious traffic activities. 

Questions

Proceed to the next room and keep learning!

Answer: No answer needed.

Congratulations on completing Wireshark: Packet Operations!!!

Congratulations on completing Wireshark Packet Operations
Congratulations on completing Wireshark Packet Operations

Congratulations on finishing this walkthrough of the TryHackMe Wireshark: Packet Operations room.
I hope you enjoyed this more intermediate Wireshark room, in which we learned about viewing statistics, and how to use more advanced display filters. I learned a lot!

Come back soon for more walkthroughs of rooms on TryHackMe and HackTheBox, and other Cybersecurity discussions.

Read more of my walkthroughs here.

Like my articles?

You are welcome to comment on this post, or share my post with friends.
I would be even more grateful if you support me by buying me a cup of coffee:

Buy me a coffee
Buy me a coffee

I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link:

https://referral.hackthebox.com/mzwwXlg

Tags

Newsletter Updates

Enter your email address below and subscribe to our newsletter

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *


Trending now

Background
Data Fundamentals Part 1: Understanding Roles & Concepts