TryHackMe: Wireshark: The Basics Walkthrough (SOC Level 1)

Welcome to this walkthrough of the Wireshark: The Basics room on TryHackMe. In this room we learn about Wireshark, how it works, and how it is used to analyse protocols and PCAPs.

Wireshark The Basics Banner

https://tryhackme.com/room/wiresharkthebasics

I am making these walkthroughs to keep myself motivated to learn cyber security, and to ensure that I remember the knowledge gained from these challenges on HTB and THM. Join me in learning cyber security. I will try to explain concepts as I go, to differentiate myself from other walkthroughs.

Task 1: Introduction

Wireshark is an open-source, cross-platform network packet analyser capable of sniffing and investigating live traffic and inspecting packet captures (PCAPs). It is widely regarded as one of the best packet analysis tools available. In this room, we will look at the basics of Wireshark and use it to perform fundamental packet analysis.

There are two capture files given in the VM. You can use the “http1.pcapng” file to simulate the actions shown in the screenshots. Please note that you need to use the “Exercise.pcapng” file to answer the questions.

Questions

Which file is used to simulate the screenshots?

Answer: http1.pcapng

Which file is used to answer the questions?

Answer: Exercise.pcapng


Task 2: Tool Overview

Wireshark is a powerful network traffic analyzer used for:

  • Troubleshooting network issues (e.g., congestion, failure points).
  • Detecting security anomalies (e.g., rogue hosts, unusual port usage).
  • Investigating protocols (e.g., response codes, payload data).

Note: Wireshark is not an Intrusion Detection System (IDS). It only captures and analyzes packets, relying on the analyst’s expertise for detecting anomalies.

Wireshark GUI Overview

The interface consists of five key sections:

  1. Toolbar: Menus and shortcuts for filtering, sorting, summarizing, and exporting.
  2. Display Filter Bar: Main section for filtering packets.
  3. Recent Files: Quick access to recently opened capture files (PCAPs).
  4. Capture Filter & Interfaces: Selection of network interfaces for packet capture.
  5. Status Bar: Displays tool status and packet statistics.

Loading PCAP Files

PCAP files can be opened via the File menu, drag-and-drop, or double-clicking. Packets are displayed in three panes:

  • Packet List Pane: Summarizes source, destination, and protocol.
  • Packet Details Pane: Provides a detailed protocol breakdown.
  • Packet Bytes Pane: Displays hex and ASCII representation of packet data.

Colouring Packets

Wireshark uses color-coding to quickly identify protocols and anomalies. Users can create custom coloring rules:

  • Temporary rules (session-based).
  • Permanent rules (saved for future sessions).

Traffic Sniffing

  • Start sniffing: Click the blue shark button.
  • Stop sniffing: Click the red button.
  • Restart sniffing: Click the green button.

The status bar provides details on the selected interface and packet count.

Merging PCAP Files

Wireshark allows merging multiple PCAP files using File → Merge. The new merged file must be saved before analysis.

Viewing File Details

For analyzing multiple PCAP files, file details (hash, timestamps, comments, interfaces, statistics) can be accessed via Statistics → Capture File Properties or by clicking the PCAP icon in the bottom left.

Questions

Use the “Exercise.pcapng” file to answer the questions.

Read the “capture file comments”. What is the flag?

Open the Exercise.pcapng file on the host's Desktop with Wireshark. Then go to Statistics > Capture File Properties.

Capture File Properties

Look at the file properties, and in the bottom there is a text field called Capture file comments:

Capture File Comments flag

Answer: TryHackMe_Wireshark_Demo

What is the total number of packets?

This is also found in the Capture File Properties. It is actually visible in my previous screenshot, on the second line on the left.

Answer: 58620

What is the SHA256 hash value of the capture file?

This is again found in the Capture File Properties, but you have to scroll a bit up. Find it as the third value:

SHA256 hash

Answer: f446de335565fb0b0ee5e5a3266703c778b2f3dfad7efeaeccb2da5641a6d6eb


Task 3: Packet Dissection

Packet dissection (or protocol dissection) involves analyzing packet details by decoding protocols and fields. Wireshark supports numerous protocols for dissection, and custom scripts can also be created.

Packet Details in Wireshark

Clicking on a packet in the list pane reveals its details, highlighting corresponding bytes. Packets typically contain 5 to 7 layers based on the OSI model:

  1. Frame (Layer 1 – Physical): Displays overall packet/frame details.
  2. Source [MAC] (Layer 2 – Data Link): Shows source and destination MAC addresses.
  3. Source [IP] (Layer 3 – Network): Displays source and destination IP addresses.
  4. Protocol (Layer 4 – Transport): Identifies protocol (TCP/UDP) and port numbers.
  5. Protocol Errors: Highlights TCP segments requiring reassembly.
  6. Application Protocol (Layer 5 – Application): Shows details of protocols like HTTP, FTP, or SMB.
  7. Application Data: Displays protocol-specific data.

Understanding these layers helps in analyzing network traffic effectively. Next, different application protocols and their details can be explored.

Questions

Use the “Exercise.pcapng” file to answer the questions.

View packet number 38. Which markup language is used under the HTTP protocol?

Find packet 38 in the packet list. Now look at the packet details. As covered in the theory, each top-level entry in the details pane corresponds to a layer of the OSI model.

In this case we are interested in the Application layer, and you will find the answer in the final row.

Markup language of packet 38

The markup language is eXtensible Markup Language (XML).

Answer: eXtensible Markup Language

What is the arrival date of the packet? (Answer format: Month/Day/Year)

This information can be found in the Frame (Layer 1).

Frame Arrival Time

The answer is May 13, 2004, in other words 05/13/2004.

Answer: 05/13/2004

What is the TTL value?

This is part of the Network Layer of the OSI model, which is the third row in the packet details pane. In Wireshark the field is listed underneath Internet Protocol.

Time to live

The Time to live is 47.

Answer: 47

What is the TCP payload size?

We are now interested in OSI layer 4, the Transport Layer.

TCP Payload

This can be found under Transmission Control Protocol in the packet details, as the TCP payload length. You will find the answer is 424 bytes.

Answer: 424

What is the e-tag value?

This one is a bit harder to find, but it is in the Application Layer again, underneath Hypertext Transfer Protocol in the packet details.

e-tag value

The ETag value is 9a01a-4696-7e354b00. In case you are wondering what an ETag value is: it is an identifier for a specific version of a resource. It lets caches work more efficiently and saves bandwidth, because a web server does not need to resend a full response if the content has not changed.

Answer: 9a01a-4696-7e354b00
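To make the layer walk above concrete, here is a small hand-written dissector (added for this walkthrough, not code from the room or from Wireshark) that pulls out the same fields the questions ask for: the frame length, the IP TTL, the TCP ports and payload size, and the HTTP ETag. The frame it parses is constructed inline; only the ETag string is the value reported above, and the MAC addresses, IPs, ports and body are made up.

```python
import struct

# Constructed sample (not from the room's capture): an Ethernet/IPv4/TCP frame
# carrying an HTTP response with an ETag header. The ETag string is the value
# the walkthrough reports; the addresses, ports and body are made up.
HTTP_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"ETag: \"9a01a-4696-7e354b00\"\r\n"
    b"Content-Type: text/xml\r\n\r\n"
    b"<?xml version=\"1.0\"?><note/>"
)

def build_frame(ttl: int, payload: bytes) -> bytes:
    """Ethernet (14 B) + IPv4 without options (20 B) + TCP without options (20 B) + payload."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234, 0x4000,
                     ttl, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 80, 40000, 1, 1, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload

def dissect(frame: bytes) -> dict:
    """Walk the layers the way the packet details pane does, bottom layer first."""
    info = {"frame_len": len(frame)}                       # Layer 1: Frame
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:     # Layer 2: EtherType
        return info                                        # not IPv4: stop here
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                               # IP header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    info["ttl"], info["proto"] = ip[8], ip[9]              # Layer 3: IP fields
    if info["proto"] != 6:
        return info                                        # not TCP: stop here
    tcp = ip[ihl:total_len]                                # Layer 4: TCP segment
    info["src_port"], info["dst_port"] = struct.unpack("!HH", tcp[:4])
    payload = tcp[(tcp[12] >> 4) * 4:]                     # skip TCP header + options
    info["tcp_payload_len"] = len(payload)                 # Wireshark's tcp.len
    if payload.startswith(b"HTTP/"):                       # Layer 5: application
        head = payload.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
        for line in head.split("\r\n")[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() == "etag":
                info["etag"] = value.strip().strip('"')
    return info

if __name__ == "__main__":
    print(dissect(build_frame(47, HTTP_RESPONSE)))
```

Note that the TCP payload size is what remains after both the IP and TCP header lengths are subtracted from the IP total length, which is exactly the number Wireshark shows as the TCP payload.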


Task 4: Packet Navigation

Here is a summary of this task:

Packet Numbers: Wireshark assigns unique numbers to packets, making it easier to track and analyze large captures.

Go to Packet: Users can navigate between packets using the “Go” menu and toolbar, tracking specific packets within a conversation.

Find Packets: Wireshark allows searching by packet content using display filters, hex values, strings, or regex. Searches can be performed within different panes (packet list, details, bytes).

Mark Packets: Analysts can mark packets for further investigation, but markings are lost when the capture file is closed.

Packet Comments: Unlike marking, comments remain in the capture file and can help with collaboration and future analysis.

Export Packets: Specific packets can be exported for focused analysis, avoiding unnecessary data.

Export Objects (Files): Wireshark can extract files transferred via selected protocols (DICOM, HTTP, SMB, etc.), aiding security investigations.

Time Display Format: The default time format is “Seconds Since Beginning of Capture,” but users can switch to UTC for better readability.

Expert Info: Wireshark highlights protocol anomalies with severity levels (Chat, Note, Warn, Error) to help identify potential issues, though false positives/negatives may occur.

Questions

Use the “Exercise.pcapng” file to answer the questions.

Search the “r4w” string in packet details. What is the name of artist 1?

Open the Edit menu, and select Find Packet. Alternatively, press Ctrl + F. A search box will show up in the top. Search for r4w and press Enter:

Searching for r4w

The packet details of packet number 33790 show up. More specifically, the string is found in the HTML code. Look at the selected line and you will see the artist name between a pair of h3 tags.

Answer: r4w8173

Go to packet 12 and read the comments. What is the answer?

You can quickly go to packet 12 by opening:

Go > Go to Packet

And then enter 12.

You will go to the correct packet. Now go to Edit > Packet Comment, or press Ctrl+Alt+C.

Packet comment

Alternatively you can see the comments in the packet details (highlighted in green).

But wait, there is more: scroll down.

More comments

We had better do what the comment says. Go to packet 3975, right-click on the JPEG section in the packet details, and export the packet bytes.

Exporting packet bytes of JPEG

Save the file where you can find it, and to find the md5 hash you can then run the following in the Terminal:

md5sum <filename>
Md5 of image file

Answer: 911cd574a42865a956ccde2d04495ebf

There is a “.txt” file inside the capture file. Find the file and read it; what is the alien’s name?

Open the Edit menu, and select Find Packet. Search for “.txt”.

Text request found

You will see a GET request for a note.txt file.

Click the "Response in frame: 4267" link.

In the packet details you should see a section called Line-based text data. Open it and you should see the following:

Packetmaster

The text seems cut off, but the answer is PACKETMASTER.

Answer: PACKETMASTER

Look at the expert info section. What is the number of warnings?

The expert info section can be opened from the icon in the lower-left corner of the status bar, or via the Analyze -> Expert Information menu, which lists all available information entries in a dialog box.

There are 1636 warnings.

Expert information

Answer: 1636


Task 5: Packet Filtering

Wireshark provides powerful filtering tools to help analysts focus on relevant network traffic. There are two main types of filters:

  1. Capture Filters – Apply before capturing traffic, limiting what is recorded.
  2. Display Filters – Apply after capturing traffic, controlling what is displayed.

Filtering Methods

  • Apply as Filter: Right-click on a packet field to instantly apply a filter.
  • Conversation Filter: Filters all packets related to a specific conversation (IP and port).
  • Colourise Conversation: Highlights related packets without filtering them.
  • Prepare as Filter: Adds a filter query for editing before applying.
  • Apply as Column: Adds a selected field as a column for quick reference.
  • Follow Stream: Reconstructs a full protocol stream (e.g., TCP, UDP, HTTP) to view application-level data.
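The following example, written for this walkthrough and not part of the room or of Wireshark, models three of the methods above on a handful of constructed TCP segments: a display filter as a predicate over already-captured packets, a conversation key that ignores direction (as the Conversation Filter does), and a Follow Stream that stitches each direction back together in sequence order. The IPs, ports, sequence numbers and HTML are all made up; the third artist name is a placeholder.

```python
from collections import defaultdict

# Constructed sample segments, not from the room's capture:
# (src_ip, src_port, dst_ip, dst_port, tcp_seq, data). They are listed out of
# order and mixed with an unrelated client so the filters have work to do.
SEGMENTS = [
    ("10.0.0.2", 40000, "10.0.0.1", 80, 1, b"GET /artists.html HTTP/1.1\r\nHost: demo.local\r\n\r\n"),
    ("10.0.0.9", 5555, "10.0.0.1", 80, 1, b"GET /other HTTP/1.1\r\n\r\n"),
    # "third-artist" is a placeholder name; the capture's real third name is not shown here
    ("10.0.0.1", 80, "10.0.0.2", 40000, 45, b"<div><a>r4w8173</a><a>Blad3</a><a>third-artist</a></div>"),
    ("10.0.0.1", 80, "10.0.0.2", 40000, 1, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"),
]

def conversation_key(src_ip, src_port, dst_ip, dst_port):
    """Direction-independent (IP, port) pair, like the Conversation Filter."""
    return tuple(sorted([(src_ip, src_port), (dst_ip, dst_port)]))

def display_filter(segments, predicate):
    """A display filter: packets are already captured, we only hide the rest."""
    return [s for s in segments if predicate(s)]

def follow_stream(segments, src_ip, src_port, dst_ip, dst_port):
    """Follow TCP Stream: collect both directions of one conversation and
    join each direction's data in sequence-number order."""
    key = conversation_key(src_ip, src_port, dst_ip, dst_port)
    chunks = defaultdict(list)                 # endpoint -> [(seq, data), ...]
    for s in segments:
        if conversation_key(*s[:4]) == key:
            chunks[(s[0], s[1])].append((s[4], s[5]))
    # Simplification: real reassembly also handles gaps, overlaps and
    # retransmissions; here we only restore the order.
    return {ep: b"".join(d for _, d in sorted(parts)) for ep, parts in chunks.items()}

if __name__ == "__main__":
    # A port-based stand-in for the "http" display filter (Wireshark dissects by content, not port)
    print(len(display_filter(SEGMENTS, lambda s: 80 in (s[1], s[3]))), "packets match the filter")
    for ep, data in follow_stream(SEGMENTS, "10.0.0.2", 40000, "10.0.0.1", 80).items():
        print(ep, data)
```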

Questions

Use the “Exercise.pcapng” file to answer the questions.

Go to packet number 4. Right-click on the “Hypertext Transfer Protocol” and apply it as a filter. Now, look at the filter pane. What is the filter query?

Find packet 4, and right-click on Hypertext Transfer Protocol. Then select Apply as Filter -> Selected.

HTTP apply as filter

You will see http added as display filter.

HTTP display filter set

Answer: http

What is the number of displayed packets?

With the http display filter set, you can see the number of displayed packets in the bottom right: 1089.

Number of displayed packets

Answer: 1089

Go to packet number 33790 and follow the stream. What is the total number of artists?

Find packet 33790, right-click it and select Follow > HTTP Stream.

Following the HTTP stream

This reconstructs the stream and shows the raw traffic as it is presented at the application level.

You will see the complete HTTP stream. You can scroll through it, or use the search box at the bottom to look for a string, for example "artists".

Number of artists

Look at the HTML div section, and you will see three links, one for each individual artist.

Answer: 3

What is the name of the second artist?

Look at the above screenshot. Just to the right of the second square is the second artist name: Blad3.

Answer: Blad3


Task 6: Conclusion

Congratulations! You just finished the “Wireshark: The Basics” room. In this room, we covered Wireshark, what it is, how it operates, and how to use it to investigate traffic captures.

Want to learn more? We invite you to complete the Wireshark: Packet Operations room to improve your Wireshark skills by investigating packets in-depth. 

Questions

Read the task above.

Answer: No answer needed


Congratulations on completing Wireshark: The Basics!!!

Congratulations on finishing this walkthrough of the TryHackMe Wireshark: The Basics room.
This was a great introduction to Wireshark, which is arguably the most important tool there is for cybersecurity specialists. It can be used for many different things, and it improves our understanding of networking as well.

Come back soon for more walkthroughs of rooms on TryHackMe and HackTheBox, and other Cybersecurity discussions.


Like my articles?

You are welcome to comment on this post, or share my post with friends.
I would be even more grateful if you support me by buying me a cup of coffee:

Buy me a coffee

I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link:

https://referral.hackthebox.com/mzwwXlg
