Become a Digital Detective: Using Wireshark to Find Hidden Data

Last Updated: August 2025 | Reading Time: 15 minutes


Introduction

Every time you visit a website, send an email, or play an online game, your computer is having a constant, complex conversation. It sends and receives thousands of tiny digital “packets” of information across the internet. Most of us never see this conversation; we only see the final result—the rendered webpage or the delivered message.

But what if you could eavesdrop on that conversation? What if you could inspect every single packet to see exactly what’s being said?

This is the job of a network analyst, and their most essential tool is Wireshark. For players of Venatus, mastering this tool is the key to conquering advanced challenges like Level 9: The Eavesdropper. It might seem intimidating, but Wireshark is a free, powerful, and surprisingly accessible piece of software that can turn you into a true digital detective.

This comprehensive guide will walk you through everything from basic packet capture analysis to advanced network forensics techniques, making you proficient in one of cybersecurity’s most valuable tools.

What is Wireshark?

Wireshark is the world’s foremost network protocol analyzer and packet capture tool. Originally known as Ethereal, it was renamed to Wireshark in 2006 and has since become the gold standard for network analysis across industries.

Key Features

| Feature | Description | Use Case |
| --- | --- | --- |
| Protocol Analysis | Understands 3000+ network protocols | Analyzing any network communication |
| Live Capture | Real-time packet monitoring | Network troubleshooting |
| Deep Inspection | Examines packet contents at byte level | Security analysis, forensics |
| Filtering System | Powerful display and capture filters | Finding specific traffic patterns |
| Cross-Platform | Windows, macOS, Linux support | Universal deployment |
| Open Source | Free and community-driven | Cost-effective solution |

Who Uses Wireshark?

You can download it for free for Windows, macOS, and Linux from wireshark.org.

Installing Wireshark: Step-by-Step Guide

Windows Installation

  1. Download the Windows installer from wireshark.org/download.html
  2. Run the installer as administrator
  3. Accept the license agreement
  4. Important: Select “Install Npcap” when prompted (required for packet capture)
  5. Complete the installation wizard
  6. Restart your computer if prompted

macOS Installation

  1. Download the macOS disk image (.dmg) file
  2. Mount the disk image and drag Wireshark to Applications
  3. Install ChmodBPF (included) for packet capture permissions
  4. Grant necessary permissions in System Preferences > Security & Privacy

Linux Installation

# Ubuntu/Debian
sudo apt update
sudo apt install wireshark
# When the installer asks whether non-superusers may capture packets, answer Yes;
# this is what grants capture capabilities to dumpcap. To change it later:
sudo dpkg-reconfigure wireshark-common

# Add your user to the wireshark group, then log out and back in for it to apply
sudo usermod -aG wireshark $USER

# Fedora / RHEL 8+ (GUI package; the command-line tshark ships in wireshark-cli)
sudo dnf install wireshark

# Older CentOS/RHEL
sudo yum install wireshark

Understanding the Wireshark Interface

Before diving into analysis, let’s understand Wireshark’s main interface components:

Main Window Components

| Component | Location | Purpose |
| --- | --- | --- |
| Menu Bar | Top | Access to all Wireshark functions |
| Main Toolbar | Below menu | Quick access to common actions |
| Filter Toolbar | Below main toolbar | Apply display filters |
| Packet List Pane | Upper third | Shows captured packets in chronological order |
| Packet Details Pane | Middle third | Hierarchical breakdown of selected packet |
| Packet Bytes Pane | Lower third | Raw hexadecimal and ASCII data |
| Status Bar | Bottom | Shows capture statistics and filter status |

Color Coding System

Wireshark uses colors to quickly identify packet types. With the default coloring rules, TCP is light purple, UDP light blue, HTTP light green, ICMP light pink and ARP pale yellow; "Bad TCP" (retransmissions, out-of-order segments, zero window) is black with red text, TCP SYN/FIN packets are grey and RST packets dark red. View > Coloring Rules shows the display filter behind each color.

Your First Case: Opening the Capture File


In challenges like Level 9, you are given a pre-recorded network capture file, usually with a .pcap or .pcapng extension. This is a log of all the packets that were captured during a specific period.

Your first step is simple:

  1. Launch Wireshark.
  2. Go to File > Open.
  3. Select the .pcapng file from the level.

You will be immediately presented with the main Wireshark interface, and it can be overwhelming. You’ll see a list of potentially thousands of packets, a rainbow of colors, and a mess of technical details.

This is the haystack. Now, we need to find the needle.

Initial Analysis Steps

Once your file is loaded, follow this systematic approach:

  1. Check the capture span: the status bar shows the packet count, while Statistics > Capture File Properties shows the first and last packet time and the elapsed time
  2. Scan for obvious anomalies: Unusual protocols, excessive traffic, or error messages
  3. Review the protocol hierarchy: Go to Statistics > Protocol Hierarchy for an overview
  4. Identify key endpoints: Use Statistics > Endpoints to see active IP addresses

The Analyst’s Best Friend: Display Filters

Scrolling through thousands of packets is impossible. The key to using Wireshark effectively is to tell it exactly which packets you want to see, so that everything else is hidden. This is done using the Display Filter bar, the long entry box at the top of the main window.

By typing a filter, you can instantly hide all the “noise” and focus only on the packets that are relevant to your investigation. Here are some of the most useful filters for finding hidden data:

Basic Filter Syntax

Wireshark filters follow a logical syntax pattern:

[protocol].[field] [operator] [value]

Common Operators: == (equal), != (not equal), >, <, >=, <= (numeric and time comparisons), contains (substring or byte sequence), matches (Perl-compatible regular expression) and in (membership in a set, for example tcp.port in {80 443 8080}).

Filtering by Protocol


This is the most common first step. If you suspect a secret is being hidden in a specific type of traffic, you can filter for it directly.

http: Shows only unencrypted web traffic. Useful for seeing which files (like images or scripts) a user has requested.

dns: Shows only Domain Name System traffic. This is extremely useful for spotting “DNS tunneling,” where data is hidden in the subdomains of the websites being looked up. If you see hundreds of strange requests like 48656c6c6f.attacker.com, that’s a huge red flag.

icmp: This is the key to solving Level 9. It shows only ICMP traffic, which is primarily used by the ping command. A normal network might have a few pings, but a long, steady stream of them is highly suspicious and suggests a covert channel might be in use.

How to use it: Simply type icmp into the filter bar and press Enter. The packet list will instantly update to show only the ping-related packets.

Filtering by IP Address

If you know the sender or receiver you’re interested in, you can filter for their IP address.

ip.addr == 8.8.8.8: Shows all packets going to OR from the IP address 8.8.8.8.

ip.src == 192.168.1.100: Shows only packets sent from the host 192.168.1.100 (substitute the address of the machine you are investigating).

ip.dst == 1.1.1.1: Shows only packets sent to the Cloudflare DNS server.

You can also combine filters using logical operators like && (and), || (or), and ! (not).

icmp && ip.dst == 8.8.8.8: Shows only the ping packets that were sent to 8.8.8.8.

Advanced Filter Combinations

Master these powerful filter combinations for complex analysis:

# Large frames (bulk transfer; on the wire Ethernet frames top out around 1514 bytes)
frame.len > 1000

# HTTP POST requests (potential data uploads)
http.request.method == "POST"

# Connections refused or aborted with RST
tcp.flags.reset == 1

# TLS traffic on port 443 (Wireshark 2.x called the protocol ssl)
tcp.port == 443 && tls

# Suspicious DNS queries (potential tunneling): long names or hex-looking labels
len(dns.qry.name) > 50 || dns.qry.name matches "^[0-9a-f]{16,}\\."

Essential Wireshark Filters Cheat Sheet

Protocol Filters

| Filter | Purpose | Example Use Case |
| --- | --- | --- |
| tcp | TCP traffic only | Web browsing, file transfers |
| udp | UDP traffic only | DNS, DHCP, streaming |
| http | HTTP traffic | Web requests and responses |
| tls (ssl in Wireshark 2.x) | Encrypted web traffic | Secure communications; note that there is no https filter |
| dns | DNS queries and responses | Domain name resolution |
| dhcp | DHCP traffic | IP address assignment |
| arp | Address Resolution Protocol | Local network mapping |
| icmp | Ping and error messages | Network diagnostics |

Address and Port Filters

| Filter | Purpose | Example |
| --- | --- | --- |
| ip.addr == x.x.x.x | Traffic to/from IP | ip.addr == 192.168.1.1 |
| ip.src == x.x.x.x | Traffic from IP | ip.src == 10.0.0.1 |
| ip.dst == x.x.x.x | Traffic to IP | ip.dst == 8.8.8.8 |
| tcp.port == x | TCP traffic on port | tcp.port == 80 |
| udp.port == x | UDP traffic on port | udp.port == 53 |
| ip.addr == x.x.x.x/y | Traffic to/from a subnet | ip.addr == 192.168.0.0/24 (net 192.168.0.0/24 is the capture-filter form, not a display filter) |

Content Filters

| Filter | Purpose | Example |
| --- | --- | --- |
| frame contains "string" | Packets containing text | frame contains "password" |
| http.request.uri contains "string" | URLs containing text | http.request.uri contains "admin" |
| dns.qry.name contains "string" | DNS queries containing text | dns.qry.name contains "malware" |

Logical Operators

| Operator | Purpose | Example |
| --- | --- | --- |
| && or and | Both conditions true | tcp && ip.addr == 1.1.1.1 |
| \|\| or or | Either condition true | tcp.port == 80 or tcp.port == 443 |
| ! or not | Condition false | !dns |
| ( ) | Group conditions | (tcp.port == 80) && (ip.addr == 1.1.1.1) |

Inspecting the Payloads


Once you have filtered the traffic down to a manageable number of suspicious packets, the final step is to look inside them.

  1. Select a Packet: Click on a packet in the top pane.
  2. View the Details: The middle pane will now show you a detailed breakdown of that packet’s structure, from the Ethernet frame all the way up to the application data.
  3. Find the Data: For a protocol like ICMP, you’ll want to expand the “Internet Control Message Protocol” section. Inside, you will find the data payload.

In a normal ping this data is filler: Windows ping sends the fixed string abcdefghijklmnopqrstuvwabcdefghi, and Linux ping sends a timestamp followed by the incrementing bytes 0x10, 0x11, 0x12 and so on. In a steganographic message, this is where the secret is hidden. By clicking through the filtered packets one by one and examining the data payload of each, you can extract the hidden message piece by piece; the ICMP sequence number (icmp.seq) tells you the order in which the pieces were sent.

Payload Analysis Techniques

1. Hexadecimal Analysis

Raw bytes: 48 65 6c 6c 6f 20 57 6f 72 6c 64
ASCII:     H  e  l  l  o     W  o  r  l  d

2. ASCII String Extraction

The right half of the Packet Bytes pane shows the ASCII rendering of the selected packet, and Edit > Find Packet (Ctrl+F) with the search type set to String or Hex Value searches the raw bytes of every packet for a given text or byte sequence.

3. Binary Pattern Recognition

Compare each payload with the stock payload the sending tool normally produces. The bytes that change from packet to packet are the carrier of the hidden data, and their positions usually follow a fixed layout, such as a counter followed by a data chunk.

Network Protocol Deep Dive

HTTP/HTTPS Analysis

HTTP traffic analysis is crucial for web application security and forensics.

Key HTTP Headers to Monitor

| Header | Security Relevance | Filter |
| --- | --- | --- |
| User-Agent | Client identification, potential malware signatures | http.user_agent contains "bot" |
| Authorization | Authentication credentials | http.authorization |
| Cookie | Session management | http.cookie |
| Referer | Traffic source tracking | http.referer |

Common HTTP Analysis Patterns

# Find all HTTP POST requests
http.request.method == "POST"

# Locate file uploads
http.content_type contains "multipart/form-data"

# Identify potential data exfiltration
http.request.method == "POST" && frame.len > 2000

# Find authentication attempts
http.request.uri contains "login"

DNS Traffic Investigation

DNS analysis is essential for detecting malicious domains and data exfiltration.

DNS Query Types

| Type | Record | Purpose | Filter |
| --- | --- | --- | --- |
| A | IPv4 address | Domain to IP mapping | dns.qry.type == 1 |
| AAAA | IPv6 address | IPv6 domain mapping | dns.qry.type == 28 |
| MX | Mail exchange | Email routing | dns.qry.type == 15 |
| TXT | Text records | Various purposes, often misused | dns.qry.type == 16 |

Detecting DNS Tunneling

# Unusually long query names (data packed into the labels)
len(dns.qry.name) > 50

# Many labels in one name (chunked data plus sequence counters)
dns.qry.name matches "^([^.]+\\.){4,}"

# Labels made only of hex digits, as in 48656c6c6f.attacker.com
dns.qry.name matches "^[0-9a-f]{16,}\\."

# TXT record abuse (answers large enough to carry commands or data)
dns.resp.type == 16 && frame.len > 200
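
Once the query names are exported, the tests above can be scripted and run over a whole capture. The script below is an added example written for this page, not code from Venatus or the Wireshark project. It takes a list of DNS query names, which is what `tshark -r capture.pcapng -Y "dns.flags.response == 0" -T fields -e dns.qry.name` prints for a real capture, groups them by parent domain, and scores each domain on the number of distinct subdomains, the share of hex-looking labels, label length and label entropy; for flagged domains it hex-decodes the labels in capture order, which reverses the 48656c6c6f.attacker.com encoding described above. The sample names, the thresholds and the rule that the last two labels form the registrable domain are assumptions made for the example.

```python
"""Score DNS query names for tunnelling indicators and decode hex-encoded labels.

Added example for this page, not Venatus or Wireshark code. Input is a list of
query names, for example the output of
  tshark -r capture.pcapng -Y "dns.flags.response == 0" -T fields -e dns.qry.name
The names below are constructed for the example.
"""
import math
import re
from collections import defaultdict
from dataclasses import dataclass

HEX_LABEL = re.compile(r"^[0-9a-f]{8,}$")      # at least four bytes of hex-encoded data

SAMPLE_QUERIES = [                              # constructed; capture order matters
    "www.example.com",
    "mail.example.com",
    "48656c6c.attacker.com",                    # "Hell"
    "www.example.com",                          # retry of an earlier query
    "6f2c2077.attacker.com",                    # "o, w"
    "cdn.example.com",
    "d1a2b3c4e5f6.cloudfront.net",              # hex-looking, but a single benign name
    "6f726c64.attacker.com",                    # "orld"
]


@dataclass
class DomainReport:
    unique_subdomains: int
    hex_labels: int
    mean_label_len: float
    mean_entropy: float
    suspicious: bool
    decoded: str


def shannon_entropy(s: str) -> float:
    """Bits per character: uniformly random hex scores 4.0, English labels nearer 2-3."""
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))


def registered_domain(name: str) -> str:
    """Assumption for this example: the last two labels are the registrable
    domain (no public-suffix list, so names under co.uk would be mis-split)."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])


def analyze(queries: list[str], min_unique: int = 3) -> dict[str, DomainReport]:
    """Group first labels by parent domain, keep them in capture order without
    repeats, and flag domains that look like a tunnel endpoint."""
    by_domain: dict[str, list[str]] = defaultdict(list)
    for q in queries:
        labels = q.rstrip(".").lower().split(".")
        if len(labels) > 2 and labels[0] not in by_domain[registered_domain(q)]:
            by_domain[registered_domain(q)].append(labels[0])
    reports = {}
    for domain, labels in by_domain.items():
        n = len(labels)
        hex_count = sum(1 for l in labels if HEX_LABEL.match(l))
        mean_len = sum(map(len, labels)) / n
        mean_ent = sum(map(shannon_entropy, labels)) / n
        # Thresholds are assumptions; tune them against your own baseline traffic.
        suspicious = n >= min_unique and (hex_count / n >= 0.5 or mean_ent > 3.5 or mean_len > 30)
        decoded = ""
        if suspicious and hex_count:
            decoded = b"".join(bytes.fromhex(l) for l in labels
                               if HEX_LABEL.match(l)).decode("ascii", "replace")
        reports[domain] = DomainReport(n, hex_count, mean_len, mean_ent, suspicious, decoded)
    return reports


if __name__ == "__main__":
    for domain, r in analyze(SAMPLE_QUERIES).items():
        flag = "SUSPICIOUS" if r.suspicious else "ok"
        print(f"{domain:16} subdomains={r.unique_subdomains} hex={r.hex_labels} "
              f"entropy={r.mean_entropy:.2f} {flag} {r.decoded!r}")
```

The single hex-looking cloudfront.net name is not flagged because one query carries no information on its own; a tunnel needs many distinct subdomains, which is why the unique-subdomain count gates every other signal. Real tunnels often prefix each chunk with a sequence counter or use base32 rather than hex, so extend `HEX_LABEL` and the decoder to match what the capture shows.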

TCP Stream Analysis

TCP streams allow you to reconstruct entire conversations between endpoints.

Following TCP Streams

  1. Right-click any TCP packet
  2. Select “Follow” → “TCP Stream”
  3. View the complete conversation in a new window
  4. Use different view modes:
    • ASCII: Human-readable text
    • EBCDIC: IBM mainframe encoding
    • Hex Dump: Raw hexadecimal
    • C Arrays: Programming format
    • Raw: Binary data

ICMP Covert Channels

ICMP is frequently abused for covert communication and data exfiltration because many networks allow ping through unconditionally and nobody inspects the payload.

Normal vs. Suspicious ICMP Traffic

Normal ICMP Characteristics: a handful of echo requests, each with a matching echo reply, sent about once per second, all the same size (56 bytes of data on Linux, 32 on Windows) and all carrying the stock payload pattern of the ping implementation.

Suspicious ICMP Patterns: a long, steady stream of echo requests, requests without replies, payloads that vary from packet to packet, unusual sizes, or ICMP types other than echo request and reply.

# High frequency ICMP traffic. frame.time_delta is measured from the previous
# captured frame whether or not it matched the filter; to see spacing between
# ICMP packets, apply the filter icmp and set View > Time Display Format to
# "Seconds Since Previous Displayed Packet"
icmp && frame.time_delta < 0.1

# Unusual frame sizes (a default Linux ping is a 98-byte frame, Windows 74)
icmp && frame.len > 100

# Non-standard ICMP types (anything other than echo reply and echo request)
icmp.type != 0 && icmp.type != 8

# Echo requests whose payload is not the stock Windows ping pattern; for Linux
# senders compare against the timestamp-plus-incrementing-bytes pattern instead
icmp.type == 8 && !(data.data contains "abcdefghijklmnopqrstuvwabcdefghi")
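
The procedure in Inspecting the Payloads and the filters in this section come down to one thing: keep echo requests to the target, discard payloads that look like a stock ping, and read the rest in sequence order. The script below is an added example written for this page, not Venatus or Wireshark code. It parses classic libpcap with nothing but the standard library, on a capture it constructs in memory; the target 10.0.0.1, the source addresses, the message and the timings are all assumptions. It also reports the inter-arrival gaps of the covert packets, which is the cadence that the time-based filters later on this page look for.

```python
"""Pull a covert message out of ICMP echo payloads in a classic libpcap file.

Added example for this page, not Venatus or Wireshark code. The capture is
constructed in memory so the script runs offline; only little-endian
microsecond pcap with Ethernet framing is parsed (not pcapng).
"""
import socket
import struct
from typing import Iterator, NamedTuple

WINDOWS_PING_DATA = b"abcdefghijklmnopqrstuvwabcdefghi"   # stock 32-byte payload
LINUX_PING_DATA = bytes(16) + bytes(range(16, 56))        # timeval slot, then 0x10..0x37
DST = "10.0.0.1"                                          # assumed target host


class IcmpPacket(NamedTuple):
    ts: float
    src: str
    dst: str
    icmp_type: int
    seq: int
    payload: bytes


def _checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum shared by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def echo_request_record(src: str, dst: str, seq: int, payload: bytes, ts: float) -> bytes:
    """One pcap record: 16-byte record header plus an Ethernet/IPv4/ICMP frame."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, seq) + payload      # type 8 = echo request
    icmp = icmp[:2] + struct.pack("!H", _checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), seq, 0, 64, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))   # protocol 1 = ICMP
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    frame = bytes(12) + b"\x08\x00" + ip + icmp                        # zero MACs, EtherType IPv4
    sec, usec = int(ts), int(round((ts % 1) * 1_000_000))
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame


def build_sample_capture() -> bytes:
    """Constructed traffic: stock pings from 10.0.0.2 and 10.0.0.3, plus three
    echo requests from 10.0.0.5 carrying 4-byte chunks of a message. The chunk
    with sequence 2 was delayed in transit, so it arrives after sequence 3."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    records = [
        echo_request_record("10.0.0.2", DST, 1, WINDOWS_PING_DATA, 1000.0),
        echo_request_record("10.0.0.5", DST, 1, b"meet", 1000.1),
        echo_request_record("10.0.0.3", DST, 7, LINUX_PING_DATA, 1000.5),
        echo_request_record("10.0.0.2", DST, 2, WINDOWS_PING_DATA, 1001.0),
        echo_request_record("10.0.0.5", DST, 3, b"dawn", 1001.1),
        echo_request_record("10.0.0.5", DST, 2, b" at ", 1001.4),
    ]
    return header + b"".join(records)


def iter_icmp(pcap: bytes) -> Iterator[IcmpPacket]:
    """Walk the records and yield ICMP packets: the display filter `icmp`."""
    if struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("expected little-endian microsecond pcap")
    if struct.unpack("<I", pcap[20:24])[0] != 1:
        raise ValueError("expected Ethernet link type")
    off = 24
    while off + 16 <= len(pcap):
        sec, usec, incl, _orig = struct.unpack("<IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if frame[12:14] != b"\x08\x00":
            continue                                   # not IPv4
        ip = frame[14:]
        if ip[9] != 1:
            continue                                   # not ICMP
        ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
        icmp = ip[ihl:total_len]
        itype, _code, _csum, _ident, seq = struct.unpack("!BBHHH", icmp[:8])
        yield IcmpPacket(sec + usec / 1e6, socket.inet_ntoa(ip[12:16]),
                         socket.inet_ntoa(ip[16:20]), itype, seq, icmp[8:])


def is_stock_ping_payload(payload: bytes) -> bool:
    """Windows ping sends a fixed letter pattern; iputils ping sends a struct
    timeval followed by bytes equal to their own offset (0x10, 0x11, ...)."""
    if payload == WINDOWS_PING_DATA:
        return True
    return len(payload) > 16 and all(payload[i] == (i & 0xFF) for i in range(16, len(payload)))


def extract_message(pcap: bytes, dst: str = DST) -> tuple[str, list[float]]:
    """`icmp.type == 8 && ip.dst == dst` minus stock payloads: reassemble the
    rest by ICMP sequence number and report inter-arrival gaps in seconds."""
    covert = [p for p in iter_icmp(pcap)
              if p.icmp_type == 8 and p.dst == dst and not is_stock_ping_payload(p.payload)]
    gaps = [b.ts - a.ts for a, b in zip(covert, covert[1:])]         # arrival order
    message = b"".join(p.payload for p in sorted(covert, key=lambda p: p.seq))
    return message.decode("ascii", "replace"), gaps


if __name__ == "__main__":
    text, gaps = extract_message(build_sample_capture())
    print("hidden message:", text)
    print("gaps between covert packets (s):", [round(g, 3) for g in gaps])
```

To run it on a real file, pass `open("capture.pcap", "rb").read()` to `extract_message`; a .pcapng file must first be saved as pcap (File > Save As in Wireshark). The stock-payload check only knows the Windows and iputils patterns, so a tunnel that copies one of those exactly needs a different discriminator, such as the cadence reported in `gaps` or the payload size.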

Advanced Wireshark Techniques

Statistics and Reports

Wireshark provides powerful statistical analysis tools accessible via the Statistics menu:

Protocol Hierarchy

Conversations

Endpoints

I/O Graphs

# Create custom graphs for:
# - Bandwidth utilization over time
# - Packet rates per protocol
# - Error rates and retransmissions

Packet Reconstruction

Reconstructing Files from HTTP Traffic

  1. Filter for HTTP traffic: http
  2. Find file download/upload requests
  3. Use “Export Objects” → “HTTP” to save files
  4. Analyze extracted files for malicious content

Email Reconstruction

# Find email protocols
smtp || pop || imap

# Extract email content
# Use "Follow TCP Stream" on SMTP traffic

Time-based Analysis

Analyzing Traffic Patterns

# Traffic during specific time window
frame.time >= "2025-08-29 10:00:00" && frame.time <= "2025-08-29 11:00:00"

# Rapid-fire segments within one TCP conversation (potential attack). tcp.time_delta
# is only populated when "Calculate conversation timestamps" is enabled under
# Edit > Preferences > Protocols > TCP
tcp.time_delta < 0.01 && tcp.len > 0

# Identify time-based covert channels (long, regular gaps between pings)
icmp && frame.time_delta > 60

Real-World Use Cases

1. Malware Analysis

Scenario: Suspected malware infection on corporate network

Approach:

# Unanswered queries and NXDOMAIN responses (domain-generation algorithms, dead C2 domains)
(dns.flags.response == 0 && !dns.response_in) || dns.flags.rcode == 3

# Outbound connection attempts (SYN without ACK); repeated SYNs to the same host
# at a fixed interval are the beaconing pattern of command and control
tcp.flags.syn == 1 && tcp.flags.ack == 0

# Large TCP payloads outside the web ports (tcp.len rather than frame.len, since
# frames on the wire rarely exceed 1514 bytes)
tcp.len > 1000 && tcp.port != 80 && tcp.port != 443

2. Data Breach Investigation

Scenario: Investigating potential data theft

Key Filters: the HTTP POST and multipart upload filters from the HTTP section, the large-payload filter above, and File > Export Objects to recover the files that were transferred.

3. Network Performance Issues

Scenario: Users reporting slow internet

Diagnostic Filters:

# Find retransmissions (network issues)
tcp.analysis.retransmission

# Identify duplicate ACKs
tcp.analysis.duplicate_ack

# Look for connection resets
tcp.flags.reset == 1

Legal Considerations

| Consideration | Requirement | Best Practice |
| --- | --- | --- |
| Authorization | Written permission for network monitoring | Document all approvals |
| Data Privacy | Compliance with GDPR, CCPA, local laws | Minimize data collection |
| Employee Rights | Workplace monitoring policies | Clear notification policies |
| Incident Response | Legal hold requirements | Chain of custody procedures |

Ethical Guidelines

Troubleshooting Common Issues

Capture Problems

| Problem | Cause | Solution |
| --- | --- | --- |
| No packets captured | Insufficient permissions | Run as administrator, or on Linux add your user to the wireshark group |
| Missing traffic | Wrong interface selected | Select the correct network interface |
| Encrypted traffic unreadable | TLS/SSL encryption | Load the server's RSA private key or a session key log (SSLKEYLOGFILE), or capture at the endpoint |
| Large files slow performance | Too many packets | Use capture filters to limit data, or record into a ring buffer of smaller files |

Performance Optimization

# Capture filters (applied during capture)
host 192.168.1.100          # Specific host only
port 80 or port 443         # Web traffic only
not broadcast and not multicast  # Reduce noise

# Display filters for large files
tcp.stream eq 1             # Focus on single stream
frame.number > 1000 and frame.number < 2000  # Specific range

Wireshark Alternatives and Complementary Tools

Network Analysis Alternatives

| Tool | Platform | Best For | Cost |
| --- | --- | --- | --- |
| tcpdump | Linux/Unix | Command-line capture | Free |
| Tshark | Cross-platform | Automated analysis | Free (part of Wireshark) |
| NetworkMiner | Windows | Forensic analysis | Free/Professional |
| SolarWinds NPM | Windows | Enterprise monitoring | Commercial |
| PRTG | Windows | Network monitoring | Commercial |

Complementary Security Tools

Frequently Asked Questions

What is a .pcap file?

A .pcap (Packet Capture) or .pcapng (Packet Capture Next Generation) file is a network capture file that stores a log of network packets. These files contain the raw network data that can be analyzed using tools like Wireshark to inspect network traffic, troubleshoot issues, or investigate security incidents.

Do I need to be connected to the internet to use Wireshark?

No, you can analyze pre-recorded .pcap or .pcapng files offline. However, capturing live network traffic requires an active network connection. Wireshark can work in two modes: live capture from a network interface, and offline analysis of a saved capture file.

Why are some packets different colors in Wireshark?

Wireshark uses color coding to highlight different types of packets or issues. The default scheme uses, for example, light purple for TCP, light blue for UDP, light green for HTTP, light pink for ICMP, and black with red text for TCP problems such as retransmissions.

You can customize colors via View → Coloring Rules.

Can I use Wireshark on any operating system?

Yes, Wireshark is available for Windows, macOS, and Linux, and it functions similarly across all platforms. However, packet capture capabilities may require additional permissions or software: the Npcap driver on Windows, the ChmodBPF helper on macOS, and membership in the wireshark group (or root) on Linux, as covered in the installation section.

How do I know which protocol to filter for?

Look for clues in the challenge description or game hints. For example, Level 9 of Venatus emphasizes ICMP traffic, so filtering for icmp is a good starting point. If no clues are provided, try this systematic approach:

  1. Start with Statistics → Protocol Hierarchy for overview
  2. Filter common protocols: http, dns, icmp
  3. Look for unusual traffic patterns or high packet counts
  4. Focus on protocols relevant to your investigation goal

Can Wireshark decrypt encrypted traffic?

Wireshark can decrypt certain types of encrypted traffic if you have the necessary keys: TLS sessions that used RSA key exchange, given the server's private key (Edit > Preferences > Protocols > TLS, RSA keys list); any TLS version, given the session secrets the client or server wrote to a key log file (the SSLKEYLOGFILE environment variable honoured by Firefox, Chrome and curl, configured as the (Pre)-Master-Secret log filename on the same preference page); and WPA/WPA2-PSK wireless traffic, given the passphrase and the captured four-way handshake (IEEE 802.11 preferences).

With an ephemeral Diffie-Hellman key exchange, which TLS 1.3 requires and TLS 1.2 uses by default, the server's private key is no help: the session secrets exist only on the endpoints, so you need a key log from one of them or visibility at the endpoint itself.

How large can capture files get?

Capture files can become extremely large on busy networks: a saturated gigabit link produces over 100 MB of packet data per second, and Wireshark dissects the whole file in memory. Use capture filters to record only what you need, and for long captures write a ring buffer of files (Capture > Options > Output, or dumpcap -b filesize:100000 -b files:10) so that no single file grows beyond what Wireshark can open comfortably.

Is it legal to use Wireshark?

Wireshark itself is completely legal. However, its use must comply with the authorization, privacy and workplace-monitoring requirements summarized in the legal considerations earlier on this page: capture only on networks you own or have written permission to monitor.

What’s the difference between capture and display filters?

| Aspect | Capture Filters | Display Filters |
| --- | --- | --- |
| When Applied | During capture | After capture |
| Syntax | Berkeley Packet Filter (BPF) | Wireshark-specific |
| Purpose | Reduce captured data | Hide/show captured data |
| Performance | Affects capture speed | Affects display speed |
| Example | host 192.168.1.1 | ip.addr == 192.168.1.1 |

Practice Exercises

Beginner Level

  1. Basic Protocol Identification

    • Open any capture file
    • Filter for HTTP traffic
    • Count how many different websites were visited
  2. Simple IP Analysis

    • Identify the top 3 IP addresses by packet count
    • Use Statistics → Endpoints → IPv4

Intermediate Level

  1. DNS Investigation

    • Filter for DNS traffic
    • Look for queries to suspicious domains
    • Identify any failed DNS resolutions
  2. HTTP Stream Analysis

    • Find HTTP POST requests
    • Follow the TCP stream to see full conversation
    • Look for sensitive data in clear text

Advanced Level

  1. Covert Channel Detection

    • Look for ICMP traffic with unusual payloads
    • Create time-based graphs to identify patterns
    • Extract hidden messages from packet data
  2. Malware Communication Analysis

    • Identify command and control traffic patterns
    • Look for Base64 encoded data
    • Analyze DNS tunneling attempts

Wireshark transforms the invisible, chaotic flow of the internet into a structured, searchable log of evidence. Learning to use its filters is like learning to ask the right questions—it’s the fundamental skill of any digital detective.


Ready to start your journey as a digital detective? Download Wireshark today and begin exploring the hidden conversations happening all around us in cyberspace.