Become a Digital Detective: Using Wireshark to Find Hidden Data

Every time you visit a website, send an email, or play an online game, your computer is having a constant, complex conversation. It sends and receives thousands of tiny digital “packets” of information across the internet. Most of us never see this conversation; we only see the final result—the rendered webpage or the delivered message.

But what if you could eavesdrop on that conversation? What if you could inspect every single packet to see exactly what’s being said?

This is the job of a network analyst, and their most essential tool is Wireshark. For players of Venatus, mastering this tool is the key to conquering advanced challenges like Level 9: The Eavesdropper. It might seem intimidating, but Wireshark is a free, powerful, and surprisingly accessible piece of software that can turn you into a true digital detective.

This guide will walk you through the basics of opening a network capture file (.pcap) and using Wireshark’s most powerful feature—display filters—to find a needle in a digital haystack.

What is Wireshark?

Wireshark is the world’s foremost network protocol analyzer. In simple terms, it’s a tool that can capture the traffic flowing over a network (like your home Wi-Fi) and display that traffic in a readable, structured format. It understands the “grammar” of the internet—protocols like HTTP, DNS, and ICMP—and breaks down each packet so you can see its individual components.

You can download it for free for Windows, macOS, and Linux from wireshark.org.

Your First Case: Opening the Capture File

In challenges like Level 9, you are given a pre-recorded network capture file, usually with a .pcap or .pcapng extension. This is a log of all the packets that were captured during a specific period.

Your first step is simple:

  1. Launch Wireshark.
  2. Go to File > Open.
  3. Select the .pcapng file from the level.

You will be immediately presented with the main Wireshark interface, and it can be overwhelming. You’ll see a list of potentially thousands of packets, a rainbow of colors, and a mess of technical details.

This is the haystack. Now, we need to find the needle.

The Analyst’s Best Friend: Display Filters

Scrolling through thousands of packets is impossible. The key to using Wireshark effectively is to tell it what you don’t want to see. This is done using the Display Filter bar, which is the long entry box at the top of the main window.

By typing a filter, you can instantly hide all the “noise” and focus only on the packets that are relevant to your investigation. Here are some of the most useful filters for steganographic analysis:

Filtering by Protocol

This is the most common first step. If you suspect a secret is being hidden in a specific type of traffic, you can filter for it directly.

  * http: Shows only unencrypted web traffic. Useful for seeing which files (like images or scripts) a user has requested.
  * dns: Shows only Domain Name System traffic. This is extremely useful for spotting “DNS tunneling,” where data is hidden in the subdomains of the websites being looked up. If you see hundreds of strange requests like 48656c6c6f.attacker.com, that’s a huge red flag.
  * icmp: This is the key to solving Level 9. It shows only ICMP traffic, which is primarily used by the ping command. A normal network might have a few pings, but a long, steady stream of them is highly suspicious and suggests a covert channel might be in use.

How to use it: Simply type icmp into the filter bar and press Enter. The packet list will instantly update to show only the ping-related packets.

Filtering by IP Address

If you know the sender or receiver you’re interested in, you can filter for their IP address.

  * ip.addr == 8.8.8.8: Shows all packets going to OR from the IP address 8.8.8.8.
  * ip.src == 192.168.1.100: Shows only packets sent from 192.168.1.100 (in this example, your local machine).
  * ip.dst == 1.1.1.1: Shows only packets sent to the Cloudflare DNS server at 1.1.1.1.

You can also combine filters using logical operators like && (and), || (or), and ! (not).

  * icmp && ip.dst == 8.8.8.8: Shows only the ping packets that were sent to 8.8.8.8.

Inspecting the Payloads

Once you have filtered the traffic down to a manageable number of suspicious packets, the final step is to look inside them.

  1. Select a Packet: Click on a packet in the top pane.
  2. View the Details: The middle pane will now show you a detailed breakdown of that packet’s structure, from the Ethernet frame all the way up to the application data.
  3. Find the Data: For a protocol like ICMP, you’ll want to expand the “Internet Control Message Protocol” section. Inside, you will find the data payload.

In a normal ping, this data is just gibberish—a repeating sequence of letters. But in a steganographic message, this is where the secret is hidden. By clicking through the filtered packets one by one and examining the data payload of each, you can extract the hidden message, character by character.
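To make the two steps above concrete, here is an added, self-contained Python example (not Venatus code and not part of Wireshark) that does offline what the display filter bar and the packet details pane do interactively: it parses a classic libpcap file, applies the equivalent of `icmp && ip.dst == 8.8.8.8` and `ip.addr == 1.1.1.1`, and reads the ICMP data field of each remaining echo request. It assumes the classic pcap format with an Ethernet link type (a .pcapng file would need a different reader), and it assumes the stock ping payloads of 64-bit Linux iputils and Windows as its baseline for a “normal” ping. The capture it parses is constructed in the script itself, so nothing here comes from a real network.

```python
"""Offline stand-in for the Wireshark workflow: filter a capture, then read ICMP payloads."""
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP = 1
IPPROTO_UDP = 17
ICMP_ECHO_REQUEST = 8
# Baseline payloads a stock ping emits (assumption: 64-bit Linux iputils and Windows ping).
LINUX_PING_TAIL = bytes(range(0x10, 0x38))   # 40 pattern bytes that follow the 16-byte timeval
WINDOWS_PING_DATA = b"abcdefghijklmnopqrstuvwabcdefghi"


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    icmp_type: Optional[int]
    payload: bytes            # ICMP data field for ICMP; transport header + data otherwise


def _ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_frame(frame: bytes) -> Optional[Packet]:
    """Decode Ethernet -> IPv4 -> ICMP, the same layering the middle pane shows."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    body = ip[ihl:total_len]
    icmp_type, payload = None, body
    if proto == IPPROTO_ICMP and len(body) >= 8:
        icmp_type, payload = body[0], body[8:]   # skip type, code, checksum, id, seq
    return Packet(_ip_str(ip[12:16]), _ip_str(ip[16:20]), proto, icmp_type, payload)


def parse_pcap(data: bytes) -> list:
    """Walk a classic (non-pcapng) libpcap file whose link type is Ethernet."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("this example only handles Ethernet captures")
    packets, offset = [], 24
    while offset + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[offset:offset + 16])
        pkt = parse_frame(data[offset + 16:offset + 16 + incl_len])
        offset += 16 + incl_len
        if pkt is not None:
            packets.append(pkt)
    return packets


def display_filter(packets, icmp=False, ip_dst=None, ip_addr=None):
    """Same semantics as `icmp && ip.dst == X` / `ip.addr == X` in the filter bar."""
    return [p for p in packets
            if (not icmp or p.proto == IPPROTO_ICMP)
            and (ip_dst is None or p.dst == ip_dst)
            and (ip_addr is None or ip_addr in (p.src, p.dst))]


def looks_like_normal_ping(payload: bytes) -> bool:
    return payload == WINDOWS_PING_DATA or payload.endswith(LINUX_PING_TAIL)


def recover_covert_message(packets) -> str:
    """Concatenate the data field of every echo request whose payload is not a stock ping."""
    chunks = [p.payload.rstrip(b"\x00") for p in packets
              if p.icmp_type == ICMP_ECHO_REQUEST and not looks_like_normal_ping(p.payload)]
    return b"".join(chunks).decode("ascii", errors="replace")


# --- constructed sample capture (made up for this example, not a real recording) -------
def _frame(src, dst, proto, body):
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return struct.pack("!6s6sH", b"\xaa" * 6, b"\xbb" * 6, ETHERTYPE_IPV4) + ip_hdr + body


def _echo(src, dst, seq, data):
    return _frame(src, dst, IPPROTO_ICMP,
                  struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 0x1234, seq) + data)


def build_sample_pcap() -> bytes:
    host, dns, target = "192.168.1.100", "1.1.1.1", "8.8.8.8"
    # three ordinary Linux-style pings, one UDP datagram to port 53 (filler the filter should drop),
    # then three echo requests whose 8-byte data field carries pieces of a hidden text
    frames = [_echo(host, dns, i, struct.pack("<QQ", 1700000000, i) + LINUX_PING_TAIL) for i in range(3)]
    frames.append(_frame(host, dns, IPPROTO_UDP, struct.pack("!HHHH", 40000, 53, 20, 0) + b"\x00" * 12))
    secret = b"hidden in the ping data"
    frames += [_echo(host, target, 10 + i, secret[i:i + 8].ljust(8, b"\x00"))
               for i in range(0, len(secret), 8)]
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = [struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return header + b"".join(records)


if __name__ == "__main__":
    pkts = parse_pcap(build_sample_pcap())
    suspects = display_filter(pkts, icmp=True, ip_dst="8.8.8.8")
    print(f"{len(pkts)} packets, {len(suspects)} match icmp && ip.dst == 8.8.8.8")
    print("recovered:", recover_covert_message(suspects))
```

The `looks_like_normal_ping` check is the automated version of the "is this data just the usual repeating pattern?" judgement you make by eye in the details pane; anything that fails it is what you would click through by hand. To run it on a level's own file, replace `build_sample_pcap()` with the bytes of a classic .pcap (Wireshark can save a .pcapng capture in that format).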

Wireshark transforms the invisible, chaotic flow of the internet into a structured, searchable log of evidence. Learning to use its filters is like learning to ask the right questions—it’s the fundamental skill of any digital detective.