🦈 Wireshark Network Monitoring
Packet Capture & Deep Traffic Analysis
Install Wireshark to capture and analyze every packet your Mac sends and receives. Detect suspicious connections, malware beaconing, and data exfiltration in real time.
What is Wireshark?
Wireshark is the world's most popular network protocol analyzer. It lets you capture and inspect network traffic at the packet level.
- See every connection your Mac makes to the internet
- Detect malware beaconing to command-and-control servers
- Identify data exfiltration attempts
- Analyze suspicious DNS queries
- Verify encryption is working properly
⚠️ Advanced Tool Warning
Wireshark is a professional-grade tool. The interface can be overwhelming at first. This guide teaches the essentials for security monitoring.
Legal & Ethical Considerations
🚨 Important Legal Notice
Only capture traffic on networks you own or have explicit permission to monitor. Never intercept other people's communications.
Installation
1 Download Wireshark
- Go to wireshark.org/download.html
- Click macOS Arm 64-bit (M1/M2/M3) or Intel 64-bit
- Wait for download (~100MB)
2 Install Wireshark
- Open the downloaded .dmg file
- Drag Wireshark to Applications
- Important: also install the ChmodBPF package, which ships inside the same .dmg. Without it, Wireshark cannot open the capture devices as a normal user.
- Double-click Install ChmodBPF.pkg
- Enter your admin password when prompted
3 Grant Capture Permissions
- After installing ChmodBPF, log out and back in (or restart): group membership is only applied at login
- Open Wireshark from Applications
- You should see network interfaces listed
⚠️ No Interfaces?
Run in Terminal: sudo dseditgroup -o edit -a $(whoami) -t user access_bpf then log out and back in (or restart). This adds your user to access_bpf, the group that ChmodBPF gives read/write access to the /dev/bpf* capture devices.
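As an added check that is not part of the original guide, this POSIX shell script verifies the two things ChmodBPF is supposed to have set up: that your user is in the capture group and that the BPF devices are owned by that group with group read/write. The device path /dev/bpf*, the group name access_bpf and the file name bpf_check.sh are assumptions (the first two are what ChmodBPF configures by default).

```shell
#!/bin/sh
# Added example, not from the original guide or the Wireshark project.
# Assumptions: BPF devices are /dev/bpf*, the capture group is access_bpf
# (both are ChmodBPF defaults), and this file is saved as bpf_check.sh.

# in_group NAME: succeed if the current user is a member of group NAME.
# Membership is read at login, so a user just added with dseditgroup
# still fails here until they log out and back in.
in_group() {
    case " $(id -Gn) " in
        *" $1 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# group_rw FILE GROUP: succeed if FILE is owned by GROUP and its mode grants
# that group read and write (the second "rw" in crw-rw----). Parsed from
# ls -l, whose first four columns look the same on macOS/BSD and GNU.
group_rw() {
    line=$(ls -ld "$1") || return 1
    perm=$(printf '%s\n' "$line" | cut -c5-6)
    owner_group=$(printf '%s\n' "$line" | awk '{print $4}')
    [ "$perm" = "rw" ] && [ "$owner_group" = "$2" ]
}

# bpf_ready DIR GROUP: print every reason capture would fail for this user.
# Returns 0 only when all checks pass.
bpf_ready() {
    dir=${1:-/dev}
    grp=${2:-access_bpf}
    ok=0
    if ! in_group "$grp"; then
        echo "user $(id -un) is not in $grp: run the dseditgroup command, then log out and back in"
        ok=1
    fi
    found=0
    for dev in "$dir"/bpf*; do
        [ -e "$dev" ] || continue
        found=1
        if ! group_rw "$dev" "$grp"; then
            echo "$dev is not rw for group $grp: rerun Install ChmodBPF.pkg"
            ok=1
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no $dir/bpf* devices found"
        ok=1
    fi
    [ "$ok" -eq 0 ] && echo "capture permissions look correct"
    return "$ok"
}

# Run the check when executed directly as bpf_check.sh; stay quiet when sourced.
if [ "$(basename -- "$0")" = "bpf_check.sh" ]; then
    bpf_ready "$@"
fi
```

Save it as bpf_check.sh and run `sh bpf_check.sh`; a clean result means the "No Interfaces?" problem is not a permissions problem. The functions take the directory and group as arguments so the checks can be exercised on any directory, which is also how the script is tested.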
Network Interfaces
| Interface | Description |
|---|---|
| en0 | Primary interface (built-in Wi-Fi on most laptops) |
| en1 | Secondary interface (Ethernet adapter or Wi-Fi) |
| lo0 | Loopback (localhost-only traffic) |
| utun* | VPN tunnel interfaces |
Your First Capture
- Open Wireshark
- Double-click en0 (or your primary interface)
- Packets start appearing immediately
- Click red square to stop capture
- File → Save As to save capture
Essential Display Filters

Protocol Filters
| Filter | Shows |
|---|---|
| http | HTTP traffic (unencrypted) |
| dns | DNS queries and responses |
| tls | TLS (SSL) encrypted traffic |
| tcp | All TCP traffic |
| udp | All UDP traffic |
IP & Port Filters
| Filter | Shows |
|---|---|
| ip.addr == 192.168.1.100 | Traffic to or from that IP |
| tcp.port == 443 | Traffic on TCP port 443 (normally HTTPS) |
| tcp.port == 80 | Traffic on TCP port 80 (normally HTTP) |
| udp.port == 53 | DNS over UDP |
Combination Filters
http or dns # HTTP or DNS
ip.addr == 192.168.1.100 and tcp # TCP to or from a specific host
dns.qry.name contains "evil" # DNS queries whose name contains a string
http.request.method == "POST" # HTTP uploads (form posts, file uploads)
Following TCP Streams

- Click on an interesting packet
- Right-click → Follow → TCP Stream
- See the entire conversation reconstructed
- Red = client → server, Blue = server → client (the client is whichever side opened the connection, usually but not always your Mac)
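To make clear what Follow → TCP Stream is doing underneath, here is an added example (not code from the original guide or from Wireshark) that reconstructs one connection from individual segments: it splits the capture into the two directions, orders each by sequence number, drops retransmitted bytes and marks any hole left by a segment the capture missed. Sequence numbers are relative (first data byte = 1) as Wireshark displays them by default; the segments, addresses (RFC 5737 test networks) and HTTP exchange are constructed for the example.

```python
# Added example, not code from the original guide or from Wireshark.
# Relative sequence numbers (first data byte = 1); packet data is constructed.
from dataclasses import dataclass


@dataclass
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int        # relative sequence number of payload[0]
    payload: bytes


def reassemble(segments):
    """Order one direction's segments by seq, dropping duplicated bytes.

    A full retransmission (every byte already seen) is skipped, a partial
    overlap contributes only its new tail, and a hole left by a segment the
    capture missed is marked in the output rather than silently closed."""
    out = bytearray()
    nxt = None
    for seg in sorted(segments, key=lambda s: s.seq):
        if not seg.payload:
            continue                       # pure ACKs carry no stream bytes
        end = seg.seq + len(seg.payload)
        if nxt is None:
            nxt = seg.seq
        if end <= nxt:
            continue                       # retransmission: already have it
        if seg.seq < nxt:
            out += seg.payload[nxt - seg.seq:]   # partial overlap, keep the new tail
        else:
            if seg.seq > nxt:
                out += b"[%d bytes missing from capture]" % (seg.seq - nxt)
            out += seg.payload
        nxt = end
    return bytes(out)


def follow_stream(segments, client_ip, client_port):
    """Return both directions of one connection, like Wireshark's
    Follow > TCP Stream: red = client to server, blue = server to client."""
    c2s = [s for s in segments if (s.src, s.sport) == (client_ip, client_port)]
    s2c = [s for s in segments if (s.dst, s.dport) == (client_ip, client_port)]
    return {"client_to_server": reassemble(c2s),
            "server_to_client": reassemble(s2c)}


# Constructed capture: a tiny HTTP exchange whose server reply arrived out of
# order and was partly retransmitted. Addresses are RFC 5737 test networks.
C, S = ("192.0.2.10", 51000), ("203.0.113.5", 80)
CAPTURE = [
    Segment(*C, *S, 1,  b"GET /login HTTP/1.1\r\n"),
    Segment(*S, *C, 18, b"Content-Length: 2\r\n\r\n"),   # arrived before seq 1
    Segment(*C, *S, 22, b"Host: www.example.com\r\n\r\n"),
    Segment(*S, *C, 1,  b"HTTP/1.1 200 OK\r\n"),
    Segment(*S, *C, 1,  b"HTTP/1.1 200 OK\r\n"),         # retransmission
    Segment(*S, *C, 39, b"ok"),
    Segment(*C, *S, 47, b""),                            # final ACK, no data
]

if __name__ == "__main__":
    for direction, data in follow_stream(CAPTURE, *C).items():
        print(direction, data)
```

The same idea is why a stream reconstructed from a lossy capture (a busy Wi-Fi interface, or a span port dropping frames) can show gaps: the bytes were never captured, and no amount of reassembly recovers them.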
Detecting Suspicious Traffic

🚩 Unusual DNS Queries
Filter: dns. Look for random-looking (encoded) hostnames, a high volume of queries for unique subdomains of one domain, very long labels, and many NXDOMAIN responses in a row (a sign of domain-generation algorithms).
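The indicators above can be checked mechanically over a list of query names. This added example (not from the original guide) scores each domain for long labels, high-entropy labels that look like encoded data, and many unique subdomains under one domain, which is how DNS tunnelling and exfiltration look in a capture. The thresholds, the two-label "registered domain" rule, and the tshark export command in the docstring are assumptions to tune against your own baseline; the query names are constructed from RFC 2606 reserved example domains.

```python
# Added example, not from the original guide. Thresholds are assumptions.
import math
from collections import defaultdict

LONG_LABEL = 30           # chars; human-chosen labels are rarely this long
HIGH_ENTROPY = 3.5        # bits/char; hex or base32 payloads sit near 4-5 bits
MIN_LABEL_FOR_ENTROPY = 12
MANY_SUBDOMAINS = 5       # distinct subdomains of one domain from one host


def label_entropy(label):
    """Shannon entropy of a label in bits per character."""
    if not label:
        return 0.0
    n = len(label)
    counts = {}
    for ch in label:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(name):
    """Last two labels, e.g. 'example.com'. Assumption: a real tool would
    consult the public suffix list so that 'co.uk'-style zones are handled."""
    return ".".join(name.split(".")[-2:])


def score_dns(query_names):
    """Return {registered_domain: [reasons]} for domains worth a closer look.

    query_names: dns.qry.name values from a capture, e.g. exported with
    tshark -r capture.pcapng -Y "dns.flags.response == 0" -T fields -e dns.qry.name
    """
    reasons = defaultdict(set)
    subdomains = defaultdict(set)
    for raw in query_names:
        name = raw.rstrip(".").lower()
        labels = name.split(".")
        domain = registered_domain(name)
        if len(labels) > 2:
            subdomains[domain].add(".".join(labels[:-2]))
        if any(len(lbl) > LONG_LABEL for lbl in labels):
            reasons[domain].add("long_label")
        first = labels[0]
        if len(first) >= MIN_LABEL_FOR_ENTROPY and label_entropy(first) > HIGH_ENTROPY:
            reasons[domain].add("high_entropy_label")
    for domain, subs in subdomains.items():
        if len(subs) >= MANY_SUBDOMAINS:
            reasons[domain].add("many_unique_subdomains")
    return {d: sorted(r) for d, r in reasons.items()}


# Constructed queries: ordinary lookups plus a burst of encoded-looking
# subdomains of one domain, the shape of a DNS tunnel or exfiltration channel.
HEX_CHUNK = "3a9f1c7e5b2d8046e6c2b4a81d0f9735"   # 32 chars, each hex digit twice
SAMPLE_QUERIES = [
    "www.example.com", "api.example.com", "mail.example.org", "ntp.example.org",
] + [HEX_CHUNK[i:] + HEX_CHUNK[:i] + ".t.example.net" for i in (0, 5, 10, 15, 20, 25)]

if __name__ == "__main__":
    for domain, why in score_dns(SAMPLE_QUERIES).items():
        print(domain, why)
```

Expect false positives from CDNs and telemetry services that legitimately use many hashed subdomains; the value of the script is in surfacing the short list to look at, not in deciding on its own.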
🚩 Beaconing Behavior
Regular, periodic connections to the same IP (every 30 s, 60 s, or any fixed interval, often with a little jitter) carrying small payloads. Filter on ip.addr for the suspect host and set View → Time Display Format → Seconds Since Previous Displayed Packet: a beacon shows nearly the same value repeated down the Time column.
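Scanning the Time column by eye works for one host; the added example below (not from the original guide) does the same test for every destination in a capture. For each remote address it measures how regular the gaps between packets are: a beacon gives many near-identical intervals (low standard deviation relative to the mean), while browsing gives bursts and long silences. The thresholds and the tshark export command in the docstring are assumptions; the records are constructed with RFC 5737 test addresses.

```python
# Added example, not from the original guide. Thresholds are assumptions.
import statistics
from collections import defaultdict


def find_beacons(records, min_count=6, max_cv=0.15):
    """records: (timestamp_seconds, dst_ip, frame_len) tuples, e.g. from
    tshark -r capture.pcapng -T fields -e frame.time_epoch -e ip.dst -e frame.len

    Returns {dst_ip: stats} for destinations contacted at least min_count
    times whose inter-packet gaps have std-dev/mean (CV) at most max_cv."""
    by_dst = defaultdict(list)
    for ts, dst, length in records:
        by_dst[dst].append((float(ts), int(length)))
    hits = {}
    for dst, pkts in by_dst.items():
        if len(pkts) < min_count:
            continue                      # too few samples to call periodic
        pkts.sort()
        times = [t for t, _ in pkts]
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits[dst] = {
                "count": len(pkts),
                "mean_interval": round(mean, 2),
                "cv": round(cv, 3),
                "bytes": sum(length for _, length in pkts),
            }
    return hits


# Constructed records: one host was checked in roughly every 60 s with a
# little jitter, another was contacted in irregular bursts, a third only a
# few times.
SAMPLE_RECORDS = [
    (0.0, "203.0.113.5", 312), (60.4, "203.0.113.5", 310), (119.8, "203.0.113.5", 315),
    (180.1, "203.0.113.5", 311), (240.6, "203.0.113.5", 309), (299.9, "203.0.113.5", 314),
    (360.2, "203.0.113.5", 312), (420.0, "203.0.113.5", 313),
    (0.0, "198.51.100.7", 1400), (2.1, "198.51.100.7", 1400), (2.4, "198.51.100.7", 520),
    (15.0, "198.51.100.7", 1400), (16.2, "198.51.100.7", 88), (90.5, "198.51.100.7", 1400),
    (91.0, "198.51.100.7", 1400), (200.3, "198.51.100.7", 64),
    (5.0, "192.0.2.44", 90), (65.0, "192.0.2.44", 90), (125.0, "192.0.2.44", 90),
]

if __name__ == "__main__":
    for dst, stats in find_beacons(SAMPLE_RECORDS).items():
        print(dst, stats)
```

Implants commonly add deliberate jitter to their sleep interval, so max_cv should not be set too tight; conversely, legitimate software (update checks, NTP, mail polling) is also periodic, so a hit is a lead to investigate with Follow → TCP Stream, not a verdict.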
🚩 Unencrypted Sensitive Data
Filter: http — Passwords or credentials in plain text over HTTP.
🚩 Unusual Ports
Traffic on non-standard ports: for example TLS on a port other than 443, or HTTP on a high port. Wireshark picks the dissector by port, so such traffic may show up as plain TCP data; use Analyze → Decode As to force the right protocol and inspect it.
Useful Statistics
- Statistics → Conversations: All IP pairs, sorted by data volume
- Statistics → Endpoints: All IPs your Mac contacted
- Statistics → Protocol Hierarchy: Protocol breakdown
- Statistics → DNS: All DNS queries summary
Quick Reference Filters
# DNS queries
dns
# HTTP traffic
http
# Traffic to/from IP
ip.addr == 192.168.1.100
# Exclude traffic within 192.168.0.0/16 (the other private ranges, 10.0.0.0/8 and 172.16.0.0/12, are not excluded by this)
!(ip.addr == 192.168.0.0/16)
# HTTP POST requests
http.request.method == "POST"
# Reset (refused or aborted) connections
tcp.flags.reset == 1
# Large frames (near the Ethernet MTU; a sustained run suggests a bulk transfer)
frame.len > 1400
Summary
- ✅ Wireshark installed with capture permissions
- ✅ Essential display filters for security analysis
- ✅ Ability to follow TCP streams
- ✅ Knowledge of suspicious traffic patterns
- ✅ Statistics views for traffic analysis
🎉 You're Now a Network Detective
With Wireshark, you can see exactly what's happening on your network. Use this power responsibly and ethically.