Ridgeline Skill

For SOC Analysts, IR Practitioners, and Threat Hunters

Wireshark for Security Analysts

Focused skills. One thing, learned properly.

Learn to use Wireshark and tshark for security investigations — not network troubleshooting. Every filter and analysis technique targets the questions security analysts need answered: what data was sent, what protocol was used, and what the C2 communication looks like.

Content last updated: April 2026

Sections

WS0.1
Capture Setup and Interface — Wireshark interface orientation: packet list, packet details, packet bytes. Capture filters (BPF syntax) vs display filters. Capturing on the right interface. Ring buffers for continuous capture. tshark for headless capture. tcpdump for remote capture and piping to Wireshark.
WS0.2
Display Filters for Security Analysis — The 30 display filters every security analyst needs: IP/port/protocol filtering, DNS query analysis, HTTP request extraction, TLS certificate inspection, SMB share access, authentication protocol filtering, and time-based analysis. Building complex filters with AND/OR/NOT. Filter bookmarks for reuse.
WS0.3
Protocol Analysis for Threat Detection — DNS: query patterns, tunnelling indicators, DGA domain detection. HTTP/HTTPS: request methods, user agents, POST data, certificate analysis. SMB: share enumeration, lateral movement, file transfer. Kerberos: ticket requests, AS-REQ/TGS-REQ patterns, Kerberoasting indicators.
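The DNS tunnelling indicators listed for WS0.3 (long encoded subdomains, many distinct subdomains under one parent, high character entropy) can be scored directly from a tshark field export. The following is an added example, not course material or code from any tool the course covers. It assumes the input was produced by `tshark -r capture.pcap -Y "dns.flags.response == 0" -T fields -e frame.time_epoch -e ip.src -e dns.qry.name` (real tshark fields); the sample lines, addresses, domains and thresholds are constructed for illustration, and the two-label "parent domain" split is a simplification that needs a public-suffix-list lookup for names such as example.co.uk.

```python
import math
from collections import defaultdict

# Constructed sample standing in for the output of
#   tshark -r capture.pcap -Y "dns.flags.response == 0" \
#          -T fields -e frame.time_epoch -e ip.src -e dns.qry.name
# Addresses and domains are documentation/example values, not from a real capture.
SAMPLE_DNS_EXPORT = """\
1714550400.10\t10.20.0.15\twww.example.com
1714550400.40\t10.20.0.15\tcdn.example.com
1714550401.00\t10.20.0.23\t3q7zjk2x9p4vwe8rt1n5m6ya.c2-example.net
1714550401.50\t10.20.0.23\tkz5v8q1wm2xr7t3y9nb4p6je.c2-example.net
1714550402.00\t10.20.0.23\tp9x2tq7vb4n1mk6zw3r8yj5e.c2-example.net
1714550402.50\t10.20.0.23\tm4b7nq1zk9x2tr5wv8yp3j6e.c2-example.net
1714550403.00\t10.20.0.15\tmail.example.com
"""

# Assumed thresholds: tune against a baseline of the site's own DNS traffic.
MIN_UNIQUE_SUBDOMAINS = 4    # a tunnel needs many distinct encoded labels
MIN_MEAN_SUBDOMAIN_LEN = 20  # encoded data makes the subdomain part long
MIN_MEAN_ENTROPY = 3.5       # bits per char; base32/base64-like text sits above this


def parse_tshark_fields(text):
    """Split tshark -T fields output (tab separated) into rows; skip short/blank lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) >= 3 and parts[2]:
            rows.append((float(parts[0]), parts[1], parts[2]))
    return rows


def shannon_entropy(s):
    """Shannon entropy of a string in bits per character."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (parent, subdomain); parent = last two labels (simplification,
    a public-suffix-list lookup is needed for names like example.co.uk)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def profile_parents(rows):
    """Per parent domain: query count, distinct subdomains, mean length/entropy
    of the distinct subdomain strings."""
    acc = defaultdict(lambda: {"queries": 0, "subs": set(), "lens": [], "ents": []})
    for _ts, _src, qname in rows:
        parent, sub = split_name(qname)
        p = acc[parent]
        p["queries"] += 1
        if sub and sub not in p["subs"]:
            p["subs"].add(sub)
            p["lens"].append(len(sub))
            p["ents"].append(shannon_entropy(sub))
    profile = {}
    for parent, p in acc.items():
        n = len(p["subs"])
        profile[parent] = {
            "queries": p["queries"],
            "unique_subdomains": n,
            "mean_len": sum(p["lens"]) / n if n else 0.0,
            "mean_entropy": sum(p["ents"]) / n if n else 0.0,
        }
    return profile


def tunnelling_candidates(rows):
    """Parent domains whose subdomain population looks like encoded data."""
    flagged = []
    for parent, stats in profile_parents(rows).items():
        if (stats["unique_subdomains"] >= MIN_UNIQUE_SUBDOMAINS
                and stats["mean_len"] >= MIN_MEAN_SUBDOMAIN_LEN
                and stats["mean_entropy"] >= MIN_MEAN_ENTROPY):
            flagged.append(parent)
    return sorted(flagged)


if __name__ == "__main__":
    rows = parse_tshark_fields(SAMPLE_DNS_EXPORT)
    for parent, stats in profile_parents(rows).items():
        print(parent, stats)
    print("tunnelling candidates:", tunnelling_candidates(rows))
```

Entropy alone is a weak signal (CDN hostnames and DGA domains both score high); it is the combination of many distinct, long, high-entropy subdomains under one parent, usually with TXT or NULL responses, that points at a tunnel rather than a busy legitimate zone.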
WS0.4
Identifying C2 Traffic and Data Exfiltration — C2 beacon patterns: regular intervals, consistent packet sizes, HTTP POST with encoded payloads. DNS C2: long subdomain queries, TXT record responses. HTTPS C2: JA3/JA3S fingerprints, certificate anomalies. Data exfiltration indicators: large outbound transfers, unusual protocols, DNS tunnelling volume. Applied to the INC-2026-0501 beacon traffic.
WS0.5
tshark for Automated Analysis — Command-line packet analysis with tshark. Extracting fields, statistics, and conversations. Batch processing multiple PCAPs. Automated IOC extraction from captures. Integration with Zeek/Suricata output. Building tshark one-liners for common security questions.
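The beacon indicators in WS0.4 (regular check-in intervals, near-constant request sizes) and the WS0.5 workflow of feeding a tshark field export into a script come together in the following added example. It is not course material or code from Wireshark itself. It assumes the input was produced by `tshark -r capture.pcap -Y "http.request" -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport -e frame.len` (real tshark fields); the sample lines, addresses and thresholds are constructed, and the coefficient-of-variation cut-offs are assumptions to be tuned against local traffic. Interval regularity is measured with the population standard deviation divided by the mean, so a beacon with a few percent of sleep jitter still scores low while interactive browsing scores high.

```python
import statistics
from collections import defaultdict

# Constructed sample standing in for the output of
#   tshark -r capture.pcap -Y "http.request" \
#          -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport -e frame.len
# A 60 s beacon with roughly +/-2 s jitter from 10.20.0.23, interleaved with
# ordinary browsing from 10.20.0.15. Addresses are documentation ranges, not a real capture.
SAMPLE_HTTP_EXPORT = "\n".join([
    "1714550400.000\t10.20.0.23\t203.0.113.7\t80\t412",
    "1714550400.500\t10.20.0.15\t198.51.100.9\t80\t210",
    "1714550403.500\t10.20.0.15\t198.51.100.9\t80\t980",
    "1714550408.000\t10.20.0.15\t198.51.100.9\t80\t1450",
    "1714550430.500\t10.20.0.15\t198.51.100.9\t80\t305",
    "1714550431.500\t10.20.0.15\t198.51.100.9\t80\t60",
    "1714550460.000\t10.20.0.23\t203.0.113.7\t80\t412",
    "1714550495.500\t10.20.0.15\t198.51.100.9\t80\t1200",
    "1714550521.000\t10.20.0.23\t203.0.113.7\t80\t418",
    "1714550580.000\t10.20.0.23\t203.0.113.7\t80\t412",
    "1714550640.000\t10.20.0.23\t203.0.113.7\t80\t412",
    "1714550700.500\t10.20.0.15\t198.51.100.9\t80\t640",
    "1714550702.000\t10.20.0.23\t203.0.113.7\t80\t415",
    "1714550760.000\t10.20.0.23\t203.0.113.7\t80\t412",
    "1714550820.000\t10.20.0.23\t203.0.113.7\t80\t412",
    "1714550881.000\t10.20.0.23\t203.0.113.7\t80\t418",
])

# Assumed thresholds; tune against a baseline of the site's own traffic.
MIN_EVENTS = 6          # fewer check-ins give unreliable interval statistics
MAX_INTERVAL_CV = 0.25  # sleep jitter of a few percent stays well under this
MAX_SIZE_CV = 0.10      # idle check-ins carry little data, so sizes barely move


def parse_conversations(text):
    """Group tshark rows by (src, dst, dstport); keep sorted (time, length) events."""
    conv = defaultdict(list)
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 5 or not parts[4]:
            continue
        ts, src, dst, dport, length = parts[:5]
        conv[(src, dst, dport)].append((float(ts), int(length)))
    for events in conv.values():
        events.sort()
    return conv


def coefficient_of_variation(values):
    """Population stdev / mean: 0 for a constant series, inf for a zero mean."""
    mean = statistics.mean(values)
    if mean == 0:
        return float("inf")
    return statistics.pstdev(values) / mean


def conversation_stats(events):
    """Interval and size regularity for one conversation (needs >= 2 events)."""
    times = [t for t, _ in events]
    sizes = [s for _, s in events]
    intervals = [b - a for a, b in zip(times, times[1:])]
    return {
        "events": len(events),
        "mean_interval": statistics.mean(intervals),
        "interval_cv": coefficient_of_variation(intervals),
        "size_cv": coefficient_of_variation(sizes),
    }


def beacon_candidates(conv):
    """Conversations with enough events whose timing and sizes are both regular,
    most regular first."""
    flagged = []
    for key, events in conv.items():
        if len(events) < MIN_EVENTS:
            continue
        stats = conversation_stats(events)
        if stats["interval_cv"] <= MAX_INTERVAL_CV and stats["size_cv"] <= MAX_SIZE_CV:
            stats["conversation"] = key
            flagged.append(stats)
    return sorted(flagged, key=lambda s: s["interval_cv"])


if __name__ == "__main__":
    for c in beacon_candidates(parse_conversations(SAMPLE_HTTP_EXPORT)):
        src, dst, port = c["conversation"]
        print(f"{src} -> {dst}:{port} events={c['events']} "
              f"mean_interval={c['mean_interval']:.1f}s "
              f"interval_cv={c['interval_cv']:.3f} size_cv={c['size_cv']:.3f}")
```

For HTTPS C2 the same grouping works on a `tls.handshake.type == 1` export (one ClientHello per check-in) with the conversation keyed on JA3 as well as endpoints; the size dimension then has to come from TLS record lengths rather than the request frame. Software updaters and telemetry agents also beacon, so a hit is a lead to pivot on (destination, certificate, user agent, URI), not a verdict.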
Lab
Guided Lab: Analyse the INC-2026-0501 Network Capture — A PCAP from the NE-WS-042 network tap during the INC-2026-0501 incident. Identify the beacon traffic, extract C2 indicators (IP, domain, URI, user agent, JA3), find the credential theft traffic, map the lateral movement, and quantify the data exfiltration. Produce a network forensics summary for the IR report.