
Wireshark packet capture basics in Cybersecurity - Cheat Sheet & Quick Revision

Recall & Review
beginner
What is Wireshark?
Wireshark is a free tool used to capture and analyze network packets. It helps you see what data is moving through a network in real time.
beginner
What is a packet in networking?
A packet is a small piece of data sent over a network. It contains information like sender, receiver, and the actual message.
beginner
How do you start capturing packets in Wireshark?
You select the network interface (like Wi-Fi or Ethernet) in Wireshark and click the start button to begin capturing packets.
beginner
What is a filter in Wireshark?
A filter helps you see only the packets you want by setting rules, like showing only web traffic or packets from a specific IP address.
beginner
Why is it important to stop capturing packets after you finish?
Stopping capture saves system resources and prevents collecting too much data, which can be hard to analyze and may include sensitive information.
What does Wireshark primarily do?
A. Captures and analyzes network packets
B. Blocks unwanted network traffic
C. Encrypts network data
D. Creates network connections
Which of these is needed to start capturing packets in Wireshark?
A. Close all other programs
B. Select a network interface
C. Restart the computer
D. Enter a password
What is the purpose of a filter in Wireshark?
A. To delete captured packets
B. To speed up the internet
C. To show only specific packets
D. To change packet contents
What information does a network packet usually contain?
A. Only the sender's name
B. User passwords only
C. The entire website content
D. Sender, receiver, and data
Why should you stop capturing packets when done?
A. To save system resources and avoid too much data
B. To delete Wireshark from the computer
C. To disconnect from the internet
D. To speed up the network
Explain what Wireshark does and why it is useful for network analysis.
Think about how you can see what data moves through your internet connection.
Describe the steps to start and stop a packet capture in Wireshark.
Focus on the buttons and choices you make in the Wireshark interface.

      Practice

      1. What is the primary purpose of Wireshark in cybersecurity?
      easy
      A. To capture and analyze network packets in real time
      B. To encrypt network traffic for security
      C. To block unauthorized network access
      D. To create virtual private networks (VPNs)

      Solution

      1. Step 1: Understand Wireshark's function

        Wireshark is a tool designed to capture and display network packets as they travel through a network.
      2. Step 2: Identify the correct purpose

        Among the options, only capturing and analyzing packets matches Wireshark's main use.
      3. Final Answer:

        To capture and analyze network packets in real time -> Option A
      4. Quick Check:

        Wireshark captures packets = To capture and analyze network packets in real time [OK]
      Hint: Wireshark shows network data live; it does not encrypt or block it [OK]
      Common Mistakes:
      • Confusing Wireshark with firewall or VPN tools
      • Thinking Wireshark encrypts data
      • Assuming Wireshark blocks traffic
      2. Which of the following is the correct way to start a packet capture in Wireshark?
      easy
      A. Click on 'File' then 'Open Capture'
      B. Click on 'Capture' then 'Start'
      C. Click on 'Analyze' then 'Filter'
      D. Click on 'Edit' then 'Preferences'

      Solution

      1. Step 1: Identify the menu for starting capture

        In Wireshark, the 'Capture' menu contains options to start or stop capturing packets.
      2. Step 2: Match the correct action

        Clicking 'Capture' then 'Start' begins the live packet capture process.
      3. Final Answer:

        Click on 'Capture' then 'Start' -> Option B
      4. Quick Check:

        Start capture via Capture menu = Click on 'Capture' then 'Start' [OK]
      Hint: Start capture under 'Capture' menu, not 'File' or 'Edit' [OK]
      Common Mistakes:
      • Choosing 'File' to start capture instead of 'Capture'
      • Confusing 'Analyze' with starting capture
      • Looking in 'Edit' menu for capture options
      3. Consider the following Wireshark filter: ip.src == 192.168.1.10. What does this filter do?
      medium
      A. Shows packets where the destination IP is 192.168.1.10
      B. Shows packets with any IP address except 192.168.1.10
      C. Shows packets where the source IP is 192.168.1.10
      D. Shows packets where either source or destination IP is 192.168.1.10

      Solution

      1. Step 1: Understand the filter syntax

        The filter ip.src == 192.168.1.10 means packets where the source IP address equals 192.168.1.10.
      2. Step 2: Match filter meaning to options

        Only "Shows packets where the source IP is 192.168.1.10" correctly describes packets with source IP 192.168.1.10.
      3. Final Answer:

        Shows packets where the source IP is 192.168.1.10 -> Option C
      4. Quick Check:

        ip.src filter = source IP = Shows packets where the source IP is 192.168.1.10 [OK]
      Hint: ip.src means source IP, ip.dst means destination IP [OK]
      Common Mistakes:
      • Confusing source IP with destination IP
      • Assuming filter matches both source and destination
      • Thinking filter excludes the IP address
      4. You tried to filter packets with tcp.port == 80 but no packets appear. What could be a likely reason?
      medium
      A. Port 80 is not used for TCP traffic
      B. The filter syntax is incorrect
      C. Wireshark does not support filtering by port
      D. You captured packets on the wrong network interface

      Solution

      1. Step 1: Check filter syntax correctness

        The filter tcp.port == 80 is valid syntax to filter TCP packets on port 80.
      2. Step 2: Consider capture context

        If no packets appear, a common cause is capturing on the wrong network interface where no HTTP traffic (port 80) passes.
      3. Final Answer:

        You captured packets on the wrong network interface -> Option D
      4. Quick Check:

        Wrong interface capture = no matching packets = You captured packets on the wrong network interface [OK]
      Hint: No packets? Check that you are capturing on the correct network interface [OK]
      Common Mistakes:
      • Assuming filter syntax is wrong without checking
      • Believing Wireshark can't filter by port
      • Thinking port 80 is not TCP by default
      5. You want to capture only HTTP traffic from a specific device with IP 10.0.0.5 using Wireshark. Which filter should you apply?
      hard
      A. ip.addr == 10.0.0.5 and tcp.port == 80
      B. ip.src == 10.0.0.5 or ip.dst == 10.0.0.5 and tcp.port == 80
      C. ip.addr == 10.0.0.5 or tcp.port == 80
      D. ip.src == 10.0.0.5 and tcp.port == 80

      Solution

      1. Step 1: Define the filter requirements

        You want packets where the device IP is either source or destination and the traffic is HTTP (TCP port 80).
      2. Step 2: Analyze each filter option

        ip.addr == 10.0.0.5 and tcp.port == 80 uses ip.addr == 10.0.0.5 which matches source or destination IP, combined with tcp.port == 80 to filter HTTP traffic. This matches the requirement exactly.
      3. Step 3: Identify issues in other options

        ip.src == 10.0.0.5 or ip.dst == 10.0.0.5 and tcp.port == 80 lacks parentheses; because 'and' binds more tightly than 'or' in Wireshark display filters, it is read as ip.src == 10.0.0.5 or (ip.dst == 10.0.0.5 and tcp.port == 80), so every packet sent by 10.0.0.5 matches regardless of port. ip.addr == 10.0.0.5 or tcp.port == 80 matches any packet involving 10.0.0.5 or any TCP port 80 packet, which is too broad. ip.src == 10.0.0.5 and tcp.port == 80 only matches packets where 10.0.0.5 is the source, missing the packets sent to it.
      4. Final Answer:

        ip.addr == 10.0.0.5 and tcp.port == 80 -> Option A
      5. Quick Check:

        ip.addr covers both ends + tcp.port 80 = ip.addr == 10.0.0.5 and tcp.port == 80 [OK]
      Hint: Use ip.addr for both source/destination IPs in filters [OK]
      Common Mistakes:
      • Not using parentheses causing wrong logic in filters
      • Using only ip.src or ip.dst missing half the traffic
      • Using 'or' instead of 'and' causing too many packets