Wireshark Packet Analysis: From Raw Traffic to Meaningful Insights (TryHackMe Walkthrough)

How packet-level analysis reveals what logs can't

Introduction

In cybersecurity, logs often provide a summarized view of events, but they don't always tell the full story.

To truly understand what's happening in a network, analysts need to go deeper, down to the packet level.

In this walkthrough of the Wireshark: Packet Operations room on TryHackMe, I explored how raw network traffic can be analyzed, filtered, and transformed into actionable insights using Wireshark.

This process closely mirrors real-world scenarios in incident response and network forensics, where analysts must sift through massive volumes of data to uncover meaningful patterns.

Starting with the Big Picture: Traffic Statistics

Figure: Initial packet capture loaded in Wireshark, showing overall traffic before applying filters.

Before diving into individual packets, I began by analyzing the overall traffic using Wireshark's Statistics menu.

This provided a high-level understanding of:

  • Active protocols
  • Communication patterns
  • Key endpoints

Key Observations

  • Most active destination IP: 10.100.1.33
  • Total IPv4 conversations: 436
  • Significant traffic volume tied to specific endpoints

Using Statistics → Resolved Addresses, I was able to map IPs to the hostnames Wireshark had learned (for example from DNS responses inside the capture), making it easier to identify accessed resources.

Key Insight

Packet analysis should always start with context. Statistics help identify where to focus before diving deeper.

Protocol-Level Analysis

Once the traffic landscape was clear, I moved into protocol-specific analysis.

DNS Analysis

By inspecting DNS statistics, I identified:

  • Query vs response patterns
  • Query types (A, AAAA, PTR)
  • Maximum response time: 0.467897 seconds
Figure: DNS statistics showing query distribution and request-response timings within the captured traffic.

This helps in identifying:

  • Latency anomalies
  • Potentially suspicious DNS activity, such as unusual query types, volumes or response times

HTTP Analysis

HTTP traffic revealed:

  • Request distribution
  • Frequently accessed hosts

One notable finding:

  • 39 HTTP requests were sent to the host rad.msn.com (visible under Statistics → HTTP → Requests, or with the display filter http.host == "rad.msn.com")
Figure: Filtering HTTP traffic by host to identify frequent communication with a specific domain.

Key Insight

Not all traffic matters; protocol analysis helps isolate the most relevant data.

Packet Filtering: The Core Skill

Raw packet captures are massive and noisy. Filtering is what makes analysis possible.

Capture vs Display Filters

  • Capture filters → control what gets recorded. They are set before the capture starts, use BPF syntax (the same syntax as tcpdump), and cannot be changed without restarting the capture.
  • Display filters → control what gets analyzed. They are applied to an already captured trace, use Wireshark's own field-based syntax, and can be changed at any time without losing data.

Example: tcp.port == 80 (display filter) corresponds to tcp port 80 (capture filter). The two syntaxes are not interchangeable; a display filter typed into the capture filter box will be rejected.

Filtering by Conditions

I applied filters to extract meaningful insights:

  • Packets with TTL < 10 (ip.ttl < 10) → 66 packets
Figure: Filtering packets based on TTL values to identify unusual network behavior.
  • TCP port 4444 traffic (tcp.port == 4444, which matches either the source or the destination port; 4444 is the default Metasploit listener port and is often seen in reverse-shell traffic) → 632 packets
Figure: Filtering traffic by specific TCP ports to identify potentially suspicious communication.
  • HTTP GET requests (http.request.method == "GET") → 527 packets
Figure: Filtering HTTP GET requests to analyze web traffic patterns.
  • DNS A queries (dns.qry.type == 1; note that responses repeat the question section, so add dns.flags.response == 0 to count queries only) → 51 packets
Figure: Filtering DNS A record queries to analyze domain resolution activity.

Key Insight

Filtering is what transforms raw packet data into actionable intelligence.

Advanced Filtering Techniques

This is where Wireshark becomes a powerful investigation tool.

Content-Based Filtering

http.server contains "Microsoft-IIS" → Identified IIS-based servers

Figure: Identifying server technologies using content-based filtering.

Version Matching

http.server matches "7.5" → Identified responses whose Server header matches the regular expression 7.5 (for example Microsoft-IIS/7.5). Unlike contains, matches takes a case-insensitive Perl-compatible regular expression, so the unescaped dot matches any single character and this pattern also catches strings such as 7x5. To match the literal version string, escape the dot; because Wireshark processes backslash escapes inside string literals, that is written "7\\.5".

Figure: Extracting specific server versions using pattern matching filters.

TTL Pattern Analysis

string(ip.ttl) matches "[02468]$" → Filtered packets with even TTL values

Figure: Using pattern matching on TTL values to identify specific packet characteristics.

Protocol Integrity Checks

tcp.checksum.status == 0 → Identified packets whose TCP checksum failed validation (34185 total). The status values are 0 = bad, 1 = good and 2 = unverified; Wireshark only validates TCP checksums when the TCP preference "Validate the TCP checksum if possible" is enabled, otherwise every packet reports status 2 and this filter matches nothing. A very large bad-checksum count usually points to checksum offloading on the capturing host (the NIC fills in the checksum after the packet was copied to Wireshark) rather than to corruption on the wire, so check where the capture was taken before treating it as an anomaly.

Figure: Identifying packets with invalid TCP checksums, which may indicate anomalies or capture artifacts.
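To show what is actually being evaluated by the filters in Filtering by Conditions above, by the TTL pattern match and by tcp.checksum.status, here is an added example of my own (not code from the TryHackMe room or from Wireshark). It builds a four-frame Ethernet/IPv4/TCP capture in memory, which is a constructed assumption rather than the room's traffic, dissects the headers into Wireshark-style field names, recomputes each TCP checksum over the pseudo-header the way Wireshark's checksum validation does, and then counts the packets each display filter would select. It also computes the IPv4 conversation count and busiest destination from the Statistics section. Hosts, ports and payloads are illustrative; one frame carries a deliberately corrupted checksum.

```python
import re
import struct
from collections import Counter


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum, shared by the IPv4 header and the TCP pseudo-header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_frame(src, dst, sport, dport, ttl, payload=b"", corrupt=False):
    """Hand-build an Ethernet/IPv4/TCP frame; corrupt=True flips bits in the TCP checksum."""
    src_b, dst_b = bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, len(tcp))
    csum = ones_complement_sum(pseudo + tcp)
    if corrupt:
        csum ^= 0x1234
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, ttl, 6, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp  # zeroed MACs, EtherType IPv4


def pcap_bytes(frames):
    """Wrap frames in a classic little-endian pcap (linktype 1 = Ethernet)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = [struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return header + b"".join(records)


# Constructed sample capture (assumption: not the room's traffic). Hosts and
# ports are illustrative; the last frame carries a deliberately bad TCP checksum.
SAMPLE_PCAP = pcap_bytes([
    build_tcp_frame("10.10.1.5", "198.51.100.7", 50123, 4444, ttl=6, payload=b"id\n"),
    build_tcp_frame("198.51.100.7", "10.10.1.5", 4444, 50123, ttl=63, payload=b"uid=0(root)\n"),
    build_tcp_frame("10.10.1.5", "10.100.1.33", 50124, 80, ttl=128, payload=b"GET / HTTP/1.1\r\n\r\n"),
    build_tcp_frame("10.100.1.33", "10.10.1.5", 80, 50124, ttl=64, corrupt=True),
])


def dissect(pcap: bytes):
    """Yield a dict of Wireshark-style field names for every TCP-over-IPv4 frame."""
    endian = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"
    offset = 24
    while offset + 16 <= len(pcap):
        _, _, caplen, _ = struct.unpack(endian + "IIII", pcap[offset:offset + 16])
        frame = pcap[offset + 16:offset + 16 + caplen]
        offset += 16 + caplen
        if frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        if ip[9] != 6:
            continue  # not TCP
        tcp = ip[ihl:total_len]
        # tcp.checksum.status: re-summing pseudo-header + segment (checksum field
        # included) gives 0 when the checksum is correct. Wireshark: 0 = bad, 1 = good.
        pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
        status = 1 if ones_complement_sum(pseudo + tcp) == 0 else 0
        yield {
            "ip.src": ".".join(map(str, ip[12:16])),
            "ip.dst": ".".join(map(str, ip[16:20])),
            "ip.ttl": ip[8],
            "tcp.srcport": struct.unpack("!H", tcp[:2])[0],
            "tcp.dstport": struct.unpack("!H", tcp[2:4])[0],
            "tcp.checksum.status": status,
        }


# The page's display filters, expressed over the dissected fields.
FILTERS = {
    "ip.ttl < 10": lambda p: p["ip.ttl"] < 10,
    "tcp.port == 4444": lambda p: 4444 in (p["tcp.srcport"], p["tcp.dstport"]),
    'string(ip.ttl) matches "[02468]$"': lambda p: re.search(r"[02468]$", str(p["ip.ttl"])) is not None,
    "tcp.checksum.status == 0": lambda p: p["tcp.checksum.status"] == 0,
}


def count_matches(pcap: bytes = SAMPLE_PCAP) -> dict:
    """Packet count per filter, i.e. the number Wireshark shows in its status bar."""
    packets = list(dissect(pcap))
    return {name: sum(1 for p in packets if test(p)) for name, test in FILTERS.items()}


def conversation_stats(pcap: bytes = SAMPLE_PCAP):
    """Equivalent of Statistics > Conversations (IPv4 count) and the busiest destination."""
    packets = list(dissect(pcap))
    conversations = {frozenset((p["ip.src"], p["ip.dst"])) for p in packets}
    busiest_dst = Counter(p["ip.dst"] for p in packets).most_common(1)[0][0]
    return len(conversations), busiest_dst


if __name__ == "__main__":
    for name, n in count_matches().items():
        print(f"{name:40} -> {n} packets")
    print("IPv4 conversations, busiest destination:", conversation_stats())
```

Two details worth noticing when you run it: tcp.port matches on either port, so a reverse-shell flow to 4444 is counted in both directions, and the checksum of the corrupted frame is the only one reported as bad. On a real capture taken on the sending host, offloading would make most outbound frames look like that last one.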

Combined Filters

(http.response.code == 200) && (http.content_type matches "image(gif|jpeg)") → Intended to extract GIF and JPEG images from successful HTTP responses. Note that Content-Type values are written image/gif and image/jpeg, so the pattern as shown only matches the literal strings imagegif and imagejpeg; the working form is http.content_type matches "image/(gif|jpeg)". The && operator (or and) joins the two conditions, and the parentheses make the precedence explicit.

Figure: Combining multiple filters to isolate specific types of HTTP responses.
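The difference between contains and matches, and the two regular-expression pitfalls in the Version Matching and Combined Filters sections, are easier to see when the operators are run side by side. The following is an added example of my own, not code from the TryHackMe room or from Wireshark: it emulates the two operators (contains as a case-sensitive substring test, matches as a case-insensitive regular-expression search, using Python's re module as a stand-in for Wireshark's PCRE engine) over a handful of constructed HTTP response records. The Server banners and content types are illustrative, and the banner "ExampleHTTPd/7-5" exists only to show what an unescaped dot sweeps in.

```python
import re

# Constructed HTTP response records (field name -> value), not packets from the
# room's capture. "ExampleHTTPd/7-5" is invented to demonstrate the unescaped dot.
RESPONSES = [
    {"http.response.code": 200, "http.server": "Microsoft-IIS/7.5", "http.content_type": "image/gif"},
    {"http.response.code": 200, "http.server": "Microsoft-IIS/7.5", "http.content_type": "image/jpeg"},
    {"http.response.code": 404, "http.server": "Microsoft-IIS/7.5", "http.content_type": "text/html"},
    {"http.response.code": 200, "http.server": "ExampleHTTPd/7-5", "http.content_type": "text/html"},
    {"http.response.code": 200, "http.server": "Apache/2.4.41", "http.content_type": "image/png"},
]


def contains(value, needle: str) -> bool:
    """Wireshark 'contains': plain, case-sensitive substring test."""
    return needle in str(value)


def matches(value, pattern: str) -> bool:
    """Wireshark 'matches' (alias ~): regular-expression search, case-insensitive by default."""
    return re.search(pattern, str(value), re.IGNORECASE) is not None


def count(records, predicate) -> int:
    """Number of records the predicate selects, like Wireshark's 'Displayed' counter."""
    return sum(1 for r in records if predicate(r))


def run_filters(records=RESPONSES) -> dict:
    """Evaluate the page's content-based filters together with corrected variants."""
    return {
        'http.server contains "Microsoft-IIS"':
            count(records, lambda r: contains(r["http.server"], "Microsoft-IIS")),
        # An unescaped '.' matches any character, so "7-5" is selected as well.
        'http.server matches "7.5"':
            count(records, lambda r: matches(r["http.server"], "7.5")),
        # Escaped dot (written "7\\.5" in Wireshark, since its string literals process backslashes).
        r'http.server matches "7\\.5"':
            count(records, lambda r: matches(r["http.server"], r"7\.5")),
        # As written on the page: only the literal strings imagegif / imagejpeg would match.
        'http.response.code == 200 && http.content_type matches "image(gif|jpeg)"':
            count(records, lambda r: r["http.response.code"] == 200
                  and matches(r["http.content_type"], "image(gif|jpeg)")),
        # Content-Type values carry a slash, so the pattern needs one too.
        'http.response.code == 200 && http.content_type matches "image/(gif|jpeg)"':
            count(records, lambda r: r["http.response.code"] == 200
                  and matches(r["http.content_type"], "image/(gif|jpeg)")),
    }


if __name__ == "__main__":
    for expression, n in run_filters().items():
        print(f"{n:2} packets  {expression}")
```

The page's original image filter selects nothing at all against these records, while the slash-corrected form selects exactly the two 200 responses carrying GIF and JPEG bodies; a filter that returns zero packets is worth re-reading before concluding the traffic is absent.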

Key Insight

Advanced filtering allows analysts to ask precise questions — and get precise answers.

Investigation Workflow Optimization

Beyond filtering, I explored features that improve analysis efficiency:

  • Filter bookmarks → save complex queries
  • Filter buttons → apply filters instantly
  • Profiles → customize environments for different investigations

Key Insight

The real power of Wireshark lies not in capturing packets, but in filtering them effectively.

Key Takeaways

  • Packet analysis provides deeper visibility than logs
  • Statistics help build initial context
  • Protocol analysis isolates relevant traffic
  • Filtering is the core skill for investigation
  • Advanced filters enable precise analysis at scale

My Insight

One thing that stood out during this room is how overwhelming raw packet data can be.

Without filtering, it's just noise.

But with the right approach, that noise turns into a structured story, revealing how systems communicate, where anomalies exist, and what deserves attention.

In my opinion, packet analysis isn't about looking at everything; it's about knowing what to look for and how to isolate it efficiently.

Final Thoughts

Wireshark is more than just a packet capture tool; it's a forensic investigation platform.

In real-world environments, analysts don't just observe traffic. They:

  • Build hypotheses
  • Apply filters
  • Correlate patterns

In modern networks, visibility is overwhelming, but insight comes from precision.