A Brief Introduction to Wireshark as a Security Tool

Wireshark is an open source protocol analyzer. It is “free” and runs on most platforms. Wireshark is a valuable tool for web programming, network troubleshooting and analyzing security issues. In this post we’ll look at a simple way to capture data and look at HTTP’s “Basic Authentication”. I’ll give Windows instructions, but the operation is the same under other platforms. You can get Wireshark from www.wireshark.org. We use Wireshark in multiple Learning Tree classes including Learning Tree Course 468, System and Network Security Introduction.

Starting a Capture with Wireshark


First, locate the Wireshark icon and double-click it.

Wireshark Icon

This starts Wireshark and you will see the start page after the program initializes.

Wireshark start screen


If you are using the network, you will likely see packets begin to fill the top pane. At this point I entered the URL into my web browser (you will be able to see which one shortly). When an authentication window appeared, I entered an (incorrect) username and password. At that point I returned to Wireshark and clicked on the red square on the toolbar to stop the capture.

Analyzing Traffic

I wanted to look only at traffic to the demo web server I’d set up, so I entered ip.addr== in the filter window. If you don’t know how to use Wireshark filters, click on Expression… – it will help you build a filter. Mine looks for all packets where either the IP source or destination address is that of my web server.

Wireshark filter entry

I selected one of the web packets and chose “Follow TCP Stream” from the Analyze menu. This shows both sides of the communication in a (mostly) human-readable form. The Authorization: Basic line, with gibberish after the “Basic”, is where the username and password were sent. Note that it is unreadable.

Wireshark follow TCP stream

Wireshark TCP stream

I closed the window and in the top pane selected the packet with the authentication (called “Authorization” here) information. Note that in the center pane the gibberish is decoded to show the username “joe” and the password “blogs”. That gibberish is not encryption, of course, but rather an encoding called “Base64”, used on the web to encode possibly binary data into plain text.

Wireshark Authentication Decode
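The decoding Wireshark does in that center pane is nothing more than Base64, which any script can reverse. The following is an added example, not code from the original post or from the Wireshark project: it reconstructs the Authorization header for “joe”/“blogs”, and scans a constructed “Follow TCP Stream” text (placeholder hostname and path, not from the post) for every Basic Authorization header it contains, the way you might audit your own capture for cleartext credentials.

```python
"""Decode HTTP Basic Authentication credentials from a captured request.

Added example; not part of the original post. The stream text below is
constructed to resemble what Wireshark's "Follow TCP Stream" window shows.
"""
import base64
import binascii
import re

# Constructed sample: one plaintext HTTP request carrying a Basic
# Authorization header. Hostname and path are placeholders.
SAMPLE_STREAM = (
    "GET /protected/ HTTP/1.1\r\n"
    "Host: demo.example\r\n"
    "User-Agent: ExampleBrowser/1.0\r\n"
    "Authorization: Basic am9lOmJsb2dz\r\n"
    "\r\n"
)

# A request line looks like "GET /path HTTP/1.1".
REQUEST_LINE = re.compile(r"^[A-Z]+ \S+ HTTP/\d\.\d$")


def encode_basic(username: str, password: str) -> str:
    """Build the Authorization header value a browser sends for Basic auth.

    Per RFC 7617 this is Base64 of "user:password": an encoding, not
    encryption, so anyone who can see the packet can reverse it.
    """
    if ":" in username:
        raise ValueError("user-id may not contain ':' in Basic auth")
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic_value(value: str):
    """Turn an "Basic <base64>" header value into (username, password).

    Returns None for other schemes (e.g. Bearer), malformed Base64, or a
    decoded string with no ':' separator.
    """
    parts = value.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        raw = base64.b64decode(parts[1], validate=True)
    except (binascii.Error, ValueError):
        return None
    text = raw.decode("utf-8", errors="replace")
    if ":" not in text:
        return None
    user, _, password = text.partition(":")  # user-id cannot contain ':'
    return user, password


def find_basic_credentials(stream: str):
    """Scan a reassembled client-side HTTP stream.

    Returns a list of (request_line, username, password) tuples, one per
    Basic Authorization header found, so a capture can be checked for
    credentials that crossed the wire in the clear.
    """
    findings = []
    current_request = None
    for line in stream.splitlines():
        if REQUEST_LINE.match(line):
            current_request = line
            continue
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "authorization":
            creds = decode_basic_value(value)
            if creds is not None:
                findings.append((current_request, creds[0], creds[1]))
    return findings


if __name__ == "__main__":
    for request, user, password in find_basic_credentials(SAMPLE_STREAM):
        print(f"{request}: username={user!r} password={password!r}")
```

Running the script against the constructed stream reports the same “joe” and “blogs” that Wireshark displayed; the point is that no key or secret was needed to get there, which is why Basic Authentication is only as private as the transport (plaintext HTTP versus TLS) carrying it.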

So, if you use “Basic Authentication” on the web, the username and password are sent in the clear. That may or may not be an issue for you, but you should know how it works. In a future post I’ll show some other Wireshark features.

Stay tuned for part 2 on Wireshark, coming soon!

To your safe computing,
John McDermott
