Merge pull request #2199 from HackTricks-wiki/research_update_src_generic-methodologies-and-resources_basic-forensic-methodology_pcap-inspection_wireshark-tricks_20260503_132348

carlospolop · web-flow · commit 6e2ce60a740c · 2026-05-03T15:38:19.000+02:00
Research Update Enhanced src/generic-methodologies-and-resou...
diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/wireshark-tricks.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/wireshark-tricks.md
@@ -60,19 +60,30 @@ Under _**Statistics --> I/O Graph**_ you can find a **graph of the communication
 ### Filters
 
 Here you can find wireshark filter depending on the protocol: [https://www.wireshark.org/docs/dfref/](https://www.wireshark.org/docs/dfref/)\
+In current Wireshark use `tls.*` instead of the old `ssl.*` filter names.\
 Other interesting filters:
 
-- `(http.request or ssl.handshake.type == 1) and !(udp.port eq 1900)`
+- `(http.request or tls.handshake.type == 1) and !(udp.port eq 1900)`
   - HTTP and initial HTTPS traffic
-- `(http.request or ssl.handshake.type == 1 or tcp.flags eq 0x0002) and !(udp.port eq 1900)`
+- `(http.request or tls.handshake.type == 1 or tcp.flags eq 0x0002) and !(udp.port eq 1900)`
   - HTTP and initial HTTPS traffic + TCP SYN
-- `(http.request or ssl.handshake.type == 1 or tcp.flags eq 0x0002 or dns) and !(udp.port eq 1900)`
+- `(http.request or tls.handshake.type == 1 or tcp.flags eq 0x0002 or dns) and !(udp.port eq 1900)`
   - HTTP and initial HTTPS traffic + TCP SYN + DNS requests
+- `tls.handshake.extensions_server_name contains "example.com"`
+  - Pivot on the SNI sent in the ClientHello even when you cannot decrypt the payload
+- `tls.handshake.extensions_alpn_str == "h2" or tls.handshake.extensions_alpn_str == "h3"`
+  - Split classic HTTPS, HTTP/2 and HTTP/3 capable sessions quickly
+- `quic or http3`
+  - Find modern UDP/443 traffic that will be missed if you only review TCP conversations
 
 ### Search
 
 If you want to **search** for **content** inside the **packets** of the sessions press _CTRL+f_. You can add new layers to the main information bar (No., Time, Source, etc.) by pressing the right button and then the edit column.
 
+### Following multiplexed streams
+
+Recent Wireshark versions can follow `TLS`, `HTTP/2` and `QUIC` streams directly. On noisy captures this is usually faster than only using `Follow TCP Stream`, especially when several requests share the same connection.
+
 ### Free pcap labs
 
 **Practice with the free challenges of:** [**https://www.malware-traffic-analysis.net/**](https://www.malware-traffic-analysis.net)
@@ -83,10 +94,27 @@ You can add a column that shows the Host HTTP header:
 
 ![](<../../../images/image (639).png>)
 
-And a column that add the Server name from an initiating HTTPS connection (**ssl.handshake.type == 1**):
+And a column that add the Server name from an initiating HTTPS connection (**tls.handshake.type == 1**):
 
 ![](<../../../images/image (408) (1).png>)
 
+If the capture is mostly encrypted, adding these fields as columns will speed up triage a lot:
+
+- `tls.handshake.extensions_server_name`
+- `tls.handshake.extensions_alpn_str`
+- `tls.handshake.ja3`
+- `tls.handshake.ja4` (Wireshark 4.2+)
+
+This lets you cluster sessions by hostname, ALPN (`http/1.1`, `h2`, `h3`, etc.) and client fingerprint even when the payload itself stays encrypted. For decrypted HTTP/2 and HTTP/3 captures, it is also useful to add `http2.header.value` or `http3.headers.header.value` as columns and pivot on paths, authorities and other interesting metadata.
+
+```bash
+tshark -r capture.pcapng -Y "tls.handshake.type == 1" -T fields \
+  -e frame.number -e ip.src -e ip.dst \
+  -e tls.handshake.extensions_server_name \
+  -e tls.handshake.extensions_alpn_str \
+  -e tls.handshake.ja3 -e tls.handshake.ja4
+```
+
 ## Identifying local hostnames
 
 ### From DHCP
@@ -103,23 +131,31 @@ In current Wireshark instead of `bootp` you need to search for `DHCP`
 
 ### Decrypting https traffic with server private key
 
-_edit>preference>protocol>ssl>_
+_edit > preferences > protocols > tls >_
 
 ![](<../../../images/image (1103).png>)
 
 Press _Edit_ and add all the data of the server and the private key (_IP, Port, Protocol, Key file and password_)
 
+This method only works in a limited number of cases. For current TLS 1.3 / ECDHE traffic, the session key log method below is usually the practical option.
+
 ### Decrypting https traffic with symmetric session keys
 
-Both Firefox and Chrome have the capability to log TLS session keys, which can be used with Wireshark to decrypt TLS traffic. This allows for in-depth analysis of secure communications. More details on how to perform this decryption can be found in a guide at [Red Flag Security](https://redflagsecurity.net/2019/03/10/decrypting-tls-wireshark/).
+Both Firefox and Chrome have the capability to log TLS session keys, which can be used with Wireshark to decrypt TLS traffic. This allows for in-depth analysis of secure communications. More details on how to perform this decryption can be found in a guide at [Red Flag Security](https://redflagsecurity.net/2019/03/10/decrypting-tls-wireshark/). This is also the normal route for decrypting modern TLS 1.3 and QUIC/HTTP/3 captures.
 
-To detect this search inside the environment for to variable `SSLKEYLOGFILE`
+To detect this search inside the environment for the variable `SSLKEYLOGFILE`
 
 A file of shared keys will look like this:
 
 ![](<../../../images/image (820).png>)
 
-To import this in wireshark go to \_edit > preference > protocol > ssl > and import it in (Pre)-Master-Secret log filename:
+If the capture is `pcapng`, check whether it already contains embedded decryption secrets before hunting the host filesystem:
+
+```bash
+editcap --extract-secrets capture.pcapng tls-secrets.txt
+```
+
+To import this in wireshark go to \_edit > preferences > protocols > tls > and import it in (Pre)-Master-Secret log filename:
 
 ![](<../../../images/image (989).png>)
 
@@ -154,7 +190,11 @@ f.write(all_bytes)
 f.close()
 ```
 
-{{#include ../../../banners/hacktricks-training.md}}
+## References
+
+- [Wireshark TLS wiki](https://wiki.wireshark.org/TLS)
+- [Decrypting and parsing HTTP/3 traffic in Wireshark](https://blog.elmo.sg/posts/parsing-decrypted-quic-traffic-in-wireshark/)
 
+{{#include ../../../banners/hacktricks-training.md}}
 
 
