“Wireshark for Beginners: TryHackMe Walkthrough & Tips”


Publish Date: Jul 9

👋 Hello everyone!

This is my detailed walkthrough for the Wireshark: The Basics room on TryHackMe.

✅ Task 1 — Introduction

What I Learned:

  • Wireshark is an open-source network packet analyzer.
  • The room provides a VM with two .pcapng files.

✅ Task 2 — Use Cases, GUI & File Analysis

📂 File Used

Exercise.pcapng


🔍 1️⃣ Find the Capture File Comments (Flag)

  • Opened Exercise.pcapng in Wireshark.
  • Went to Statistics → Capture File Properties.
  • A pop-up box appeared showing the file metadata.
  • Scrolled down to find the Capture File Comments section.
  • Found the hidden flag inside the comments.

📊 2️⃣ Find the Total Number of Packets

  • While the file was still open:
    • Looked at the bottom right corner in the Status Bar.
    • Found the Total Packets count there.

🔐 3️⃣ Find the SHA256 Hash Value

  • Again, went to Statistics → Capture File Properties.
  • At the top of the pop-up, found the SHA256 hash of the capture file.
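The three Task 2 answers come straight from the pcapng structure: the comment is an option on the Section Header Block, the packet count is the number of Enhanced Packet Blocks, and the SHA256 is over the raw file. The example below is added here and is not code from the room or the post; it constructs a minimal little-endian pcapng in memory (so it runs offline) and reads those three values back, the same way Capture File Properties does.

```python
import hashlib
import struct
SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006   # pcapng block types
OPT_END, OPT_COMMENT, BYTE_ORDER_MAGIC = 0, 1, 0x1A2B3C4D

def _block(btype, body):
    total = 8 + len(body) + 4                           # header + body + trailing length
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

def _option(code, value):
    return struct.pack("<HH", code, len(value)) + value + b"\x00" * ((-len(value)) % 4)

def build_sample_pcapng(comment, packets):
    """Constructed sample file: SHB carrying a comment, one Ethernet IDB, one EPB per packet."""
    shb = struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1)   # magic, v1.0, unknown section length
    shb += _option(OPT_COMMENT, comment.encode()) + _option(OPT_END, b"")
    idb = struct.pack("<HHI", 1, 0, 65535)              # linktype Ethernet, reserved, snaplen
    out = _block(SHB, shb) + _block(IDB, idb)
    for i, data in enumerate(packets):
        hdr = struct.pack("<IIIII", 0, 0, i, len(data), len(data))  # iface, ts hi/lo, caplen, len
        out += _block(EPB, hdr + data + b"\x00" * ((-len(data)) % 4))
    return out

def _parse_options(buf):
    opts, off = {}, 0
    while off + 4 <= len(buf):
        code, length = struct.unpack_from("<HH", buf, off)
        off += 4
        if code == OPT_END:
            break
        opts.setdefault(code, []).append(buf[off:off + length])
        off += length + (-length) % 4                   # option values are padded to 32 bits
    return opts

def capture_file_properties(data):
    """Return (capture comments, packet count, SHA256 hex): the three Task 2 answers."""
    comments, count, off = [], 0, 0
    while off + 12 <= len(data):
        btype, total = struct.unpack_from("<II", data, off)
        if total < 12 or off + total > len(data):
            raise ValueError("truncated or corrupt block at offset %d" % off)
        body = data[off + 8:off + total - 4]
        if btype == SHB:
            assert struct.unpack_from("<I", body)[0] == BYTE_ORDER_MAGIC, "little-endian only"
            comments += [c.decode() for c in _parse_options(body[16:]).get(OPT_COMMENT, [])]
        elif btype == EPB:
            count += 1
        off += total
    return comments, count, hashlib.sha256(data).hexdigest()
```

Real captures can also use big-endian sections and other block types (Simple Packet Blocks, name resolution blocks); this example only handles the little-endian layout it constructs.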

✅ Task 3 — Packet Dissection

📂 File Used

Exercise.pcapng


🔍 What I Did

In this task, I practiced packet dissection by decoding protocol layers in Packet 38.


⚙️ Steps I Followed

1️⃣ Markup Language (HTTP)

  • I located Packet 38 in the Packet List Pane.
  • Below, in the Packet Details Pane, I checked the layers.
  • I expanded the HTTP protocol layer.
  • Found the markup language directly under HTTP.

2️⃣ Arrival Date

  • While still in Packet 38, I expanded the HTTP protocol section.
  • Found the Arrival Date field in the headers/info.

3️⃣ TTL Value

  • In the Packet Details Pane, I expanded the IP protocol section.
  • Found the TTL (Time to Live) field listed inside.

4️⃣ TCP Payload Size

  • Just below the IP protocol, there’s the TCP protocol section.
  • Without expanding, the Payload Size was already visible in the same line at the end.

5️⃣ E-Tag Value

  • Again, under the same HTTP protocol section, I looked deeper.
  • Found the E-Tag field and noted its value.
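The fields read off Packet 38 above sit at fixed places in the Ethernet, IP and TCP headers, which is what the Packet Details Pane decodes. The example below is added here and is not code from the room or the post: it constructs a sample Ethernet/IPv4/TCP frame with a fake HTTP response and dissects it for the TTL, TCP payload size, content type and ETag. The arrival date is not in the frame bytes at all (Wireshark takes it from the capture file's per-packet timestamp), so it is not part of this example.

```python
import struct

def build_sample_http_frame(ttl, http_response):
    """Constructed Ethernet/IPv4/TCP frame carrying http_response (checksums left at zero)."""
    eth = b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", 0x0800)            # dst, src, EtherType IPv4
    total_len = 20 + 20 + len(http_response)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))           # IHL 5, protocol TCP
    tcp = struct.pack("!HHIIBBHHH", 80, 51234, 1, 1, 5 << 4, 0x18, 65535, 0, 0)  # data offset 5
    return eth + ip + tcp + http_response

def dissect(frame):
    """Walk the layers the way the Packet Details Pane does and return the Task 3 fields."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        raise ValueError("not an IPv4-over-Ethernet frame")
    ihl = (frame[14] & 0x0F) * 4                        # IP header length in bytes
    ip_total_len = struct.unpack_from("!H", frame, 16)[0]
    ttl, proto = frame[22], frame[23]                   # IP offsets 8 and 9
    if proto != 6:
        raise ValueError("not TCP")
    tcp_start = 14 + ihl
    data_off = (frame[tcp_start + 12] >> 4) * 4         # TCP header length in bytes
    payload = frame[tcp_start + data_off:14 + ip_total_len]   # ignores any Ethernet trailer
    result = {"ttl": ttl, "tcp_payload_size": len(payload), "etag": None, "content_type": None}
    head, _, _ = payload.partition(b"\r\n\r\n")         # HTTP headers end at the blank line
    for line in head.split(b"\r\n")[1:]:                # skip the status line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"etag":
            result["etag"] = value.strip().decode()
        elif name.strip().lower() == b"content-type":
            result["content_type"] = value.strip().decode()
    return result
```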

✅ Task 4 — Packet Navigation

📂 File Used

Exercise.pcapng


🔍 What I Did

In this task, I learned to search, navigate, mark, comment, extract, and verify packets using Wireshark’s advanced features.


⚙️ Steps I Followed


1️⃣ Search for r4w String — Artist 1

  • Opened Exercise.pcapng in Wireshark.
  • Went to Edit → Find Packet.
  • In the Find Packet dialog:
    • Entered r4w as the search string.
    • Set the search to look inside Packet Details.
  • Wireshark highlighted the packet containing r4w → found the full string → revealed Artist 1’s name.

2️⃣ Get MD5 Hash — Packet Comments

  • Went to Go → Go to Packet → Entered 12.
  • Right-clicked the packet → selected Packet Comment.
  • The comment said: Go to Packet 39765.
  • Went to Go → Go to Packet → Entered 39765.
  • Exported the packet bytes:
    • File → Export Packet Bytes → saved as test.
  • Opened terminal → ran: md5sum test

3️⃣ Extract .txt File — Find the Alien’s Name

  • Opened Exercise.pcapng in Wireshark.
  • Clicked File → Export Objects → HTTP.
  • A window popped up listing all HTTP objects:
    • Columns: Filename, Size, Packet, Host, Content Type.
  • Sorted the Filename column by clicking the up arrow.
  • Located note.txt in the list.
  • Selected note.txt and saved it to my Downloads folder.
  • Opened my terminal and ran: cat note.txt

🔍 4️⃣ Check Expert Info — Find Number of Warnings

  • Opened Exercise.pcapng in Wireshark.
  • Went to Analyze → Expert Information.
  • This opened the Expert Info dialog box.
  • The dialog showed various categories: Chat, Note, Warn, and Error.
  • Looked for the Warnings section (yellow icon).
  • Checked the Count column next to Warnings.
  • Got the total number of warnings from there.

✅ Task 5 — Packet Filtering

📂 File Used

Exercise.pcapng


🔍 1️⃣ Apply Filter — Get Filter Query

  • Went to Packet 4 in the capture.
  • In the Packet Details Pane below, found the HTTP protocol layer.
  • Right-clicked on the HTTP protocol.
  • Chose Apply as Filter → Selected.
  • The filter was applied automatically.
  • The filter query appeared in the Filter Bar at the top.

🔍 2️⃣ Displayed Packets Count

  • After the filter was applied:
    • Looked at the Status Bar in the bottom right corner.
    • Verified the number of packets displayed.
    • Used this number as the answer.

🔍 3️⃣ Follow HTTP Stream — Total Number of Artists

  • Went to Packet 33790 in the capture.
  • Right-clicked the packet.
  • Selected Follow → HTTP Stream.
  • A new window opened showing the HTTP response.
  • Searched for artist in the source code.
  • Counted the total number of artists listed.

🔍 4️⃣ Name of Second Artist

  • In the same HTTP Stream window:
    • Checked the displayed list of all artists.
    • Found and noted the name of the second artist in the list.

✅ Task 6 — Conclusion


🎉 What I Learned

  • How to open and navigate .pcapng files in Wireshark.
  • How to use Capture File Properties to find metadata like flags and hashes.
  • How to dissect packets layer by layer using the Packet Details Pane.
  • How to apply filters, follow streams, and extract files from packets.
  • How to use Expert Info, Mark Packets, and Packet Comments for deeper analysis.
  • How to search with Find Packet, navigate with Go To Packet, and export objects.

🙌 Thanks for Reading!


🙏 If this helped you, please ❤️ this post, leave a comment, and share it with your friends!

💬 I’d love to hear: Did you find this TryHackMe room useful? Drop your thoughts below!

Happy Packet Sniffing! 🦈✨
