> For the complete documentation index, see [llms.txt](https://dti-techs.gitbook.io/practical-foundations-in-cybersecurity/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://dti-techs.gitbook.io/practical-foundations-in-cybersecurity/6.-practical-foundations-in-ethical-hacking/network-security-testing/wireshark-defensive-or-offensive.md).

# Wireshark: Defensive or offensive?

Wireshark is primarily a defensive (security monitoring) tool, but it can also be used in offensive security (ethical hacking) scenarios.

#### Wireshark Defensive Use Cases

1. **Traffic Analysis for Security Monitoring**
   * Wireshark’s core function is capturing and analyzing network traffic, which is essential for detecting anomalies, intrusions, and malicious activity (e.g., malware C2 traffic, suspicious connections).
   * Security teams use it to inspect packets for signs of attacks (e.g., port scans, unusual protocols, data exfiltration).
2. **Incident Response & Forensics**
   * After a breach, analysts use Wireshark to review packet captures (PCAPs) to understand attack vectors, lateral movement, and data leaks.
   * It helps reconstruct events by examining raw network data.
3. **Network Troubleshooting**
   * IT admins and defenders use Wireshark to diagnose connectivity issues, misconfigurations, and performance problems—not just security threats.
4. **Passive Tool (No Active Exploitation)**
   * Wireshark doesn’t send packets or exploit vulnerabilities; it only observes traffic. Offensive tools (e.g., Metasploit, Nmap) actively interact with targets.

#### Wireshark Offensive Use Cases

While defensive use is primary, ethical hackers and attackers can leverage Wireshark for:

* **Reconnaissance**: Capturing unencrypted credentials, session tokens, or sensitive data in transit.
* **Man-in-the-Middle (MITM) Analysis**: Inspecting traffic during red-team engagements (e.g., ARP spoofing attacks).
* **Protocol Reverse-Engineering**: Studying proprietary protocols for vulnerabilities.

However, these offensive uses typically require additional tools (e.g., Ettercap, BetterCAP) to actively manipulate traffic—Wireshark alone is just the analyzer.

### **Decryption for TLS/SSL traffic using Wireshark**

Modern encrypted protocols like **TLS (used in HTTPS, VPNs, etc.)** prevent packet analyzers from inspecting payloads by default. However, some tools such as Wireshark can **decrypt TLS/SSL traffic** if provided with the necessary decryption keys.

**What Are The Necessary Decryption Keys?**

* **Pre-master secret key (for RSA-based TLS)**: If you have the server’s private key, Wireshark can decrypt traffic.
* **Session keys (for TLS 1.3 and forward)**: Requires logging the session keys during the handshake (e.g., via `SSLKEYLOGFILE` in browsers).
* **PSK (Pre-Shared Key)**: Used in some VPNs or custom encrypted apps.

**How It Works in Wireshark:**

1. **Configure Wireshark** to use the `SSLKEYLOGFILE` (exported by Chrome/Firefox).
2. **Provide the server’s private key** (if decrypting RSA-based HTTPS).
3. Wireshark **automatically decrypts** TLS traffic in real-time.

**Example Setup:**

sh

```
# Set SSLKEYLOGFILE in Linux/Mac before opening a browser  
export SSLKEYLOGFILE=/tmp/sslkeys.log  
```

Then, in Wireshark:\
`Edit → Preferences → Protocols → TLS → (Pre)-Master-Secret log filename` → Point to `sslkeys.log`.

**Limitations:**

* Decrypts HTTPS traffic only if session keys or private keys are available.
* **Cannot decrypt without keys**: If traffic uses **perfect forward secrecy (PFS)**, you must capture keys live (not retroactively).
* **Not all protocols supported**: Some custom encryption (e.g., proprietary VPNs) may not be decryptable.

Wireshark is **defensive-first** because its primary purpose is monitoring, analysis, and defense. Its core value lies in visibility—whether for protecting or probing a network.

Here’s a concise table summarizing Wireshark’s dual-use capabilities in **defensive (security monitoring)** and **offensive (ethical hacking)** contexts:

| **Category**         | **Defensive Use (Security Monitoring)**                                                                                                              | **Offensive Use (Ethical Hacking)**                                                                                                          |
| -------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- |
| **Primary Role**     | Traffic inspection, threat detection, and incident response.                                                                                         | Reconnaissance, protocol analysis, and attack validation.                                                                                    |
| **Key Functions**    | <p>- Detect malware C2 traffic.<br>- Analyze intrusion attempts.<br>- Troubleshoot network issues.<br>- Forensic investigations (PCAP analysis).</p> | <p>- Capture unencrypted credentials.<br>- Analyze MITM attack results.<br>- Reverse-engineer protocols.<br>- Validate exploit payloads.</p> |
| **Tool Interaction** | Used alongside SIEMs, IDS/IPS (e.g., Snort), and firewalls.                                                                                          | Paired with exploitation tools (e.g., Metasploit, Responder).                                                                                |
| **Activity Type**    | **Passive**: Observes traffic without modification.                                                                                                  | **Supportive**: Analyzes traffic generated by active attacks.                                                                                |
| **Examples**         | <p>- Identifying a ransomware beacon.<br>- Investigating a data exfiltration attempt.</p>                                                            | <p>- Sniffing FTP credentials.<br>- Debugging a custom exploit's network behavior.</p>                                                       |


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://dti-techs.gitbook.io/practical-foundations-in-cybersecurity/6.-practical-foundations-in-ethical-hacking/network-security-testing/wireshark-defensive-or-offensive.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.