Wireshark

An open-source network protocol analyser enabling real-time packet capture and detailed inspection of network traffic.

What is Wireshark?

Wireshark is the world’s most popular open-source network protocol analyser (packet analyser). It enables real-time capture of network traffic, decoding of hundreds of communication protocols and detailed analysis of every packet, from data link layer headers to application data.

Wireshark supports over 3,000 protocols, including industrial protocols critical for OT security: Modbus TCP, DNP3, IEC 60870-5-104, PROFINET, EtherNet/IP, OPC UA, BACnet and S7Comm (Siemens). This makes it indispensable for both IT network analysis and OT network security audits.

Key Wireshark features include capture and display filters (allowing focus on traffic of interest), packet colouring by protocol, TCP/UDP stream following, HTTP object export, statistics generation and communication flow diagrams. Wireshark uses the libpcap library (Linux/macOS) or Npcap (Windows) for packet capture.

Why does it matter?

Wireshark is a fundamental tool in the network security specialist’s arsenal. It enables incident analysis (what exactly was transmitted on the network), verification of firewall and segmentation rules, identification of unencrypted communication, detection of anomalies in OT traffic and analysis of malware communication with C2 servers. In OT network audits, Wireshark helps identify all protocols and devices communicating on the industrial network.
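As an added example (not code from this page or from the Wireshark project), the Python below decodes constructed Modbus/TCP frames the way Wireshark's mbtcp and modbus dissectors present them, then applies the OT audit check described above: which hosts issue write requests to a PLC, compared against the audit's allowlist of permitted clients. The IP addresses, port assignments and frame bytes are constructed for the example, not taken from a real capture.

```python
import struct
from collections import Counter

# Modbus function codes, named as Wireshark's modbus dissector shows them.
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_CODES = {5, 6, 15, 16}

def parse_mbtcp(payload):
    """Decode one Modbus/TCP ADU: 7-byte MBAP header followed by the PDU."""
    if len(payload) < 8:
        raise ValueError("payload shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack("!HHHB", payload[:7])
    if proto != 0:
        raise ValueError("MBAP protocol id must be 0 for Modbus")
    if length != len(payload) - 6:  # length field counts unit id + PDU
        raise ValueError("MBAP length field disagrees with payload size")
    func = payload[7]
    return {"transaction_id": tid, "unit_id": unit, "function": func & 0x7F,
            "exception": bool(func & 0x80),  # server sets the high bit on errors
            "name": FUNCTION_NAMES.get(func & 0x7F, "Other"), "data": payload[8:]}

def write_requests(frames):
    """Count write requests per (client, server, unit id). Only frames sent
    to port 502 are requests; responses echo the same function code."""
    counts = Counter()
    for src, dst, dport, payload in frames:
        if dport != 502:
            continue
        adu = parse_mbtcp(payload)
        if adu["function"] in WRITE_CODES:
            counts[(src, dst, adu["unit_id"])] += 1
    return counts

def unexpected_writers(frames, allowed_clients):
    """Clients that write to PLCs but are not on the audit's allowlist."""
    return sorted({src for src, _, _ in write_requests(frames)
                   if src not in allowed_clients})

# Constructed (src, dst, dst_port, TCP payload) tuples; not a real capture.
SAMPLE_FRAMES = [
    ("10.0.0.10", "10.0.0.20", 502, bytes.fromhex("00010000000601030000000a")),  # read 10 regs
    ("10.0.0.10", "10.0.0.20", 502, bytes.fromhex("0002000000060106001000ff")),  # write reg 0x10
    ("10.0.0.99", "10.0.0.20", 502, bytes.fromhex("00030000000b0110001000020400010002")),  # write 2 regs
    ("10.0.0.20", "10.0.0.99", 49152, bytes.fromhex("000300000003019002")),  # exception 0x02
]
print(unexpected_writers(SAMPLE_FRAMES, {"10.0.0.10"}))  # ['10.0.0.99']
```

In Wireshark itself the same triage is a display filter on `tcp.dstport == 502` plus the modbus function code field, followed by the Endpoints statistics to list the hosts involved.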
