Spring Training 2018 - Wireshark and Lua programming

Spring Training 2018 - Wireshark and Lua programming

From BruCON 2018

Jump to: navigation, search

Wireshark and Lua programming

Our regular trainer Didier Stevens will host again this class to master to teach you to Wireshark and Lua programming !

Course Description

Wireshark is the number one network security tool according to top 125 Network Security Tools survey. But did you ever spend time to familiarize yourself with the many powerful features of this excellent security tool? If you did not, then now is your chance to learn as much as you can in this class and receive several unpublished tools (like a Lua dissector generator), scripts and dissectors developed by Didier for Wireshark.

Key learning objectives

  • Get a thorough overview of Wireshark's features
  • Learn how to customize Wireshark
  • Learn how to script Wireshark

Course contents

  • First, Didier will familiarize you with the user interface of Wireshark.
  • Then, we will touch upon the art of capturing traffic. You might think that you just need to install Wireshark on your machine to capture traffic, but that is just one way to do it. We will also look at ways to capture traffic at different points in the network, using network devices and dedicated hardware.
  • Learning about capture filters will help you control the size of your capture files on busy networks. Knowing capture filters is an important skill for security professionals. Capture filters are not only used by Wireshark, but many other (security) tools you will encounter in your career.
  • Colorizing traffic and using display filters (not to be confused with capture filters) are key in finding the interesting packets hiding in your capture files.
  • Your head will spin when you see all the build-in statistics. Wireshark comes with many statistical reports that help you drill down into your captures. Many of these statistical tools support display filters, allowing you to customize your reports. And when we say reports, we talk about graphics too: Wireshark can produce graphical representations of your network traffic. When you master this feature, you will be able to grasp aspects of your network traffic with the blink of an eye.
  • Data send over a network is split-up in several packets and can adopt many protocols. It can be a hard task figure out what all these packets mean. But Wireshark understands this and can reassemble these packets into streams so that you can view and extract the data you are interested in, so that you get an abstracted view and are no longer “lost in packets”.
  • We will also learn about Wireshark's expert system, an often overlooked feature that can save you many hours of peaking at packets.

Once we are familiar with Wireshark's many important features, we will look at all types of traffic. Regular day-to-day traffic like DNS, TCP/IP, HTTP, SMTP, WLAN, … but, of course, also the irregular traffic like network scans (nmap anyone?) and network discovery, and traffic from hacker tools and malware like botnets. Network forensics is an important skill to master, and Wireshark is an essential tool to help you master this skill.

Course Agenda

Day 1

  • Get familiar with the user interface of Wireshark
  • The art of capturing traffic
    • Capture traffic at different points in the network
    • Using network devices to capture traffic
    • Using dedicated hardware to capture traffic
  • Capture filters
  • Knowing capture filters is an important skill for security professionals. Capture filters are not only used by Wireshark, but many other (security) tools you will encounter in your career.
  • Display filters (not to be confused with capture filters)
  • Colorizing traffic
  • Built-in statistics
    • reporting
    • graphs
    • customise with display filters)
  • Streams and data
  • Wireshark's expert system

Day 2

  • Practical capture analysis
    • Regular day-to-day traffic
      • DNS
      • TCP/IP,
      • HTTP
      • SMTP
      • WLAN
      • ...
    • Irregular traffic
      • network scans (nmap anyone?)
      • network discovery
      • traffic from hacker tools
      • traffic from malware like botnets
      • ...
    • Network forensics
  • Scripting
    • Command-line scripting with Tshark, Python and Lua
    • Lua listeners
    • Lua dissectors
      • Use a Lua dissector generator
      • Refactor existing Lua dissectors
      • New protocol dissectors
      • Post dissectors

Target audience

This training is for the novice and intermediate Wireshark user. IT Security professionals, network engineers... anyone else who comes into contact with packets with a desire to dissect them.


  • A basic understanding of networking is required.
  • Some basic scripting experience is useful, just not to feel overwhelmed when we discuss custom dissectors. If you know what an if-statement and a for-loop is, you will be fine.

Hardware/software Requirements

Unless specified otherwise, students are required to bring the following :

  • A laptop with the latest version of Wireshark installed (Windows/Linux/OSX) and with Python 2.7. Administrative rights are useful to install some Python modules. If you don't have administrative rights, make sure that you can perform a capture and run Lua scripts. If you are in doubt, make sure that you have administrative rights. Make sure that there is no security software running that could interfere with capturing.

Trainer Biography

Didier Stevens.png

Didier Stevens (Microsoft MVP, SANS ISC Handler, Wireshark Certified Network Analyst, Cisco CCNP/Security, GREM - GIAC Reverse Engineering Malware, CISSP, OSWP, …) is a Senior Analyst working at NVISO (, well known for his security and forensic tools. Didier is an experienced Wireshark user, he started using it when it was still known as Ethereal. You can find his open source security tools on his IT security related blog

300px-twitter-icon.jpg @DidierStevens

Links :

Wed. 18 - 19 April 2018 (09:00 - 17:00) (2-day) - Novotel Ghent Centrum


Back to Training Overview