🦈Wireshark 101: Finding Passwords & Credentials in Plain Text Traffic

Ahmed
17 min readOct 14, 2024

--

Table of Contents:

1- Introduction

2- Wireshark First Step

3- Filtering Traffic for Login Protocols

4- Inspecting Packets for Credentials

5- Extracting Credentials from Packets

6- Using Wireshark’s “Follow TCP Stream” Feature

7- Conclusion

1- Introduction

Understanding how data moves across networks is crucial — and that’s where Wireshark comes in. As one of the most powerful network analysis tools out there, Wireshark allows you to capture, filter, and inspect data packets flowing through a network in real-time. Sounds technical? It is, but don’t worry — once you get the hang of it, Wireshark becomes an indispensable tool in your cybersecurity toolkit.

Figure 1: Wireshark Logo (Sticker Press, 2024)

One of the most eye-opening features of Wireshark is its ability to reveal how vulnerable plaintext protocols are. In many cases, login credentials such as usernames and passwords can be transmitted without encryption, making them ripe for interception. With Wireshark, you can monitor network traffic, filter for specific login protocols, and even extract sensitive data if it’s being sent unprotected. It’s like having a magnifying glass over the web’s hidden layers.

But here’s the kicker: just because you can do it doesn’t mean it’s always ethical or legal. While Wireshark helps us understand vulnerabilities in systems, it’s also a reminder of why encryption matters. This guide will walk you through how attackers could exploit insecure network traffic using Wireshark and how you can spot those potential vulnerabilities yourself.

Whether you’re a curious cybersecurity beginner or an enthusiast looking to sharpen your skills, this blog will help you understand the process of intercepting passwords and credentials using Wireshark — and, more importantly, how to protect against it.

2- Wireshark First Step

Firstly, make sure you’re set up with Wireshark and know the basics. Wireshark might look a little intimidating at first, but once you know what you’re looking for, it becomes a powerful tool that even beginners can master. Plus, its user-friendly interface makes it easier to navigate than you might think!

Figure 2: An example of the main interface of Wireshark GUI during MVR-xchange dissector (gdtf.eu, 2024)

Step 1: Download and Install Wireshark

First things first, you’ll need to download Wireshark from the official website

https://www.wireshark.org/download.html

Pick the version for your operating system. The installation process is pretty straightforward — just follow the prompts and get it installed.

Step 2: Launch Wireshark

Once installed, fire up Wireshark. You’ll be greeted by a list of available network interfaces — these are the different ways your computer is connected to the network, such as Wi-Fi, Ethernet, or even virtual network interfaces if you’re running a virtual machine. If you’re not sure which one to choose, look for the one showing the most activity (you’ll see little squiggly lines next to the network interface names). If you’re on Wi-Fi, select the Wi-Fi interface, or Ethernet if you’re using a wired connection.

Step 3: Start Capturing Network Traffic

Now that you’ve selected your network interface, it’s time to start capturing traffic! To do this, click the blue shark fin icon at the top-left corner of the window. This starts capturing all the data packets flying through your network — everything from websites you’re browsing to apps you’re using.

As the capture begins, you’ll see a flood of packets coming in. Don’t panic! At this point, you’re basically watching all the traffic on your network in real time. But with Wireshark’s power comes a lot of noise, and this is where the fun begins — narrowing down the data to find what matters.

Step 4: Traffic Monitoring

Let the capture run for a bit to gather enough data. If you’re monitoring login activity on a specific site or application, this is when you’ll want to either log in or wait for someone else on the network to do so (legally, of course!). At this stage, it’s important to understand that Wireshark is simply listening to traffic; it’s not altering or affecting any data. It’s like a passive observer, capturing a snapshot of what’s happening on the network at any given moment.

Step 5: Capture Saving (Optional)

After a few minutes of capturing, you may want to save the session. Wireshark allows you to save the raw packet data so you can analyze it later. Click File > Save As and give your capture file a name. This is especially helpful if you’re planning to do detailed analysis or need to revisit the capture later on.

3- Filtering Traffic for Login Protocols

It’s time to sift through the noise and zoom in on the good stuff — login credentials. Most of the data you’ll capture is random traffic, but if you know what to look for, you can quickly find login attempts and other sensitive data. Wireshark makes this easy with its filters, which allow you to focus on the protocols that matter for sniffing out passwords. Let’s break it down step by step.

Figure 3: Using Wireshark for Advanced Monitoring & Filtering of outgoing Traffic from IIS (Stackoverflow, 2015)

3.1. Focus on Plaintext Protocols

Before we dive into the actual filtering process, let’s talk about plaintext protocols — these are the key to finding passwords and credentials in Wireshark. Many older or less secure login methods (such as HTTP, FTP and Telnet) send data unencrypted, which means things like usernames and passwords are sent across the network in plain text. This makes them extremely vulnerable to anyone listening in (like Wireshark!).

Here are the main protocols:

  • HTTP: Used for websites that don’t use HTTPS (the secure version of HTTP). This is where you’ll find login credentials from unencrypted web forms.
  • FTP: Used for transferring files between computers, often sending login data unencrypted.
  • Telnet: An old protocol for remote communication, which also sends credentials in plaintext.

3.2. Using Filters to Zero in on Login Traffic

Wireshark can capture hundreds or even thousands of packets in just a few minutes, but you don’t want to manually sort through all of them. Instead, we’ll use display filters to narrow down the traffic to only what we need. Here are a few filters you’ll use to focus on login-related traffic:

  • HTTP Login Traffic: Most websites send login information using HTTP POST requests (usually for submitting form data). To filter for those, use:
http.request.method == "POST"

This will show you only HTTP packets where data is being sent from the user to the server, such as when someone logs in.

  • FTP Login Traffic: FTP sends login information with special commands like `USER` (for the username) and `PASS` (for the password). To filter FTP traffic, just use:
ftp

This will display all FTP packets, making it easy to find login attempts.

  • Telnet Login Traffic: Telnet is a protocol that was commonly used for remote system access, and it sends all data — including login credentials — in plaintext. To filter for Telnet traffic, simply use:
telnet

3.3. Applying the Filters

To apply a filter, simply type one of the commands (like `http.request.method == “POST”`) into the Filter Bar at the top of the Wireshark window & press Enter. Wireshark will immediately narrow down the packet list to only show the traffic that matches your filter.

For example, if you’re looking for HTTP login traffic, typing `http.request.method == “POST”` will filter out everything else, leaving only packets where login forms might be submitted.

3.4. Interpreting the Filtered Traffic

Once you’ve filtered the traffic, the next step is to carefully inspect the individual packets that match your criteria. For each packet, you can click on it to open the Packet Details pane, where you can see the full breakdown of what’s happening in that particular data exchange. For HTTP packets, you’ll want to look under the POST data or form fields where the login information might be hiding.

In FTP and Telnet packets, you’ll often see clear text commands like `USER` and `PASS` in the Packet Bytes pane, which represent the username and password being sent over the network. It’s that simple — and scary!

3.5. Combining Filters for More Specific Searches

Sometimes, just one filter isn’t enough. You can combine multiple filters to get even more specific results. For example, if you only want to see FTP login attempts where passwords are being sent, you can use this filter:

ftp.request.command == "PASS"

This will limit the capture to only FTP packets that contain password data.

At this point, you should have a pretty good idea of how to narrow down your Wireshark captures to find login credentials. Whether it’s HTTP POST requests, FTP logins, or Telnet connections, these filters are your gateway to discovering how vulnerable plaintext protocols can be.

4- Inspecting Packets for Credentials

Now that you’ve captured some network traffic and filtered it down to login protocols, it’s time for the real detective work:

Inspecting packets for credentials. This is where Wireshark really shines — letting you dig into individual packets and uncover usernames, passwords, and other sensitive data (all legally, of course, on networks you have permission to test!).

Let’s walk through how to inspect packets to find those all-important login details.

4.1. Selecting the Right Packet

Once you’ve applied the appropriate filters (like filtering for HTTP POST requests or FTP login traffic), Wireshark will show you a list of packets that match your criteria. Each packet is like a small snapshot of data being transferred over the network, and some of these packets contain login information.

To get started, find a packet in the list that looks promising — maybe a POST request for HTTP or an FTP `USER` or `PASS` command. Click on the packet to highlight it. The details of that packet will now appear in the Packet Details pane below the packet list.

4.2. Expanding Protocol Layers

In the Packet Details pane, Wireshark breaks down each packet into different protocol layers. This is where you can start drilling into the juicy details. For example, if you’re inspecting an HTTP packet, you’ll see layers like Ethernet, IP, TCP, and then HTTP itself. Expand each layer by clicking the small triangle next to it. The deeper you go, the closer you’ll get to the actual data being transmitted.

  • Ethernet, IP & TCP layers tell you how the packet was routed through the network.
  • HTTP layer contains the information we care about, like the POST request data.

In an FTP packet, you’ll want to expand layers like TCP and FTP, and for Telnet, look for the Telnet layer where login data may be visible.

4.3. Finding Login Data in HTTP Packets

If you’re inspecting an HTTP packet, especially one that matches the POST filter (`http.request.method == “POST”`), you’ll often see form submission data. Expand the HTTP layer, and scroll down until you see the section called Form Data or Authorization.

Figure 4: A display filter identifies TCP packets that include the word “login” in their content. (Asherorr, 2023)

- Form Data: In older or insecure websites, usernames and passwords can be found in this section. Look for fields like `username=` and `password=` in plaintext.

- Authorization Headers: Some websites use HTTP basic authentication, which sends a base64-encoded username and password. If you see an `Authorization: Basic` header, copy the encoded string and decode it using any online base64 decoder to reveal the username and password.

For example, a POST request might show something like this in the Form Data:

username=admin&password=123456

Boom — you’ve just captured a login attempt!

4.4. Extracting Credentials from FTP & Telnet Packets

When dealing with FTP or Telnet packets, the process is similar but even easier because these protocols often send login data in **clear text**. After filtering for `ftp` or `telnet`, look at the Packet Details pane and expand the FTP or Telnet layers.

In Telnet, it’s the same concept — look for the actual text of the login conversation between the client and server. You’ll typically see both the username and password in plain sight.

4.5. Using the Packet Bytes Pane for Raw Data

If you’re having trouble finding the credentials in the expanded protocol layers, you can always switch to the Packet Bytes pane at the very bottom of Wireshark. This pane shows you the raw data in both hexadecimal and plain text. Scroll through the plain text column, and you might just see the username and password sitting there, especially in protocols like FTP and Telnet. For example, in the Packet Bytes pane of an FTP login packet, you might spot something like this:

USER admin
PASS 123456

It doesn’t get much clearer than that!

4.6. Analyzing Multiple Packets

Sometimes login data is spread across multiple packets. For instance, the USER and PASS commands in FTP might be in two separate packets. If that’s the case, you can either inspect them one by one or use Wireshark’s Follow TCP Stream feature (which we’ll cover in the next section) to see the entire conversation in one view.

By carefully inspecting these packets, you’ll be able to uncover login credentials and see how vulnerable plaintext protocols are to interception. Whether it’s an HTTP form submission, FTP login, or Telnet command, Wireshark gives you all the tools you need to reveal what’s going on beneath the surface. In the next section, we’ll take things further by showing you how to use Follow TCP Stream to piece together entire conversations and make credential hunting even easier. Stay tuned!

5- Extracting Credentials from Packets

Alright, you’ve captured network traffic, filtered it for login protocols, and inspected individual packets. Now comes the most exciting part — extracting credentials! This is where you’ll pull usernames, passwords, and other sensitive information directly from the packets. If you’ve followed the steps so far, you’re on the verge of seeing how attackers could harvest login data from unsecured connections. Here’s how to extract credentials from different protocols.

Figure 5: The visible part of the interface includes three sections. The top section displays the captured frames, the middle section provides metadata for each frame, and the bottom section reveals the actual details. The search field is used to locate frames with specific information. (WPSec, 2017)

5.1. Extracting Credentials from HTTP Packets

When it comes to HTTP, the key information you’re looking for will often be found in POST requests (where login forms are submitted). After applying the `http.request.method == “POST”` filter, click on a packet in the list to dive into the details.

  • In the Packet Details pane, expand the HTTP layer.
  • Look for sections labeled Form Data or Query String Parameters.
  • If the website isn’t using HTTPS, you might find the username and password sitting right there in plaintext.

For example, you could see something like this in the Form Data section:

username=admin&password=123456

This is the exact data a hacker could use to log into the account! It’s all visible because the website is using HTTP, which doesn’t encrypt the data sent between the browser and server.

5.2. Dealing with HTTP Basic Authentication

Some websites or applications use HTTP Basic Authentication, which sends credentials in a special `Authorization` header. While the credentials aren’t exactly in plaintext, they’re only base64 encoded — which is incredibly easy to decode.

If you spot an Authorization: Basic header, you’ll see a string of characters that look something like this:

Authorization: Basic YWRtaW46MTIzNDU2

Here’s what to do:

  1. Copy the encoded string after “Basic” (in this case, `YWRtaW46MTIzNDU2`).
  2. Use any online base64 decoder to decode it, or you can decode it in Python or another programming language. For this example, decoding `YWRtaW46MTIzNDU2` reveals: `admin:123456`
  3. Boom! You’ve just extracted the username (`admin`) and password (`123456`).

5.3. Extracting FTP Credentials

FTP is an old protocol that sends login credentials in clear text, making it easy to extract usernames and passwords. After applying the **ftp** filter, look for packets that include the USER & PASS commands.

  • Click on an FTP packet in the list and expand the FTP layer in the Packet Details pane. Look for commands like:
USER admin
PASS 123456

The `USER` command will show you the username, and the `PASS` command will show you the password. It’s as simple as that! These login details are sent in clear text over FTP, which is why using **SFTP** (the secure version of FTP) is recommended to protect sensitive data.

5.4. Extracting Telnet Credentials

Telnet is another protocol that sends login data in plaintext, making it an easy target for packet sniffing. Just like with FTP, use the `telnet` filter in Wireshark to isolate Telnet traffic.

  • Look at the Telnet layer in the Packet Details pane for login commands.
  • You’ll see the username and password sent in clear text during the Telnet session.

In Telnet, the credentials may be spread across multiple packets. You’ll often see each letter of the username and password in a separate packet, so it might take some patience to piece it all together. But the result is the same — credentials are fully visible to anyone capturing the traffic.

5.5. Using the “Follow TCP Stream” Feature

To make your life easier, Wireshark has a feature called Follow TCP Stream that can help you see the entire conversation between a client and server in one place. This is especially useful for protocols like HTTP, FTP, and Telnet, where the login process may span multiple packets. Here’s how to use it:

1. Right-click on a packet that looks like it contains login data (such as an HTTP POST request or FTP USER command).

2. Select Follow > TCP Stream from the context menu.

This opens a window showing the full conversation between the client and server. If there are any usernames, passwords, or other sensitive data, you’ll see them here, often in plain text. You can scroll through the conversation to see the login process in action and easily spot the credentials.

5.6. Understanding the Importance of Encryption

The reason you’re able to extract credentials so easily from these protocols is that they transmit data without encryption. Whether it’s HTTP, FTP, or Telnet, these protocols expose sensitive information to anyone listening in. In contrast, encrypted protocols like HTTPS, SSH, or SFTP protect this data by scrambling it, making it unreadable to anyone monitoring the network.

As you extract credentials using Wireshark, it becomes clear why encryption is so crucial for protecting sensitive information. Unencrypted traffic is an open door for attackers, which is why you should always ensure that any login process uses secure protocols.

With these steps, you’ve successfully learned how to extract usernames and passwords from network traffic using Wireshark. From HTTP form data to FTP login commands, Wireshark reveals how vulnerable plaintext protocols can be. In the next section, we’ll dive deeper into how ”Follow TCP Stream” can help you analyze entire conversations and strengthen your understanding of network traffic analysis.

6- Using Wireshark’s “Follow TCP Stream” Feature

At this point, you’ve learned how to filter traffic and inspect individual packets to find login credentials. But what if you want to see the entire conversation between a client and server?

That’s where Wireshark’s ”Follow TCP Stream” feature comes in — it simplifies the process of piecing together multiple packets, giving you a clear view of everything happening in a single connection.

Figure 6: Apply the ‘http’ filter to show only the HTTP requests and responses in the packet view. Select one of the response packets labeled (HTTP 1.1 200 OK). At the bottom of the response packet, Wireshark decodes the body of the response. (Stackoverflow, 2012)

This feature is like having a highlight reel of the back-and-forth communication between two devices, making it much easier to spot sensitive data like usernames and passwords.

a. What Is “Follow TCP Stream”?

In network communication, a single action — like logging into a website or sending an email — doesn’t happen in just one packet. Instead, it involves multiple packets exchanged between the client (your device) and the server (the website or service). ”Follow TCP Stream” allows you to view this entire sequence of packets as one continuous conversation.

Think of it as turning dozens of little puzzle pieces into one complete picture. Instead of having to click through individual packets and piece the data together yourself, Wireshark does the heavy lifting by showing the full interaction in one easy-to-read window.

b. How to Use “Follow TCP Stream”

Using the “Follow TCP Stream” feature is super simple, and it’s one of the most powerful tools in Wireshark for tracking down sensitive information.

  • Identify a Packet: Start by finding a packet that’s part of the conversation you’re interested in. For example, if you’re looking for login credentials from an HTTP POST request or FTP login, filter the traffic accordingly and click on one of the packets that look promising.
  • Right-click the Packet: Once you’ve selected the packet, right-click on it.
  • Select “Follow > TCP Stream”: In the menu that pops up, choose Follow > TCP Stream. This will open a new window displaying the entire conversation between the client and the server.

c. Interpreting the Stream

When the TCP Stream window opens, you’ll see the entire conversation in a human-readable format. It shows both the **client’s requests** and the server’s responses, making it much easier to track down sensitive data.

- In HTTP traffic, you’ll see everything from GET and POST requests to cookies and form data. This is where you might spot login credentials, particularly in HTTP POST requests where form data (like `username=admin & password=123456`) is sent.

- For FTP or Telnet, you’ll see the `USER` and `PASS` commands, which reveal the username and password in plain text.

The color-coding in this window helps too. The red text typically represents the client (your device), while the blue text shows the server’s responses. This makes it easy to follow the flow of the conversation from the login request to the server’s confirmation.

d. Extracting Credentials from the Stream

Once you’ve got the full conversation in front of you, it’s often easy to spot the credentials. For example:

  • HTTP POST request: You might see something like:
POST /login HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded

username=admin&password=123456
Here, `admin` is the username, and `123456` is the password, all transmitted in plaintext because the site isn’t using HTTPS.
  • FTP login: The stream might show:
USER admin
PASS 123456

Both the username and password are right there, passed unencrypted over the network. You no longer have to hunt through individual packets for pieces of data — you get to see the whole interaction, making it much easier to identify and extract credentials.

e. Analyzing the Stream for Security Issues

Once you’ve extracted the credentials, it’s a good time to reflect on why these protocols are so vulnerable. The fact that Wireshark can reveal passwords so easily highlights the importance of using encrypted protocols like HTTPS, SFTP, and SSH.

Without encryption, anyone with access to the network can use a tool like Wireshark to intercept traffic and see sensitive information in plain text. It’s a reminder that older protocols like HTTP, FTP, and Telnet are inherently insecure when used without encryption.

f. Saving the TCP Stream

If you need to analyze the conversation later or present your findings, Wireshark allows you to save the TCP stream. Simply click the Save As button in the TCP Stream window, choose a file format (like plain text), and store it on your computer. This is especially useful for documenting potential vulnerabilities during a security audit or penetration test.

By using Wireshark’s ”Follow TCP Stream” feature, you can easily track full conversations between devices and quickly find login credentials or other sensitive information. Whether you’re analyzing HTTP form data, FTP logins, or Telnet sessions, this tool simplifies the process of extracting useful data from the network.

Remember, though, this exercise underscores the critical need for encryption. Wireshark’s ability to reveal credentials so easily should serve as a reminder of why secure protocols like HTTPS and SFTP are essential in protecting sensitive information from prying eyes.

7- Conclusion

Congratulations! You’ve journeyed through the fascinating world of Wireshark, from capturing network traffic to filtering for login protocols, inspecting packets, and extracting credentials. Along the way, you’ve seen how powerful this tool can be in identifying security risks — especially when dealing with unencrypted traffic. Wireshark allows you to see, in real-time, just how exposed unencrypted data can be. With just a few filters and clicks, sensitive information like usernames and passwords can be extracted from HTTP, FTP, or Telnet traffic.

But the goal here isn’t just to learn how to pull credentials — it’s to understand why strong encryption practices matter and how we can secure our communications. Encryption protocols like HTTPS, SFTP, and SSH provide a much-needed layer of security, preventing anyone from eavesdropping on our sensitive information. For cybersecurity enthusiasts, understanding the vulnerabilities of unencrypted protocols is the first step towards building better defenses. Whether you’re learning for personal growth or to improve your security skills, this knowledge is crucial for staying ahead in an increasingly digital world.

So, what’s next? Keep exploring! Wireshark is an incredible tool with a ton of features waiting to be discovered. Whether you’re digging deeper into packet analysis or learning to secure your own network, Wireshark is your go-to tool for understanding how data flows across the internet — and how to protect it.

Remember, every packet tells a story.

Let’s make sure it’s a secure one!

--

--

Ahmed
Ahmed

Written by Ahmed

I am interested in Data Science | Security Research | Cloud Computing https://mawgoud.medium.com/subscribe

No responses yet