Sniffing for Passwords with Wireshark

Installing the Wireshark Packet Sniffer

What you need for this task:
  • A computer with Internet access. You need administrator privileges.
  • I wrote the instructions with Windows 7
Open a Web browser and go to WireShark.org

Download and install the latest version of Wireshark. The installer will also install WinPCap.

Reboot the machine to load the WinPCap driver

Note: If you have problems with WinPCap under Windows 10, get the driver from http://www.win10pcap.org/

Starting a Packet Capture

Start Wireshark.

In the Capture menu, select Options


Make sure your interfaces are in promiscuous mode. Press Manage Interfaces.


In the Manage Interfaces windows, select the desired interface where you want to capture traffic


Back to the starting windows, double click on the interface to start the capture


You should see packets being captured and scrolling by, as shown below on this page. Every packet sent from or to your machine is shown here. But it shows a lot more information than you usually want to know.



Sending a password to a test site

Open a Web browser and go to:




Enter a Username of YOURNAME@SOMEDOMAIN.LOCAL (using your own name, not the literal string "YOURNAME") and a password like topsecretpassword, as shown below:


Click the "login" button.

The login will fail but that is not important.

In the Wireshark window click on the red square button to stop the capture


Finding the password in Wireshark

In the Wireshark window, in the Filter bar, type as filter some of the text you entered as username, as shown below:

frame contains rumos.local


Wireshark shows an HTTP packet containing the searched text. In the upper pane of Wireshark, right-click the HTTP packet and click "Follow/TCP Stream", as shown below.


Expand the "Follow TCP Stream" box so that you can see YOURNAME and the topsecretpassword, as shown below.



When login into plain http websites, your credentials are sent in plaintext and can be easily captured and discovered.


Using a secure website

Start another packet capture by going to Wireshark’s menu bar, click Capture, Start (or click the blue fin button on the top left. A pops up asks "Do you want to save the captured packets before starting a new capture?" Click "Continue without saving".

In a Web browser, go to http://gmail.com. Notice you are immediately redirected to https://accounts.google.com. (You can go to any safe website, it doesn’t have to be on GMail)

Enter a valid Gmail account and the same password topsecretpassword, as shown below.

Click the "Sign in" button.


Gmail will reject the credentials, just like the other website did.

In the Wireshark window, click Capture/Stop.

Searching for the password in Wireshark

In the Wireshark menu, click Edit/Find Packet.


In the "Wireshark: Find Packet" box, click the String button.

Enter a search string of secret, as shown below.


In the "Search In" section, click "Packet bytes". Click Find.


A message appears briefly in the status bar at the bottom of the Wireshark window, saying "No packet contained that string", as shown below. This means the password text cannot be found in any of the captured packets because the information exchange with Gmail’s website was properly encrypted.



When login into secure websites, user credentials are encrypted by the SSL/TLS protocol and although the packet sniffers manages to captures the traffic, it’s virtually impossible to see the content of the encrypted information exchanged with the secure website

Previous post: Securing Virtual Machines in Windows 10

Next post: Cracking Windows Passwords