Isn't Wireshark for the most part useless these days, as malware usually uses HTTPS? Or so I've heard
The claim that Wireshark is irrelevant today because malware uses HTTPS encryption is a major misunderstanding of the tool's purpose.
While it’s true that encryption stops us from seeing the payload, or the content of the traffic, Wireshark is still essential because it captures and analyzes the unencrypted network metadata, the fundamental headers of every packet. This metadata, which includes source and destination IP addresses, port numbers, connection timing, and volume, is crucial for network troubleshooting and performance analysis.
More importantly, this is exactly the data security analysts use to find backdoors and Command and Control (C2) activity. Malware traffic usually has tell-tale suspicious behaviors, such as rhythmic "beaconing" to a foreign server, connecting to known low-reputation IP addresses, or unusual use of basic protocols like DNS or ICMP. Simply put, Wireshark is not only relevant but remains the industry-standard tool for deep network forensics and debugging.
While metadata is key, there are methods to extend Wireshark's visibility to include the content of encrypted streams when necessary. Although not strictly Wireshark "plugins," other utilities are used in conjunction with it for decryption, often by acting as a Man-in-the-Middle (MitM) proxy or by exporting session keys.
Proxies such as Fiddler, Burp Suite, mitmproxy, or PolarProxy intercept, decrypt, and re-encrypt the traffic. These tools can then either export the decrypted session secrets (keys) for Wireshark to process the original capture file, or they can save the entirely decrypted traffic directly into a new PCAP file that Wireshark can read.
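To make the "rhythmic beaconing" point concrete, here is an added example (not code from the original post or from the Wireshark project) that looks for periodic connections using only the metadata the answer mentions: timestamps, source and destination addresses and destination port. It assumes the fields were exported from a capture with tshark (`-T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport`, filtered to client SYNs); the flow records, hostnames and thresholds below are constructed for illustration. Nothing in the TLS payload is needed: a flow is flagged when it has enough connections and the inter-connection intervals are nearly constant (low coefficient of variation).

```python
"""Beacon detection over connection metadata exported from a packet capture.

Added example, not from the original post. Input format assumed to be the
tab-separated output of:
  tshark -r capture.pcap -Y 'tcp.flags.syn==1 && tcp.flags.ack==0' \
    -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records (documentation address ranges). Flow 1 beacons to
# 203.0.113.10:443 roughly every 60 s with a couple of seconds of jitter; flow 2
# is irregular browsing to 198.51.100.5:443; flow 3 has too few connections to
# judge.
SAMPLE_FLOWS = """\
1700000000.0\t10.0.0.5\t203.0.113.10\t443
1700000005.0\t10.0.0.5\t198.51.100.5\t443
1700000007.0\t10.0.0.5\t198.51.100.5\t443
1700000030.0\t10.0.0.5\t198.51.100.5\t443
1700000031.0\t10.0.0.5\t198.51.100.5\t443
1700000061.2\t10.0.0.5\t203.0.113.10\t443
1700000100.0\t10.0.0.5\t203.0.113.20\t80
1700000119.2\t10.0.0.5\t203.0.113.10\t443
1700000130.0\t10.0.0.5\t198.51.100.5\t443
1700000160.0\t10.0.0.5\t203.0.113.20\t80
1700000181.9\t10.0.0.5\t203.0.113.10\t443
1700000238.5\t10.0.0.5\t203.0.113.10\t443
1700000300.4\t10.0.0.5\t203.0.113.10\t443
1700000358.0\t10.0.0.5\t203.0.113.10\t443
1700000421.1\t10.0.0.5\t203.0.113.10\t443
1700000479.7\t10.0.0.5\t203.0.113.10\t443
1700000540.7\t10.0.0.5\t203.0.113.10\t443
1700000800.0\t10.0.0.5\t198.51.100.5\t443
1700000801.0\t10.0.0.5\t198.51.100.5\t443
1700000802.0\t10.0.0.5\t198.51.100.5\t443
1700001500.0\t10.0.0.5\t198.51.100.5\t443
"""


def parse_flows(text):
    """Group SYN timestamps by (src, dst, dport); one list per flow."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split("\t")
        flows[(src, dst, int(dport))].append(float(ts))
    return flows


def beacon_score(timestamps):
    """Return (connections, mean_interval, cv) for one flow.

    cv is the coefficient of variation (stdev / mean) of the inter-connection
    intervals; values near 0 mean the connections are evenly spaced. With fewer
    than two intervals there is no meaningful statistic, so cv is None.
    """
    ts = sorted(timestamps)
    deltas = [b - a for a, b in zip(ts, ts[1:])]
    if len(deltas) < 2:
        return len(ts), None, None
    m = mean(deltas)
    cv = pstdev(deltas) / m if m > 0 else float("inf")
    return len(ts), m, cv


def find_beacons(flows, min_connections=5, max_cv=0.2):
    """Flag flows with enough connections and near-constant spacing.

    Thresholds are illustrative; tune them against your own baseline, since a
    legitimate update checker can look just as regular as a C2 beacon.
    """
    hits = []
    for key, ts in flows.items():
        n, m, cv = beacon_score(ts)
        if n >= min_connections and cv is not None and cv <= max_cv:
            hits.append((key, n, round(m, 1), round(cv, 3)))
    return sorted(hits)


if __name__ == "__main__":
    for (src, dst, dport), n, interval, cv in find_beacons(parse_flows(SAMPLE_FLOWS)):
        print(f"{src} -> {dst}:{dport}  {n} connections, ~{interval}s apart, cv={cv}")
```

On the constructed data only the 203.0.113.10:443 flow is flagged (ten connections about 60 s apart, cv below 0.05); the browsing flow has a far larger spread of intervals, and the two-connection flow is skipped because one interval is not enough to judge regularity. The same statistic can be computed from a Wireshark Conversations export or a Zeek conn.log once the timestamps are grouped the same way.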