What Is Wireshark

Wireshark is the world's most widely used network protocol analyzer. It lets you capture live network traffic and inspect it at a granular level -- down to individual packets and the bytes within them. Network administrators use it to troubleshoot connectivity issues, security professionals use it to investigate suspicious activity, and developers use it to debug application protocols.

Wireshark is open-source, cross-platform, and completely free. It supports hundreds of protocols and can read capture files from many other tools, making it the de facto standard for network analysis.

⚠️
Ethics and Legality

Only capture and analyze traffic on networks you own or have explicit written authorization to monitor. Intercepting network traffic without permission is illegal in most jurisdictions. In corporate environments, always obtain approval from your IT department or management before running Wireshark. This tutorial is strictly for authorized, educational, and defensive purposes.

Packet -- A small unit of data transmitted over a network. Every email, web page, and video stream is broken into packets for delivery.
Protocol -- A set of rules that governs how data is formatted and transmitted. Examples include TCP, UDP, HTTP, DNS, and TLS.
PCAP -- Packet Capture, the standard file format for storing captured network traffic. Wireshark saves captures as .pcapng files by default.
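To make the PCAP definition concrete, here is an added example (it is not part of this tutorial or of the Wireshark project) that builds a classic .pcap file in memory from constructed frames, reads it back, and decodes the Ethernet, IPv4, TCP and UDP headers the way a dissector would. Every address, port and the DNS query bytes are made up for the demonstration, and the reader handles only the classic .pcap layout, not the block-based .pcapng format Wireshark saves by default.

```python
import socket
import struct

# Added example (not from the Wireshark project): write a classic libpcap file in
# memory from constructed frames, parse it back, and decode the Ethernet, IPv4,
# TCP and UDP headers. Classic .pcap only; .pcapng is a different, block-based layout.

PCAP_MAGIC = 0xA1B2C3D4       # microsecond timestamps; written little-endian below
LINKTYPE_ETHERNET = 1

def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement sum; returns 0 when run over a header whose checksum is correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_frame(src_ip: str, dst_ip: str, proto: int, l4: bytes) -> bytes:
    """Ethernet II + IPv4 header + transport bytes; MAC addresses are made up."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0x4000, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return eth + ip + l4

def udp_segment(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload   # checksum 0 = absent

def tcp_segment(sport: int, dport: int, seq: int, flags: int) -> bytes:
    # 20-byte header (data offset 5), no options; TCP checksum left at zero in this sample
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0)

def write_pcap(frames) -> bytes:
    """Global header followed by one 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out

def decode_frame(frame: bytes, ts: float) -> dict:
    pkt = {"ts": ts, "frame.len": len(frame)}
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:     # only IPv4 is decoded here
        pkt["proto"] = "other"
        return pkt
    ihl = (frame[14] & 0x0F) * 4
    ip = frame[14:14 + ihl]
    pkt["ip.src"], pkt["ip.dst"] = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    pkt["ip.checksum_ok"] = ipv4_checksum(ip) == 0
    l4 = frame[14 + ihl:]
    if ip[9] == 6:
        sport, dport, seq, _, _, flags, _, _, _ = struct.unpack("!HHIIBBHHH", l4[:20])
        pkt.update({"proto": "tcp", "tcp.srcport": sport, "tcp.dstport": dport, "tcp.seq": seq,
                    "tcp.flags.syn": bool(flags & 0x02), "tcp.flags.reset": bool(flags & 0x04)})
    elif ip[9] == 17:
        sport, dport, ulen, _ = struct.unpack("!HHHH", l4[:8])
        pkt.update({"proto": "udp", "udp.srcport": sport, "udp.dstport": dport, "udp.payload_len": ulen - 8})
    else:
        pkt["proto"] = "ip"
    return pkt

def parse_pcap(data: bytes) -> list:
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:                 # same magic written big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "IHHiIII", data[:24])[6] != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is handled here")
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated record at offset %d" % off)
        packets.append(decode_frame(frame, ts_sec + ts_usec / 1e6))
        off += 16 + incl_len
    return packets

# Constructed traffic: a DNS query for example.com, a TCP SYN to port 443, and a copy of
# that SYN with its IP header checksum corrupted (what Wireshark flags as a bad checksum).
DNS_QUERY = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01"
SYN = build_frame("10.0.0.5", "10.0.0.1", 6, tcp_segment(51000, 443, 1000, 0x02))
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "10.0.0.1", 17, udp_segment(40000, 53, DNS_QUERY)),
    SYN,
    SYN[:24] + bytes([SYN[24] ^ 0xFF]) + SYN[25:],    # checksum field sits at Ethernet offset 14 + 10
]

def parse_sample() -> list:
    return parse_pcap(write_pcap(SAMPLE_FRAMES))

if __name__ == "__main__":
    for p in parse_sample():
        print(p)
```

The record loop is the whole file format: a 24-byte global header, then for each packet a 16-byte record header (timestamp, captured length, original length) followed by the raw frame. Everything else Wireshark shows you is dissection of those raw bytes, which is why a corrupted checksum is visible only after decoding the IPv4 header.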

Installing Wireshark

Wireshark is available in the default repositories of most Linux distributions and can be downloaded directly for Windows and macOS.

Ubuntu / Debian

# Install Wireshark
sudo apt update
sudo apt install wireshark

# During installation, select "Yes" when asked whether
# non-superusers should be able to capture packets

After installation, add your user to the wireshark group so you can capture packets without running as root:

# Add your user to the wireshark group
sudo usermod -aG wireshark $USER

# Log out and log back in for the group change to take effect

💡
Why not run as root?

Running Wireshark as root is a security risk. Wireshark's protocol dissectors parse untrusted data straight off the wire, and a malformed packet could theoretically exploit a vulnerability in one of them. Wireshark therefore splits the work: only the small capture engine (dumpcap) runs with elevated privileges, while the GUI and its dissectors run as a normal user. That limits the attack surface exposed with root privileges and the damage a dissector bug could do.

Fedora / RHEL

sudo dnf install wireshark wireshark-qt
sudo usermod -aG wireshark $USER

Windows

1. Download the installer from https://www.wireshark.org/download.html
2. Run the installer. When prompted, install Npcap (the packet capture driver for Windows). Accept the default settings.
3. Launch Wireshark from the Start Menu. No additional group configuration is needed on Windows.

Verify the installation by opening Wireshark. You should see a list of available network interfaces on the welcome screen.

Capturing Packets

Capturing is the core function of Wireshark. You select a network interface, start the capture, and Wireshark records every packet that passes through that interface.

Selecting an Interface

When you open Wireshark, the welcome screen displays all available network interfaces along with a small sparkline graph showing current activity on each one. Choose the interface that carries the traffic you want to analyze:

eth0 / ens33 -- Wired Ethernet connection. Use this for traffic on your physical LAN cable.
wlan0 / wlp2s0 -- Wireless (Wi-Fi) interface. Captures traffic your wireless adapter sends and receives.
lo (loopback) -- The loopback interface (127.0.0.1). Useful for capturing traffic between local services on the same machine.
any -- A pseudo-interface on Linux that captures traffic from all interfaces simultaneously.

Starting and Stopping a Capture

1. Double-click an interface on the welcome screen, or select it and click the blue shark fin icon in the toolbar to start capturing.
2. Packets will begin appearing in the packet list pane in real time. Each row is one packet.
3. Click the red square icon in the toolbar to stop the capture. You can now browse, filter, and analyze the captured data.

Ctrl + E -- Start or stop a capture

You can also capture from the command line using tshark, the terminal-based companion to Wireshark:

# Capture 100 packets on eth0 and save to file
tshark -i eth0 -c 100 -w capture.pcapng

# Capture with a display filter (HTTP traffic only)
tshark -i eth0 -Y "http" -c 50

Saving Captures

Save your capture for later analysis using File > Save As. Wireshark defaults to the .pcapng format, which supports annotations and multiple interfaces. You can also export as the older .pcap format for compatibility with other tools.

Display Filters

A busy network can produce thousands of packets per second. Display filters let you narrow down the packet list to only the traffic you care about. The filter bar is located at the top of the main window -- type a filter expression and press Enter.

💡
Display filters vs. Capture filters

Display filters hide packets from view but keep them in the capture file. Capture filters (set before starting a capture) prevent packets from being recorded at all. For beginners, display filters are safer because you can always remove the filter and see everything again.

Essential Display Filters

ip.addr == 192.168.1.100 -- Show all traffic to or from a specific IP address.
ip.src == 10.0.0.5 -- Show only traffic originating from this IP.
ip.dst == 10.0.0.1 -- Show only traffic destined for this IP.
tcp.port == 443 -- Show all TCP traffic on port 443 (HTTPS).
udp.port == 53 -- Show DNS traffic (UDP port 53).
http -- Show all HTTP traffic. Note: HTTPS traffic appears as TLS, not HTTP, because the content is encrypted.
dns -- Show DNS queries and responses. Very useful for troubleshooting name resolution issues.
tcp.flags.syn == 1 -- Show TCP SYN packets, the first step of a TCP handshake. Useful for seeing new connections being established.

Combining Filters

You can combine multiple conditions using logical operators:

# Traffic from a specific IP on port 80
ip.addr == 192.168.1.100 && tcp.port == 80

# DNS or HTTP traffic
dns || http

# All traffic except ARP broadcasts
!arp

# TCP traffic from a subnet
ip.src == 10.0.0.0/24 && tcp

The filter bar turns green when the syntax is valid and red when there is an error. Wireshark also provides autocomplete suggestions as you type.
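To show what the filter bar is actually doing with these expressions, here is an added example (not Wireshark code) of a small interpreter for the subset of display-filter syntax used above: bare protocol names, field == value, field != value, &&, ||, ! and parentheses, with CIDR-aware matching for IP fields so that 10.0.0.0/24 works as on the page. The packet summaries, the field names they carry, and the select and is_valid helpers are constructed for this example; real Wireshark filters support far more fields, operators and value types.

```python
import ipaddress
import re

# Added example (not Wireshark code): interpret the subset of display-filter syntax
# shown on the page and run it over constructed packet summaries.

TOKEN_RE = re.compile(r"\|\||&&|==|!=|[!()]|[\w.]+(?:/\d+)?")
OPERATORS = {"||", "&&", "==", "!=", "!", "(", ")"}
IP_FIELDS = {"ip.src", "ip.dst"}
# ip.addr and tcp.port/udp.port match either direction, as in Wireshark.
ALIASES = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport"),
           "udp.port": ("udp.srcport", "udp.dstport")}

class FilterError(ValueError):
    """Syntax Wireshark would show with a red filter bar."""

def tokenize(expr: str) -> list:
    tokens, pos = [], 0
    for m in TOKEN_RE.finditer(expr):
        if expr[pos:m.start()].strip():
            raise FilterError("unexpected text %r" % expr[pos:m.start()])
        tokens.append(m.group())
        pos = m.end()
    if expr[pos:].strip():
        raise FilterError("unexpected text %r" % expr[pos:])
    return tokens

class Parser:
    """Recursive descent: '!' binds tightest, then '&&', then '||'."""
    def __init__(self, expr: str):
        self.toks, self.i = tokenize(expr), 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise FilterError("expected %s, got %r" % (expected or "a term", tok))
        self.i += 1
        return tok
    def parse(self):
        node = self.parse_binary("||", lambda: self.parse_binary("&&", self.parse_not, "and"), "or")
        if self.peek() is not None:
            raise FilterError("unexpected trailing token %r" % self.peek())
        return node
    def parse_binary(self, op, sub, name):
        node = sub()
        while self.peek() == op:
            self.take()
            node = (name, node, sub())
        return node
    def parse_not(self):
        if self.peek() == "!":
            self.take()
            return ("not", self.parse_not())
        return self.parse_atom()
    def parse_atom(self):
        tok = self.take()
        if tok == "(":
            self.i -= 1                     # let parse() re-enter at the lowest precedence
            self.take("(")
            node = Parser.__new__(Parser); node.toks, node.i = self.toks, self.i
            inner = node.parse_binary("||", lambda: node.parse_binary("&&", node.parse_not, "and"), "or")
            self.i = node.i
            self.take(")")
            return inner
        if tok in OPERATORS:
            raise FilterError("unexpected %r" % tok)
        if self.peek() in ("==", "!="):
            op = self.take()
            return ("cmp", tok, op, self.take())
        return ("has", tok)                 # bare protocol or field name: "is it present?"

def value_matches(field: str, actual, expected: str) -> bool:
    if field in IP_FIELDS:
        return ipaddress.ip_address(actual) in ipaddress.ip_network(expected, strict=False)
    return str(actual) == expected

def evaluate(node, pkt: dict) -> bool:
    kind = node[0]
    if kind == "or":
        return evaluate(node[1], pkt) or evaluate(node[2], pkt)
    if kind == "and":
        return evaluate(node[1], pkt) and evaluate(node[2], pkt)
    if kind == "not":
        return not evaluate(node[1], pkt)
    if kind == "has":
        return node[1] in pkt["protocols"] or node[1] in pkt
    _, field, op, expected = node
    present = [f for f in ALIASES.get(field, (field,)) if f in pkt]
    hit = any(value_matches(f, pkt[f], expected) for f in present)
    # Wireshark 3.6+: "!=" means "no value equals"; a packet lacking the field matches neither form
    return hit if op == "==" else bool(present) and not hit

def is_valid(expr: str) -> bool:
    """True when the expression parses (green bar), False when it would be red."""
    try:
        Parser(expr).parse()
        return True
    except FilterError:
        return False

# Constructed packet summaries, each with the protocol stack it carries.
SAMPLE_PACKETS = [
    {"no": 1, "protocols": {"eth", "ip", "udp", "dns"}, "ip.src": "192.168.1.100", "ip.dst": "192.168.1.1",
     "udp.srcport": 40000, "udp.dstport": 53},
    {"no": 2, "protocols": {"eth", "ip", "tcp", "tls"}, "ip.src": "192.168.1.100", "ip.dst": "203.0.113.10",
     "tcp.srcport": 51000, "tcp.dstport": 443, "tcp.flags.syn": 1},
    {"no": 3, "protocols": {"eth", "ip", "tcp", "http"}, "ip.src": "192.168.1.100", "ip.dst": "10.0.0.1",
     "tcp.srcport": 52000, "tcp.dstport": 80, "tcp.flags.syn": 0},
    {"no": 4, "protocols": {"eth", "ip", "tcp"}, "ip.src": "10.0.0.5", "ip.dst": "10.0.0.1",
     "tcp.srcport": 53000, "tcp.dstport": 22, "tcp.flags.syn": 0},
    {"no": 5, "protocols": {"eth", "arp"}},
]

def select(expr: str, packets=SAMPLE_PACKETS) -> list:
    """Packet numbers that pass the display filter."""
    ast = Parser(expr).parse()
    return [p["no"] for p in packets if evaluate(ast, p)]
```

Two details worth noticing: a bare name such as tcp or http is a presence test, not a comparison, and since Wireshark 3.6 a != b means "no value of a equals b", which is why !(ip.addr == x) and ip.addr != x differ only on packets that have no ip.addr at all.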

Following TCP Streams and Color Coding

One of Wireshark's most powerful features is the ability to reconstruct and view an entire TCP conversation between two hosts.

Following a TCP Stream

1. Right-click on any packet that is part of a TCP connection.
2. Select Follow > TCP Stream from the context menu.
3. A new window shows the entire conversation. Client data appears in red, server responses in blue.

This is invaluable for reading HTTP requests and responses, analyzing cleartext protocols, and understanding the flow of a connection. You can also follow UDP and TLS streams using the same right-click menu.
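What Follow > TCP Stream does behind the scenes is group segments into a conversation, order each direction by sequence number, and drop bytes that arrive twice. The following added example (not Wireshark's own code) performs that reassembly over constructed segment summaries and also counts retransmissions, the same signal the tcp.analysis.retransmission filter used for troubleshooting later in this tutorial is based on. Addresses, ports, sequence numbers and the HTTP exchange are all made up, including the Basic credential header, which is there only to show why the page warns that cleartext protocols expose credentials to anyone who can follow the stream.

```python
from collections import defaultdict

# Added example (not Wireshark code): rebuild both sides of a TCP conversation from
# decoded segments, as Follow > TCP Stream does, and count retransmitted segments.

def endpoints(seg):
    return (seg["ip.src"], seg["tcp.srcport"]), (seg["ip.dst"], seg["tcp.dstport"])

def reassemble(segments):
    """Order one direction by sequence number; return (payload, retransmissions, gaps)."""
    data, retrans, gaps, expected = bytearray(), 0, 0, None
    for seg in sorted(segments, key=lambda s: s["tcp.seq"]):   # stable sort: ties keep capture order
        seq, payload = seg["tcp.seq"], seg.get("payload", b"")
        if seg.get("tcp.flags.syn"):
            expected = seq + 1          # SYN occupies one sequence number and carries no data
            continue
        if expected is None:
            expected = seq              # stream captured mid-connection
        if not payload:
            continue                    # pure ACK
        end = seq + len(payload)
        if end <= expected:
            retrans += 1                # every byte already delivered: a retransmission
            continue
        if seq < expected:
            retrans += 1                # partial overlap: keep only the new tail
            payload = payload[expected - seq:]
        elif seq > expected:
            gaps += 1                   # missing segment (lost in capture or never seen)
        data += payload
        expected = end
    return bytes(data), retrans, gaps

def follow_streams(segments):
    """Group segments into conversations and return one record per stream."""
    by_stream = defaultdict(list)
    for seg in segments:
        by_stream[frozenset(endpoints(seg))].append(seg)
    streams = []
    for segs in by_stream.values():
        # The client is whoever sent the bare SYN; fall back to the first segment seen.
        syn = next((s for s in segs if s.get("tcp.flags.syn") and not s.get("tcp.flags.ack")), segs[0])
        client, server = endpoints(syn)
        c_data, c_re, c_gap = reassemble([s for s in segs if endpoints(s)[0] == client])
        s_data, s_re, s_gap = reassemble([s for s in segs if endpoints(s)[0] == server])
        streams.append({"client": client, "server": server, "client_data": c_data, "server_data": s_data,
                        "retransmissions": c_re + s_re, "gaps": c_gap + s_gap})
    return streams

def seg(src, sport, dst, dport, seq, payload=b"", syn=False, ack=True):
    return {"ip.src": src, "tcp.srcport": sport, "ip.dst": dst, "tcp.dstport": dport, "tcp.seq": seq,
            "payload": payload, "tcp.flags.syn": syn, "tcp.flags.ack": ack}

# Constructed capture: handshake, the request sent twice (a retransmission), and the
# response arriving as two segments in the wrong order. Credentials are made up.
REQUEST = b"GET /login HTTP/1.1\r\nHost: 10.0.0.1\r\nAuthorization: Basic dXNlcjpwYXNz\r\n\r\n"
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"
C, S = ("10.0.0.5", 52000), ("10.0.0.1", 80)
SAMPLE_SEGMENTS = [
    seg(*C, *S, 1000, syn=True, ack=False),
    seg(*S, *C, 5000, syn=True),
    seg(*C, *S, 1001),
    seg(*C, *S, 1001, REQUEST),
    seg(*C, *S, 1001, REQUEST),
    seg(*S, *C, 5001 + 20, RESPONSE[20:]),
    seg(*S, *C, 5001, RESPONSE[:20]),
]

def follow_sample():
    return follow_streams(SAMPLE_SEGMENTS)[0]

if __name__ == "__main__":
    st = follow_sample()
    print("client %s:%d -> server %s:%d" % (*st["client"], *st["server"]))
    print(st["client_data"].decode())     # what the red (client) side of the window shows
    print(st["server_data"].decode())     # what the blue (server) side shows
```

Sorting by sequence number is what makes the out-of-order response readable, and the duplicate request is recognised as a retransmission because every byte it carries is already below the expected sequence number.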

Understanding Color Coding

Wireshark applies color coding to packets in the packet list to help you identify traffic types at a glance. The default color rules include:

Light purple -- TCP traffic.
Light blue -- UDP traffic.
Light green -- HTTP traffic.
Black with red text -- Packets with errors (bad checksum, malformed packets).
Dark yellow -- ARP traffic.

You can customize color rules through View > Coloring Rules. Custom rules let you highlight traffic that matters most to your analysis.

Common Use Cases

Wireshark is a versatile tool with applications across networking, security, and development. Here are some common scenarios where it provides critical visibility.

Network Troubleshooting

  • Slow connections -- Look for TCP retransmissions (tcp.analysis.retransmission), which indicate packet loss.
  • DNS failures -- Filter with dns to see if queries are failing or returning unexpected results.
  • Connection refused -- Look for TCP RST (reset) packets using tcp.flags.reset == 1 to identify rejected connections.
  • Duplicate IPs -- Filter for ARP traffic to detect IP address conflicts on your LAN.

Security Analysis

  • Unusual outbound connections -- Filter for traffic leaving your network to unexpected IP addresses or on unusual ports.
  • Cleartext credentials -- Protocols like FTP, Telnet, and HTTP Basic Auth send credentials in plain text. Following the TCP stream reveals them instantly.
  • DNS tunneling -- Look for abnormally long DNS queries or high volumes of DNS traffic to a single server, which may indicate data exfiltration.
  • Port scanning -- Many SYN packets to sequential ports from a single source IP indicate a port scan in progress.
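Two of these patterns can be turned into simple automated checks. The following added example (not Wireshark code, and not part of this tutorial originally) implements the port-scan signal (many SYNs to distinct ports from one source to one host in a short window) and the DNS-tunneling signals (abnormally long, high-entropy labels, and a very high query volume from one host to one server) over constructed packet summaries of the kind tshark can export with -T fields. The thresholds, field names, addresses and query names are assumptions made for the demonstration; tune the thresholds to the baseline of the network you monitor.

```python
import math
from collections import Counter, defaultdict, deque

# Added example (not Wireshark code): detection heuristics for the port-scan and
# DNS-tunneling patterns described above, run over constructed packet summaries.
# Thresholds are illustrative assumptions.

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking hex/base32 labels score high, words score low."""
    if not s:
        return 0.0
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values())

def detect_port_scans(packets, min_ports=15, window=5.0):
    """Alert when one source sends SYN-only segments to at least min_ports distinct ports
    on one destination within `window` seconds."""
    by_pair = defaultdict(list)
    for p in packets:
        if p.get("proto") == "tcp" and p.get("tcp.flags.syn") and not p.get("tcp.flags.ack"):
            by_pair[(p["ip.src"], p["ip.dst"])].append((p["ts"], p["tcp.dstport"]))
    alerts = []
    for (src, dst), events in by_pair.items():
        recent, ports = deque(), Counter()
        for ts, port in sorted(events):
            recent.append((ts, port))
            ports[port] += 1
            while recent[0][0] < ts - window:          # slide the window forward
                _, old = recent.popleft()
                ports[old] -= 1
                if not ports[old]:
                    del ports[old]
            if len(ports) >= min_ports:
                alerts.append({"type": "port_scan", "src": src, "dst": dst,
                               "distinct_ports": len(ports), "ts": ts})
                break                                   # one alert per source/destination pair
    return alerts

def detect_dns_tunneling(packets, max_label=30, min_entropy=3.5, max_queries=100):
    """Flag long, high-entropy DNS labels and very high query volume from one host to one server."""
    alerts, per_server = [], Counter()
    for p in packets:
        name = p.get("dns.qry.name")
        if not name:
            continue
        per_server[(p["ip.src"], p["ip.dst"])] += 1
        label = max(name.rstrip(".").split("."), key=len)
        if len(label) > max_label and shannon_entropy(label) > min_entropy:
            alerts.append({"type": "dns_long_label", "src": p["ip.src"], "name": name, "label_len": len(label)})
    for (src, server), n in per_server.items():
        if n > max_queries:
            alerts.append({"type": "dns_volume", "src": src, "server": server, "queries": n})
    return alerts

def syn(ts, src, dst, dport):
    return {"ts": ts, "proto": "tcp", "ip.src": src, "ip.dst": dst, "tcp.dstport": dport,
            "tcp.flags.syn": True, "tcp.flags.ack": False}

def dns(ts, src, server, name):
    return {"ts": ts, "proto": "udp", "ip.src": src, "ip.dst": server, "udp.dstport": 53, "dns.qry.name": name}

# Constructed traffic: one host probing ports 1-25 in 2.5 s, a normal browser, ordinary
# lookups, one query carrying a 48-character hex label, and a host making 120 lookups
# under a single domain.
SAMPLE_PACKETS = (
    [syn(0.1 * i, "10.0.0.99", "10.0.0.1", i) for i in range(1, 26)]
    + [syn(1.0, "10.0.0.5", "203.0.113.10", 443), syn(7.0, "10.0.0.5", "203.0.113.10", 80)]
    + [dns(2.0 + i, "10.0.0.5", "10.0.0.1", n) for i, n in enumerate(["www.example.com", "mail.example.com"])]
    + [dns(3.0, "10.0.0.8", "10.0.0.1", "0123456789abcdef" * 3 + ".t.example.net")]
    + [dns(10.0 + 0.05 * i, "10.0.0.7", "10.0.0.1", "q%03d.t.example.net" % i) for i in range(120)]
)

def run_detections(packets=SAMPLE_PACKETS):
    return detect_port_scans(packets) + detect_dns_tunneling(packets)

if __name__ == "__main__":
    for alert in run_detections():
        print(alert)
```

The sliding window matters: a browser opening a handful of connections over a day touches several ports too, so the heuristic keys on distinct ports to one host within a few seconds, and the DNS volume check needs a per-network baseline before it is useful as an alert rather than a statistic.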

Application Debugging

  • API troubleshooting -- Capture HTTP traffic to see exact request headers, body content, and response codes.
  • TLS handshake failures -- Filter with tls.handshake to diagnose certificate or cipher negotiation problems.
  • Performance profiling -- Use Statistics > IO Graphs to visualize throughput over time and identify bottlenecks.

💡
Useful Statistics Menu

Wireshark's Statistics menu provides powerful summaries: Conversations shows top talkers on your network, Protocol Hierarchy breaks down traffic by protocol, and Endpoints lists every host that appeared in the capture.

Summary

In this tutorial, you learned the fundamentals of Wireshark network analysis:

  • What Wireshark does -- captures and dissects network traffic at the packet level
  • Installation -- available on Linux, Windows, and macOS with proper user group configuration
  • Capturing -- selecting interfaces, starting/stopping captures, and saving results
  • Display filters -- filtering by IP, port, protocol, and combining conditions with logical operators
  • TCP stream following -- reconstructing full conversations between hosts
  • Practical use cases -- troubleshooting, security monitoring, and application debugging

⚠️
Remember: Authorization is mandatory.

Never use Wireshark to capture traffic on networks you do not own or have explicit permission to monitor. Unauthorized packet capture is a criminal offense in many countries. Use this knowledge responsibly and ethically.

🎉
Well done!

You now have the foundational skills to capture and analyze network traffic with Wireshark. Practice on your own home network to build familiarity with the interface and common traffic patterns.