
Wireshark is an open-source network protocol analyzer used for capturing and inspecting network traffic in real time. It allows users to analyze packets at a granular level, helping in troubleshooting network issues, monitoring security threats, and understanding network protocols.

Key Features of Wireshark

✅ Packet Capture – Captures live traffic from wired and wireless interfaces (the capture itself is done by the dumpcap helper, which is the only component that needs capture privileges).
✅ Deep Packet Inspection – Dissects each packet layer by layer, from the frame up to the application protocol.
✅ Filtering & Searching – Supports capture filters (BPF syntax, applied while capturing) and display filters (Wireshark syntax, applied to what was captured).
✅ Traffic Analysis – Helps diagnose slow networks, retransmissions and dropped packets, or spot suspicious traffic.
✅ Decryption Support – Can decrypt TLS (and other protocols) when you supply the key material: a key log file written by the client (SSLKEYLOGFILE) or, for RSA key-exchange cipher suites only, the server's private key.
✅ Cross-Platform – Works on Windows, Linux, and macOS.

💡 Use Case Examples
🔹 Debugging network issues (e.g., packet loss, latency).
🔹 Analyzing HTTP requests for web applications.
🔹 Detecting unauthorized access attempts or other suspicious traffic.


Wireshark Interface Overview

Wireshark's interface is divided into several key sections, making it easy to capture, filter, and analyze network packets. Below is a breakdown of its interface:


1. Menu Bar

Located at the top, the Menu Bar provides access to various Wireshark functions.

  • File – Open, save, and export capture files.

  • Edit – Preferences, find packets, and configure Wireshark.

  • View – Customize layout, coloring, and zoom levels.

  • Capture – Start, stop, restart, and configure capture settings.

  • Analyze – Apply display filters and follow network streams.

  • Statistics – View protocol hierarchy, I/O graphs, and conversation details.

  • Help – Access documentation and Wireshark community support.


2. Toolbar

Below the menu bar, the Toolbar provides quick access to essential functions.

🔹 Start/Stop Capture – Buttons to control packet capture.
🔹 Capture Options – Configure interfaces, buffer size, and packet limits.
🔹 Open File – Load previous captures (.pcapng, .pcap).
🔹 Apply Display Filter – Enter filters like ip.addr == 192.168.1.1 in the filter bar below the toolbar; the bar turns green for a valid filter and red for an invalid one.
🔹 Colorize Packet List – Toggles the coloring rules that tint rows by protocol (TCP, DNS, ARP) or condition.


3. Interface List (Capture Section)

When starting Wireshark, you’ll see a list of available network interfaces (Wi-Fi, Ethernet, loopback, etc.).

  • Select an interface (e.g., eth0 for Ethernet, wlan0 for Wi-Fi) to begin packet capture.

  • Live traffic statistics (packet count, bytes per second) are displayed next to each interface.

💡 Tip: Use Capture → Options to customize capture settings before starting.


4. Packet List Pane (Top Section)

This pane displays captured packets in real-time.

Columns include:

  • No. – Packet number in capture.

  • Time – Timestamp (relative or absolute).

  • Source – Sender's address (IP for IP packets; MAC for ARP and other non-IP frames).

  • Destination – Receiver's address (IP or MAC, as above).

  • Protocol – Identified protocol (e.g., TCP, HTTP, DNS).

  • Length – Packet size in bytes.

  • Info – Brief packet description.

🔹 Clicking a packet selects it for detailed analysis in the two panes below.


5. Packet Details Pane (Middle Section)

This pane shows a structured breakdown of the selected packet.

  • Frame Header – Metadata (time, interface, length).

  • Ethernet Layer – MAC addresses and frame type.

  • IP Layer – Source/destination IP addresses, TTL, checksum.

  • Transport Layer – TCP/UDP details (ports, sequence numbers).

  • Application Layer – HTTP headers, DNS queries, encrypted payloads.

💡 Tip: Right-click on a field → Apply as Filter → Selected turns that field's value into a display filter; Prepare as Filter puts it in the filter bar without applying it, so you can edit it first.


6. Packet Bytes Pane (Bottom Section)

This pane displays the raw data of the selected packet in hexadecimal and ASCII format.

🔹 Useful for deep-level protocol analysis or investigating malware payloads.
🔹 Selecting a field in the Packet Details pane highlights its bytes here; the bytes can be copied or exported for further analysis.


7. Status Bar (Bottom Section)

Displays summary information about the capture session.

  • Packet count – Total captured packets.

  • Displayed packets – Number of packets after applying a filter.

  • Dropped packets – Shows if any packets were lost during capture.

  • Profile selection – Switch between custom analysis profiles.


Steps to Capture and Save Packets in Wireshark

1️⃣ Open Wireshark
2️⃣ Select a Network Interface (e.g., Ethernet, Wi-Fi)
3️⃣ Start Capture (Click the Shark Fin icon or press Ctrl + E)
4️⃣ Stop Capture (Click the Red Square icon or press Ctrl + E)
5️⃣ Save Capture → File → Save As → Choose .pcapng or .pcap

✅ Done! Your packet capture is saved for analysis. 🚀 (pcapng is the default and keeps interface details and comments; choose .pcap only for tools that cannot read pcapng.)


Filters in Wireshark

Filters in Wireshark help refine captured network traffic for easier analysis. They allow users to focus on specific packets based on IP addresses, protocols, ports, or other parameters.

Types of Filters in Wireshark

1️⃣ Capture Filters (Before capturing packets)

  • Applied before packet capture to limit what is recorded. They are written in libpcap/BPF syntax, not display-filter syntax, and packets a capture filter drops are never saved, so keep it broad unless you are sure what you need.

  • Example:

    host 192.168.1.10  # Capture traffic from/to this IP
    tcp port 80        # Capture only traffic on TCP port 80 (usually HTTP, but the port is not the protocol)
    

2️⃣ Display Filters (After capturing packets)

  • Applied after packet capture to refine what is displayed; they can be changed at any time, and the packets they hide are still in the capture.

  • Example:

    ip.addr == 192.168.1.10  # Show packets from/to this IP
    tcp.port == 443          # Show only HTTPS traffic
    dns                      # Show only DNS packets
    

💡 Tip: Use Analyze → Display Filter Expression to build complex filters field by field, and Right-click → Apply as Filter on any packet field to start from a real value. 🚀


How to Capture and View Unencrypted HTTP Data in Wireshark

🚨 Note: This works only for unencrypted HTTP traffic. If the website uses HTTPS (TLS encryption), you won’t see readable data unless you have the decryption keys.

Steps to Capture HTTP Packets

1️⃣ Open Wireshark
2️⃣ Select Network Interface (e.g., Wi-Fi or Ethernet)
3️⃣ Apply Capture Filter (Optional)

tcp port http

4️⃣ Start Capture (Ctrl + E) and Visit an HTTP Website

  • Example: http://example.com

5️⃣ Stop Capture (Ctrl + E)

6️⃣ Apply Display Filter to Show Only HTTP Traffic

http

  • Use http.request to list only requests, http.request.method == "POST" to list only form submissions, or http.cookie to find requests carrying a session cookie.

7️⃣ Analyze HTTP Packets

  • Find GET and POST requests.

  • Click a packet → Expand Hypertext Transfer Protocol.

  • Right-click → Follow → HTTP Stream to see the whole request and response as text (Follow → TCP Stream shows the same bytes before Wireshark decodes them).

✅ Now you can see unencrypted data (usernames, passwords, cookies) if the site does not use HTTPS! 🚀 This is exactly what anyone on the path, or on the same Wi-Fi network, can see as well, which is why HTTPS-only sites and HSTS matter.
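What Follow HTTP Stream does under the hood, as an added example (not Wireshark's own code): the client's TCP segments are reassembled in sequence order, including a retransmitted one, and the request line, Cookie header and form fields are pulled out of the result. The segments, host name, session cookie and credentials are all constructed for the example; nothing here is real traffic.

```python
"""Reassemble one direction of a TCP stream and read the HTTP request in it.
Added example, not Wireshark code; all input is constructed below."""
from urllib.parse import parse_qs


def reassemble(segments):
    """Join (seq, payload) segments into the byte stream, dropping bytes already
    seen (retransmissions) and refusing to continue across a gap, as Follow
    TCP Stream does for one direction."""
    stream, expected = b"", None
    for seq, data in sorted(segments):
        if expected is None:
            expected = seq
        if seq + len(data) <= expected:          # full retransmission, nothing new
            continue
        if seq < expected:                       # partial overlap: keep only the new tail
            data = data[expected - seq:]
        elif seq > expected:
            raise ValueError("gap: %d bytes missing before seq %d" % (seq - expected, seq))
        stream += data
        expected += len(data)
    return stream


def parse_http_request(stream):
    """Split one HTTP/1.1 request into the parts the walkthrough looks at."""
    head, _, body = stream.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", 0))
    form = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        form = {k: v[0] for k, v in parse_qs(body[:length].decode()).items()}
    return {"method": method, "target": target, "host": headers.get("host"),
            "cookie": headers.get("cookie"), "form": form}


# Constructed capture of one unencrypted login POST, split into three segments
# that arrived out of order, plus a retransmission of the first one.
BODY = b"username=alice&password=hunter2"
HEAD = (b"POST /login HTTP/1.1\r\nHost: intranet.example\r\n"
        b"Cookie: session=abc123\r\nContent-Type: application/x-www-form-urlencoded\r\n"
        + b"Content-Length: %d\r\n\r\n" % len(BODY))
SEGMENTS = [
    (1 + 40, HEAD[40:]),        # second part of the headers, captured first
    (1, HEAD[:40]),             # first 40 bytes of the request
    (1 + len(HEAD), BODY),      # the form body
    (1, HEAD[:40]),             # retransmission of the first segment
]


def follow_stream(segments=SEGMENTS):
    """Everything Follow HTTP Stream would reveal about this request."""
    return parse_http_request(reassemble(segments))
```

Run it and follow_stream() returns the method, target, host, cookie and the form fields in the clear, which is the whole point of the 🚨 note above: on an HTTP site the credentials are only as private as the network path.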


Wireshark Filters: Protocol, Address, and Port Filters

1️⃣ Protocol Filters (Filter by network protocol)

Used to display packets for a specific protocol (TCP, UDP, HTTP, DNS, etc.).

📌 Examples:

http        # Show only HTTP traffic  
dns         # Show only DNS packets  
tcp         # Show only TCP packets  
udp         # Show only UDP packets  
icmp        # Show only ICMP (ping) packets  

2️⃣ Address Filters (Filter by IP/MAC address)

Used to show packets from or to a specific device.

📌 Examples:

ip.addr == 192.168.1.10       # Show packets where 192.168.1.10 is source or destination  
ip.src == 192.168.1.10        # Show packets where 192.168.1.10 is the source  
ip.dst == 192.168.1.10        # Show packets where 192.168.1.10 is the destination  
eth.addr == 00:1A:2B:3C:4D:5E # Show packets from/to a specific MAC address  

3️⃣ Port Filters (Filter by network ports)

Used to filter packets based on source or destination port numbers.

📌 Examples:

tcp.port == 80       # Show only HTTP packets  
udp.port == 53       # Show only DNS packets  
tcp.srcport == 443   # Show packets where the source port is HTTPS  
tcp.dstport == 22    # Show packets where the destination port is SSH  

💡 Tip: You can combine filters!

ip.addr == 192.168.1.10 && tcp.port == 80

This shows only port-80 traffic from/to 192.168.1.10. 🚀


Logical Operators in Wireshark Filters

Wireshark supports logical operators to combine multiple filter conditions for precise packet analysis.

1️⃣ AND Operator (&& or and)

✅ Matches all conditions (both must be true).
📌 Example:

ip.addr == 192.168.1.10 && tcp.port == 80

🔹 Shows port-80 (HTTP) traffic only from/to 192.168.1.10.


2️⃣ OR Operator (|| or or)

✅ Matches any condition (at least one must be true).
📌 Example:

tcp.port == 80 || tcp.port == 443

🔹 Shows both HTTP (80) and HTTPS (443) traffic. (tcp.port in {80 443} is the shorter way to write the same thing.)


3️⃣ NOT Operator (! or not)

✅ Excludes packets that match the condition.
📌 Example:

!http

🔹 Hides all HTTP packets, showing everything else.


4️⃣ Combining Operators

✅ Complex filters using multiple conditions.
📌 Example:

(ip.src == 192.168.1.10 || ip.src == 192.168.1.20) && tcp.port == 22

🔹 Shows SSH traffic (22) from either 192.168.1.10 or 192.168.1.20.

💡 Tip: Use parentheses () for clarity! 🚀 And to exclude one host, write !(ip.addr == 192.168.1.10): ip.addr holds both the source and the destination, and before Wireshark 4.0 ip.addr != 192.168.1.10 was true whenever either side differed, i.e. for nearly every packet. Wireshark 4.0 changed != to mean "no occurrence equals" (the old any-differs test is spelled ~= or any_ne there), but the negated form works the same on every version.
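The operator rules above, and the ip.addr trap in particular, are easiest to see on a toy model. The following is an added example and not Wireshark code: it dissects nothing, but evaluates a subset of the display-filter language (==, !=, &&, ||, !, parentheses and bare protocol names) over packets that are already dicts of field → set of values, which is how multi-occurrence fields such as ip.addr and tcp.port look to Wireshark's engine. The four sample packets, their addresses and ports are constructed; the pre_4_0 switch emulates the old meaning of != for comparison.

```python
"""Toy model of Wireshark's display-filter semantics.  Added example, not
Wireshark code: packets are pre-dissected dicts (field name -> set of values),
so a field like ip.addr carries both the source and the destination."""
import re

TOKEN_RE = re.compile(r"\(|\)|&&|\|\||==|!=|!|[A-Za-z0-9_.:]+")
OR, AND, NOT = {"||", "or"}, {"&&", "and"}, {"!", "not"}


def make_packet(src, dst, proto, sport, dport, app=None):
    """Constructed 'dissected packet': every occurrence of a field is kept."""
    fields = {
        "ip": set(), "ip.addr": {src, dst}, "ip.src": {src}, "ip.dst": {dst},
        proto: set(), proto + ".port": {str(sport), str(dport)},
        proto + ".srcport": {str(sport)}, proto + ".dstport": {str(dport)},
    }
    if app:                      # bare protocol name: present, carries no value
        fields[app] = set()
    return fields


class Filter:
    """Recursive-descent evaluator for ==, !=, &&, ||, ! and parentheses."""

    def __init__(self, text, pre_4_0=False):
        self.tokens, self.pos = TOKEN_RE.findall(text), 0
        self.pre_4_0 = pre_4_0   # emulate the pre-4.0 meaning of != (see _eval)
        self.tree = self._expr()
        if self.pos != len(self.tokens):
            raise ValueError("unexpected token %r" % self.tokens[self.pos])

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _next(self):
        tok = self._peek()
        self.pos += 1
        return tok

    def _expr(self):             # expr := term ('||' term)*
        node = self._term()
        while self._peek() in OR:
            self._next()
            node = ("or", node, self._term())
        return node

    def _term(self):             # term := factor ('&&' factor)*
        node = self._factor()
        while self._peek() in AND:
            self._next()
            node = ("and", node, self._factor())
        return node

    def _factor(self):           # factor := '!' factor | '(' expr ')' | field [op value]
        tok = self._next()
        if tok in NOT:
            return ("not", self._factor())
        if tok == "(":
            node = self._expr()
            if self._next() != ")":
                raise ValueError("missing ')'")
            return node
        if tok is None or tok in OR | AND | {")", "==", "!="}:
            raise ValueError("expected a field name, got %r" % tok)
        if self._peek() in ("==", "!="):
            return (self._next(), tok, self._next())
        return ("present", tok)

    def matches(self, pkt):
        return self._eval(self.tree, pkt)

    def _eval(self, node, pkt):
        kind = node[0]
        if kind == "or":
            return self._eval(node[1], pkt) or self._eval(node[2], pkt)
        if kind == "and":
            return self._eval(node[1], pkt) and self._eval(node[2], pkt)
        if kind == "not":
            return not self._eval(node[1], pkt)
        if kind == "present":
            return node[1] in pkt
        _op, field, value = node
        values = pkt.get(field, set())
        if kind == "==":         # true if ANY occurrence of the field equals the value
            return value in values
        if self.pre_4_0:         # before Wireshark 4.0: true if ANY occurrence differs
            return any(v != value for v in values)
        return value not in values   # Wireshark >= 4.0: identical to !(field == value)


# Constructed sample capture (not real traffic): both directions of one HTTP
# connection, a DNS query, and an SSH packet.
PACKETS = [
    make_packet("192.168.1.10", "93.184.216.34", "tcp", 51000, 80, app="http"),   # 0
    make_packet("93.184.216.34", "192.168.1.10", "tcp", 80, 51000, app="http"),   # 1
    make_packet("192.168.1.20", "192.168.1.1", "udp", 53123, 53, app="dns"),      # 2
    make_packet("192.168.1.20", "10.0.0.5", "tcp", 51001, 22),                    # 3
]


def apply_filter(text, packets=PACKETS, pre_4_0=False):
    """Indices of the packets the filter would leave in the Packet List pane."""
    flt = Filter(text, pre_4_0)
    return [i for i, p in enumerate(packets) if flt.matches(p)]
```

apply_filter("!(ip.addr == 192.168.1.10)") leaves packets 2 and 3 under both rule sets, while apply_filter("ip.addr != 192.168.1.10", pre_4_0=True) leaves all four, because in packets 0 and 1 the other address differs. That is the whole difference between the two spellings.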


Wireshark Coloring Rules 🎨

Wireshark uses coloring rules to highlight packets for quick identification. Each rule is a display filter plus a foreground and background colour; rules are evaluated top to bottom and the first match wins, which is why a custom rule must sit above the generic TCP/UDP rules to have any effect.

1️⃣ Default Coloring Rules

Wireshark ships with these defaults (View → Coloring Rules lists them all):

  • 🟣 Light purple → TCP

  • 🔵 Light blue → UDP

  • 🟢 Light green → HTTP

  • 🟡 Light yellow → SMB/NetBIOS; darker yellow → routing protocols (OSPF, BGP, HSRP, etc.)

  • ⚫ Black with red text → "Bad TCP" (retransmissions, duplicate ACKs, out-of-order segments, zero window) and checksum errors (checksum validation is disabled by default in the IPv4 and TCP protocol preferences)

  • 🔴 Dark red with yellow text → TCP RST

  • Grey → TCP SYN/FIN; pink → ICMP; light tan → ARP


2️⃣ Viewing & Editing Coloring Rules

πŸ“Œ Steps to Open Coloring Rules:

  • Go to View β†’ Coloring Rules

  • Modify existing rules or add new ones

πŸ“Œ Creating a New Rule:

  1. Click + (Add Rule)

  2. Enter a filter condition (e.g., tcp.port == 443)

  3. Choose a foreground & background color

  4. Click OK → Apply, then make sure the new rule sits above the generic TCP/UDP rules (rules can be dragged to reorder them); a rule placed below them never matches.


3️⃣ Example Custom Rules

✅ Highlight all DNS traffic in Purple:

dns

✅ Mark all SSH packets in Orange:

tcp.port == 22

✅ Highlight traffic from a specific IP in Pink:

ip.addr == 192.168.1.100


Wireshark Profiles 🛠️

A Wireshark Profile is a customized workspace with specific settings for different analysis needs.

1️⃣ Features of Profiles

  • Custom Display Filters

  • Coloring Rules

  • Capture Settings

  • Column Layouts

2️⃣ Create a New Profile

📌 Steps:

  1. Edit β†’ Configuration Profiles

  2. Click New β†’ Enter a Name

  3. Customize settings (filters, columns, colors, etc.)

  4. Click OK to save

3️⃣ Switching Profiles

  • Bottom-right corner of the status bar → Select a profile from the list

  • Edit → Configuration Profiles to manage, import, or export profiles (a profile is just a directory of configuration files, so it can be shared with a team or kept under version control; Help → About Wireshark → Folders shows where they live)


Wireshark Statistics Explained 📊

Wireshark provides various statistical tools for analyzing network traffic. Below is a short explanation of each option available under the Statistics menu. Most of these dialogs have a "Limit to display filter" checkbox, so you can compute them for the packets you are already looking at rather than for the whole capture.


1️⃣ Capture File Properties

📌 Location: Statistics → Capture File Properties
🔹 Provides basic information about the capture file:

  • File name, size, and format

  • Capture duration (start and end time)

  • Packet count and average packet size

  • Interface and capture filter used

✅ Also the place to add a capture file comment (stored only in pcapng).


2️⃣ Resolved Addresses

📌 Location: Statistics → Resolved Addresses
🔹 Displays the MAC, IP, and DNS names Wireshark resolved for the capture (from its OUI table, the hosts file, and DNS responses seen in the capture).
✅ Useful for identifying human-readable names instead of raw IPs or MACs.


3️⃣ Protocol Hierarchy

📌 Location: Statistics → Protocol Hierarchy
🔹 Shows the breakdown of network protocols used in the capture, layer by layer, with packet and byte percentages.
✅ Useful for understanding protocol distribution, and for spotting protocols that have no business on the segment (unexpected tunnelling or cleartext protocols, for example).


4️⃣ Conversations

📌 Location: Statistics → Conversations
🔹 Displays every pair of endpoints that exchanged traffic, per layer:

  • Ethernet (MAC addresses)

  • IPv4/IPv6 (IP addresses)

  • TCP/UDP (address and port pairs)

✅ Sort by bytes or packets to find the busiest pairs; the Follow Stream and Graph buttons jump from a conversation to its content.


5️⃣ Endpoints

📌 Location: Statistics → Endpoints
🔹 Shows every address seen at each layer with packet and byte counts (plus GeoIP columns if MaxMind databases are configured).
✅ Useful for identifying top talkers and analyzing device-level traffic.


6️⃣ Packet Lengths

📌 Location: Statistics → Packet Lengths
🔹 Displays the distribution of packet sizes in the capture.
✅ Helps detect:

  • Too many small packets (inefficiency, keep-alives, or interactive sessions)

  • Too many large packets (bulk data transfers)


7️⃣ I/O Graph

📌 Location: Statistics → I/O Graph
🔹 Plots packets or bytes per time interval; each line on the graph can have its own display filter.
✅ Helps in performance monitoring and traffic analysis, e.g., plotting tcp.flags.syn == 1 && tcp.flags.ack == 0 per second makes a SYN flood or a port scan stand out as a spike.


8️⃣ Service Response Time

📌 Location: Statistics → Service Response Time
🔹 Measures the time between request and response for RPC-style protocols (SMB, SMB2, LDAP, DCE-RPC, and others).
✅ Helps tell a slow server from a slow network.


9️⃣ DHCP (BOOTP) Statistics

📌 Location: Statistics → DHCP (BOOTP)
🔹 Counts DHCP messages by type (Discover, Offer, Request, ACK, NAK, ...).
✅ Useful for analyzing DHCP issues; Offers from an address that is not your DHCP server point to a rogue server.


🔟 NetPerfMeter Statistics

📌 Location: Statistics → NetPerfMeter
🔹 Displays statistics for the NetPerfMeter protocol, a transport-protocol performance testing tool.


11️⃣ ONC-RPC Programs

📌 Location: Statistics → ONC-RPC Programs
🔹 Displays per-program and per-procedure call statistics for ONC Remote Procedure Calls.
✅ Helps troubleshoot NFS and other RPC-based services.


12️⃣ 29West Statistics

📌 Location: Statistics → 29West
🔹 Displays statistics for the 29West/Ultra Messaging middleware (used in financial services).


13️⃣ ANCP Statistics

📌 Location: Statistics → ANCP
🔹 Displays statistics for the Access Node Control Protocol (ANCP), used between DSL access nodes and broadband gateways.


14️⃣ BACnet Statistics

📌 Location: Statistics → BACnet
🔹 Analyzes BACnet traffic (building automation), grouped by instance ID, IP, object type, or service.


15️⃣ Collectd Statistics

📌 Location: Statistics → Collectd
🔹 Displays statistics for collectd, a system performance monitoring daemon.


16️⃣ DNS Statistics

📌 Location: Statistics → DNS
🔹 Provides an overview of DNS queries and responses: counts by opcode, response code, query type, and name and payload lengths.
✅ Helps detect slow DNS resolution or DNS abuse: a spike of NXDOMAIN (rcode 3) responses or unusually long names are classic signs of misconfiguration, DNS tunnelling, or domain-generation malware.


17️⃣ Flow Graph

📌 Location: Statistics → Flow Graph
🔹 Visualizes packet flow between devices as a sequence diagram (arrows between hosts, in time order).
✅ Helps in troubleshooting network communication issues.


18️⃣ HART-IP Statistics

📌 Location: Statistics → HART-IP
🔹 Analyzes the HART-IP protocol (used in industrial automation).


19️⃣ HPFeeds Statistics

📌 Location: Statistics → HPFeeds
🔹 Displays statistics for HPFeeds, a protocol for sharing honeypot data.


20️⃣ HTTP Statistics

📌 Location: Statistics → HTTP
🔹 Shows HTTP traffic details in several sub-dialogs:

  • Packet Counter – requests by method and responses by status code (200, 404, etc.)

  • Requests – URIs requested, grouped by host

  • Load Distribution – requests and responses per server

✅ Helps analyze web traffic and performance issues.


21️⃣ HTTP2 Statistics

📌 Location: Statistics → HTTP2
🔹 Similar to HTTP statistics, but for the HTTP/2 protocol (only populated when the TLS session can be decrypted or the traffic is cleartext h2c).


22️⃣ Sametime Statistics

📌 Location: Statistics → Sametime
🔹 Displays statistics for IBM Sametime, an enterprise messaging service.


23️⃣ TCP Stream Graphs

📌 Location: Statistics → TCP Stream Graphs
🔹 Graphs one TCP connection over time:

  • Time/Sequence (Stevens and tcptrace styles)

  • Throughput

  • Round Trip Time (RTT)

  • Window Scaling

✅ Helps diagnose network slowness and packet loss: retransmissions show up as points below the sequence-number line, and a receiver that cannot keep up shows up as a flat window in the Window Scaling graph.


24️⃣ UDP Multicast Streams

📌 Location: Statistics → UDP Multicast Streams
🔹 Displays per-stream statistics for multicast traffic (packet rate, bandwidth, burst size, buffer alarms), used for IPTV and market-data feeds.


25️⃣ Reliable Server Pooling (RSerPool)

📌 Location: Statistics → RSerPool
🔹 Displays statistics for RSerPool, a protocol for high-availability server pooling.


26️⃣ SOME/IP Statistics

📌 Location: Statistics → SOME/IP
🔹 Analyzes the SOME/IP protocol (used in automotive in-vehicle communication).


27️⃣ DTN Statistics

📌 Location: Statistics → DTN
🔹 Displays statistics for Delay-Tolerant Networking (DTN), used in space and other intermittently connected networks.


28️⃣ F5 Statistics

📌 Location: Statistics → F5
🔹 Summarizes captures taken on F5 BIG-IP devices, which add a trailer with virtual server and flow details to each packet.


29️⃣ IPv4 Statistics

📌 Location: Statistics → IPv4 Statistics
🔹 Four views of the IPv4 traffic:

  • All Addresses

  • Destinations and Ports

  • IP Protocol Types

  • Source and Destination Addresses


30️⃣ IPv6 Statistics

📌 Location: Statistics → IPv6 Statistics
🔹 The same four views for IPv6 traffic.


TCP Three-Way Handshake in Wireshark 🕵️‍♂️

The TCP three-way handshake is the process of establishing a reliable connection between a client and a server. It ensures both sides are ready, and have exchanged their initial sequence numbers, before data transfer begins.


🔹 Steps in the Three-Way Handshake

1️⃣ SYN (Synchronize)

📌 The client sends a SYN packet to the server.
🔹 This packet contains:

  • SYN flag = 1 (indicates connection request)

  • Initial Sequence Number (ISN), randomized so that an off-path attacker cannot guess it and inject or spoof segments

👉 Client → Server: SYN (Seq=1000)


2️⃣ SYN-ACK (Synchronize-Acknowledge)

📌 The server responds with a SYN-ACK packet.
🔹 This packet contains:

  • SYN = 1 (server agrees to start connection)

  • ACK = 1 (acknowledges client's SYN)

  • Server's own ISN, with Ack = client's ISN + 1

👉 Server → Client: SYN-ACK (Seq=2000, Ack=1001)


3️⃣ ACK (Acknowledge)

📌 The client sends a final ACK packet to confirm the connection.
🔹 This packet contains:

  • ACK = 1 (acknowledges server's SYN), with Ack = server's ISN + 1

👉 Client → Server: ACK (Seq=1001, Ack=2001)

✅ Connection Established! 🎉

💡 Wireshark shows relative sequence numbers by default, so the same handshake appears as Seq=0, then Seq=0 Ack=1, then Seq=1 Ack=1. Untick "Relative sequence numbers" in the TCP protocol preferences to see the raw ISNs.


🔹 RST (Reset) Packet

📌 RST is used to abruptly terminate a connection due to errors or unexpected behavior, with no FIN handshake.
🔹 When an RST packet is sent:

  • The connection is immediately closed

  • No further communication happens on that connection; anything the peer still sends is answered with another RST

👉 Examples: a host answers a SYN to a closed port with RST/ACK (this is how a port scanner tells closed ports from open ones), and a server resets a connection it no longer knows about, e.g. after a restart or a firewall state timeout.


🔹 Viewing TCP Handshake in Wireshark

🛠 Steps to Capture TCP Handshake

  1. Open Wireshark and start capturing packets.

  2. Apply a filter to focus on TCP handshakes:

    tcp.flags.syn == 1
    
    This shows the SYN and the SYN-ACK of every connection (both carry the SYN flag) but not the final ACK. To see a whole connection, select its SYN and filter on its stream index, e.g. tcp.stream == 0 (the index is shown under Transmission Control Protocol in the Packet Details pane).

  3. Initiate a connection, like opening a website or using SSH.

  4. Stop the capture and analyze the handshake.


🔹 Identifying Handshake Packets in Wireshark

Step        Source → Destination   Flags      Info (raw ISNs as in the example above)
1️⃣ SYN      Client → Server        SYN        [SYN] Seq=1000
2️⃣ SYN-ACK  Server → Client        SYN, ACK   [SYN, ACK] Seq=2000 Ack=1001
3️⃣ ACK      Client → Server        ACK        [ACK] Seq=1001 Ack=2001

✅ Connection Established!


🔹 Filtering TCP Reset (RST) Packets

To find connections that were abruptly closed:

tcp.flags.reset == 1

This will show RST packets, which indicate a connection reset. A SYN from one source answered by RST/ACK on many different ports is the signature of a SYN port scan; a SYN with no reply at all usually means a firewall dropped it.
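The handshake table and the RST filter above, worked through on bytes: the following is an added example, not Wireshark code. It builds the three handshake frames from the walkthrough (ISNs 1000 and 2000) plus a server-side RST as raw Ethernet/IPv4/TCP with struct, dissects them under Wireshark's field names, renders the Info column with Wireshark's default relative sequence numbers, and checks the one thing the handshake must satisfy: each acknowledgement number equals the peer's ISN + 1. The IP addresses, ports and MAC addresses are constructed; IP and TCP checksums are left at zero because nothing here validates them.

```python
"""Dissect a constructed TCP three-way handshake, followed by a reset, the way
Wireshark's Packet Details pane and Info column present it.  Added example,
not Wireshark code; frames are built here so the script runs offline."""
import ipaddress
import struct

SYN, RST, ACK = 0x02, 0x04, 0x10
CLIENT, SERVER = ("192.168.1.10", 51000), ("10.0.0.5", 22)         # constructed
CLIENT_MAC, SERVER_MAC = bytes.fromhex("001a2b3c4d5e"), bytes.fromhex("00aabbccddee")


def build_frame(src, dst, src_mac, dst_mac, seq, ack, flags):
    """Ethernet II + IPv4 (no options, checksum left 0) + TCP header (no options)."""
    tcp = struct.pack("!HHIIBBHHH", src[1], dst[1], seq, ack, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     ipaddress.IPv4Address(src[0]).packed, ipaddress.IPv4Address(dst[0]).packed)
    return dst_mac + src_mac + b"\x08\x00" + ip + tcp


def dissect(frame):
    """Extract the fields the walkthrough relies on, under Wireshark's field names."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 6:
        raise ValueError("only untagged IPv4/TCP frames are handled here")
    tcp_off = 14 + (frame[14] & 0x0F) * 4                 # Ethernet header + IHL
    sport, dport, seq, ack, _off, flags = struct.unpack("!HHIIBB", frame[tcp_off:tcp_off + 14])
    return {
        "ip.src": str(ipaddress.IPv4Address(frame[26:30])),
        "ip.dst": str(ipaddress.IPv4Address(frame[30:34])),
        "tcp.srcport": sport, "tcp.dstport": dport, "tcp.seq": seq, "tcp.ack": ack,
        "tcp.flags.syn": bool(flags & SYN), "tcp.flags.ack": bool(flags & ACK),
        "tcp.flags.reset": bool(flags & RST),
    }


def info_column(frames):
    """Render each frame like the Info column, with the relative sequence numbers
    Wireshark shows by default (SYN is Seq=0, the SYN-ACK carries Ack=1), and
    check that the handshake ACKs acknowledge exactly the peer's ISN + 1."""
    isn, established, lines = {}, False, []
    for p in map(dissect, frames):
        me, peer = (p["ip.src"], p["tcp.srcport"]), (p["ip.dst"], p["tcp.dstport"])
        if p["tcp.flags.syn"]:
            isn[me] = p["tcp.seq"]
        flags = [n for n, on in (("SYN", p["tcp.flags.syn"]), ("RST", p["tcp.flags.reset"]),
                                 ("ACK", p["tcp.flags.ack"])) if on]
        text = "%d -> %d [%s] Seq=%d" % (me[1], peer[1], ", ".join(flags),
                                         p["tcp.seq"] - isn.get(me, p["tcp.seq"]))
        if p["tcp.flags.ack"]:
            if peer not in isn:
                raise ValueError("ACK before the peer's SYN: " + text)
            if not established and p["tcp.ack"] != isn[peer] + 1:
                raise ValueError("handshake ACK %d is not ISN %d + 1" % (p["tcp.ack"], isn[peer]))
            text += " Ack=%d" % (p["tcp.ack"] - isn[peer])
            established = established or (not p["tcp.flags.syn"] and len(isn) == 2)
        lines.append(text)
    return lines


def is_valid_handshake(frames):
    """True if the capture opens with SYN, SYN-ACK, ACK whose numbers line up."""
    try:
        info_column(frames[:3])            # raises on a bad acknowledgement number
    except ValueError:
        return False
    f = [dissect(x) for x in frames[:3]]
    return (len(f) == 3 and f[0]["tcp.flags.syn"] and not f[0]["tcp.flags.ack"]
            and f[1]["tcp.flags.syn"] and f[1]["tcp.flags.ack"]
            and f[2]["tcp.flags.ack"] and not f[2]["tcp.flags.syn"])


def find_resets(frames):
    """Frame numbers (1-based, as in the No. column) matching tcp.flags.reset == 1."""
    return [i for i, f in enumerate(frames, 1) if dissect(f)["tcp.flags.reset"]]


def handshake_capture():
    """Constructed capture: the three handshake frames from the text, then the
    server aborting the connection with RST/ACK."""
    return [
        build_frame(CLIENT, SERVER, CLIENT_MAC, SERVER_MAC, 1000, 0, SYN),
        build_frame(SERVER, CLIENT, SERVER_MAC, CLIENT_MAC, 2000, 1001, SYN | ACK),
        build_frame(CLIENT, SERVER, CLIENT_MAC, SERVER_MAC, 1001, 2001, ACK),
        build_frame(SERVER, CLIENT, SERVER_MAC, CLIENT_MAC, 2001, 1001, RST | ACK),
    ]
```

info_column(handshake_capture()) gives the four Info lines as Wireshark would show them ("51000 -> 22 [SYN] Seq=0", "22 -> 51000 [SYN, ACK] Seq=0 Ack=1", ...), and find_resets() returns frame number 4, the same packet the tcp.flags.reset == 1 filter would leave on screen. Changing the SYN-ACK's acknowledgement to 1000 makes is_valid_handshake() return False, which is the off-by-one a forged or corrupted handshake gets wrong.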


🔹 Following a TCP Stream and the TCP Stream Graphs

  1. Right-click on a TCP packet → Follow → TCP Stream (also Analyze → Follow → TCP Stream)

  2. See the full conversation between client and server, one direction per colour, with the data reassembled in sequence order.

  3. Analyze TCP flow in Statistics → TCP Stream Graphs


📌 Quick Wireshark Filters

Filter                                      Description
tcp                                         Show all TCP packets
tcp.flags.syn == 1                          Show SYN and SYN-ACK packets
tcp.flags.syn == 1 && tcp.flags.ack == 0    Show only the initial SYN of each connection attempt
tcp.flags.ack == 1                          Show packets with ACK set (nearly every packet after the handshake)
tcp.flags.reset == 1                        Show only RST packets
tcp.stream == N                             Show every packet of connection number N

Now you can analyze TCP handshakes like a pro! 🚀


UDP, DNS, and DHCP in Wireshark 🕵️‍♂️


🔹 UDP (User Datagram Protocol)

UDP is a connectionless transport protocol used for fast, lightweight communication. Unlike TCP, it has no handshake, no acknowledgements, and no retransmission; its checksum only detects corruption (it is optional over IPv4 and mandatory over IPv6). Because there is no handshake, the source address of a UDP datagram is trivially spoofable, which is what makes UDP services such as DNS and NTP usable for amplification attacks.

🛠 Capturing UDP Packets in Wireshark

  1. Open Wireshark and start capturing packets.

  2. Apply the UDP filter:

    udp
    
  3. Look for source and destination ports (e.g., 53 for DNS, 67/68 for DHCP).

🔹 Key UDP Fields

  • Source Port: The port from which the packet was sent.

  • Destination Port: The receiving port.

  • Length: Size of the UDP header plus payload, in bytes (udp.length).

  • Checksum: Used for error detection (udp.checksum); Wireshark does not validate it unless you enable that in the UDP protocol preferences.


🔹 DNS (Domain Name System)

DNS translates domain names (e.g., google.com) into IP addresses. It mainly uses UDP port 53 but switches to TCP when a response is truncated (too large for UDP) and for zone transfers.

🛠 Capturing DNS Packets in Wireshark

  1. Start a capture and filter for DNS:

    dns
    
  2. Visit any website or run:

    nslookup google.com
    
  3. Look for:

    •  Query (Info column, e.g. "Standard query 0x1a2b A google.com", where 0x1a2b is the transaction ID)

    • Response ("Standard query response 0x1a2b A google.com A <address>", with the record itself in the Answers section)

🔹 Key DNS Fields

  • Query Name (dns.qry.name): The domain being resolved.

  • Response (dns.a, dns.aaaa, dns.cname): The resolved address or alias.

  • Transaction ID (dns.id): 16-bit identifier copied from the query into its response so the resolver can pair them. Together with the query's UDP source port it is all that protects a resolver from a spoofed answer, which is why predictable IDs and a fixed source port once made cache poisoning practical.
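The three DNS fields above, parsed the way the DNS dissector does it. This is an added example and not Wireshark code: it builds a constructed query and response for example.com (transaction ID 0x1a2b, answer 93.184.216.34, both made up for the example) as bare UDP payloads, decodes the header, question and A record, handling the name compression pointer the answer uses, and then applies the resolver's acceptance check: same transaction ID and same question, or the reply is discarded. That check is exactly what a spoofed response has to defeat.

```python
"""Parse DNS messages (UDP payload only) for the fields Wireshark shows as
dns.id, dns.flags.response, dns.qry.name and dns.a.  Added example, not
Wireshark code; the query and response below are constructed."""
import struct

QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name):
    """example.com -> b'\\x07example\\x03com\\x00'"""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\x00"


def decode_name(msg, off):
    """Read a possibly compressed name at msg[off]; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # pointer to a name earlier in the message
            if not jumped:
                end = off + 2                     # the pointer itself is two bytes long
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (end if jumped else off)


def build_query(txid, name):
    """Standard query: one question, recursion desired (flags 0x0100)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def build_response(txid, name, ip, ttl=300):
    """Standard response (flags 0x8180) with one A record; the answer's name is
    a compression pointer (0xc00c) back to the question at offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4) + rdata
    return header + question + answer


def parse(msg):
    """Return the header ID, response flag, question names and A records."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, names = 12, []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        names.append(name)
        off += 4                                  # skip qtype + qclass
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN:
            answers.append((name, ".".join(str(b) for b in rdata), ttl))
    return {"dns.id": txid, "dns.flags.response": bool(flags & 0x8000),
            "dns.qry.name": names, "dns.a": answers}


def response_matches(query, response):
    """The resolver's acceptance test: a response is paired with a query only if
    the transaction ID and the question match.  A spoofed reply that guesses
    the ID wrong is dropped here."""
    q, r = parse(query), parse(response)
    return (not q["dns.flags.response"] and r["dns.flags.response"]
            and q["dns.id"] == r["dns.id"] and q["dns.qry.name"] == r["dns.qry.name"])


# Constructed exchange: transaction ID 0x1a2b, example.com -> 93.184.216.34.
QUERY = build_query(0x1A2B, "example.com")
RESPONSE = build_response(0x1A2B, "example.com", "93.184.216.34")
```

parse(RESPONSE)["dns.a"] yields the ("example.com", "93.184.216.34", 300) record, and response_matches() accepts RESPONSE but rejects an otherwise identical reply built with transaction ID 0x1a2c. With a 16-bit ID and a randomized source port an attacker has roughly a 1 in 2^32 chance per forged packet; with a predictable ID and port 53 as the source, it is a handful of guesses.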


🔹 DHCP (Dynamic Host Configuration Protocol)

DHCP assigns IP addresses dynamically to devices on a network. It uses UDP ports 67 (server) and 68 (client), and the initial Discover is broadcast because the client has no address yet.

🛠 Capturing DHCP Packets in Wireshark

  1. Start a capture and filter for DHCP:

    dhcp
    
    (DHCP grew out of BOOTP, and Wireshark's dissector was called bootp until version 3.0. The old bootp filter still works as an alias, but dhcp is the current name and its fields are dhcp.*.)

  2. Renew the lease to trigger a DHCP exchange: restart the network interface, or run ipconfig /renew (Windows) or sudo dhclient <interface> (Linux).

🔹 Key DHCP Messages

Message     Description
Discover    Client broadcasts a request for an IP address.
Offer       Server offers an available IP.
Request     Client asks for the offered IP (also broadcast, so other servers see which offer was taken).
ACK         Server confirms the lease, along with options such as the default gateway and DNS servers.

✅ Check that every Offer and ACK comes from your real DHCP server: an unexpected server address here means a rogue DHCP server handing out its own gateway or DNS.

📌 Quick Wireshark Filters

Filter                              Description
udp                                 Show all UDP packets
dns                                 Show only DNS packets
dhcp                                Show only DHCP packets (bootp on versions before 3.0)
udp.port == 53                      Show only DNS traffic
udp.port == 67 || udp.port == 68    Show only DHCP traffic
dhcp.option.dhcp == 2               Show only DHCP Offers (message type 2)

Now you can analyze UDP, DNS, and DHCP like a pro! 🚀