How to Capture and Read Network Packets in Wireshark

Wireshark is a widely used, open-source network protocol analyzer that captures network traffic and decodes it packet by packet, so you can filter and inspect every protocol layer in detail. This guide walks through the basics of capturing and reading packets in Wireshark.

Getting Started with Wireshark

Wireshark must be installed on the computer that will do the capturing. It is available for Windows, Linux, and macOS.

Requirements:

  • Administrator or root access to install Wireshark and its packet-capture driver (Npcap on Windows, libpcap on Linux and macOS)
  • An Ethernet or wireless adapter attached to the network segment you want to analyze; Wireshark only sees traffic that actually reaches that adapter

Once installed, launch Wireshark. The welcome screen lists the network interfaces on your computer, each with a small activity graph so you can see which ones are currently carrying traffic.

Selecting a Network Interface

The first step is to select the correct network interface that you want Wireshark to “listen” on. Common options include:

  • Wired ethernet – Used to capture traffic on a wired LAN
  • Wireless interface – Used to capture traffic on Wi-Fi networks
  • VPN interfaces – Virtual interfaces created by VPN clients
  • Loopback interface – To capture traffic generated locally on your computer

Note: Capturing on any interface requires elevated privileges, because it means reading raw frames from the adapter. On Linux the recommended setup is to grant the capture capability to the dumpcap helper (the installer usually offers this, together with a wireshark group for non-root users) rather than running the Wireshark GUI as root; the GUI and its protocol dissectors parse untrusted network data, so keep them unprivileged. On Windows the Npcap driver provides capture access, and on macOS your user needs read access to the /dev/bpf* devices, which the installer's ChmodBPF helper sets up.

Starting a Packet Capture

To start capturing packets, click the blue shark-fin icon on the toolbar (or Capture > Start, Ctrl+E). Wireshark records every frame the selected adapter hands up. Promiscuous mode is enabled by default, so frames addressed to other hosts are kept when the adapter sees them, but on a switched LAN the switch only forwards your own unicast traffic plus broadcast and multicast to your port, so you will not see other hosts' conversations unless the switch mirrors them to you.

There are several ways to control the capture (Capture > Options):

  • Set a capture filter so that only matching packets are recorded. Capture filters use the BPF syntax shared with tcpdump, for example host 192.168.1.1 or port 53. Packets a capture filter drops are gone for good, so keep it broad unless you are sure what you need
  • Stop the capture manually (the red square icon, or Ctrl+E) when you have what you need
  • Limit the capture by duration, packet count or file size, or write to a ring buffer of files, so a long-running capture does not fill the disk

Viewing Captured Packets

Once packets are captured, Wireshark lists them in the packet list pane with summary information about each one:

  • No. – The packet number in the order it was captured
  • Time – By default, seconds elapsed since the first packet of the capture (View > Time Display Format switches this to absolute time or time since the previous packet)
  • Source – The address of the sender: the IP address where one is present, otherwise the MAC address (for ARP, for example)
  • Destination – The address of the intended receiver, in the same form
  • Protocol – The highest-layer protocol Wireshark recognised in the packet (a bare SYN on port 80 shows as TCP; once a request is present it shows as HTTP)
  • Length – Size of the frame in bytes as seen on the wire
  • Info – A one-line summary of the packet content, such as TCP flags, DNS query name, or HTTP request line


Selecting a packet shows its decoded protocol layers in the middle (Packet Details) pane, while the bottom (Packet Bytes) pane shows the raw bytes in hexadecimal and ASCII. Clicking a field in the details pane highlights the bytes it was decoded from, which is the quickest way to learn where a value lives in the packet.

Applying Display Filters

Display filters are applied to packets that have already been captured, so unlike capture filters they can be changed or cleared at any time without losing data. Type the expression into the filter bar above the packet list; the bar turns green when the expression is valid and red when it is not. Typical uses:

  • Filter by IP address, protocol type, or port number
  • Show only HTTP, DNS, or other requests and responses
  • Isolate traffic in one direction with ip.src or ip.dst instead of ip.addr

Examples:

  • http – Show only HTTP traffic (the dissected application layer, so a TCP handshake on port 80 with no request yet is not shown)
  • ip.addr == 192.168.1.1 – Packets sent to or from that address
  • ip.src == 192.168.1.1 – Packets sent by that address only
  • tcp.port == 80 – TCP segments with source or destination port 80, handshake included
  • !(ip.addr == 192.168.1.1) – Exclude a host. Write it this way rather than ip.addr != 192.168.1.1: ip.addr holds two values per packet (source and destination), and in older Wireshark versions != was true whenever either value differed, which hid almost nothing
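The packet-list columns described above and the display-filter semantics in the examples can be made concrete with a small script. The following is an added example, not code from the Wireshark project: it builds a classic-format .pcap file in memory from three constructed packets (sample hosts 192.168.1.10, 192.168.1.1 and 93.184.216.34; a DNS query followed by the first two segments of a TCP handshake to port 80), parses it back into the No./Time/Source/Destination/Protocol/Length/Info rows Wireshark would show, and applies predicates that behave like ip.addr ==, ip.src ==, tcp.port == and !(...). It also writes the capture to sample.pcap so the rows can be compared with Wireshark's own packet list.

```python
"""Classic libpcap (.pcap) reader that rebuilds Wireshark's packet-list columns and applies
display-filter-style predicates. Added example, not Wireshark code; the capture is constructed."""
import ipaddress
import struct
from collections import namedtuple

PCAP_MAGIC = 0xA1B2C3D4          # little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
Row = namedtuple("Row", "no time src dst proto sport dport length info")


def ipv4_frame(src, dst, proto, payload):
    # Ethernet II + IPv4 header around an L4 payload; checksums are left 0 (Wireshark
    # does not validate IP/TCP/UDP checksums unless that preference is enabled).
    eth = bytes.fromhex("00112233445566778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip + payload

def tcp_segment(sport, dport, flags):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)

def udp_datagram(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def build_pcap(frames):
    """frames: list of (timestamp_seconds, frame_bytes) -> bytes of a pcap file."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in frames:
        sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

# Constructed three-packet capture: a DNS query, then the start of a TCP handshake (sample hosts).
DNS_HEADER = b"\x12\x34\x01\x00" + b"\x00" * 8        # 12-byte DNS query header, RD bit set
SAMPLE_PCAP = build_pcap([
    (1.000000, ipv4_frame("192.168.1.10", "192.168.1.1", 17, udp_datagram(51000, 53, DNS_HEADER))),
    (1.000250, ipv4_frame("192.168.1.10", "93.184.216.34", 6, tcp_segment(52000, 80, 0x02))),  # SYN
    (1.030000, ipv4_frame("93.184.216.34", "192.168.1.10", 6, tcp_segment(80, 52000, 0x12))),  # SYN,ACK
])


def read_pcap(data):
    """Yield (timestamp, frame_bytes, original_length) for each record in a pcap blob."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:   # big-endian pcap and pcapng not handled
        raise ValueError("not a little-endian classic pcap file")
    if struct.unpack_from("<I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    offset = 24
    while offset + 16 <= len(data):
        sec, usec, incl_len, orig_len = struct.unpack_from("<IIII", data, offset)
        frame = data[offset + 16:offset + 16 + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated record at end of file")
        offset += 16 + incl_len
        yield sec + usec / 1_000_000, frame, orig_len

TCP_FLAGS = ((0x02, "SYN"), (0x10, "ACK"), (0x01, "FIN"), (0x04, "RST"))

def dissect(frame):
    """Minimal Ethernet/IPv4/TCP/UDP dissection -> (src, dst, proto, sport, dport, info)."""
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return "?", "?", "non-IPv4", None, None, ""
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[14 + 9]
    src = str(ipaddress.IPv4Address(frame[26:30]))
    dst = str(ipaddress.IPv4Address(frame[30:34]))
    l4 = frame[14 + ihl:]
    if proto == 6 and len(l4) >= 20:
        sport, dport = struct.unpack_from("!HH", l4, 0)
        flags = ", ".join(name for bit, name in TCP_FLAGS if l4[13] & bit)
        return src, dst, "TCP", sport, dport, f"{sport} -> {dport} [{flags}]"
    if proto == 17 and len(l4) >= 8:
        sport, dport = struct.unpack_from("!HH", l4, 0)
        name = "DNS" if 53 in (sport, dport) else "UDP"   # Protocol column shows the top layer
        return src, dst, name, sport, dport, f"{sport} -> {dport}"
    return src, dst, f"IP proto {proto}", None, None, ""

def summarize(data):
    """Packet-list rows; Time is seconds since the first packet, Wireshark's default."""
    rows, first_ts = [], None
    for no, (ts, frame, orig_len) in enumerate(read_pcap(data), start=1):
        first_ts = ts if first_ts is None else first_ts
        src, dst, proto, sport, dport, info = dissect(frame)
        rows.append(Row(no, round(ts - first_ts, 6), src, dst, proto, sport, dport, orig_len, info))
    return rows


# Display-filter equivalents. Note that ip.addr matches either end of the conversation.
def ip_addr(addr):          # ip.addr == addr
    return lambda r: addr in (r.src, r.dst)
def ip_src(addr):           # ip.src == addr : one direction only
    return lambda r: r.src == addr
def tcp_port(port):         # tcp.port == port
    return lambda r: r.proto == "TCP" and port in (r.sport, r.dport)
def not_(pred):             # !(expr) : the portable way to exclude a host
    return lambda r: not pred(r)
def ip_addr_any_ne(addr):   # 'ip.addr != addr' in older Wireshark: true if EITHER address differs
    return lambda r: r.src != addr or r.dst != addr
def apply_filter(rows, pred):
    return [r for r in rows if pred(r)]


if __name__ == "__main__":
    with open("sample.pcap", "wb") as fh: fh.write(SAMPLE_PCAP)   # open in Wireshark to compare
    print(*summarize(SAMPLE_PCAP), sep="\n")
```

Run it and open sample.pcap in Wireshark: the Protocol column reads DNS for the first packet and TCP for the two handshake segments, Time counts from the first packet, and ip.addr == 93.184.216.34 selects packets 2 and 3 while ip.src == 192.168.1.10 selects 1 and 2. The ip_addr_any_ne predicate shows why the old ip.addr != form was a trap: it keeps all three packets, including the one addressed to 192.168.1.1, whereas not_(ip_addr(...)) drops it.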

Saving and Exporting Captures

To save your captured packets for later analysis, go to File > Save As. The default format is pcapng; if another tool only understands the classic pcap format, pick it from the file-type list in the dialog. File > Export Specified Packets saves only the packets currently displayed, which is the easiest way to trim a large capture to the conversation of interest, and File > Export Packet Dissections writes the decoded packets as plain text, CSV, JSON, and other formats.

This lets you share captures with others and analyze them in other tools. Before sharing, remember that a capture is a verbatim copy of the traffic: cleartext protocols carry credentials, session cookies, and internal hostnames and addresses, so review what is in the file (or export only the filtered packets) before it leaves your control.

Useful Wireshark Features

Wireshark provides many advanced features for network analysis:

  • Statistics – Protocol Hierarchy, Conversations, and Endpoints tables that show which hosts talk to which, over which protocols, and how much
  • IO Graphs – Charts of packets or bytes per second over time, optionally split by display filter
  • Expert Info (Analyze > Expert Information) – Notes, warnings, and errors Wireshark flags while dissecting, such as retransmissions, zero-window conditions, or malformed packets
  • Follow TCP Stream – Reassemble both sides of a TCP conversation and show them as text; the same Follow menu works for UDP, TLS, and HTTP streams
  • Coloring Rules – Color packets in the list based on display filter expressions, so errors and resets stand out at a glance

And many more! The best way to learn is to start capturing and analyzing real network traffic.

Useful Tips

  • Use capture filters to keep capture files manageable and display filters to narrow the analysis; the former are irreversible, the latter are not
  • Understand what normal “baseline” traffic looks like on your network, so unusual destinations, ports, or protocols stand out
  • Compare a capture of a working session with one of a failing session to see where the two diverge
  • Correlate captures with other data sources such as syslog, SNMP traps, or firewall logs; switching the Time column to absolute time (View > Time Display Format) makes timestamps line up
  • Capture from a SPAN/mirror port or a network TAP rather than on a production host, so the capture neither loads the host nor misses traffic that would never reach its adapter

Wireshark is an invaluable tool for network troubleshooting and analysis. This article should help you get started with basic packet capturing and analysis using its extensive feature set.