Tool Guide

Wireshark for Beginners

Wireshark is the industry-standard packet analyzer — it shows you every packet on the wire, decoded field by field. Learn five things and you are productive: capture on an interface, apply display filters, read the packet panes, follow a stream, and spot the classics (handshakes, DNS, retransmissions).

Capture your first packets

Install Wireshark (free, all platforms), pick your active interface (the one with a moving traffic graph), press the shark-fin Start button, browse a website for ten seconds, then Stop. Everything your machine sent and received is now in front of you — that flood is normal; filters tame it.

The display filters that matter

FilterShows
ip.addr == 8.8.8.8Traffic to/from one host
dnsOnly DNS queries and answers
tcp.port == 443One service's traffic
httpPlain HTTP requests/responses
tcp.flags.syn == 1Connection openings (handshakes)
tcp.analysis.retransmissionRetransmissions — the smell of packet loss

Type them into the filter bar (green = valid). Combine with && and ||. Display filters hide packets after capture; capture filters (BPF syntax, set before starting) limit what is recorded.

Reading the three panes

Packet list (every packet, one line), packet detail (the selected packet decoded by layer — Ethernet → IP → TCP → application, literally the OSI model in a window), and raw bytes. Click a field in the detail pane and Wireshark highlights its exact bytes — the fastest protocol lesson there is.

Follow the stream — see a whole conversation

Right-click any TCP packet → Follow → TCP Stream and Wireshark reassembles the entire conversation in order. On plain HTTP you can read every header and body — the most convincing demonstration you will ever see of why HTTPS matters.

Three classics to find in your first capture

  • The three-way handshake — filter tcp.flags.syn == 1 and watch SYN, SYN-ACK, ACK happen for real.
  • A DNS lookup — filter dns, find the query and its answer with the returned IP and TTL (how DNS works).
  • Retransmissionstcp.analysis.retransmission. A few are normal; bursts mean packet loss worth hunting.

Wireshark on your PC pairs with tcpdump on servers (see Linux commands) — same filters, no GUI. Packet analysis is also a core CyberOps/SOC skill.

Frequently asked questions

What is Wireshark used for?

Capturing and decoding network packets so you can see exactly what is happening on the wire — used for troubleshooting, learning protocols, and security analysis.

Is Wireshark free?

Yes — Wireshark is free, open-source and available for Windows, macOS and Linux.

What is the difference between capture filters and display filters?

Capture filters (BPF syntax) limit what gets recorded and are set before capturing. Display filters hide packets from view after capture and can be changed at any time — beginners should mostly use display filters.

Can Wireshark read HTTPS traffic?

It captures HTTPS packets but the payload is TLS-encrypted, so you see the handshake and metadata, not page content — exactly the protection HTTPS is designed to give.

Is Wireshark legal to use?

Yes on networks you own or are authorised to analyse. Capturing traffic on networks without permission can be illegal — always have authorisation.

VS
Vipul Sir — Lead Instructor, Attila Technologies20+ years in Cisco networking. Teaching CCNA, CCNP, CCIE & CyberOps in Ahmedabad since 2004.

Want hands-on training?

Learn this on real Cisco lab devices with placement support at Attila Technologies, Ahmedabad.

Start your networking career with Attila Technologies

Hands-on Cisco training, real lab devices and placement support in Ahmedabad.