Wireshark for Beginners
Wireshark is the industry-standard packet analyzer — it shows you every packet on the wire, decoded field by field. Learn five things and you are productive: capture on an interface, apply display filters, read the packet panes, follow a stream, and spot the classics (handshakes, DNS, retransmissions).
Capture your first packets
Install Wireshark (free, all platforms), pick your active interface (the one with a moving traffic graph), press the shark-fin Start button, browse a website for ten seconds, then Stop. Everything your machine sent and received is now in front of you — that flood is normal; filters tame it.
The display filters that matter
| Filter | Shows |
|---|---|
ip.addr == 8.8.8.8 | Traffic to/from one host |
dns | Only DNS queries and answers |
tcp.port == 443 | One service's traffic |
http | Plain HTTP requests/responses |
tcp.flags.syn == 1 | Connection openings (handshakes) |
tcp.analysis.retransmission | Retransmissions — the smell of packet loss |
Type them into the filter bar (green = valid). Combine with && and ||. Display filters hide packets after capture; capture filters (BPF syntax, set before starting) limit what is recorded.
Reading the three panes
Packet list (every packet, one line), packet detail (the selected packet decoded by layer — Ethernet → IP → TCP → application, literally the OSI model in a window), and raw bytes. Click a field in the detail pane and Wireshark highlights its exact bytes — the fastest protocol lesson there is.
Follow the stream — see a whole conversation
Right-click any TCP packet → Follow → TCP Stream and Wireshark reassembles the entire conversation in order. On plain HTTP you can read every header and body — the most convincing demonstration you will ever see of why HTTPS matters.
Three classics to find in your first capture
- The three-way handshake — filter
tcp.flags.syn == 1and watch SYN, SYN-ACK, ACK happen for real. - A DNS lookup — filter
dns, find the query and its answer with the returned IP and TTL (how DNS works). - Retransmissions —
tcp.analysis.retransmission. A few are normal; bursts mean packet loss worth hunting.
Wireshark on your PC pairs with tcpdump on servers (see Linux commands) — same filters, no GUI. Packet analysis is also a core CyberOps/SOC skill.
Frequently asked questions
What is Wireshark used for?
Capturing and decoding network packets so you can see exactly what is happening on the wire — used for troubleshooting, learning protocols, and security analysis.
Is Wireshark free?
Yes — Wireshark is free, open-source and available for Windows, macOS and Linux.
What is the difference between capture filters and display filters?
Capture filters (BPF syntax) limit what gets recorded and are set before capturing. Display filters hide packets from view after capture and can be changed at any time — beginners should mostly use display filters.
Can Wireshark read HTTPS traffic?
It captures HTTPS packets but the payload is TLS-encrypted, so you see the handshake and metadata, not page content — exactly the protection HTTPS is designed to give.
Is Wireshark legal to use?
Yes on networks you own or are authorised to analyse. Capturing traffic on networks without permission can be illegal — always have authorisation.
Related articles
Want hands-on training?
Learn this on real Cisco lab devices with placement support at Attila Technologies, Ahmedabad.