What Is Wireshark?

Wireshark is a free, open-source network protocol analyzer that lets you capture and inspect every packet traveling across a network interface in real time. It's used by network engineers, security analysts, developers, and educators alike — making it one of the most versatile tools in the cybersecurity toolkit.

Whether you want to troubleshoot a slow network, learn how protocols work, or hunt for suspicious traffic, Wireshark delivers unparalleled visibility.

Installing Wireshark

Wireshark is available for Windows, macOS, and Linux. Download it from the official site at wireshark.org. During installation on Windows, you'll be prompted to install Npcap — the packet capture driver. Install it; without it, Wireshark cannot capture live traffic.

On Linux, you can install it via your package manager (e.g., sudo apt install wireshark on Debian/Ubuntu). Add your user to the wireshark group to capture without root privileges; the new group membership only takes effect after you log out and back in.

Capturing Your First Packets

  1. Open Wireshark — you'll see a list of available network interfaces with a live activity graph
  2. Double-click the interface you want to capture on (e.g., your Wi-Fi or Ethernet adapter)
  3. Packets will immediately begin scrolling in the main window
  4. Click the red Stop button when you have enough data to analyze

Tip: Capture on a quiet network or for a short burst. Even a few seconds of traffic on an active network can produce thousands of packets.

Understanding the Wireshark Interface

Wireshark's main window has three panes:

  • Packet List (top) — a line-by-line summary of captured packets: time, source, destination, protocol, length, and info
  • Packet Details (middle) — a tree view showing all protocol layers for the selected packet (Ethernet → IP → TCP → HTTP, for example)
  • Packet Bytes (bottom) — the raw hexadecimal and ASCII representation of the packet

Essential Display Filters

Wireshark's display filters are one of its most powerful features. They don't remove captured packets — they just show or hide them. Here are the most useful ones:

  Filter                       What It Shows
  http                         All HTTP traffic
  dns                          All DNS queries and responses
  tcp.port == 443              All traffic on TCP port 443 (normally HTTPS)
  ip.addr == 192.168.1.1       All traffic to/from a specific IP
  tcp.flags.syn == 1           TCP SYN packets (connection initiations)
  !arp                         Hide ARP packets to reduce noise
  frame contains "password"    Packets containing the text "password"

Following a TCP Stream

One of Wireshark's most useful features for security analysis is Follow TCP Stream. Right-click any TCP packet and select Follow → TCP Stream. Wireshark reassembles the full conversation, displaying the data in a human-readable format. This is invaluable for seeing plaintext HTTP conversations, credentials in unencrypted protocols, and command-and-control communications.

Spotting Suspicious Traffic: What to Look For

  • Large volumes of DNS requests — could indicate DNS tunneling used for data exfiltration
  • Port scanning — rapid SYN packets to many ports on the same host
  • Unusual destination IPs — use Statistics → Endpoints to spot unexpected external connections
  • Cleartext credentials — FTP, Telnet, and HTTP Basic auth transmit passwords in plaintext (Basic auth is only base64-encoded, which is trivially decoded)
  • Repeated connection resets — may indicate firewall blocks or application issues
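The first two heuristics in the list above, turned into code as an added example (not from the original article): it reads a tab-separated packet summary in the shape of a `tshark -T fields` export (the column names are real Wireshark fields, the sample packets are constructed) and flags a host sending SYNs to many ports, and a host querying many distinct DNS names, within a short window.

```python
from collections import defaultdict

# Constructed sample (not captured traffic) shaped like a tab-separated tshark field export:
# frame.time_epoch, ip.src, ip.dst, tcp.dstport, tcp.flags.syn, tcp.flags.ack, dns.qry.name
SAMPLE = """\
1.00\t10.0.0.5\t10.0.0.9\t22\t1\t0\t
1.01\t10.0.0.5\t10.0.0.9\t23\t1\t0\t
1.02\t10.0.0.9\t10.0.0.5\t40000\t1\t1\t
1.03\t10.0.0.5\t10.0.0.9\t25\t1\t0\t
1.04\t10.0.0.5\t10.0.0.9\t80\t1\t0\t
1.05\t10.0.0.5\t10.0.0.9\t443\t1\t0\t
2.00\t10.0.0.7\t10.0.0.1\t\t\t\ta1.example.com
2.10\t10.0.0.7\t10.0.0.1\t\t\t\ta2.example.com
2.20\t10.0.0.7\t10.0.0.1\t\t\t\ta3.example.com
2.30\t10.0.0.7\t10.0.0.1\t\t\t\ta4.example.com
3.00\t10.0.0.8\t10.0.0.9\t443\t1\t0\t
"""
COLS = ("ts", "src", "dst", "dport", "syn", "ack", "qname")

def parse(text):
    """One dict per packet; lines with the wrong column count are skipped."""
    rows = [dict(zip(COLS, ln.split("\t"))) for ln in text.splitlines()
            if ln.count("\t") == len(COLS) - 1]
    for r in rows:
        r["ts"] = float(r["ts"])
    return rows

def burst(events, window, min_distinct):
    """Sorted keys of the first window-second span holding >= min_distinct distinct keys, else None."""
    events = sorted(events)
    for i, (t0, _) in enumerate(events):
        keys = {k for t, k in events[i:] if t - t0 <= window}
        if len(keys) >= min_distinct:
            return sorted(keys)
    return None

def find_port_scans(rows, min_ports=5, window=10.0):
    """(src, dst) pairs sending pure SYNs (ack clear, so SYN-ACK replies don't count) to >= min_ports ports."""
    syns = defaultdict(list)
    for r in rows:
        if r["syn"] in ("1", "True") and r["ack"] in ("0", "False"):
            syns[(r["src"], r["dst"])].append((r["ts"], int(r["dport"])))
    return [(pair, ports) for pair, ev in syns.items()
            if (ports := burst(ev, window, min_ports))]

def find_dns_bursts(rows, min_names=4, window=10.0):
    """Sources querying >= min_names distinct names within one window (the usual DNS-tunnelling shape)."""
    qs = defaultdict(list)
    for r in rows:
        if r["qname"]:
            qs[r["src"]].append((r["ts"], r["qname"]))
    return [(src, names) for src, ev in qs.items()
            if (names := burst(ev, window, min_names))]
```

The thresholds are starting points to tune against your own baseline; the SYN/ACK check mirrors the page's `tcp.flags.syn == 1` filter with `tcp.flags.ack == 0` added so that replies from the scanned host are not counted as initiations.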

Saving and Sharing Captures

Save captures as .pcap or .pcapng files (File → Save As). These files can be reopened later, shared with colleagues, or analyzed with other tools like tcpdump or Zeek. Always anonymize captures before sharing — they may contain sensitive data.

Next Steps

Wireshark is a skill that deepens with practice. Once you're comfortable with basic filtering, explore the Statistics menu for conversation summaries and protocol hierarchies, and try the built-in Expert Information panel to surface potential anomalies automatically. The more you use it, the more intuitive network traffic becomes.