Introduction to Wireshark
Wireshark is the world’s foremost network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network.
Key Features
- Deep inspection of hundreds of protocols
- Live capture and offline analysis
- Multi-platform: Windows, Linux, macOS
- Rich VoIP analysis
- Powerful display filters
Interface Components
- Packet List Pane (top)
- Packet Details Pane (middle)
- Packet Bytes Pane (bottom)
- Display Filter Bar
- Status Bar
Pro Tip
Use the official Wireshark Sample Captures for practice: wiki.wireshark.org/SampleCaptures
Capture Filters (BPF Syntax)
Capture filters limit what traffic is captured, reducing file size and resource usage. Set these before starting the capture.
| Filter | Description |
|---|---|
| host 192.168.1.1 | Capture traffic to/from IP 192.168.1.1 |
| net 192.168.0.0/24 | Capture traffic on subnet 192.168.0.0/24 |
| port 80 | Capture traffic on port 80 (HTTP) |
| port 80 or port 443 | Capture HTTP or HTTPS traffic |
| not port 53 | Capture everything except DNS traffic |
| tcp | Capture only TCP traffic |
| udp | Capture only UDP traffic |
| ether host 00:11:22:33:44:55 | Capture by MAC address |
| ip | Capture only IPv4 traffic |
| ip6 | Capture only IPv6 traffic |
| vlan | Capture only VLAN traffic |
| tcp port 80 and host 192.168.1.1 | HTTP traffic to/from specific host |
Display Filters
Display filters show only relevant traffic after capture. These use Wireshark-specific syntax.
Syntax Operators
| Operator | Meaning | Example |
|---|---|---|
| == or eq | Equal | ip.addr == 192.168.1.1 |
| != or ne | Not Equal | ip.addr != 192.168.1.1 |
| > or gt | Greater than | frame.len > 1500 |
| < or lt | Less than | tcp.window_size < 1000 |
| && or and | Logical AND | tcp.port == 80 and ip.src == 10.0.0.1 |
| || or or | Logical OR | http or dns |
| ! or not | Logical NOT | !arp |
| contains | Search payload (byte-wise substring match; string literals take straight double quotes) | frame contains "password" |
Common Display Filters
| Filter | Description |
|---|---|
| ip.addr == 192.168.1.1 | IP address (source or destination) |
| ip.src == 192.168.1.1 | Source IP address |
| ip.dst == 192.168.1.1 | Destination IP address |
| tcp.port == 80 | TCP port (source or destination) |
| http | Show all HTTP traffic |
| http.request | Show only HTTP requests |
| http.response.code == 404 | Show HTTP 404 Not Found errors |
| tcp.flags.syn == 1 | Show TCP SYN packets |
| tcp.flags.reset == 1 | Show TCP Reset (RST) packets |
| icmp | Show ICMP (Ping) traffic |
| dns | Show DNS traffic |
| dns.qry.name contains "google" | Find DNS queries whose name contains "google" |
| tcp.analysis.retransmission | Show retransmitted packets (Network issues) |
| _ws.col.Info contains "GET" | Filter on the text of the Info column |
Coloring Rules
Wireshark helps you identify traffic types visually using default coloring rules.
| Color | Traffic Type | Description |
|---|---|---|
| Light Blue | TCP | Standard TCP traffic |
| Light Green | UDP | Standard UDP traffic |
| Light Purple | TCP SYN/FIN | Connection establishment/termination |
| Light Red | Errors | TCP Resets, Retransmissions, Checksum errors |
| Light Yellow | Routing | SMB, OSPF, Routing protocols |
| Light Orange | Application | HTTP, DNS (Application layer) |
Protocol-Specific Analysis
| Filter | Description |
|---|---|
| http.request.method == "GET" | HTTP GET requests |
| http.request.method == "POST" | HTTP POST requests |
| http.response.code == 200 | HTTP 200 OK responses |
| http.response.code == 404 | HTTP 404 Not Found |
| http.host == "example.com" | Traffic to specific host |
| http.user_agent contains "Mozilla" | Filter by User Agent |
| http.request.uri contains "login" | Find login pages |
| dns.qry.name == "example.com" | Query for specific domain |
| dns.qry.type == 1 | A Record (IPv4) queries |
| dns.qry.type == 28 | AAAA Record (IPv6) queries |
| dns.flags.rcode != 0 | DNS Errors (e.g., NXDOMAIN) |
| dns.resp.ttl < 60 | Short TTL responses |
| tcp.analysis.retransmission | Retransmissions (Packet loss) |
| tcp.analysis.duplicate_ack | Duplicate ACKs |
| tcp.analysis.zero_window | Zero Window (Client/Server overwhelmed) |
| tcp.flags.syn==1 && tcp.flags.ack==0 | SYN packet (Handshake start) |
| tcp.flags.reset==1 | RST packet (Connection kill) |
| tls | All TLS/SSL traffic |
| tls.handshake | TLS Handshake packets |
| tls.handshake.type == 1 | Client Hello |
| tls.handshake.type == 2 | Server Hello |
| tls.alert.description | TLS Alert (Errors) |
| icmp | All ICMP traffic |
| icmp.type == 8 | Echo Request (Ping) |
| icmp.type == 0 | Echo Reply (Pong) |
| icmp.type == 3 | Destination Unreachable |
| arp | All ARP traffic |
| arp.opcode == 1 | ARP Request (Who has?) |
| arp.opcode == 2 | ARP Reply (I have) |
| arp.duplicate-address-detected | Duplicate IP detection |
Keyboard Shortcuts
| Shortcut | Action |
|---|---|
| Ctrl + E | Start/Stop capture |
| Ctrl + K | Capture Options |
| Ctrl + F | Find Packet |
| Ctrl + G | Go to Packet Number |
| Ctrl + R | Reload Capture File |
| Ctrl + W | Close Capture File |
| Ctrl + M | Mark/Unmark Packet |
| Ctrl + N | Next Packet |
| Ctrl + P | Previous Packet |
| Ctrl + Shift + O | Follow TCP Stream |
Statistics & Analysis Tools
| Tool Location | Description |
|---|---|
| Statistics → Protocol Hierarchy | Traffic breakdown by protocol % |
| Statistics → Conversations | Traffic between specific hosts (IP to IP) |
| Statistics → Endpoints | Top talkers (Sources/Destinations) |
| Statistics → I/O Graphs | Visualize traffic spikes over time |
| Statistics → HTTP → Requests | Summary of HTTP calls |
| Analyze → Follow → TCP Stream | Reconstruct the data stream of a connection |
Common Troubleshooting Scenarios
| Issue | Filter | Description |
|---|---|---|
| High Latency | tcp.analysis.ack_rtt > 0.1 | TCP ACKs taking > 100ms |
| Packet Loss | tcp.analysis.retransmission | Packets being resent |
| Connection Drops | tcp.flags.reset == 1 | Connections being forcibly closed |
| Slow Server | tcp.analysis.zero_window | Server buffer full, asking client to wait |
| DNS Failures | dns.flags.rcode != 0 | Server returning DNS errors |
| HTTP Errors | http.response.code >= 400 | Client (4xx) or Server (5xx) errors |
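The display filters above, the TCP entries in the protocol-specific table and the troubleshooting filters all match against fields that Wireshark's dissectors extract from each frame. The tcp.analysis.* fields are different: they are not in the packet at all but are computed by tracking sequence numbers per flow. The following Python script is an added example, not Wireshark or TShark code. It writes a small constructed pcap (a TCP handshake, an HTTP request sent twice, and a server RST), dissects Ethernet/IPv4/TCP with the standard library, derives a simplified tcp.analysis.retransmission, and evaluates four of the cheat-sheet filters against the result. The addresses, ports and request text are constructed sample values.

```python
import struct

# Constructed sample endpoints (not taken from any real capture).
CLIENT, SERVER = "10.0.0.5", "93.184.216.34"


def build_tcp_frame(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b""):
    """Ethernet II / IPv4 / TCP frame with constructed MAC addresses.
    Checksums are left at zero, which is why Wireshark shows such frames as
    'unverified' unless checksum validation is switched on."""
    eth = bytes.fromhex("66778899aabb") + bytes.fromhex("001122334455") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp


def build_sample_pcap():
    """Classic pcap: 24-byte global header (link type 1 = Ethernet), then records."""
    req = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"       # constructed request
    frames = [
        build_tcp_frame(CLIENT, SERVER, 40000, 80, 1000, 0, 0x02),               # 1: SYN
        build_tcp_frame(SERVER, CLIENT, 80, 40000, 5000, 1001, 0x12),            # 2: SYN/ACK
        build_tcp_frame(CLIENT, SERVER, 40000, 80, 1001, 5001, 0x10),            # 3: ACK
        build_tcp_frame(CLIENT, SERVER, 40000, 80, 1001, 5001, 0x18, req),       # 4: PSH/ACK + data
        build_tcp_frame(CLIENT, SERVER, 40000, 80, 1001, 5001, 0x18, req),       # 5: same data again
        build_tcp_frame(SERVER, CLIENT, 80, 40000, 5001, 1001 + len(req), 0x14),  # 6: RST/ACK
    ]
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


def dissect_pcap(data):
    """Return one dict per packet, keyed with Wireshark-style field names."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4 or struct.unpack_from("<I", data, 20)[0] != 1:
        raise ValueError("only little-endian classic pcap with Ethernet link type is handled here")
    pkts, off, num = [], 24, 0
    while off + 16 <= len(data):
        _sec, _usec, incl, orig = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        num += 1
        p = {"frame.number": num, "frame.len": orig}
        pkts.append(p)
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
            continue                                   # not IPv4: no ip.* fields
        ip = frame[14:]
        ihl, total_len, proto = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0], ip[9]
        p["ip.src"] = ".".join(map(str, ip[12:16]))
        p["ip.dst"] = ".".join(map(str, ip[16:20]))
        if proto != 6:
            continue                                   # not TCP: no tcp.* fields
        tcp = ip[ihl:total_len]
        sport, dport, seq, ack, doff, flags = struct.unpack_from("!HHIIBB", tcp, 0)
        p.update({"tcp.srcport": sport, "tcp.dstport": dport, "tcp.seq": seq, "tcp.ack": ack,
                  "tcp.flags.fin": flags & 1, "tcp.flags.syn": (flags >> 1) & 1,
                  "tcp.flags.reset": (flags >> 2) & 1, "tcp.flags.ack": (flags >> 4) & 1,
                  "tcp.len": len(tcp) - (doff >> 4) * 4})
    return pkts


def mark_retransmissions(pkts):
    """Simplified tcp.analysis.retransmission: a segment that carries data (or
    SYN/FIN) and starts below the highest sequence number already seen on the
    same one-directional flow. Sequence wraparound is ignored in this demo."""
    next_seq = {}
    for p in pkts:
        if "tcp.seq" not in p:
            continue
        flow = (p["ip.src"], p["tcp.srcport"], p["ip.dst"], p["tcp.dstport"])
        seg_len = p["tcp.len"] + p["tcp.flags.syn"] + p["tcp.flags.fin"]
        p["tcp.analysis.retransmission"] = seg_len > 0 and p["tcp.seq"] < next_seq.get(flow, 0)
        next_seq[flow] = max(next_seq.get(flow, 0), p["tcp.seq"] + seg_len)
    return pkts


# Cheat-sheet filters expressed as predicates over the dissected fields.
FILTERS = {
    "tcp.flags.syn == 1 && tcp.flags.ack == 0":
        lambda p: p.get("tcp.flags.syn") == 1 and p.get("tcp.flags.ack") == 0,
    "tcp.flags.reset == 1": lambda p: p.get("tcp.flags.reset") == 1,
    "tcp.analysis.retransmission": lambda p: p.get("tcp.analysis.retransmission", False),
    "ip.addr == 10.0.0.5": lambda p: CLIENT in (p.get("ip.src"), p.get("ip.dst")),
}


def run_filters(pcap_bytes):
    """Map each filter expression to the frame numbers it selects."""
    pkts = mark_retransmissions(dissect_pcap(pcap_bytes))
    return {expr: [p["frame.number"] for p in pkts if pred(p)] for expr, pred in FILTERS.items()}


if __name__ == "__main__":
    for expr, hits in run_filters(build_sample_pcap()).items():
        print(f"{expr:45} -> frames {hits}")
```

Write the bytes from build_sample_pcap() to a .pcap file and open it in Wireshark: the four expressions in FILTERS should select the same frame numbers as the script (1 for the bare SYN, 6 for the RST, 5 for the retransmission). Wireshark's real TCP analysis also distinguishes fast and spurious retransmissions, handles out-of-order segments and sequence wraparound, none of which this simplification attempts.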
TShark (Command Line)
TShark is the terminal version of Wireshark, great for remote servers.
| Command | Description |
|---|---|
| tshark -D | List interfaces |
| tshark -i eth0 | Capture on interface eth0 |
| tshark -r file.pcap | Read a pcap file |
| tshark -Y "http" | Apply a display filter (affects what is shown, not what is captured) |
| tshark -f "port 80" | Apply a capture filter (only port 80 traffic is recorded) |
| tshark -z io,phs | Print protocol hierarchy statistics |
Best Practices
- Always use Capture Filters on high-traffic networks to keep file sizes manageable.
- Save captures frequently. Wireshark runs in memory and can crash on massive files.
- Use Coloring Rules to visually spot errors (usually Red/Black).
- Right-click a packet field and use “Apply as Filter” to quickly isolate traffic.
- Use “Follow TCP Stream” to see the human-readable conversation (like viewing the whole email or HTML page).