blogs
Network Traffic Analysis with Wireshark: A Practical Beginner's Walkthrough
A practical, beginner-friendly walkthrough of using Wireshark to analyze network traffic and debug protocols.
Network Traffic Analysis with Wireshark: A Practical Beginner's Walkthrough
Wireshark is the standard tool for network traffic analysis. Whether you're debugging an application, investigating a potential security incident, or just learning how protocols work, Wireshark lets you see exactly what's on the wire. Here's how I learned to use it effectively.
Setting Up
Wireshark is free, open-source, and runs on Windows, macOS, and Linux. Download from wireshark.org. On Linux:
sudo apt install wireshark
sudo usermod -aG wireshark $USER # Add yourself to wireshark group
Log out and back in after adding yourself to the group so you can capture without sudo.
Understanding the Interface
When you open Wireshark, you'll see:
- Capture interface list: Select which network interface to capture on (eth0, wlan0, etc.)
- Packet list pane: One row per packet — time, source, destination, protocol, info
- Packet details pane: Hierarchical breakdown of the selected packet's headers
- Packet bytes pane: Raw hex and ASCII representation
Your First Capture
Click on your active network interface to start capturing. You'll immediately see traffic flowing. Browse to a website — observe DNS queries, TCP connections, HTTP or TLS traffic appearing in real time.
Press the red square to stop the capture. Save it as a .pcapng file for later analysis.
Display Filters: The Most Important Skill
Raw captures are noisy. Display filters let you see only what matters.
Common filters I use:
# Show only HTTP traffic
http
# Show traffic to/from specific IP
ip.addr == 192.168.1.100
# Show traffic between two IPs
ip.addr == 10.0.0.1 && ip.addr == 10.0.0.2
# DNS queries only
dns.flags.response == 0
# Failed TCP connections (RST packets)
tcp.flags.reset == 1
# Show traffic on a specific port
tcp.port == 443
# HTTP requests only (not responses)
http.request
# Look for specific HTTP method
http.request.method == "POST"
# Find packets containing a specific string
frame contains "password"
Following a TCP Stream
One of Wireshark's most useful features for security analysis: right-click any packet in a TCP session and select "Follow > TCP Stream." This reconstructs the full conversation in readable form — you can see HTTP request and response bodies, credentials sent in plaintext, commands in shell sessions, and more.
In a lab environment analyzing a captured HTTP session, I used this to reconstruct form submissions — including POST data — from unencrypted traffic. It's a powerful illustration of why HTTPS is mandatory.
Analyzing a Potential Port Scan
From my digital twin lab: after running an Nmap scan, I loaded the capture into Wireshark and applied a filter:
tcp.flags.syn == 1 && tcp.flags.ack == 0
This shows SYN packets (connection initiation) without the matching ACK — characteristic of a SYN scan. The packet list showed the attacking IP sending SYN packets to hundreds of sequential destination ports in rapid succession.
Statistics > Conversations gives a tabular view of all TCP sessions, sortable by packet count or bytes — useful for identifying high-volume sources.
Protocol Dissection
Wireshark understands hundreds of protocols and automatically dissects them. Click on any packet and expand the protocol layers in the detail pane:
- Ethernet layer: Source and destination MAC addresses
- IP layer: Source and destination IP, TTL, fragmentation
- TCP/UDP layer: Source and destination ports, flags, sequence numbers
- Application layer: HTTP headers and body, DNS query/response details, TLS handshake parameters
For TLS traffic, you can't see the encrypted payload — but you can see the handshake: which cipher suites were offered, which was selected, the server certificate (expandable to see the common name, validity period, and issuer).
Practical Security Use Cases
Finding credentials in cleartext: Filter on http and look at POST requests. Any HTTP (not HTTPS) form submission is visible in plaintext. This is a quick way to demonstrate the risk of unencrypted web forms to developers who "didn't think it mattered."
Identifying unusual DNS queries: Malware often uses DNS for command-and-control communication. Filter on dns and look for queries to unusual domains, high query rates, or unusually long DNS responses (potential DNS tunneling).
Detecting ARP spoofing: Filter on arp and look for multiple ARP replies claiming the same IP address maps to different MAC addresses — a sign of a man-in-the-middle attack in progress.
Analyzing TLS certificate issues: Filter on tls.handshake.type == 2 (Server Hello) to examine certificate details. Expired certificates, self-signed certs, or unexpected certificate issuers can flag security issues.
Exporting Data for Further Analysis
For large captures or automated analysis, export to CSV or use tshark (Wireshark's command-line version):
# Extract all HTTP request URLs
tshark -r capture.pcapng -Y "http.request" -T fields -e http.host -e http.request.uri
# Extract all DNS queries
tshark -r capture.pcapng -Y "dns.flags.response == 0" -T fields -e dns.qry.name
# Extract packet metadata as CSV
tshark -r capture.pcapng -T csv > capture.csv
These outputs can feed into Python scripts for further analysis — counting unique destination IPs, flagging known malicious domains, building connection graphs.
Wireshark is one of those tools where understanding it deeply makes you significantly better at security. Every protocol you learn to read in Wireshark is a protocol you understand well enough to attack or defend.
