How to Use Wireshark: A Detailed Guide with Examples

Wireshark is one of the most powerful and widely used tools for analyzing network traffic. It helps users capture, view, and understand the packets of data traveling across a network in real time. Whether you’re a network administrator diagnosing a connection issue, a cybersecurity analyst investigating suspicious traffic, or a student learning how network communication works, Wireshark gives you an inside look into the flow of information.

This detailed guide will walk you through everything you need to know about using Wireshark—from installation and packet capture to filters, advanced features, and real-world examples. By the end, you’ll have a solid foundation to begin exploring and mastering this essential tool.

Introduction to Wireshark

Wireshark is an open-source network protocol analyzer that allows users to inspect the details of network traffic at a microscopic level. It captures packets in real time and presents them in a readable, structured format. Each packet—whether it’s an HTTP request, DNS query, or TCP handshake—is broken down into layers and fields that can be analyzed in detail.

Wireshark supports hundreds of protocols (from common ones like TCP, UDP, and HTTP to specialized industrial and wireless protocols) and runs on major platforms, including Windows, macOS, and Linux. Its graphical user interface (GUI) makes it intuitive, while advanced features like filters, stream following, and expert analysis make it suitable for professional use.

In short, Wireshark acts as a microscope for your network. It helps you see what’s really happening behind the scenes—which can be invaluable for troubleshooting, security analysis, and performance optimization.

Getting Started with Wireshark

1. Installation

Wireshark is free and open-source. Here’s how to get started:

1. Download Wireshark:
   Visit the official website at https://www.wireshark.org/download.html. Choose the version that matches your operating system.
2. Install the Software:
   • On Windows, you’ll be prompted to install Npcap or WinPcap, which are packet capture libraries allowing Wireshark to access network interfaces.
   • On macOS, Wireshark uses built-in libraries for capture.
   • On Linux, you can typically install Wireshark via your package manager (sudo apt install wireshark for Ubuntu).
3. Launch Wireshark:
   Once installed, open the application. You’ll see a list of network interfaces (Ethernet, Wi-Fi, Bluetooth, etc.). These represent the network connections available on your computer.

2. Understanding the Interface

When Wireshark opens, you’ll notice three main panes:

• Packet List Pane: Shows all captured packets in order of arrival.
• Packet Details Pane: Displays decoded details of the selected packet, layer by layer (Ethernet, IP, TCP, HTTP, etc.).
• Packet Bytes Pane: Shows the raw hexadecimal and ASCII representation of the packet.

This layered structure reflects the OSI model, helping you understand how each packet travels through network layers—from the physical layer up to the application layer.

Capturing Network Traffic

1. Selecting a Network Interface

Wireshark can only capture traffic from one or more network interfaces at a time. You’ll see a list of interfaces when you launch the program.

• Wi-Fi – captures wireless network packets.
• Ethernet – captures wired LAN traffic.
• Loopback Interface—used for capturing local traffic (useful for testing web apps on your own machine).

Select the interface connected to the network you want to monitor. You’ll see a small live graph next to each interface showing the traffic rate—this helps identify active ones.

2. Starting and Stopping a Capture

• Click the blue shark fin icon or press Ctrl + E to start capturing packets.
• Wireshark will instantly begin displaying packets as they’re captured.
• To stop capturing, click the red square icon or press Ctrl + E again.

Each packet will appear with a timestamp, source address, destination address, protocol, and brief info. Depending on network activity, you may see hundreds or thousands of packets per minute.

3. Saving Your Capture

To save your captured data for later analysis:

• Go to File > Save As.
• Choose a location and file name.
• Save it as .pcap or .pcapng.

These files can be reopened later for offline analysis or shared with others for troubleshooting.

Analyzing Captured Data

Once you’ve captured some packets, it’s time to analyze what’s going on in your network.

1. Using Filters

Wireshark captures everything by default, which can be overwhelming. Filters help narrow down what you see.

Display Filters

Display filters let you focus on specific packets after capture.

Examples:

• http → Shows only HTTP traffic.
• ip.addr == 192.168.1.5 → Shows packets to/from a specific IP address.
• tcp.port == 443 → Displays HTTPS (port 443) traffic.
• DNS → Filters all DNS queries and responses.

You can even combine filters:

http && ip.src == 192.168.1.10

Capture Filters

Capture filters limit what Wireshark records before the capture begins. They use a different syntax (based on BPF—Berkeley Packet Filter).

Examples:

• tcp → Capture only TCP packets.
• host google.com → Capture traffic to/from Google.
• port 80 → Capture HTTP traffic.

2. Example: Analyzing HTTP Traffic

Let’s say you want to analyze a website’s communication.

1. Start capturing on your Wi-Fi or Ethernet interface.
2. Open a browser and visit any website (e.g., example.com).
3. Apply the filter:http Wireshark will now display only HTTP packets.
4. Inspect packets: Click on one to see its structure. You’ll find details like
   • HTTP method (GET, POST, etc.)
   • Request URI and headers
   • Response code (200 OK, 404 Not Found)
   • Server and user-agent information

This is particularly useful for debugging web applications or understanding how browsers interact with servers.

3. Example: Analyzing DNS Queries

DNS traffic reveals how your computer resolves domain names into IP addresses.

1. Start capturing packets.
2. In the filter bar, type:DNS
3. Visit any website. You’ll see query packets (client to DNS server) and responses (DNS server to client).
4. Select a DNS packet and expand the Domain Name System (DNS) section in the details pane.
   You’ll see:
   • The queried domain name (e.g., openai.com)
   • The response IP address
   • Query types (A, AAAA, MX, etc.)

This is very helpful when troubleshooting slow or failed domain lookups.

Advanced Features

Wireshark is much more than just a packet sniffer. It includes advanced tools that make deep analysis easier and more insightful.

1. Following Streams

Sometimes, you want to see the entire conversation between two endpoints (e.g., your browser and a web server). Wireshark can reconstruct and display the full exchange.

How to Follow a Stream

1. Select any TCP packet in the packet list.
2. Right-click it and choose Follow > TCP Stream.
3. A new window appears showing the entire conversation—including request and response data.

This feature is excellent for analyzing web traffic, chat applications, or APIs.

Example: Following an HTTP Stream

• Capture traffic while loading a website.
• Apply the HTTP display filter.
• Choose one HTTP packet, right-click → Follow → TCP Stream.
• You’ll see the entire HTTP conversation (headers, cookies, HTML content).

You can also change the view to “Hex Dump” or “Raw” to see exact byte data.

2. Using the Expert Information Feature

Wireshark automatically flags unusual or problematic network behavior.

1. Go to Analyze > Expert Information or press Ctrl + Shift + E.
2. You’ll see categorized messages:
   • Errors: serious protocol problems.
   • Warnings: unusual but not necessarily harmful.
   • Notes: informational items.

Clicking on an entry jumps directly to the relevant packet. This is helpful for diagnosing retransmissions, handshake failures, or malformed packets.

3. Coloring Rules

Wireshark color-codes packets to make them easier to identify visually. For instance, TCP traffic may appear green, HTTP traffic blue, and DNS traffic purple. You can customize these rules via View > Coloring Rules.

4. Packet Reassembly

For large files or fragmented data, Wireshark can reassemble packets to show complete information. For example, if a large HTTP response is split across multiple packets, Wireshark can display it as one combined message under the TCP stream.

5. Statistics and Graphs

Wireshark provides statistical views that help summarize captured data:

• Protocol Hierarchy: Shows the breakdown of protocols in use (e.g., 40% TCP, 30% UDP).
• Conversations: Lists all communication pairs (source and destination IPs).
• Endpoints: Displays all active devices observed.
• IO Graphs: Visualize traffic over time—useful for identifying spikes or drops.

Go to Statistics in the top menu to explore these features.

Real-World Use Cases of Wireshark

1. Network Troubleshooting

Wireshark helps diagnose slow connections, packet loss, or retransmissions. For example:

• Filter TCP traffic and check for retransmission or “duplicate ACK” messages.
• Identify devices generating excessive broadcast traffic.

2. Security Analysis

Wireshark is a valuable tool for detecting malicious or suspicious activity.

• Monitor for unusual DNS queries (often used by malware).
• Identify communication with unknown or blacklisted IPs.
• Examine encrypted traffic patterns for anomalies.

3. Learning Networking

Students use Wireshark to visualize protocols taught in networking courses—such as ARP, ICMP, and TCP handshakes—and understand packet flow practically.

4. VoIP Analysis

Wireshark can decode VoIP (Voice over IP) calls. You can view SIP call setup messages and even reconstruct audio streams for troubleshooting call quality.

Saving and Exporting Captures

1. Saving a Capture File

Once you’ve finished analyzing:

• Go to File > Save As.
• Choose .pcap or .pcapng as your file format.
• Click Save to store your capture for later use.

You can reopen these files anytime or share them with others for analysis.

2. Exporting Objects

If you capture files transferred via HTTP, FTP, or SMTP, you can extract them.

1. Select a relevant packet.
2. Go to File > Export Objects > HTTP (or FTP, SMB, etc.).
3. Choose the object you want and click Save As.

This feature is particularly useful for retrieving files during forensic analysis or debugging file transfers.

Tips and Best Practices

1. Use Filters Wisely: Capturing too much traffic can slow your system. Apply capture filters to collect only relevant packets.
2. Run as Administrator: On some systems, administrative privileges are required to capture live traffic.
3. Avoid Capturing Sensitive Data: Wireshark can see everything, including passwords in plaintext protocols (like FTP or HTTP). Always capture responsibly.
4. Save Frequently: Long captures can be large and prone to crashes—save sessions periodically.
5. Learn Protocol Basics: Understanding how protocols like TCP, UDP, and IP work will make Wireshark analysis much easier.

Wireshark Alternatives and Add-ons

While Wireshark is comprehensive, other tools can complement it:

• Tshark: Wireshark’s command-line version, ideal for automation or servers.
• NetworkMiner: Focuses on extracting files and sessions.
• tcpdump: Lightweight capture tool commonly used on Linux servers.

These can work together with Wireshark for complete network monitoring setups.

Conclusion

Wireshark is more than just a packet sniffer—it’s a full-featured network analysis toolkit. With it, you can capture, filter, and examine network packets in incredible detail. Whether you’re diagnosing network performance issues, monitoring for security threats, or learning how data moves across a network, Wireshark gives you visibility and control that few other tools offer.

By mastering features like filters, stream following, expert analysis, and statistics, you’ll be able to solve complex network problems, understand how applications communicate, and keep your systems secure.

This guide covered everything from installation to advanced analysis—but Wireshark is a tool you truly master through practice. The more you experiment, the more insights you’ll uncover about your network’s inner workings.

🔹 References

1. Wireshark Official Documentation
   Comprehensive official user guide for installation, usage, and advanced features.
   🔗 https://www.wireshark.org/docs/
2. Wireshark User’s Guide (PDF)
   Official Wireshark manual with step-by-step usage instructions and command references.
   🔗 https://www.wireshark.org/docs/wsug_html_chunked/
3. Wireshark Wiki
   Community-maintained wiki explaining filters, capture setup, and troubleshooting tips.
   🔗 https://wiki.wireshark.org/
4. How-To Geek – How to Use Wireshark to Capture, Filter, and Inspect Packets
   Beginner-friendly article explaining Wireshark usage with screenshots.
   🔗 https://www.howtogeek.com/104278/how-to-use-wireshark-to-capture-filter-and-inspect-packets/
5. GeeksforGeeks – Introduction to Wireshark
   Educational overview and practical examples for students learning network analysis.
   🔗 https://www.geeksforgeeks.org/introduction-to-wireshark/