What Is Wireshark?

Wireshark is a free, open-source network protocol analyzer used by network engineers, security analysts, developers, and students worldwide. It allows you to capture and interactively browse the traffic running on a computer network in real time. Think of it as a microscope for your network — every packet of data flowing through your network interface can be inspected in detail.

Wireshark is available for Windows, macOS, and Linux, and it's an essential tool for learning how protocols work, diagnosing network problems, and identifying suspicious traffic patterns.

Installing Wireshark

Download Wireshark from the official site at wireshark.org — always use the official source to avoid tampered versions. The download page also publishes hashes and signatures for each release, so you can verify the file you fetched before installing it.

  • Windows: The installer includes WinPcap or Npcap (the packet capture driver). Install Npcap when prompted.
  • macOS: Use the official .dmg installer. You may need to install ChmodBPF for capture permissions.
  • Linux: Available in most package managers: sudo apt install wireshark on Debian/Ubuntu. During setup, choose whether non-root users can capture; if you allow it, add yourself to the wireshark group (log out and back in for the change to take effect). This is preferable to running Wireshark itself as root.

Capturing Your First Packets

When you launch Wireshark, you'll see a list of available network interfaces with a live graph showing current activity. To begin a capture:

  1. Select the interface you want to capture on (usually your primary Ethernet or Wi-Fi adapter — look for the one showing activity).
  2. Click the blue shark-fin Start Capture button (or double-click the interface name).
  3. Browse a website, ping a host, or perform whatever activity you want to analyze.
  4. Click the red square Stop Capture button when you have enough data.
  5. Save the capture as a .pcap or .pcapng file for later analysis.

Note: Only capture traffic on networks you own or have explicit permission to monitor. Capturing traffic on unauthorized networks is illegal.

Understanding the Wireshark Interface

The main Wireshark window has three primary panels:

  • Packet List pane (top): A row-by-row list of captured packets showing time, source/destination IP, protocol, length, and a summary. Color coding helps identify different traffic types.
  • Packet Details pane (middle): A tree view of the selected packet, breaking it down layer by layer — Frame → Ethernet → IP → TCP/UDP → Application protocol. You can expand each layer to see all fields and values.
  • Packet Bytes pane (bottom): The raw hexadecimal and ASCII representation of the packet. Selecting a field in the Details pane highlights the corresponding bytes here.

Using Display Filters

A busy capture can contain thousands of packets. Display filters let you isolate exactly what you're looking for without re-capturing. Filters use a specific syntax:

  Filter                      What It Shows
  http                        Only HTTP traffic
  ip.addr == 192.168.1.1      Traffic to or from that IP
  tcp.port == 443             HTTPS traffic (port 443)
  dns                         All DNS queries and responses
  icmp                        Ping traffic
  !(arp or dns)               Exclude ARP and DNS noise

Type your filter in the display filter bar above the packet list and press Enter. A valid filter turns the bar green; an invalid one turns it red. Display filters only change what is shown; they are distinct from capture filters, which use BPF syntax (for example port 443) and decide which packets are recorded in the first place.
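To make the filters in the table concrete, here is an added example (not code from Wireshark or from this article) that does in miniature what Wireshark does with a saved .pcap file: it reads the file format, decodes each record layer by layer the way the Packet Details pane does (Frame, Ethernet, IPv4, then TCP/UDP/ICMP), and evaluates the filter expressions from the table above against the decoded fields. The capture it reads is constructed in memory from five hand-built frames (no real traffic; the MAC addresses, the 192.168.1.x hosts and the 203.0.113.5 server are made-up sample values), and the "dns" and "http" filters are approximated by port number, whereas Wireshark's dissectors look at packet content.

```python
import socket
import struct

# pcap global header: little-endian magic, version 2.4, snaplen 65535, LINKTYPE_ETHERNET (1)
PCAP_GLOBAL_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
HOST_MAC, GW_MAC = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")  # constructed
PORT_PROTOCOLS = {"dns": 53, "http": 80}  # port heuristics standing in for Wireshark's dissectors

# --- building a constructed capture (sample data only; checksums are left at zero) ---
def ipv4_frame(src_ip, dst_ip, proto, payload):
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return GW_MAC + HOST_MAC + b"\x08\x00" + ip_hdr + payload  # dst MAC, src MAC, EtherType IPv4

def tcp_syn(sport, dport):  # 20-byte TCP header with only the SYN flag set
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | 0x02, 65535, 0, 0)

def udp_datagram(sport, dport):
    return struct.pack("!HHHH", sport, dport, 8, 0)

def arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 2, sender_mac,
                      socket.inet_aton(sender_ip), target_mac, socket.inet_aton(target_ip))
    return target_mac + sender_mac + b"\x08\x06" + arp

def pcap_bytes(frames):
    out = bytearray(PCAP_GLOBAL_HEADER)
    for i, frame in enumerate(frames):  # record header: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return bytes(out)

SAMPLE_CAPTURE = pcap_bytes([
    ipv4_frame("192.168.1.10", "203.0.113.5", 6, tcp_syn(51000, 443)),                   # HTTPS SYN
    ipv4_frame("192.168.1.10", "192.168.1.1", 17, udp_datagram(53000, 53)),              # DNS query
    ipv4_frame("192.168.1.10", "192.168.1.1", 1, struct.pack("!BBHHH", 8, 0, 0, 1, 1)),  # ping
    arp_reply(GW_MAC, "192.168.1.1", HOST_MAC, "192.168.1.10"),                          # ARP reply
    ipv4_frame("192.168.1.10", "203.0.113.5", 6, tcp_syn(51001, 80)),                    # HTTP SYN
])

# --- decoding: one dict of Wireshark-style field names per packet, layer by layer ---
def decode_frame(frame):
    pkt = {"frame.len": len(frame)}
    dst, src, ethertype = struct.unpack_from("!6s6sH", frame, 0)       # Ethernet layer
    pkt["eth.src"], pkt["eth.dst"] = src.hex(":"), dst.hex(":")
    if ethertype == 0x0806:
        pkt["proto"] = "arp"
        return pkt
    if ethertype != 0x0800:
        pkt["proto"] = "other"  # IPv6, VLAN tags etc. are out of scope for this toy decoder
        return pkt
    ihl = (frame[14] & 0x0F) * 4                                        # IPv4 layer
    pkt["ip.proto"] = frame[14 + 9]
    pkt["ip.src"], pkt["ip.dst"] = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    pkt["proto"] = {6: "tcp", 17: "udp", 1: "icmp"}.get(pkt["ip.proto"], "other")
    if pkt["proto"] in ("tcp", "udp"):                                  # transport layer
        pkt["srcport"], pkt["dstport"] = struct.unpack_from("!HH", frame, 14 + ihl)
    return pkt

def read_pcap(data):
    magic, = struct.unpack_from("<I", data, 0)
    link_type, = struct.unpack_from("<I", data, 20)
    if magic != 0xA1B2C3D4 or link_type != 1:
        raise ValueError("only little-endian pcap with Ethernet link type is handled here")
    offset, packets = 24, []
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, offset)
        offset += 16
        packets.append(decode_frame(data[offset:offset + incl_len]))
        offset += incl_len
    return packets

# --- display filters: just the subset of the syntax used in the table above ---
def match(pkt, expr):
    expr = expr.strip()
    if expr.startswith("!"):                       # negation, e.g. !(arp or dns)
        return not match(pkt, expr[1:])
    if expr.startswith("(") and expr.endswith(")"):
        return match(pkt, expr[1:-1])
    if " or " in expr:                             # 'or' binds looser than 'and'; no nesting
        return any(match(pkt, part) for part in expr.split(" or "))
    if " and " in expr:
        return all(match(pkt, part) for part in expr.split(" and "))
    if "==" in expr:
        field, value = (s.strip() for s in expr.split("==", 1))
        if field == "ip.addr":                     # either direction, as in Wireshark
            return value in (pkt.get("ip.src"), pkt.get("ip.dst"))
        if field == "tcp.port":
            return pkt["proto"] == "tcp" and int(value) in (pkt["srcport"], pkt["dstport"])
        return str(pkt.get(field)) == value
    if expr in PORT_PROTOCOLS:
        return pkt["proto"] in ("tcp", "udp") and PORT_PROTOCOLS[expr] in (pkt["srcport"], pkt["dstport"])
    return pkt["proto"] == expr                    # bare protocol name: tcp, udp, icmp, arp

def count_matches(data, expr):
    return sum(1 for pkt in read_pcap(data) if match(pkt, expr))

if __name__ == "__main__":
    for f in ("http", "ip.addr == 192.168.1.1", "tcp.port == 443", "dns", "icmp", "!(arp or dns)"):
        print(f"{f:26} -> {count_matches(SAMPLE_CAPTURE, f)} packet(s)")
```

Running it prints one line per filter with the number of matching packets; swapping SAMPLE_CAPTURE for the bytes of a real file you saved from Wireshark works as long as it is a classic little-endian .pcap with Ethernet frames (pcapng, the default save format in recent versions, has a different layout and is not handled here). The evaluator also shows why ip.addr matches both directions of a conversation, which is the usual surprise for beginners who expected it to mean only the source.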

Practical Use Cases for Beginners

  • Learning protocols: Browse a website with HTTP (not HTTPS) and observe the full request-response cycle. See TCP handshakes, HTTP GET requests, and server responses laid out packet by packet.
  • DNS analysis: Filter for dns and watch every domain lookup your machine makes — revealing background activity from apps and services.
  • Spotting ARP spoofing: Unusual ARP replies where multiple IP addresses map to the same MAC address can indicate a man-in-the-middle attack.
  • CTF challenges: Capture the Flag competitions frequently include .pcap files to analyze — Wireshark is indispensable for these.
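The ARP spoofing indicator in the list above (several IP addresses answered for by one MAC) is easy to check programmatically once the ARP replies are out of Wireshark. The following is an added example, not code from the article, that walks a list of ARP reply records and reports that indicator; it goes one step beyond the text by also reporting an IP address whose MAC changes part-way through the capture, which is the other classic symptom of the same attack. The records are constructed sample data in the form (frame number, sender MAC, sender IP), the fields you would read from Wireshark's arp.src.hw_mac and arp.src.proto_ipv4 columns after filtering on arp.opcode == 2; the known_multi_ip_macs argument is a made-up allow list for devices that legitimately hold several addresses, such as a router.

```python
from collections import defaultdict

# Constructed sample ARP replies: (frame number, sender MAC, sender IP). Not real traffic.
SAMPLE_ARP_REPLIES = [
    (1, "aa:bb:cc:00:00:01", "192.168.1.1"),    # the gateway answering for its own address
    (2, "aa:bb:cc:00:00:10", "192.168.1.10"),   # a workstation
    (3, "aa:bb:cc:00:00:20", "192.168.1.20"),   # another workstation
    (4, "aa:bb:cc:00:00:20", "192.168.1.1"),    # .20 now answers for the gateway's IP
    (5, "aa:bb:cc:00:00:20", "192.168.1.10"),   # ...and for the first workstation's IP
]

def analyse_arp(replies, known_multi_ip_macs=frozenset()):
    """Return a list of human-readable findings for two ARP spoofing indicators.

    1. An IP address whose sender MAC changes during the capture (reported at the frame
       where it changes).
    2. A MAC address that claims more than one IP address over the whole capture, unless
       it is on the caller's allow list of devices known to hold several addresses.
    """
    ips_by_mac = defaultdict(set)   # MAC -> every IP it has claimed
    mac_by_ip = {}                  # IP -> MAC most recently seen claiming it
    findings = []
    for frame_no, mac, ip in replies:
        ips_by_mac[mac].add(ip)
        previous = mac_by_ip.get(ip)
        if previous is not None and previous != mac:
            findings.append(f"frame {frame_no}: {ip} moved from {previous} to {mac}")
        mac_by_ip[ip] = mac
    for mac, ips in sorted(ips_by_mac.items()):
        if len(ips) > 1 and mac not in known_multi_ip_macs:
            findings.append(f"{mac} claims {len(ips)} addresses: {', '.join(sorted(ips))}")
    return findings

if __name__ == "__main__":
    for line in analyse_arp(SAMPLE_ARP_REPLIES):
        print(line)
```

On the sample data this reports the gateway and workstation addresses moving to the third MAC, then that MAC claiming three addresses. Treat the output as a lead rather than a verdict: DHCP churn, a replaced network card, or a router with several interfaces produce the same pattern, which is what the allow list is for. Wireshark itself raises an expert-info warning for duplicate IP use in ARP, reachable through the display filter arp.duplicate-address-detected, so the manual check is mostly useful when you want to script it over many captures.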

Free Learning Resources for Wireshark

  • Wireshark Documentation: wireshark.org/docs — thorough official reference.
  • Sample captures: The Wireshark Wiki hosts sample pcap files covering dozens of protocols — ideal for practice without generating your own traffic.
  • TryHackMe & Hack The Box: Both platforms include Wireshark-focused rooms and challenges for hands-on practice.