Wireshark Tutorial
for Beginners
Learn to capture, navigate, filter, and analyse network traffic with Wireshark, the most widely used open-source packet analyser. No prior experience required.
What is Wireshark?
Wireshark is a free, open-source, cross-platform network packet analyser. It captures live network traffic in real time and lets you inspect every single packet flowing through your network interface — from raw bytes all the way up to the application layer.
Originally released in 1998 under the name Ethereal, it was renamed Wireshark in 2006 and has since become the industry-standard tool for network forensics, troubleshooting, and security analysis. It is used daily by network engineers, security analysts, pentesters, and students worldwide.
Wireshark is a passive, read-only tool: it captures and decodes packets but never modifies, injects, or blocks them. It is not an IDS (Intrusion Detection System) and not a firewall. Think of it as a microscope for your network: it reveals what is happening, but the analysis and decisions are entirely yours. Two caveats for the security-minded: with network name resolution enabled (it is off by default) Wireshark does send DNS queries of its own, so the "silent observer" can reveal which hosts you are looking at; and its protocol dissectors parse whatever is in the capture, which is why a PCAP from an untrusted source deserves the same care as any other untrusted input, and why the project recommends not running the GUI as root.
Main use cases
- Network troubleshooting — diagnose slow connections, identify bandwidth hogs, find packet loss and retransmissions
- Security analysis — detect rogue devices, unusual port usage, cleartext credentials, and suspicious traffic patterns
- Protocol learning — understand exactly how HTTP, TCP, DNS, TLS and other protocols work at the packet level
- Incident response — investigate a breach by analysing captured traffic (PCAP files) to reconstruct what happened
- CTF / bug bounty — extract hidden data, credentials, or flags from capture files in competition challenges
Installation
Wireshark is available on Windows, macOS, and Linux. Download the latest stable version from the official website: wireshark.org/download.html
sudo apt update
sudo apt install wireshark -y
# When the installer asks "Should non-superusers be able to capture packets?", answer Yes.
# If you answered No, change it later with:  sudo dpkg-reconfigure wireshark-common
# Add your user to the wireshark group to capture without root
sudo usermod -aG wireshark $USER
# Group changes apply to new logins; newgrp only activates the group in the current shell
newgrp wireshark
On Linux, capturing live traffic requires privileges that ordinary users do not have (raw access to the network interface). Wireshark does not capture packets itself: it starts a small helper, dumpcap, and only dumpcap needs those privileges. Adding your user to the wireshark group (as shown above) lets dumpcap run with the CAP_NET_RAW and CAP_NET_ADMIN capabilities on Debian-based systems, while the GUI, whose protocol dissectors parse untrusted input, stays unprivileged. This is the recommended approach; avoid running Wireshark as root. If the interface list is still empty afterwards, log out and back in so the new group membership applies to every session.
On Windows the installer bundles Npcap (the maintained successor to WinPcap) and sets up capture access during installation. On macOS the installer offers ChmodBPF, a small launch daemon that makes the /dev/bpf* devices used by libpcap readable by your user, so Wireshark does not need to run as root there either.
The Interface: 5 Key Areas
When you open Wireshark, the main window is divided into five distinct sections. Understanding each one is the foundation of everything else.
| Area | Role |
|---|---|
| Toolbar | Quick access to capture controls (start, stop, restart), open/save files, and filters |
| Display Filter Bar | The main search and filter input — the most important area for analysis |
| Recent Files | Quick re-open of recently analysed PCAP files with a double-click |
| Capture Interfaces | Lists all available network interfaces on your machine with live traffic graphs — click one to start capturing |
| Status Bar | Shows the active profile, sniffing interface, and packet counters |
Opening a PCAP File
A PCAP (Packet CAPture) file is a recording of network traffic. You can open one via File → Open, by dragging it into the window, or by double-clicking it in your file manager. Once loaded, three new panes appear — the heart of Wireshark’s analysis interface.
Packet List: summary of all packets
One row per packet. Shows number, timestamp, source/destination IPs, protocol, length, and a brief info summary. Click any row to inspect it.
Packet Details: full protocol breakdown
Shows the layer-by-layer decomposition of the selected packet. Expand each layer to see every field and its value.
Packet Bytes: raw hex + ASCII
The raw bytes of the packet in hexadecimal and decoded ASCII side by side. Clicking a field in the Packet Details pane highlights the corresponding bytes here.
Colour Coding: Reading at a Glance
Wireshark colour-codes packets automatically by protocol and status. This allows you to spot anomalies and identify protocols at a glance, without reading each row in detail.
You can customise or create your own colour rules via View → Coloring Rules. To highlight one conversation temporarily, right-click a packet and choose Colorize Conversation; the neighbouring Conversation Filter entry does something different, applying a display filter that hides every other conversation.
Packet Dissection: Reading the OSI Layers
When you click a packet, the Packet Details pane breaks it down into its OSI layers. Each layer is collapsible. Here is what each one contains in a typical HTTP packet:
Frame
Capture metadata (not a protocol layer)
Frame number, capture timestamp, frame length in bytes, interface used. This is Wireshark’s own metadata about the capture itself.
Ethernet
Source & Destination MAC addresses
Data Link layer. Shows the hardware addresses of the sender and receiver on the local network, plus the EtherType (IPv4, IPv6, ARP…).
IP
Source & Destination IP addresses
Network layer. Shows IPs, TTL (Time To Live), protocol number (6=TCP, 17=UDP), and fragmentation info.
TCP / UDP
Ports, flags, sequence numbers
Transport layer. Source/destination ports, TCP flags (SYN, ACK, FIN, RST), sequence and acknowledgment numbers, window size, and checksum.
Application
Protocol-specific data
HTTP request/response, DNS query/answer, FTP command, SMB message, etc. This is where the actual content of the communication lives.
The TTL (Time To Live) field in Layer 3 can hint at the operating system of the sender. Every router on the path decrements it by one, so the value you see is the initial TTL minus the hop count: Windows starts at 128, Linux, macOS and the BSDs at 64, and network equipment often at 255. A TTL of 116 therefore usually means a Windows host about 12 hops away. Values that do not fit any known default within a plausible hop count can signal a misconfigured device, a NAT or tunnel in the path, or a spoofed packet. Treat this as a heuristic, not proof: the default TTL is a one-line setting on any OS.
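To make the Details pane less of a black box, here is an added example (written for this tutorial, not code from the Wireshark project) that dissects a constructed Ethernet/IPv4/TCP/HTTP frame with Python's standard library, walks the same layers listed above, verifies the IPv4 header checksum, and applies the TTL heuristic including the hop-count arithmetic. The MAC addresses, IPs, ports and the TTL of 116 are made up for the demonstration.

```python
import struct
from typing import Any, Dict, Optional, Tuple

TCP_FLAGS = (("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
             ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20))
# Default initial TTLs behind the OS guess; the observed value is the initial TTL minus hops.
INITIAL_TTLS = ((64, "Linux/macOS/BSD"), (128, "Windows"), (255, "network device / Solaris"))


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when run over a header whose checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sample_frame() -> bytes:
    """Constructed frame (not from a real capture): Ethernet II / IPv4 / TCP / HTTP GET."""
    payload = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
    # TCP: sport, dport, seq, ack, data offset (5 words), flags PSH+ACK, window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", 51234, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    # IPv4: ver/IHL, TOS, total length, id, flags+frag (DF set), TTL 116, proto 6, checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0x1234, 0x4000,
                     116, 6, 0, bytes([10, 0, 0, 5]), bytes([93, 184, 216, 34]))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]   # fill in the real checksum
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    return eth + ip + tcp + payload


def fmt_mac(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def guess_os_from_ttl(ttl: int) -> Optional[Tuple[int, int, str]]:
    """Return (assumed initial TTL, hop count, OS family) or None; a heuristic, not proof."""
    for initial, family in INITIAL_TTLS:
        if ttl <= initial:
            return initial, initial - ttl, family
    return None


def dissect(frame: bytes) -> Dict[str, Any]:
    """Walk the layers the way the Packet Details pane does (Ethernet/IPv4/TCP only)."""
    layers: Dict[str, Any] = {"frame": {"length": len(frame)}}
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers["eth"] = {"dst": fmt_mac(dst), "src": fmt_mac(src), "type": "0x%04x" % ethertype}
    if ethertype != 0x0800:                      # only IPv4 is dissected in this example
        return layers
    ihl = (frame[14] & 0x0F) * 4                 # header length in bytes (options make it > 20)
    _, _, total_len, ident, frag, ttl, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    layers["ip"] = {
        "src": ".".join(map(str, s)), "dst": ".".join(map(str, d)),
        "length": total_len, "id": ident, "ttl": ttl, "proto": proto,
        "dont_fragment": bool(frag & 0x4000),
        "checksum_ok": ip_checksum(frame[14:14 + ihl]) == 0,
        "os_guess": guess_os_from_ttl(ttl),
    }
    if proto != 6:                               # 6 = TCP, 17 = UDP
        return layers
    off = 14 + ihl
    sport, dport, seq, ack, doff_byte, flags, window = struct.unpack("!HHIIBBH", frame[off:off + 16])
    doff = (doff_byte >> 4) * 4                  # TCP header length in bytes
    layers["tcp"] = {"srcport": sport, "dstport": dport, "seq": seq, "ack": ack, "window": window,
                     "flags": [name for name, bit in TCP_FLAGS if flags & bit]}
    layers["payload"] = frame[off + doff:]       # application layer, left to an HTTP dissector
    return layers


if __name__ == "__main__":
    for layer, fields in dissect(build_sample_frame()).items():
        print(layer, fields)
```

The `checksum_ok` field is also a reminder of a capture artefact: on the capturing host, outgoing packets are often handed to the NIC with the checksum still unfilled (checksum offloading), so "bad checksum" on your own traffic is usually not an attack.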
Display Filters: Finding What Matters
In a real capture file, you may have thousands of packets. Display filters let you narrow down exactly which packets are shown without deleting anything — the full capture is always preserved underneath.
Filters are typed directly in the Display Filter Bar at the top. The bar turns green when the syntax is valid, red when it is not, and yellow when the expression is valid but flagged (for example because it uses deprecated syntax), which is a prompt to double-check that it does what you intend.
Essential filter syntax
-- Filter by protocol
http
tcp
udp
dns
ftp
icmp
-- Filter by IP address (ip.addr matches the source OR the destination)
ip.addr == 192.168.1.1
ip.src == 10.0.0.5
ip.dst == 8.8.8.8
-- Filter by port
tcp.port == 443
udp.port == 53
-- Filter by HTTP method or status
http.request.method == "GET"
http.response.code == 200
http.response.code == 404
-- Filter by TCP flags
tcp.flags.syn == 1
tcp.flags.reset == 1
-- Combine filters with AND / OR / NOT
http and ip.src == 10.0.0.5
tcp.port == 80 or tcp.port == 443
not arp
-- Search for a string in packet content
frame contains "password"
http contains "login"
-- Filter by DNS query name
dns.qry.name contains "google"
Quick filter cheat sheet
Capture filters are set before the capture starts and use BPF syntax (for example port 80). They limit what Wireshark records: packets that do not match are never written, so they cannot be recovered later.
Display filters are set after the capture and use Wireshark's own syntax (for example tcp.port == 80). They only show or hide packets; the full capture is always preserved.
For beginners: start with display filters, which are non-destructive and reversible. Reach for a capture filter only when you must cut volume on a busy link or a long-running capture, and only once you are sure what you can safely drop.
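The subtle part of display filters is that one packet carries two ip.addr values (source and destination) and two tcp.port values, so a comparison is really "does any occurrence match?". That is why ip.addr == x behaves intuitively while negation historically did not: Wireshark releases before 3.6 read ip.addr != x as "any address differs", which matches almost every packet, whereas current releases treat it as !(ip.addr == x). The following added example (written for this tutorial, not Wireshark code) models that field-set semantics over a handful of constructed packets and evaluates the filters from the cheat sheet above, showing both readings of !=. Packet numbers, addresses and ports are invented.

```python
from typing import Any, Callable, Dict, List

Packet = Dict[str, Any]
Filter = Callable[[Packet], bool]

# Constructed packets (not a real capture). Every field maps to the SET of values it occurs
# with in that frame, mirroring Wireshark: a packet has two ip.addr and two tcp.port values.
SAMPLE_PACKETS: List[Packet] = [
    {"no": 1, "protocols": {"eth", "ip", "udp", "dns"},
     "ip.src": {"10.0.0.5"}, "ip.dst": {"8.8.8.8"}, "ip.addr": {"10.0.0.5", "8.8.8.8"},
     "udp.port": {51000, 53}, "dns.qry.name": {"www.google.com"}},
    {"no": 2, "protocols": {"eth", "ip", "tcp", "http"},
     "ip.src": {"10.0.0.5"}, "ip.dst": {"93.184.216.34"}, "ip.addr": {"10.0.0.5", "93.184.216.34"},
     "tcp.port": {51234, 80}, "http.request.method": {"POST"},
     "frame": {b"POST /login HTTP/1.1\r\n\r\nusername=admin&password=Passw0rd123!"}},
    {"no": 3, "protocols": {"eth", "ip", "tcp", "tls"},
     "ip.src": {"10.0.0.7"}, "ip.dst": {"93.184.216.34"}, "ip.addr": {"10.0.0.7", "93.184.216.34"},
     "tcp.port": {40000, 443}},
    {"no": 4, "protocols": {"eth", "ip", "icmp"},
     "ip.src": {"10.0.0.5"}, "ip.dst": {"10.0.0.7"}, "ip.addr": {"10.0.0.5", "10.0.0.7"}},
    {"no": 5, "protocols": {"eth", "arp"}},
]


def proto(name: str) -> Filter:
    """A bare protocol name ('http', 'arp') matches when that layer is present."""
    return lambda p: name in p["protocols"]


def eq(field: str, value: Any) -> Filter:
    """'field == value': true if ANY occurrence of the field equals value."""
    return lambda p: value in p.get(field, set())


def ne_any(field: str, value: Any) -> Filter:
    """Legacy '!=' (Wireshark before 3.6): true if ANY occurrence differs from value."""
    return lambda p: any(v != value for v in p.get(field, set()))


def ne_all(field: str, value: Any) -> Filter:
    """Current '!=' (3.6 and later), same as '!(field == value)': NO occurrence equals value."""
    return lambda p: value not in p.get(field, set())


def contains(field: str, needle: Any) -> Filter:
    """'field contains x': case-sensitive substring test on every occurrence of the field."""
    return lambda p: any(needle in v for v in p.get(field, set()))


def f_and(*fs: Filter) -> Filter: return lambda p: all(f(p) for f in fs)
def f_or(*fs: Filter) -> Filter: return lambda p: any(f(p) for f in fs)
def f_not(f: Filter) -> Filter: return lambda p: not f(p)


def apply_filter(flt: Filter, packets: List[Packet] = SAMPLE_PACKETS) -> List[int]:
    """Return the packet numbers a display filter would leave visible."""
    return [p["no"] for p in packets if flt(p)]


if __name__ == "__main__":
    examples = [
        ('ip.addr == 10.0.0.5', eq("ip.addr", "10.0.0.5")),
        ('ip.addr != 10.0.0.5  (pre-3.6 reading)', ne_any("ip.addr", "10.0.0.5")),
        ('ip.addr != 10.0.0.5  (current) / !(ip.addr == 10.0.0.5)', ne_all("ip.addr", "10.0.0.5")),
        ('http and ip.src == 10.0.0.5', f_and(proto("http"), eq("ip.src", "10.0.0.5"))),
        ('tcp.port == 80 or tcp.port == 443', f_or(eq("tcp.port", 80), eq("tcp.port", 443))),
        ('not arp', f_not(proto("arp"))),
        ('frame contains "password"', contains("frame", b"password")),
        ('dns.qry.name contains "google"', contains("dns.qry.name", "google")),
    ]
    for text, flt in examples:
        print("%-58s -> %s" % (text, apply_filter(flt)))
```

Writing the exclusion as !(ip.addr == 10.0.0.5) works identically on every version, which is why it is the form worth memorising. Note also that contains is case-sensitive in Wireshark, so frame contains "password" misses "Password"; the matches operator takes a regular expression (with (?i) for case-insensitivity) when you need that.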
Packet Navigation & Investigation Tools
Find Packets (Edit → Find Packet)
Search the capture for a specific string, hex value, or display filter expression. Choose the search scope carefully: Packet List, Packet Details, or Packet Bytes — the same string can exist in one pane but not another.
Search scope: Packet Details | Type: String
password
Authorization
username
Go to Packet (Ctrl+G)
Jump directly to a specific packet by its number. Essential when an error message or filter result references packet #4821 and you want to inspect it immediately.
Mark & Comment Packets
Mark a suspicious packet (right-click → Mark/Unmark Packet, or Ctrl+M); it turns black, making it easy to relocate during a long investigation. Add a comment (right-click → Packet Comment) to leave notes that are saved inside the capture file itself, visible to teammates. Comments need the pcapng format, which is Wireshark's default when saving; a classic .pcap file cannot store them.
When investigating an incident, mark every suspicious packet as you find it, then use File → Export Specified Packets → Marked Packets to create a trimmed PCAP containing only your evidence.
Follow Stream (right-click → Follow)
One of the most powerful features for beginners. Right-click any packet → Follow → TCP Stream (or HTTP Stream, TLS Stream…) to reconstruct the entire conversation between two hosts as human-readable text. This is how you read HTTP requests and responses, see FTP credentials, or inspect any cleartext data exchanged in a session. Follow → TLS Stream only yields readable content when Wireshark has the session keys (a key log file written by the browser via the SSLKEYLOGFILE environment variable, or the server's RSA private key for old non-forward-secret cipher suites, both configured under the TLS protocol preferences); without them you will see only encrypted records.
Export Objects (File → Export Objects)
Wireshark can extract files that were transferred over the network. Go to File → Export Objects → HTTP (or SMB, FTP, TFTP…) to see a list of all files exchanged and save them to disk. This is invaluable for malware analysis (extract the payload) or CTF challenges. Treat anything you export as hostile until proven otherwise: save it on an isolated analysis machine rather than your daily workstation, and do not open it with its default application.
Expert Information (Analyse → Expert Information)
Wireshark automatically flags anomalies — retransmissions, duplicate ACKs, connection resets, malformed packets — with colour-coded severity levels.
| Colour | Severity | Meaning |
|---|---|---|
| Red | Error | Serious problem: malformed packet, dissector failure, bad checksum (when validation is enabled) |
| Yellow | Warning | Likely problem: previous segment not captured, out-of-order segment, zero window |
| Cyan | Note | Notable but often benign: suspected retransmission, duplicate ACK, keep-alive |
| Grey | Chat | Normal protocol workflow: connection opened, reset, or closed |
Checksum errors only appear if you turn on checksum validation in the TCP and UDP protocol preferences. It is off by default because checksum offloading on the capturing host makes its own outgoing packets look corrupt, which would bury real findings in false errors.
Statistics: Getting the Big Picture
Before diving into individual packets, the Statistics menu gives you a high-level overview of the entire capture — extremely useful for spotting unusual patterns quickly.
- Statistics → Protocol Hierarchy — shows every protocol present in the capture with its share of packets and bytes. Protocols you did not expect on that network segment (an unusual tunnel, a plaintext management protocol, "Data" that no dissector claims) stand out here immediately.
- Statistics → Conversations — lists all communication pairs (IP:port ↔ IP:port). Sort by bytes to find who is sending the most data. One internal host pushing an unusually large volume to a single external address is a classic exfiltration indicator; check it against what that host is supposed to do, since a backup job or a software update can look the same.
- Statistics → Endpoints — all unique IPs and MAC addresses seen in the capture. Useful for identifying every device involved.
- Statistics → I/O Graph — visualise traffic volume over time. Spikes can indicate a DDoS, a large file transfer, or a scanning event.
- Statistics → Capture File Properties — SHA256 hash, capture duration, total packets, interface name. Essential when working with evidence files.
Practical Example: Detecting Cleartext Credentials
Here is a complete hands-on workflow to find a cleartext username and password in an HTTP PCAP — one of the most common beginner exercises.
Step 1 — Filter to HTTP traffic only
http
Step 2 — Find POST requests (login forms send credentials via POST)
http.request.method == "POST"
Step 3 — Search for credential strings in packet details
Edit → Find Packet → String → "password" or "username"
Step 4 — Right-click the packet → Follow → HTTP Stream
You will see the full POST body including form fields in plaintext
POST /login HTTP/1.1
Host: victim.com
Content-Type: application/x-www-form-urlencoded
username=admin&password=Passw0rd123!
Any website still using plain HTTP (not HTTPS) exposes its users' credentials to anyone who can capture traffic on the path: the same Wi-Fi network, a compromised switch or router, or the ISP. The same applies to HTTP Basic authentication, whose Authorization header is only base64-encoded and which Wireshark decodes for you in the Details pane. This exercise demonstrates exactly why HTTPS and TLS are non-negotiable for any login form. Always use HTTPS, and Wireshark proves why in about 30 seconds.
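The same workflow can be automated once you understand what Wireshark is doing. The added example below (written for this tutorial; it is not Wireshark or tshark code) builds a small constructed capture in memory, reads the classic pcap container format with nothing but the standard library, groups TCP payloads per direction the way Follow → TCP Stream does, and pulls credential-looking fields out of urlencoded POST bodies, i.e. the equivalent of the http.request.method == "POST" filter followed by Follow → HTTP Stream. The login request is deliberately split across two segments: a per-packet string search for "password" would hit only the second packet, while the stream view shows the URL and the body together. Addresses, ports, hostnames and credentials are invented; stream reassembly is simplified to concatenation in arrival order, without the sequence-number tracking Wireshark performs.

```python
import struct
from socket import inet_aton, inet_ntoa
from typing import Dict, Iterator, List, Tuple
from urllib.parse import parse_qs

# Form field names treated as credentials (assumption for this example; extend as needed).
CRED_FIELDS = {"username", "user", "login", "email", "password", "pass", "passwd"}


def tcp_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame; checksums left zero (common in real captures
    because of checksum offloading, and ignored by this reader)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0x4000, 64, 6, 0,
                     inet_aton(src), inet_aton(dst))
    return bytes(12) + b"\x08\x00" + ip + tcp + payload     # zero MACs, EtherType IPv4


def pcap_file(frames: List[bytes]) -> bytes:
    """Serialise frames as a classic little-endian pcap (magic a1b2c3d4, LINKTYPE_ETHERNET)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data: bytes) -> Iterator[Tuple[float, bytes]]:
    """Yield (timestamp, frame) from classic pcap bytes; refuses pcapng, Wireshark's default save format."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0x0A0D0D0A:
        raise ValueError("pcapng input: save as pcap (File > Save As) for this reader")
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a pcap file")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != 1:
        raise ValueError("only the Ethernet link type is handled")
    pos = 24
    while pos + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", data[pos:pos + 16])
        pos += 16
        yield ts_sec + ts_usec / 1e6, data[pos:pos + incl_len]
        pos += incl_len


def tcp_streams(data: bytes) -> Dict[Tuple[str, int, str, int], bytes]:
    """Group TCP payloads per direction, like Follow > TCP Stream, in arrival order.
    Simplification: no sequence-number reassembly, so lost or reordered segments are not repaired."""
    streams: Dict[Tuple[str, int, str, int], bytearray] = {}
    for _, frame in read_pcap(data):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                   # not IPv4 over Ethernet, or not TCP
        t = 14 + (frame[14] & 0x0F) * 4                # start of the TCP header
        sport, dport = struct.unpack("!HH", frame[t:t + 4])
        data_off = (frame[t + 12] >> 4) * 4            # TCP header length
        key = (inet_ntoa(frame[26:30]), sport, inet_ntoa(frame[30:34]), dport)
        streams.setdefault(key, bytearray()).extend(frame[t + data_off:])
    return {k: bytes(v) for k, v in streams.items()}


def find_form_credentials(data: bytes) -> List[Dict[str, str]]:
    """http.request.method == "POST" plus Follow > HTTP Stream, automated:
    credential-looking fields from urlencoded POST bodies (first request per stream only)."""
    hits = []
    for (src, sport, dst, dport), payload in tcp_streams(data).items():
        if not payload.startswith(b"POST "):
            continue
        head, _, body = payload.partition(b"\r\n\r\n")
        request_line, *headers = head.decode("latin-1").split("\r\n")
        if not any(h.lower().startswith("content-type: application/x-www-form-urlencoded")
                   for h in headers):
            continue
        form = parse_qs(body.decode("latin-1"))
        creds = {k: v[0] for k, v in form.items() if k.lower() in CRED_FIELDS}
        if creds:
            hits.append({"client": "%s:%d" % (src, sport), "server": "%s:%d" % (dst, dport),
                         "path": request_line.split()[1], **creds})
    return hits


def sample_capture() -> bytes:
    """Constructed capture: login POST split over two segments, the server's reply, and an
    unrelated GET from another client."""
    c, s = "10.0.0.5", "93.184.216.34"
    return pcap_file([
        tcp_frame(c, s, 51234, 80, b"POST /login HTTP/1.1\r\nHost: victim.com\r\n"
                                   b"Content-Type: application/x-www-form-urlencoded\r\n"
                                   b"Content-Length: 36\r\n\r\n"),
        tcp_frame(c, s, 51234, 80, b"username=admin&password=Passw0rd123!"),
        tcp_frame(s, c, 80, 51234, b"HTTP/1.1 302 Found\r\nLocation: /home\r\n\r\n"),
        tcp_frame("10.0.0.7", s, 40001, 80, b"GET / HTTP/1.1\r\nHost: victim.com\r\n\r\n"),
    ])


if __name__ == "__main__":
    for hit in find_form_credentials(sample_capture()):
        print(hit)
```

Two things carry over to the GUI. First, the reader rejects pcapng on purpose: Wireshark saves pcapng by default, so a file that "is a PCAP" may not be one, and tooling that only speaks classic pcap will fail on it. Second, the two-segment request is why Follow Stream, not Find Packet, is the right tool for reading a request: the headers and the body are separate packets, and only reassembly puts the URL next to the credentials it was sent to.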
Time to Practice: TryHackMe Wireshark Rooms
The best way to learn Wireshark is hands-on. TryHackMe offers dedicated free rooms with real PCAP files and guided questions — no setup required.
| Room | Level | What you learn |
|---|---|---|
| Wireshark: The Basics | Beginner | Interface, PCAP navigation, packet dissection, filters |
| Wireshark: Packet Operations | Beginner | Statistics, advanced filtering, stream following |
| Wireshark: Traffic Analysis | Intermediate | Anomaly detection, malware traffic, protocol analysis |
| Network Miner | Intermediate | Complementary tool for extracting files and artefacts |