Wireshark shows you conversations that were never meant for human eyes. Every HTTP request your browser makes, every DNS lookup, every TCP handshake happening right now on your network—Wireshark captures it all and translates the raw bytes into readable protocol dissections. Where tcpdump gives you command-line power, Wireshark gives you X-ray vision.
Starting a Capture
Launch Wireshark and you'll see your network interfaces listed, each with a sparkline showing current traffic. Double-click an interface to start capturing, or select it and click the blue shark fin.
Packets appear immediately, scrolling as new traffic arrives. Each row is one packet. Your interface enters promiscuous mode—potentially seeing all traffic on the network segment, not just traffic destined for your machine.
Click the red square to stop. The packets stay for analysis.
The Three-Pane View
Wireshark's interface tells a story in three layers:
Top pane: The packet list. Each row shows packet number, timestamp, source, destination, protocol, and a summary. This is your timeline of network activity.
Middle pane: The dissection. Select a packet and see its structure as a tree—Ethernet frame, IP header, TCP details, application data. Expand any layer to see its fields. This is where complex protocols become readable.
Bottom pane: The raw bytes in hex and ASCII. Select a field in the middle pane and Wireshark highlights the corresponding bytes below. This connects abstract protocol concepts to actual data on the wire.
Display Filters
The filter bar lets you slice through captured traffic. Unlike capture filters that limit what gets recorded, display filters work on packets you've already captured—explore different views of the same data.
Filter by IP address:
Filter by protocol:
Filter by port:
Combine with logic:
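The four filter categories above (address, protocol, port, boolean combination) all use Wireshark's display-filter grammar. The following is an added example, not code from the page or from the Wireshark project: a small evaluator for a subset of that grammar (ip.addr, ip.src, ip.dst, tcp.port, udp.port, bare protocol names, ==, !=, !, &&, || and parentheses) run over a constructed list of packet dicts that stand in for Wireshark's dissection. Addresses and ports are made up (TEST-NET ranges).

```python
"""Evaluator for a small subset of Wireshark display-filter syntax.

Added example (not Wireshark's own code). Packets are plain dicts that stand in
for the dissected fields Wireshark would have; addresses are constructed.
"""
import re

# Constructed sample capture: a DNS lookup, an HTTP exchange and one SSH packet.
PACKETS = [
    {"no": 1, "ip.src": "10.0.0.5", "ip.dst": "10.0.0.53", "proto": "udp", "udp.port": {40123, 53}, "app": "dns"},
    {"no": 2, "ip.src": "10.0.0.53", "ip.dst": "10.0.0.5", "proto": "udp", "udp.port": {53, 40123}, "app": "dns"},
    {"no": 3, "ip.src": "10.0.0.5", "ip.dst": "198.51.100.10", "proto": "tcp", "tcp.port": {51000, 80}, "app": "http"},
    {"no": 4, "ip.src": "198.51.100.10", "ip.dst": "10.0.0.5", "proto": "tcp", "tcp.port": {80, 51000}, "app": "http"},
    {"no": 5, "ip.src": "10.0.0.7", "ip.dst": "10.0.0.9", "proto": "tcp", "tcp.port": {44000, 22}, "app": "ssh"},
]

TOKEN_RE = re.compile(r"\(|\)|&&|\|\||==|!=|!|[A-Za-z0-9_.]+")
OPERATORS = {"(", ")", "&&", "||", "==", "!=", "!"}


def tokenize(expr):
    tokens = TOKEN_RE.findall(expr)
    if "".join(tokens) != re.sub(r"\s+", "", expr):
        raise ValueError(f"unrecognised characters in filter: {expr!r}")
    return tokens


def field_matches(pkt, name, value):
    """Multi-valued fields (ip.addr, tcp.port) match if ANY of their values match, as in Wireshark."""
    if name == "ip.addr":
        return value in (pkt["ip.src"], pkt["ip.dst"])
    if name in ("ip.src", "ip.dst"):
        return pkt[name] == value
    if name in ("tcp.port", "udp.port"):
        return int(value) in pkt.get(name, set())
    raise ValueError(f"unsupported field: {name}")


def proto_present(pkt, name):
    """A bare protocol name keeps packets that contain that protocol layer."""
    if name == "ip":
        return True  # every sample packet is IPv4
    if name in ("tcp", "udp", "dns", "http", "ssh"):
        return name in (pkt["proto"], pkt["app"])
    raise ValueError(f"unsupported protocol: {name}")


class Parser:
    """Recursive descent (or -> and -> not -> atom) producing a predicate over one packet dict."""

    def __init__(self, tokens):
        self.toks, self.pos = tokens, 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse(self):
        pred = self.parse_or()
        if self.peek() is not None:
            raise ValueError(f"unexpected token: {self.peek()!r}")
        return pred

    def parse_or(self):
        left = self.parse_and()
        while self.peek() == "||":
            self.take()
            right = self.parse_and()
            left = lambda p, l=left, r=right: l(p) or r(p)
        return left

    def parse_and(self):
        left = self.parse_not()
        while self.peek() == "&&":
            self.take()
            right = self.parse_not()
            left = lambda p, l=left, r=right: l(p) and r(p)
        return left

    def parse_not(self):
        if self.peek() == "!":
            self.take()
            inner = self.parse_not()
            return lambda p: not inner(p)
        return self.parse_atom()

    def parse_atom(self):
        tok = self.take()
        if tok == "(":
            inner = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return inner
        if tok is None or tok in OPERATORS:
            raise ValueError(f"unexpected token: {tok!r}")
        if self.peek() in ("==", "!="):
            op, value = self.take(), self.take()
            if value is None or value in OPERATORS:
                raise ValueError(f"missing value after {op}")
            equal = lambda p, f=tok, v=value: field_matches(p, f, v)
            # a != b is evaluated as !(a == b), so "ip.addr != X" drops every packet involving X
            return equal if op == "==" else (lambda p: not equal(p))
        return lambda p, name=tok: proto_present(p, name)


def apply_filter(expr, packets=PACKETS):
    """Return the packet numbers a display filter keeps, like the filtered packet list."""
    predicate = Parser(tokenize(expr)).parse()
    return [p["no"] for p in packets if predicate(p)]


if __name__ == "__main__":
    for f in ("ip.addr == 10.0.0.5", "dns", "tcp.port == 80", "http || dns", "tcp && !(tcp.port == 80)"):
        print(f"{f:28} -> {apply_filter(f)}")
```

The evaluator treats `a != b` as `!(a == b)`, which is how current Wireshark releases behave. Older releases evaluated `!=` on a multi-valued field such as `ip.addr` as "any value not equal", so `ip.addr != 10.0.0.5` kept almost every packet; that gotcha is the reason the negation is spelled out in the comment.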
Following Streams
This is where Wireshark becomes revelatory. Right-click any TCP packet, select "Follow > TCP Stream," and watch individual packets reassemble into a complete conversation.
The stream window color-codes by direction—requests in one color, responses in another. For HTTP traffic, you see the actual GET request, the headers, the response. For SMTP, you see email being sent. For unencrypted login forms, you see usernames and passwords in plain text.
When you follow a TCP stream and see a login form's password field in plain text, you understand viscerally why HTTPS matters.
For encrypted traffic, you see scrambled bytes. But if you have the server's private key or TLS session keys, Wireshark can decrypt it. The private key only helps for RSA key exchange; with forward-secret (ECDHE) cipher suites and TLS 1.3 you need the per-session keys, typically logged by the client through the SSLKEYLOGFILE environment variable and loaded under the TLS protocol preferences.
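What "Follow > TCP Stream" does mechanically is group segments into a conversation and splice each direction's payload back together in sequence-number order. The block below is an added example, not Wireshark's own code, doing that over a constructed segment list (TEST-NET hosts, relative sequence numbers as Wireshark displays them by default). The sample includes one out-of-order segment and one retransmission, the kinds of event Expert Information also flags, to show how reassembly copes with them.

```python
"""Follow a TCP stream: group segments into conversations, then stitch each direction's
payload back together by sequence number, the way Follow > TCP Stream does.

Added example, not Wireshark code. Segments are constructed; only the fields the
reassembly needs are present.
"""
from collections import defaultdict

C, S = "192.0.2.10", "198.51.100.20"
SEGMENTS = [
    dict(src=C, sport=51000, dst=S, dport=80, seq=1,  data=b"GET /login HTTP/1.1\r\n"),
    dict(src=C, sport=51000, dst=S, dport=80, seq=42, data=b"\r\n"),                    # captured out of order
    dict(src=C, sport=51000, dst=S, dport=80, seq=22, data=b"Host: example.test\r\n"),
    dict(src=C, sport=51000, dst=S, dport=80, seq=22, data=b"Host: example.test\r\n"),  # retransmission
    dict(src=S, sport=80, dst=C, dport=51000, seq=1,  data=b"HTTP/1.1 200 OK\r\n"),
    dict(src=S, sport=80, dst=C, dport=51000, seq=18, data=b"Content-Length: 2\r\n\r\nok"),
    dict(src="192.0.2.30", sport=52000, dst=S, dport=80, seq=1, data=b"GET / HTTP/1.1\r\n\r\n"),
]


def conversation_key(seg):
    """Direction-independent key, so both halves of a connection land in one stream."""
    a, b = (seg["src"], seg["sport"]), (seg["dst"], seg["dport"])
    return (a, b) if a < b else (b, a)


def reassemble_direction(segs):
    """Order by seq, drop bytes already delivered (retransmits/overlaps), record holes."""
    buf, next_seq, retrans, gaps = bytearray(), None, 0, []
    for seq, data in sorted(segs, key=lambda s: s[0]):
        if next_seq is None:
            next_seq = seq
        end = seq + len(data)
        if end <= next_seq:          # nothing new: retransmission of bytes already delivered
            retrans += 1
            continue
        if seq < next_seq:           # partial overlap: keep only the unseen tail
            data, seq = data[next_seq - seq:], next_seq
        if seq > next_seq:           # hole in the capture; Wireshark marks it, we record and skip ahead
            gaps.append((next_seq, seq))
        buf += data
        next_seq = end
    return bytes(buf), retrans, gaps


def follow_streams(segments):
    """Return {conversation_key: {"a_to_b": bytes, "b_to_a": bytes, "retransmissions": n, "gaps": [...]}}."""
    by_conv = defaultdict(lambda: {"a_to_b": [], "b_to_a": []})
    for seg in segments:
        key = conversation_key(seg)
        direction = "a_to_b" if (seg["src"], seg["sport"]) == key[0] else "b_to_a"
        by_conv[key][direction].append((seg["seq"], seg["data"]))
    streams = {}
    for key, dirs in by_conv.items():
        out = {"retransmissions": 0, "gaps": []}
        for direction in ("a_to_b", "b_to_a"):
            data, retrans, gaps = reassemble_direction(dirs[direction])
            out[direction] = data
            out["retransmissions"] += retrans
            out["gaps"] += gaps
        streams[key] = out
    return streams


if __name__ == "__main__":
    for (a, b), st in follow_streams(SEGMENTS).items():
        print(f"=== {a[0]}:{a[1]} <-> {b[0]}:{b[1]}  retransmissions={st['retransmissions']} gaps={st['gaps']}")
        print(st["a_to_b"].decode(errors="replace"))
        print(st["b_to_a"].decode(errors="replace"))
```

Sorting by sequence number hides the difference between "out of order" and "retransmitted", which Wireshark tells apart by arrival order; the point here is that the reassembled text is what the stream window shows, and that is exactly why a plaintext login form is readable once the segments are glued back together.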
Protocol Dissection
Wireshark includes dissectors for hundreds of protocols. Click any packet and the middle pane breaks it down:
- Ethernet: Source and destination MAC addresses
- IP: Addresses, TTL, protocol number, checksums
- TCP: Sequence numbers, acknowledgments, flags, window size
- Application layer: HTTP methods and URLs, DNS queries and responses, whatever the protocol carries
Each field shows its value and meaning. No memorizing RFC specifications—Wireshark translates.
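To make the three panes concrete, here is an added example (not Wireshark code) that builds one Ethernet/IPv4/TCP frame carrying an HTTP request and dissects it into the same tree the middle pane shows, keeping each field's byte offset so the corresponding bytes can be pulled out of the raw frame as the bottom pane does. MAC addresses and IP addresses are constructed (TEST-NET ranges), the IPv4 header checksum is computed and verified, and the TCP checksum is left at zero since it is not needed for the dissection.

```python
"""Dissect a raw Ethernet/IPv4/TCP frame into (layer, field, offset, length, value) rows.

Added example, not Wireshark code. The frame is constructed with hypothetical MACs
and TEST-NET addresses.
"""
import struct

TCP_FLAGS = (("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04), ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20))


def ipv4_checksum(header):
    """RFC 1071 ones'-complement sum; returns 0 when run over a header whose checksum is correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(payload=b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"):
    """Constructed frame: 192.0.2.10:51000 -> 198.51.100.20:80, PSH/ACK carrying an HTTP request."""
    eth = bytes.fromhex("66778899aabb") + bytes.fromhex("001122334455") + b"\x08\x00"  # dst MAC, src MAC, IPv4
    tcp = struct.pack("!HHIIBBHHH", 51000, 80, 0x1000, 0x2000, 5 << 4, 0x18, 65535, 0, 0) + payload
    # TCP checksum stays zero (it needs a pseudo-header); the IPv4 checksum is filled in properly below.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return eth + ip + tcp


def dissect(frame):
    """Return one (layer, field, offset, length, value) row per tree entry."""
    rows = []
    add = lambda layer, name, off, ln, val: rows.append((layer, name, off, ln, val))
    ethertype = struct.unpack("!H", frame[12:14])[0]           # Ethernet II header: 14 bytes
    add("eth", "dst", 0, 6, frame[0:6].hex(":"))
    add("eth", "src", 6, 6, frame[6:12].hex(":"))
    add("eth", "type", 12, 2, f"0x{ethertype:04x}")
    if ethertype != 0x0800:
        return rows                                             # not IPv4: bytes stay visible in the hex pane only
    off = 14
    ver_ihl, _, total_len, ident, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", frame[off:off + 20])
    ihl = (ver_ihl & 0x0F) * 4
    add("ip", "version", off, 1, ver_ihl >> 4)
    add("ip", "hdr_len", off, 1, ihl)
    add("ip", "total_len", off + 2, 2, total_len)
    add("ip", "id", off + 4, 2, ident)
    add("ip", "ttl", off + 8, 1, ttl)
    add("ip", "proto", off + 9, 1, proto)
    add("ip", "checksum_ok", off + 10, 2, ipv4_checksum(frame[off:off + ihl]) == 0)
    add("ip", "src", off + 12, 4, ".".join(map(str, src)))
    add("ip", "dst", off + 16, 4, ".".join(map(str, dst)))
    if proto != 6:
        return rows
    off += ihl
    sport, dport, seq, ack, data_off, flags, window, _, _ = struct.unpack("!HHIIBBHHH", frame[off:off + 20])
    thl = (data_off >> 4) * 4
    add("tcp", "srcport", off, 2, sport)
    add("tcp", "dstport", off + 2, 2, dport)
    add("tcp", "seq", off + 4, 4, seq)
    add("tcp", "ack", off + 8, 4, ack)
    add("tcp", "flags", off + 13, 1, [n for n, bit in TCP_FLAGS if flags & bit])
    add("tcp", "window", off + 14, 2, window)
    payload = frame[off + thl:14 + total_len]                  # trust IP total length, not frame length (padding)
    add("tcp", "payload", off + thl, len(payload), payload)
    return rows


def field_bytes(frame, rows, layer, name):
    """Bottom-pane behaviour: the raw bytes behind one tree row."""
    for l, n, off, ln, _ in rows:
        if (l, n) == (layer, name):
            return frame[off:off + ln]
    raise KeyError(f"{layer}.{name}")


if __name__ == "__main__":
    frame = build_frame()
    rows = dissect(frame)
    for layer, name, off, ln, val in rows:
        print(f"{layer:>4}.{name:<12} @{off:3}+{ln:<3} {val!r}")
```

Each row carries the offset and length Wireshark uses to highlight bytes in the hex pane, and the checksum row shows why a dissector is more than a byte formatter: flip a single header byte and `checksum_ok` turns false, which is the sort of thing Expert Information reports as a malformed packet.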
Statistics That Reveal Patterns
Conversations (Statistics menu): Shows every pair of endpoints that talked, with packet and byte counts. Instantly reveals who's communicating most.
Protocol Hierarchy: What percentage of your traffic is HTTP? DNS? Something unexpected? This answers bandwidth mysteries.
I/O Graph: Plots traffic over time. Add multiple filters to compare—HTTP vs DNS vs everything else.
Expert Information: Automated analysis that flags problems. TCP retransmissions, connection resets, malformed packets. It catches what you'd miss scrolling through thousands of packets.
Capture Filters vs Display Filters
Two different filter systems with different purposes:
Capture filters run before capture, using BPF syntax (same as tcpdump):
Use these on busy networks to avoid capturing everything.
Display filters run after capture, using Wireshark's more readable syntax. Change them anytime to explore different aspects of the same data.
Coloring Rules
Wireshark colors packets by type: TCP errors in black, HTTP in green, DNS in blue. These visual cues help patterns emerge from long captures.
A sudden cluster of black packets? Network trouble. Unexpected colors? Unusual traffic worth investigating.
Customize under View > Coloring Rules.
Saving Your Work
Save captures as .pcap or .pcapng files for later analysis or sharing. Save all packets or just the displayed ones (after filtering).
File > Export Objects extracts files from HTTP traffic—images, scripts, downloads. Useful for investigating what actually transferred.
Export dissections as text, CSV, JSON, or XML for processing elsewhere.
Time Display
View > Time Display Format offers options:
- Time of Day: When the packet was captured
- Seconds Since Beginning: Elapsed time from first packet
- Seconds Since Previous Packet: Inter-packet timing
Absolute times correlate with logs. Relative times reveal timing patterns.
Practical Scenarios
Slow page load: Capture while loading, filter for the domain, follow HTTP streams. Look for large files, many requests, or slow responses.
Connection failure: Capture the attempt, filter for the destination. A healthy connection shows SYN, SYN-ACK, ACK. Missing SYN-ACK means the server isn't responding. RST means active rejection.
Unexpected traffic: Capture without filters, check Protocol Hierarchy to see what's using bandwidth, then drill down with display filters.
Security investigation: Look for unexpected protocols, unknown destinations, unusual patterns. Expert Information flags anomalies.
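The connection-failure scenario above is a small state machine: SYN, SYN-ACK, ACK is healthy; a SYN with no SYN-ACK means the server or something in the path is silent; a RST in reply to the SYN is an active rejection. The block below is an added example, not Wireshark code, that runs that classification over a constructed packet list (TEST-NET addresses, relative timestamps in seconds, only the fields the classifier needs) covering all three outcomes, including a SYN that is retransmitted three times without an answer.

```python
"""Classify TCP connection attempts: established, silently unanswered, or actively refused.

Added example, not Wireshark code. Packets are constructed; timestamps are
relative seconds, as in Wireshark's "Seconds Since Beginning" display.
"""
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

C, S, S2 = "192.0.2.10", "198.51.100.20", "198.51.100.40"
PACKETS = [
    # healthy three-way handshake to :443
    dict(t=0.000, src=C, sport=51000, dst=S, dport=443, flags=SYN),
    dict(t=0.021, src=S, sport=443, dst=C, dport=51000, flags=SYN | ACK),
    dict(t=0.021, src=C, sport=51000, dst=S, dport=443, flags=ACK),
    # SYN retransmitted three times, never answered: host down or filtered
    dict(t=1.000, src=C, sport=51001, dst=S2, dport=8443, flags=SYN),
    dict(t=2.000, src=C, sport=51001, dst=S2, dport=8443, flags=SYN),
    dict(t=4.000, src=C, sport=51001, dst=S2, dport=8443, flags=SYN),
    # closed port: the server answers the SYN with RST/ACK
    dict(t=5.000, src=C, sport=51002, dst=S, dport=23, flags=SYN),
    dict(t=5.010, src=S, sport=23, dst=C, dport=51002, flags=RST | ACK),
]


def classify_connections(packets):
    """Track every connection that starts with a SYN we captured; return a verdict per attempt."""
    attempts = {}
    for p in packets:
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])   # client -> server key
        rev = (p["dst"], p["dport"], p["src"], p["sport"])   # the same key as seen from a reply
        f = p["flags"]
        if f & SYN and not f & ACK:                           # client opening (or re-trying) a connection
            a = attempts.setdefault(fwd, dict(first_syn=p["t"], syn_attempts=0, synack=None, ack=None, rst_from=None))
            a["syn_attempts"] += 1
        elif fwd in attempts:                                 # later client -> server packet
            a = attempts[fwd]
            if f & RST:
                a["rst_from"] = a["rst_from"] or "client"
            elif f & ACK and a["synack"] is not None and a["ack"] is None:
                a["ack"] = p["t"]                             # third step of the handshake
        elif rev in attempts:                                 # server -> client packet
            a = attempts[rev]
            if f & RST:
                a["rst_from"] = a["rst_from"] or "server"
            elif f & SYN and a["synack"] is None:
                a["synack"] = p["t"]
        # packets of flows whose SYN was never captured are ignored (capture started mid-stream)
    verdicts = {}
    for key, a in attempts.items():
        if a["rst_from"] == "server" and a["synack"] is None:
            verdict = "refused: RST in reply to SYN"
        elif a["synack"] is not None and a["ack"] is not None:
            verdict = "established"
        elif a["synack"] is not None:
            verdict = "SYN-ACK seen, final ACK missing"
        else:
            verdict = "no SYN-ACK: server silent or filtered"
        handshake_ms = None if a["ack"] is None else round((a["ack"] - a["first_syn"]) * 1000, 1)
        verdicts[key] = dict(verdict=verdict, syn_attempts=a["syn_attempts"], handshake_ms=handshake_ms)
    return verdicts


if __name__ == "__main__":
    for key, v in classify_connections(PACKETS).items():
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}  {v}")
```

The `syn_attempts` count and the handshake time are the two numbers worth reading off a failed or slow connection: repeated SYNs with no answer point at a filter or a dead host, a RST points at a closed port or a host-based firewall that rejects rather than drops, and a large handshake time with a completed handshake points at latency rather than the application.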
Performance Notes
Busy networks can overwhelm Wireshark. Use capture filters to reduce volume. Large captures slow the interface—consider ring buffers that overwrite old data, or split into smaller files.
Disable name resolution and unnecessary dissectors when speed matters.
Handle With Care
Wireshark captures everything visible on the segment—passwords, session tokens, private communications. Treat capture files as sensitive.
When sharing for troubleshooting, filter and save only relevant packets. Wireshark can anonymize addresses on export.
Capturing requires elevated privileges and puts interfaces into promiscuous mode. On Linux, grant the capture privilege to the dumpcap helper (the wireshark group setup) rather than running the Wireshark GUI as root, since its dissectors parse untrusted input. Security systems may notice the promiscuous-mode interface.
Key Takeaways
Wireshark translates raw network traffic into readable protocol analysis. The three-pane interface connects packet summaries to detailed dissections to raw bytes.
Display filters let you explore captured traffic from any angle. Stream following reassembles conversations. Statistics reveal patterns invisible in individual packets.
The tool sees everything on the wire—which makes it powerful for troubleshooting and dangerous for privacy. Use capture filters on busy networks, treat captures as confidential, and remember: if it's not encrypted, Wireshark shows it in plain text.