Wireshark Beginner’s Guide
Wireshark is a free, open-source network protocol analyzer used to capture and inspect network traffic in real time. It helps you visualize how computers communicate over a network, an essential skill for learning, troubleshooting, and security testing.
1. Installation
# Linux
sudo apt update && sudo apt install wireshark -y
# macOS (via Homebrew)
brew install wireshark
# Windows
# Download from https://www.wireshark.org/download.html
During installation you can allow Wireshark to capture packets without root/admin rights (on Debian/Ubuntu the installer asks whether non-superusers should be able to capture). This is optional but useful, since capturing otherwise needs elevated privileges.
2. Key Terms
- Packet: A unit of data sent across a network.
- Protocol: A set of communication rules (e.g., HTTP, TCP, DNS).
- Capture: Recording network traffic in real time.
- Interface: The network device (Ethernet, Wi-Fi, etc.) you capture traffic from.
- Filter: A search or rule used to view specific packets.
3. Basic Usage
# Start Wireshark
# 1. Open Wireshark.
# 2. Select your active network interface (Wi-Fi or Ethernet).
# 3. Click "Start Capturing Packets".
# 4. Use the Stop button (red square) to stop the capture.
4. Common Display Filters
Filters let you focus on specific protocols or traffic types. They can be typed in the top filter bar.
# Common filters
# Show packets to/from this IP
ip.addr == 192.168.1.5
# Show all TCP traffic on port 80 (includes handshake packets, not only HTTP messages)
tcp.port == 80
# Show DNS traffic
udp.port == 53
# Show only packets the HTTP dissector decoded (requests and responses)
http
# Show only DNS queries/responses
dns
# Show only FTP traffic
ftp
# Show ARP broadcast messages
arp
# Show only TCP SYN packets
tcp.flags.syn == 1
# Search for text inside packets
frame contains "password"
5. Capture Filters
Capture filters use BPF syntax and are applied before capturing, so packets they exclude are never recorded (unlike display filters, which only hide packets that are already in the capture).
# Capture only traffic from a specific IP
host 192.168.1.5
# Capture only HTTP traffic
port 80
# Capture traffic between two IPs
host 192.168.1.5 and host 192.168.1.10
# Capture traffic for a specific subnet
net 192.168.1.0/24
6. Understanding Wireshark Output
Wireshark’s window is split into three panes:
- Packet List Pane: Shows each captured packet (one line per packet).
- Packet Details Pane: Shows the protocols and fields within a packet.
- Packet Bytes Pane: Displays raw hexadecimal and ASCII data.
Color Coding (default rules; they are listed and can be edited under View → Coloring Rules)
- Green: TCP traffic
- Blue: DNS/UDP traffic
- Black: Problematic TCP packets (e.g., retransmissions)
7. Saving and Exporting Captures
# Save capture to file
File → Save As → mycapture.pcapng
# Export specific packets
File → Export Specified Packets
8. Common Configurations
- Go to Edit → Preferences → Columns to customize visible columns (e.g., add “Source Port” or “Protocol”).
- Enable “Name Resolution” (View → Name Resolution) to display hostnames instead of IPs. Network name resolution sends reverse DNS lookups from your own machine for addresses in the capture, so it is often left off when analysing a capture offline.
- Use “Statistics → Protocol Hierarchy” to view protocol breakdowns.
- Use “Analyze → Follow → TCP Stream” (also in a packet’s right-click menu) to reconstruct a conversation as both endpoints saw it (useful for HTTP logins, messages, etc.).
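The following is an added example, not code from the original guide or from the Wireshark project: a minimal Ethernet/IPv4/TCP/UDP dissector and a single-term display-filter evaluator, run over a few hand-built frames. It shows what the filters from section 4 actually compare against, how the Packet Details pane derives fields from the raw bytes of the Packet Bytes pane (section 6), and what “Follow → TCP Stream” reassembles (section 8). Every address, MAC and packet is constructed (the web server sits in the 198.51.100.0/24 documentation range), and the dissector only understands the handful of fields the guide’s filters use. The cleartext login in the sample shows why a capture of plain HTTP is a risk worth checking for on your own network.

```python
# Added example, not from the original guide: a minimal Ethernet/IPv4/TCP/UDP dissector
# and a single-term display-filter evaluator over a few hand-built frames. It shows what
# the filters in section 4 match against and how the Packet Details pane decodes the raw
# bytes of the Packet Bytes pane (section 6). All addresses and packets are constructed.
import socket
import struct

def ethernet(src_mac, dst_mac, ethertype, payload):
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload

def ipv4(src, dst, proto, payload):
    # Header checksum left at zero for brevity; a real stack computes it.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

def tcp(sport, dport, flags, payload=b""):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0) + payload

def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def dissect(frame):
    """Decode the layers the Packet Details pane would show, as a flat field dict."""
    fields = {"frame.bytes": frame, "protocols": ["eth"]}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x0806:
        fields["protocols"].append("arp")
    if ethertype != 0x0800:
        return fields
    ip = frame[14:]
    proto, l4 = ip[9], ip[(ip[0] & 0x0F) * 4:]
    fields.update({"ip.src": socket.inet_ntoa(ip[12:16]), "ip.dst": socket.inet_ntoa(ip[16:20])})
    fields["protocols"].append("ip")
    if proto not in (6, 17):
        return fields
    sport, dport = struct.unpack("!HH", l4[:4])
    if proto == 6:
        payload = l4[(l4[12] >> 4) * 4:]
        fields.update({"tcp.srcport": sport, "tcp.dstport": dport,
                       "tcp.flags.syn": (l4[13] >> 1) & 1, "tcp.payload": payload})
        fields["protocols"].append("tcp")
        # Like Wireshark, tag 'http' only when an HTTP message is present, not on a bare SYN.
        if 80 in (sport, dport) and payload.startswith((b"GET ", b"POST ", b"HTTP/")):
            fields["protocols"].append("http")
    else:
        fields.update({"udp.srcport": sport, "udp.dstport": dport, "udp.payload": l4[8:]})
        fields["protocols"] += ["udp", "dns"] if 53 in (sport, dport) else ["udp"]
    return fields

# 'ip.addr' and '*.port' match either direction, as in Wireshark's filter language.
ALIASES = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport"),
           "udp.port": ("udp.srcport", "udp.dstport")}

def matches(expr, fields):
    """Evaluate one display-filter term: 'a == b', 'a contains "x"', or a bare protocol."""
    if " contains " in expr:
        name, literal = (p.strip() for p in expr.split(" contains ", 1))
        haystack = fields["frame.bytes"] if name == "frame" else fields.get(name, b"")
        return literal.strip('"').encode() in haystack
    if "==" in expr:
        name, value = (p.strip() for p in expr.split("==", 1))
        return any(str(fields[k]) == value for k in ALIASES.get(name, (name,)) if k in fields)
    return expr.strip() in fields["protocols"]

def apply_filter(expr, frames):
    """Return the 1-based packet numbers (as in the Packet List pane) matching expr."""
    return [n for n, frame in enumerate(frames, 1) if matches(expr, dissect(frame))]

def follow_tcp_stream(frames, addr_a, addr_b):
    """Concatenate TCP payloads between two hosts, roughly what Follow -> TCP Stream shows."""
    return b"".join(f["tcp.payload"] for f in map(dissect, frames)
                    if "tcp" in f["protocols"] and {f["ip.src"], f["ip.dst"]} == {addr_a, addr_b})

# Constructed sample traffic: a client talking to a web server in the 198.51.100.0/24
# documentation range and to its local resolver, plus one ARP request (no IP layer).
CLIENT_MAC, GATEWAY_MAC = bytes.fromhex("0200000000a5"), bytes.fromhex("020000000001")
SAMPLE_FRAMES = [
    ethernet(CLIENT_MAC, GATEWAY_MAC, 0x0800, ipv4("192.168.1.5", "198.51.100.10", 6, tcp(51000, 80, 0x02))),
    ethernet(CLIENT_MAC, GATEWAY_MAC, 0x0800, ipv4("192.168.1.5", "198.51.100.10", 6, tcp(51000, 80, 0x18,
             b"POST /login HTTP/1.1\r\nHost: example.test\r\n\r\nuser=alice&password=hunter2"))),
    ethernet(CLIENT_MAC, GATEWAY_MAC, 0x0800, ipv4("192.168.1.5", "192.168.1.1", 17, udp(40000, 53,
             b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x04test\x00\x00\x01\x00\x01"))),
    ethernet(CLIENT_MAC, b"\xff" * 6, 0x0806, struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + CLIENT_MAC
             + socket.inet_aton("192.168.1.5") + b"\x00" * 6 + socket.inet_aton("192.168.1.1")),
]

def demo(frames=SAMPLE_FRAMES):
    """Run the section 4 filters over the frames; keys are the filter strings as typed."""
    return {expr: apply_filter(expr, frames) for expr in (
        "ip.addr == 192.168.1.5", "tcp.port == 80", "http", "udp.port == 53",
        "dns", "arp", "tcp.flags.syn == 1", 'frame contains "password"')}

if __name__ == "__main__":
    for expr, hits in demo().items():
        print(f"{expr:30} -> packets {hits}")
    print(follow_tcp_stream(SAMPLE_FRAMES, "192.168.1.5", "198.51.100.10").decode())
```

Running it lists, for each filter, the packet numbers that match. The useful contrast is between `tcp.port == 80`, which matches both the SYN and the POST, and `http`, which matches only the packet carrying an HTTP message; likewise `ip.addr` and `tcp.port` match in either direction because Wireshark's filter fields `ip.addr` and `tcp.port` cover both source and destination. The ARP frame matches nothing but `arp`, since it has no IP layer for the other filters to look at.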
TL;DR
Install Wireshark → Choose active interface → Start capture → Use filters to focus → Analyze packet details → Save capture.
Common filters: http, dns, ip.addr == <ip>, frame contains "text".