Ethical Hacking #Wireshark #network analysis #packet capture

How to Use Wireshark to Analyze Network Traffic (Beginner Guide)

Master packet capture with Wireshark: filters, protocols, DNS analysis, HTTP inspection, and finding security issues.


Wireshark is the world’s leading network protocol analyzer. It captures data traveling across your network and displays it in human-readable format. For security professionals, Wireshark is invaluable for understanding network behavior, detecting malicious activity, and troubleshooting connectivity issues.

This guide covers the fundamentals: capturing packets, applying filters, analyzing protocols, and spotting security issues.

What Is Wireshark?

Wireshark captures data-link layer packets (Ethernet frames) and reassembles them into meaningful information. It shows:

  • Packets: Individual units of data on the network
  • Protocols: HTTP, DNS, FTP, SSH, HTTPS, etc.
  • Conversations: Communication between two or more hosts
  • Application data: Unencrypted traffic content

Wireshark is free, open-source, and runs on Windows, macOS, and Linux.

Installation

Linux (Debian/Ubuntu):

sudo apt install wireshark
sudo usermod -aG wireshark $USER
# Log out and back in

macOS (Homebrew):

brew install wireshark

Windows:

Download from https://www.wireshark.org/download/

Run the installer, accept default options.

Starting Wireshark

wireshark &

Or launch it from the application menu on Windows/macOS.

The Wireshark window shows:

  • Top: Menu bar and toolbar
  • Upper middle: Network interfaces to capture from
  • Lower middle: Captured packets list
  • Bottom: Packet details (hex and ASCII)

Capturing Packets

Step 1: Select interface

The interface list shows available network adapters:

eth0           192.168.1.100 (Wired Ethernet)
wlan0          192.168.1.101 (WiFi)
lo             127.0.0.1 (Loopback)

Double-click the interface you want to monitor (usually eth0 or en0).

Step 2: Start capture

Wireshark immediately starts capturing packets. You’ll see packets appearing in the list in real-time.

Step 3: Generate traffic

While capturing, interact with the network:

ping google.com
curl http://example.com

Watch packets appear.

Step 4: Stop capture

Click Capture → Stop or press Ctrl+E.

Understanding the Packet List

The main window shows columns:

Column       Meaning
No.          Packet number (sequence)
Time         Seconds since capture started
Source       Sending IP address
Destination  Receiving IP address
Protocol     Protocol used (TCP, UDP, DNS, HTTP, etc.)
Length       Packet size in bytes
Info         Summary of packet content

Example packet:

No.  Time        Source           Destination      Protocol  Length  Info
42   5.234567    192.168.1.100    8.8.8.8         DNS       65      Standard query 0xabcd A google.com

This shows: host 192.168.1.100 queried DNS server 8.8.8.8 for the IP address of google.com.

Packet Details

Click any packet to expand the Packet Details panel (bottom):

Frame 42: 65 bytes on wire (520 bits), 65 bytes captured (520 bits)
  Arrival Time: Apr  3, 2026 14:23:45.234567000 PDT
  [Time delta from previous captured frame: 0.125000000 seconds]
  [Time delta from first frame: 5.234567000 seconds]

Ethernet II, Src: 08:00:27:6f:f3:e5, Dst: 08:00:27:00:00:01
  Destination MAC: 08:00:27:00:00:01
  Source MAC: 08:00:27:6f:f3:e5

Internet Protocol Version 4, Src: 192.168.1.100, Dst: 8.8.8.8
  Version: 4
  Header Length: 20 bytes
  Total Length: 51 bytes

User Datagram Protocol, Src Port: 54321, Dst Port: 53
  Source Port: 54321
  Destination Port: 53 (DNS)
  Length: 31 bytes
  Checksum: 0xabcd

Domain Name System (query)
  Transaction ID: 0xabcd
  Questions: 1
  google.com: type A, class IN

This shows the complete packet journey from Layer 2 (Ethernet) through Layer 7 (DNS).
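As an added illustration (not part of the original guide), the Python below rebuilds the DNS query frame from the dissection above using its visible field values, then walks it layer by layer the way the Packet Details pane does. The IP and UDP lengths are computed from the bytes actually built, so they differ slightly from the capture shown; the IP ID, TTL and zeroed checksums are assumptions.

```python
import struct
from typing import Any, Dict

# Constructed sample: Ethernet -> IPv4 -> UDP -> DNS, rebuilt from the field values
# in the dissection above (MACs, IPs, ports, transaction ID 0xabcd, google.com A IN).
def build_dns_query_frame(name: str = "google.com", txid: int = 0xABCD) -> bytes:
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 54321, 53, 8 + len(dns), 0) + dns   # checksum 0 = not computed
    ip_len = 20 + len(udp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 0x1234, 0, 64, 17, 0,   # ID/TTL assumed
                     bytes([192, 168, 1, 100]), bytes([8, 8, 8, 8])) + udp
    eth = bytes.fromhex("080027000001") + bytes.fromhex("0800276ff3e5") + b"\x08\x00"
    return eth + ip

def dissect(frame: bytes) -> Dict[str, Any]:
    """Decode the frame one layer at a time, stopping at the first layer we do not handle."""
    out: Dict[str, Any] = {}
    dst_mac, src_mac, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    out["eth"] = {"src": src_mac.hex(":"), "dst": dst_mac.hex(":"), "type": ethertype}
    if ethertype != 0x0800:                      # only IPv4 is dissected here
        return out
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                     # header length in bytes
    total_len, proto = struct.unpack("!H", ip[2:4])[0], ip[9]
    out["ip"] = {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
                 "hdr_len": ihl, "total_len": total_len, "proto": proto}
    if proto != 17:                              # 17 = UDP
        return out
    udp = ip[ihl:total_len]
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    out["udp"] = {"sport": sport, "dport": dport, "len": ulen}
    if 53 not in (sport, dport):
        return out
    d = udp[8:]
    txid, flags, qdcount = struct.unpack("!HHH", d[:6])
    pos, labels = 12, []                         # first question starts after the 12-byte header
    while d[pos]:                                # uncompressed labels end with a zero byte
        labels.append(d[pos + 1:pos + 1 + d[pos]].decode())
        pos += 1 + d[pos]
    qtype, qclass = struct.unpack("!HH", d[pos + 1:pos + 5])
    out["dns"] = {"txid": txid, "is_query": not flags & 0x8000, "questions": qdcount,
                  "qname": ".".join(labels), "qtype": qtype, "qclass": qclass}
    return out
```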

Applying Filters

Raw captures are overwhelming. Filters focus on relevant traffic.

Display filters (Wireshark syntax):

ip.addr == 192.168.1.100          # Traffic to/from specific IP
ip.src == 192.168.1.100           # From specific source
tcp.port == 80                    # HTTP traffic
dns                               # All DNS queries/responses
http                              # All HTTP traffic
tcp.flags.syn == 1                # TCP SYN packets (connection starts)
tcp.flags.rst == 1                # TCP RST packets (connection reset)
icmp                              # Ping requests/replies
arp                               # ARP requests/replies

Complex filters:

(ip.src == 192.168.1.100) && (tcp.port == 443)
# HTTPS traffic from 192.168.1.100

!(ip.addr == 192.168.1.1)
# Everything except router traffic (ip.addr occurs twice per packet, so negate the
# whole match; ip.addr != x only behaves this way in Wireshark 3.6 and later)

tcp.port == 22 && (ip.src == 192.168.1.50)
# SSH from specific workstation

dns.qry.name contains "example.com"
# DNS queries containing "example.com"

Using filters:

  1. Type in the Filter bar at the top
  2. Press Enter to apply
  3. Packet list updates to show only matching packets

Saved filters:

To create a reusable filter:

  1. Analyze → Display Filters
  2. Click + to add new
  3. Name: HTTP Traffic
  4. Filter: http
  5. Click OK

Analyzing Specific Protocols

DNS Analysis

Filter: dns

Displays all DNS queries and responses.

What to look for:

  • Suspicious domains: Typosquatting, malware C2
  • External DNS: Should go to ISP/cloud DNS, not random servers
  • Query rate: High DNS volume might indicate exfiltration

Example suspicious activity:

192.168.1.50 → 1.2.3.4 DNS query: malware-command-and-control.com

This indicates a host querying for a known malware domain.

HTTP Analysis

Filter: http

Shows all unencrypted HTTP traffic. Modern web uses HTTPS, so HTTP indicates:

  • Legacy systems
  • Intentional unencrypted communication
  • Proxy/middleman setup

Reconstructing HTTP requests:

  1. Find an HTTP request packet
  2. Right-click → Follow → HTTP Stream
  3. View the complete request and response

Example:

GET /api/users HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Authorization: Bearer eyJhbGc...

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 142

{"id": 1, "name": "Admin", "email": "admin@example.com", "password": "SecurePass123!"}

This reveals user data, including a password, transmitted unencrypted: a major security issue.

TCP Analysis

Filter: tcp.flags.syn == 1

Shows TCP connection initiation (SYN packets).

TCP three-way handshake:

  1. Client → Server: SYN (connection request)
  2. Server → Client: SYN-ACK (request received)
  3. Client → Server: ACK (acknowledged)

Detecting port scanning:

Multiple SYN packets from one source to many different ports on a host indicate scanning.

192.168.1.50 → 10.0.2.5 TCP SYN port 22
192.168.1.50 → 10.0.2.5 TCP SYN port 80
192.168.1.50 → 10.0.2.5 TCP SYN port 443
192.168.1.50 → 10.0.2.5 TCP SYN port 3306

Clear port scanning pattern.
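An added example, not from the original guide: the detection logic below runs over constructed lines shaped like tshark -T fields output (fields frame.time_relative, ip.src, ip.dst, tcp.dstport, filtered with tcp.flags.syn == 1 && tcp.flags.ack == 0, which keeps the client's initial SYN and drops the server's SYN-ACK). It flags a source that hits many distinct ports on one host within a short window, the pattern shown above; the threshold and window size are assumptions.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

# Constructed sample, shaped like the tab-separated output of:
#   tshark -r saved_capture.pcap -Y "tcp.flags.syn == 1 && tcp.flags.ack == 0" \
#          -T fields -e frame.time_relative -e ip.src -e ip.dst -e tcp.dstport
SAMPLE = """\
0.001000\t192.168.1.50\t10.0.2.5\t22
0.002100\t192.168.1.50\t10.0.2.5\t80
0.003200\t192.168.1.50\t10.0.2.5\t443
0.004300\t192.168.1.50\t10.0.2.5\t3306
0.005400\t192.168.1.50\t10.0.2.5\t8080
1.200000\t192.168.1.100\t203.0.113.10\t80
1.250000\t192.168.1.100\t203.0.113.10\t80
9.800000\t192.168.1.105\t192.168.1.1\t53
"""

def find_syn_scans(field_lines: str, min_ports: int = 5,
                   window_s: float = 2.0) -> List[Tuple[str, str, int]]:
    """Return (src, dst, distinct_ports) for pairs where one source sent SYN-only
    packets to at least min_ports distinct ports within a window_s-second sliding
    window. Repeated SYNs to the same port (retransmits, reconnects) are not new ports,
    so a busy but legitimate client does not trip the threshold."""
    recent: Dict[Tuple[str, str], Deque[Tuple[float, int]]] = defaultdict(deque)
    flagged: Dict[Tuple[str, str], int] = {}
    for line in field_lines.splitlines():
        if not line.strip():
            continue
        t_str, src, dst, port_str = line.split("\t")
        t, port = float(t_str), int(port_str)
        q = recent[(src, dst)]
        q.append((t, port))
        while q and t - q[0][0] > window_s:      # drop events older than the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= min_ports:
            flagged[(src, dst)] = max(flagged.get((src, dst), 0), len(distinct))
    return sorted((s, d, n) for (s, d), n in flagged.items())
```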

Statistics and Conversation Analysis

Analyze → Conversations:

Shows all communication between IP pairs:

Address A          Address B          Packets  Bytes    Duration
192.168.1.100      8.8.8.8            142      45,230   00:05:23
192.168.1.100      208.67.222.222     67       18,900   00:02:15
192.168.1.105      192.168.1.1        1,245    2.3MB    00:15:00

This reveals which systems communicate, how much, and for how long.

Protocol statistics:

Analyze → Protocol Hierarchy:

Frame (100%)
  Ethernet (100%)
    IPv4 (95%)
      TCP (60%)
        HTTP (30%)
        SSH (20%)
        HTTPS (10%)
      UDP (35%)
        DNS (25%)
        DHCP (10%)
    ARP (5%)

Shows protocol distribution. Unusual patterns (high DNS, unusual ports) indicate issues.

Detecting Security Issues

Data Exfiltration

Look for large outbound data transfers to unknown IPs:

Filter: (ip.src == 192.168.1.100) && (ip.dst != 192.168.1.0/24)

Identify traffic leaving the network.

Malware Communication

DNS queries to known malware domains:

Filter: dns.qry.name contains "bit" || dns.qry.name contains "malware"

These substring matches are only a starting point; cross-reference the results against blocklists.

Unencrypted Credentials

Look for login traffic in plaintext:

Filter: ftp || telnet || http

FTP and Telnet transmit passwords unencrypted. HTTP may contain credentials.

Follow the stream to see the plaintext data:

Right-click packet → Follow → TCP Stream (or HTTP Stream for HTTP traffic)

Suspicious Port Activity

Uncommon ports with high traffic:

Filter: tcp.port > 10000 && !(tcp.port == 3389)

Identifies unusual port usage. Most matches will be ephemeral client ports or legitimate services, so check the destination port of each conversation before treating a hit as suspicious.

Exporting and Reporting

Export packets:

File → Export Packet Dissections → As CSV

Useful for:

  • Automated analysis
  • Integration with SIEM systems
  • Forensic archiving
  • Team reports

Save capture file:

File → Save As

Saves as .pcap (Packet Capture format). Can be reopened later or analyzed with other tools.

# Analyze offline capture
wireshark saved_capture.pcap

# Extract specific protocol with tshark (CLI tool)
tshark -r saved_capture.pcap -Y dns

Practical Lab Exercise

Setup:

  1. Start Wireshark capture on your lab VM
  2. Open a browser and visit http://example.com
  3. Make several DNS queries
  4. Run a ping to a remote host
  5. Stop capture

Analysis:

  1. Filter for DNS traffic: dns
  2. Find the DNS query for example.com
  3. Filter for HTTP: http
  4. Follow the HTTP stream to see the page content
  5. Filter for ICMP: icmp
  6. Examine ping packets and responses

Best Practices

  1. Capture strategically: Know what traffic you’re looking for
  2. Use filters: Don’t drown in noise
  3. Save captures: Archive for later review or escalation
  4. Document findings: Note what you observed and what it means
  5. Follow ethics: Only capture traffic you’re authorized to analyze
  6. Understand protocols: Learn TCP/IP stack to interpret results

Conclusion

Wireshark transforms network traffic into actionable intelligence. Whether you’re investigating a security incident, troubleshooting connectivity, or learning how protocols work, Wireshark is indispensable.

Master packet analysis and you’ll have insights into your network that few others possess. You’ll see what’s really happening beneath the GUI layer.

Wireshark is your window into network reality. Look through it often.
