Wireshark Tutorial
Beginner · ⏱ 20 min read · Network Security & Monitoring
See every packet. Master network analysis with Wireshark.
Wireshark is the world's foremost network protocol analyzer for capturing and inspecting traffic at the packet level.
Prerequisites
- Wireshark installed
- Basic TCP/IP knowledge
- A network interface with traffic
Installation & First Capture
Install Wireshark and start a capture on your primary interface. Learn the three panes: packet list, packet details, and packet bytes.
Capture vs Display Filters
Capture filters use BPF syntax and limit what is written to the capture in the first place. Display filters use Wireshark's own syntax and only change which already-captured packets are shown.
Essential Display Filters
Display filters worth knowing for rapid analysis: tcp.flags.syn, http.request, tls.handshake.type, dns, and ip.addr.
Following Streams
Right-click a packet and choose Follow, then TCP, UDP or HTTP Stream, to reconstruct the full conversation.
Protocol Analysis
Typical analysis targets: HTTP traffic, DNS tunneling, TLS certificate anomalies, and SMB lateral movement.
DNS Tunneling Detection
Indicators: unusually long query names, a high volume of queries to a single domain, and encoded data in TXT responses.
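The three indicators above, turned into a triage script over DNS query records as an added example (not part of the original tutorial). It assumes records shaped like a tshark field export (source, query name, query type, TXT answer); the sample records and thresholds are constructed, and "registered domain" is simplified to the last two labels.

```python
"""Heuristic DNS tunneling triage over DNS query records (added example)."""
import re
from collections import defaultdict

# Constructed sample, not a real capture: (source IP, query name, type, TXT answer or None)
SAMPLE_RECORDS = [
    ("10.0.0.5", "www.example.com", "A", None),
    ("10.0.0.5", "mail.example.com", "MX", None),
] + [
    # Hypothetical tunnel client: long pseudo-base64 labels, many queries, encoded TXT replies
    ("10.0.0.7", f"{'Q3VuazAwMQ' * 4}{i}.t.tunnel.example", "TXT",
     "aGVsbG8gd29ybGQgdGhpcyBpcyBkYXRh")
    for i in range(6)
]

MAX_LABEL_LEN = 30      # first label longer than this counts as "long query" (assumed threshold)
VOLUME_THRESHOLD = 5    # queries per (source, domain) at or above this count as "high volume"
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")  # crude "looks base64-encoded" check

def registered_domain(qname):
    """Simplification: last two labels, e.g. 'x.y.tunnel.example' -> 'tunnel.example'."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def analyze(records, max_label=MAX_LABEL_LEN, volume=VOLUME_THRESHOLD):
    """Return {(src, domain): sorted indicator names} for every pair that tripped a heuristic."""
    counts = defaultdict(int)
    reasons = defaultdict(set)
    for src, qname, qtype, answer in records:
        key = (src, registered_domain(qname))
        counts[key] += 1
        if len(qname.split(".")[0]) > max_label:
            reasons[key].add("long-label")
        if qtype == "TXT" and answer and B64_RE.match(answer):
            reasons[key].add("encoded-txt")
    for key, n in counts.items():
        if n >= volume:
            reasons[key].add("high-volume")
    return {k: sorted(v) for k, v in reasons.items()}

if __name__ == "__main__":
    for (src, domain), hits in analyze(SAMPLE_RECORDS).items():
        print(f"{src} -> {domain}: {', '.join(hits)}")
```

Pairs with all three indicators deserve a Follow Stream look; a single indicator alone (long CDN labels, one busy resolver) is usually benign.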
Statistics
Use the Statistics menu's Conversations, Endpoints, Protocol Hierarchy and I/O Graphs views to surface traffic patterns.
Forensic Workflow
1) Import the PCAP.
2) Review the Protocol Hierarchy.
3) Filter for suspected C2 traffic.
4) Follow the relevant streams.
5) Export transferred objects.
6) Document findings.
Frequently Asked Questions
Is Wireshark free?
Yes, completely free and open-source (GPL).
Can it decrypt traffic?
Only when you have the session keys. In a lab environment, import the TLS pre-master secrets so Wireshark can decrypt the sessions.
Wireshark vs tcpdump?
tcpdump is a command-line tool suited to scripted captures; Wireshark provides a GUI with visualization. Many analysts use both together.