Learning Wireshark: My First Dive into Packet Analysis

Introduction

One of the first tools I wanted to learn on my journey was Wireshark. It’s basically a way to see everything happening on a network—like watching data move in real time. I figured the best way to learn it was by diving in myself, capturing traffic, playing around with filters, and seeing what I could find. In this post, I’ll share what I learned, some tips that helped, and how this tool is helping me get a better feel for network security.

What is Wireshark?

Wireshark is a free, open-source network protocol analyzer used to capture and inspect data packets in real time. It lets you see exactly what’s happening on a network at a detailed level, making it a go-to tool for troubleshooting, network forensics, and cybersecurity analysis.

Setting Up & Capturing Traffic

Starting interface of wireshark

https://www.wireshark.org/download.html

A live capture with packet details displayed

When analyzing packets in Wireshark, the interface is broken into three main panes:

• Packet List Pane: Shows a high-level summary of each captured packet including time, source and destination IPs, protocol, and basic info. This is where you choose a packet to inspect further.

• Packet Details Pane: Breaks down the selected packet by protocol layers (e.g., Ethernet, IP, TCP, HTTP). You can expand each layer to see field-level data like flags or sequence numbers.

• Packet Bytes Pane: Displays the raw hexadecimal and ASCII representation of the selected packet. Useful for low-level inspection or spotting embedded data.

Photo of the shark fin button being used in order to capture traffic on my Wi-Fi network (traffic sniffing)

In this example, Wireshark displays a single UDP packet. You can see the source and destination IP addresses, the protocol used (UDP), and additional info showing that data was sent from port 443 (typically HTTPS) to port 49664, with a payload length of 24 bytes. UDP is a connectionless protocol, meaning it doesn't establish a handshake like TCP does—making it faster but less reliable.

Key Techniques I Practiced

Technique 1: Validating a Packet Capture

Statistics > Capture File Properties

This summary helps validate that the capture was successful, no packets were missed, and the data is clean for analysis. It's especially useful when troubleshooting or documenting a capture session.

In the image above, we can see This capture lasted about 5 seconds and recorded 57 packets on the Wi-Fi 2 interface with no dropped packets. The average packet size was 123 bytes, and the traffic rate was around 11.8 packets/sec. No capture filter was used, so all traffic was recorded. This section confirms that the capture ran cleanly and is ready for analysis.

Key Technique 2: Inspecting Packet Structure by Protocol Layers

When analyzing traffic, one of the most important skills is breaking down a packet into its individual protocol layers. Wireshark makes this easy by visually separating each layer in the Packet Details Pane, letting you inspect everything from the physical frame to the application-level data.

Layer 1: The Frame - Shows capture-specific metadata like timestamp, frame length, and encapsulation.

Layer 2: Ethernet 2 - Displays MAC addresses and frame type.

Layer 3: IP (Internet Protocol) - Contains the source and destination IP address

Layer 4: TCP/UDP - Shows port numbers, sequence/ACK numbers, and flags like SYN, ACK, FIN.

Layer 5 - 7: Application Protocol - Displays protocols like HTTP, DNS, or SSL, and even contents like HTML or form data if unencrypted.

OSI Layers

The OSI layers are fundamental when it comes to understanding how networks and packets work, and how we interact with computers.

Popular Mnemonic:

"All People Seem To Need Data Processing"

Each word stands for a layer:

• All → Application

• People → Presentation

• Seem → Session

• To → Transport

• Need → Network

• Data → Data Link

• Processing → Physical

My Wireshark Cheat Sheet

“Hot IPs Try DNS First”
(HTTP, IP, TCP, DNS, FTP – common protocols you'll filter for)

Observations & Troubleshooting

While capturing and analyzing packets with Wireshark, a few key things stood out:

• Volume builds fast – Even a short 5-second capture resulted in dozens of packets. Without filters, it’s easy to get overwhelmed. Using basic filters like http, tcp.port == 443, or ip.addr helped narrow things down quickly.

• Understanding the protocol stack was essential – At first, I focused too much on the raw packet list. Once I started reading the protocol layers (Ethernet → IP → TCP/UDP → App-level), it clicked how everything fits together.

• TLS traffic is encrypted – I expected to “see everything” at first, but realized HTTPS and TLSv1.2 packets won’t show readable content. This helped reinforce the importance of encryption from a security perspective.

• Wrong interface = no packets – Early on, I started a capture on the wrong network interface and couldn’t see any traffic. After switching to my active Wi-Fi interface, packets immediately appeared.

• TCP Streams revealed full conversations – Using the “Follow TCP Stream” option made it much easier to piece together how applications and servers were interacting. It’s especially useful for spotting login forms or plain-text data in unencrypted sessions.

Conclusion

Learning Wireshark gave me a much clearer understanding of how data actually moves across a network. It’s one thing to know protocols in theory — but capturing, filtering, and dissecting real traffic made it all click. From spotting how devices communicate at different layers to recognizing the value of encrypted traffic, this experience has been a foundational step in building my skills as a future cybersecurity analyst. I’m excited to keep building on this by exploring tools like Nmap and diving deeper into threat detection and response.