Getting Started with Wireshark : A Beginner's Guide to Packet Analysis

Anagh Eshaan
7 min read

What is Wireshark?

  • Wireshark is a free, open-source tool that lets you see the actual data moving across your network.

  • It helps you:

    • Peek inside packets

    • Understand communication between devices

    • Troubleshoot issues

    • Spot weird or malicious activity

  • It’s powerful, eye-opening, and a skill worth learning early on in your cybersecurity journey.


What can you do with Wireshark?

  1. Analyse network traffic

    • Wireshark shows you what’s coming in and going out of your system (every packet, every request).

    • You can see the source, destination, protocol, data size, and even the actual content (if it’s not encrypted).

  2. Troubleshoot network issues

    • With Wireshark, you can identify where things go wrong.

    • Maybe a DNS request isn’t resolving, or a service isn’t responding.

  3. Spot malicious activity

    • Wireshark helps detect things like:

      • Suspicious IP addresses

      • Port scans

      • Weird payloads

      • Unauthorized connections

    • It's a great way to understand what a compromised system might look like, which is gold when you're learning security.

  4. Learn how protocols work

    • It also helped me understand how concepts like TCP handshakes, HTTP requests, or DNS look under the hood.

    • Wireshark is a visual, hands-on way to see how protocols work instead of just reading about them.


How to Install Wireshark

  • Getting started with Wireshark is simple.

  • Windows

    • Head to the official website: https://www.wireshark.org.

    • Download the Windows installer.

    • Run the setup file (keep clicking Next).

    • During the installation, it’ll ask you to install Npcap; say yes. It’s the driver that lets Wireshark capture live traffic.

  • macOS

    • Use Homebrew (if you don’t have it, install it from https://brew.sh).

    • Run the following in a terminal:

          brew install wireshark

    • You’ll be asked whether non-root users should be allowed to capture packets; answer yes if you want to avoid using sudo every time.

  • Linux

    • In a terminal, type the following:

          sudo apt update
          sudo apt install wireshark
          sudo usermod -aG wireshark $USER

    • The third line adds your user to the wireshark group, which grants it permission to capture packets.

    • Log out and log back in to begin using Wireshark.


Exploring Wireshark

  • When you launch Wireshark, you'll see:

    • A list of network interfaces (like your Wi-Fi, Ethernet, etc.)

    • A search bar to find an interface.

    • A toolbar with capture/start buttons.

  • Look for the interface that's actively receiving data (you’ll see the live packet graph moving). That’s usually your internet connection.

  • Now, we can begin capturing.

    • Double-click your active interface.

    • You’ll see the capture screen.

      [Screenshot: the Wireshark packet capture window]

    • You can see information like:

      • Time : When the packet arrived.

      • Source and Destination IPs.

      • Protocol.

      • Length and Information of the packet.

  • To stop capturing packets, click on the red stop button visible at the top.

  • You can then save this file.

    • Go to File > Save As and save the .pcapng file.

    • You can open this later to review your traffic.


Understanding the Layout

  • Opening Wireshark for the first time can feel overwhelming.

  • Lots of packets, tons of colours, and multiple panes.

  • But once you understand the layout, things start making a lot more sense. Let’s break it down.

  • Packet List Pane (Top Section)

    • This is where you’ll see a live list of captured packets. Each row represents a single network packet.

    • No. – The order in which packets were captured.

    • Time – Timestamp of the packet capture.

    • Source and Destination – The IP addresses or hostnames sending/receiving the packet.

    • Protocol – Whether it’s TCP, UDP, DNS, HTTP, etc.

    • Length – Size of the packet.

    • Info – A summary that often gives quick insights like port numbers, request types, or flags (e.g., SYN, ACK).

  • Packet Details Pane (Middle Section)

    • When you click on a packet from the list, this pane breaks it down layer by layer.

    • You’ll usually see things like:

      • Frame – Basic metadata about the packet.

      • Ethernet II – Link-layer info (MAC addresses).

      • Internet Protocol (IP) – Network-layer info (IP addresses).

      • Transmission Control Protocol (TCP) – Transport-layer info (ports, flags).

      • Application Protocol – HTTP, DNS, TLS, etc.

    • Each layer is expandable. Click the small triangles to dive into fields like sequence numbers, flags, queries, responses, and much more.

    • This is where the real analysis happens — you can inspect headers, payloads, and even reconstruct conversations.

  • Packet Bytes Pane (Bottom Section)

    • This is the raw view: the bytes that make up the packet, shown as hex and ASCII values.

    • Left: Offset value.

    • Middle: Hex representation.

    • Right: ASCII characters (when printable).

    • This section is where I struggled, but after a little more research, I figured out that you probably don’t need to use it often as a beginner.

    • It’s useful for deep dives, especially if you're looking for file signatures, payloads, or patterns in the raw data.

  • Colours

    • Wireshark uses color rules to help you quickly recognize traffic types.

      • Light purple – TCP traffic

      • Light blue – UDP traffic

      • Black – Packets with errors

      • Green – HTTP requests/responses

    • You can view or customise these under View > Coloring Rules.
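As an added example (not code from the post), here is a small Python script that writes a constructed capture in the libpcap format Wireshark reads and then parses it back into the columns of the Packet List pane: No., Time (relative to the first packet), Source, Destination, Protocol, Length and Info. The addresses, ports and timestamps are made up, and only IPv4 over Ethernet carrying TCP or UDP is decoded.

```python
import struct

TCP, UDP = 6, 17
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK"}  # Wireshark's Info order

def frame(src, dst, proto, sport, dport, flags=0, payload=b""):
    """Build one Ethernet/IPv4/(TCP|UDP) frame. Constructed sample data, not a real capture."""
    if proto == TCP:  # 20-byte TCP header: ports, seq, ack, data offset (5 words) + flags, window, csum, urg
        l4 = struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | flags, 65535, 0, 0) + payload
    else:             # 8-byte UDP header: ports, length, checksum (left as 0 in this sample)
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + l4  # dst MAC, src MAC, EtherType IPv4

def pcap(frames, t0=1_700_000_000.0):
    """Wrap frames in a little-endian libpcap file: 24-byte global header, then a 16-byte header per record."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for i, f in enumerate(frames):
        sec, usec = divmod(int((t0 + 0.25 * i) * 1_000_000), 1_000_000)  # one frame every 250 ms
        out += struct.pack("<IIII", sec, usec, len(f), len(f)) + f
    return out

def packet_list(data):
    """Return rows like the Packet List pane: (No., Time, Source, Destination, Protocol, Length, Info)."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    rows, off, first = [], 24, None
    while off + 16 <= len(data):
        sec, usec, incl, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        f, off = data[off + 16:off + 16 + incl], off + 16 + incl
        ts = sec + usec / 1e6
        first = ts if first is None else first  # the Time column is relative to the first packet
        ihl, proto = (f[14] & 0x0F) * 4, f[23]  # IPv4 header starts after the 14-byte Ethernet header
        src, dst = ".".join(map(str, f[26:30])), ".".join(map(str, f[30:34]))
        l4 = f[14 + ihl:]
        sport, dport = struct.unpack("!HH", l4[:4])
        if proto == TCP:
            flags = struct.unpack("!H", l4[12:14])[0] & 0x1FF
            name, info = "TCP", f"{sport} → {dport} [{', '.join(n for b, n in TCP_FLAGS.items() if flags & b)}]"
        else:  # UDP (only TCP and UDP are decoded here); Wireshark labels port-53 traffic as DNS
            name, info = ("DNS" if 53 in (sport, dport) else "UDP"), f"{sport} → {dport}"
        rows.append((len(rows) + 1, round(ts - first, 6), src, dst, name, len(f), info))
    return rows
# Constructed sample: a TCP three-way handshake to port 443, then a UDP datagram to 8.8.8.8 port 53
SAMPLE_PCAP = pcap([
    frame("192.168.1.100", "203.0.113.10", TCP, 51234, 443, flags=0x02),   # SYN
    frame("203.0.113.10", "192.168.1.100", TCP, 443, 51234, flags=0x12),   # SYN, ACK
    frame("192.168.1.100", "203.0.113.10", TCP, 51234, 443, flags=0x10),   # ACK
    frame("192.168.1.100", "8.8.8.8", UDP, 5353, 53, payload=b"\x00" * 12),
])
```

Calling `packet_list(SAMPLE_PCAP)` gives four rows whose Info column reads `51234 → 443 [SYN]`, `443 → 51234 [SYN, ACK]`, `51234 → 443 [ACK]` and `5353 → 53`, which is exactly how the handshake looks in the top pane.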


Beginner Tips

  1. Use Display Filters to Cut the Noise

    • When you first capture packets, it can feel overwhelming. That’s where filters come in handy.

    • Here are a few:

      • http – Shows only HTTP packets

      • tcp.port == 443 – Filters traffic going through port 443 (HTTPS)

      • ip.addr == 192.168.1.100 – Shows all traffic to or from a specific IP address

      • dns – Shows only DNS-related packets

  2. Follow a Stream to Read Conversations

    • Right-click on a TCP packet

    • Click “Follow” > “TCP Stream”

    • This opens up the entire conversation, like reading chat logs. Great for understanding how requests and responses work, especially with protocols like HTTP, FTP, or Telnet.

    • You can also follow UDP streams, if you’re looking at protocols like DNS or VoIP.

  3. Take It Slow, One Packet at a Time

    • Instead of trying to understand everything at once:

      • Focus on one protocol at a time (e.g., just look at HTTP traffic for a session)

      • Open a packet and read the layer by layer breakdown

      • Use color coding as cues — red for issues, green for successful TCP handshakes, etc.

  4. Use Capture Filters to Avoid Recording Unwanted Traffic

    • Unlike display filters (which hide things after capture), capture filters prevent unwanted packets from being recorded in the first place.

    • Set them before starting a capture (at the interface selection screen). Some examples:

      • port 80 – Capture only HTTP traffic

      • host 8.8.8.8 – Capture only traffic to/from Google DNS

      • tcp – Capture only TCP packets

    • Helpful when you’re trying to isolate a specific type of activity.

  5. Mark and Comment on Important Packets

    • When analyzing large captures:

      • Right-click on a packet and Mark Packet (shortcut: Ctrl+M)

      • You can also Add Comments to individual packets to note what they represent.

  6. Export Specific Packets

    • Want to share only a part of a big capture?

      • Select packets > right-click > Export Specified Packets

      • Choose to export only marked, displayed, or a range of packets
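Added example (not from the post) covering tips 1 and 4 together: a small Python model of the display-filter expressions listed above (`http`, `tcp.port == 443`, `ip.addr == 192.168.1.100`, `dns`, combined with `&&`, `||` and `!`) and of the capture-filter primitives (`port 80`, `host 8.8.8.8`, `tcp`, combined with `and`, `or`, `not`), run over a constructed packet table. The packet table, its `app` field and the function names are my assumptions; what it shows is that `ip.addr ==` and `tcp.port ==` match either endpoint, and that a packet rejected by a capture filter is never recorded, whereas a display filter only hides it.

```python
# Constructed packet summaries, the fields the Packet List pane would show; not a real capture
PACKETS = [
    dict(no=1, src="192.168.1.100", dst="8.8.8.8", proto="udp", sport=5353, dport=53, app="dns"),
    dict(no=2, src="8.8.8.8", dst="192.168.1.100", proto="udp", sport=53, dport=5353, app="dns"),
    dict(no=3, src="192.168.1.100", dst="203.0.113.10", proto="tcp", sport=51234, dport=443, app="tls"),
    dict(no=4, src="192.168.1.100", dst="203.0.113.20", proto="tcp", sport=51235, dport=80, app="http"),
    dict(no=5, src="203.0.113.20", dst="192.168.1.100", proto="tcp", sport=80, dport=51235, app="http"),
    dict(no=6, src="192.168.1.7", dst="192.168.1.100", proto="tcp", sport=40000, dport=22, app="ssh"),
]

def field_values(pkt, name):
    """Values a display-filter field can match; ip.addr and tcp.port each carry TWO values (src and dst)."""
    layer, _, field = name.partition(".")
    if not field:  # bare protocol name such as http, dns, tcp or ip
        return [True] if name in ("ip", pkt["proto"], pkt["app"]) else []
    if layer == "ip":
        return {"addr": [pkt["src"], pkt["dst"]], "src": [pkt["src"]], "dst": [pkt["dst"]]}.get(field, [])
    if layer == pkt["proto"]:  # tcp.port never matches a UDP packet, and vice versa
        return {"port": [pkt["sport"], pkt["dport"]], "srcport": [pkt["sport"]], "dstport": [pkt["dport"]]}.get(field, [])
    return []

def display_atom(text, pkt):
    """One display-filter term: 'field', 'field == value', or either prefixed with '!'."""
    if text.startswith("!"):
        return not display_atom(text[1:].strip(), pkt)
    name, _, want = (part.strip() for part in text.partition("=="))
    values = field_values(pkt, name)
    return any(str(v) == want for v in values) if want else bool(values)  # '==' is true if ANY value matches

def display(expr, packets=PACKETS):
    """Display filter: hides packets after capture. Supports '||' of '&&' of terms (no parentheses)."""
    keep = lambda p: any(all(display_atom(t.strip(), p) for t in clause.split("&&")) for clause in expr.split("||"))
    return [p["no"] for p in packets if keep(p)]

def capture_atom(text, pkt):
    """One capture-filter (BPF-style) primitive from the post: 'port N', 'host X', 'tcp', 'udp', or 'not ...'."""
    words = text.split()
    if words[0] == "not":
        return not capture_atom(" ".join(words[1:]), pkt)
    if words[0] == "port":
        return words[1] in (str(pkt["sport"]), str(pkt["dport"]))
    if words[0] == "host":
        return words[1] in (pkt["src"], pkt["dst"])
    return pkt["proto"] == words[0]

def capture(expr, packets=PACKETS):
    """Capture filter: packets it rejects are never recorded, so no later display filter can bring them back."""
    keep = lambda p: any(all(capture_atom(t.strip(), p) for t in clause.split(" and ")) for clause in expr.split(" or "))
    return [p for p in packets if keep(p)]
```

For instance, `display("ip.addr == 192.168.1.100")` lists all six packets, but `display("ip.addr == 192.168.1.100", capture("not port 22"))` lists only 1 to 5, because packet 6 was never captured.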


Final Thoughts

  • If you're just starting out in cybersecurity or networking, Wireshark is one of the best hands-on tools you can learn. It gives you a transparent view of what’s happening on your network, packet by packet.

  • Here’s why you should keep exploring Wireshark:

    • It’s free, open-source, and incredibly powerful.

    • You’ll develop a deep understanding of protocols that many skip over.

    • It’s used by real-world professionals — from SOC analysts to network engineers.

    • Mastering it now will pay off in future CTFs, interviews, and incident investigations.


What’s Next ?

  • My next blog will cover “The 6 Stages of the Cybersecurity Incident Response Lifecycle”.

  • From detection to recovery, I will cover what happens when a security incident strikes, and how organisations respond, contain, and learn from it.

  • This is the 3rd blog of the series where I document my path from beginner to cybersecurity professional — one certification, one tool, and one lab at a time.



Written by

Anagh Eshaan

An aspiring cybersecurity engineer.