Network Traffic Analysis with Wireshark
Master Wireshark for capturing and analyzing network traffic. Learn filters, protocol dissection, and how to spot suspicious activity.
Wireshark is the world’s most widely used network protocol analyzer. Whether you’re debugging a misconfigured service, investigating a breach, or simply learning how protocols work under the hood, Wireshark gives you a microscope into every packet traversing your network. This guide walks you through installation, capture fundamentals, powerful filtering techniques, and how to detect suspicious activity in real-world traffic.
Installation
Wireshark is available on all major platforms. On Linux, install it from your distribution’s package manager:
# Debian / Ubuntu
sudo apt install wireshark
# Fedora / RHEL
sudo dnf install wireshark
# Arch Linux
sudo pacman -S wireshark-qt
On macOS, use Homebrew:
brew install --cask wireshark
On Windows, download the installer directly from wireshark.org.
After installation on Linux, add your user to the wireshark group to capture packets without root privileges:
sudo usermod -aG wireshark $USER
Log out and back in for the group change to take effect.
Capture Basics
Launch Wireshark and you’ll see a list of available network interfaces. Select the one carrying the traffic you want to inspect — typically eth0 for wired connections or wlan0 for wireless — and click the shark fin icon to begin capturing.
Each captured packet is displayed in three panes: the packet list (summary of every frame), the packet details (protocol tree dissection), and the packet bytes (raw hex and ASCII). You can click any packet to inspect its full protocol stack from the Ethernet frame up through the application layer.
To stop a capture, press Ctrl+E. Save the resulting file as a .pcapng for later analysis or sharing with your team.
Promiscuous vs. Monitor Mode
By default, your NIC only captures traffic destined for your machine. Enabling promiscuous mode (checked by default in Wireshark) lets you see all traffic on the local segment. For wireless analysis, monitor mode captures all 802.11 frames, including management and control frames — essential for Wi-Fi security audits.
Display Filters vs. Capture Filters
Understanding the difference between these two filter types is critical for efficient analysis.
Capture Filters
Capture filters use BPF (Berkeley Packet Filter) syntax and are applied before packets are written to the buffer. They reduce the volume of data collected, which is important during long captures on busy networks.
host 192.168.1.50
port 443
net 10.0.0.0/8
tcp port 80 and host 10.0.0.5
not arp
Set capture filters in the input field above the interface list before starting a capture.
Display Filters
Display filters are applied after capture and use Wireshark’s own rich syntax. They’re more flexible and support protocol-specific fields:
ip.addr == 192.168.1.50
tcp.port == 443
http.request.method == "POST"
dns.qry.name contains "evil"
tcp.flags.syn == 1 && tcp.flags.ack == 0
Display filters don’t discard packets — they only hide non-matching ones, so you can refine your view without losing data.
Common Filters for Everyday Analysis
Here’s a quick reference of filters you’ll use constantly:
| Purpose | Display Filter |
|---|---|
| Traffic to/from a host | ip.addr == 10.0.0.5 |
| Only HTTP requests | http.request |
| DNS queries only | dns.flags.response == 0 |
| TCP SYN packets (new connections) | tcp.flags.syn == 1 && tcp.flags.ack == 0 |
| TLS Client Hello (start of each handshake) | tls.handshake.type == 1 |
| Packets with TCP errors | tcp.analysis.flags |
| ICMP traffic | icmp |
| Non-broadcast traffic | !(eth.dst == ff:ff:ff:ff:ff:ff) |
Protocol Analysis
Wireshark dissects hundreds of protocols automatically. Right-click any packet and select Follow → TCP Stream to reconstruct an entire TCP conversation in readable form — incredibly useful for inspecting HTTP exchanges, SMTP sessions, or any cleartext protocol.
For encrypted traffic like TLS, you can decrypt sessions if you have the server’s private key or a pre-master secret log. Set the key file under Edit → Preferences → Protocols → TLS → (Pre)-Master-Secret log filename and point it to your SSLKEYLOGFILE. Note that the server’s private key only helps for RSA key exchange; sessions using (EC)DHE key exchange, which includes all of TLS 1.3 and most modern TLS 1.2 traffic, can only be decrypted with the key log.
Useful Statistics
Navigate to Statistics → Conversations to see a breakdown of all communication pairs sorted by bytes transferred. Statistics → Protocol Hierarchy reveals the distribution of protocols in your capture — a sudden spike in DNS or ICMP traffic can be an immediate red flag.
Detecting Suspicious Traffic
ARP Spoofing
ARP spoofing is a classic Layer 2 attack. Look for duplicate IP-to-MAC mappings:
arp.duplicate-address-detected
You can also enable Edit → Preferences → Protocols → ARP → Detect ARP request storms to get automatic warnings. Multiple gratuitous ARP replies from different MAC addresses for the same IP are a clear indicator of poisoning.
DNS Exfiltration
Attackers often tunnel data through DNS queries using long, encoded subdomains. Filter for unusually large DNS packets or suspicious query names:
dns.qry.name.len > 50
dns && udp.length > 512
Look for high-frequency queries to a single domain with randomized subdomains — patterns like aGVsbG8gd29ybGQ.attacker.com suggest Base64-encoded exfiltration.
Port Scans
A SYN scan generates a flood of SYN packets without completing the three-way handshake. Detect this pattern:
tcp.flags.syn == 1 && tcp.flags.ack == 0
Then check Statistics → Conversations → TCP and sort by packet count. A single source IP sending SYN packets to dozens of destination ports is almost certainly scanning your network.
tshark: Wireshark on the Command Line
tshark is the terminal-based counterpart to Wireshark’s GUI. It’s indispensable for remote servers, automated analysis, and scripting.
Basic Capture
# Capture on interface eth0, write to file
tshark -i eth0 -w /tmp/capture.pcapng
# Capture only 500 packets
tshark -i eth0 -c 500
# Capture with a BPF filter
tshark -i eth0 -f "tcp port 80" -w /tmp/http.pcapng
Reading and Filtering
# Read a pcap and apply a display filter
tshark -r capture.pcapng -Y 'http.request.method == "POST"'
# Extract specific fields
tshark -r capture.pcapng -Y "dns" -T fields -e dns.qry.name -e dns.a
# Show conversation statistics
tshark -r capture.pcapng -q -z conv,tcp
Automated Detection Examples
# List all unique DNS queries sorted by frequency
tshark -r capture.pcapng -Y "dns.flags.response == 0" \
-T fields -e dns.qry.name | sort | uniq -c | sort -rn | head -20
# Detect potential SYN scan sources
tshark -r capture.pcapng -Y "tcp.flags.syn==1 && tcp.flags.ack==0" \
-T fields -e ip.src -e tcp.dstport | sort | uniq -c | sort -rn
# Extract all HTTP URLs from a capture
tshark -r capture.pcapng -Y "http.request" \
-T fields -e http.host -e http.request.uri
These one-liners integrate perfectly into shell scripts and SIEM ingestion pipelines.
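The SYN-scan one-liner above counts (source, port) pairs, but the actual indicator described in the Port Scans section is one source hitting many distinct targets without completing the handshake. As an added example (not from the original article), this Python script post-processes `tshark -T fields -e ip.src -e ip.dst -e tcp.dstport -e tcp.flags` output to compute exactly that; the sample lines, hosts and thresholds are constructed assumptions.

```python
from collections import defaultdict

SYN, ACK = 0x02, 0x10   # bit values inside the tcp.flags field

# Constructed sample of `tshark -r capture.pcapng -Y "tcp"
#   -T fields -e ip.src -e ip.dst -e tcp.dstport -e tcp.flags` output; not real traffic.
# 10.0.0.7 is a normal client completing one handshake; 10.0.0.66 probes seven ports.
SAMPLE_TCP_FIELDS = """\
10.0.0.7\t10.0.0.5\t443\t0x0002
10.0.0.5\t10.0.0.7\t51000\t0x0012
10.0.0.7\t10.0.0.5\t443\t0x0010
10.0.0.66\t10.0.0.5\t21\t0x0002
10.0.0.66\t10.0.0.5\t22\t0x0002
10.0.0.66\t10.0.0.5\t23\t0x0002
10.0.0.66\t10.0.0.5\t25\t0x0002
10.0.0.66\t10.0.0.5\t80\t0x0002
10.0.0.66\t10.0.0.5\t443\t0x0002
10.0.0.66\t10.0.0.5\t8080\t0x0002
10.0.0.5\t10.0.0.66\t40001\t0x0012
"""

def find_syn_scanners(field_lines, min_targets=5, max_completion=0.5):
    """Flag sources that send bare SYNs to many distinct (host, port) targets and
    rarely finish the handshake (no later ACK-without-SYN from them to that target)."""
    syn_targets = defaultdict(set)   # src -> {(dst, port)} that received a bare SYN
    completed = defaultdict(set)     # src -> {(dst, port)} where src later sent an ACK
    for line in field_lines.splitlines():
        if not line.strip():
            continue
        src, dst, port, flags = line.split("\t")
        bits = int(flags, 16)         # accepts "0x0002" as well as "0x00000002"
        target = (dst, int(port))
        if bits & SYN and not bits & ACK:
            syn_targets[src].add(target)
        elif bits & ACK and not bits & SYN and target in syn_targets[src]:
            completed[src].add(target)
    findings = []
    for src, targets in syn_targets.items():
        if len(targets) < min_targets:
            continue
        ratio = len(completed[src]) / len(targets)
        if ratio <= max_completion:
            findings.append({"src": src, "targets": len(targets),
                             "distinct_ports": len({p for _, p in targets}),
                             "completion_ratio": round(ratio, 2)})
    return sorted(findings, key=lambda f: -f["targets"])

if __name__ == "__main__":
    for finding in find_syn_scanners(SAMPLE_TCP_FIELDS):
        print(finding)
```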
Tips for Effective Analysis
- Color rules matter. Wireshark’s default coloring highlights TCP errors in black and HTTP traffic in green. Customize them under View → Coloring Rules to match your workflow.
- Use profiles. Create analysis profiles for different scenarios — malware triage, web debugging, VoIP — each with its own filters, columns, and color schemes.
- Mark and comment packets. Press Ctrl+M to mark interesting packets and Ctrl+Alt+C to add comments. This is invaluable when building an incident timeline.
- Export objects. Use File → Export Objects → HTTP to extract files transferred during a session — documents, images, executables — without manually reassembling streams.
- Automate with tshark. Anything you do repeatedly in the GUI can be scripted with tshark. Build a library of one-liners for your most common queries.
- Baseline your network. Capture normal traffic first. You can’t identify anomalies if you don’t know what “normal” looks like.
Wireshark is one of the most powerful tools in a security analyst’s arsenal. The more you practice reading packet captures, the faster you’ll spot the subtle signs of compromise that automated tools miss. Start capturing, start filtering, and let the packets tell their story.