
Master Network Packet Analysis with Wireshark: From Basics to TCP Handshake

This guide introduces Wireshark, a powerful open‑source packet capture tool, explains what it can and cannot do, compares it with Fiddler, details its interface, filtering options, OSI layer mapping, and walks through a practical TCP three‑way handshake analysis, helping network engineers and testers master protocol inspection.

MaGe Linux Operations

Introduction

This article introduces Wireshark, a popular open‑source network packet analysis tool that can capture HTTP, TCP, UDP and other protocol packets, helping users visualize each field and deepen their understanding of network protocols.

Wireshark Overview

Official website: http://www.wireshark.org/

Wireshark runs on Windows and macOS, is free to use, and requires users to understand network protocols to interpret captured data.

What Wireshark Cannot Do

For security reasons, Wireshark can only view packets; it cannot modify or send packets.

Wireshark vs. Fiddler

Fiddler is a Windows program that captures HTTP/HTTPS traffic. Wireshark can capture HTTP and HTTPS but cannot decrypt HTTPS content. Use Fiddler for HTTP/HTTPS analysis and Wireshark for other protocols such as TCP and UDP.

Similar Tools

Microsoft Network Monitor

Sniffer

Typical Users

Network administrators for troubleshooting

Software test engineers for analyzing test traffic

Socket programmers for debugging

Engineers at companies like Huawei and ZTE

Starting a Capture

Wireshark captures traffic on a selected network interface. Open Capture → Interfaces…, choose the appropriate NIC, and click Start.

Capture Interfaces Dialog

Wireshark Window Overview

The main panes are:

Display Filter – filters captured packets.

Packet List Pane – shows captured packets with source, destination, protocol, length, etc.

Packet Details Pane – displays fields of the selected packet.

Dissector Pane – shows raw hexadecimal data.

Miscellaneous – address bar and other controls.

Wireshark Main Window

Display Filtering

Filters are essential to reduce noise. There are two types:

Display filters – applied to the captured view to locate specific packets.

Capture filters – set in Capture → Capture Filters to limit what is recorded.

Saving Filters

Enter a filter expression, click Save, give it a name (e.g., "Filter 102"), and it appears as a button for quick reuse.

Save Filter Dialog

Filter Expression Rules

Protocol filter: tcp – shows only TCP packets.

IP filter: ip.src == 192.168.1.102 or ip.dst == 192.168.1.102.

Port filter: tcp.port == 80 or tcp.srcport == 80.

HTTP method filter: http.request.method == "GET".

Logical operators: and, or.
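The filter rules above, as an added Python example that is not part of the original article: a small evaluator for exactly the subset of Wireshark's display-filter syntax listed here (bare protocol names, `==` comparisons, `and`/`or`), run over constructed sample packets. The addresses and ports are hypothetical, and the evaluator also reproduces one behaviour the rules imply but do not spell out: a field that is absent from a packet (such as `tcp.port` on a UDP datagram) never matches.

```python
import re
from dataclasses import dataclass

@dataclass
class Packet:
    layers: tuple      # protocol layers present, e.g. ("ip", "tcp", "http")
    src: str
    dst: str
    srcport: int
    dstport: int
    method: str = ""   # HTTP request method, empty when the packet has none

# Constructed sample traffic with hypothetical addresses, not a real capture.
PACKETS = [
    Packet(("ip", "tcp", "http"), "192.168.1.102", "203.0.113.10", 52100, 80, "GET"),
    Packet(("ip", "tcp"), "203.0.113.10", "192.168.1.102", 80, 52100),
    Packet(("ip", "udp"), "192.168.1.102", "192.168.1.1", 53123, 53),
]

def field(pkt, name):
    """Resolve a Wireshark-style field name; None means the field is absent."""
    if name.split(".")[0] not in pkt.layers:
        return None                        # e.g. tcp.port asked of a UDP packet
    if name == "tcp.port":
        return {pkt.srcport, pkt.dstport}  # tcp.port matches either end
    return {"ip.src": pkt.src, "ip.dst": pkt.dst, "tcp.srcport": pkt.srcport,
            "tcp.dstport": pkt.dstport, "http.request.method": pkt.method}.get(name)

def atom(expr, pkt):
    """Evaluate one comparison or one bare protocol name against a packet."""
    expr = expr.strip()
    m = re.fullmatch(r'([\w.]+)\s*==\s*"?([^"]+)"?', expr)
    if not m:
        return expr in pkt.layers          # bare protocol filter such as "tcp"
    name, value = m.groups()
    actual = field(pkt, name)
    if actual is None:
        return False                       # an absent field never matches
    if isinstance(actual, set):
        return int(value) in actual
    return actual == (int(value) if isinstance(actual, int) else value)

def matches(expr, pkt):
    """'and' binds tighter than 'or', as in Wireshark's display-filter grammar."""
    return any(all(atom(a, pkt) for a in re.split(r"\s+and\s+", term))
               for term in re.split(r"\s+or\s+", expr))

def apply_filter(expr, packets=PACKETS):
    """Return the 1-based packet numbers that the display filter keeps."""
    return [n for n, p in enumerate(packets, 1) if matches(expr, p)]
```

Calling `apply_filter("tcp.port == 80")` returns `[1, 2]`, the same two packets the Packet List pane would keep after applying that filter.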

Packet List Pane Details

Shows packet number, timestamp, source, destination, protocol, length, and brief info. Colors can be customized via View → Coloring Rules.

Packet List Example

Packet Details Pane

This pane reveals each protocol layer’s fields, such as:

Frame – physical layer overview.

Ethernet II – data link layer header.

Internet Protocol Version 4 – IP header.

Transmission Control Protocol – TCP segment header.

Hypertext Transfer Protocol – HTTP information.

Wireshark and the OSI Model

OSI Model Mapping

TCP Packet Details

TCP Packet Fields

Example: TCP Three‑Way Handshake

The following images illustrate the three packets of the handshake captured by Wireshark.

SYN Packet

First packet: client sends SYN with sequence number 0.

SYN‑ACK Packet

Second packet: server replies with SYN‑ACK, acknowledging the client’s ISN + 1.

ACK Packet

Third packet: client sends an ACK, completing the handshake.

After the three packets, the HTTP request follows, confirming that HTTP operates over a TCP‑established connection.

Tags: network analysis, Packet Capture, Wireshark, TCP handshake, protocol filtering
Written by

MaGe Linux Operations

Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.
