Master Wireshark: A Step‑by‑Step Guide to Capturing and Analyzing Network Packets
This tutorial introduces Wireshark, walks through its main interface, demonstrates a simple packet‑capture workflow, explains capture and display filter syntax with practical examples, and details how to analyze TCP three‑way handshakes and common UI operations for effective network traffic analysis.
What is Wireshark?
Wireshark is a network packet analysis tool that captures network traffic and displays detailed packet information.
It uses WinPcap as the capture engine to communicate directly with the network interface and is widely used by network engineers and analysts.
Article Overview
Introduction to Wireshark's main interface.
Simple packet‑capture example.
Using Wireshark filters.
Wireshark Main Interface
The main window shows the menu bar, toolbar, and three primary panes: the packet list, packet details, and packet bytes view.
To start a capture, select Capture → Options, choose the appropriate WLAN interface, and click Start.
After starting, Wireshark enters capture mode and begins listing packets.
Simple Capture Example
1. Perform an operation that generates traffic, e.g., ping www.baidu.com.
2. Stop the capture; the captured packets appear in the list. Use the filter bar to narrow results, for example: ip.addr == 119.75.217.26 and icmp – shows only ICMP packets sent to or from the specified IP address.
Wireshark Filters
Wireshark provides two types of filters:
Capture filters – set before capturing (menu: Capture → Capture Filters).
Display filters – applied after capture to refine the view (menu: Analyze → Display Filters).
Common capture filter syntax includes type, direction, protocol, and logical operators, e.g.:
host 192.168.1.104
src host 192.168.1.104
dst host 192.168.1.104
Display filter operators include comparison operators (==, !=, >, <, etc.), protocol names (lower‑case), and logical connectors (and, or, not).
Examples:
tcp – show only TCP packets.
http – show only HTTP packets.
icmp – show only ICMP packets.
ip.addr == 192.168.1.104 – show packets where either the source or the destination IP matches.
tcp.port == 80 – show packets where either the TCP source or destination port is 80.
http.request.method == "GET" – show HTTP GET requests.
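To make the "either side" semantics of ip.addr and tcp.port concrete, here is a small evaluator for the subset of display-filter syntax used in these examples, run over a few constructed packet records. It is an added example written for this page, not Wireshark's own filter engine: the packet records, the field names it knows (ip.src, ip.dst, tcp.srcport, tcp.dstport, http.request.method) and the way protocol presence is recorded are assumptions made for the demonstration. It goes slightly beyond the single-term examples by also handling and/or/not and parentheses.

```python
"""Evaluator for a small subset of Wireshark display-filter syntax (an added example,
not Wireshark's own code): protocol names, comparisons, and/or/not, parentheses."""
import operator
import re

# Constructed sample packets (not a real capture): protocols present plus Wireshark-style field values.
PACKETS = [
    {"no": 1, "protocols": {"ip", "icmp"}, "ip.src": "192.168.1.104", "ip.dst": "119.75.217.26"},
    {"no": 2, "protocols": {"ip", "tcp", "http"}, "ip.src": "192.168.1.104",
     "ip.dst": "211.162.2.183", "tcp.srcport": 51000, "tcp.dstport": 80, "http.request.method": "GET"},
    {"no": 3, "protocols": {"ip", "tcp"}, "ip.src": "10.0.0.5", "ip.dst": "10.0.0.9",
     "tcp.srcport": 443, "tcp.dstport": 52000},
]
# Combined fields: a comparison holds if ANY underlying field satisfies it,
# which is why ip.addr == X selects packets sent to X as well as from X.
COMBINED = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport")}
CMP = {"==": operator.eq, "<": operator.lt, ">": operator.gt, "<=": operator.le, ">=": operator.ge}
KEYWORDS = {"and": "&&", "or": "||", "not": "!"}
TOKEN = re.compile(r'\s*(?:(\(|\))|(==|!=|>=|<=|>|<|&&|\|\||!)|"([^"]*)"'
                   r'|([A-Za-z_][\w.]*)|(\d[\d.]*)|(\S))')


def tokenize(text):
    """Split a filter string into (kind, value) tokens."""
    tokens = []
    for m in TOKEN.finditer(text.strip()):
        paren, op, string, ident, number, bad = m.groups()
        if bad:
            raise ValueError(f"bad character {bad!r} in filter")
        if paren or op:
            tokens.append(("op", paren or op))
        elif string is not None:
            tokens.append(("val", string))
        elif ident:
            tokens.append(("op", KEYWORDS[ident]) if ident in KEYWORDS else ("name", ident))
        else:  # plain integers become ints; dotted numbers (IPs) stay strings
            tokens.append(("val", int(number) if number.isdigit() else number))
    return tokens


def compare(pkt, field, op, value):
    """Apply one comparison; a field absent from the packet never matches."""
    present = [pkt[f] for f in COMBINED.get(field, (field,)) if f in pkt]
    if op == "!=":  # Wireshark 3.6+: "a != b" means "!(a == b)", so no value may equal b
        return not any(v == value for v in present)
    return any(CMP[op](v, value) for v in present)


def matches(text, pkt):
    """Recursive-descent evaluation of a filter against one packet record.
    Precedence, lowest to highest: or, and, not; parentheses group."""
    toks, pos = tokenize(text) + [("end", None)], 0

    def take():
        nonlocal pos
        pos += 1
        return toks[pos - 1]

    def or_expr():
        result = and_expr()
        while toks[pos] == ("op", "||"):
            take()
            result = and_expr() or result  # operand is always evaluated, so tokens are consumed
        return result

    def and_expr():
        result = unary()
        while toks[pos] == ("op", "&&"):
            take()
            result = unary() and result
        return result

    def unary():
        kind, tok = take()
        if (kind, tok) == ("op", "!"):
            return not unary()
        if (kind, tok) == ("op", "("):
            result = or_expr()
            if take() != ("op", ")"):
                raise ValueError("missing ')'")
            return result
        if kind != "name":
            raise ValueError(f"expected a field or protocol name, got {tok!r}")
        if toks[pos][0] == "op" and toks[pos][1] in ("!=", *CMP):
            op, (vkind, value) = take()[1], take()
            if vkind != "val":
                raise ValueError(f"expected a value after {op}")
            return compare(pkt, tok, op, value)
        return tok in pkt["protocols"]  # a bare name means "this protocol is present"

    result = or_expr()
    if toks[pos] != ("end", None):
        raise ValueError(f"unexpected token {toks[pos][1]!r}")
    return result


def apply_filter(text, packets=PACKETS):
    """Return the numbers of the packets that the display filter selects."""
    return [p["no"] for p in packets if matches(text, p)]
```

Calling apply_filter("ip.addr == 192.168.1.104 and icmp") selects only packet 1, while apply_filter("tcp.port == 80") selects packet 2 because its destination port matches. One caveat worth knowing when reading older tutorials: before Wireshark 3.6, `ip.addr != X` meant "any address field differs from X", so it did not exclude packets that involved X at all; since 3.6, `a != b` is evaluated as `!(a == b)`, which is what the evaluator above implements. Writing `!(ip.addr == X)` gives the same result in every version.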
Complex expressions can combine conditions, e.g.:
ip.addr == 192.168.1.104 and icmp
Analyzing a TCP Three‑Way Handshake
The three steps, shown with the relative sequence numbers Wireshark displays by default, are:
Client sends SYN (Seq=0, Ack=0).
Server replies with SYN,ACK (Seq=0, Ack=1).
Client sends final ACK (Seq=1, Ack=1).
To capture the handshake, start Wireshark, open a browser to a target site (e.g., www.huawei.com), and apply the filter ip.addr == 211.162.2.183. The first three packets correspond to the SYN, SYN‑ACK, and ACK of the handshake; subsequent packets show HTTP traffic.
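The Seq and Ack values listed above are a display convenience: Wireshark rebases each direction's sequence numbers on the first one it sees, so the real, randomised initial sequence numbers appear as 0. The following added example (not Wireshark's code) builds the handshake from constructed TCP headers with arbitrary initial sequence numbers, recomputes those relative values the way Wireshark shows them, and checks that the exchange is a well-formed handshake. The ports, the initial sequence numbers and the fourth data segment are constructed sample values.

```python
"""Parse raw TCP headers from a constructed handshake and reproduce the relative
Seq/Ack numbers Wireshark shows. Added example, not Wireshark's own code."""
import struct

TCP_HDR = "!HHIIHHHH"  # src port, dst port, seq, ack, offset+flags, window, checksum, urgent
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10}


def build_tcp(src_port, dst_port, seq, ack, flags):
    """Construct a minimal 20-byte TCP header (sample data; checksum left as 0)."""
    offset_flags = (5 << 12) | flags  # data offset = 5 words, i.e. no options
    return struct.pack(TCP_HDR, src_port, dst_port, seq, ack, offset_flags, 65535, 0, 0)


def parse_tcp(raw):
    """Decode the fixed TCP header fields and the names of the flags that are set."""
    src, dst, seq, ack, offset_flags = struct.unpack(TCP_HDR, raw[:20])[:5]
    return {"src": src, "dst": dst, "seq": seq, "ack": ack,
            "flags": [name for name, bit in FLAGS.items() if offset_flags & bit]}


# Constructed handshake, client port 52000 to server port 80, followed by the first
# data segment. The initial sequence numbers are arbitrary sample values; real stacks
# randomise them, which is why Wireshark shows relative numbers instead.
CLIENT_ISN, SERVER_ISN = 0x1A2B3C4D, 0x5E6F7081
CAPTURE = [
    build_tcp(52000, 80, CLIENT_ISN, 0, FLAGS["SYN"]),                                   # 1: SYN
    build_tcp(80, 52000, SERVER_ISN, CLIENT_ISN + 1, FLAGS["SYN"] | FLAGS["ACK"]),      # 2: SYN,ACK
    build_tcp(52000, 80, CLIENT_ISN + 1, SERVER_ISN + 1, FLAGS["ACK"]),                 # 3: ACK
    build_tcp(52000, 80, CLIENT_ISN + 1, SERVER_ISN + 1, FLAGS["PSH"] | FLAGS["ACK"]),  # 4: HTTP request
]


def relative_view(segments):
    """Return (flags, relative seq, relative ack) per segment as Wireshark displays them:
    each direction's first sequence number becomes 0, and Ack is 0 until the ACK flag is set."""
    first_seq = {}  # (src, dst) -> first sequence number seen in that direction
    rows = []
    for raw in segments:
        s = parse_tcp(raw)
        fwd, rev = (s["src"], s["dst"]), (s["dst"], s["src"])
        first_seq.setdefault(fwd, s["seq"])
        rel_seq = (s["seq"] - first_seq[fwd]) & 0xFFFFFFFF
        has_ack = "ACK" in s["flags"] and rev in first_seq
        rel_ack = (s["ack"] - first_seq[rev]) & 0xFFFFFFFF if has_ack else 0
        rows.append(("+".join(s["flags"]), rel_seq, rel_ack))
    return rows


def is_valid_handshake(segments):
    """True when the first three segments are SYN, SYN+ACK, ACK between the same two
    endpoints and every acknowledgement number equals the peer's ISN + 1."""
    if len(segments) < 3:
        return False
    a, b, c = (parse_tcp(raw) for raw in segments[:3])
    mask = 0xFFFFFFFF
    return (a["flags"] == ["SYN"]
            and b["flags"] == ["SYN", "ACK"]
            and (b["src"], b["dst"]) == (a["dst"], a["src"])
            and b["ack"] == (a["seq"] + 1) & mask
            and c["flags"] == ["ACK"]
            and (c["src"], c["dst"]) == (a["src"], a["dst"])
            and c["seq"] == (a["seq"] + 1) & mask
            and c["ack"] == (b["seq"] + 1) & mask)


if __name__ == "__main__":
    for number, (flags, seq, ack) in enumerate(relative_view(CAPTURE), 1):
        print(f"{number}: {flags:8} Seq={seq} Ack={ack}")
    print("handshake valid:", is_valid_handshake(CAPTURE))
```

Running the block prints the same three rows the tutorial lists (SYN 0/0, SYN+ACK 0/1, ACK 1/1) followed by the first data segment at Seq=1, Ack=1, which is where the HTTP traffic begins in the capture. If you disable relative sequence numbers in Wireshark (Edit → Preferences → Protocols → TCP), the raw values the code constructs are what you will see instead.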
Common Wireshark Operations
Adjust timestamp display format via View → Time Display Format → Date and Time of Day to see absolute times.
These are the essential steps for using Wireshark to capture, filter, and analyze network traffic.
21CTO