Master Wireshark: From Basics to Advanced Packet Capture and Filtering

Wireshark Introduction

Wireshark, also known as "Little Shark," is a popular open‑source network packet analysis tool that can capture and display detailed information of network packets on Windows and macOS.

Common Application Scenarios

Network administrators use Wireshark to diagnose network issues.

Software test engineers capture packets to analyze the behavior of the software under test.

Engineers writing socket programs use Wireshark for debugging.

Operations staff use it for routine monitoring and emergency response.

Capture Principle

Wireshark uses WinPcap (or npcap) to interact directly with the network interface. In a single‑machine setup it captures traffic on the local NIC; in a switched network it can obtain traffic via port mirroring or ARP spoofing.

Single‑machine capture

Wireshark captures traffic directly from the host's network card.

Switched network capture

Wireshark obtains traffic by configuring the switch to mirror ports or by performing ARP poisoning to redirect traffic to the capture host.

Capture Example (Ping)

Open Wireshark – the main window appears.

Choose Capture → Options and select the WLAN interface.

Click Start to begin capturing.

Execute ping www.baidu.com in a command prompt.

After the operation, click Stop to end capture.

Apply a display filter such as ip.addr == 183.232.231.172 && icmp to isolate relevant packets.

Save the captured data for later analysis.

Wireshark Interface Overview

The main window consists of six parts:

Menu bar : provides configuration and debugging options.

Tool bar : shortcuts for common functions.

Filter bar : enter capture or display filter expressions.

Packet list pane : each row represents a captured packet.

Packet details pane : hierarchical view of protocol fields.

Packet bytes pane : raw binary data of the selected packet.

Filter Settings

Wireshark provides two types of filters: capture filters (set before capturing) and display filters (applied after capture).

Capture Filters

Example: ip host 183.232.231.172 captures only packets to or from the specified IP.

Display Filters

Example: ip.addr == 183.232.231.172 && icmp shows only ICMP packets involving the given IP.

Common filter syntax includes protocol filters (e.g., tcp, http, icmp), IP filters ( host 192.168.1.104, src host 192.168.1.104), port filters ( port 80, src port 80), and logical operators ( &&, ||, !). For example, src host 192.168.1.104 && dst port 80 captures traffic from a specific host to port 80.

TCP Three‑Way Handshake Analysis

The guide demonstrates capturing the three packets of a TCP handshake when accessing www.baidu.com:

First handshake : client sends SYN (Seq=0, Ack=0).

Second handshake : server replies with SYN‑ACK (Seq=0, Ack=1).

Third handshake : client sends ACK (Seq=1, Ack=1).

After the handshake, normal data exchange proceeds, as shown in subsequent packet captures.

Common Operations

Adjust timestamp format via View → Time Display Format → Date and Time. Wireshark can be combined with emulators for more accurate testing. Use the filter bar to quickly locate packets of interest, and save capture files for later review.

Original source: https://mp.weixin.qq.com/s/AJWiPjIpcvXuRUzPK2FyvA