Fundamentals 13 min read

Master Wireshark: From Basics to Advanced Packet Capture Techniques

This guide introduces Wireshark, explains its common networking scenarios, capture principles, interface components, and filter syntax, and demonstrates a TCP three‑way handshake capture, providing practical steps and tips for effective packet analysis.

Open Source Linux

Wireshark Introduction

Wireshark (also known as "Little Shark") is a popular open‑source network packet analysis tool that can capture and display detailed information of network packets on Windows and macOS.

Common Use Cases

Network administrators use it to troubleshoot network issues.

Software test engineers capture packets to analyze application behavior.

Socket programmers use it for debugging.

Operations staff use it for daily monitoring and emergency response.

Capture Principle

Wireshark uses WinPcap to interface directly with the network card. In a single‑machine setup it captures traffic from the local NIC; in a switched network it can capture via port mirroring or ARP spoofing to obtain LAN traffic.

Interface Overview

The main window consists of six parts:

Menu bar – for configuration and debugging.

Toolbar – shortcuts to common functions.

Filter bar – set filter expressions to narrow packet lists.

Packet list pane – each row represents a captured packet.

Packet details pane – hierarchical view of protocol fields.

Packet bytes pane – raw byte stream of the packet.

Different protocols are color‑coded; the coloring rules can be edited via View → Coloring Rules.

Filters

Wireshark provides two types of filters:

Capture filters (set before capture) – e.g., ip host 183.232.231.172.

Display filters (applied after capture) – e.g., tcp.port == 80, http.request.method == "GET", or combined expressions using and, or, not.

Common filter examples include protocol filtering (tcp, icmp), IP filtering (ip.addr == 192.168.1.1), port filtering (tcp.port == 80), and content filtering (http.request.uri contains ".php").
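To make the display-filter semantics concrete, here is an added example (not code from the original article or from the Wireshark project) that evaluates a small subset of the filter language over constructed, already-decoded packet records. It supports the operators shown above (==, contains, and, or, not, parentheses) and reproduces one behaviour worth knowing: ip.addr and tcp.port match either direction of a conversation, so "ip.addr == 192.168.1.1" matches packets sent to and from that host. The packet records, field names and the PAIRED table are assumptions for this illustration.

```python
import re
from typing import Callable, Dict, List

Packet = Dict[str, object]

# Constructed sample packets: the decoded fields Wireshark would show, not a real capture.
PACKETS: List[Packet] = [
    {"ip.src": "192.168.1.1", "ip.dst": "93.184.216.34", "proto": "tcp",
     "tcp.srcport": 51234, "tcp.dstport": 80, "http.request.method": "GET",
     "http.request.uri": "/index.php"},
    {"ip.src": "93.184.216.34", "ip.dst": "192.168.1.1", "proto": "tcp",
     "tcp.srcport": 80, "tcp.dstport": 51234},
    {"ip.src": "192.168.1.1", "ip.dst": "10.0.0.5", "proto": "icmp"},
    {"ip.src": "10.0.0.7", "ip.dst": "10.0.0.5", "proto": "tcp",
     "tcp.srcport": 40000, "tcp.dstport": 443},
]

# Convenience fields that match either direction, as ip.addr / tcp.port do in Wireshark.
PAIRED = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport")}

TOKEN = re.compile(r'\s*(\(|\)|==|(?:and|or|not|contains)\b|"[^"]*"|[\w.]+)')


def tokenize(expr: str) -> List[str]:
    """Split a filter expression into keywords, operators, field names and values."""
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad filter near: {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def field_values(p: Packet, name: str) -> List[str]:
    """All values a field name can refer to in this packet (both sides for paired fields)."""
    return [str(p[k]) for k in PAIRED.get(name, (name,)) if k in p]


def has_protocol(p: Packet, name: str) -> bool:
    """A bare protocol name (tcp, icmp, http) matches when that layer is present."""
    return p.get("proto") == name or any(k.startswith(name + ".") for k in p)


class FilterParser:
    """Recursive-descent parser: or < and < not < comparison, as in Wireshark."""

    def __init__(self, expr: str):
        self.toks, self.i = tokenize(expr), 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self) -> Callable[[Packet], bool]:
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def parse_or(self):
        left = self.parse_and()
        while self.peek() == "or":
            self.take()
            left = (lambda l, r: lambda p: l(p) or r(p))(left, self.parse_and())
        return left

    def parse_and(self):
        left = self.parse_not()
        while self.peek() == "and":
            self.take()
            left = (lambda l, r: lambda p: l(p) and r(p))(left, self.parse_not())
        return left

    def parse_not(self):
        if self.peek() == "not":
            self.take()
            inner = self.parse_not()
            return lambda p: not inner(p)
        return self.parse_atom()

    def parse_atom(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok is None or tok in ("==", "contains", ")"):
            raise ValueError("expected a field or protocol name")
        if self.peek() in ("==", "contains"):
            op, value = self.take(), self.take()
            if value is None:
                raise ValueError("missing value")
            value = value.strip('"')
            if op == "==":
                return lambda p: value in field_values(p, tok)
            return lambda p: any(value in v for v in field_values(p, tok))
        return lambda p: has_protocol(p, tok)


def apply_filter(expr: str, packets: List[Packet] = PACKETS) -> List[int]:
    """Return the indices of packets that the display filter keeps."""
    match = FilterParser(expr).parse()
    return [i for i, p in enumerate(packets) if match(p)]
```

Note how "tcp and not ip.addr == 192.168.1.1" keeps only the packet that involves neither side of that host, whereas "ip.addr == 192.168.1.1" keeps both directions; when a filter seems to return too much or too little, checking which side of the conversation a paired field matched is usually the first step.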

TCP Three‑Way Handshake Example

A step‑by‑step capture of a TCP handshake shows (with the relative sequence numbers Wireshark displays by default, so each side's initial sequence number appears as 0):

Client sends SYN (Seq=0, Ack=0).

Server replies with SYN+ACK (Seq=0, Ack=1).

Client sends final ACK (Seq=1, Ack=1), establishing the connection.

Wireshark visualizes each packet with its flags, sequence, and acknowledgment numbers, confirming that even HTTPS connections start with a TCP handshake.
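The following added example (not code from the original article or from Wireshark) shows what sits behind the packet bytes pane and the Seq/Ack columns described above: it builds constructed 20-byte TCP headers for a handshake on port 443, decodes the flags and sequence fields with struct, and converts the absolute sequence numbers into the relative form Wireshark shows (Seq=0/Ack=0, Seq=0/Ack=1, Seq=1/Ack=1). The addresses, ports and initial sequence numbers are constructed sample values.

```python
import struct
from typing import Dict, List, Tuple

# TCP flag bits, listed in the order Wireshark prints them, e.g. "[SYN, ACK]".
FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK")]
SYN, ACK, PSH = 0x02, 0x10, 0x08

Frame = Tuple[str, str, bytes]  # (src_ip, dst_ip, raw TCP header)


def build_tcp_header(sport: int, dport: int, seq: int, ack: int, flags: int) -> bytes:
    """Minimal 20-byte TCP header: data offset 5, window 65535, checksum/urgent left 0 (constructed)."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)


def parse_tcp_header(raw: bytes) -> Dict[str, object]:
    """Decode the fields the packet details pane shows for the TCP layer."""
    sport, dport, seq, ack, off_flags, window, _cksum, _urg = struct.unpack("!HHIIHHHH", raw[:20])
    bits = off_flags & 0x1FF
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
        "header_len": (off_flags >> 12) * 4,
        "flags": [name for bit, name in FLAG_NAMES if bits & bit],
    }


def relative_numbers(frames: List[Frame]) -> List[Tuple[str, int, int]]:
    """Rows of (flags, relative seq, relative ack), computed the way Wireshark does it:
    each direction's first seen sequence number becomes 0, and an ACK is shown relative
    to the opposite direction's initial sequence number."""
    isn: Dict[Tuple[str, int, str, int], int] = {}
    rows = []
    for src, dst, raw in frames:
        h = parse_tcp_header(raw)
        fwd = (src, h["sport"], dst, h["dport"])
        rev = (dst, h["dport"], src, h["sport"])
        isn.setdefault(fwd, h["seq"])
        rel_seq = (h["seq"] - isn[fwd]) & 0xFFFFFFFF
        if "ACK" in h["flags"] and rev in isn:
            rel_ack = (h["ack"] - isn[rev]) & 0xFFFFFFFF
        else:
            rel_ack = 0  # no ACK flag (or nothing seen from the peer yet): Wireshark shows 0
        rows.append((", ".join(h["flags"]), rel_seq, rel_ack))
    return rows


def is_three_way_handshake(rows: List[Tuple[str, int, int]]) -> bool:
    """True when the first three rows are SYN, SYN/ACK, ACK with the expected numbers."""
    return rows[:3] == [("SYN", 0, 0), ("SYN, ACK", 0, 1), ("ACK", 1, 1)]


# Constructed sample conversation: client 10.0.0.2:51514 -> server 93.184.216.34:443.
CLIENT, SERVER = ("10.0.0.2", 51514), ("93.184.216.34", 443)
CLIENT_ISN, SERVER_ISN = 0x1A2B3C4D, 0x99887766

HANDSHAKE: List[Frame] = [
    (CLIENT[0], SERVER[0], build_tcp_header(CLIENT[1], SERVER[1], CLIENT_ISN, 0, SYN)),
    (SERVER[0], CLIENT[0], build_tcp_header(SERVER[1], CLIENT[1], SERVER_ISN, CLIENT_ISN + 1, SYN | ACK)),
    (CLIENT[0], SERVER[0], build_tcp_header(CLIENT[1], SERVER[1], CLIENT_ISN + 1, SERVER_ISN + 1, ACK)),
    # First data segment after the handshake (a TLS ClientHello would travel here).
    (CLIENT[0], SERVER[0], build_tcp_header(CLIENT[1], SERVER[1], CLIENT_ISN + 1, SERVER_ISN + 1, PSH | ACK)),
]

if __name__ == "__main__":
    for flags, seq, ack in relative_numbers(HANDSHAKE):
        print(f"[{flags}] Seq={seq} Ack={ack}")
```

The fourth row ("PSH, ACK", Seq=1, Ack=1) is the first payload-carrying segment; even on port 443 the TLS exchange only begins after these three control segments, which is the point the article makes about HTTPS. If you ever see Seq values in the billions in Wireshark, relative sequence numbering has been switched off under Edit → Preferences → Protocols → TCP.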

Analysis Operations

Typical post‑capture tasks include adjusting timestamp display format (View → Time Display Format), applying display filters to isolate relevant packets, and using the packet details pane to inspect protocol fields such as Ethernet, IP, TCP, and HTTP.

Figure: Wireshark main interface
Figure: Packet list pane
Figure: Capture filter configuration
Figure: Display filter example
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: network analysis, packet capture, Wireshark, filtering, TCP handshake
Written by

Open Source Linux

Focused on sharing Linux/Unix content, covering fundamentals, system development, network programming, automation/operations, cloud computing, and related professional knowledge.
