Master Wireshark: From Installation to Advanced Packet Filtering
This comprehensive guide walks you through installing Wireshark, capturing packets, navigating its main interfaces, analyzing TCP handshakes, and mastering both capture and display filter expressions for effective network troubleshooting and protocol inspection.
Wireshark Tutorial – Detailed Guide
Wireshark is a widely used network packet analysis tool that can capture various network data packets and display detailed information, making it valuable for troubleshooting during development and testing.
Installation
Download the installer from the official Wireshark website, select the appropriate version for your operating system, and follow the prompts to complete the installation. For Windows 10, install the Win10Pcap compatibility package if the network interface is not displayed.
Basic Capture Example
Open Wireshark (e.g., version 2.6.5) and select the desired network interface. Right‑click and choose Start Capture to begin capturing packets. Perform an operation such as ping www.baidu.com. After the capture, apply a filter like ip.addr == 180.101.49.11 and icmp to isolate relevant packets.
Wireshark Interface Overview
The main panes are:
Display Filter : Set filter conditions to narrow the packet list (Analyze → Display Filters).
Packet List Pane : Shows captured packets with number, timestamp, source, destination, protocol, length, and summary. Different protocols are color‑coded.
Packet Details Pane : Displays detailed protocol hierarchy for the selected packet.
Dissector Pane : Shows raw packet bytes.
The packet details pane is crucial for inspecting each field of a protocol. Typical sections include:
Frame – physical‑layer overview.
Ethernet II – data‑link layer header.
Internet Protocol Version 4 – IP header.
Transmission Control Protocol – TCP segment header.
Hypertext Transfer Protocol – application‑layer data.
TCP Handshake Analysis
The TCP three‑way handshake is captured as three packets:
Step 1: Client sends a SYN packet (SYN=1, ACK=0).
Step 2: Server replies with SYN‑ACK (SYN=1, ACK=1).
Step 3: Client sends ACK (SYN=0, ACK=1) confirming the connection.
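As an added example (not code from the original article), the following Python dissects the Ethernet II, IPv4 and TCP layers of a few constructed frames, the same layering the packet details pane shows, and classifies each segment by its SYN/ACK bits into the three handshake steps. It goes one step beyond the text by also checking that the acknowledgement numbers line up (each ACK equals the peer's initial sequence number plus one), which is the check you make in the details pane when a handshake looks suspicious. All MAC/IP addresses, ports and sequence numbers are made up.

```python
import struct
SYN, ACK = 0x02, 0x10  # TCP flag bits

def build_frame(src_ip, dst_ip, sport, dport, seq, ack, flags):
    # Constructed Ethernet II / IPv4 / TCP frame, no payload, checksums left zero.
    eth = b"\x00" * 12 + b"\x08\x00"  # dummy MACs, EtherType 0x0800 = IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp

def parse_frame(frame):
    # Dissect the Ethernet II -> IPv4 -> TCP layers shown in the packet details pane.
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None  # not IPv4, or IP protocol is not 6 (TCP): ICMP, UDP, ARP, ...
    tcp = frame[14 + (frame[14] & 0x0F) * 4:]  # skip Ethernet header + IHL*4 bytes of IP
    if len(tcp) < 14:
        return None
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    return {"src": ".".join(map(str, frame[26:30])), "dst": ".".join(map(str, frame[30:34])),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "syn": bool(off_flags & SYN), "ack_flag": bool(off_flags & ACK)}

def handshake_step(pkt):
    # 1 = SYN (SYN=1, ACK=0), 2 = SYN-ACK (SYN=1, ACK=1), 3 = ACK (SYN=0, ACK=1), else 0
    if pkt["syn"]:
        return 2 if pkt["ack_flag"] else 1
    return 3 if pkt["ack_flag"] else 0

def find_handshake(frames):
    # (client_ip, server_ip) of the first SYN, SYN-ACK, ACK triple on one flow whose
    # acknowledgement numbers are consistent (each ACK = the peer's ISN + 1), else None.
    pkts = [p for p in map(parse_frame, frames) if p]
    for a, b, c in zip(pkts, pkts[1:], pkts[2:]):
        if (handshake_step(a), handshake_step(b), handshake_step(c)) != (1, 2, 3):
            continue
        same_flow = ((a["src"], a["sport"], a["dst"], a["dport"])
                     == (c["src"], c["sport"], c["dst"], c["dport"])
                     == (b["dst"], b["dport"], b["src"], b["sport"]))
        if same_flow and b["ack"] == a["seq"] + 1 and c["ack"] == b["seq"] + 1:
            return a["src"], a["dst"]
    return None

# Constructed capture (addresses made up): a stray ARP frame, then SYN, SYN-ACK, ACK.
SAMPLE_CAPTURE = [
    b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28,
    build_frame("192.168.1.104", "10.0.0.5", 51000, 80, 1000, 0, SYN),
    build_frame("10.0.0.5", "192.168.1.104", 80, 51000, 5000, 1001, SYN | ACK),
    build_frame("192.168.1.104", "10.0.0.5", 51000, 80, 1001, 5001, ACK),
]
```

A SYN-ACK whose acknowledgement number does not equal the client's sequence number plus one fails the check, which is the same mismatch you would spot by comparing the Seq and Ack fields in the details pane.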
Capture Filters vs. Display Filters
Capture filters are set before capturing (Capture → Capture Filters) to limit which packets are recorded. Example: ip host 60.207.246.216 and icmp.
Display filters are applied after capture (Analyze → Display Filters) to refine the packet list. Example: ip.addr == 192.168.1.104 and icmp.
Common filter syntax includes protocol, IP address, port, and logical operators (and, or, not). Protocol names must be lowercase.
Common Filter Expressions
Protocol filter : tcp, http, icmp
IP filter : host 192.168.1.104, src host 192.168.1.104, dst host 192.168.1.104
Port filter : port 80, src port 80, dst port 80
Logical operators : src host 192.168.1.104 && dst port 80
Content filter : tcp contains "abcd"
Useful Display Settings
Adjust the timestamp format via View → Time Display Format → Date and Time of Day.
By mastering these features, you can efficiently capture, filter, and analyze network traffic with Wireshark.