Information Security

Master Wireshark: From Interface Basics to Advanced Packet Filtering

This comprehensive guide introduces Wireshark's main interface, demonstrates step‑by‑step packet capture, explains how to use capture and display filters—including protocol, IP, and port filters—and walks through analyzing TCP three‑way handshake packets, providing essential techniques for network troubleshooting and security analysis.

Open Source Linux

Wireshark is a network packet analysis tool that captures packets via WinPcap and displays detailed information about each one; it is widely used by network engineers and analysts.

Interface Overview

The main window consists of a Display Filter pane, a Packet List pane showing packet number, timestamp, source, destination, protocol, length, and a Packet Details pane that reveals protocol fields such as Frame, Ethernet II, IPv4, TCP, and HTTP.

Basic Capture Procedure

Select Capture → Options, choose the appropriate WLAN interface, and click Start to begin capturing. Perform an operation such as ping www.baidu.com; the resulting packets appear in the list.

Use the filter bar to narrow results, e.g., ip.addr == 119.75.217.26 and icmp, which shows only ICMP packets from or to the specified IP.

Capture Filters

Capture filters are set before capturing via Capture → Capture Filters. They use the libpcap/BPF syntax, which is different from display-filter syntax, and packets excluded by a capture filter are never written to the capture. Examples:

tcp – capture only TCP packets

host 192.168.1.104 – capture traffic to or from a specific host

port 80 – capture traffic using port 80

src host 192.168.1.104 && dst port 80 – combine criteria with logical operators (&& is equivalent to and)

Display Filters

After capture, use display filters to refine the view without discarding any captured packets. Common syntax includes:

tcp – display only TCP packets

ip.src == 192.168.1.104 – source IP filter

tcp.port == 80 – packets with TCP port 80 as source or destination port

http.request.method == "GET" – HTTP GET requests

Use the logical operators and, or, and not to combine conditions, e.g., ip.addr == 192.168.1.104 and icmp.
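To make the semantics of these expressions concrete, here is an added Python example written for this page; it is not code from the original article and it is not Wireshark's own filter engine. It implements a small evaluator for exactly the forms shown above: bare protocol names (tcp, icmp), field == value comparisons, the convenience fields ip.addr and tcp.port that match either direction, and the operators and/or/not, with and binding tighter than or as in Wireshark. The packets are constructed field dictionaries keyed with Wireshark-style field names, not captured traffic; the addresses are the ones used in this article.

```python
"""Toy evaluator for the Wireshark display-filter subset used in this article.

Added example, not Wireshark's filter engine. Packets are constructed field
dictionaries keyed with Wireshark-style field names (frame.number, ip.src, ...).
"""

# Constructed sample "capture": an ICMP echo exchange, a TCP SYN to port 80,
# a DNS query over UDP, and an HTTP GET request on the same TCP connection.
PACKETS = [
    {"frame.number": 1, "ip.src": "192.168.1.104", "ip.dst": "119.75.217.26", "icmp.type": 8},
    {"frame.number": 2, "ip.src": "119.75.217.26", "ip.dst": "192.168.1.104", "icmp.type": 0},
    {"frame.number": 3, "ip.src": "192.168.1.104", "ip.dst": "211.162.2.183",
     "tcp.srcport": 51234, "tcp.dstport": 80, "tcp.flags.syn": 1},
    {"frame.number": 4, "ip.src": "192.168.1.104", "ip.dst": "192.168.1.1",
     "udp.srcport": 40000, "udp.dstport": 53, "dns.qry.name": "www.baidu.com"},
    {"frame.number": 5, "ip.src": "192.168.1.104", "ip.dst": "211.162.2.183",
     "tcp.srcport": 51234, "tcp.dstport": 80, "http.request.method": "GET"},
]

# Convenience fields that match either direction, as ip.addr / tcp.port do in Wireshark.
ALIASES = {
    "ip.addr": ("ip.src", "ip.dst"),
    "tcp.port": ("tcp.srcport", "tcp.dstport"),
    "udp.port": ("udp.srcport", "udp.dstport"),
}


def field_values(pkt, name):
    """All values a field name can refer to in this packet (empty list if absent)."""
    return [pkt[k] for k in ALIASES.get(name, (name,)) if k in pkt]


def has_protocol(pkt, proto):
    """A bare protocol name matches when the packet carries any field of that layer."""
    return any(k.startswith(proto + ".") for k in pkt)


class FilterParser:
    """Recursive descent: or_expr > and_expr > not_expr > atom.
    'and'/'&&' binds tighter than 'or'/'||', matching Wireshark's precedence."""

    def __init__(self, expr):
        self.toks = expr.replace("(", " ( ").replace(")", " ) ").split()
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of filter expression")
        self.pos += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def parse_or(self):
        node = self.parse_and()
        while self.peek() in ("or", "||"):
            self.take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_not()
        while self.peek() in ("and", "&&"):
            self.take()
            node = ("and", node, self.parse_not())
        return node

    def parse_not(self):
        if self.peek() in ("not", "!"):
            self.take()
            return ("not", self.parse_not())
        return self.parse_atom()

    def parse_atom(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        if self.peek() == "==":          # field == value (quotes around strings are optional)
            self.take()
            return ("eq", tok, self.take().strip('"'))
        return ("proto", tok)            # bare protocol name such as tcp or icmp


def evaluate(node, pkt):
    kind = node[0]
    if kind == "proto":
        return has_protocol(pkt, node[1])
    if kind == "eq":
        return any(str(v) == node[2] for v in field_values(pkt, node[1]))
    if kind == "not":
        return not evaluate(node[1], pkt)
    if kind == "and":
        return evaluate(node[1], pkt) and evaluate(node[2], pkt)
    return evaluate(node[1], pkt) or evaluate(node[2], pkt)


def apply_filter(expr, packets=PACKETS):
    """Return the frame numbers a display filter would leave in the Packet List pane."""
    tree = FilterParser(expr).parse()
    return [p["frame.number"] for p in packets if evaluate(tree, p)]


if __name__ == "__main__":
    for f in ("tcp", "ip.addr == 119.75.217.26 and icmp", 'http.request.method == "GET"'):
        print(f"{f!r:45} -> frames {apply_filter(f)}")
```

The aliasing step is the part worth noticing: ip.addr == X keeps packets in both directions of a conversation, while ip.src == X keeps only one, which is why the article's ICMP example uses ip.addr to see both the echo request and the reply.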

Analyzing TCP Three‑Way Handshake

The handshake consists of three packets. The Seq and Ack values below are the relative sequence numbers Wireshark displays by default, in which the first sequence number seen in each direction is shown as 0 rather than the raw 32-bit value on the wire:

Client sends SYN (Seq=0, Ack=0) to request a connection.

Server replies with SYN+ACK (Seq=0, Ack=1).

Client sends final ACK (Seq=1, Ack=1) confirming the connection.

Wireshark can capture these packets when accessing a website (e.g., www.huawei.com) and applying a filter such as ip.addr == 211.162.2.183. The captured handshake packets illustrate the sequence numbers and acknowledgment numbers for each step.
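To show where the Seq=0/Ack=0, Seq=0/Ack=1, Seq=1/Ack=1 values come from, here is an added Python example written for this page (not code from the original article or from the Wireshark project). It decodes Ethernet II/IPv4/TCP frames with the standard library only, reads the SYN and ACK flags, and converts the raw 32-bit sequence numbers into the relative numbering Wireshark shows by default: the initial sequence number (ISN) carried in each direction's SYN becomes 0. The three handshake frames, the client address and port, and both ISNs are constructed; the server IP is the one from this article, and the server's ISN is deliberately set to 0xFFFFFFFF so the example also exercises the 32-bit wrap-around that a naive subtraction would get wrong.

```python
"""Decode constructed TCP handshake frames and label them with Wireshark-style
relative sequence numbers. Added example; frames below are built here, not captured."""
import struct
from ipaddress import IPv4Address

SYN, ACK = 0x02, 0x10          # TCP flag bits
MASK32 = 0xFFFFFFFF            # sequence numbers are modulo 2^32


def build_frame(src_ip, dst_ip, sport, dport, seq, ack, flags):
    """Constructed sample: minimal Ethernet II + IPv4 + TCP header, no payload.
    Checksums are left at zero; the decoder below does not verify them."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return eth + ip + tcp


def decode_tcp(frame):
    """Parse the headers into the fields Wireshark shows in the Packet Details pane."""
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4              # IPv4 header length in bytes
    if frame[23] != 6:
        raise ValueError("not a TCP segment")
    sport, dport, seq, ack, _, flags = struct.unpack_from("!HHIIBB", frame, 14 + ihl)
    return {
        "ip.src": str(IPv4Address(frame[26:30])), "ip.dst": str(IPv4Address(frame[30:34])),
        "tcp.srcport": sport, "tcp.dstport": dport,
        "tcp.seq_raw": seq, "tcp.ack_raw": ack,
        "tcp.flags.syn": bool(flags & SYN), "tcp.flags.ack": bool(flags & ACK),
    }


def flag_label(pkt):
    """Text Wireshark puts in the Info column for the flag combination."""
    if pkt["tcp.flags.syn"] and pkt["tcp.flags.ack"]:
        return "SYN, ACK"
    if pkt["tcp.flags.syn"]:
        return "SYN"
    return "ACK" if pkt["tcp.flags.ack"] else ""


def analyze_handshake(frames):
    """Return (label, relative_seq, relative_ack) per frame.
    Relative numbering: the ISN carried in each direction's SYN maps to 0,
    and every later value in that direction is offset from it modulo 2^32."""
    isn = {}                                   # (ip.src, tcp.srcport) -> ISN for that direction
    result = []
    for frame in frames:
        p = decode_tcp(frame)
        fwd = (p["ip.src"], p["tcp.srcport"])
        rev = (p["ip.dst"], p["tcp.dstport"])
        if p["tcp.flags.syn"]:
            isn[fwd] = p["tcp.seq_raw"]        # a SYN announces this side's ISN
        rel_seq = (p["tcp.seq_raw"] - isn[fwd]) & MASK32 if fwd in isn else None
        rel_ack = (p["tcp.ack_raw"] - isn[rev]) & MASK32 if p["tcp.flags.ack"] and rev in isn else 0
        result.append((flag_label(p), rel_seq, rel_ack))
    return result


# Constructed handshake between a client and the server address used in the article.
CLIENT, SERVER = "192.168.1.104", "211.162.2.183"
CLIENT_ISN, SERVER_ISN = 0x1A2B3C4D, 0xFFFFFFFF   # server ISN at the wrap boundary
HANDSHAKE = [
    build_frame(CLIENT, SERVER, 51234, 80, CLIENT_ISN, 0, SYN),
    build_frame(SERVER, CLIENT, 80, 51234, SERVER_ISN, (CLIENT_ISN + 1) & MASK32, SYN | ACK),
    build_frame(CLIENT, SERVER, 51234, 80, (CLIENT_ISN + 1) & MASK32, (SERVER_ISN + 1) & MASK32, ACK),
]

if __name__ == "__main__":
    for label, seq, ack in analyze_handshake(HANDSHAKE):
        print(f"[{label}] Seq={seq} Ack={ack}")
```

Running it prints [SYN] Seq=0 Ack=0, [SYN, ACK] Seq=0 Ack=1 and [ACK] Seq=1 Ack=1, the same values the article lists, even though the raw acknowledgment number in the final ACK is 0 because the server's ISN wrapped. Turning off Edit → Preferences → Protocols → TCP → "Relative sequence numbers" in Wireshark shows the raw values instead, which is what you need when correlating with another sensor's view of the same connection.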

Common Operations

Adjust timestamp display via View → Time Display Format → Date and Time of Day to view precise capture times.

These steps cover the essential Wireshark functionalities for packet capture, filtering, and protocol analysis.

Tags: network analysis, packet capture, Wireshark, filtering, TCP Handshake, protocol inspection
Written by

Open Source Linux

Focused on sharing Linux/Unix content, covering fundamentals, system development, network programming, automation/operations, cloud computing, and related professional knowledge.
