Master Wireshark: From Interface Setup to TCP Handshake Analysis

This guide walks through Wireshark’s installation, main interface, packet capture steps, filter syntax (both capture and display), detailed pane explanations, TCP three‑way handshake inspection, and common UI tweaks, providing a practical foundation for network traffic analysis.

Liangxu Linux

Wireshark is a network packet analyzer that captures traffic through the system's packet capture library (libpcap on Linux and macOS; Npcap, or the older and now unmaintained WinPcap, on Windows) and dissects every packet into its protocol layers, which makes it a standard tool for network engineers and security analysts.

Article Overview

Wireshark main‑window introduction.

Simple capture example showing how to start a capture and view basic packet data.

Use of Wireshark filters (capture and display) to isolate specific traffic such as protocols, IP addresses, ports, and payload content.

Interface and Capture Procedure

The main window's Capture → Options dialog lists the available network interfaces; select the one carrying the traffic of interest (e.g., WLAN) and click Start. Wireshark then switches to a live capture state and keeps adding packets until you press Stop. Capturing needs raw access to the interface, so on Linux run Wireshark as root or as a member of the wireshark group, and on Windows make sure Npcap was installed with it.

Example capture steps:

Run an operation that generates traffic, e.g., ping www.baidu.com.

After the operation finishes, the captured packets appear in the list.

Apply a display filter such as ip.addr == 119.75.217.26 && icmp to show only the ICMP echo requests and replies to and from that host (119.75.217.26 is the address www.baidu.com resolved to in the author's capture; use the address printed by your own ping).

Wireshark Panes

Display Filter Bar : The text field above the packet list where post‑capture filter expressions are typed; it turns green for a valid expression and red for an invalid one. Analyze → Display Filters manages saved filters.

Packet List Pane : Shows each captured packet with number, timestamp, source, destination, protocol, length, and a brief info line. Different protocols are color‑coded via View → Coloring Rules.

Packet Details Pane : Expands the selected packet to reveal all protocol layers. Typical layers include:

Frame – capture metadata that Wireshark records for each packet (arrival time, length on the wire and length captured, capturing interface); it is not a header taken from the wire.

Ethernet II – data‑link header.

Internet Protocol Version 4 – IP header.

Transmission Control Protocol – TCP header.

Hypertext Transfer Protocol – HTTP data.

Packet Bytes Pane : Shows the raw bytes of the selected packet as a hex dump with ASCII alongside; selecting a field in the details pane highlights the bytes that field was decoded from.

Filter Types and Syntax

Wireshark provides two filter categories:

Capture Filters (pre‑capture)

Entered in the Capture → Options dialog (Capture → Capture Filters only manages saved ones) and applied by the capture library before packets reach Wireshark, using pcap/BPF syntax, which is not the same as display‑filter syntax. Packets a capture filter rejects are never recorded, so use one only when you are sure what you need; when in doubt, capture everything and narrow the view with display filters. Examples:

Protocol filter: tcp, udp, icmp.

IP filter: host 192.168.1.104, src host 192.168.1.104, dst host 192.168.1.104.

Port filter: port 80, src port 80, dst port 80.

Logical operators: src host 192.168.1.104 && dst port 80, host 192.168.1.104 || host 192.168.1.102, !broadcast.

Display Filters (post‑capture)

Set after capture to narrow the view. Common operators and examples:

Comparison: ==, !=, >, <, >=, <=. Be careful with != on two‑sided fields: ip.addr != 192.168.1.104 is true whenever either the source or the destination differs, so it matches nearly every packet; to exclude a host, negate the equality test with not instead.

Protocol filter (lower‑case): tcp, http, icmp.

IP filter: ip.addr == 192.168.1.104, ip.src == 192.168.1.104, ip.dst == 192.168.1.104.

Port filter: tcp.port == 80, tcp.srcport == 80, tcp.dstport == 80.

HTTP method filter: http.request.method == "GET".

Content filter: data contains "abcd". This searches only the bytes Wireshark left undissected as data; to search every byte of the packet, including dissected headers, use the frame field instead of data.

Complex expressions combine conditions with and, or, and not (or the C‑style &&, ||, !), e.g., ip.addr == 192.168.1.104 and icmp.

TCP Three‑Way Handshake Analysis

The handshake consists of three packets:

First packet (SYN) : Client sends SYN=1, ACK=0 to request a connection.

Second packet (SYN‑ACK) : Server replies with SYN=1, ACK=1, acknowledging the client’s sequence number plus one.

Third packet (ACK) : Client sends SYN=0, ACK=1, confirming the server’s sequence number plus one.

Wireshark captures these packets when you open a website (e.g., www.huawei.com) and filter on the server address, here ip.addr == 211.162.2.183 (the address the author's capture resolved to; use the one from your own capture). The three packets appear consecutively in the list with the flag values above. Note that Wireshark shows relative sequence numbers by default, so the handshake reads Seq=0, then Seq=0 Ack=1, then Seq=1 Ack=1; the raw 32‑bit values can be shown by turning off Relative sequence numbers under Edit → Preferences → Protocols → TCP.
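The three sections above (the layer chain shown in the Packet Details pane, display‑filter matching, and the handshake check) as one added worked example in Python. This is not code from the original article or from the Wireshark project. It constructs Ethernet II / IPv4 / TCP frames using the addresses quoted in this article as made‑up sample values (the MAC addresses, ports and initial sequence numbers are also invented), dissects them with the standard library, applies conditions equivalent to a display filter such as ip.addr == 211.162.2.183 and tcp.flags.syn == 1, and verifies the SYN / SYN‑ACK / ACK exchange, reporting the same relative Seq/Ack numbers Wireshark shows. The server ISN is chosen as 2^32 − 1 so the "+1" acknowledgment wraps, an edge case a naive seq + 1 comparison gets wrong.

```python
"""Added example (not code from the article or the Wireshark project): dissect
constructed Ethernet II / IPv4 / TCP frames into the layers the Packet Details
pane lists, apply display-filter-style conditions, and verify a three-way
handshake using the relative Seq/Ack numbers Wireshark shows."""
import socket
import struct
from dataclasses import dataclass

# Constructed sample endpoints; the IPs are the ones quoted in the article.
CLIENT_MAC, SERVER_MAC = bytes.fromhex("0242ac110002"), bytes.fromhex("0242ac110003")
CLIENT_IP, SERVER_IP = "192.168.1.104", "211.162.2.183"
CLIENT_PORT, SERVER_PORT = 51234, 80
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
FLAG_NAMES = ((TCP_SYN, "SYN"), (TCP_ACK, "ACK"), (TCP_FIN, "FIN"), (TCP_RST, "RST"), (TCP_PSH, "PSH"))
MASK32 = 0xFFFFFFFF

@dataclass
class Packet:
    """One packet, field names following Wireshark's display-filter fields."""
    number: int       # Frame: capture sequence number
    frame_len: int    # Frame: bytes on the wire
    eth_src: str      # Ethernet II
    ip_src: str       # Internet Protocol Version 4
    ip_dst: str
    tcp_srcport: int  # Transmission Control Protocol (seq/ack are raw 32-bit values)
    tcp_dstport: int
    seq: int
    ack: int
    flags: int

    def flag_names(self) -> str:
        return ", ".join(name for bit, name in FLAG_NAMES if self.flags & bit)

def build_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq, ack, flags):
    """Raw Ethernet II + IPv4 + TCP frame, no options or payload. Checksums are
    left at zero (Wireshark would flag them); only header parsing matters here."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return dst_mac + src_mac + struct.pack("!H", 0x0800) + ip + tcp

def dissect(number: int, frame: bytes) -> Packet:
    """Walk the layer chain Wireshark lists: Ethernet II -> IPv4 -> TCP."""
    _dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("example dissects IPv4 only")
    ihl = (frame[14] & 0x0F) * 4                          # IP header length in bytes
    proto, src, dst = struct.unpack("!B2x4s4s", frame[23:34])  # protocol, (checksum), src, dst
    if proto != 6:
        raise ValueError("example dissects TCP only")
    off = 14 + ihl
    sport, dport, seq, ack, _, flags = struct.unpack("!HHIIBB", frame[off:off + 14])
    return Packet(number, len(frame), ":".join(f"{b:02x}" for b in src_mac),
                  socket.inet_ntoa(src), socket.inet_ntoa(dst), sport, dport, seq, ack, flags)

def matches(pkt: Packet, ip_addr=None, tcp_port=None, syn=None, ack=None) -> bool:
    """Display-filter semantics: ip.addr and tcp.port match either direction,
    tcp.flags.syn / tcp.flags.ack test one bit each."""
    return ((ip_addr is None or ip_addr in (pkt.ip_src, pkt.ip_dst))
            and (tcp_port is None or tcp_port in (pkt.tcp_srcport, pkt.tcp_dstport))
            and (syn is None or bool(pkt.flags & TCP_SYN) == syn)
            and (ack is None or bool(pkt.flags & TCP_ACK) == ack))

def check_handshake(pkts):
    """Return (ok, rows). ok: pkts are SYN, SYN-ACK, ACK with each ack equal to
    the peer's ISN + 1 modulo 2^32. rows: (flags, Seq, Ack) as Wireshark prints
    them with relative sequence numbers enabled."""
    if len(pkts) != 3:
        return False, []
    syn, synack, ack = pkts
    client_isn, server_isn, sa = syn.seq, synack.seq, TCP_SYN | TCP_ACK
    ok = all((
        (syn.flags & sa) == TCP_SYN and (synack.flags & sa) == sa and (ack.flags & sa) == TCP_ACK,
        synack.ack == (client_isn + 1) & MASK32,          # server acks client ISN + 1
        ack.seq == (client_isn + 1) & MASK32,
        ack.ack == (server_isn + 1) & MASK32,             # client acks server ISN + 1
        (synack.ip_src, synack.tcp_srcport) == (syn.ip_dst, syn.tcp_dstport),
        (ack.ip_src, ack.tcp_srcport) == (syn.ip_src, syn.tcp_srcport),
    ))
    rows = []
    for p in pkts:
        mine, peer = (client_isn, server_isn) if p.ip_src == syn.ip_src else (server_isn, client_isn)
        rel_ack = (p.ack - peer) & MASK32 if p.flags & TCP_ACK else 0
        rows.append((p.flag_names(), (p.seq - mine) & MASK32, rel_ack))
    return ok, rows

def sample_capture(client_isn=0x1A2B3C4D, server_isn=MASK32):
    """Constructed capture: the handshake to SERVER_IP plus one unrelated SYN.
    server_isn defaults to 2^32 - 1 so the final ACK's number wraps to 0."""
    c2s = (CLIENT_MAC, SERVER_MAC, CLIENT_IP, SERVER_IP, CLIENT_PORT, SERVER_PORT)
    s2c = (SERVER_MAC, CLIENT_MAC, SERVER_IP, CLIENT_IP, SERVER_PORT, CLIENT_PORT)
    frames = [
        build_tcp_frame(*c2s, client_isn, 0, TCP_SYN),
        build_tcp_frame(CLIENT_MAC, SERVER_MAC, CLIENT_IP, "119.75.217.26", 51235, 443, 0x11111111, 0, TCP_SYN),
        build_tcp_frame(*s2c, server_isn, (client_isn + 1) & MASK32, TCP_SYN | TCP_ACK),
        build_tcp_frame(*c2s, (client_isn + 1) & MASK32, (server_isn + 1) & MASK32, TCP_ACK),
    ]
    return [dissect(i + 1, f) for i, f in enumerate(frames)]

def handshake_for(pkts, server_ip):
    """Apply the display filter 'ip.addr == server_ip', then verify the handshake."""
    return check_handshake([p for p in pkts if matches(p, ip_addr=server_ip)])
```

Calling handshake_for(sample_capture(), SERVER_IP) filters the unrelated SYN to 119.75.217.26 out of the four constructed packets and returns (True, [("SYN", 0, 0), ("SYN, ACK", 0, 1), ("ACK", 1, 1)]), the same Seq/Ack values Wireshark prints in the Info column; reordering the packets or handing in more than three makes the check fail rather than silently pass.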

Common Operations

Adjust the timestamp format in the packet list via View → Time Display Format → Date and Time of Day to show human‑readable dates.

These steps constitute the essential workflow for using Wireshark to capture, filter, and analyze network traffic.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: capture filters, display filters, network analysis, TCP handshake
Written by

Liangxu Linux

Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)
