Master Wireshark: Interface, Capture, and Advanced Filtering Techniques

This guide walks you through Wireshark’s main interface, demonstrates a simple packet capture, explains how to use capture and display filters with concrete examples, and details TCP three‑way handshake analysis, providing practical tips for network engineers and security analysts.

Liangxu Linux

Introduction

Wireshark is a powerful network packet analysis tool that captures network traffic and displays detailed packet information, widely used by network engineers and security analysts.

Wireshark Main Interface

The main window consists of several panes:

Display Filter Bar : Enter filter expressions here to refine the packet list. Saved display filters are managed via Analyze → Display Filters.

Packet List Pane : Shows captured packets with columns for number, timestamp, source, destination, protocol, length, and info. Different protocols are color‑coded (configurable under View → Coloring Rules).

Packet Details Pane : Displays hierarchical protocol fields for the selected packet, including Frame, Ethernet II, IPv4, TCP, and HTTP layers.

Dissector Pane (Byte View) : Shows raw packet bytes.

Simple Capture Example

To start a capture, select Capture → Options, choose the interface that carries the traffic you want to see (the WLAN adapter in this example), and click Start. Perform an operation such as ping www.baidu.com while capturing. After the operation completes, stop the capture and use the display filter bar to isolate the relevant packets, e.g., ip.addr == 119.75.217.26 && icmp.

Capture Filters (Pre‑Capture)

Capture filters are set before capturing via Capture → Capture Filters. They use the same Berkeley Packet Filter (BPF) syntax as tcpdump and limit the traffic recorded from the network interface; packets excluded by a capture filter are never written to the capture file and cannot be recovered later. Example syntax:

host 192.168.1.104
src host 192.168.1.104
dst host 192.168.1.104
port 80
src port 80
dst port 80

Logical operators && (and), || (or), and ! (not) can combine expressions, e.g., src host 192.168.1.104 && dst port 80. The keyword forms and, or, and not are accepted as well.

Display Filters (Post‑Capture)

Display filters refine the captured packet list. Common operators include ==, !=, >, <, >=, <=. Example filter types:

Protocol filter : tcp, http, icmp

IP filter : ip.src == 192.168.1.104, ip.dst == 192.168.1.104, ip.addr == 192.168.1.104

Port filter : tcp.port == 80, tcp.srcport == 80, tcp.dstport == 80

HTTP method filter : http.request.method == "GET"

Content filter : Use contains to match payload data, e.g., data contains "abcd"

Multiple conditions can be combined, for example ip.addr == 192.168.1.104 && icmp to show only ICMP packets involving that IP.
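The following is an added example, not part of the original article and not Wireshark's own code: a small Python evaluator for the subset of display-filter syntax listed above (protocol names, the comparison operators, contains, and &&, ||, ! with parentheses), run over a constructed list of packet records. The packet dicts, the 203.0.113.10 and 10.0.0.x addresses, and the function names (tokenize, Parser, apply_filter) are assumptions made for the example. It reproduces one behaviour worth knowing: two-sided fields such as ip.addr and tcp.port match if either underlying field matches, so ip.addr != X does not exclude host X; !(ip.addr == X) does.

```python
"""Mini evaluator for a subset of Wireshark display-filter syntax (added example)."""
import re

# Constructed sample capture; "protocols" is the set of dissected layers.
PACKETS = [
    {"no": 1, "protocols": {"eth", "ip", "icmp"}, "ip.src": "192.168.1.104", "ip.dst": "119.75.217.26"},
    {"no": 2, "protocols": {"eth", "ip", "icmp"}, "ip.src": "119.75.217.26", "ip.dst": "192.168.1.104"},
    {"no": 3, "protocols": {"eth", "ip", "tcp", "http"}, "ip.src": "192.168.1.104", "ip.dst": "203.0.113.10",
     "tcp.srcport": 51234, "tcp.dstport": 80, "http.request.method": "GET"},
    {"no": 4, "protocols": {"eth", "ip", "tcp"}, "ip.src": "203.0.113.10", "ip.dst": "192.168.1.104",
     "tcp.srcport": 80, "tcp.dstport": 51234, "data": "abcd1234"},
    {"no": 5, "protocols": {"eth", "ip", "udp", "dns"}, "ip.src": "192.168.1.104", "ip.dst": "8.8.8.8",
     "udp.srcport": 40000, "udp.dstport": 53},
    {"no": 6, "protocols": {"eth", "ip", "udp"}, "ip.src": "10.0.0.5", "ip.dst": "10.0.0.9",
     "udp.srcport": 5000, "udp.dstport": 5001},
]

# Two-sided fields: ip.addr means "ip.src OR ip.dst", tcp.port means either port.
ALIASES = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport"),
           "udp.port": ("udp.srcport", "udp.dstport")}
OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b, ">": lambda a, b: a > b,
       "<": lambda a, b: a < b, ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b}
COMPARATORS = set(OPS) | {"contains"}
TOKEN = re.compile(r'\s*(&&|\|\||==|!=|>=|<=|>|<|!|\(|\)|"[^"]*"|[\w.]+)')

def tokenize(expr):
    """Split a filter string into operator, identifier and value tokens."""
    expr, pos, tokens = expr.strip(), 0, []
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"cannot tokenize filter at offset {pos}: {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens

class Parser:
    """Recursive descent: || binds loosest, then &&, then ! and parentheses."""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of filter")
        self.i += 1
        return tok
    def parse(self):
        node = self.or_expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node
    def or_expr(self):
        node = self.and_expr()
        while self.peek() == "||":
            self.take()
            node = ("or", node, self.and_expr())
        return node
    def and_expr(self):
        node = self.unary()
        while self.peek() == "&&":
            self.take()
            node = ("and", node, self.unary())
        return node
    def unary(self):
        tok = self.take()
        if tok == "!":
            return ("not", self.unary())
        if tok == "(":
            node = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        if self.peek() in COMPARATORS:                 # field op value
            op = self.take()
            return ("cmp", tok, op, self.take().strip('"'))
        return ("proto", tok)                          # bare protocol name

def evaluate(node, pkt):
    """True if the parsed filter matches one packet record."""
    kind = node[0]
    if kind == "and":
        return evaluate(node[1], pkt) and evaluate(node[2], pkt)
    if kind == "or":
        return evaluate(node[1], pkt) or evaluate(node[2], pkt)
    if kind == "not":
        return not evaluate(node[1], pkt)
    if kind == "proto":
        return node[1] in pkt["protocols"]
    _, name, op, raw = node
    # A packet matches when ANY occurrence of the field satisfies the test.
    for value in (pkt[f] for f in ALIASES.get(name, (name,)) if f in pkt):
        if op == "contains":
            if raw in str(value):
                return True
            continue
        wanted = int(raw) if isinstance(value, int) and raw.isdigit() else raw
        if type(wanted) is type(value) and OPS[op](value, wanted):
            return True
    return False

def apply_filter(expr, packets=PACKETS):
    """Return the packet numbers the display filter would leave visible."""
    tree = Parser(tokenize(expr)).parse()
    return [p["no"] for p in packets if evaluate(tree, p)]

if __name__ == "__main__":
    for f in ("ip.addr == 192.168.1.104 && icmp", "tcp.port == 80", 'data contains "abcd"',
              "ip.addr != 192.168.1.104", "!(ip.addr == 192.168.1.104)"):
        print(f"{f:40} -> {apply_filter(f)}")
```

Running it shows ip.addr != 192.168.1.104 keeping all six packets, because every packet has at least one address that differs from the host, while !(ip.addr == 192.168.1.104) keeps only packet 6. The same holds in Wireshark, so use the negated form when you want to hide a host's traffic.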

TCP Three‑Way Handshake Analysis

The tutorial demonstrates capturing the TCP three‑way handshake when accessing www.huawei.com:

First handshake : Client sends a SYN packet (SYN=1, ACK=0, Seq=0).

Second handshake : Server replies with SYN‑ACK (SYN=1, ACK=1, Seq=0, Ack=1).

Third handshake : Client sends ACK (SYN=0, ACK=1, Seq=1, Ack=1).

Key packet fields are highlighted: the SYN and ACK flags and the Seq and Ack values, which indicate connection establishment progress. The Seq and Ack values shown are Wireshark's relative sequence numbers (enabled by default), which count from 0 at the SYN; the actual initial sequence numbers on the wire are random 32‑bit values.
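As an added example (not from the original article), the script below reconstructs handshakes from a constructed list of TCP packet records carrying real-style absolute sequence numbers, verifies the Seq/Ack relationships the three steps above rely on, and reports the relative values Wireshark would display. Flows that never reach the third step are returned separately, since a pile of unanswered or uncompleted SYNs is the usual capture-level sign of a scan or a SYN flood that an analyst would want to notice. The Pkt record type, the find_handshakes function and the 203.0.113.10 server address are assumptions made for the example.

```python
"""Reconstruct TCP three-way handshakes from packet records (added example)."""
from dataclasses import dataclass

@dataclass
class Pkt:
    no: int
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset     # subset of {"SYN", "ACK"} as set in the TCP header
    seq: int             # absolute sequence number as carried on the wire
    ack: int = 0         # absolute acknowledgement number (0 when ACK flag unset)

# Constructed capture: one complete handshake, one unanswered SYN,
# one SYN-ACK whose client never sends a valid third packet.
CAPTURE = [
    Pkt(1, "192.168.1.104", 51234, "203.0.113.10", 443, frozenset({"SYN"}), seq=1500000000),
    Pkt(2, "203.0.113.10", 443, "192.168.1.104", 51234, frozenset({"SYN", "ACK"}), seq=2700000000, ack=1500000001),
    Pkt(3, "192.168.1.104", 51234, "203.0.113.10", 443, frozenset({"ACK"}), seq=1500000001, ack=2700000001),
    Pkt(4, "192.168.1.104", 51235, "203.0.113.10", 8080, frozenset({"SYN"}), seq=99000),
    Pkt(5, "192.168.1.104", 51236, "203.0.113.10", 80, frozenset({"SYN"}), seq=77000),
    Pkt(6, "203.0.113.10", 80, "192.168.1.104", 51236, frozenset({"SYN", "ACK"}), seq=88000, ack=77001),
    Pkt(7, "192.168.1.104", 51236, "203.0.113.10", 80, frozenset({"ACK"}), seq=77001, ack=5),  # wrong Ack
]

def classify(p):
    """Name the handshake step a packet's flags could belong to."""
    if p.flags == {"SYN"}:
        return "SYN"
    if p.flags == {"SYN", "ACK"}:
        return "SYN-ACK"
    if "ACK" in p.flags:
        return "ACK"
    return "OTHER"

def find_handshakes(packets):
    """Return (completed, incomplete) handshakes keyed by client/server 4-tuple."""
    pending = {}                      # (client, cport, server, sport) -> state
    completed = []
    for p in packets:
        kind = classify(p)
        if kind == "SYN":             # step 1: client chooses its ISN
            pending[(p.src, p.sport, p.dst, p.dport)] = {"stage": 1, "syn": p, "client_isn": p.seq}
        elif kind == "SYN-ACK":       # step 2: server must ack client ISN + 1
            st = pending.get((p.dst, p.dport, p.src, p.sport))
            if st and st["stage"] == 1 and p.ack == st["client_isn"] + 1:
                st.update(stage=2, synack=p, server_isn=p.seq)
        elif kind == "ACK":           # step 3: Seq = client ISN + 1, Ack = server ISN + 1
            key = (p.src, p.sport, p.dst, p.dport)
            st = pending.get(key)
            if st and st["stage"] == 2 and p.seq == st["client_isn"] + 1 and p.ack == st["server_isn"] + 1:
                c, s = st["client_isn"], st["server_isn"]
                completed.append({
                    "client": f"{key[0]}:{key[1]}", "server": f"{key[2]}:{key[3]}",
                    "packets": (st["syn"].no, st["synack"].no, p.no),
                    # Relative numbers, as Wireshark displays them.
                    "relative": {"syn": st["syn"].seq - c,
                                 "syn_ack": (st["synack"].seq - s, st["synack"].ack - c),
                                 "ack": (p.seq - c, p.ack - s)},
                })
                del pending[key]
    incomplete = [{"client": f"{k[0]}:{k[1]}", "server": f"{k[2]}:{k[3]}",
                   "stage": st["stage"], "first_packet": st["syn"].no}
                  for k, st in pending.items()]
    return completed, incomplete

if __name__ == "__main__":
    done, half = find_handshakes(CAPTURE)
    for h in done:
        print("complete ", h["client"], "->", h["server"], "packets", h["packets"], h["relative"])
    for h in half:
        print("incomplete", h["client"], "->", h["server"], "stopped after stage", h["stage"])
```

Packet 7 illustrates why the Ack check matters: its flags look like a third handshake packet, but its acknowledgement number does not equal the server ISN + 1, so the flow to port 80 stays incomplete at stage 2 rather than being counted as established.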

Common Wireshark Operations

Adjust the timestamp display format via View → Time Display Format → Date and Time of Day for easier analysis. Wireshark can also be used alongside network simulators to inspect the traffic of lab topologies and verify project configurations more accurately.

These steps provide a practical foundation for using Wireshark to capture, filter, and analyze network traffic.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: information security, capture filters, display filters, network analysis, packet capture, Wireshark, TCP handshake

Written by Liangxu Linux

Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)
