Wireshark Packet Capture and Filtering Guide
This guide introduces Wireshark’s packet capture process, from selecting network interfaces and configuring capture filters to analyzing captured data with display filters, interpreting protocol layers, and performing detailed TCP flow analysis, providing practical examples and filter expressions for effective network troubleshooting and security investigations.
Wireshark is a popular, free network packet analysis tool that can capture and dissect protocols such as HTTP, TCP, UDP, SMTP, and more. Before using Wireshark, users should understand basic network protocols.
The interface shows a menu bar, toolbar, interface list, and start button. Users select the appropriate network interface (e.g., local Ethernet or Wi‑Fi) and can set a capture filter to limit which packets are recorded.
During capture, packets appear in real time. The main UI components include the Display Filter (post‑capture filtering), Packet List Pane (summary of each packet), Packet Details Pane (field‑by‑field breakdown), and Dissector Pane (hex view). Columns show packet number, timestamp, source, destination, protocol, and info.
Detailed protocol layers are displayed hierarchically: Frame, Ethernet II, IPv4, TCP, and application‑layer protocols such as HTTP. Users can expand each layer to see header fields.
Wireshark provides powerful filter expressions. Examples include IP address filters (`ip.src == 10.x.x.x`, `ip.dst == 10.x.x.x`), port filters (`tcp.port == 80`, `udp.dstport == 53`), protocol filters (`tcp`, `udp`, `icmp`, `http`), MAC address filters (`eth.src == aa:bb:cc:dd:ee:ff`), length filters (`frame.len == 60`), HTTP content filters (`http.request.method == GET`), TCP flag filters (`tcp.flags.syn == 0x02`), and raw content filters (`tcp[20:3] == 50:4f:53`).
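To show what these expressions actually test on the wire, here is an added Python example (not code from the original article) that assembles a constructed Ethernet II/IPv4/TCP frame with made-up addresses and ports and evaluates several of the guide's filters against it. It also shows two things the filter list alone does not: `tcp[20:3]` only lands on the payload when the TCP header carries no options, and Wireshark's `tcp.flags.syn` is a boolean field, while 0x02 is the SYN bit's value inside `tcp.flags`.

```python
import struct

def build_frame(payload: bytes, syn: bool = False, tcp_options: bytes = b"") -> bytes:
    """Constructed sample frame (not a real capture); tcp_options length must be a multiple of 4."""
    tcp_hdr_len = 20 + len(tcp_options)
    flags = 0x02 if syn else 0x18          # SYN for the handshake, PSH+ACK for a data segment
    tcp = struct.pack("!HHIIBBHHH", 52000, 80, 1000, 2000,
                      (tcp_hdr_len // 4) << 4, flags, 65535, 0, 0) + tcp_options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0x4000,
                     64, 6, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 80]))
    return bytes.fromhex("001122334455aabbccddeeff") + b"\x08\x00" + ip + tcp + payload

def dissect(frame: bytes) -> dict:
    """Pull out the fields the guide's filters refer to, honouring IHL and the TCP data offset."""
    f = {"frame.len": len(frame), "eth.src": ":".join(f"{b:02x}" for b in frame[6:12])}
    ip_off = 14                                   # Ethernet II header is 14 bytes
    ihl = (frame[ip_off] & 0x0F) * 4              # IPv4 header length in bytes
    f["ip.src"] = ".".join(map(str, frame[ip_off + 12:ip_off + 16]))
    f["ip.dst"] = ".".join(map(str, frame[ip_off + 16:ip_off + 20]))
    tcp_off = ip_off + ihl
    f["tcp.srcport"], f["tcp.dstport"] = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
    data_off = (frame[tcp_off + 12] >> 4) * 4     # TCP header length, 20 plus options
    f["tcp.flags"] = frame[tcp_off + 13]
    f["tcp.flags.syn"] = 1 if f["tcp.flags"] & 0x02 else 0
    f["tcp"] = frame[tcp_off:]                    # tcp[a:b] slices count from the TCP header start
    f["tcp.payload"] = frame[tcp_off + data_off:]  # payload begins only after any options
    return f

def check_filters(frame: bytes) -> dict:
    """Evaluate several of the guide's display filters against one frame."""
    f = dissect(frame)
    return {
        "ip.src == 10.0.0.5": f["ip.src"] == "10.0.0.5",
        "tcp.port == 80": 80 in (f["tcp.srcport"], f["tcp.dstport"]),  # matches either port
        "eth.src == aa:bb:cc:dd:ee:ff": f["eth.src"] == "aa:bb:cc:dd:ee:ff",
        "tcp.flags.syn == 1": f["tcp.flags.syn"] == 1,   # boolean field, not the 0x02 bit value
        "tcp.flags == 0x002": f["tcp.flags"] == 0x02,    # whole flags word equals SYN only
        "tcp[20:3] == 50:4f:53": f["tcp"][20:23] == bytes.fromhex("504f53"),
        "tcp.payload[0:3] == 50:4f:53": f["tcp.payload"][:3] == b"POS",
    }

if __name__ == "__main__":
    post = build_frame(b"POST / HTTP/1.1\r\n")
    post_mss = build_frame(b"POST / HTTP/1.1\r\n", tcp_options=b"\x02\x04\x05\xb4")  # 4-byte MSS option
    for name, frame in (("no options", post), ("with MSS option", post_mss)):
        print(name, check_filters(frame))
```

With the MSS option present, `tcp[20:3]` reads the option bytes rather than "POS", so a payload-relative filter such as `tcp.payload[0:3]` is the robust way to match request content.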
A complete TCP flow example demonstrates the three‑way handshake, data transfer, and four‑step termination, with screenshots illustrating each packet.
The article concludes that mastering Wireshark is essential for traffic inspection, troubleshooting, and detecting malicious activity.
360 Quality & Efficiency
360 Quality & Efficiency focuses on seamlessly integrating quality and efficiency in R&D, sharing 360’s internal best practices with industry peers to foster collaboration among Chinese enterprises and drive greater efficiency value.