Wireshark - Packet Capturing and Analyzing

Last Updated : 30 Apr, 2026

Wireshark is a powerful network protocol analyzer used to capture and inspect packets traveling across a network. It helps users understand traffic flow, detect issues, and analyze protocols in deep detail.

  • Captures live traffic from a network interface (normally with the interface in promiscuous mode) and stores it in pcap or pcapng files for analysis.
  • Provides detailed views of packets with filtering options to isolate specific IPs, ports, or protocols.
  • Useful for troubleshooting, security monitoring, and learning how networks and applications communicate.

1. Packet Capturing

Wireshark captures network traffic from a Network Interface Card (NIC), by default with the NIC in promiscuous mode, so that frames not addressed to your own MAC are passed up instead of being discarded. Promiscuous mode only changes what the NIC accepts, not what reaches it: on a switched network you still see only the traffic the switch sends to your port (your own unicast, broadcast and multicast) unless you capture from a SPAN/mirror port, a network tap, or on the host whose traffic you care about. On Wi-Fi, seeing other stations' frames additionally requires monitor mode.

How Capturing Works

  • Captures traffic in real time and stores it in .pcap (classic libpcap) or .pcapng (the current default, which also records interface and comment metadata) file formats
  • Uses a packet capture library below the GUI: libpcap on Linux and macOS, and Npcap (the Nmap project's driver, successor to WinPcap) on Windows
  • Supports capture filters to limit what is collected; these use the tcpdump/BPF syntax and match on header fields, so "only HTTP" is expressed as `port 80`, not by protocol name

2. Packet Analysis

After capturing, Wireshark offers powerful tools to analyze packets in depth. You can narrow the view using display filters, making it easier to inspect specific conversations or protocols.

Three Analysis Views

  • Packet List Pane: Summary of all packets
  • Packet Details Pane: Layer-by-layer protocol breakdown
  • Packet Bytes Pane: Raw hexadecimal + ASCII view

Examples of display filters:

  • tcp.port == 80
  • ip.addr == 192.168.1.5
  • http.request.uri contains "login"
  • ip.src == 192.168.0.0/16 and ip.dst == 192.168.0.0/16

Role of Packet Sniffing in Network Analysis

Packet sniffing is a crucial part of network reconnaissance, monitoring, and troubleshooting.

Wireshark helps you:

  • Detect network issues
  • Identify malicious or suspicious traffic
  • Debug and test network applications
  • Learn how protocols and packets really work

It acts like an “X-ray machine” for network communication.

  • The start screen lists the interfaces on your device, each with a small activity graph so you can see which one is carrying traffic.
  • To start sniffing, select an interface and click the blue shark fin icon in the top left corner (or double-click the interface).
  • The capture screen has three panes.
  • The top pane shows real-time traffic, the middle one shows the protocol breakdown of the selected packet, and the bottom pane shows the raw packet bytes.
  • Each row of the top pane shows the packet number, time, source address (IPv4 or IPv6), destination address, protocol, length, and an Info column that summarises the packet; source and destination ports appear in Info and can be added as columns of their own.
  • Since many packets go in and out every second, reading all of them or hunting for one type by eye is tedious.
  • This is why filters are provided.
  • Packets can be filtered on parameters like IP address, port number, or protocol, either at the capture level or at the display level. A capture filter decides what is written to the file; a display filter does not affect capture and only controls which of the recorded packets are visible during analysis.

Capture Filters

Capture filters in Wireshark are set before the capture starts and are applied by the capture driver to every packet as it arrives. Anything they reject is never recorded, which keeps files small and reduces noise, but also means it cannot be recovered later; when you are unsure what you will need, capture broadly and narrow down with display filters instead.

Common Capture Filters

1. host: Captures traffic to or from a specific device
Example: host 192.168.1.10

2. net: Captures traffic within a network or subnet
Example: net 192.168.1.0/24

Can be prefixed with src or dst for direction control:

  • src net 10.0.0.0/8
  • dst net 172.16.0.0/16

3. port: Captures traffic on a specific port
Example: port 80
Can also use direction:

  • src port 53
  • dst port 443

4. Logical Operators: Used to combine multiple conditions

  • and
  • or
  • not

Example: host 10.0.0.5 and not port 22

Display Filter Examples

Display filters refine captured traffic and help focus on specific packets; every packet stays in the file, only the view changes.

  • tcp.port == 80 or udp.port == 53: Shows traffic on specific TCP or UDP ports (each port field matches either the source or the destination port)
  • http.request.uri matches "parameter=value$": Shows HTTP requests whose URI ends with a specific parameter; matches takes a regular expression and is case-insensitive by default, whereas contains is a case-sensitive substring test
  • ip.src == 192.168.0.0/16 and ip.dst == 192.168.0.0/16: Shows traffic within a specific network range
  • Logical operators (and, or, not) can also be used here. To exclude a host, write !(ip.addr == 192.168.1.5) rather than ip.addr != 192.168.1.5: because ip.addr covers two fields (source and destination), the != form has carried different meanings across Wireshark versions and is easy to misread.
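As an added example (not code from the page or from the Wireshark project), the script below builds a few constructed packets, writes them as a classic .pcap file, reads the file back, and implements the ip.addr, tcp.port/udp.port and subnet predicates with the same either-direction semantics as the display filters listed above. It also shows the capture-versus-display distinction from the earlier section: the "not port 22" step runs before anything is written, so that frame is absent from the file. Function names, the MAC and IP addresses, and the payload are this example's own assumptions.

```python
"""Classic .pcap writer/reader with display-filter-style predicates.

Added example, not Wireshark's own code. All packets are constructed test
data: made-up MACs and IPs, zero checksums, no live capture involved.
"""
import socket
import struct
from ipaddress import ip_address, ip_network

LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def build_packet(src_ip, dst_ip, proto, sport, dport, payload=b""):
    """Ethernet/IPv4/{TCP,UDP} frame. Checksums are left zero: Wireshark
    still dissects the packet, it just flags the checksum as bad."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("6677889900aa") \
        + struct.pack("!H", ETHERTYPE_IPV4)
    if proto == PROTO_TCP:    # ports, seq, ack, data offset 5 + ACK flag, window, csum, urg
        l4 = struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | 0x10, 65535, 0, 0)
    elif proto == PROTO_UDP:  # ports, length, csum
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    else:
        raise ValueError("only TCP and UDP are built here")
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + l4


def write_pcap(frames, ts0=1_700_000_000):
    """Serialise frames as a classic libpcap file: 24-byte global header,
    then a 16-byte record header per frame. pcapng uses a different layout."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", ts0 + i, 0, len(f), len(f)) + f
    return out


def parse_frame(frame, ts):
    """Pull the fields the predicates below need out of one Ethernet frame."""
    rec = {"time": ts, "ip.src": None, "ip.dst": None, "tcp.port": set(), "udp.port": set()}
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return rec
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[14 + 9]
    rec["ip.src"] = socket.inet_ntoa(frame[26:30])
    rec["ip.dst"] = socket.inet_ntoa(frame[30:34])
    l4 = 14 + ihl
    if proto in (PROTO_TCP, PROTO_UDP) and len(frame) >= l4 + 4:
        sport, dport = struct.unpack_from("!HH", frame, l4)
        rec["tcp.port" if proto == PROTO_TCP else "udp.port"] = {sport, dport}
    return rec


def read_pcap(data):
    """Parse a classic pcap byte string (either byte order) into field records."""
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng uses a block layout)")
    if struct.unpack_from(endian + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only LINKTYPE_ETHERNET is handled here")
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        records.append(parse_frame(data[off + 16:off + 16 + incl_len], ts_sec + ts_usec / 1e6))
        off += 16 + incl_len
    return records


# Display-filter-style predicates; each comment names the Wireshark syntax it imitates.
def ip_addr(addr):           # ip.addr == addr : source OR destination
    return lambda r: addr in (r["ip.src"], r["ip.dst"])

def ip_in_net(field, cidr):  # ip.src == 192.168.0.0/16 style, one direction only
    net = ip_network(cidr)
    return lambda r: r[field] is not None and ip_address(r[field]) in net

def port(proto, p):          # tcp.port == p / udp.port == p : source OR destination port
    return lambda r: p in r[proto + ".port"]

def exclude_host(addr):      # !(ip.addr == addr) : the unambiguous way to drop a host
    return lambda r: not ip_addr(addr)(r)

def any_ne_host(addr):       # "any field not equal" reading of ip.addr != addr
    return lambda r: any(v is not None and v != addr for v in (r["ip.src"], r["ip.dst"]))

def display_filter(records, *preds):  # implicit 'and' between predicates
    return [r for r in records if all(p(r) for p in preds)]


def sample_packets():  # constructed traffic: one HTTP, one DNS, one SSH, one HTTPS
    return [
        build_packet("192.168.1.10", "93.184.216.34", PROTO_TCP, 51000, 80, b"GET /login HTTP/1.1\r\n"),
        build_packet("192.168.1.10", "192.168.1.1", PROTO_UDP, 53001, 53),
        build_packet("192.168.1.20", "192.168.1.10", PROTO_TCP, 22, 55000),
        build_packet("10.0.0.5", "192.168.1.20", PROTO_TCP, 443, 44000),
    ]


def demo(path=None):
    # Capture-filter analogue ('not port 22'): applied BEFORE anything is written,
    # so the SSH frame never reaches the file and no display filter can recover it.
    captured = [f for f in sample_packets() if 22 not in parse_frame(f, 0)["tcp.port"]]
    data = write_pcap(captured)
    if path:
        with open(path, "wb") as fh:  # open this file in Wireshark to compare
            fh.write(data)
    recs = read_pcap(data)
    return {
        "recorded": len(recs),
        "tcp.port == 80": len(display_filter(recs, port("tcp", 80))),
        "ip.addr == 192.168.1.10": len(display_filter(recs, ip_addr("192.168.1.10"))),
        "internal only": len(display_filter(recs, ip_in_net("ip.src", "192.168.0.0/16"),
                                            ip_in_net("ip.dst", "192.168.0.0/16"))),
        "!(ip.addr == 192.168.1.10)": len(display_filter(recs, exclude_host("192.168.1.10"))),
        "any-not-equal 192.168.1.10": len(display_filter(recs, any_ne_host("192.168.1.10"))),
    }


if __name__ == "__main__":
    for k, v in demo("constructed.pcap").items():
        print(f"{k:32} {v}")
```

Running it writes constructed.pcap, which Wireshark opens as three Ethernet/IPv4 frames. The last two counters are the point of the != caveat: excluding a host with !(ip.addr == ...) keeps one packet, while the "any field not equal" reading keeps all three, because every packet has at least one address that is not the host.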

Wireshark Plugins

Wireshark supports plugins to extend its functionality. Dissector plugins can be written in C, compiled against the Wireshark headers, or in Lua, which Wireshark loads as scripts from its personal or global plugin folders (Help > About Wireshark > Folders lists the paths). Plugins can:

  • Provide deeper insights and custom statistics
  • Add dissectors for new, proprietary, or custom protocols so their fields become filterable like any built-in protocol
  • Improve collaboration with other tools or monitoring frameworks
  • Help manage capture file formats and troubleshooting

Plugins make Wireshark adaptable for advanced network forensics and custom workflow needs.

Applications of Wireshark

Wireshark can be used for a wide range of practical tasks, such as:

  • Diagnosing network or Wi-Fi connectivity problems
  • Monitoring devices for unusual or malicious traffic
  • Testing and debugging network-enabled applications
  • Learning and teaching how network protocols operate
  • Network forensics and security investigations