Wireshark for Beginners: Capture and Analyse Your First Packet

15 May 2025

What is Wireshark?

Wireshark is a free, open-source network protocol analyser — commonly called a packet sniffer. It captures every packet flowing through a network interface and lets you inspect each one in human-readable detail. Network engineers use it to troubleshoot slowness, diagnose protocol errors, verify firewall rules, and understand exactly how applications communicate.

Learning Wireshark is one of the most practical skills you can add as a network or security professional. It removes the guesswork from troubleshooting because you can see exactly what is on the wire.

Installing Wireshark

Wireshark is available for Windows, macOS, and Linux. Download it from wireshark.org — always use the official site. During Windows installation, also install Npcap (the packet capture driver) when prompted.

On Ubuntu/Debian: sudo apt install wireshark

On macOS: brew install wireshark

Capturing Your First Packets

  1. Open Wireshark — you will see a list of network interfaces
  2. Select your active interface (usually Wi-Fi or Ethernet — it shows a live graph of traffic)
  3. Click the blue shark-fin button to start capture
  4. Open a browser and visit any website
  5. Click the red square to stop capture after 10–15 seconds

You now have hundreds of packets to analyse. Do not be overwhelmed — filters are how you make sense of the noise.

Essential Display Filters

Wireshark filters are your most powerful tool. Type them in the filter bar at the top:

  • http — show only HTTP traffic
  • dns — show only DNS queries and responses
  • tcp — show only TCP packets
  • ip.addr == 192.168.1.1 — traffic to/from a specific IP
  • tcp.port == 443 — HTTPS traffic only
  • icmp — show ping packets
  • !(arp or dns) — hide noisy background protocols
  • tcp.flags.syn == 1 and tcp.flags.ack == 0 — show only TCP SYN (connection initiation) packets

Reading a Packet

Click any packet in the list. The middle pane shows the protocol stack — click each layer to expand it:

  • Frame — physical capture info: timestamp, packet size
  • Ethernet II — Layer 2: source and destination MAC addresses
  • Internet Protocol (IP) — Layer 3: source and destination IP addresses, TTL
  • TCP/UDP — Layer 4: source and destination ports, flags, sequence numbers
  • Application layer — Layer 7: actual data (HTTP headers, DNS query name, etc.)

The TCP Three-Way Handshake in Wireshark

One of the most educational exercises is watching a TCP connection establish. Filter for tcp and look for three sequential packets:

  1. SYN — client sends connection request (Flags: SYN)
  2. SYN-ACK — server acknowledges and agrees (Flags: SYN, ACK)
  3. ACK — client confirms (Flags: ACK)

Right-click the SYN packet → Follow → TCP Stream to see the entire conversation. For unencrypted protocols such as HTTP the content is readable plain text; for an HTTPS connection the stream shows only the TLS handshake followed by encrypted application data.
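To make the layer walk from "Reading a Packet" and the handshake flags above concrete, here is a small added example in Python (not code from this post or from the Wireshark project). It builds constructed Ethernet II/IPv4/TCP frames, dissects them layer by layer the way the middle pane does, and labels SYN, SYN-ACK, ACK and RST packets with the same flag tests the display filters use. The frame builder, the addresses and the field names are assumptions for illustration only.

```python
import socket
import struct

SYN, RST, ACK = 0x02, 0x04, 0x10  # TCP flag bits, found in byte 13 of the TCP header

def build_frame(src_ip, dst_ip, sport, dport, flags, seq=0, ttl=64):
    """Constructed Ethernet II / IPv4 / TCP frame for testing (checksums zeroed, no payload)."""
    eth = bytes.fromhex("66778899aabb") + bytes.fromhex("001122334455") + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, ttl, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp

def parse_frame(frame):
    """Walk the layers Wireshark's middle pane shows: Ethernet II -> IP -> TCP."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800 or frame[23] != 6:
        raise ValueError("this example dissects IPv4/TCP frames only")
    ihl = (frame[14] & 0x0F) * 4              # IP header length in bytes
    t = 14 + ihl                              # offset of the TCP header
    sport, dport, seq = struct.unpack("!HHI", frame[t:t + 8])
    return {"dst_mac": frame[0:6].hex(":"), "src_mac": frame[6:12].hex(":"),   # Layer 2
            "src_ip": socket.inet_ntoa(frame[26:30]),                         # Layer 3
            "dst_ip": socket.inet_ntoa(frame[30:34]), "ttl": frame[22],
            "src_port": sport, "dst_port": dport, "seq": seq, "flags": frame[t + 13]}  # Layer 4

def handshake_step(pkt):
    """Label the three handshake steps from the post; anything else returns None."""
    syn, ack = bool(pkt["flags"] & SYN), bool(pkt["flags"] & ACK)
    if syn and not ack:
        return "SYN"          # tcp.flags.syn == 1 and tcp.flags.ack == 0
    if syn and ack:
        return "SYN-ACK"
    if pkt["flags"] == ACK:
        return "ACK"          # a pure ACK, as in step 3 (later pure ACKs match too)
    return None

def is_reset(pkt):
    return bool(pkt["flags"] & RST)  # tcp.flags.reset == 1

if __name__ == "__main__":
    # Constructed handshake to a web server plus one refused connection; not a real capture.
    frames = [
        build_frame("192.168.1.10", "203.0.113.5", 51000, 443, SYN, seq=100),
        build_frame("203.0.113.5", "192.168.1.10", 443, 51000, SYN | ACK, seq=500),
        build_frame("192.168.1.10", "203.0.113.5", 51000, 443, ACK, seq=101),
        build_frame("203.0.113.5", "192.168.1.10", 8080, 51001, RST | ACK),
    ]
    for pkt in map(parse_frame, frames):
        label = handshake_step(pkt) or ("RST" if is_reset(pkt) else "-")
        print(f'{pkt["src_ip"]}:{pkt["src_port"]} -> {pkt["dst_ip"]}:{pkt["dst_port"]}  {label}')
```

Comparing the printed labels with what Wireshark shows in the Info column for the same three packets is a quick way to check that you are reading the flags correctly.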

Practical Troubleshooting Scenarios

  • Slow website: Filter for http, look at response times. Large delays between request and response indicate server-side issues.
  • DNS failures: Filter dns, look for queries with no matching response — your DNS server may be dropping packets.
  • Connection refused: Filter tcp.flags.reset == 1 — RST packets indicate a port is closed or a firewall is blocking.
  • Packet loss: Use Statistics → TCP Stream Graph → Time-Sequence Graph to visualise retransmissions.

Wireshark in Your Career

Wireshark proficiency is expected of any serious network or security engineer. It appears in job descriptions for network analyst, NOC engineer, security analyst, and penetration tester roles. More importantly, it makes you dramatically better at debugging — you stop guessing and start seeing.

Start by capturing traffic on your home network for 10 minutes a day. You will quickly learn to recognise normal traffic patterns, which makes spotting anomalies intuitive rather than academic.