Wireshark – GUI Packet Analyzer

What is Wireshark?

Definition: Wireshark is a free, open-source graphical network protocol analyzer that enables users to capture, display, and analyze network packets in real time. It is widely used for troubleshooting, security auditing, and educational purposes.

Primary Uses

  • Network troubleshooting and diagnostics
  • Protocol analysis and learning
  • Security auditing and incident response
  • Teaching networking fundamentals

Role in Network Protocol Analysis and Troubleshooting

  • Offers a detailed, packet-level view of traffic for deep inspection
  • Identifies latency, retransmissions, protocol errors, and abnormal activity
  • Supports advanced filtering, statistics, and graphical analysis

Installing and Launching Wireshark

  • Supported Platforms: Windows, Linux, macOS
  • Install: Download from wireshark.org and follow the instructions.
  • Launch: Open the Wireshark application from your OS menu or start menu.

Capturing Packets

  1. Select Network Interface: Wireshark lists every interface it can open (Ethernet, Wi-Fi, loopback, etc.) with a small activity graph beside each. Pick the one carrying your target traffic. Capturing needs privileges: on Linux the dumpcap helper that Wireshark uses for capture must be allowed to open raw sockets (normally by adding your user to the wireshark group); on Windows the Npcap driver provides this.
  2. Set Capture Filter (BPF syntax): Optionally limit what is recorded before you start (e.g., tcp port 80 for HTTP). Packets excluded by a capture filter are never written, so they cannot be recovered later.
  3. Start/Stop Capture: Click the blue shark fin button to start; click the red square to stop.

Wireshark Interface Components

Pane              Description
Packet List       Chronological list of all captured packets, one row per frame
Packet Details    Layer-by-layer breakdown of the selected packet
Packet Bytes      Raw hex/ASCII representation of the selected packet

Using Filters

  • Capture Filters: Set before capturing, use BPF/libpcap syntax (e.g., host 192.168.1.10 or port 443). They are applied by the capture engine, so anything they drop is never recorded.
  • Display Filters: Apply after (or during) capturing, use Wireshark's own field-based syntax (e.g., ip.addr == 10.1.1.1 or tcp.flags.syn == 1). They only hide rows; the full capture is kept, so you can change them freely.
  • The two syntaxes are not interchangeable: tcp port 80 is valid BPF but not a display filter, and tcp.port == 80 is a valid display filter but not a capture filter.

Filter Type   Syntax Example                 Purpose
Capture       tcp port 22                    Only SSH traffic
Display       tcp.analysis.retransmission    Show TCP retransmissions
Display       icmp                           Show all ICMP (ping) packets
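
What the three panes and the filter bar do behind the scenes, as an added example that is not code from the page or from the Wireshark project: it writes a small classic-format pcap file of constructed packets (not a real capture: a TCP handshake from a placeholder client 10.1.1.5 to a placeholder server 10.1.1.20, a plaintext HTTP login, the reply, and a ping to 8.8.8.8), reads the file back, dissects Ethernet/IPv4/TCP/ICMP into Wireshark's own field names, and evaluates a small subset of display-filter syntax over the result. Function names, addresses and the request text are this example's own; the pcap, Ethernet, IPv4, TCP and ICMP layouts are the real formats, so the file it writes opens in Wireshark.

```python
"""Added example: write a small pcap, read it back, and evaluate Wireshark-style display filters.
Standard library only; every packet here is constructed, not captured from a network."""
import socket, struct, tempfile

ETH_IPV4, PROTO_ICMP, PROTO_TCP = 0x0800, 1, 6

def inet_checksum(data):
    """RFC 1071 ones-complement sum, used for the IPv4 and ICMP headers."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def frame(src_mac, dst_mac, src_ip, dst_ip, proto, l4):
    """Ethernet II + IPv4 header around a finished layer-4 payload."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0x4000, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return bytes.fromhex((dst_mac + src_mac).replace(":", "")) + struct.pack("!H", ETH_IPV4) + ip + l4

def tcp(sport, dport, seq, ack, flags, payload=b""):
    # 20-byte header; checksum left 0 (Wireshark does not validate TCP checksums by default)
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload

def write_pcap(path, records):
    """Classic pcap: 24-byte global header (link type 1 = Ethernet), then a 16-byte header per record."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for ts, data in records:
            f.write(struct.pack("<IIII", int(ts), round(ts % 1 * 1e6), len(data), len(data)) + data)

def dissect(data, ts):
    """Minimal dissector that names fields the way Wireshark's Packet Details pane does."""
    pkt = {"frame.time": ts, "frame.len": len(data), "frame": data, "eth.src": data[6:12].hex(":")}
    if struct.unpack("!H", data[12:14])[0] != ETH_IPV4:
        return pkt
    ihl, proto = (data[14] & 0x0F) * 4, data[23]
    pkt.update({"ip.src": socket.inet_ntoa(data[26:30]), "ip.dst": socket.inet_ntoa(data[30:34]), "ip.proto": proto})
    l4 = data[14 + ihl:]
    if proto == PROTO_TCP:
        sport, dport, seq, ack, off, flags = struct.unpack("!HHIIBB", l4[:14])
        pkt.update({"tcp.srcport": sport, "tcp.dstport": dport, "tcp.seq": seq, "tcp.ack": ack,
                    "tcp.flags.syn": flags >> 1 & 1, "tcp.flags.ack": flags >> 4 & 1,
                    "tcp.payload": l4[(off >> 4) * 4:]})
    elif proto == PROTO_ICMP:
        pkt["icmp.type"] = l4[0]
    return pkt

def read_pcap(path):
    with open(path, "rb") as f:
        blob = f.read()
    endian = "<" if struct.unpack("<I", blob[:4])[0] == 0xA1B2C3D4 else ">"
    pos, packets = 24, []
    while pos + 16 <= len(blob):
        sec, usec, incl_len, _ = struct.unpack(endian + "IIII", blob[pos:pos + 16])
        packets.append(dissect(blob[pos + 16:pos + 16 + incl_len], sec + usec / 1e6))
        pos += 16 + incl_len
    return packets

def match(pkt, expr):
    """Subset of display-filter syntax: bare 'tcp'/'icmp', 'field == value', 'frame contains "text"',
    joined with && / ||. ip.addr and tcp.port match either direction, as in Wireshark."""
    if " || " in expr:
        return any(match(pkt, e) for e in expr.split(" || "))
    if " && " in expr:
        return all(match(pkt, e) for e in expr.split(" && "))
    if expr in ("tcp", "icmp"):
        return pkt.get("ip.proto") == {"tcp": PROTO_TCP, "icmp": PROTO_ICMP}[expr]
    field, op, value = expr.split(" ", 2)
    if op == "contains":
        return value.strip('"').encode() in pkt["frame"]
    both = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport")}
    return value in [str(pkt.get(f)) for f in both.get(field, (field,))]

def sample_capture(path=tempfile.gettempdir() + "/constructed.pcap"):
    """Constructed capture: handshake, a plaintext HTTP login carrying a password, the reply, a ping."""
    c, s, cm, sm = "10.1.1.5", "10.1.1.20", "aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55"
    req = b"GET /login?user=bob&password=hunter2 HTTP/1.1\r\nHost: example.test\r\n\r\n"
    echo = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
    echo = echo[:2] + struct.pack("!H", inet_checksum(echo)) + echo[4:]
    write_pcap(path, [
        (1.000, frame(cm, sm, c, s, PROTO_TCP, tcp(51000, 80, 100, 0, 0x02))),                 # SYN
        (1.020, frame(sm, cm, s, c, PROTO_TCP, tcp(80, 51000, 500, 101, 0x12))),               # SYN/ACK
        (1.021, frame(cm, sm, c, s, PROTO_TCP, tcp(51000, 80, 101, 501, 0x10))),               # ACK
        (1.022, frame(cm, sm, c, s, PROTO_TCP, tcp(51000, 80, 101, 501, 0x18, req))),          # GET
        (1.050, frame(sm, cm, s, c, PROTO_TCP, tcp(80, 51000, 501, 101 + len(req), 0x18, b"HTTP/1.1 200 OK\r\n\r\n"))),
        (2.000, frame(cm, sm, c, "8.8.8.8", PROTO_ICMP, echo)),                                # echo request
    ])
    return path

def apply_filter(path, expr):
    """1-based frame numbers that satisfy the filter, as the Packet List would show them."""
    return [i for i, p in enumerate(read_pcap(path), 1) if match(p, expr)]
```

Run sample_capture(), open the constructed.pcap it writes to your temp directory in Wireshark, and type the same expressions into the filter bar: tcp.flags.syn == 1 selects frames 1 and 2, tcp.port == 80 frames 1 to 5, frame contains "password" frame 4, and icmp frame 6. Wireshark's real evaluator also understands !=, ranges, matches and hundreds of protocols; this one is deliberately limited to the forms used in the filter tables on this page.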

Analyzing Packets

  • Protocol Hierarchy: Statistics > Protocol Hierarchy for traffic breakdown by protocol
  • Follow Streams: Right-click a packet > Follow TCP/UDP Stream to reconstruct a session
  • Inspect Details: Expand fields in the Details pane to drill into protocol headers and payloads

Color Coding and Highlighting

  • Packets are colored by default rules, each of which is a display-filter expression, so protocol and event types stand out at a glance (e.g., ARP, DNS, TCP SYN/FIN). Under the default profile, "Bad TCP" packets such as retransmissions and resets show as red text on a black background.
  • Custom color rules: View > Coloring Rules lets you add your own filter-to-color mappings; rules are evaluated top-down and the first match wins, so place yours above the defaults.

Saving and Exporting Captures

  • Save all packets: File > Save As to .pcapng (the default, which keeps interface and comment metadata) or classic .pcap for tools that only read that format
  • Export a subset: File > Export Specified Packets writes only the displayed, marked, or selected packets to a new capture file
  • Export dissections: File > Export Packet Dissections writes plain text, CSV, JSON, or PSML/PDML XML for reporting
  • Export transferred files: File > Export Objects (HTTP, SMB, and others) reconstructs files carried inside the capture

Using Wireshark for Troubleshooting

  • Latency or retransmission: Statistics > Conversations to find the busiest or longest-lived flows, then tcp.analysis.* display filters (retransmission, duplicate_ack, zero_window) on the suspect stream
  • Malformed packets or errors: Analyze > Expert Information groups dissector errors, warnings, and notes by severity
  • Connectivity issues: Analyze the three-way handshake (a SYN with no SYN/ACK points at filtering or a dead host), missing responses, and DNS failures (dns.flags.rcode != 0)
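
Follow TCP Stream (from Analyzing Packets) and the tcp.analysis.* checks used in troubleshooting, as an added example that is not code from the page or from Wireshark. It works on segments that have already been dissected; the six constructed ones below are a placeholder exchange between 10.1.1.5 and 10.1.1.20 with a slow SYN/ACK, a GET the client resends because no ACK arrived, and a 500 reply. follow_stream reassembles each direction by sequence number so the retransmitted request appears once, as the Follow window shows it, and expert_info produces the kind of notes Analyze > Expert Information would: handshake delay, retransmission, and the time from the last request data to the reply. Field and function names are this example's own.

```python
"""Added example: follow a TCP stream and flag retransmissions and delays from dissected segments.
The segments below are constructed, not captured."""
from collections import namedtuple

Seg = namedtuple("Seg", "no time src sport dst dport seq flags payload")
SYN, PSH, ACK = 0x02, 0x08, 0x10

# Constructed exchange: slow SYN/ACK, a GET the client has to resend, then a 500 from the server.
C, S = "10.1.1.5", "10.1.1.20"
REQUEST = b"GET /login HTTP/1.1\r\nHost: example.test\r\n\r\n"
RESPONSE = b"HTTP/1.1 500 Internal Server Error\r\nContent-Length: 0\r\n\r\n"
SEGMENTS = [
    Seg(1, 0.000, C, 51000, S, 80, 1000, SYN, b""),
    Seg(2, 0.180, S, 80, C, 51000, 5000, SYN | ACK, b""),
    Seg(3, 0.181, C, 51000, S, 80, 1001, ACK, b""),
    Seg(4, 0.182, C, 51000, S, 80, 1001, PSH | ACK, REQUEST),
    Seg(5, 1.200, C, 51000, S, 80, 1001, PSH | ACK, REQUEST),   # same seq and data: retransmission
    Seg(6, 1.250, S, 80, C, 51000, 5001, PSH | ACK, RESPONSE),
]

def stream_key(seg):
    """Direction-agnostic identity of a conversation, like Wireshark's tcp.stream index."""
    return frozenset({(seg.src, seg.sport), (seg.dst, seg.dport)})

def follow_stream(segments, client, server):
    """Reassemble each direction in sequence order, dropping bytes already delivered,
    which is what Follow TCP Stream displays (retransmitted data shows up only once)."""
    out = {}
    for side, (src, dst) in {"client": (client, server), "server": (server, client)}.items():
        data, next_seq = bytearray(), None
        for seg in sorted((s for s in segments if (s.src, s.dst) == (src, dst) and s.payload),
                          key=lambda s: s.seq):
            next_seq = seg.seq if next_seq is None else next_seq
            end = seg.seq + len(seg.payload)
            if end <= next_seq:                          # whole segment already seen: skip it
                continue
            data += seg.payload[max(0, next_seq - seg.seq):]   # trim an overlapping prefix
            next_seq = end
        out[side] = bytes(data)
    return out

def expert_info(segments):
    """Heuristics resembling Expert Information: handshake RTT, tcp.analysis.retransmission,
    and how long the other side took to answer after the last request data."""
    notes, syn_time, highest_end, last_data = [], {}, {}, {}
    for seg in sorted(segments, key=lambda s: s.time):
        key, direction = stream_key(seg), (seg.src, seg.sport, seg.dst, seg.dport)
        if seg.flags & SYN and not seg.flags & ACK:
            syn_time[key] = seg.time
        elif seg.flags & SYN and key in syn_time:
            notes.append((seg.no, f"SYN/ACK {(seg.time - syn_time[key]) * 1000:.0f} ms after SYN"))
        if not seg.payload:
            continue
        end = seg.seq + len(seg.payload)
        if end <= highest_end.get(direction, 0):          # nothing new beyond what was already sent
            notes.append((seg.no, "tcp.analysis.retransmission"))
        highest_end[direction] = max(highest_end.get(direction, 0), end)
        prev = last_data.get(key)
        if prev and prev[0] != direction:
            notes.append((seg.no, f"reply {(seg.time - prev[1]) * 1000:.0f} ms after frame {prev[2]}"))
        last_data[key] = (direction, seg.time, seg.no)
    return notes
```

The retransmission test is the same idea Wireshark applies: a data segment that ends at or before the highest sequence number already seen in that direction carries nothing new. Wireshark refines this further (fast retransmission, spurious retransmission, out-of-order) using the acknowledgements and timing, which is why a single frame can carry several tcp.analysis flags.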

Advanced Features

  • Expert Analysis: Analyze > Expert Information for protocol errors, warnings, and notes collected during dissection
  • I/O Graphs and Flow Diagrams: Statistics > I/O Graphs plots packet or byte rates over time, one line per display filter; Statistics > Flow Graph draws a per-packet sequence diagram between hosts
  • Plugins and Dissectors: Add support for new or custom protocols with a Lua dissector script or a compiled C plugin

Security and Privacy Considerations

  • Captured traffic may include credentials, session cookies, API tokens, and private data, so treat capture files as sensitive and restrict who can read them. If you log TLS session keys (SSLKEYLOGFILE) to decrypt traffic, the key log file is as sensitive as the capture itself.
  • Minimize privilege: Wireshark deliberately captures through the separate dumpcap helper so that the GUI and its many dissectors do not run as root; do not defeat this by launching the whole application with elevated rights.
  • Dissectors parse untrusted input. Open captures from unknown sources in a VM or other sandbox, and keep Wireshark updated.
  • Ethical Use: Only capture on networks you are authorized to analyze
  • Be aware of privacy laws and regulations in your region

Integrations and Extensions

  • Use with tcpdump: Capture on a headless box with tcpdump -i eth0 -w capture.pcap, copy the file off, and open it in Wireshark. tshark, Wireshark's command-line twin, reads and writes the same files and accepts the same display filters, which makes it the tool for scripted analysis.
  • Hand captures to other tools: pcap files can be replayed into network security monitors such as Zeek or Suricata to obtain protocol logs and signature alerts

Example: Analyzing HTTP Traffic

  1. Start Wireshark, select your interface, start capture
  2. Visit a plaintext website (e.g., http://example.com) in your browser. Most sites redirect to HTTPS, which Wireshark dissects as tls rather than http, so the application data stays encrypted unless you supply session keys (set SSLKEYLOGFILE before starting the browser and point Edit > Preferences > Protocols > TLS > (Pre)-Master-Secret log filename at that file).
  3. Apply display filter: http
  4. Right-click any HTTP packet, select Follow > TCP Stream to see the request and response as one conversation, each direction in its own color
  5. Analyze for delays between request and response, retransmissions, or server error status codes (http.response.code >= 400)

Wireshark Lab Exercises

Objective                          Steps
Capture and Analyze HTTP Traffic   1. Select interface, start capture.
                                   2. Browse to a website.
                                   3. Filter: http
                                   4. Follow TCP Stream.
                                   5. Analyze GET and response packets.
Filter & Analyze DNS Requests      1. Start capture.
                                   2. Run nslookup www.google.com in a terminal.
                                   3. Filter: dns
                                   4. Inspect queries/answers.
Find All ICMP Traffic              1. Start capture.
                                   2. Run ping 8.8.8.8.
                                   3. Filter: icmp
                                   4. Analyze round-trip times.
Detect ARP Requests and Issues     1. Filter: arp
                                   2. Check for multiple replies or repeated requests.
Save & Export Captures             1. Capture some traffic.
                                   2. Save as .pcapng.
                                   3. Export specific packets as CSV/XML.

Essential Wireshark Display Filters to Memorize

Filter                            Purpose
ip.addr == 192.168.1.10           All traffic to/from a specific IP (source or destination)
tcp.port == 80                    All TCP traffic on port 80 at either end
tcp.flags.syn == 1                TCP SYN (connection starts); add && tcp.flags.ack == 0 to keep only the initial SYN
http                              All packets the dissector recognizes as HTTP (plaintext only; HTTPS appears as tls)
dns                               All DNS traffic
icmp                              All ICMP (ping) packets
arp                               All ARP traffic
tcp.analysis.retransmission       TCP retransmissions
frame contains "password"         Packets whose raw bytes contain "password" (case-sensitive; use matches for a case-insensitive regular expression)
eth.addr == aa:bb:cc:dd:ee:ff     Traffic for a specific MAC address

Two pitfalls: ip.addr != 192.168.1.10 does not exclude that host, because a packet has two addresses and the other one still satisfies the test; write !(ip.addr == 192.168.1.10) instead. And tcp.port == 80 selects by port number while http selects by what the dissector recognized, so the two sets differ whenever HTTP runs on another port or something else runs on 80.

Common Troubleshooting Scenarios

  • Slow Web Access: Use filter http, check for retransmissions, latency, or handshake delays.
  • DNS Resolution Failures: Use filter dns, inspect for missing answers or error codes.
  • Intermittent Connectivity: Use filter icmp, check for missing or slow replies.
  • ARP Issues: Use filter arp, watch for duplicate replies or repeated requests.
  • Security/Unauthorized Access: Filters such as tcp.port == 4444 (Metasploit's default reverse-shell port) or frame contains "cmd.exe" are quick, tool-specific heuristics rather than general detection; they miss anything encrypted or renamed. Pair them with Statistics > Conversations to spot unexpected peers and long-lived connections, and look for sensitive data leaving in plaintext.

Exam Tips and Key Points

  • Understand the difference between capture and display filters
  • Know how to select the correct interface and start/stop captures
  • Be able to save/export packet captures for later analysis
  • Clearly describe each pane (list, details, bytes)
  • Always address legal and ethical responsibilities
  • For troubleshooting, always explain which filter and analysis method you’d use
  • Be familiar with following streams and using statistical tools

Wireshark – GUI Packet Analyzer Quiz

1. What is the primary use of Wireshark?

Correct answer is C. Wireshark is used for capturing and analyzing network packets in real time.

2. Which icon do you click in Wireshark to start a live capture?

Correct answer is A. The blue shark fin icon starts packet capturing.

3. What is the function of capture filters in Wireshark?

Correct answer is D. Capture filters limit the traffic recorded, using Berkeley Packet Filter syntax, before capture starts.

4. Which pane in Wireshark shows the hierarchical breakdown of protocols in a selected packet?

Correct answer is B. Packet Details Pane shows the layered protocol breakdown of the selected packet.

5. What display filter would you use to show only HTTP traffic in Wireshark?

Correct answer is A. The filter "http" shows all HTTP protocol packets.

6. How do you save a capture file in Wireshark?

Correct answer is C. Use File > Save As to save the capture in .pcap or .pcapng format.

7. What is the purpose of the “Follow TCP Stream” feature?

Correct answer is B. Follow TCP Stream shows all packets involved in one TCP session for easier analysis.

8. Which display filter shows all ARP traffic?

Correct answer is D. The filter “arp” shows all ARP packets.

9. What should you always consider when capturing packets with Wireshark?

Correct answer is A. Always ensure you have authorization and follow privacy laws when capturing network data.

10. Which feature in Wireshark helps visualize traffic trends over time?

Correct answer is C. I/O Graphs display traffic volume and trends over time.
