Reading about Wireshark teaches you nothing. Doing it teaches you everything.
This is a structured, hands-on Wireshark lab — seven real exercises, each with step-by-step instructions and annotated screenshots showing exactly what you should see on screen at every critical moment. No guessing. No confusion.
By the time you finish Lab 7, you will have captured live HTTP credentials, reconstructed a full TCP session, detected a port scan, analyzed DNS traffic, and extracted a file from a packet capture. These are skills used in real penetration tests and forensic investigations every day.
Before diving in, make sure you’re comfortable with how TCP, DNS, and ARP work. If not, read our Networking Basics for Hackers guide first — it will make every lab below significantly clearer.
Lab 1 — Your First Live Capture
⏱ 10 minutes | Difficulty: Beginner
Objective: Start Wireshark, capture live traffic, save it as a .pcap file, and identify at least three protocols.
Step 1 — Open Wireshark and select your active interface
Launch Wireshark. The Welcome Screen shows all available network interfaces. Look for the one with a moving sparkline graph — that’s the interface actively receiving traffic.
Steps 2–4 — Capture, generate traffic, and stop
Double-click the active interface. Packets begin flooding in immediately. Open your browser and visit 3 websites. Press Ctrl+E to stop, then File → Save As → name it lab1_capture.pcap.
Step 5 — Identify protocols in the Protocol column
Look at the Protocol column in the Packet List. Find at least 3 different protocols. Here’s what a typical capture looks like:
Lab 2 — Capture HTTP Credentials in Plain Text
⏱ 15 minutes | Difficulty: Beginner | ⚠ Your own machine only
Objective: Capture an HTTP POST login submission and read the username and password directly from the packet — in plain, readable text.
Steps 1–2 — Start capture and submit login form
Start a new capture. Browse to http://testphp.vulnweb.com/login.php. Enter username testuser and password testpass123. Click Login. Return to Wireshark and press Ctrl+E to stop.
Step 3 — Apply the POST filter
In the display filter bar, type http.request.method == "POST" and press Enter. You’ll see the login submission packet appear:
Step 4 — Expand the HTML Form URL Encoded layer
In the Packet Details pane below the packet list, click the arrow next to “HTML Form URL Encoded” to expand it. Your credentials appear in plain text:
Lab 3 — Follow a TCP Stream
⏱ 10 minutes | Difficulty: Beginner
Objective: Reconstruct and read a complete HTTP conversation between your browser and a web server using Follow TCP Stream.
Steps 1–2 — Capture HTTP and filter for GET requests
Start a capture, visit http://example.com or http://testphp.vulnweb.com, then stop. Apply the filter http. Find a packet labelled GET / HTTP/1.1 in the Info column.
Step 3 — Right-click → Follow → TCP Stream
Step 4 — Read the reconstructed conversation
Server (93.184.216.34:80)
Host: example.com\r\n
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\r\n
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n
Accept-Language: en-US,en;q=0.5\r\n
Connection: keep-alive\r\n
\r\n
HTTP/1.1 200 OK\r\n
Content-Type: text/html; charset=UTF-8\r\n
Server: ECS (dcb/7EEA)\r\n
Content-Length: 1256\r\n
\r\n
<!doctype html>
<html>
<head>
<title>Example Domain</title>
<meta charset="utf-8" />
<style type="text/css"> … </style>
</head>
<body>
<div>
<h1>Example Domain</h1>
<p>This domain is for use in illustrative examples …</p>
</div>
</body>
</html>
Lab 4 — DNS Traffic Analysis
⏱ 15 minutes | Difficulty: Beginner–Intermediate
Objective: Capture and analyze DNS queries and responses. Understand what DNS traffic reveals — and learn to spot C2 beaconing patterns. This pairs directly with DNS Reconnaissance with dnsrecon, where you use these same insights offensively.
Steps 1–3 — Capture DNS and identify queries vs responses
Start a capture. Apply the dns filter. Visit 5 different websites. Look at the Info column — Standard query = outbound, Standard query response = answer.
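The "Standard query" versus "Standard query response" labels Wireshark prints come from the QR bit of the DNS header, the same bit the dns.flags.response filter tests. Added example, not from the lab page: a minimal parser run over two constructed packets (an A query for example.com and its answer) that reports the fields the Info column and the reference-card filters are built from.

```python
import struct

# Constructed packets, not captured from the lab: an A query for example.com
# (flags 0x0100 = recursion desired) and the matching answer (flags 0x8180 =
# QR set, recursion desired/available) carrying one A record.
QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
         b"\x07example\x03com\x00\x00\x01\x00\x01")
RESPONSE = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
            b"\x07example\x03com\x00\x00\x01\x00\x01"
            b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\x5d\xb8\xd8\x22")

def read_name(data, off):
    """Decode a DNS name; follows a compression pointer (0xC0xx) if present."""
    labels = []
    while True:
        n = data[off]
        if n & 0xC0 == 0xC0:                      # pointer to an earlier name
            ptr = struct.unpack(">H", data[off:off + 2])[0] & 0x3FFF
            return labels + read_name(data, ptr)[0], off + 2
        off += 1
        if n == 0:
            return labels, off
        labels.append(data[off:off + n].decode("ascii"))
        off += n

def summarize(data):
    """Return the header and question fields Wireshark's Info column shows."""
    tid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", data[:12])
    is_response = bool(flags & 0x8000)            # dns.flags.response == 1
    qname, off = read_name(data, 12)
    qtype = struct.unpack(">H", data[off:off + 2])[0]
    off += 4                                      # skip qtype + qclass
    answers = []
    for _ in range(an):
        _, off = read_name(data, off)             # owner name (usually a pointer)
        rtype, _, ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:             # A record: dotted-quad rdata
            answers.append(".".join(str(b) for b in data[off:off + 4]))
        off += rdlen
    return {"id": tid, "response": is_response, "qname": ".".join(qname),
            "qtype": qtype, "rcode": flags & 0xF, "answers": answers}
```

Matching a response to its query in a capture means matching the transaction id, which is why both constructed packets carry 0x1234.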
Lab 5 — Detect a Port Scan in Wireshark
⏱ 15 minutes | Difficulty: Intermediate | ⚠ Localhost only
Objective: Generate a port scan against your own localhost using Nmap, capture it in Wireshark, and identify the SYN packet signature. Keep our Nmap Cheat Sheet open in a second tab — you’ll use several commands from it here.
Steps 1–2 — Capture on Loopback, run the Nmap scan
Start Wireshark on the Loopback (lo) interface. Apply the filter tcp. Open a terminal and run:
Step 3 — Apply the SYN scan filter
Stop the capture. Apply this filter:
tcp.flags.syn==1 and tcp.flags.ack==0
This shows only SYN probes. Notice the Destination port changes with every packet (21, 22, 80, 443, 3306, 8080…) while the source stays the same — this is the unmistakable fingerprint of a port scan. The packet Win=1024 is also characteristic of Nmap’s default SYN scan.
Step 4 — Find open ports with the SYN-ACK filter
Now change the filter to see which ports responded with SYN-ACK (open port confirmation):
Each SYN-ACK = one open port. Compare the destination ports shown here with Nmap’s terminal output — they should match exactly.
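The two Lab 5 filters and the matching rule (each SYN-ACK that answers a probe is one open port) as code. Added example, not from the lab page: the packet rows are constructed to resemble a loopback scan and the column layout is an assumption, but the logic is exactly what you check by eye in steps 3 and 4.

```python
from collections import defaultdict
from typing import NamedTuple

class Pkt(NamedTuple):      # one row of the Wireshark packet list (assumed columns)
    time: float
    src: str
    sport: int
    dst: str
    dport: int
    syn: int                # tcp.flags.syn
    ack: int                # tcp.flags.ack
    win: int                # tcp.window_size_value
# Constructed loopback scan, not a real capture: one scanner port probes six
# target ports; 22 and 80 answer with SYN-ACK, the final row is a plain ACK.
PACKETS = [
    Pkt(0.000, "127.0.0.1", 41234, "127.0.0.1", 21, 1, 0, 1024),
    Pkt(0.001, "127.0.0.1", 41234, "127.0.0.1", 22, 1, 0, 1024),
    Pkt(0.001, "127.0.0.1", 22, "127.0.0.1", 41234, 1, 1, 65495),
    Pkt(0.002, "127.0.0.1", 41234, "127.0.0.1", 80, 1, 0, 1024),
    Pkt(0.002, "127.0.0.1", 80, "127.0.0.1", 41234, 1, 1, 65495),
    Pkt(0.003, "127.0.0.1", 41234, "127.0.0.1", 443, 1, 0, 1024),
    Pkt(0.004, "127.0.0.1", 41234, "127.0.0.1", 3306, 1, 0, 1024),
    Pkt(0.005, "127.0.0.1", 41234, "127.0.0.1", 8080, 1, 0, 1024),
    Pkt(0.006, "127.0.0.1", 41234, "127.0.0.1", 22, 0, 1, 1024),
]

def syn_probes(packets):
    """tcp.flags.syn==1 and tcp.flags.ack==0 (the step 3 filter)."""
    return [p for p in packets if p.syn == 1 and p.ack == 0]

def syn_acks(packets):
    """tcp.flags.syn==1 and tcp.flags.ack==1 (the step 4 filter)."""
    return [p for p in packets if p.syn == 1 and p.ack == 1]

def scan_sources(packets, min_ports=5):
    """Scan signature: one source hitting many distinct destination ports."""
    ports = defaultdict(set)
    for p in syn_probes(packets):
        ports[(p.src, p.sport)].add(p.dport)
    return {k: sorted(v) for k, v in ports.items() if len(v) >= min_ports}

def open_ports(packets):
    """Each SYN-ACK that answers a probe confirms one open port."""
    probed = {(p.dst, p.dport, p.src, p.sport) for p in syn_probes(packets)}
    return sorted({p.sport for p in syn_acks(packets)
                   if (p.src, p.sport, p.dst, p.dport) in probed})

def nmap_default_window(packets):
    """Nmap's default SYN scan sets Win=1024 on every probe, as the lab notes."""
    return all(p.win == 1024 for p in syn_probes(packets))
```

The open_ports result is the list you compare against Nmap's terminal output; on a real capture, feed it rows exported with File → Export Packet Dissections → CSV.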
Lab 6 — Export a File from a Packet Capture
⏱ 10 minutes | Difficulty: Intermediate
Objective: Extract a file transmitted over HTTP directly from a .pcap using Wireshark’s Export Objects feature — the same technique used in forensic investigations.
Steps 1–2 — Download a practice pcap and open it
Download http.cap from wiki.wireshark.org/SampleCaptures. Open via File → Open. Apply the http filter to confirm it contains HTTP traffic.
Step 3 — Go to File → Export Objects → HTTP
Lab 7 — Analyze a Real Malware pcap
⏱ 20 minutes | Difficulty: Intermediate–Advanced
Objective: Identify infected host, C2 server, beaconing behavior, and suspicious DNS. Before starting, read What Is Malware and how it infects computers — understanding malware behavior makes these traffic patterns immediately recognizable.
infected. The file contains recorded traffic only — no executable code.
Step 2 — Check Protocol Hierarchy (Statistics menu)
Open the pcap. Go to Statistics → Protocol Hierarchy. This reveals the full breakdown of every protocol in the capture instantly:
Steps 3–6 — Find infected host, C2 DNS, and beaconing
Find infected host: Statistics → Endpoints → IPv4 → sort by Bytes. The internal IP (192.168.x.x) with most outbound traffic = infected host.
Find C2 via DNS filter: Apply dns and ip.src == [infected IP]. Look for random domain names (e.g. xkf93nd.top) — DGA malware domains.
Detect beaconing: Apply ip.src == [infected IP] and tcp. Look at the Time column for outbound connections to the same external IP repeating at fixed intervals (e.g. every 60 seconds) — that is your C2 beacon.
Follow the C2 stream: Right-click a beacon packet → Follow → TCP Stream. If the C2 traffic is unencrypted you may read commands or exfiltrated data in the stream window (same red/blue format as Lab 3).
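Steps 3 to 6 above are done by eye in the Time and Info columns; the beacon test and the "random domain name" check can also be written down precisely. Added example, not from the lab page: constructed (time, src, dst) rows stand in for the packet list after ip.src == [infected IP] and tcp, the infected IP is a placeholder, and the DGA check is a crude vowel-ratio heuristic, not the page's method.

```python
from collections import defaultdict
from statistics import mean, pstdev

INFECTED = "192.168.1.50"   # placeholder for the infected IP you found in step 3

# Constructed rows (time, src, dst), not from a real pcap: one destination is
# contacted every ~60 s, one at browsing-like irregular times, one only 3 times.
ROWS = ([(t, INFECTED, "203.0.113.7") for t in (0.0, 60.4, 119.8, 180.1, 240.6, 299.9)]
        + [(t, INFECTED, "198.51.100.9") for t in (3.2, 5.1, 41.0, 42.3, 130.7, 131.2)]
        + [(t, INFECTED, "192.0.2.20") for t in (10.0, 70.0, 130.0)])

def beacon_candidates(rows, min_conns=5, max_jitter=0.15):
    """Group outbound connections by (src, dst) and report the pairs whose
    inter-connection gaps are nearly constant; value is the period in seconds."""
    times = defaultdict(list)
    for t, src, dst in rows:
        times[(src, dst)].append(t)
    found = {}
    for pair, ts in times.items():
        if len(ts) < min_conns:
            continue                      # too few samples to call it periodic
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        period = mean(gaps)
        jitter = pstdev(gaps) / period if period else float("inf")
        if jitter <= max_jitter:
            found[pair] = round(period, 1)
    return found

VOWELS = set("aeiou")

def looks_random(domain, min_len=6, max_vowel_ratio=0.2):
    """Crude DGA heuristic for step 4: a long left-most label with almost no vowels."""
    label = domain.lower().split(".")[0]
    if len(label) < min_len:
        return False
    return sum(c in VOWELS for c in label) / len(label) <= max_vowel_ratio
```

Real beacons add deliberate jitter, so raise max_jitter before concluding a host is clean; the heuristic only ranks candidates for the manual Follow → TCP Stream check in step 6.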
Lab-Ready Filter Reference Card
http # HTTP only (Labs 2, 3, 6)
dns # DNS queries & responses (Lab 4)
tcp # All TCP (Labs 3, 5)
# ── LAB 2 — Credential Capture ──────────────────
http.request.method == "POST" # Form submissions only
# ── LAB 4 — DNS Analysis ────────────────────────
dns and dns.flags.response == 0 # Outbound queries only
dns and dns.flags.response == 1 # Inbound responses only
# ── LAB 5 — Port Scan Detection ─────────────────
tcp.flags.syn==1 and tcp.flags.ack==0 # SYN scan probes
tcp.flags.syn==1 and tcp.flags.ack==1 # Open port SYN-ACK responses
# ── LAB 7 — Malware Analysis ────────────────────
ip.src == X.X.X.X # Isolate infected host
dns and ip.src == X.X.X.X # DNS from infected host
ip.src == X.X.X.X and tcp # TCP from infected host (beaconing)
# ── NOISE REDUCTION (all labs) ──────────────────
not arp and not dns # Hide broadcast noise
Common Lab Mistakes — And How to Fix Them
Modern browsers auto-redirect to HTTPS. Use curl instead: curl -d "uname=test&pass=test" http://testphp.vulnweb.com/userinfo.php while capturing.
On Windows, reinstall Npcap with “Support loopback traffic” checked. On Linux/macOS, the loopback lo interface appears by default.
Export Objects only works with HTTP (not HTTPS). Apply filter http first to confirm the pcap contains HTTP traffic.
Statistics → Conversations → IPv4 → sort by Bytes B→A. The internal RFC 1918 IP (192.168.x.x / 10.x.x.x) receiving the most inbound data from external IPs = infected machine.
You Just Did What Most People Only Read About
Seven labs. Live credentials captured. TCP sessions reconstructed. A port scan detected. Malware traffic analyzed. These are the exact workflows used by security engineers and ethical hackers in real jobs every day.
Save your pcap files. Repeat any lab that felt unclear. The next level is waiting.
Lab 1 ✓ Saved lab1_capture.pcap, identified 3+ protocols
Lab 2 ✓ Captured HTTP POST credentials in plain text
Lab 3 ✓ Reconstructed full conversation via Follow TCP Stream
Lab 4 ✓ Analyzed DNS queries and identified beaconing patterns
Lab 5 ✓ Detected SYN scan, matched open ports to Nmap output
Lab 6 ✓ Extracted a file from pcap using Export Objects
Lab 7 ✓ Identified infected host, C2 DNS, and beacon pattern