NETWORK ALERT 2026: Every packet you send can be intercepted and read in plain text. Wireshark shows you exactly how — and how to stop it. Lets learn it in this Wireshark Tutorial from very scratch.

Here’s something that will make you uncomfortable.

Right now, on the same WiFi network as you — in a coffee shop, office, hotel, or airport — someone could be running a free tool called Wireshark and watching every unencrypted packet of data leaving your device. Your usernames. Your session cookies. Your browsing activity. All of it — captured in real time.

Wireshark is not a hacker tool. It’s a legitimate, free, open-source network packet analyzer used by security professionals, ethical hackers, and network engineers worldwide. But understanding it is the difference between knowing what’s happening on your network — and being completely blind to threats.

This is the complete Wireshark tutorial for 2026. No fluff. No textbook jargon. Whether you’ve never heard of it or you’ve opened it once and closed it because it looked terrifying — by the end of this guide, you’ll know exactly how to use it and what to look for.

4B+
Wireshark downloads globally — the world’s most used packet analyzer
FREE
100% free and open-source — used by Fortune 500 security teams daily
2000+
Network protocols Wireshark can decode and analyze
93%
Of network breaches could be detected early using packet analysis

What Is Wireshark?

Imagine every piece of information traveling across a network is like a letter being passed from person to person. Now imagine you have a magic glass that lets you intercept, open, and read every single one of those letters — without disturbing them or alerting anyone.

That magic glass is Wireshark.

Wireshark is a free, open-source network packet analyzer. It captures all the data packets traveling through your network interface in real time and lets you inspect them in extraordinary detail. You can see exactly what websites are being visited, what data is being sent, what protocols are in use, and whether anything suspicious is happening.

Security professionals use it to troubleshoot network problems, investigate breaches, and analyze suspicious traffic. Packet analysis is one of the most in-demand skills in cybersecurity today — and Wireshark is the tool that makes it accessible to everyone.

📌 Important: Using Wireshark on a network you own or have explicit written permission to test is completely legal and ethical. Capturing traffic on a network without authorization is illegal in most countries. This tutorial is for defensive security and educational purposes only.

How to Download and Install Wireshark (Step by Step)

Installing Wireshark takes about 3 minutes. Here’s exactly how to do it on any operating system.

1
Go to the official website

Visit wireshark.org/download.html — always download from the official source only. Third-party sites may bundle malware. This is non-negotiable.

2
Choose your operating system

Windows: Download the 64-bit installer (.exe). Run it and install WinPcap or Npcap when prompted — required for packet capture.
macOS: Download the .dmg file. Drag to Applications. Allow it in System Preferences > Security if prompted.
Linux / Kali Linux: Run sudo apt install wireshark in terminal. Select Yes when asked if non-superusers should capture packets.

3
Launch and verify

Open Wireshark. You should see a list of network interfaces (WiFi, Ethernet, Loopback) with live wave graphs on the home screen. If you see them — installation is successful and you’re ready to capture.

⚡ Kali Linux users: Wireshark comes pre-installed on Kali. Browse the full list of Kali Linux tools to see everything available in your security arsenal right out of the box.

Understanding the Wireshark Interface

Most beginners open Wireshark, see a wall of colorful data scrolling past at terrifying speed, and immediately close it. Don’t be that person. The interface is simple once you know what each part does.

① Packet List Pane (Top)

Every row is one captured packet. Columns show: time, source IP, destination IP, protocol, length, and a brief info summary. This is your live feed of network activity.

② Packet Details Pane (Middle)

Click any packet and this pane expands its full contents — every protocol layer from Ethernet at the bottom to HTTP at the top. This is where real analysis happens.

③ Packet Bytes Pane (Bottom)

The raw hexadecimal and ASCII representation of the selected packet. Advanced analysts read credentials, form data, and file contents directly from this pane.

④ Display Filter Bar (Top)

The most powerful feature in Wireshark. Type filter expressions here to show only the traffic you care about. The bar turns green when your filter is valid. This separates beginners from experts.

What the colors mean

  • Green — TCP traffic (normal web browsing, most general internet communication)
  • Light Blue — UDP traffic (DNS queries, video streaming, VoIP calls)
  • Dark Blue — DNS traffic specifically
  • Yellow / Light — Windows network traffic (SMB, NetBIOS)
  • Red / Dark — TCP errors, bad checksums, connection resets — always investigate these
  • Gray — TCP retransmissions, duplicate ACKs — signs of network instability or interference

Your First Packet Capture — Step by Step

Let’s do a live capture right now. You’ll see your own traffic in real time — and it will surprise you what’s visible to anyone else on the same network.

1
Select your network interface

On the Wireshark home screen, look for the interface with a moving wave graph — that’s the active one. Usually it’s Wi-Fi or eth0. Double-click it to start capturing immediately.

2
Watch the packets flood in

Packets appear immediately — even with no active browsing. Background apps, system updates, DNS lookups, and keepalive connections constantly generate traffic. This is completely normal.

3
Generate traffic to capture

Open a browser and visit http://example.com (HTTP, not HTTPS — we want unencrypted traffic for this exercise). Return to Wireshark and you’ll see the HTTP request packets appear in real time.

4
Stop the capture

Click the red stop button (or press Ctrl+E). You now have a static capture to analyze at your own pace. Save it as a .pcap file — a standard format used across forensics, incident response, and CTF competitions.

5
Filter for HTTP traffic

In the display filter bar, type http and press Enter. Click a packet and expand the HTTP layer in the middle pane — request headers, URL, and browser type all appear in plain text. This is exactly what an attacker on the same unprotected network would see.

“That unencrypted HTTP request you just captured? On a public WiFi network, every device on that segment can see the exact same thing. That’s why HTTPS and network security aren’t optional anymore.”

Wireshark Display Filters — The Complete Cheat Sheet

Filters are what make Wireshark usable. Without them, you’re drowning in thousands of packets. With them, you can zero in on exactly what matters in seconds. Master these and you’ll be ahead of 90% of Wireshark users.

Filter by protocol

http           # Show only HTTP traffic
https          # Show only HTTPS / TLS traffic
dns            # Show only DNS queries and responses
tcp            # Show all TCP packets
udp            # Show all UDP packets
icmp           # Show ping packets (ICMP)
arp            # Show ARP requests — detect ARP spoofing attacks
ftp            # Show FTP traffic (credentials often in plain text!)
ssh            # Show SSH encrypted sessions

Filter by IP address

ip.addr == 192.168.1.1       # All traffic to or from this IP
ip.src == 192.168.1.1        # Traffic FROM this IP only
ip.dst == 192.168.1.1        # Traffic TO this IP only
ip.addr != 192.168.1.1      # Exclude this IP — show everything else

Filter by port

tcp.port == 80      # HTTP port
tcp.port == 443     # HTTPS port
tcp.port == 22      # SSH port
tcp.port == 21      # FTP port
udp.port == 53      # DNS port

Power combos (AND / OR / NOT)

http and ip.src == 192.168.1.5                    # HTTP from one specific device
tcp.port == 80 or tcp.port == 443                # All web traffic
not arp and not dns                                 # Hide noisy background traffic
http.request.method == “POST”                     # Form submissions — credential exposure risk
tcp.flags.syn == 1 and tcp.flags.ack == 0      # SYN-only — detect active port scans

Real Hacker Scenarios — What Attackers Actually Look For

This is what an attacker sees when they run Wireshark on an unprotected network. Understanding this is the foundation of defense.

⚠ Real Scenario #1 — Capturing Credentials on HTTP

An attacker connects to public WiFi at a conference. They filter for http.request.method == "POST". Within minutes, a login form submission appears — username and password in plain text from another user’s HTTP admin panel. Total time: under 3 minutes.

Defense: Never use HTTP for anything sensitive. Always verify a site uses HTTPS before entering credentials.

⚠ Real Scenario #2 — Session Cookie Hijacking

The attacker doesn’t need your password at all. They capture session cookie values from HTTP request headers, paste that cookie into their own browser using developer tools, and they’re now logged into your session. The server sees them as you — no password required.

Defense: Use HTTPS-only sites, enable HSTS, and avoid public WiFi for sensitive sessions entirely.

⚠ Real Scenario #3 — DNS Poisoning Detection

A security engineer notices DNS responses arriving from an unexpected IP. She filters dns and compares response IPs against known-good values. She spots responses pointing to a rogue server. A DNS poisoning attack caught before any users were redirected. Wireshark made it visible in seconds.

This attack type is closely related to man-in-the-middle attacks — understanding how MITM works will make your Wireshark analysis far more effective.

Advanced Wireshark Features You Must Know

Follow TCP Stream

One of the most powerful features available. Right-click any TCP packet → Follow → TCP Stream. This reconstructs the entire conversation between two hosts as readable text — the full back-and-forth of a session. Essential for investigating suspicious connections and malware command-and-control traffic.

Statistics → Endpoints

Go to Statistics → Endpoints. This shows every unique IP address in your capture — how many packets, how many bytes. Sort by bytes to instantly spot data exfiltration or abnormal bandwidth usage. This is a core technique in network forensics and incident response.

Statistics → Conversations

Shows all two-way IP conversations in the capture. Useful for mapping network relationships and spotting unexpected communications — like an internal device talking to an external IP it has no reason to contact.

Export Objects

Go to File → Export Objects → HTTP. Wireshark shows every file transferred over HTTP during the capture — images, HTML, JavaScript, documents. This is how forensic analysts recover files transferred during a security incident.

Capture Filters vs Display Filters

Capture filters (BPF syntax, set before starting) limit what Wireshark records — e.g. port 80. Display filters (Wireshark syntax, applied post-capture) filter the view without discarding data — e.g. tcp.port == 80. Mixing up these two syntaxes is the most common mistake in every certification lab and interview.

Pro Tips From 20+ Years of Network Analysis

★ PRO TIP

Always capture to file, not memory. Go to Capture > Options and set a save path before starting. Long captures will crash Wireshark if stored in RAM only. Always capture directly to a .pcap file during live tests and lab exercises.

★ PRO TIP

Use ring buffer captures for long sessions. In Capture > Options, enable “Use a ring buffer.” Wireshark automatically rotates through files, keeping disk usage controlled during multi-hour monitoring sessions.

★ PRO TIP

Learn tshark for headless analysis. Tshark is Wireshark’s command-line version — same engine, no GUI. It runs on servers, works over SSH, and is essential for automated analysis pipelines. Once you know Wireshark filters, tshark becomes immediately usable.

★ PRO TIP

Practice on real pcap files first. The Wireshark Sample Captures wiki hosts real-world .pcap files — malware traffic, VoIP calls, network attacks. Analyzing these builds faster instincts than any course.

★ PRO TIP

Color rules are fully customizable. Go to View > Coloring Rules to flag specific traffic patterns — like connections to known-bad IP ranges or unusual protocol combinations — in any color you choose. Professional analysts build custom rule sets tailored to their environment.

Common Beginner Mistakes That Waste Hours

Capturing on the wrong interface

If you’re on WiFi but capture on Ethernet, you’ll see almost nothing. Always verify which interface shows the live wave graph before starting a capture.

Analyzing without any filters applied

Scrolling raw packets is hopeless. Even a simple http or ip.addr == X.X.X.X filter cuts noise by 95%. Apply a filter before you do anything else.

Expecting to see all traffic on a switched network

On a switched network, Wireshark only captures your own machine’s traffic plus broadcasts. Capturing all segment traffic requires promiscuous mode and a mirrored switch port — this surprises almost every beginner.

Mixing up BPF capture filters with Wireshark display filters

port 80 is valid BPF syntax (capture filter). tcp.port == 80 is the correct Wireshark display filter equivalent. These are completely different syntaxes — confusing them is the single most common beginner error in labs and cert exams.

Capturing on networks you don’t own

Unauthorized packet capture is a criminal offense in most jurisdictions. Always practice on your own network, or in legal lab environments like TryHackMe and HackTheBox — both have dedicated network analysis rooms.

Frequently Asked Questions About Wireshark

❓ Is Wireshark legal to use?
Yes — on networks you own or have explicit written permission to test. It is the industry standard tool used by network engineers and security professionals worldwide. Capturing on unauthorized networks is illegal in most countries. Always get written permission before any testing engagement.
❓ Can Wireshark capture HTTPS traffic?
Wireshark captures HTTPS packets but the content appears encrypted — you’ll see TLS/SSL headers, not the actual payload. To decrypt HTTPS in a controlled lab, load your browser’s SSL session key log file into Wireshark. In real-world monitoring, properly implemented HTTPS content remains protected.
❓ What is a .pcap file and how do I open one?
A .pcap file is a saved recording of network traffic. Open it via File → Open in Wireshark and analyze it exactly like a live capture. Pcap files are used extensively in CTF competitions, forensic investigations, and malware analysis. The Wireshark Sample Captures page hosts a large public library for practice.
❓ What’s the difference between Wireshark and tcpdump?
Tcpdump is command-line only — faster, ideal for remote servers and automated scripts. Wireshark has a full GUI that makes analysis visual and accessible. Many professionals use tcpdump to capture on a remote server, save the .pcap file, then analyze it locally in Wireshark. Both tools appear in CEH, CompTIA, and OSCP exam objectives.
❓ Can Wireshark detect hackers on my network?
Yes — with the right filters. Common attacker signatures include: excessive ARP traffic (ARP spoofing), SYN floods without completions (port scanning), DNS queries to unusual domains (malware C2 communication), and large outbound data transfers to unknown IPs (exfiltration). Wireshark won’t alert you automatically — you need to know the patterns to look for.
❓ How do I use Wireshark on a WiFi network?
Select your WiFi interface on the home screen and start capturing — you’ll see your own traffic plus broadcasts by default. To capture all WiFi segment traffic (for authorized testing), you need a WiFi adapter that supports Monitor Mode. This is an advanced technique covered in wireless security training.
❓ Is Wireshark good for CEH and OSCP exam prep?
Absolutely. Wireshark is a core tool tested in CEH, CompTIA Security+, CompTIA Network+, and OSCP. Packet capture analysis appears in practical lab components across all of these certifications. Hands-on practice with real captures gives you a major edge over candidates who only studied theory.

Your Network Has No Secrets From Wireshark

Wireshark is one of the most powerful tools in cybersecurity. Every professional in the field knows it. Now you do too — the interface, the filters, the real-world attack scenarios it exposes, and exactly how to use it to defend your network.

Do one thing before you close this page: open Wireshark and do your first live capture. That 10 minutes of hands-on experience will teach you more than any course.

Download at wireshark.org and start capturing. Every expert was a beginner who just started.

✔ Wireshark Tutorial Quick-Start Checklist

1. Download from wireshark.org (official site only)

2. Select the correct network interface (look for the live wave graph)

3. Start a capture and browse to http://example.com to generate traffic

4. Apply the http display filter and observe what’s visible in plain text

5. Right-click a packet → Follow → TCP Stream to read a full session conversation

6. Check Statistics → Endpoints to see every communicating device

7. Practice on real captures at wiki.wireshark.org/SampleCaptures

RELATED ARTICLESMORE FROM AUTHOR

LEAVE A REPLY

Please enter your comment!
Please enter your name here