How to Use Wireshark: A Complete Tutorial

Capture and view the data traveling on your network

Wireshark is a free application you use to capture and view the data traveling back and forth on your network. It provides the ability to drill down and read the contents of each packet and is filtered to meet your specific needs. It is commonly used to troubleshoot network problems and to develop and test software. This open-source protocol analyzer is widely accepted as the industry standard, winning its fair share of awards over the years.

Originally known as Ethereal, Wireshark has a user-friendly interface that can display data from hundreds of different protocols on all major network types. Data packets can be viewed in real time or analyzed offline. Wireshark supports dozens of capture/trace file formats supported including CAP and ERF. Integrated decryption tools allow you to view encrypted packets for several popular protocols including WEP and WPA/WPA2.

01
of 07

Downloading and Installing Wireshark

Wireshark download web page

Wireshark can be downloaded at no cost from the Wireshark Foundation website for both macOS and Windows operating systems. Unless you are an advanced user, it is recommended that you only download the latest stable release. During the Windows setup process, you should choose to install WinPcap if prompted, as it includes a library required for live data capture.

The application is also available for Linux and most other UNIX-like platforms including Red Hat, Solaris, and FreeBSD. The binaries required for these operating systems can be found toward the bottom of the download page in the Third-Party Packages section. You can also download Wireshark's source code from this page.

02
of 07

How to Capture Data Packets

Wireshark welcome screen on Windows

When you first launch Wireshark, a welcome screen appears containing a list of available network connections on your current device. In this example, you'll notice that the following connection types are shown: Bluetooth Network Connection, Ethernet, VirtualBox Host-Only Network, and Wi-Fi. Displayed to the right of each is an EKG-style line graph that represents live traffic on that respective network.

To begin capturing packets, select one or more of the networks by clicking on your choice and using the Shift or Ctrl keys if you want to record data from multiple networks simultaneously. After a connection type is selected for capturing purposes, its background is shaded in either blue or gray. Click on Capture in the main menu located toward the top of the Wireshark interface. When the drop-down menu appears, select the Start option.

You can also initiate packet capturing via one of the following shortcuts.

  • Keyboard: Press ​Ctrl + E.
  • Mouse: To begin capturing packets from one particular network, double-click on its name.
  • Toolbar: Click on the blue shark fin button located on the far left side of the Wireshark toolbar.

The live capture process begins, and Wireshark displays the packet details as they are recorded. To Stop capturing:

  • Keyboard: Press Ctrl + E
  • Toolbar: Click on the red Stop button located next to the shark fin on the Wireshark toolbar.
03
of 07

Viewing and Analyzing Packet Contents

Wireshark captured data on Windows

After you record some network data, it's time to take a look at the captured packets. The captured data interface contains three main sections: the packet list pane, the packet details pane, and the packet bytes pane.

Packet List

The packet list pane, located at the top of the window, shows all packets found in the active capture file. Each packet has its own row and corresponding number assigned to it, along with each of these data points.

  • Time: The timestamp of when the packet was captured is displayed in this column. The default format is the number of seconds or partial seconds since this specific capture file was first created. To modify this format to something that may be a bit more useful, such as the actual time of day, select the Time Display Format option from Wireshark's View menu located at the top of the main interface.
  • Source: This column contains the address (IP or other) where the packet originated.
  • Destination: This column contains the address that the packet is being sent to.
  • Protocol: The packet's protocol name, such as TCP, can be found in this column.
  • Length: The packet length, in bytes, is displayed in this column.
  • Info: Additional details about the packet are presented here. The contents of this column can vary greatly depending on packet contents.

When a packet is selected in the top pane, you may notice one or more symbols appear in the first column. Open or closed brackets and a straight horizontal line indicate whether a packet or group of packets are all part of the same back-and-forth conversation on the network. A broken horizontal line signifies that a packet is not part of said conversation.

Packet Details

The details pane, found in the middle, presents the protocols and protocol fields of the selected packet in a collapsible format. In addition to expanding each selection, you can apply individual Wireshark filters based on specific details and follow streams of data based on protocol type via the details context menu, which is accessible by right-clicking your mouse on the desired item in this pane.

Packet Bytes

At the bottom is the packet bytes pane, which displays the raw data of the selected packet in a hexadecimal view. This hex dump contains 16 hexadecimal bytes and 16 ASCII bytes alongside the data offset.

Selecting a specific portion of this data automatically highlights its corresponding section in the packet details pane and vice versa. Any bytes that cannot be printed are instead represented by a period.

You can choose to show this data in bit format as opposed to hexadecimal by right-clicking anywhere within the pane and selecting the appropriate option from the context menu.

04
of 07

Using Wireshark Filters

Wireshark filters opened in front of main Wireshark window

One of the most important feature sets in Wireshark is its filter capability, especially when you're dealing with files that are significant in size. Capture filters can be set before the fact, instructing Wireshark to only record those packets that meet your specified criteria.

Filters can also be applied to a capture file that has already been created so that only certain packets are shown. These are referred to as display filters.

Wireshark provides a large number of predefined filters by default, letting you narrow down the number of visible packets with just a few keystrokes or mouse clicks. To use one of these existing filters, place its name in the Apply a display filter entry field located directly below the Wireshark toolbar or in the Enter a capture filter entry field located in the center of the welcome screen.

There are multiple ways to achieve this. If you already know the name of your filter, type it into the appropriate field. For example, if you only want to display TCP packets, you type tcp. Wireshark's autocompleting feature shows suggested names as you begin typing, making it easier to find the correct moniker for the filter you're seeking.

Another way to choose a filter is to click on the bookmark-like icon positioned on the left side of the entry field. This presents a menu containing some of the most commonly used filters as well as an option to Manage Capture Filters or Manage Display Filters. If you choose to manage either type, an interface appears allowing you to add, remove, or edit filters.

You can also access previously used filters by selecting the down arrow on the right side of the entry field to display a history drop-down list.

Once set, capture filters are applied as soon as you begin recording network traffic. To apply a display filter, you click on the right arrow button found on the far right side of the entry field.

05
of 07

Color Rules

Wireshark coloring rules dialog opened in front of main Wireshark window

While Wireshark's capture and display filters allow you to limit which packets are recorded or shown on the screen, its colorization functionality takes things a step further by making it easy to distinguish between different packet types based on their individual hue. This handy feature lets you quickly locate certain packets within a saved set by their row color in the packet list pane.

Wireshark comes with about 20 default coloring rules built in, each of which can be edited, disabled, or deleted if you wish. You can also add new shade-based filters through the coloring-rules interface, accessible from the View menu. In addition to defining a name and filter criteria for each rule, you are also asked to associate both a background color and a text color.

Packet colorization can be toggled off and on via the Colorize Packet List option, also found in the View menu.

06
of 07

Statistics

Statistics menu on macOS version of Wireshark

In addition to the detailed information about your network's data shown in Wireshark's main window, several other useful metrics are available via the Statistics drop-down menu found toward the top of the screen. These include size and timing information about the capture file itself, along with dozens of charts and graphs ranging in topic from packet conversation breakdowns to load distribution of HTTP requests.

Display filters can be applied to many of these statistics via their interfaces, and the results can be exported to several common file formats including CSV, XML, and TXT.

07
of 07

Advanced Features

Lua windows open on macOS version of Wireshark

In addition to Wireshark's main functionality, there is also a collection of additional features available in this powerful tool typically reserved for advanced users. This includes the ability to write your own protocol dissectors in the Lua programming language.