If Nmap tells you what ports are open and Burp Suite lets you attack web applications, Wireshark shows you everything happening on the network in real time — every packet, every protocol, every credential sent in cleartext, every sign of an ongoing attack. It is the most powerful free network analysis tool ever built, and it is indispensable for penetration testers, SOC analysts, forensic investigators, and network engineers alike.
This tutorial starts from zero — downloading and installing Wireshark — and takes you through capturing your first packets, mastering display filters (the skill that turns Wireshark from overwhelming to surgical), analysing every major protocol, finding credentials in captures, and detecting real attack patterns in network traffic. A complete filter cheatsheet is at the end.
- What is Wireshark and what can it do?
- Installing Wireshark
- The Wireshark interface — understanding every panel
- Capturing your first packets
- Display filters — the most important Wireshark skill
- Analysing common protocols — HTTP, DNS, TCP, FTP
- Finding credentials in cleartext traffic
- Following TCP streams — reading full conversations
- Detecting attacks in packet captures
- TShark — command-line Wireshark for automation
- Complete Wireshark filter cheatsheet
- Practice PCAP files — where to download real captures
- Frequently asked questions
Wireshark is a free, open-source packet analyser that captures all network traffic passing through a network interface and lets you inspect every packet in deep detail. It decodes over 3,000 protocols — from basic TCP/IP to HTTP, DNS, TLS, SMB, FTP, and hundreds more — displaying the data in a readable, colour-coded interface.
Every time any device on a monitored network sends or receives data, Wireshark captures the raw bytes, decodes which protocol they belong to, and displays the fields — source IP, destination IP, port numbers, payload content, sequence numbers, timing — in a structured tree you can expand and explore.
- SOC analysts — investigate security alerts by examining the actual network traffic that triggered them; find lateral movement, C2 beaconing, data exfiltration, and anomalous traffic patterns
- Penetration testers — capture credentials from unencrypted protocols (FTP, Telnet, HTTP Basic Auth, SNMP), identify network topology, analyse post-exploitation traffic
- Incident responders — analyse PCAP files from IDS/IPS systems to reconstruct attack timelines and identify compromised hosts
- CTF players — PCAP analysis challenges are one of the most common categories in CTF competitions; Wireshark is always the primary tool
- Network engineers — troubleshoot connectivity issues, diagnose slow applications, verify firewall rules, analyse VoIP quality
- Security students — learn exactly how protocols work by watching them in action at the packet level — more educational than any textbook
Wireshark is pre-installed on Kali Linux. On other systems:
Before you can use Wireshark effectively you need to understand what each part of the interface shows you. Wireshark has three main panels plus a toolbar and filter bar.
- ① Packet List (top) — one row per captured packet, colour-coded by protocol. Shows number, timestamp, source/destination IPs, protocol, length, and a summary. Click any row to select it and see its details below. Colour coding: green = HTTP, blue/grey = TCP, light blue = DNS, yellow = ARP, dark red = errors.
- ② Packet Details (middle) — the selected packet decoded into a tree of protocol layers. Click the arrow next to each layer to expand it and see every field. This is where you find specific header values, flags, payload content, and protocol fields that filters target.
- ③ Packet Bytes (bottom) — the raw bytes of the selected packet in hexadecimal on the left and ASCII on the right. When you click a field in the Packet Details tree, Wireshark highlights the corresponding bytes here. Useful for CTF challenges where you need to extract raw data.
When Wireshark opens you see the welcome screen listing all available network interfaces with a live activity graph for each one. Select the interface that has traffic flowing — usually:
- eth0 or ens33 — wired Ethernet on Linux
- wlan0 or wlp2s0 — Wi-Fi on Linux
- Ethernet — wired on Windows
- Wi-Fi — wireless on Windows
- en0 — primary interface on macOS
Double-click the interface to start capturing immediately, or single-click and press the blue shark-fin button.
Once capturing starts, packets stream into the Packet List in real time. The counter in the status bar shows packets captured. Open a browser and visit any website — you'll see DNS queries, TCP handshakes, and HTTP requests appear immediately.
Click the red Stop button (■) in the toolbar, or press Ctrl + E. The capture freezes and you can analyse what was collected.
The distinction between capture filters and display filters is one of the most important in Wireshark, and beginners confuse the two constantly:
- Capture filters — set before you start capturing. Only matching packets are recorded. Uses BPF (Berkeley Packet Filter) syntax. Example: port 80. Less flexible but reduces storage.
- Display filters — applied after capture to show/hide packets from an existing capture. Uses Wireshark's own filter syntax. Example: http. Far more powerful and the ones you will use 95% of the time.
A raw packet capture of any busy network produces thousands of packets in minutes. Without filters, Wireshark is a flood of data. Display filters are how you cut through the noise and find exactly what you are looking for. Mastering filters is the single skill that most improves your Wireshark effectiveness.
Each protocol reveals different information. Here is what to look for in the protocols you will encounter most frequently in security work.
HTTP traffic is unencrypted and reveals exactly what a user is browsing, what credentials they submit, and what data the server returns. In security testing this is critical for finding credentials, session tokens, and sensitive data.
Wireshark can reconstruct and export files transferred over HTTP — images, documents, executables. Go to File → Export Objects → HTTP and you will see every file that was transferred. This is used in CTF challenges and incident response to recover malware samples, stolen documents, and uploaded files.
DNS traffic reveals which domains a host is querying — effectively a log of every website visited and every service contacted. It is also one of the most abused protocols for data exfiltration and C2 communication (DNS tunnelling).
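One way to hunt for the DNS-tunnelling pattern just mentioned, as an added example that is not from the original tutorial: it takes a list of dns.qry.name values (the column you would export from Wireshark or TShark) and flags parent domains that receive many long, high-entropy subdomain labels. The query list is constructed, and the threshold names and the "last two labels" approximation of the parent domain are my assumptions.

```python
import math
from collections import defaultdict

def label_entropy(label):
    """Shannon entropy in bits per character of one DNS label; encoded data scores high."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())

def dns_tunnel_suspects(query_names, min_subdomains=8, min_entropy=3.5, min_label_len=20):
    """Group queries by parent domain (approximated as the last two labels; this ignores
    suffixes like co.uk) and flag parents that receive many unique, long, high-entropy
    leftmost labels: the shape of data being smuggled out inside DNS queries."""
    by_parent = defaultdict(set)
    for name in query_names:
        labels = name.rstrip(".").lower().split(".")
        if len(labels) < 3:
            continue                          # bare domain, nothing encoded in a subdomain
        by_parent[".".join(labels[-2:])].add(labels[0])
    suspects = {}
    for parent, subs in by_parent.items():
        long_subs = [s for s in subs if len(s) >= min_label_len]
        if len(long_subs) < min_subdomains:
            continue
        avg_entropy = sum(label_entropy(s) for s in long_subs) / len(long_subs)
        if avg_entropy >= min_entropy:
            suspects[parent] = {"unique_subdomains": len(subs),
                                "avg_entropy": round(avg_entropy, 2)}
    return suspects

# Constructed sample of dns.qry.name values: ordinary browsing, plus 12 queries whose
# leftmost label is a 32-character base32-style chunk under one parent domain.
_B32 = "abcdefghijklmnopqrstuvwxyz234567"
SAMPLE_QUERIES = ["www.example.com", "mail.example.com", "cdn.example.net", "example.org",
                  "www.example.com"] + [f"{_B32[i:] + _B32[:i]}.tunnel-example.test"
                                        for i in range(12)]
```

In a real capture, run this over the output of tshark -r file.pcap -T fields -e dns.qry.name and tune the thresholds against the CDN and anti-virus lookup traffic your own network produces.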
Understanding TCP flags in Wireshark is essential for recognising normal connections, detecting port scans, identifying failed connections, and spotting attacks like SYN floods.
FTP sends usernames, passwords, and file contents in completely unencrypted plaintext. Any attacker on the same network segment can capture FTP credentials trivially. This is why FTP is banned in most security policies and why demonstrating this in a pentest always gets attention.
One of the most impactful findings in any internal network penetration test is capturing credentials from unencrypted protocols. These filters and techniques are what professional pentesters use to find them quickly.
Individual packets are fragments of conversations. "Follow TCP Stream" reconstructs the full back-and-forth exchange between two hosts into a readable format — you see exactly what was sent and received, in order, as text.
- Find any packet from the conversation you want to read (e.g., an HTTP request)
- Right-click the packet → Follow → TCP Stream
- A new window opens showing the full conversation — client data in red, server data in blue
- Use the Stream dropdown at the bottom to switch between different conversations
- Follow → UDP Stream — for DNS, SNMP, DHCP conversations
- Follow → HTTP Stream — specifically for HTTP, shows the stream in a more readable format with request/response separation
- Follow → TLS Stream — for encrypted traffic (shows only the encrypted bytes; to decrypt you need the session keys, or the server's private key for cipher suites without forward secrecy)
Wireshark is a primary tool for identifying attack traffic — whether you are analysing a PCAP from an IDS alert, investigating a suspected breach, or doing a CTF challenge. Here are the key signatures of the most common attacks.
An Nmap SYN scan sends SYN packets to many ports in rapid succession. In Wireshark this appears as one source IP sending SYN packets to the same destination IP on sequential or semi-random ports, with RST responses coming back for closed ports.
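The credential hunt from the cleartext-traffic section and the SYN-scan signature just described, done programmatically: an added example, not code from the original tutorial, that reads a classic little-endian Ethernet pcap file with only Python's standard library. The capture it analyses is constructed inline, and the function and threshold names are my own.

```python
import struct
from collections import defaultdict
SYN, RST, ACK = 0x02, 0x04, 0x10   # TCP flag bits (tcp.flags.syn / .reset / .ack)

def parse_pcap(data):
    """Yield (src, dst, sport, dport, flags, payload) per IPv4/TCP frame (Ethernet pcap)."""
    pos = 24                                        # skip the 24-byte pcap global header
    while pos + 16 <= len(data):
        incl_len = struct.unpack_from("<IIII", data, pos)[2]
        frame = data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                # not IPv4, or not TCP
        src, dst = (".".join(map(str, frame[o:o + 4])) for o in (26, 30))
        tcp = 14 + (frame[14] & 0x0F) * 4           # TCP header starts after Ethernet + IP
        sport, dport = struct.unpack_from("!HH", frame, tcp)
        flags, data_off = frame[tcp + 13], (frame[tcp + 12] >> 4) * 4
        yield src, dst, sport, dport, flags, frame[tcp + data_off:]

def find_ftp_creds(data):
    """Same idea as the display filter ftp.request.command == "USER" || "PASS"."""
    return [(src, payload.decode("ascii", "replace").strip())
            for src, _, _, dport, _, payload in parse_pcap(data)
            if dport == 21 and payload[:5] in (b"USER ", b"PASS ")]

def detect_syn_scan(data, min_ports=10):
    """Flag sources whose SYN-only packets (SYN set, ACK clear) hit many ports on one host."""
    ports = defaultdict(set)
    for src, dst, _, dport, flags, _ in parse_pcap(data):
        if flags & SYN and not flags & ACK:
            ports[(src, dst)].add(dport)
    return {pair: len(p) for pair, p in ports.items() if len(p) >= min_ports}

def _frame(src, dst, sport, dport, flags, payload=b""):
    # Constructed Ethernet/IPv4/TCP frame for the sample capture; checksums left at zero.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

# Constructed sample capture: a SYN scan of ports 20-39 from 10.0.0.5 (RST|ACK comes
# back for every closed port), followed by a cleartext FTP login from 10.0.0.7.
_frames = [_frame("10.0.0.5", "10.0.0.9", 40000 + p, p, SYN) for p in range(20, 40)]
_frames += [_frame("10.0.0.9", "10.0.0.5", p, 40000 + p, RST | ACK) for p in range(20, 40)]
_frames += [_frame("10.0.0.7", "10.0.0.9", 51000, 21, ACK, b"USER alice\r\n"),
            _frame("10.0.0.7", "10.0.0.9", 51000, 21, ACK, b"PASS hunter2\r\n")]
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in _frames)
```

Pass the bytes of a real .pcap saved by Wireshark (not .pcapng, which has a different container format) to the same two functions; a single source reaching dozens of ports with SYN-only packets is the scan signature the text describes.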
ARP poisoning works by flooding the network with fake ARP replies, associating the attacker's MAC address with a legitimate IP (typically the gateway). In Wireshark, ARP poisoning is visible as duplicate IP-to-MAC mappings and unusual ARP reply rates.
TShark is the terminal version of Wireshark. It shares all of Wireshark's protocol decoders and filters but runs entirely from the command line — making it perfect for headless servers, automated scripts, and processing large PCAP files efficiently.
- Wireshark Sample Captures — wiki.wireshark.org/SampleCaptures — the official collection. Hundreds of PCAP files covering every protocol Wireshark supports. A goldmine for learning how specific protocols look in a capture.
- malware-traffic-analysis.net — malware-traffic-analysis.net — real malware PCAP files with write-ups explaining what happened. This is how SOC analysts and incident responders learn to identify C2 traffic, malware download patterns, and post-infection behaviour. Password to extract archives: infected.
- CyberDefenders — cyberdefenders.org — free Blue Team CTF challenges where PCAP analysis is the primary task. Each challenge includes a PCAP file, questions to answer, and a full write-up once you solve it.
- PicoCTF — past competition archives contain dozens of PCAP analysis challenges at beginner to intermediate level. All legally downloadable from picoctf.org.
- PacketLife.net Captures — well-organised sample captures categorised by protocol. Good for targeted protocol study.
- Your own network — capture traffic on your home lab (Kali VM + Metasploitable 2) and analyse it. Running an Nmap scan against Metasploitable while capturing in Wireshark is the single most educational exercise for connecting tool usage to packet-level understanding.
⚡ Next steps — build on your Wireshark skills
- Download your first malware PCAP — go to malware-traffic-analysis.net, pick any exercise from 2024 or 2025, open it in Wireshark and try to find the C2 domain before reading the answer.
- Pair Wireshark with Nmap — run a port scan against Metasploitable while capturing in Wireshark. Watch exactly what Nmap sends and receives at the packet level — every scan type looks different.
- Add Burp Suite for web traffic — Wireshark sees all network traffic; Burp Suite focuses specifically on HTTP/HTTPS. Use them together: Wireshark for network-level visibility, Burp for deep HTTP manipulation.
- Practise SOC analyst PCAP challenges — CyberDefenders has free browser-based labs where PCAP analysis is the core task. Completing 10 of these is better interview preparation than any certification alone.
- Learn your Kali Linux toolkit — Wireshark, Nmap, and Burp Suite are three of the essential 20 Kali tools.
Wireshark is a packet analyser used for capturing and inspecting network traffic. Security professionals use it to investigate incidents, find credentials in cleartext protocols, detect attack patterns, analyse malware traffic, and troubleshoot network problems. It decodes over 3,000 protocols and is the industry-standard tool for network traffic analysis.
Wireshark is completely legal software. Using it on networks you own or have explicit written permission to monitor is legal. Capturing traffic on someone else's network without permission is illegal under wiretapping and computer fraud laws. All practice should be done on your own home network, a local lab environment, or pre-existing PCAP files from public repositories.
A capture filter is set before you start capturing and only records matching packets — uses BPF syntax (e.g., port 80). A display filter is applied after capture to show or hide packets from an existing capture — uses Wireshark's more powerful filter syntax (e.g., http.request.method == "GET"). For most learning and analysis work, capture everything without a capture filter and use display filters to find what you need.
Wireshark can decrypt TLS/HTTPS traffic if you have the server's private key or if you configure a pre-master secret log file. In modern TLS with Perfect Forward Secrecy, even the server's private key cannot decrypt captured sessions — but you can configure Firefox and Chrome to export session keys to a file that Wireshark can use to decrypt traffic in real time. This is useful for testing and debugging your own applications.
PCAP (Packet CAPture) is a file format for storing captured network packets. Wireshark saves captures as .pcap or .pcapng files. PCAP files can be shared and re-opened in Wireshark, TShark, or other tools like tcpdump and NetworkMiner. In incident response, IDS/IPS systems often produce PCAP files of suspicious traffic for analysts to examine. In CTF competitions, PCAP files are a standard challenge format.
The most useful single filter for beginners is http — it instantly reduces thousands of packets to just the web traffic. From there, http.request.method == "POST" narrows it down to form submissions and logins. For SOC work, dns combined with sorting by the query name column quickly reveals anomalous DNS activity. For credential hunting, frame contains "password" searches the entire capture in one go.
Nmap actively sends packets to probe a target and tells you what ports are open and what services are running — it is an active scanner. Wireshark passively captures and analyses all traffic passing through your network interface — it is a passive listener. They are complementary tools: Nmap discovers the attack surface, Wireshark shows you exactly what communication looks like at the packet level. Running Nmap while Wireshark is capturing is one of the best exercises for understanding how scanning actually works.
Yes — the Security+ SY0-701 exam includes performance-based questions that may involve reading and interpreting packet captures. Understanding TCP handshakes, reading HTTP and DNS traffic, identifying protocol anomalies, and knowing what port numbers correspond to which services are all tested. Time spent actually using Wireshark on real traffic prepares you better for these questions than reading about it in a textbook.