Wireshark – Network Protocol Analyzer
Complete Guide to Wireshark: Network Analysis and Troubleshooting
Wireshark is the world's most widely used network protocol analyzer, providing deep inspection of hundreds of protocols with both live capture and offline analysis. Security professionals, network administrators, and developers rely on it to troubleshoot network issues, examine security problems, debug protocol implementations, and learn how network protocols work on the wire.
The application captures network traffic in real-time and displays packet contents in human-readable format. Its powerful filtering capabilities enable focusing on specific traffic types, while the graphical interface makes complex analysis accessible without memorizing command-line syntax.
Installing Wireshark
# Ubuntu/Debian
sudo apt update
sudo apt install wireshark
# Allow non-root capture
sudo usermod -aG wireshark $USER
# Log out and back in
# Fedora
sudo dnf install wireshark
# Arch Linux
sudo pacman -S wireshark-qt
# macOS
brew install --cask wireshark
# Windows
winget install WiresharkFoundation.Wireshark
# Verify installation
wireshark --version
# Command-line capture tool
tshark --version
Capture Basics
# Start capture
# 1. Select interface
# 2. Click Start (blue shark fin)
# 3. Stop when done (red square)
# Capture filters (applied before capture)
# Capture only specific traffic
# Host filter
host 192.168.1.100
# Port filter
port 80
port 443
# Protocol filter
tcp
udp
icmp
# Network filter
net 192.168.1.0/24
# Combined filters
host 192.168.1.100 and port 80
tcp port 443 and host google.com
not port 22
# Command-line capture (tshark)
tshark -i eth0
tshark -i eth0 -w capture.pcap
tshark -i eth0 -c 100 # Capture 100 packets
tshark -i eth0 -f "port 80" # Capture filter
Display Filters
# Display filters (applied after capture)
# More powerful than capture filters
# IP filters
ip.addr == 192.168.1.100
ip.src == 192.168.1.100
ip.dst == 192.168.1.100
ip.addr == 192.168.1.0/24
# TCP filters
tcp.port == 80
tcp.srcport == 443
tcp.dstport == 8080
tcp.flags.syn == 1
tcp.flags.rst == 1
# UDP filters
udp.port == 53
# HTTP filters
http
http.request
http.response
http.request.method == "GET"
http.request.method == "POST"
http.response.code == 200
http.response.code >= 400
http.host contains "example.com"
http.request.uri contains "api"
# DNS filters
dns
dns.qry.name contains "google"
dns.flags.response == 1
# TLS/SSL filters
tls
tls.handshake.type == 1 # Client Hello
tls.handshake.extensions_server_name contains "example" # SNI; the older ssl.* field names are deprecated aliases
# Logical operators
ip.addr == 192.168.1.100 and tcp.port == 80
http or dns
not arp
(ip.src == 192.168.1.100) || (ip.dst == 192.168.1.100)
# Comparison operators
frame.len > 1000
frame.len >= 100 and frame.len <= 500
tcp.window_size < 1000
Analyzing Traffic
# Packet details pane sections:
# - Frame: Physical layer info
# - Ethernet: Data link layer
# - IP: Network layer
# - TCP/UDP: Transport layer
# - Application: HTTP, DNS, etc.
# Follow streams
# Right-click packet > Follow > TCP Stream
# Shows complete conversation
# Statistics menu:
# Statistics > Capture File Properties
# Statistics > Protocol Hierarchy
# Statistics > Conversations
# Statistics > Endpoints
# Statistics > IO Graphs
# Statistics > Flow Graph
# Expert Info
# Analyze > Expert Information
# Shows warnings, errors, notes
# Coloring rules
# View > Coloring Rules
# Customize packet colors
# Time display formats
# View > Time Display Format
# Seconds since beginning
# UTC date and time
# Relative to previous packet
Common Analysis Tasks
# Find slow connections
tcp.analysis.ack_rtt > 0.5
# Find retransmissions
tcp.analysis.retransmission
# Find duplicate ACKs
tcp.analysis.duplicate_ack
# Find reset connections
tcp.flags.rst == 1
# Find connection attempts (initial SYNs); attempts with no matching SYN/ACK or a RST reply failed
tcp.flags.syn == 1 and tcp.flags.ack == 0
# HTTP errors
http.response.code >= 400
# Large packets
frame.len > 1500
# Find specific content
frame contains "password"
http.request.uri contains "login"
# DNS queries
dns.flags.response == 0
# Failed DNS
dns.flags.rcode != 0
Command-Line Analysis (tshark)
# Read capture file
tshark -r capture.pcap
# Apply display filter
tshark -r capture.pcap -Y "http"
tshark -r capture.pcap -Y "ip.addr == 192.168.1.100"
# Show specific fields
tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e tcp.port
# Statistics
tshark -r capture.pcap -q -z io,stat,1
tshark -r capture.pcap -q -z conv,tcp
tshark -r capture.pcap -q -z http,tree
# Export objects
tshark -r capture.pcap --export-objects http,./exported/
# Follow stream
tshark -r capture.pcap -q -z follow,tcp,ascii,0
# Convert formats
tshark -r capture.pcap -F pcapng -w output.pcapng # -F selects the output file type (pcapng is the default)
# Live capture with filter
tshark -i eth0 -Y "http" -w http_traffic.pcap
# JSON output
tshark -r capture.pcap -T json > output.json
# Packet count
tshark -r capture.pcap | wc -l
Decrypting TLS Traffic
# Using pre-master secret log
# Set environment variable before browser session:
# Windows:
set SSLKEYLOGFILE=C:\keys\sslkeys.log
# Linux/macOS:
export SSLKEYLOGFILE=~/sslkeys.log
# In Wireshark:
# Edit > Preferences > Protocols > TLS
# (Pre)-Master-Secret log filename: /path/to/sslkeys.log
# Using server private key (RSA only)
# Edit > Preferences > Protocols > TLS
# RSA keys list > Edit
# Add IP, port, protocol, key file
# After configuration, TLS traffic shows decrypted
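A common reason decryption silently fails is a malformed or unusable key log. As an added example (not code from the page or from the Wireshark project), this Python script checks an SSLKEYLOGFILE in the NSS key log format that Wireshark reads: each non-comment line is `<LABEL> <client_random> <secret>` in hex, with a 32-byte client random and a secret whose length depends on the label. The sample log is constructed; the set of labels and accepted secret lengths is what I know the format uses, with rarer labels omitted.

```python
"""Check an NSS key log (SSLKEYLOGFILE) before loading it in Wireshark (added example)."""
import re

# Common labels only. TLS 1.3 labels carry a hash-sized secret (32 bytes for
# SHA-256 suites, 48 for SHA-384); CLIENT_RANDOM carries the 48-byte TLS 1.2 master secret.
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET",
}
SECRET_BYTES = {"CLIENT_RANDOM": {48}, **{lbl: {32, 48} for lbl in TLS13_LABELS}}
HEX = re.compile(r"^[0-9a-fA-F]+$")

# Constructed sample: two good entries, one truncated secret, one non-hex client random.
SAMPLE_KEYLOG = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 48,
    "CLIENT_TRAFFIC_SECRET_0 " + "11" * 32 + " " + "ef" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "11" * 32 + " " + "ef" * 20,
    "CLIENT_RANDOM " + "zz" * 32 + " " + "cd" * 48,
])


def check_keylog(text):
    """Return (usable, problems): usable is a list of (label, client_random) that
    Wireshark can match to a handshake; problems is a list of (line_number, reason)."""
    usable, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines and comments are ignored
            continue
        parts = line.split()
        if len(parts) != 3:
            problems.append((lineno, "expected '<LABEL> <client_random> <secret>'"))
            continue
        label, client_random, secret = parts
        if label not in SECRET_BYTES:
            problems.append((lineno, f"unknown label {label}"))
        elif len(client_random) != 64 or not HEX.match(client_random):
            problems.append((lineno, "client random must be 32 bytes of hex"))
        elif not HEX.match(secret) or len(secret) % 2 or len(secret) // 2 not in SECRET_BYTES[label]:
            problems.append((lineno, f"{label} secret length {len(secret) // 2} bytes not in {sorted(SECRET_BYTES[label])}"))
        else:
            usable.append((label, client_random.lower()))
    return usable, problems


if __name__ == "__main__":
    good, bad = check_keylog(SAMPLE_KEYLOG)
    print(f"{len(good)} usable entries; {len(bad)} problem lines: {bad}")
```

Entries whose client random never appears in the capture are valid but simply unused; if Wireshark still shows no decrypted data, check that the capture includes the full handshake.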
Profiles
# Create profile for specific analysis
# Edit > Configuration Profiles
# Profile includes:
# - Column layout
# - Display filters
# - Coloring rules
# - Preferences
# Create profiles for:
# - Web analysis
# - VoIP analysis
# - Security analysis
# - Wireless analysis
# Switch profiles from status bar
Exporting Data
# Export packet dissections
# File > Export Packet Dissections
# As Plain Text, CSV, JSON, XML
# Export specific packets
# File > Export Specified Packets
# Select range or marked packets
# Export objects (files transferred)
# File > Export Objects > HTTP
# File > Export Objects > SMB
# File > Export Objects > TFTP
# Export TLS session keys
# File > Export TLS Session Keys
Security Analysis
# Detect port scans
tcp.flags.syn == 1 and tcp.flags.ack == 0
# Find ARP spoofing
arp.duplicate-address-detected
# Detect unusual traffic
# Large ICMP packets
icmp and frame.len > 100
# Suspicious DNS
dns.qry.name contains "base64"
# Cleartext credentials
http.authbasic
ftp.request.command == "PASS"
# Malware indicators
http.request.uri contains ".exe"
http.content_type contains "application/x-msdownload"
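The port-scan filter above (and the "connection attempts" filter under Common Analysis Tasks) matches every initial SYN, including ordinary clients, so a practitioner usually post-processes the output. As an added example (not code from the page or from Wireshark), this Python script reads the lines that `tshark -r capture.pcap -Y "tcp.flags.syn == 1 and tcp.flags.ack == 0" -T fields -E separator=, -e ip.src -e ip.dst -e tcp.dstport` would print and flags sources that sent bare SYNs to many distinct ports of one host. The sample lines are constructed, and the `min_ports` threshold is an assumed tuning knob.

```python
"""Flag likely SYN-scan sources in tshark field output (added example, not from the page)."""
from collections import defaultdict

# Assumed producer of the input (not run here):
#   tshark -r capture.pcap -Y "tcp.flags.syn == 1 and tcp.flags.ack == 0" \
#          -T fields -E separator=, -e ip.src -e ip.dst -e tcp.dstport
# Each line is src,dst,dstport. The lines below are constructed for the demo.
SAMPLE_SYN_LINES = """\
192.168.1.50,192.168.1.10,22
192.168.1.50,192.168.1.10,23
192.168.1.50,192.168.1.10,25
192.168.1.50,192.168.1.10,80
192.168.1.50,192.168.1.10,443
192.168.1.50,192.168.1.10,445
192.168.1.50,192.168.1.10,3389
192.168.1.50,192.168.1.10,8080
192.168.1.77,192.168.1.10,443
192.168.1.77,192.168.1.10,443
192.168.1.77,203.0.113.5,80
"""

def parse_syn_lines(text):
    """Yield (src, dst, dstport) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        yield parts[0], parts[1], int(parts[2])

def syn_scan_candidates(text, min_ports=5):
    """Return {src: {dst: sorted ports}} for sources that sent bare SYNs to at
    least min_ports distinct ports on one destination. Counting distinct ports
    rather than raw SYNs keeps a normal client retrying a single port off the list."""
    seen = defaultdict(lambda: defaultdict(set))
    for src, dst, port in parse_syn_lines(text):
        seen[src][dst].add(port)
    result = {}
    for src, dsts in seen.items():
        hits = {dst: sorted(p) for dst, p in dsts.items() if len(p) >= min_ports}
        if hits:
            result[src] = hits
    return result

if __name__ == "__main__":
    for src, dsts in syn_scan_candidates(SAMPLE_SYN_LINES).items():
        for dst, plist in dsts.items():
            print(f"{src} -> {dst}: SYNs to {len(plist)} distinct ports {plist}")
```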
VoIP Analysis
# RTP streams
# Telephony > RTP > RTP Streams
# SIP analysis
sip
# VoIP calls
# Telephony > VoIP Calls
# Play audio
# Select RTP stream > Analyze > Play Streams
# Jitter and packet loss
# Telephony > RTP > Stream Analysis
Wireless Analysis
# Enable monitor mode (Linux)
sudo airmon-ng start wlan0
# Capture in Wireshark
# Select wlan0mon interface
# 802.11 filters
wlan
wlan.fc.type == 0 # Management frames
wlan.fc.type == 1 # Control frames
wlan.fc.type == 2 # Data frames
# Beacon frames
wlan.fc.type_subtype == 0x08
# Probe requests
wlan.fc.type_subtype == 0x04
# Filter by BSSID
wlan.bssid == aa:bb:cc:dd:ee:ff
Performance Tips
# For large captures:
# - Use capture filters to limit data
# - Disable name resolution
# - Use ring buffer for continuous capture
# Ring buffer
# Capture > Options > Output
# Use ring buffer with X files of Y MB
# Disable name resolution
# Edit > Preferences > Name Resolution
# Uncheck all resolve options
# Command-line for large files
tshark -r large.pcap -Y "filter" -w filtered.pcap
Conclusion
Wireshark provides unmatched visibility into network traffic, essential for troubleshooting, security analysis, and protocol development. Its comprehensive protocol support, powerful filtering, and intuitive interface make complex network analysis accessible. Whether debugging application issues, investigating security incidents, or learning networking, Wireshark remains the indispensable tool for understanding what's happening on the wire.