Wireshark is the most powerful free network tool ever made — and arguably the most underused. Most users live in the first 20% of its features. This tutorial pushes you into the productive middle 60%.
Capture Setup
Choose the Right Interface
On Linux/macOS: tcpdump -D lists interfaces. On Windows: the Npcap install adds them to Wireshark’s UI.
For full visibility:
- SPAN/mirror port on a switch — best for production analysis
- TAP — passive splitter; gold standard for forensics
- Promiscuous mode + monitor mode on Wi-Fi — captures other clients on the same channel
Capture Filters vs Display Filters
This is the #1 confusion. They use different syntaxes:
# Capture filter (BPF — applied before storage)
host 10.0.0.5 and port 443
# Display filter (Wireshark syntax — applied to loaded pcap)
ip.addr == 10.0.0.5 && tcp.port == 443
Rule: use capture filters to keep file sizes manageable. Use display filters for analysis.
The Display Filters That Matter
# HTTP requests only
http.request
# All DNS queries
dns.flags.response == 0
# TCP retransmissions (network health)
tcp.analysis.retransmission
# Suspicious user-agent
http.user_agent contains "sqlmap"
# Failed TLS handshakes
tls.alert_message
# Specific HTTP response codes
http.response.code == 500
# Beaconing patterns — exact-interval traffic
tcp.flags.syn == 1 && tcp.flags.ack == 0
# Exfiltration candidates — large uploads
tcp.len > 1400 && ip.src == 10.0.0.5
# Cleartext credentials
http.authorization || ftp.request.command == "USER" || telnet
Memorize the first ten. The rest are one Google search away.
TLS Decryption
You cannot break TLS, but you can decrypt your own sessions if you control either endpoint:
Option A: Pre-Master Secret Log
Set SSLKEYLOGFILE=/path/to/keys.log before launching Chrome or Firefox. Both browsers write per-session keys to that file. In Wireshark: Edit → Preferences → Protocols → TLS → (Pre)-Master-Secret log filename.
Now your captures show plaintext HTTP inside the TLS streams.
Option B: Server Private Key (TLS 1.2 only)
For RSA-key-exchange ciphers, supply the server private key in the same preference pane. Useless against modern TLS 1.3, which mandates forward secrecy.
Following Conversations
Right-click a packet → Follow → TCP Stream (or HTTP, HTTP/2, QUIC). This reassembles the bidirectional conversation into a readable view. The most useful single right-click in the tool.
Statistics Panels
Statistics → Conversations and Statistics → Endpoints show talkers ranked by bytes. Useful for:
- Finding noisy clients on a slow network
- Spotting data exfiltration (one host with disproportionate upload bytes)
- Confirming the actual top destinations on a busy server
Statistics → I/O Graphs plots bandwidth over time. Spike at 03:00 every night? Likely a scheduled task — or a beacon.
Hunt Patterns for Defenders
DNS Tunneling
dns.qry.name.len > 50 || (dns and frame.len > 200)
Long DNS labels in TXT or AAAA queries are a classic tunnel signature.
Plaintext Protocols
ftp || telnet || http.authorization
Any HTTP-Basic, FTP USER, or telnet on a corporate network deserves a ticket.
Reverse Shells
Reverse shells often look like normal outbound TCP to a high port. The fingerprint:
- Outbound to an unusual ASN
- Long-lived idle TCP
- Small periodic packets (heartbeats)
Use tcp.stream eq X to follow specific suspect flows.
Performance Triage
When the network “feels slow”:
tcp.analysis.flags— surfaces every TCP anomalytcp.analysis.retransmissioncount > 1% of all packets indicates losstcp.analysis.duplicate_ackclusters mean asymmetric routing or reorderingExpert Information(Analyze menu) — Wireshark’s built-in heuristics
Useful Extensions
- Zeek (formerly Bro) — parses pcaps into structured logs at scale
- Suricata — ruleset-driven IDS reading the same pcaps
- Brim — UI on top of Zeek logs; great for large captures Wireshark struggles with
Practice Pcaps
- Malware-Traffic-Analysis.net — captures from real infections with explainers
- PacketTotal — public pcap analysis service
