
Wireshark Explained — The Standard Tool for Packet Capture and Analysis

Approx. 18 min · 2026-05-29

Wireshark is the world's most widely used packet capture and analysis tool — it grabs packets straight off the wire and decodes them. Gerald Combs started it in 1998 as Ethereal, and a 2006 trademark dispute renamed it to Wireshark. Today it can dissect more than 3,000 protocols and is the de facto standard for troubleshooting, security investigation, protocol learning, and malware analysis. This article covers how capture works via libpcap/Npcap, display filters and statistics, walking through TCP and TLS flows, the tshark CLI, the limits (encrypted payloads), and how it fits alongside tcpdump, Zeek, and Suricata.

01

What Wireshark is — a tool that lets you "see" packets #

Normally a network goes "app → OS → NIC → wire" invisibly. Wireshark, via hooks in the OS, slurps every packet through the NIC (including packets neither sent nor addressed to you) and decodes them layer by layer.

▸ What Wireshark shows you

The full hierarchy: Ethernet → IP → TCP/UDP → application protocols (HTTP, DNS, TLS, SMB, Kerberos, even industrial protocols), every field laid out in a tree. Timing, size, ordering, retransmissions, RTTs — all in milliseconds. The only general-purpose tool that lets you directly observe what's actually happening on the network.

History #

  • 1998 — Gerald Combs (25 at the time) starts personal development because "commercial tools cost too much." Releases under the name Ethereal
  • 2006 — Trademark held by his former employer; on changing jobs, Combs renames and migrates to Wireshark
  • 2008 — Wireshark Foundation established (today loosely affiliated with Sysdig)
  • 2025 — Version 4.x, with support for the latest protocols including SCADA, IoT, QUIC, HTTP/3, WireGuard, WPA3

Position in the market #

Commercial competitors exist (OmniPeek, LiveAction), but Wireshark dwarfs them in the breadth of decoders as an OSS project. Industry curricula (Cisco, OWASP, SANS, the WCNA — Wireshark Certified Network Analyst — certification) treat it as essentially required prior knowledge.

02

How it works — libpcap and Npcap #

Wireshark itself is "the GUI for display and analysis." The actual packet capture is delegated to libpcap (Linux/macOS) or Npcap (Windows).

1. Put the NIC in promiscuous mode
Normally a NIC only forwards frames addressed to its own MAC up the stack. In promiscuous mode it accepts every frame on the wired segment.
2. BPF filter in the kernel
Apply a BPF (Berkeley Packet Filter) before frames cross into userland. Dropping unwanted packets in-kernel keeps CPU low even at full line rate.
3. Ring buffer into userland
PF_PACKET (Linux) or Npcap hand packets to the Wireshark process via an mmap'd ring buffer.
4. Dissectors decode each layer
Wireshark's dissectors decode in order: Ethernet → IP → TCP → app layer. Each layer's fields appear in the GUI tree.
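
The dissector chain in miniature, as an added example (this is not Wireshark's code): a Python script that builds one Ethernet II / IPv4 / TCP SYN frame by hand, then walks it the way step 4 describes, each decoder consuming its own header, exposing its fields under Wireshark-style names, and handing the remainder to the next layer. The frame bytes, addresses and ports are constructed for the example; the header layouts are the standard ones.

```python
import struct

def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_sample_frame() -> bytes:
    """Constructed Ethernet II / IPv4 / TCP SYN frame (not a real capture)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", 51000, 443, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)
    src, dst = bytes([10, 0, 0, 5]), bytes([93, 184, 216, 34])
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]  # fill in the header checksum
    return eth + ip + tcp

def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def dissect_ethernet(frame: bytes):
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"eth.dst": _mac(dst), "eth.src": _mac(src), "eth.type": ethertype}, frame[14:]

def dissect_ipv4(data: bytes):
    (ver_ihl, _tos, total_len, _ident, _frag, ttl,
     proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    ihl = (ver_ihl & 0x0F) * 4
    fields = {
        "ip.src": ".".join(map(str, src)), "ip.dst": ".".join(map(str, dst)),
        "ip.ttl": ttl, "ip.proto": proto,
        # a good header sums to zero once the checksum field itself is included
        "ip.checksum.good": ipv4_checksum(data[:ihl]) == 0,
    }
    return fields, data[ihl:total_len]

def dissect_tcp(data: bytes):
    sport, dport, seq, ack, off, flags, win, _csum, _urg = struct.unpack("!HHIIBBHHH", data[:20])
    hlen = (off >> 4) * 4
    fields = {
        "tcp.srcport": sport, "tcp.dstport": dport, "tcp.seq": seq, "tcp.ack": ack,
        "tcp.flags.syn": (flags >> 1) & 1, "tcp.flags.ack": (flags >> 4) & 1,
        "tcp.flags.reset": (flags >> 2) & 1, "tcp.window_size": win,
    }
    return fields, data[hlen:]

def dissect(frame: bytes) -> dict:
    """Run the decoders in order; each consumes its header and passes the rest on."""
    fields, rest = dissect_ethernet(frame)
    if fields["eth.type"] == 0x0800:                 # IPv4
        ip, rest = dissect_ipv4(rest)
        fields.update(ip)
        if ip["ip.proto"] == 6:                      # TCP
            tcp, rest = dissect_tcp(rest)
            fields.update(tcp)
    fields["payload_len"] = len(rest)                # whatever no dissector claimed
    return fields

if __name__ == "__main__":
    for name, value in dissect(build_sample_frame()).items():
        print(f"{name:18} {value}")
```

A frame whose EtherType is not IPv4 (an ARP frame, say) stops after the Ethernet layer and the rest is reported as undecoded payload, which is also what the GUI tree shows when no dissector claims the bytes.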

On switched networks you only see your own traffic #

Modern Ethernet uses switches, not hubs, and switches forward each frame only to the port the destination MAC is on. Promiscuous mode still won't show you frames that don't physically reach your port. To get past that:

  • Port mirroring (SPAN port) — configure the switch to "copy all traffic on port 3 to port 5" and attach Wireshark to port 5
  • TAP devices — physical inline taps that split the line (ProfiTAP, Garland, etc.)
  • Capture on the host directly — capturing on the host's own NIC always shows the host's own traffic
  • ARP spoofing — redirect another host's traffic to your port (attacker-side; not standard ops)
  • Wi-Fi monitor mode — over Wi-Fi you can sniff all the wireless frames (though WPA2/3 encrypts them)

03

Filters — capture vs display #

The most important feature of Wireshark. There are two kinds of filter and they use different syntax — important to remember.

Capture filters (BPF syntax) #

Run inside the kernel; drop packets before they're captured. Syntax is the BPF language, same as tcpdump.

Capture filters — BPF

```
# Only port 443
tcp port 443

# Only traffic to or from a specific host
host 192.168.1.10

# That host's port 80 only
host 192.168.1.10 and tcp port 80

# Exclude ARP
not arp
```

Essential under heavy traffic. Capturing a saturated GbE link with no filter blows past a gigabyte per minute and fills disks fast.

Display filters (Wireshark-specific syntax) #

Filter the view, after capture. Of the form protocol.fieldname == value; any field in any of the 3,000 supported protocols can be a condition.

Display filters — Wireshark syntax

```
# Only HTTP GET
http.request.method == "GET"

# Only 5xx error responses
http.response.code >= 500

# Only TCP retransmissions (classic troubleshoot move)
tcp.analysis.retransmission

# DNS queries that contain example.com
dns.qry.name contains "example.com"

# TLS Client Hello
tls.handshake.type == 1

# Composite condition
ip.src == 10.0.0.5 and tcp.dstport == 443 and tls.handshake
```

▸ Pull field names from the GUI

Right-click a field in the packet detail pane → "Apply as Filter" inserts the correct syntax. You don't need to memorize 3,000 field names.

Useful display filters #

| Use | Filter |
|---|---|
| Troubleshoot (TCP reset) | `tcp.flags.reset == 1` |
| Find heavy frames | `frame.len > 1400` |
| Detect ARP spoofing | `arp.duplicate-address-detected` |
| Only DNS responses | `dns.flags.response == 1` |
| TLS server certificates | `tls.handshake.type == 11` |
| HTTP Host header | `http.host contains "victim.example"` |
| SMB auth failure | `smb.nt_status == 0xc000006d` |
| Suspicious User-Agent (C2 candidate) | `http.user_agent contains "Mozilla/4.0"` |
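
To make the display-filter grammar concrete, here is an added example (not Wireshark's own filter engine) in Python: a small evaluator for the protocol.field operator value form that understands ==, !=, <, >, <=, >=, contains, bare field names as presence tests, not/and/or (and the !, &&, || spellings) and parentheses, run over a handful of constructed packet summaries. The packets and their field values are made up for the example; the filter strings it is exercised with are the ones from the two lists above.

```python
import operator
import re

# Constructed packet summaries, with fields named the way Wireshark names them.
PACKETS = [
    {"frame.number": 1, "frame.len": 74, "ip.src": "10.0.0.5", "ip.dst": "93.184.216.34",
     "tcp.dstport": 443, "tcp.flags.syn": 1, "tcp.flags.ack": 0},
    {"frame.number": 2, "frame.len": 583, "ip.src": "10.0.0.5", "ip.dst": "93.184.216.34",
     "tcp.dstport": 443, "tls.handshake": True, "tls.handshake.type": 1},
    {"frame.number": 3, "frame.len": 1514, "ip.src": "93.184.216.34", "ip.dst": "10.0.0.5",
     "tcp.dstport": 51000, "tls.handshake": True, "tls.handshake.type": 11},
    {"frame.number": 4, "frame.len": 312, "ip.src": "10.0.0.7", "ip.dst": "192.0.2.80",
     "tcp.dstport": 80, "http.request.method": "GET", "http.host": "victim.example",
     "http.user_agent": "Mozilla/4.0 (compatible; MSIE 6.0)"},
    {"frame.number": 5, "frame.len": 60, "ip.src": "10.0.0.7", "ip.dst": "10.0.0.1",
     "dns.qry.name": "c2.example.com", "dns.flags.response": 0},
    {"frame.number": 6, "frame.len": 60, "ip.src": "192.0.2.80", "ip.dst": "10.0.0.7",
     "tcp.dstport": 51001, "tcp.flags.reset": 1},
]

OPS = {"==": operator.eq, "!=": operator.ne, ">=": operator.ge, "<=": operator.le,
       ">": operator.gt, "<": operator.lt, "contains": None}
TOKEN = re.compile(r'\(|\)|==|!=|>=|<=|>|<|&&|\|\||!|"[^"]*"|[^\s()=!<>&|"]+')

def _value(tok):
    """Quoted text is a string; 0x.. and decimal become ints; 10.0.0.5 stays a string."""
    if tok.startswith('"'):
        return tok[1:-1]
    try:
        return int(tok, 0)
    except ValueError:
        return tok

class DisplayFilter:
    """Recursive-descent parser, precedence low to high: or, and, not, comparison."""
    def __init__(self, text):
        self.toks, self.pos = TOKEN.findall(text), 0
        self.ast = self._or()
        if self.pos != len(self.toks):
            raise ValueError("unexpected token: " + self.toks[self.pos])
    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None
    def _take(self):
        if self._peek() is None:
            raise ValueError("unexpected end of filter")
        self.pos += 1
        return self.toks[self.pos - 1]
    def _or(self):
        node = self._and()
        while self._peek() in ("or", "||"):
            self._take()
            node = ("or", node, self._and())
        return node
    def _and(self):
        node = self._not()
        while self._peek() in ("and", "&&"):
            self._take()
            node = ("and", node, self._not())
        return node
    def _not(self):
        if self._peek() in ("not", "!"):
            self._take()
            return ("not", self._not())
        return self._atom()
    def _atom(self):
        tok = self._take()
        if tok == "(":
            node = self._or()
            if self._take() != ")":
                raise ValueError("missing )")
            return node
        if tok == ")" or tok in OPS:
            raise ValueError("expected a field name, got " + tok)
        if self._peek() in OPS:                        # field op value
            return ("cmp", tok, self._take(), _value(self._take()))
        return ("has", tok)                            # bare field name: presence test

def _eval(node, pkt):
    kind = node[0]
    if kind == "or":
        return _eval(node[1], pkt) or _eval(node[2], pkt)
    if kind == "and":
        return _eval(node[1], pkt) and _eval(node[2], pkt)
    if kind == "not":
        return not _eval(node[1], pkt)
    if kind == "has":
        return node[1] in pkt
    _, field, op, value = node
    if field not in pkt:                               # comparing an absent field is false
        return False
    actual = pkt[field]
    if op == "contains":
        return str(value) in str(actual)
    if isinstance(actual, bool):
        actual = int(actual)
    if isinstance(actual, int) != isinstance(value, int):   # number vs string never matches
        return False
    return OPS[op](actual, value)

def apply_filter(text, packets=PACKETS):
    """Frame numbers that match, like the GUI's filtered packet list."""
    f = DisplayFilter(text)
    return [p["frame.number"] for p in packets if _eval(f.ast, p)]
```

Two behaviours worth noticing, because they trip people up in the real GUI as well: a comparison on a field the packet does not carry is simply false (so `not tls.handshake.type == 1` also selects every non-TLS frame), and a bare field name such as `tls.handshake` is a presence test, not a truth test.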
04

Typical uses #

Follow TCP stream #

Right-click → Follow → TCP Stream reassembles and shows one session as readable text. HTTP request/response, SMTP conversations — readable on screen. Usually the first thing that hooks new Wireshark users.

Statistics #

The Statistics menu has:

  • Conversations — which host pairs talk how much
  • Endpoints — per-host packet / byte counts
  • I/O Graphs — time-series throughput (Mbps)
  • Flow Graph — a Sequence Diagram between two hosts with time on the vertical axis
  • HTTP Object List — extract every HTTP object captured as files (images, JS, JSON)
  • TCP Stream Graphs — time-series of RTT, window size, sequence number

File extraction #

File → Export Objects → HTTP writes every HTTP object (HTML, JS, images, downloads) seen in the capture to disk. Heavily used in malware analysis to extract a payload binary, and in internal audits to capture exactly what file got downloaded.

Decrypting TLS #

TLS payloads are encrypted by default. But if you can obtain the session keys from the handshake, Wireshark will display the decrypted plaintext.

| Method | Applies when |
|---|---|
| SSLKEYLOGFILE env var | Chrome / Firefox / curl / Node.js write TLS session keys to a file. Point Wireshark's Preferences at the file |
| Server RSA private key | Only if you have the server's private key AND the session uses RSA key exchange (TLS 1.2 only) |
| TLS 1.3 + PFS | RSA key alone can't decrypt. SSLKEYLOGFILE is mandatory |

For decrypting your own browser traffic, SSLKEYLOGFILE is essentially the only practical option.

Decrypt Chrome's TLS

```
# 1. Set the env var and launch Chrome
$ export SSLKEYLOGFILE=/tmp/tls.keys
$ google-chrome

# 2. In Wireshark: Preferences → Protocols → TLS,
#    set "(Pre)-Master-Secret log filename" to /tmp/tls.keys

# 3. That's it — TLS is decrypted and shown as plaintext HTTP
```
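
How Wireshark pairs a key log with a captured session, as an added Python example (not Wireshark's code): every SSLKEYLOGFILE line carries the 32-byte ClientHello random, and that random is what links a line to a handshake in the capture. The script parses a constructed key log (one TLS 1.2 CLIENT_RANDOM line and the TLS 1.3 traffic-secret lines), pulls the random out of a hand-built ClientHello record, and reports which secrets, if any, the session can be decrypted with. Key derivation and the decryption itself are left to Wireshark; all hex values here are made up.

```python
import struct

# Labels Wireshark reads from an SSLKEYLOGFILE; each line is "<label> <client_random> <secret>".
TLS12_LABELS = {"CLIENT_RANDOM"}
TLS13_LABELS = {"CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
                "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET"}

# Constructed key log: a TLS 1.2 session (random aa..), a TLS 1.3 session (random bb..),
# plus a comment and a malformed line that a parser must skip.
SAMPLE_KEYLOG = "\n".join([
    "# SSL/TLS secrets log file (constructed sample)",
    "CLIENT_RANDOM " + "aa" * 32 + " " + "11" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "bb" * 32 + " " + "22" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "bb" * 32 + " " + "33" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "bb" * 32 + " " + "44" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "bb" * 32 + " " + "55" * 32,
    "CLIENT_RANDOM truncated-garbage",
])

def parse_keylog(text: str) -> dict:
    """Map client_random (hex) -> {label: secret_hex}; comments and bad lines are skipped."""
    sessions = {}
    for line in text.splitlines():
        parts = line.strip().split()
        if len(parts) != 3 or parts[0] not in TLS12_LABELS | TLS13_LABELS:
            continue
        label, client_random, secret = parts
        if len(client_random) != 64 or len(secret) % 2:   # the random is always 32 bytes
            continue
        sessions.setdefault(client_random.lower(), {})[label] = secret.lower()
    return sessions

def build_client_hello(random32: bytes) -> bytes:
    """Minimal TLS record carrying a ClientHello (one cipher suite, no extensions)."""
    body = (b"\x03\x03" + random32          # legacy_version, random
            + b"\x00"                       # session id length 0
            + b"\x00\x02\x13\x01"           # cipher_suites: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                   # compression methods: null
            + b"\x00\x00")                  # extensions length 0
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake

def client_random(record: bytes) -> str:
    """Pull the 32-byte random out of a captured ClientHello record."""
    content_type, _version, _length = struct.unpack("!BHH", record[:5])
    if content_type != 22 or record[5] != 1:            # handshake record, client_hello type
        raise ValueError("not a ClientHello record")
    hs_body = record[9:9 + int.from_bytes(record[6:9], "big")]
    return hs_body[2:34].hex()                          # skip legacy_version, take the random

def keys_for_capture(keylog: dict, record: bytes):
    """What Wireshark does with the log: match the ClientHello random against it."""
    secrets = keylog.get(client_random(record))
    if not secrets:
        return None, {}                                 # no line for this session: stays opaque
    version = "TLS 1.2" if "CLIENT_RANDOM" in secrets else "TLS 1.3"
    return version, secrets

if __name__ == "__main__":
    log = parse_keylog(SAMPLE_KEYLOG)
    for rnd in (b"\xaa" * 32, b"\xbb" * 32, b"\xcc" * 32):
        print(rnd[:2].hex(), keys_for_capture(log, build_client_hello(rnd))[0])
```

The third lookup (random cc..) has no key-log entry, which is the everyday failure: the browser was started before the variable was exported, or the log was written by a different process. Wireshark then shows only the handshake and encrypted application data for that session.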

05

tshark — the command-line version #

A GUI-less companion, tshark, ships with Wireshark and is used for headless captures on servers and for packet checks in CI.

tshark basics

```
# List interfaces
$ tshark -D

# Capture 60 seconds on eth0 to a file
$ tshark -i eth0 -a duration:60 -w capture.pcapng

# Extract HTTP Host headers as JSON
$ tshark -r capture.pcapng -Y 'http.request' -T json \
    -e ip.src -e http.host -e http.request.uri

# Continuous rotating capture (10MB × 5 files)
$ tshark -i eth0 -b filesize:10240 -b files:5 -w rotated.pcapng
```

Filter syntax is fully compatible with the GUI, so a practical workflow is "develop the filter in the GUI, ship it to tshark."

At scale, tcpdump + post-processing wins #

For long captures across many hosts, lightweight capture with tcpdump -w and later analysis in Wireshark / tshark is the realistic division. The GUI gets sluggish on captures in the tens of GB.

06

Security uses #

Analyzing malware C2 traffic #

Detonate the sample in a sandbox → capture everything with tcpdump → open in Wireshark → read User-Agents, DNS queries, destination IPs, and JSON payloads by eye. The classic workflow for building IOCs (Indicators of Compromise).

Sniffing credentials #

Plaintext protocols (HTTP Basic, FTP, Telnet, old POP3) carry credentials in the clear. Filter on tcp.port == 21, read "USER" and "PASS" — that's it. Watching it once in Wireshark is the fastest way to internalize "use TLS."

Inspecting Kerberos / NTLM handshakes #

While testing AD attacks, Wireshark lets you watch AS-REQ / TGS-REQ / NTLM Type 1-3 messages and tell whether Kerberoasting or Pass-the-Hash is succeeding. Useful filters: kerberos.msg_type, ntlmssp.

Detecting scans #

tcp.flags.syn == 1 and tcp.flags.ack == 0 extracts SYN-only packets. One source IP fanning out across many destination ports in a short window lights up SYN scans clearly. Statistics → Conversations shows the same shape.

Detecting ARP spoofing #

Wireshark auto-detects "the same IP answered by multiple MACs" via arp.duplicate-address-detected. Good for confirming LAN-internal MITM.
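
Both detections above, written out as an added Python example (not Wireshark's code) over constructed packet summaries of the kind a tshark field export would give you: a sliding-window count of distinct destination ports per source for SYN-only packets, and an IP-to-MAC map over ARP replies that flags any IP answered by more than one MAC. The window length, the port threshold and the sample traffic are assumptions for the example; a slow scan is included to show that the window decides what gets flagged.

```python
from collections import Counter, defaultdict

# Constructed TCP summaries: (timestamp_s, src, dst, dstport, syn, ack).
# 10.0.0.9 hits 40 ports on one host in 0.4 s; 10.0.0.11 probes 30 ports ten seconds apart;
# 10.0.0.5 just opens a few HTTPS connections and gets SYN/ACKs back.
TCP_PACKETS = (
    [(10.0 + 0.01 * i, "10.0.0.9", "10.0.0.20", port, 1, 0) for i, port in enumerate(range(1, 41))]
    + [(100.0 + 10.0 * i, "10.0.0.11", "10.0.0.20", port, 1, 0) for i, port in enumerate(range(1, 31))]
    + [(5.0 * i, "10.0.0.5", "93.184.216.34", 443, 1, 0) for i in range(6)]
    + [(5.0 * i + 0.02, "93.184.216.34", "10.0.0.5", 51000 + i, 1, 1) for i in range(6)]
)

# Constructed ARP replies: (timestamp_s, sender_ip, sender_mac).
# The gateway 10.0.0.1 is later also claimed by a second MAC.
ARP_REPLIES = [
    (1.0, "10.0.0.1", "00:11:22:33:44:55"),
    (1.5, "10.0.0.20", "00:11:22:33:44:66"),
    (30.0, "10.0.0.1", "de:ad:be:ef:00:01"),
    (31.0, "10.0.0.1", "de:ad:be:ef:00:01"),
]

def detect_syn_scans(packets, window=5.0, min_ports=20):
    """Sources whose SYN-only packets touch >= min_ports distinct ports inside any window."""
    by_src = defaultdict(list)
    for ts, src, _dst, dport, syn, ack in packets:
        if syn and not ack:          # same selection as tcp.flags.syn == 1 and tcp.flags.ack == 0
            by_src[src].append((ts, dport))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        in_window, start, peak = Counter(), 0, 0
        for ts, dport in events:
            in_window[dport] += 1
            while ts - events[start][0] > window:   # slide the left edge forward
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= min_ports:
            alerts[src] = peak
    return alerts

def detect_arp_spoofing(replies):
    """Same idea as arp.duplicate-address-detected: one IP answered by more than one MAC."""
    macs_for_ip = defaultdict(set)
    for _ts, ip, mac in replies:
        macs_for_ip[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in macs_for_ip.items() if len(macs) > 1}

if __name__ == "__main__":
    print("5 s window:  ", detect_syn_scans(TCP_PACKETS))
    print("600 s window:", detect_syn_scans(TCP_PACKETS, window=600.0))
    print("ARP:         ", detect_arp_spoofing(ARP_REPLIES))
```

With the 5-second window only the fast scanner is flagged; widening it to 10 minutes also catches the slow one, at the cost of more false positives from chatty but legitimate hosts. That trade-off is exactly what an IDS tunes and what Wireshark leaves to you when you read the Conversations table by eye.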

07

Limits — what Wireshark cannot do #

▸ It does not see everything

The more famous Wireshark gets, the more people assume it does. Spelling it out:

| Limit | What it means |
|---|---|
| Encrypted payloads | TLS / SSH / WireGuard / IPsec content is opaque without keys. You only see timing, size, destination |
| Cross-traffic on switches | Promiscuous mode doesn't help; you need SPAN/TAP (see earlier) |
| High-speed links | Full line rate on 10/40/100 GbE is impossible. Specialized hardware (FPGA, DPDK probes) is required |
| Long-term retention | Saturated GbE produces multiple GB per hour. Not suited for continuous recording. NSM tools like Zeek / Suricata fill that role by keeping only metadata |
| Alerting | "Notify me when something looks wrong" is fundamentally not Wireshark's job. Pair with IDS like Suricata / Snort |

Where related tools fit #

| Tool | Role | Relation to Wireshark |
|---|---|---|
| tcpdump | Lightweight CLI capture | Partner for grabbing the raw data Wireshark then reads |
| Zeek (formerly Bro) | Convert packets into structured logs | Always-on logging + queryable logs. Produces conn.log, http.log, dns.log |
| Suricata | Signature-based IDS/IPS | Alert fires → drill down in Wireshark |
| NetFlow / IPFIX | Per-flow aggregation | Bird's-eye view of bandwidth and destinations; no payload |
| Brim (Zui) | Unified GUI over Zeek logs + pcap | Faster than Wireshark for analyzing very large pcaps |

The modern standard stack: "Continuous monitoring with Zeek/Suricata, deep dives with Wireshark."

08

Legal and ethical notes #

▸ Intercepting other people's traffic can be a crime

In Japan it can fall under telecommunications law / the Unauthorized Computer Access Act / criminal-law protections of communications privacy. Limit yourself to your home LAN, servers you administer, your company's test environments, and pentests with explicit authorization. Capturing other people's traffic at a café Wi-Fi, or sniffing a coworker's traffic at work, is criminal territory.

CTFs, your own lab, your own host's outbound traffic, virtual networks you own — fine. "Don't listen to traffic you're not authorized to listen to" is the rule.

09

Wrap-up — what learners should grasp first #

Wireshark is one of the most important tools for anyone learning networks, working in network engineering, or working in security. The pedagogical claim is famous and often correct: thirty minutes watching your own traffic in Wireshark teaches more TCP/IP than reading a chapter of a textbook.

▸ Five things to learn first

  • The difference between capture and display filters (BPF vs Wireshark-specific syntax)
  • Follow TCP Stream to read a single session end-to-end
  • Statistics → I/O Graphs / Conversations for the macro view
  • The SSLKEYLOGFILE workflow for decrypting TLS
  • For always-on monitoring use Zeek / Suricata; reserve Wireshark for deep dives

For someone "not getting" networks, watching a single live request in Wireshark is a structural breakthrough. The cost of the first try is zero, and the payoff lasts a career.