🐟 Wireshark for Beginners: Capture, Filter, and Analyze Network Traffic

🔎 What is Wireshark?

Wireshark is the industry-standard network protocol analyzer for capturing and analyzing packet-level network traffic. Ethical hackers, incident responders, and network engineers use it to visualize traffic flows, troubleshoot protocols, and perform packet-level forensics.

Analogy: Wireshark is like an x-ray machine for networks — it reveals exactly what’s traveling inside packets so you can diagnose problems and detect malicious behavior.

🛡️ Why Learn Wireshark First?

• ✅ Deep packet visibility — see headers, payloads, and protocol flows.
• ✅ Essential for incident response & forensics.
• ✅ Used in CEH labs and real-world investigations.
• ✅ Free, cross-platform, and scriptable (tshark).

🔧 Capture vs Display Filters — The Single Most Important Distinction

• Capture filters (BPF syntax) limit which packets are written to disk. Apply before you start capturing. Use capture filters to reduce capture size and avoid capturing irrelevant traffic.
  • Example (capture only HTTP): tcp port 80
• Display filters (Wireshark syntax) are applied after capture to narrow what you see. They let you analyze specific conversations without re-capturing.
  • Example (show only HTTP requests): http.request

⚡ Essential Capture Filters (BPF) — Set these before capturing

Tip: BPF uses different syntax (libpcap); it’s used in tcpdump/tshark too.

🔎 Essential Display Filters (Wireshark syntax) — apply after capture

Infographic tip: show side-by-side examples so beginners immediately see the difference.

🧭 Quick GUI Workflow (Beginner step-by-step)

1. Open Wireshark → Select interface (Ethernet/Wi-Fi). 🖧
2. (Optional) Enter a capture filter to limit packets. 🔴
3. Click Start and reproduce the issue or traffic you need. ▶️
4. Click Stop when done. ⏹️
5. Apply display filters to focus on relevant packets. 🔍
6. Right-click a packet → Follow → TCP Stream to reassemble conversations. 🔁
7. Export objects (File → Export Objects → HTTP/SMB) to extract files. 💾

🛠 tshark (CLI) — capture & automate

tshark is Wireshark’s CLI — perfect for automation, servers, and limited GUIs.

Common tshark examples

# Capture 1000 packets on eth0 to file
sudo tshark -i eth0 -c 1000 -w capture.pcapng

# Capture only HTTP packets (BPF capture filter)
sudo tshark -i eth0 -f "tcp port 80" -w http_capture.pcapng

# Read a pcap and show top protocols
tshark -r capture.pcapng -q -z io,phs

# Print only DNS queries from a pcap
tshark -r capture.pcapng -Y "dns.qry.name" -T fields -e dns.qry.name

🔍 Practical Example — Find a Failed Login (step-by-step)

1. Capture traffic while an authentication attempt runs (or open existing pcap).
2. Use display filter for relevant service (e.g., SSH): tcp.port == 22 && ip.addr == 10.0.0.5.
3. Look for suspicious patterns: repeated connections, tcp.analysis.retransmission, or tcp.flags.reset==1.
4. Follow the TCP stream for payload clues.
5. Correlate with server logs (/var/log/auth.log) — always combine packet data with system logs.

CEH tip: packet captures often contain credentials or tokens in plaintext — treat captures as sensitive evidence.

🧾 Common Forensic Checks

• tcp.analysis.retransmission → packet loss / unstable link
• tcp.analysis.duplicate_ack → retrans issues
• http.authbasic → HTTP Basic Auth headers (credentials)
• frame contains "password" → rudimentary search for plaintext credentials
• tls.handshake.ciphersuite → check negotiated cipher suites
• dns.count.queries > X → DNS amplification or exfil patterns

⚖️ Legal & Privacy Best Practices

• Only capture traffic on networks you own or have written permission to test.
• Packet captures may contain PII and credentials — encrypt and store securely.
• Use mirrored (SPAN) ports or lab VLANs for non-intrusive capture.
• Redact or restrict access to sensitive fields when sharing captures.

🎯 CEH v13 Strategy Checklist

Knowledge (MCQ)

• Capture filter (BPF) vs display filter (Wireshark) distinction.
• Recognize common display filters and what they show (tcp.analysis.*, http.request, dns.qry.name).
• Understand when to use tshark vs GUI.

Practical (Hands-on)

• Capture with tshark -i eth0 -c 500 -w /tmp/cap.pcapng.
• Use display filter http.request.method == "POST" && ip.src == 10.0.0.5.
• Reassemble sessions: Follow → TCP Stream.
• Export objects (HTTP/SMB) for file recovery.
• Hunt anomalies: retransmissions, TLS alerts, oversized frames.

✅ Key Takeaways

• 🐟 Wireshark shows packet-level truth — invaluable for forensics and troubleshooting.
• 🔴 Capture filters reduce noise at capture time.
• 🔵 Display filters let you slice and dice captures post-facto.
• 🧰 tshark automates captures on servers and scripts.
• 🔐 Treat captures as sensitive — they often contain secrets.

🎓 Ready to Go Further in Cybersecurity?

If you enjoyed this guide, you’ll love the Back2Skills learning platform, built specifically for beginners who want to understand cybersecurity step by step.

✔ Beginner-friendly lessons

✔ Real ethical hacking concepts explained simply

✔ CEH-aligned cybersecurity training

✔ Clear roadmap from basics → ethical hacker

🔐 Start Your Cybersecurity Journey Today