How to Use Wireshark: A Beginner's Tutorial (2026)

Penetration Testing
12 min read
How to Use Wireshark: A Beginner's Tutorial (2026)
On this page
  1. What Is Wireshark?
  2. Installing Wireshark
    1. Windows and macOS
    2. Linux (Debian and Kali)
    3. Confirm It Works
  3. How to Use Wireshark to Capture Your First Packets
    1. Step 1: Pick the Right Interface
    2. Step 2: Generate Some Traffic
    3. Step 3: Stop and Save
  4. Reading the Wireshark Interface
  5. Wireshark Filters: The Skill That Matters Most
    1. Capture Filters vs Display Filters
    2. Display Filters Worth Memorizing
  6. Following the TCP Stream
  7. Using Wireshark for Security Analysis
  8. Legal and Ethical Considerations
    1. Where Packet Capture Is Fair Game
  9. Frequently Asked Questions
  10. Your Next Steps

A packet capture is the closest thing security work has to a lie detector. Firewalls, application logs, and dashboards all tell you their version of events. The wire shows you what actually happened. Learning how to use Wireshark, the tool that reads that wire, is one of the highest-return skills you can pick up early, whether you lean toward network defense, incident response, or offensive penetration testing.

Wireshark is a free, open-source packet analyzer that captures traffic off a network interface and decodes it protocol by protocol, from Ethernet frames up to HTTP requests. This guide walks through installing it, capturing your first packets, and using the display filters that separate a useful investigation from an unreadable wall of data. You can practice the exact workflow on our Packet Pursuit lab, a browser-based capture file with a flag hidden in the traffic.

TL;DR: Wireshark is a free network protocol analyzer that captures and decodes packets in real time. Pick your interface, hit the shark-fin icon to start a capture, then narrow the noise with display filters like http, ip.addr == 10.0.0.5, or tcp.port == 443. Right-click any packet and choose Follow > TCP Stream to reassemble a whole conversation. Master filters first; everything else follows.

What Is Wireshark?

Wireshark is a free, open-source network protocol analyzer that captures packets traveling across a network interface and decodes them into a human-readable breakdown. It shows every layer of each packet, from the raw bytes on the wire to the application data inside, which lets you see exactly what two machines said to each other.

The tool has been the industry standard for over two decades, originally released as Ethereal in 1998 and renamed Wireshark in 2006. It runs on Windows, macOS, and Linux, understands more than 3,000 protocols, and reads capture files from dozens of other tools. When a job posting lists "packet analysis," it almost always means Wireshark.

People reach for it to answer questions that logs cannot:

  • Why is this connection slow, and where does the delay actually happen?
  • Is this host talking to a server it has no business contacting?
  • What credentials or data crossed the wire in cleartext?
  • Did that Nmap scan reach the target, and how did the target reply?
  • What does this suspicious .pcap from a forensics case contain?

One point worth clearing up early: Wireshark captures traffic, it does not attack anything. It is a passive listener. On a switched network you only see traffic destined for your own machine unless you set up a port mirror or an intentional man-in-the-middle position. That limitation trips up beginners who expect to open Wireshark on a corporate LAN and watch everyone's traffic scroll by.

Installing Wireshark

Wireshark ships pre-installed on Kali Linux and Parrot OS. On everything else, installation takes a couple of minutes. The current stable branch is 4.4, and the interface described here matches 4.x.

Windows and macOS

Download the installer from the official Wireshark download page. The Windows installer bundles Npcap, the packet capture driver Wireshark needs to see live traffic. Accept it during setup, because without a capture driver you can open saved files but not sniff live packets. On macOS the installer handles the equivalent ChmodBPF helper for you.

Linux (Debian and Kali)

sudo apt update && sudo apt install wireshark

During installation a prompt asks whether non-superusers should be allowed to capture packets. Answer yes if you want to run Wireshark without sudo, then add your user to the wireshark group and log out and back in:

sudo usermod -aG wireshark $USER

This step matters. Running the GUI as root is a bad habit and some builds refuse to do it at all. If your interface list comes up empty, a missing group membership is the usual cause.

Confirm It Works

wireshark --version

You should see 4.x. Launch the app and you will land on the welcome screen showing a list of network interfaces, each with a small line graph indicating live activity. If those graphs are moving, your capture driver is working.

How to Use Wireshark to Capture Your First Packets

Capturing traffic is deliberately simple. The skill is in what you do with the packets afterward, but you need a capture first.

Step 1: Pick the Right Interface

On the welcome screen, each interface (Wi-Fi, Ethernet, loopback) shows a live sparkline. Choose the one carrying the traffic you care about. If you are analyzing your own web request, that is usually your active Wi-Fi or Ethernet adapter. Double-click it, or select it and click the blue shark-fin icon at the top left, to start capturing.

Step 2: Generate Some Traffic

With the capture running, do something on the network. Load a website, ping a host, or run a scan. Packets start streaming into the packet list in real time. Watch the count climb in the status bar at the bottom. On a busy interface this fills up fast, which is exactly why filtering is the next thing you learn.

Step 3: Stop and Save

Click the red square to stop the capture once you have what you need. Save it with File > Save As in .pcapng format, the modern default that preserves capture metadata. The older .pcap format still works when you need compatibility with legacy tools.

💻
Practice this now: Packet Pursuit - work through a real capture file, apply filters to isolate the interesting traffic, and follow a stream to recover a hidden flag, all in the browser with no install.

Reading the Wireshark Interface

Once packets are on screen, the window splits into three panes stacked top to bottom. Understanding what each one does is the difference between staring at noise and reading a conversation.

  • Packet List (top) - One row per packet, with columns for time, source, destination, protocol, length, and a summary. This is your table of contents.
  • Packet Details (middle) - The selected packet expanded into collapsible protocol layers, from Frame and Ethernet up through IP, TCP, and the application protocol. This is where you drill in.
  • Packet Bytes (bottom) - The raw hex and ASCII of the packet. Click a field in the details pane and the matching bytes highlight below.

The row colors are not decoration. Wireshark ships with coloring rules that flag traffic by type: light purple for TCP, pale blue for UDP, black for packets with errors like TCP retransmissions or checksum failures. When you see a run of black rows, something is going wrong on that connection, and that is often where an investigation starts. You can edit these rules under View > Coloring Rules, but the defaults are well chosen and worth learning before you change them.

Wireshark Filters: The Skill That Matters Most

A single minute of capture on a normal machine can produce tens of thousands of packets. Nobody reads that by scrolling. Filters are how you cut it down to the handful that answer your question, and Wireshark has two distinct kinds that beginners constantly confuse.

Capture Filters vs Display Filters

Capture filters decide which packets get recorded in the first place. You set them before you start, they use BPF syntax (the same as tcpdump), and anything they drop is gone for good. Use them when you already know you only want, say, traffic to one host: host 192.168.1.50 or port 80.

Display filters hide packets from view without deleting them, and they are the ones you will use constantly. You type them into the green bar under the toolbar and change them as often as you like, since the full capture stays intact underneath. The two use completely different syntax, which is the single most common source of beginner frustration. When in doubt, capture broadly and filter the display.

Display Filters Worth Memorizing

These are the filters that cover most day-to-day work. Type one into the display filter bar and press Enter; the bar turns green when the syntax is valid and red when it is not.

FilterWhat it shows
httpOnly HTTP traffic
dnsOnly DNS queries and responses
ip.addr == 10.0.0.5Any packet to or from that IP
ip.src == 10.0.0.5Packets from that source only
tcp.port == 443Traffic on port 443 (HTTPS)
tcp.flags.syn == 1SYN packets (connection attempts, port scans)
http.request.method == "POST"Form submissions and API posts
frame contains "password"Any packet whose bytes contain that string
tcp.analysis.retransmissionRetransmitted packets (signs of a slow or lossy link)

Chain them with and, or, and not to get specific. To watch one host's web traffic while ignoring everything else, use ip.addr == 10.0.0.5 and http. The official display filter reference lists every field for every protocol, but you will use the same dozen filters ninety percent of the time. My advice is to stop reaching for the mouse: learn to type filters and your speed jumps immediately.

Following the TCP Stream

Individual packets are fragments of a larger exchange. A single web page load is scattered across dozens of packets interleaved with other traffic. Wireshark's most useful feature reassembles them for you.

Right-click any TCP packet and choose Follow > TCP Stream. Wireshark stitches every packet in that conversation back into the original back-and-forth and shows it in a single window, with the client request in one color and the server response in another. For an unencrypted HTTP session you see the full request headers and the returned page. For a plain-text protocol like FTP or Telnet you see the login exchange in the clear, credentials included.

This is the moment Wireshark stops feeling like a firehose and starts feeling like a transcript. In practice, following the stream is how you confirm what a connection actually did: what was requested, what came back, and whether anything sensitive traveled without encryption. For HTTPS traffic the stream is encrypted and shows ciphertext, which is the point of TLS. You can decrypt it only if you supply the session keys, usually by setting the SSLKEYLOGFILE environment variable before capturing your own browser's traffic.

Using Wireshark for Security Analysis

Filters and streams are mechanics. The reason security people live in Wireshark is what those mechanics let you find. A few patterns come up again and again.

  • Cleartext credentials. Filter for http or ftp and follow the stream. Any password sent over an unencrypted protocol sits there in plain text. Seeing it once makes a stronger case for HTTPS than any slide deck.
  • Port scans. A burst of tcp.flags.syn == 1 packets from one source to many ports is the fingerprint of an Nmap SYN scan. Comparing the capture against your Nmap scan output teaches you what each scan type looks like on the wire.
  • Suspicious DNS. Filter dns and look for long, random-looking subdomains or queries to domains no legitimate app would use. Data exfiltration and command-and-control channels often hide inside DNS.
  • Unexpected destinations. Use Statistics > Conversations to list every host pair in the capture, sorted by bytes. A workstation quietly shipping megabytes to an unfamiliar IP is worth a closer look.

The Statistics menu deserves a mention on its own. Protocol Hierarchy gives you a one-screen breakdown of what protocols make up the capture, and Conversations and Endpoints turn thousands of packets into a ranked table of who talked to whom. When a .pcap lands on your desk with no context, those three views are where you start before you ever touch a display filter.

Packet analysis sits at the center of both blue-team and red-team work, which is why it shows up across our network penetration testing guide and forensics material alike.

Critical reminder: Capturing traffic on a network you do not own or have written permission to monitor can violate wiretapping and computer misuse laws, even though Wireshark itself only listens. Passive does not mean legal.

Sniffing a network records other people's communications, and in many jurisdictions that is treated the same as intercepting a phone call. The fact that the tool is passive offers no legal cover. Intent does not either.

Where Packet Capture Is Fair Game

  • Your own home or lab network, where you own every device on it
  • Penetration tests covered by a signed engagement letter that authorizes network monitoring
  • Corporate networks where you are the administrator and monitoring is disclosed in policy
  • Capture files provided for training, CTFs, and deliberately built practice labs

Public Wi-Fi is the classic trap. Opening Wireshark in a coffee shop to see what floats by is a criminal offense in a lot of places, regardless of how little you do with the data. Keep your captures to systems you own or are contracted to test.

Frequently Asked Questions

What is Wireshark used for?

Wireshark is used to capture and analyze network traffic packet by packet. Network engineers use it to troubleshoot slow or broken connections, security analysts use it to spot malicious traffic and cleartext credentials, and forensics teams use it to reconstruct what happened during an incident from a capture file.

Is Wireshark free to use?

Yes. Wireshark is free and open source under the GNU GPL, on Windows, macOS, and Linux. There is no paid tier or license fee. The only cost is the time it takes to learn its filters and features.

Can Wireshark capture passwords?

It can capture credentials sent over unencrypted protocols like HTTP, FTP, and Telnet, because those send data in plain text. Traffic protected by HTTPS, SSH, or a VPN is encrypted, so Wireshark sees only ciphertext unless you separately supply the session keys.

What is the difference between a capture filter and a display filter?

A capture filter decides which packets get recorded and uses BPF syntax set before capture; dropped packets are lost. A display filter only hides packets from view and can be changed at any time, since the full capture stays intact. Display filters use Wireshark's own syntax and are the ones you use most.

Is it legal to use Wireshark?

The software is legal to install and run. Capturing traffic is only legal on networks you own or have explicit written permission to monitor. Sniffing a network you do not control, such as public Wi-Fi, can break wiretapping and computer misuse laws even if you never act on the data.

Why does Wireshark show no interfaces or no packets?

The usual cause is a permissions or driver issue. On Linux, add your user to the wireshark group and log back in. On Windows, confirm Npcap installed correctly. Also check that you selected an interface with live traffic, since an idle adapter shows nothing.

Your Next Steps

You now know how to use Wireshark end to end: install it with a working capture driver, pick the right interface and record packets, read the three-pane layout, and cut the noise with display filters like http and ip.addr. The two skills that carry the most weight are typing display filters fluently and following the TCP stream to read a full conversation. Get comfortable with those and a capture file stops being intimidating and starts being a story you can read.

The fastest way to make it stick is to open a real capture and hunt for something specific. Try our Packet Pursuit lab to filter live traffic and recover a hidden flag in the browser, then build the surrounding skills with the network penetration testing course. Start with HackerDNA's free tier, no credit card required, and analyze packets instead of just reading about them.

HackerDNA Team

HackerDNA Team

Written by the HackerDNA team - cybersecurity professionals building hands-on hacking labs and educational content to help you develop real-world security skills.

Meet the Team

Ready to put this into practice?

Stop reading, start hacking. Get hands-on experience with 170+ real-world cybersecurity labs.

Start Hacking Free
15,000+ Hackers 100+ Labs & Courses Free
Start Hacking Free