Understanding computer networking and analysing network traffic are essential skills for network security. Whether you are a network administrator, a network engineer, a troubleshooter, a network security expert or a DFIR investigator, you need network traffic analysis skills.
Wireshark is a network traffic inspection tool that will help you analyse your network traffic.
In this blog, we have covered:
- Why Analysing Network Traffic Is An Essential Skill?
- What Is Wireshark?
- Why Use Wireshark?
- Key Uses of Wireshark
- Key Features of Wireshark
- Installing Wireshark
- Launching & Capturing Network Traffic
- Introduction to Wireshark Capture Screen
- Live Packet Inspection
Why Analysing Network Traffic Is An Essential Skill?
In our digital world, every communication happens over a network we call the Internet.
Every communication generates network traffic. Think of regular road traffic: when many vehicles are on the road, they create vehicle traffic. Here we have packets instead of vehicles and a communication medium instead of roads.
When we connect to a network and start communicating, whether browsing websites, pinging a network device or resolving DNS names, everything creates traffic.
This traffic can be seen through multiple tools, such as Wireshark, tcpdump, etc.
Analysing network traffic helps you understand the flow of data and requests inside the network. If anything suspicious is found in the traffic, you can immediately act on it.
What Is Wireshark?
Wireshark is a powerful, open-source network protocol analyser that allows users to capture and interactively browse the traffic running on a computer network.
Why Use Wireshark?
Wireshark is a free, open-source network packet analyser used to capture, inspect and troubleshoot network traffic in real time.
Key Uses of Wireshark:
- Network Troubleshooting: Diagnosing dropped packets, latency issues, and network performance problems.
- Security Analysis: Identifying malicious activity, unauthorised data exfiltration, and analysing security vulnerabilities.
- Protocol Development & Debugging: Inspecting traffic for hundreds of protocols to debug network application behaviour.
- Learning & Education: Examining internal network traffic to understand packet structure and flow.
- Forensics: Analysing captured traffic to investigate network-based attacks like Man-in-the-Middle (MITM).
Key Features:
- Live Capture & Offline Analysis: Captures live data from network interfaces (Ethernet, Wi-Fi, Bluetooth) or imports data from files.
- Deep Inspection: Parses packet contents from hundreds of protocols.
- Powerful Filtering: Allows users to apply capture or display filters to isolate specific network streams or traffic types.
- Cross-Platform: Available on Windows, macOS, and Linux.
Installing Wireshark
Follow the steps below to install Wireshark.
Step 1: Go to the download link: https://www.wireshark.org/download.html
Step 2: Click the download link for your operating system. I’m going to use Windows, so I’m downloading the “Windows x64 Installer”.
Step 3: Run the Wireshark installer and complete the installation process.
Congratulations, we have installed Wireshark successfully. Now let’s launch Wireshark.
Launching Wireshark and Capturing Network Traffic
On the Wireshark home screen you can see the capture filter bar and, below it, the network interfaces available on your machine.
Network Interfaces
A network interface is the connection point between a computer and a private or public network, enabling data transmission and reception.
Generally, you will see “Ethernet0”, “eth0”, “WiFi”, etc., and below that the remaining available interfaces.
Capture Filters
Capture filters let you capture only the network traffic that matches the filter you give.
Suppose we only want to capture traffic from the source IP 192.168.80.138. You can add a capture filter on that source IP so that only traffic from it is captured.
Why use a capture filter?
When you have multiple devices inside the network, you will see literally a flood of network traffic. Capture filters let you capture, and focus your analysis on, only the packets you need.
This becomes very handy when you are working in organisations. This little feature literally halves your work, cuts the traffic overload and eventually reduces your headache.
Introduction to Wireshark Capture Screen
Now, clear the filter and click on the first interface on your Wireshark home screen.
Usually the first interface is your machine’s main network interface. Here I see “Ethernet0”; you may have “WiFi”, or on Debian-based systems you will see an “eth0” interface.
You can view a Wireshark cheat sheet here:
https://cdn.comparitech.com/wp-content/uploads/2019/06/Wireshark-Cheat-Sheet.pdf
Once you click the interface, the Wireshark dashboard opens and the capture starts.
Press enter or click to view image in full size
1. Menubar: This is a typical menubar, where you can find options such as File, Edit, View, Go, Capture, Analyze, Statistics, Telephony, Wireless, Tools and Help.
2. Capture bar: Found below the menubar. It lets you start, stop and restart a capture, open the capture settings, open pcap files, and zoom in and out during live capturing.
3. Display filter bar: Below that we have the display filter bar. Don’t mix this up with capture filters; the two are different. A capture filter decides which traffic is captured in the first place, whereas a display filter lets you filter the traffic that has already been captured.
4. Capture screen: In the capture screen we can see the No., Time, Source, Destination, Protocol, Length and Info columns.
5. Packet screen: Here you can see the fields and headers of the selected packet. This is where you will analyse your selected packets.
6. Data screen: Finally we have the data screen, which shows the selected packet in hex format.
Live Packet Inspection Using Wireshark
Once you understand Wireshark’s capture screen, the panels won’t confuse you and analysing network traffic becomes easy.
Now restart the capture by clicking the restart capture button on the capture bar.
Once your capture restarts, visit youtube.com in your browser.
Now you can use a display filter to show only the packets that contain “youtube” inside their frames.
Now, let’s try to log in to a website and see whether we can get the credentials from the packets.
For testing purposes I’m using Acunetix’s testasp website.
Let’s log in here. Note that this site runs on HTTP, not HTTPS.
The login failed. Now let’s go back to Wireshark and check whether any packet contains the login credentials.
Now, let’s apply filters to narrow the list down to the packets we are looking for.
Here you can clearly see that all the traffic is listed, including the visit to the testasp website’s login page.
Now let’s look for the login credentials.
If you look closely, the last request is a POST request. That is generally the request sent when we hit login with the credentials.
To inspect and analyse the packet, click on it; the frame screen in the bottom-left area changes to reveal the details of the packet.
Let’s analyse this frame.
Wireshark organises captured network data into a hierarchical structure, showing how high-level protocols (HTTP) are encapsulated within lower-level protocols (TCP, IPv4, Ethernet). Each packet is displayed as a frame, broken down into the headers and payload of each layer to visualise how data moves across a network.
Here you can see the data of 5 layers in total. Let’s go through them one by one.
1. Packet Frame (Layer 1 — Physical):
- The “pseudo-protocol” created by Wireshark to show details of the physical packet capture.
- Shows the frame number, arrival time, time delta (time since the previous packet), frame length (total size) and interface ID.
Tells you when and how the packet was captured by your NIC.
2. Ethernet II (Layer 2 — Data Link):
- The local network connection, handling communication between local devices (e.g., computer and router).
Wireshark Details:
- Destination/Source MAC Address: Physical addresses of the network interfaces.
- Type: Identifies the network layer protocol (e.g., IPv4 is 0x0800).
If your traffic is going to the internet, the destination MAC is your default gateway (router), not the final destination.
3. IPv4 (Layer 3 — Network):
- Handles addressing and routing across networks (the internet).
Wireshark Details:
- Source/Destination IP Address: The logical addresses of the client and server.
- Protocol: Identifies the transport layer protocol (e.g., 6 for TCP).
Shows the path and the logical origin/destination of the data.
4. TCP — Transmission Control Protocol (Layer 4 — Transport):
- Ensures reliable communication between the source and destination through segmentation and acknowledgement.
Wireshark Details:
- Source/Destination Port: Identifies the specific applications (e.g., 80 for HTTP).
- Sequence/Acknowledgment Number: Tracks packet ordering and ensures all data is received.
- Flags: SYN, ACK, FIN, PSH, RST (indicate the connection state).
If you see many packets carrying only flags (SYN, ACK, FIN), they are the “handshake” or “teardown” of the connection.
5. HTTP — Hypertext Transfer Protocol (Layer 7 — Application):
- The application layer protocol used to transmit web data.
Wireshark Details:
- Method: GET, POST, etc.
- URI/URL: The resource being requested.
- Response Code: e.g., 200 OK, 404 Not Found.
In Wireshark, this is the readable part, showing the actual request or the content requested from the server.
6. Form Data:
And lastly we have the form data passed by the request.
Here we can find the username and password passed inside the login request.
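The three mechanisms this post walks through, the capture filter on a source IP, the display filters applied to captured traffic, and the layer-by-layer breakdown of one frame ending in its form data, can be reproduced in a few dozen lines of Python. The block below is an added example written for this edit; it is not code from the blog or from the Wireshark project. It builds a handful of constructed Ethernet/IPv4/TCP/HTTP frames (192.168.80.138 is the client IP from the post; the other addresses, the MAC pair, the host names and the demo_user/not_a_real_password credentials are made up), dissects them the way Wireshark’s packet pane does, and then applies a capture filter before frames are stored and display filters afterwards. The `src host`, `frame contains` and `http.request.method` expressions quoted in the comments are real BPF/Wireshark filter syntax but are my choice for the demo, not necessarily the filters in the screenshots. Layer 2 is simplified to a single fixed MAC pair in both directions.

```python
# Added example (not the blog's code): a tiny Wireshark-style dissector over constructed frames,
# showing Ethernet II -> IPv4 -> TCP -> HTTP -> form data and capture filters vs display filters.
import struct
from dataclasses import dataclass, field
from urllib.parse import parse_qs

ETHERTYPE_IPV4 = 0x0800  # Ethernet "Type" value Wireshark shows for IPv4
IPPROTO_TCP = 6          # IPv4 "Protocol" value for TCP
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK"}

@dataclass
class Frame:  # one dissected frame; a field keeps its default if that layer is absent
    number: int
    raw: bytes = b""
    src_mac: str = ""
    dst_mac: str = ""
    ethertype: int = 0
    src_ip: str = ""
    dst_ip: str = ""
    ip_proto: int = 0
    src_port: int = 0
    dst_port: int = 0
    tcp_flags: int = 0
    payload: bytes = b""
    http_method: str = ""
    http_uri: str = ""
    form_data: dict = field(default_factory=dict)

def flag_names(flags: int) -> str:  # e.g. 0x12 -> "SYN, ACK", as the packet pane shows
    return ", ".join(name for bit, name in TCP_FLAGS.items() if flags & bit)

def dissect(number: int, raw: bytes) -> Frame:
    """Peel the layers of one frame, stopping at the first layer that does not apply."""
    dst, src, etype = struct.unpack("!6s6sH", raw[:14])
    fr = Frame(number, raw, src.hex(":"), dst.hex(":"), etype)
    if etype != ETHERTYPE_IPV4:
        return fr
    ip = raw[14:]
    fr.ip_proto = ip[9]
    fr.src_ip, fr.dst_ip = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
    if fr.ip_proto != IPPROTO_TCP:
        return fr
    tcp = ip[(ip[0] & 0x0F) * 4:]  # IHL gives the IPv4 header length in 32-bit words
    fr.src_port, fr.dst_port, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    fr.tcp_flags = off_flags & 0x01FF
    fr.payload = tcp[(off_flags >> 12) * 4:]  # TCP data offset is also in 32-bit words
    if fr.payload[:4] in (b"GET ", b"POST"):  # the human-readable application layer
        head, _, body = fr.payload.partition(b"\r\n\r\n")
        fr.http_method, fr.http_uri = head.split(b"\r\n")[0].decode().split(" ")[:2]
        if fr.http_method == "POST":  # form fields travel in cleartext over plain HTTP
            fr.form_data = {k: v[0] for k, v in parse_qs(body.decode()).items()}
    return fr

def build_frame(src_ip, dst_ip, sport, dport, flags, payload=b"") -> bytes:
    """Constructed Ethernet/IPv4/TCP frame (checksums left zero; enough for dissection)."""
    eth = bytes.fromhex("0a1b2c3d4e5f") + bytes.fromhex("a1b2c3d4e5f6") + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp

# Constructed traffic: 192.168.80.138 is the client from the blog; the other addresses and
# host names are made up (198.51.100.0/24 is reserved documentation space).
CLIENT, OTHER, SERVER = "192.168.80.138", "192.168.80.20", "198.51.100.10"
SAMPLE_FRAMES = [
    build_frame(CLIENT, SERVER, 51234, 80, 0x02),  # 1: SYN       (handshake)
    build_frame(SERVER, CLIENT, 80, 51234, 0x12),  # 2: SYN, ACK  (handshake)
    build_frame(CLIENT, SERVER, 51234, 80, 0x10),  # 3: ACK       (handshake)
    build_frame(CLIENT, SERVER, 51234, 80, 0x18, b"GET / HTTP/1.1\r\nHost: youtube.com\r\n\r\n"),   # 4
    build_frame(OTHER, SERVER, 40001, 80, 0x18, b"GET / HTTP/1.1\r\nHost: shop.example\r\n\r\n"),   # 5
    build_frame(CLIENT, SERVER, 51234, 80, 0x18,   # 6: the login POST carrying form data
                b"POST /login HTTP/1.1\r\nHost: shop.example\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                b"username=demo_user&password=not_a_real_password"),
]

def capture(raw_frames, capture_filter=None):
    """Capture-filter semantics: a frame that fails the test is never stored at all."""
    frames = (dissect(i, raw) for i, raw in enumerate(raw_frames, 1))
    return [fr for fr in frames if capture_filter is None or capture_filter(fr)]

def display(frames, display_filter):
    """Display-filter semantics: hide non-matching frames, but they stay in the capture."""
    return [fr for fr in frames if display_filter(fr)]

# Predicates standing in for the Wireshark filter expressions named in the comments.
def src_host(ip):          # capture filter (BPF syntax):  src host 192.168.80.138
    return lambda fr: fr.src_ip == ip
def frame_contains(text):  # display filter:  frame contains "youtube"
    return lambda fr: text.encode() in fr.raw
def http_post():           # display filter:  http.request.method == "POST"
    return lambda fr: fr.http_method == "POST"

if __name__ == "__main__":  # stand-alone demo: filter at capture time, then at display time
    for fr in capture(SAMPLE_FRAMES, src_host(CLIENT)):  # frames 2 and 5 never reach the list
        print(fr.number, fr.src_ip, "->", fr.dst_ip, f"[{flag_names(fr.tcp_flags)}]", fr.http_method, fr.http_uri)
    print([fr.form_data for fr in display(capture(SAMPLE_FRAMES), http_post())])
```

Run it directly to get a packet-list style printout of the frames that survive the capture filter, followed by the form fields of the POST. Those fields come out in cleartext only because the constructed site, like the testasp site in the post, speaks plain HTTP; over HTTPS the same dissector would stop at the TCP layer, which is exactly why credentials that are visible in Wireshark are a finding worth reporting rather than something to expect.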
This is how you can deeply inspect packets live in Wireshark. But this is only a single use of Wireshark (live packet inspection).
You can also collect and analyse network artifacts, which we will discuss in our upcoming article. There we will see how to use Wireshark to collect, analyse and document network artifacts for network forensics, which is going to be very valuable for investigators, threat hunters and network forensics experts!
Let me know if you want me to cover any specific topic or article in my upcoming blogs.
Also, don’t forget to subscribe, so you don’t miss my upcoming Wireshark blog. Hit clap if you like my blog; it tells me that you like my content.
Comment if you want me to cover a specific topic, tool, etc., and let me know if you found this informative. Share it with your friends, colleagues, seniors and juniors to help them reduce their headaches.
See you in the next blog. Till then, keep learning and keep going.