See The Invisible.
Learn Wireshark.
Wireshark is a tool that captures and decodes the data moving across a network interface: everything in and out of your computer and, depending on how the network is wired, sometimes other computers' traffic too. Think of it as a security camera pointed at your network cable or Wi-Fi.
1. What is a "Packet"?
When you send a picture to a friend, your computer does not send the whole picture at once. It chops it into many small pieces, each at most about 1,500 bytes on a typical network, and sends them one after another. These pieces are called packets.
Every packet works like a letter in the mail. It has a "To" address and a "From" address (the IP addresses you will see in Wireshark's Source and Destination columns) and a small piece of the actual picture inside.
Wireshark's job is to catch copies of these digital letters as they pass through your network interface, open them up, and show you what is inside. It only watches; it never changes, delays or blocks anything.
2. How Wireshark Works
Listen
Wireshark connects to your network card (wired Ethernet or Wi-Fi) and asks it to hand over every frame it receives, not just the ones addressed to your computer. On a modern switched network that still mostly means your own traffic plus broadcasts; to see other machines' traffic you need a mirror (SPAN) port on the switch, a network tap, or, on Wi-Fi, a card and driver that support monitor mode.
Catch
It copies each packet in real time without touching the original. The copies go into a temporary capture file (and into memory), so you can study them later without interrupting your own connection.
Translate
Computers speak in raw bytes. Wireshark's protocol dissectors decode those bytes field by field into human-readable text, showing exactly what each packet was trying to do.
3. The Three Windows
When you open a capture, the screen is split into three panes stacked on top of each other. Each pane zooms in one level further than the one above it.
Packet List
This is a fast-moving list. Every row is one packet. It shows a quick summary: No., Time, Source, Destination, Protocol, Length and Info. Click a row and the two panes below update to show that packet.
Packet Details
This looks like a folder tree. It takes the packet selected above and breaks it down layer by layer (Ethernet, IP, TCP, application protocol). Click the small arrows to expand each layer, like opening the envelope to see the letter. Right-clicking a field here and choosing "Apply as Filter" is the easiest way to build a display filter.
Packet Bytes
This shows the raw bytes of the packet as hexadecimal on the left and ASCII on the right. Clicking a field in the details pane highlights the bytes it was decoded from. You will rarely need to read this pane directly, because the middle pane has already translated it, but it is the ground truth when a dissector gets something wrong or the traffic is malformed.
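To make the three panes concrete, here is a small Python script, an added example written for this tutorial and not part of Wireshark, that decodes one constructed Ethernet/IPv4/TCP frame the way the three panes would present it: summary_line() is one row of the packet list, dissect() is the layer-by-layer tree of the details pane, and hexdump() is the bytes pane. The frame bytes, addresses and payload are made up for the example, and the checksums are left at zero because the script decodes headers and does not verify them.

```python
import struct

# Constructed sample frame (not taken from any real capture): Ethernet II +
# IPv4 + TCP carrying the start of a plain HTTP request. Checksums are left
# as zero because this example only decodes headers; it does not verify them.
ETH_HDR = bytes.fromhex(
    "001a2b3c4d5e"  # destination MAC (the router)
    "aabbccddeeff"  # source MAC (our laptop)
    "0800"          # EtherType 0x0800 = IPv4
)
IP_HDR = bytes.fromhex(
    "45" "00"        # version 4, header length 5*4 = 20 bytes; DSCP/ECN 0
    "0038"           # total length 56 = 20 (IP) + 20 (TCP) + 16 (payload)
    "1c46" "4000"    # identification; flags DF, fragment offset 0
    "40" "06"        # TTL 64; protocol 6 = TCP
    "0000"           # header checksum (zero in this constructed sample)
    "c0a80105"       # source 192.168.1.5
    "5db8d822"       # destination 93.184.216.34
)
TCP_HDR = bytes.fromhex(
    "c822" "0050"            # source port 51234, destination port 80
    "00000001" "00000001"    # sequence number 1, acknowledgement number 1
    "5018"                   # data offset 5 (20 bytes); flags 0x018 = PSH, ACK
    "faf0" "0000" "0000"     # window 64240; checksum (zero here); urgent pointer
)
PAYLOAD = b"GET / HTTP/1.1\r\n"
FRAME = ETH_HDR + IP_HDR + TCP_HDR + PAYLOAD

TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def ipv4(b):
    return ".".join(str(x) for x in b)


def dissect(frame):
    """Decode the Ethernet, IPv4 and TCP headers into nested dicts.
    This is what the Packet Details pane shows, one layer per tree node."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers = {"eth": {"dst": mac(dst), "src": mac(src), "type": ethertype}}
    if ethertype != 0x0800:
        return layers  # not IPv4 (e.g. ARP); stop at the link layer
    (ver_ihl, _tos, total_len, ident, _flags_frag, ttl, proto,
     _csum, s, d) = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    ihl = (ver_ihl & 0x0F) * 4
    layers["ip"] = {"src": ipv4(s), "dst": ipv4(d), "id": ident,
                    "ttl": ttl, "proto": proto, "total_len": total_len}
    if proto != 6:
        return layers  # UDP, ICMP, ... would need their own decoder
    off = 14 + ihl
    (sport, dport, seq, ack, doff_flags, win,
     _csum, _urg) = struct.unpack("!HHIIHHHH", frame[off:off + 20])
    doff = (doff_flags >> 12) * 4           # header length in bytes
    bits = doff_flags & 0x01FF              # nine flag bits, FIN is bit 0
    flags = [n for i, n in enumerate(TCP_FLAG_NAMES) if bits & (1 << i)]
    layers["tcp"] = {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
                     "flags": flags, "window": win}
    layers["payload"] = frame[off + doff:14 + total_len]
    return layers


def summary_line(layers):
    """One row of the Packet List pane: source, destination, protocol, info."""
    ip, tcp = layers["ip"], layers["tcp"]
    return (f"{ip['src']} -> {ip['dst']} TCP {tcp['sport']} -> {tcp['dport']} "
            f"[{', '.join(tcp['flags'])}] Seq={tcp['seq']} Ack={tcp['ack']} "
            f"Len={len(layers['payload'])}")


def hexdump(data, width=16):
    """The Packet Bytes pane: offset, hex, and printable ASCII per line."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {hexpart:<{width * 3 - 1}}  {text}")
    return "\n".join(lines)


if __name__ == "__main__":
    layers = dissect(FRAME)
    print(summary_line(layers))
    for name, fields in layers.items():
        print(name, fields)
    print(hexdump(FRAME))
```

Run it and compare the output with a real packet selected in Wireshark: the summary line follows the Info column format, and the first hexdump line starts with the destination MAC, exactly as the bytes pane does. Real dissectors handle IP options, IPv6, TCP options and hundreds of higher-layer protocols; this one stops at TCP and returns whatever follows the header as payload.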
4. The Four Rules (Protocols) You Will See
A "Protocol" is simply a rule for how computers should talk to each other. Different tasks use different rules. Here are the four you will see the most in Wireshark.
TCP (The Careful Delivery Guy)
Used for sending files, email and loading web pages. TCP numbers every byte it sends, so the receiver can put segments back in the right order and notice when one is missing; if a segment gets lost, TCP resends it. The bookkeeping costs a little time (a handshake before any data, acknowledgements afterwards), but the delivery is reliable.
UDP (The Fast Thrower)
Used for live video calls, voice, online gaming and DNS lookups. UDP sends each packet once, as fast as possible, with no handshake and no resend. If some get lost, they stay lost. That is why a video call sometimes glitches for a second instead of pausing to catch up.
DNS (The Phonebook)
Computers do not route traffic by names like "google.com"; they route by IP address. DNS is the protocol that asks "What is the IP address for google.com?" and gets an answer back, usually over UDP port 53. Because almost every connection starts with a DNS lookup, the DNS traffic in a capture is a near-complete list of the sites and services a machine talked to.
HTTP / HTTPS (The Web Browser)
This is the protocol used to fetch web pages and send form data (including logins) to a web server. HTTPS is HTTP wrapped in TLS encryption, so anyone capturing the traffic, Wireshark included, sees the addresses and packet sizes but not the page content or your password. Wireshark labels plain traffic "HTTP" and encrypted traffic "TLS".
5. Finding the Needle in the Haystack
Wireshark can capture thousands of packets every second. Finding one specific problem is like looking for one drop of water in a river, so you must use filters.
The green bar at the top is the display filter bar. It hides packets that are already captured without deleting them. (A capture filter is different: it is set before you start recording, uses a different syntax such as "host 192.168.1.5" or "port 443", and decides what gets saved at all.) Type these exact expressions into the display filter bar:
ip.addr == 192.168.1.5
Only show me packets going to or coming from this exact computer.
tcp.port == 443
Only show me TCP traffic with port 443 on either end, which is almost always HTTPS.
dns
Only show me DNS queries and responses: the times my computer asked for a website's address, and what it was told.
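The filter bar has one trap that catches nearly everyone: fields like ip.addr and tcp.port occur twice in a packet (source and destination), and a comparison is true if any occurrence matches. The Python script below, an added example for this tutorial rather than Wireshark's own filter engine, models that rule on six made-up packet summaries and shows why the natural-looking "ip.addr != 192.168.1.5" did not mean "hide this host" in Wireshark versions before 3.6 (where != meant "any occurrence differs"); the form that works in every version is "!(ip.addr == 192.168.1.5)". The packets and addresses are constructed for the example.

```python
# Constructed packet summaries (not a real capture). Each field maps to a list
# of values because many Wireshark fields occur more than once in a packet:
# ip.addr is both ip.src and ip.dst, tcp.port is both tcp.srcport and tcp.dstport.
PACKETS = [
    {"no": 1, "proto": "dns", "ip.addr": ["192.168.1.5", "8.8.8.8"], "udp.port": [51000, 53]},
    {"no": 2, "proto": "dns", "ip.addr": ["8.8.8.8", "192.168.1.5"], "udp.port": [53, 51000]},
    {"no": 3, "proto": "tls", "ip.addr": ["192.168.1.5", "93.184.216.34"], "tcp.port": [51234, 443]},
    {"no": 4, "proto": "tls", "ip.addr": ["192.168.1.9", "93.184.216.34"], "tcp.port": [40000, 443]},
    {"no": 5, "proto": "http", "ip.addr": ["192.168.1.9", "192.168.1.1"], "tcp.port": [40001, 80]},
    {"no": 6, "proto": "arp"},  # no IP layer at all, so no ip.addr field
]


def values(pkt, field):
    return pkt.get(field, [])


def any_eq(pkt, field, value):
    """field == value: true if ANY occurrence of the field equals value."""
    return value in values(pkt, field)


def any_ne(pkt, field, value):
    """Historical (before Wireshark 3.6) meaning of field != value:
    true if ANY occurrence differs, which for ip.addr is nearly every packet."""
    return any(v != value for v in values(pkt, field))


def all_ne(pkt, field, value):
    """Wireshark 3.6+ meaning of field != value: the field is present and
    NO occurrence equals value. Packets without the field do not match."""
    vals = values(pkt, field)
    return bool(vals) and all(v != value for v in vals)


def select(filter_fn, packets=PACKETS):
    """Apply a display filter and return the packet numbers that survive."""
    return [p["no"] for p in packets if filter_fn(p)]


def demo():
    host = "192.168.1.5"
    return {
        "ip.addr == host":           select(lambda p: any_eq(p, "ip.addr", host)),
        "!(ip.addr == host)":        select(lambda p: not any_eq(p, "ip.addr", host)),
        "ip.addr != host (pre-3.6)": select(lambda p: any_ne(p, "ip.addr", host)),
        "ip.addr != host (3.6+)":    select(lambda p: all_ne(p, "ip.addr", host)),
        "tcp.port == 443":           select(lambda p: any_eq(p, "tcp.port", 443)),
        "dns":                       select(lambda p: p["proto"] == "dns"),
    }


if __name__ == "__main__":
    for expr, rows in demo().items():
        print(f"{expr:28} -> packets {rows}")
```

Note the two "hide this host" forms still differ even on current versions: "!(ip.addr == host)" keeps packet 6 (ARP, which has no IP addresses at all), while "ip.addr != host" drops it, because a comparison on a field the packet does not have is false.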
6. Why is the Internet Slow?
Network Administrators use Wireshark to figure out exactly why a network is broken. Here is what they look for:
Retransmissions
If a cable is bad, a Wi-Fi link is weak or a router is overloaded, packets get dropped. Wireshark marks the resends as "[TCP Retransmission]" in the Info column, and the display filter "tcp.analysis.retransmission" lists them all. A few are normal; hundreds per minute on one connection mean the sender keeps resending the same segments over and over, and everything slows down.
DNS Failures
If you type "facebook.com" and it just spins, your computer may not be getting an answer from DNS. In Wireshark you will see DNS queries going out with no responses coming back, or responses that carry an error such as "No such name" (NXDOMAIN) or "Server failure" (SERVFAIL). The filter "dns.flags.rcode != 0" shows only the error responses.
7. Spotting Bad Guys (Security)
Security analysts use Wireshark differently. They are not looking for broken cables; they are looking for intruders.
- Reading plain text: If an employee logs into an old website or internal tool that does not use HTTPS (no padlock), the login is sent in clear text. Anyone capturing on that network segment can read the username and password straight out of the packet, which is exactly what an attacker on the same Wi-Fi would do.
- Port scanning: An attacker knocks on every "door" (port) of a computer to see which ones answer. In Wireshark this looks like one source address sending a burst of SYN packets to many different ports within a second, most answered with RST (closed) and a few with SYN-ACK (open). The filter "tcp.flags.syn == 1 && tcp.flags.ack == 0" shows only the knocks.
- Data exfiltration: If malware infects a computer, it tries to send stolen files back to the attacker. Wireshark can show an unusually large upload leaving the network at 3:00 AM, or a steady trickle to an address nobody recognises. Statistics > Conversations, sorted by bytes, is the quickest way to find it.
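The retransmissions described in section 6 and the port-scan pattern described just above are both things you can detect mechanically once packets are reduced to a few fields. The Python script below is an added example written for this tutorial, not tshark or Wireshark code. It reads tab-separated lines in the shape that "tshark -T fields" exports (the lines here are constructed for the example, not a real capture), flags a source that sends bare SYNs to many targets within one second, and flags a flow that sends the same data sequence number twice. The addresses, ports and timings are made up.

```python
from collections import defaultdict

# TCP flag bits as they appear in the tcp.flags field.
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

# Constructed records (not from a real capture) in the shape that
#   tshark -r capture.pcapng -T fields -e frame.time_relative -e ip.src -e ip.dst
#          -e tcp.srcport -e tcp.dstport -e tcp.flags -e tcp.seq -e tcp.len
# prints: one tab-separated line per TCP segment, relative sequence numbers.
# First a burst of SYNs from 10.0.0.66 to ten ports on 192.168.1.5 (a port
# scan; two ports answer SYN-ACK, one answers RST), then a normal HTTPS
# connection from 192.168.1.9 that has to resend its first data segment.
SAMPLE = "\n".join([
    "0.000\t10.0.0.66\t192.168.1.5\t40001\t21\t0x002\t0\t0",
    "0.001\t192.168.1.5\t10.0.0.66\t21\t40001\t0x014\t0\t0",
    "0.002\t10.0.0.66\t192.168.1.5\t40002\t22\t0x002\t0\t0",
    "0.003\t192.168.1.5\t10.0.0.66\t22\t40002\t0x012\t0\t0",
    "0.004\t10.0.0.66\t192.168.1.5\t40003\t23\t0x002\t0\t0",
    "0.006\t10.0.0.66\t192.168.1.5\t40004\t25\t0x002\t0\t0",
    "0.008\t10.0.0.66\t192.168.1.5\t40005\t80\t0x002\t0\t0",
    "0.009\t192.168.1.5\t10.0.0.66\t80\t40005\t0x012\t0\t0",
    "0.010\t10.0.0.66\t192.168.1.5\t40006\t110\t0x002\t0\t0",
    "0.012\t10.0.0.66\t192.168.1.5\t40007\t143\t0x002\t0\t0",
    "0.014\t10.0.0.66\t192.168.1.5\t40008\t443\t0x002\t0\t0",
    "0.016\t10.0.0.66\t192.168.1.5\t40009\t445\t0x002\t0\t0",
    "0.018\t10.0.0.66\t192.168.1.5\t40010\t3389\t0x002\t0\t0",
    "1.500\t192.168.1.9\t93.184.216.34\t51234\t443\t0x002\t0\t0",
    "1.520\t93.184.216.34\t192.168.1.9\t443\t51234\t0x012\t0\t0",
    "1.521\t192.168.1.9\t93.184.216.34\t51234\t443\t0x010\t1\t0",
    "1.522\t192.168.1.9\t93.184.216.34\t51234\t443\t0x018\t1\t517",
    "1.822\t192.168.1.9\t93.184.216.34\t51234\t443\t0x018\t1\t517",
    "1.830\t93.184.216.34\t192.168.1.9\t443\t51234\t0x010\t1\t0",
])


def parse_fields(text):
    """Turn tshark-style field lines into dicts with typed values."""
    records = []
    for line in text.strip().splitlines():
        t, src, dst, sport, dport, flags, seq, length = line.split("\t")
        records.append({"time": float(t), "src": src, "dst": dst,
                        "sport": int(sport), "dport": int(dport),
                        "flags": int(flags, 16), "seq": int(seq), "len": int(length)})
    return records


def detect_syn_scans(records, min_ports=8, window=1.0):
    """Flag a source that opens connections to min_ports or more distinct
    (host, port) targets within `window` seconds. Only bare SYNs count:
    a SYN-ACK is a reply, not a new attempt."""
    attempts = defaultdict(list)
    for r in records:
        if r["flags"] & (SYN | ACK) == SYN:
            attempts[r["src"]].append((r["time"], r["dst"], r["dport"]))
    alerts = []
    for src, tries in attempts.items():
        tries.sort()
        for i, (t0, _, _) in enumerate(tries):
            targets = {(d, p) for t, d, p in tries[i:] if t - t0 <= window}
            if len(targets) >= min_ports:
                alerts.append({"src": src, "first_seen": t0,
                               "ports": sorted(p for _, p in targets)})
                break  # one alert per source is enough
    return alerts


def detect_retransmissions(records):
    """Flag a data-carrying segment whose (flow, seq) was already seen.
    Wireshark's own heuristic is richer (it also classifies out-of-order
    and fast retransmissions), but a repeated sequence number is the core idea."""
    seen, hits = set(), []
    for r in records:
        if r["len"] == 0:
            continue  # handshake packets and pure ACKs carry nothing to resend
        key = (r["src"], r["sport"], r["dst"], r["dport"], r["seq"])
        if key in seen:
            hits.append({"time": r["time"], "flow": key[:4],
                         "seq": r["seq"], "len": r["len"]})
        seen.add(key)
    return hits


if __name__ == "__main__":
    recs = parse_fields(SAMPLE)
    for a in detect_syn_scans(recs):
        print(f"possible port scan from {a['src']} at t={a['first_seen']}: ports {a['ports']}")
    for h in detect_retransmissions(recs):
        print(f"retransmission at t={h['time']}: {h['flow']} seq={h['seq']} len={h['len']}")
```

The scan threshold (8 targets within 1 second) is a tuning knob, not a standard; a vulnerability scanner or a busy monitoring host will trip it too, so treat an alert as a lead. Wireshark's equivalents are the display filters "tcp.analysis.retransmission" and "tcp.flags.syn == 1 && tcp.flags.ack == 0".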
8. Understanding the Colors
When you look at the top pane in Wireshark, you will notice the rows are brightly colored. Wireshark colors rows automatically using its coloring rules (View > Coloring Rules shows and edits them) to help your eyes scan faster. The table below uses this tutorial's own names rather than Wireshark's exact defaults; the concept is what matters:
| Visual Concept | What it usually means | Status |
|---|---|---|
| Normal Rules | Standard web traffic, sending normal requests. | All Good |
| Routing Rules | Computers asking questions like "Who is at this address?" | Normal Setup |
| Danger Lines | Dropped packets, major errors, broken connections. | Investigate Now |
9. Your First Capture
Step 1: Pick the Network
When you open the program, you will see a list of network interfaces, each with a small activity graph next to it. Double-click the one with lines moving (usually "Wi-Fi" or "Ethernet"). Capturing needs permission to read the network card: run Wireshark as administrator on Windows, or on most Linux distributions add your user to the "wireshark" group so you do not have to run the whole program as root.
Step 2: Watch the Flood
The screen will immediately start filling up with colored lines. This is normal. You are now recording.
Step 3: Make Some Noise
Open your web browser and go to a new website. Wireshark will capture all the invisible packets required to load that page.
Step 4: Stop Recording
Click the red square (Stop) button at the top left of the screen. If you leave a capture running for hours, the temporary file and Wireshark's memory keep growing until the machine runs out. For long captures, use a ring buffer of files from Capture > Options instead, and save what you need with File > Save after stopping.
10. MAC Address vs. IP Address
Every packet has two sets of addresses. To understand Wireshark, you must know the difference between the link-layer (MAC) address and the network-layer (IP) address.
MAC Address
- Assigned by the manufacturer when the network card is made; the first three bytes (the OUI) identify the vendor, and Wireshark shows the vendor name next to the address.
- Only used on the local network segment. It is replaced at every router hop and never travels across the internet.
- Not a reliable identity: it can be changed in software (spoofed), and modern phones and laptops randomise it for each Wi-Fi network for privacy.
- Format:
00:1A:2B:3C:4D:5E - Like a car's VIN number, except one the owner can repaint.
IP Address
- Assigned by the network you connect to (usually via DHCP).
- Changes when you move to a new network.
- Format:
192.168.1.5 - Like a parking space number.
11. How Computers Say Hello
Before a computer sends any data over TCP, it must make sure the other computer is ready to listen. This is the 3-Way Handshake: the client sends a SYN, the server replies with a SYN-ACK, and the client answers with an ACK. Only then does the web request go out. In Wireshark's Info column these appear as "[SYN] Seq=0", "[SYN, ACK] Seq=0 Ack=1" and "[ACK] Seq=1 Ack=1" (Wireshark shows relative sequence numbers by default, so every connection appears to start at 0). You will see these exact three packets at the start of almost every TCP connection. A SYN that gets a SYN-ACK but never the final ACK is a half-open connection, which is also what a port scanner leaves behind.
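Here is the handshake as a small Python check, an added example for this tutorial and not Wireshark's TCP dissector. It lists three constructed segments with made-up addresses and initial sequence numbers (1000 for the client, 5000 for the server), verifies the rules a correct handshake must satisfy, renders the Info column the way Wireshark does with relative sequence numbers, and shows the half-open variant a port scanner leaves behind.

```python
SYN, RST, ACK = 0x02, 0x04, 0x10

# Constructed segments (not from a real capture) with raw sequence numbers.
# Wireshark shows them relative to each side's first number, so the same
# three packets appear as Seq=0, Seq=0 Ack=1 and Seq=1 Ack=1.
CLIENT, SERVER = ("192.168.1.5", 51234), ("93.184.216.34", 443)
HANDSHAKE = [
    {"from": CLIENT, "to": SERVER, "flags": SYN,       "seq": 1000, "ack": 0},
    {"from": SERVER, "to": CLIENT, "flags": SYN | ACK, "seq": 5000, "ack": 1001},
    {"from": CLIENT, "to": SERVER, "flags": ACK,       "seq": 1001, "ack": 5001},
]

# A half-open attempt, which is what a SYN scanner leaves behind: instead of
# the final ACK the scanner tears the connection down with a RST.
HALF_OPEN = [
    HANDSHAKE[0],
    HANDSHAKE[1],
    {"from": CLIENT, "to": SERVER, "flags": RST, "seq": 1001, "ack": 0},
]


def check_handshake(segments):
    """Validate that three segments form a correct 3-way handshake.
    Returns (True, "ok") or (False, reason). The rules encode what TCP
    actually requires: a SYN consumes one sequence number, so each side
    must acknowledge the other's initial sequence number (ISN) plus one."""
    if len(segments) != 3:
        return False, f"expected 3 segments, got {len(segments)}"
    syn, synack, ack = segments
    if syn["flags"] != SYN:
        return False, "first segment must be a bare SYN"
    if (synack["from"], synack["to"]) != (syn["to"], syn["from"]):
        return False, "SYN-ACK must travel from the server back to the client"
    if synack["flags"] != SYN | ACK:
        return False, "second segment must have exactly SYN and ACK set"
    if synack["ack"] != syn["seq"] + 1:
        return False, "SYN-ACK must acknowledge the client's ISN + 1"
    if (ack["from"], ack["to"]) != (syn["from"], syn["to"]):
        return False, "final ACK must come from the client"
    if ack["flags"] & SYN or not ack["flags"] & ACK:
        return False, "third segment must be an ACK without SYN"
    if ack["seq"] != syn["seq"] + 1:
        return False, "client's first post-SYN sequence number must be ISN + 1"
    if ack["ack"] != synack["seq"] + 1:
        return False, "final ACK must acknowledge the server's ISN + 1"
    return True, "ok"


def wireshark_info(segments):
    """Render the Info column as Wireshark does with relative sequence numbers."""
    names = {SYN: "SYN", SYN | ACK: "SYN, ACK", ACK: "ACK", RST: "RST", RST | ACK: "RST, ACK"}
    base, lines = {}, []
    for s in segments:
        base.setdefault(s["from"], s["seq"])  # first seq seen from each side
        info = f"[{names.get(s['flags'], hex(s['flags']))}] Seq={s['seq'] - base[s['from']]}"
        if s["flags"] & ACK:
            peer = base.get(s["to"])
            info += f" Ack={s['ack'] - peer if peer is not None else s['ack']}"
        lines.append(f"{s['from'][0]}:{s['from'][1]} -> {s['to'][0]}:{s['to'][1]} {info}")
    return lines


if __name__ == "__main__":
    for line in wireshark_info(HANDSHAKE):
        print(line)
    print(check_handshake(HANDSHAKE))
    print(check_handshake(HALF_OPEN))
```

A real dissector does not get the segments neatly grouped; it has to pick out the ones belonging to each connection by the address and port pairs first, which is what Wireshark's tcp.stream number does.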
12. Hearing Everyone's Secrets
Normal Mode
Usually, your network card ignores any frame whose destination MAC address is not its own (or the broadcast address, or a multicast group it has joined). It drops them in hardware before the operating system ever sees them, which saves CPU time and battery. It only passes on mail addressed directly to you.
Promiscuous Mode
When you start a capture, Wireshark (through its capture helper, dumpcap) puts the network card into promiscuous mode. This tells it: "Do not throw anything away! Hand over every frame you receive, even if it belongs to someone else." Two caveats: on a switched network the switch only sends your port your own traffic plus broadcasts, so promiscuous mode by itself shows little of other people's traffic (you need a mirror port or a tap for that); and on Wi-Fi, seeing other stations' frames requires monitor mode, which not every card or driver supports.
13. Putting the Picture Back Together
Reading one packet at a time is like trying to read a book by looking at one letter per page. To see the whole conversation, you use a feature called Follow TCP Stream.
- Right-click any packet.
- Hover over "Follow".
- Click "TCP Stream".
Wireshark gathers every segment of that connection, in both directions, and glues the payloads back together into readable text. It also sets a display filter of the form "tcp.stream eq N" so the packet list shows only that conversation. For a plain HTTP page the result looks like this:
<html>
<body>
<h1>Welcome to the site!</h1>
</body>
</html>
14. Saving the Evidence (.pcap)
You do not have to analyze data live. Network engineers usually record the problem, save the file, and hand it to an expert to look at later. Remember that the file contains every byte that was captured, including any passwords, cookies and private messages that crossed the wire unencrypted, so treat it as sensitive: send it over an encrypted channel, and consider trimming it to the relevant packets (File > Export Specified Packets) first.
The PCAP File
network_crash_monday.pcapng
PCAP stands for "Packet Capture." When you save a capture, Wireshark writes the newer pcapng format by default (the .pcapng extension above); the older .pcap format is still readable and is what most other tools produce. pcapng also records which interface each packet came from, capture comments and per-packet annotations. Anyone with Wireshark, or with tools like tcpdump and tshark, can open the file and see exactly what you saw, as if they were sitting at your computer.
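Classic pcap is simple enough to write by hand, which is the best way to see what "the file contains exactly what crossed the wire" means. The Python script below is an added example for this tutorial, not Wireshark's or libpcap's code: it writes two constructed frames to a temporary .pcap file using the 24-byte global header and 16-byte per-packet headers of the classic format, reads them back, and then scans the raw bytes for a password sent over plain HTTP. The frames are placeholder bytes behind an Ethernet header rather than complete IP/TCP packets, the addresses and credentials are made up, and the file name is borrowed from the example above.

```python
import os
import struct
import tempfile

PCAP_MAGIC_USEC = 0xA1B2C3D4  # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def write_pcap(path, packets, snaplen=65535):
    """Write (timestamp, frame_bytes) pairs as a classic little-endian pcap file.
    Global header: magic, version 2.4, timezone offset, timestamp accuracy,
    snapshot length, link type. Each record: seconds, microseconds,
    captured length, original length, then the raw bytes."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
        for ts, frame in packets:
            sec = int(ts)
            usec = int(round((ts - sec) * 1_000_000))
            data = frame[:snaplen]  # a smaller snaplen truncates the stored bytes
            f.write(struct.pack("<IIII", sec, usec, len(data), len(frame)))
            f.write(data)


def read_pcap(path):
    """Parse a classic pcap file back into (timestamp, frame_bytes, original_length)."""
    with open(path, "rb") as f:
        data = f.read()
    (magic,) = struct.unpack("<I", data[:4])
    if magic == PCAP_MAGIC_USEC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"  # written on a big-endian machine; same layout, swapped bytes
    else:
        raise ValueError("not a classic pcap file (pcapng begins with 0A 0D 0D 0A)")
    _, vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    packets, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl, orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        packets.append((sec + usec / 1_000_000, data[off:off + incl], orig))
        off += incl
    return {"version": (vmaj, vmin), "snaplen": snaplen, "linktype": linktype, "packets": packets}


def find_plaintext_secrets(packets, markers=(b"password=", b"Authorization: Basic ")):
    """Scan raw frame bytes for markers of credentials sent in the clear.
    This is a substring scan, not a protocol decode: the point is that the
    file stores the bytes verbatim, so whatever crossed the wire is in it."""
    hits = []
    for index, (_ts, frame, _orig) in enumerate(packets):
        for marker in markers:
            if marker in frame:
                hits.append((index, marker))
    return hits


# Constructed frames (not from a real capture). The bodies are placeholder
# bytes behind a 14-byte Ethernet header, not complete IP/TCP packets; the
# file format does not care what the bytes are, which is exactly the point.
ETH = bytes.fromhex("001a2b3c4d5e" "aabbccddeeff" "0800")
SAMPLE_PACKETS = [
    (1700000000.000123, ETH + b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    (1700000000.250000, ETH + b"POST /login HTTP/1.1\r\n\r\nuser=alice&password=hunter2"),
]


def roundtrip_demo():
    """Write the sample to a temporary file, read it back, and report what survived."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "network_crash_monday.pcap")
        write_pcap(path, SAMPLE_PACKETS)
        cap = read_pcap(path)
        size = os.path.getsize(path)
    frames_match = [f for _, f in SAMPLE_PACKETS] == [p[1] for p in cap["packets"]]
    times_match = all(abs(a[0] - b[0]) < 1e-5 for a, b in zip(SAMPLE_PACKETS, cap["packets"]))
    return {"file_size": size, "linktype": cap["linktype"], "count": len(cap["packets"]),
            "frames_match": frames_match, "times_match": times_match,
            "secrets": find_plaintext_secrets(cap["packets"])}


if __name__ == "__main__":
    print(roundtrip_demo())
```

Open a file written this way in Wireshark and the second packet's bytes pane shows the password in the ASCII column, which is why a capture should never be mailed around unencrypted. Wireshark's default save format, pcapng, starts with different magic bytes and adds interface and comment blocks; "tshark -F pcap" converts a pcapng file when an older tool needs the classic format.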
15. The Submarine Sonar (Ping)
If you want to know whether a server is reachable, your computer sends a "Ping". In Wireshark this shows up under the protocol ICMP as an "Echo (ping) request" followed, if the host answers, by an "Echo (ping) reply". Many servers and firewalls drop pings on purpose, so no reply does not always mean the host is down.
16. Shouting in a Crowded Room (ARP)
When your computer wants to talk to the router, it only knows the router's IP address, but the Ethernet frame needs the router's MAC address. It uses ARP (Address Resolution Protocol) to find out, by broadcasting a question to everyone on the local network.
"Imagine standing in a crowded office and shouting: 'Hey, whoever owns the blue Honda Civic (IP address), please tell me your employee name (MAC address)!'"
In Wireshark the exchange looks like this:
ARP Request: Who has 192.168.1.1? Tell 192.168.1.5
ARP Reply: 192.168.1.1 is at 00:1A:2B:3C:4D:5E
ARP has no authentication: any machine can answer, or send unsolicited replies, claiming an IP address it does not own. That is ARP spoofing, the classic way to intercept a neighbour's traffic on a LAN. Wireshark warns when a second MAC address claims an IP it has already seen ("duplicate use of ... detected"), and the filter "arp.duplicate-address-detected" lists those packets.
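The exchange above, and the spoofing problem that comes with it, in Python: an added example for this tutorial, not Wireshark's ARP dissector. build_arp() constructs request and reply frames with the RFC 826 layout, parse_arp() decodes them, wireshark_info() reproduces the Info column text shown above, and detect_arp_spoofing() reports an IP address that two different MAC addresses claim in replies. The MAC and IP addresses are made up for the example.

```python
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def mac_text(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(text):
    return bytes(int(part) for part in text.split("."))


def ip_text(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet frame carrying an ARP packet (RFC 826 layout).
    Requests are broadcast; replies go straight back to the asker."""
    eth_dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = mac_bytes(eth_dst) + mac_bytes(sender_mac) + b"\x08\x06"  # EtherType ARP
    arp = struct.pack("!HHBBH6s4s6s4s",
                      1,        # hardware type: Ethernet
                      0x0800,   # protocol type: IPv4
                      6, 4,     # hardware and protocol address lengths
                      op,
                      mac_bytes(sender_mac), ip_bytes(sender_ip),
                      mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Decode an ARP frame; returns None for anything that is not ARP."""
    if frame[12:14] != b"\x08\x06":
        return None
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"op": "request" if op == ARP_REQUEST else "reply",
            "sender_mac": mac_text(sha), "sender_ip": ip_text(spa),
            "target_mac": mac_text(tha), "target_ip": ip_text(tpa)}


def wireshark_info(arp):
    """The Info column text Wireshark prints for ARP packets."""
    if arp["op"] == "request":
        return f"Who has {arp['target_ip']}? Tell {arp['sender_ip']}"
    return f"{arp['sender_ip']} is at {arp['sender_mac']}"


def detect_arp_spoofing(frames):
    """Report any IP address that more than one MAC address claims in ARP replies.
    This mirrors Wireshark's own duplicate-address warning; a legitimate cause
    (a replaced network card, failover between two routers) is possible, so
    treat a hit as a lead to investigate rather than proof of an attack."""
    claims = {}
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None or arp["op"] != "reply":
            continue
        macs = claims.setdefault(arp["sender_ip"], [])
        if arp["sender_mac"] not in macs:
            macs.append(arp["sender_mac"])
    return [(ip, macs) for ip, macs in claims.items() if len(macs) > 1]


# Constructed exchange (not a real capture): the laptop asks for the gateway,
# the real gateway answers, and later an attacker answers for the same IP.
LAPTOP, GATEWAY, ATTACKER = "aa:bb:cc:dd:ee:ff", "00:1a:2b:3c:4d:5e", "de:ad:be:ef:00:01"
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, LAPTOP, "192.168.1.5", "00:00:00:00:00:00", "192.168.1.1"),
    build_arp(ARP_REPLY, GATEWAY, "192.168.1.1", LAPTOP, "192.168.1.5"),
    build_arp(ARP_REPLY, ATTACKER, "192.168.1.1", LAPTOP, "192.168.1.5"),
]

if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        print(wireshark_info(parse_arp(frame)))
    print(detect_arp_spoofing(SAMPLE_FRAMES))
```

With name resolution switched on, Wireshark replaces the first three bytes of a MAC with the vendor name (for example "Cisco_3c:4d:5e"), which is why an attacker's address often stands out: it carries a vendor name that does not match the device it claims to be.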
17. Getting a Visitor Badge (DHCP)
When you connect to Wi-Fi at a coffee shop, you don't magically get an internet connection. Your phone has to ask the coffee shop's router for an IP address, and the protocol for that is DHCP. In Wireshark (filter "dhcp"; older versions called it "bootp") you will see four messages in a row: Discover (the phone broadcasts "is there a DHCP server here?"), Offer (a server proposes an address), Request (the phone asks for that address) and ACK (the server confirms it, along with the gateway and DNS server addresses the phone should use). The phone accepts whichever server answers first, so a rogue DHCP server on the same network can hand out its own address as the gateway or DNS server and redirect traffic.
18. Finding the Loudest Talker
If the network is slow, it might be because one machine is downloading massive files. Click Statistics > Endpoints to see how many bytes each address sent and received, or Statistics > Conversations to see which pairs of addresses talked the most. Sort by Bytes to find the loudest talker.
19. Why it Looks Like Gibberish (TLS)
When you capture packets from modern websites (like your bank), you won't be able to read the passwords. Modern web traffic uses TLS (Transport Layer Security) to encrypt everything after the initial handshake, so what you see is random-looking bytes. Wireshark can still tell you who was contacted: the server name is usually visible in the TLS Client Hello, along with the IP addresses and the amount of data exchanged, but not the content. Follow TCP Stream on an HTTPS connection shows something like this:
x&9a$kL2!pQz5*mN8^vB3#cJ1@yH7(rF4)tW0_gD6+eS9~uX
kL2!pQz5*mN8^vB3#cJ1@yH7(rF4)tW0_gD6+eS9~uX
vB3#cJ1@yH7(rF4)tW0_gD6+eS9~uXkL2!pQz5*mN8
whereas the same login sent over plain HTTP would be fully readable:
POST /login HTTP/1.1
Username: admin
Password: super_secret_password_123
AccountBalance: $4,500.00
20. The Golden Rule of Wireshark
Wireshark is a powerful tool. It allows you to see things you normally cannot see, and capturing other people's traffic without permission is illegal in most places, whatever the network. Never run a capture on a network you do not own, like a coffee shop or an airport. Only use it on your home network, or where the owner has given you written authorisation, for example your boss asking you to troubleshoot the company network. Even then, be careful with what you keep: delete or trim captures that contain other people's passwords or private data.