Wireshark is the world’s most popular network protocol analyzer. Whether you’re a cybersecurity student, a system administrator, or a bug bounty hunter, Wireshark helps you see exactly what’s happening on your network at a microscopic level.
In this Wireshark tutorial for beginners, you’ll learn:
- How to install Wireshark on Windows, Linux, and macOS.
- The basics of capturing and analyzing packets.
- How to use display filters to find malicious traffic.
Let’s dive in.
What is Wireshark?
Wireshark captures packets traveling through a network interface (Ethernet, Wi-Fi, loopback). It decodes hundreds of protocols — from HTTP and DNS to TLS and TCP — allowing you to inspect payloads, headers, and timing.
⚠️ Legal Warning: Only capture traffic on networks you own or have explicit permission to monitor. Unauthorized packet sniffing is illegal in most jurisdictions.
Part 1: How to Install Wireshark
🪟 Windows Installation
- Download the latest stable installer from wireshark.org.
- Run the .exe file as administrator.
- Accept the license agreement.
- Select installation components (defaults are fine).
- Important: When prompted about Npcap, keep it checked — Npcap allows Wireshark to capture live packets.
- Complete installation and reboot if required.
🐧 Linux Installation
Ubuntu / Debian (APT)
sudo apt update
sudo apt install wireshark -y
During installation, select “Yes” when asked if non-root users should capture packets. Then add your user to the wireshark group:
sudo usermod -aG wireshark $USER
Log out and back in.
Fedora / RHEL (DNF)
sudo dnf install wireshark -y
Arch Linux (Pacman)
sudo pacman -S wireshark-qt
🍎 macOS Installation
- Download the macOS .dmg from wireshark.org.
- Open the DMG and drag Wireshark to your Applications folder.
- Launch Wireshark. If you see “No interfaces available”:
  - Install ChmodBPF from the DMG, or
  - Run in terminal: sudo chmod 644 /dev/bpf* (this change does not survive a reboot; ChmodBPF is what makes the permission change permanent).
✅ First Launch Tip: Always run Wireshark with normal privileges, not as root. The installer sets up proper permissions on all platforms.
Part 2: Wireshark Tutorial for Beginners
Step 1: Choose a Network Interface
- Open Wireshark.
- You’ll see a list of active network interfaces (Wi-Fi, Ethernet, Bluetooth, etc.).
- Select the interface you want to capture traffic from (usually your active internet connection).
- Click the blue shark fin icon (top-left) to start capture.
Step 2: Stop a Capture & Save Data
- Click the red square to stop capture.
- Save your capture as a .pcapng file (File → Save As). This allows later analysis.
Step 3: The 3 Main Panels (Essential for Beginners)
| Panel | Description |
|---|---|
| Packet List | Summary of each packet (timestamp, source/destination IP, protocol, length, info) |
| Packet Details | Drill-down view of headers (Ethernet → IP → TCP → HTTP) |
| Packet Bytes | Raw hex and ASCII representation of the packet |
Step 4: Color Coding
Wireshark uses colors to help identify traffic:
- Light purple → TCP traffic
- Light blue → UDP traffic
- Green → HTTP traffic
- Dark yellow → Routing protocols
- Black/Red → Malformed packets (potential errors or attacks)
Step 5: Using Display Filters (The Most Important Skill)
Filters hide irrelevant traffic. Type directly into the filter bar (green when valid, red when wrong).
| Filter | What it shows |
|---|---|
| http | Only HTTP packets |
| tcp.port == 443 | Only TLS/SSL (HTTPS) |
| ip.src == 192.168.1.1 | Packets from a specific source IP |
| dns.qry.name contains "example" | DNS queries for domain names |
| tcp.flags.syn == 1 | SYN packets (connection start) |
| frame contains "password" | Search raw packets for a string |
💡 Beginner Pro Tip: Right-click any packet → “Apply as Filter” → “Selected” to auto-build filters.
Step 6: Follow a Stream
To reconstruct a conversation (e.g., an HTTP request/response or a chat message):
- Right-click any packet belonging to the stream.
- Choose Follow → TCP Stream (or UDP/HTTP).
- A new window shows the full conversation in both directions.
This is how analysts extract stolen credentials or view unencrypted web traffic.
Part 3: Practical Example — Capturing Your First HTTP Request
Let’s see a real-world example.
- Start capture on your Wi-Fi interface.
- Open a browser and visit http://neverssl.com (this forces plain HTTP).
- Stop capture in Wireshark.
- Apply filter: http
- Select the GET / packet.
- Expand the Packet Details → Hypertext Transfer Protocol.
- You’ll see the User-Agent, Host, and Accept headers.
Now try Follow → TCP Stream to see the full HTTP response HTML.
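As an added, offline companion to Steps 3, 5 and 6 and the HTTP walkthrough above (example code written for this page, not from the Wireshark project), the Python below fabricates a six-frame capture of a plain-HTTP GET, dissects each frame into Wireshark-style field names, evaluates several of the display filters from the table, and reassembles the TCP stream even though the server's reply arrives out of order. The addresses, ports, MAC addresses and the request/response text are all constructed sample values, and the filter evaluator covers only the three forms the tutorial uses (bare protocol name, `==`, `contains`).

```python
import struct

# Constructed sample endpoints (RFC 5737 documentation space, not real hosts).
CLIENT_IP, SERVER_IP = "192.168.1.10", "203.0.113.5"
CLIENT_PORT, SERVER_PORT = 50000, 80
SYN, PSH, ACK = 0x02, 0x08, 0x10


def build_frame(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b""):
    """Fabricate an Ethernet/IPv4/TCP frame. Checksums stay zero, which is fine
    offline (Wireshark only flags them when checksum validation is enabled)."""
    eth = bytes.fromhex("665544332211") + bytes.fromhex("001122334455") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp + payload


def dissect(frame):
    """Decode Ethernet -> IPv4 -> TCP (-> HTTP request/status line) into a flat
    dict keyed with Wireshark-style field names: the Packet Details view."""
    f = {"frame": frame, "protocols": ["eth"]}
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    f["eth.src"], f["eth.dst"] = src_mac.hex(":"), dst_mac.hex(":")
    if ethertype != 0x0800:
        return f
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    f["protocols"].append("ip")
    f["ip.src"], f["ip.dst"], f["ip.ttl"] = ".".join(map(str, src)), ".".join(map(str, dst)), ttl
    if proto != 6:
        return f
    t = 14 + (ver_ihl & 0x0F) * 4
    sport, dport, seq, ack, off, flags, *_ = struct.unpack("!HHIIBBHHH", frame[t:t + 20])
    f["protocols"].append("tcp")
    f["tcp.srcport"], f["tcp.dstport"], f["tcp.port"] = sport, dport, {sport, dport}
    f["tcp.seq"], f["tcp.ack"] = seq, ack
    f["tcp.flags.syn"], f["tcp.flags.ack"], f["tcp.flags.fin"] = (flags >> 1) & 1, (flags >> 4) & 1, flags & 1
    f["tcp.payload"] = frame[t + (off >> 4) * 4:14 + total_len]
    head = f["tcp.payload"].split(b"\r\n", 1)[0]
    if head.startswith((b"GET ", b"POST ", b"HTTP/")):  # per segment only; no reassembly here
        f["protocols"].append("http")
        f["http.request.line"] = head.decode("ascii", "replace")
    return f


def matches(f, expr):
    """Evaluate a bare protocol name, `field == value` or `field contains "text"`.
    Wireshark's real filter language is far richer; this shows the mechanism only."""
    parts = expr.split(None, 2)
    if len(parts) == 1:
        return parts[0] in f["protocols"]
    field, op, value = parts
    value, actual = value.strip('"'), f.get(field)
    if actual is None:  # field absent in this packet: never matches, as in Wireshark
        return False
    if op == "==":
        choices = actual if isinstance(actual, set) else {actual}  # tcp.port matches either port
        return value in {str(c) for c in choices}
    if op == "contains":
        return value.encode() in actual if isinstance(actual, bytes) else value in str(actual)
    raise ValueError(f"unsupported operator: {op}")


def apply_filter(frames, expr):
    """Return the 1-based packet numbers the Packet List would keep."""
    return [i for i, fr in enumerate(frames, 1) if matches(dissect(fr), expr)]


def packet_list(frames):
    """One Packet List row per frame (TCP-only capture assumed): No., src, dst, proto, info."""
    rows = []
    for i, fr in enumerate(frames, 1):
        p = dissect(fr)
        set_flags = ", ".join(n.upper() for n in ("syn", "ack", "fin") if p[f"tcp.flags.{n}"])
        info = p.get("http.request.line") or f"{p['tcp.srcport']} -> {p['tcp.dstport']} [{set_flags}]"
        rows.append(f"{i}\t{p['ip.src']}\t{p['ip.dst']}\t{p['protocols'][-1].upper()}\t{info}")
    return rows


def follow_tcp_stream(frames):
    """Rebuild each direction of the conversation in sequence-number order, as
    Follow -> TCP Stream does. Out-of-order segments are sorted by seq and an exact
    retransmission (same seq) is kept once; overlapping partial retransmits are not handled."""
    directions = {}
    for fr in frames:
        p = dissect(fr)
        if not p.get("tcp.payload"):
            continue
        key = (p["ip.src"], p["tcp.srcport"], p["ip.dst"], p["tcp.dstport"])
        directions.setdefault(key, {}).setdefault(p["tcp.seq"], p["tcp.payload"])
    return {k: b"".join(seg for _, seg in sorted(segs.items())) for k, segs in directions.items()}


# Constructed capture: handshake, GET, then the reply in two segments, second one first.
REQUEST = b"GET / HTTP/1.1\r\nHost: neverssl.com\r\nUser-Agent: example-client\r\n\r\n"
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>plain http</html>"
SPLIT = 40
CAPTURE = [
    build_frame(CLIENT_IP, SERVER_IP, CLIENT_PORT, SERVER_PORT, 100, 0, SYN),
    build_frame(SERVER_IP, CLIENT_IP, SERVER_PORT, CLIENT_PORT, 500, 101, SYN | ACK),
    build_frame(CLIENT_IP, SERVER_IP, CLIENT_PORT, SERVER_PORT, 101, 501, ACK),
    build_frame(CLIENT_IP, SERVER_IP, CLIENT_PORT, SERVER_PORT, 101, 501, PSH | ACK, REQUEST),
    build_frame(SERVER_IP, CLIENT_IP, SERVER_PORT, CLIENT_PORT, 501 + SPLIT, 101 + len(REQUEST), PSH | ACK, RESPONSE[SPLIT:]),
    build_frame(SERVER_IP, CLIENT_IP, SERVER_PORT, CLIENT_PORT, 501, 101 + len(REQUEST), ACK, RESPONSE[:SPLIT]),
]

if __name__ == "__main__":
    print("\n".join(packet_list(CAPTURE)))
    for expr in ("http", "tcp.flags.syn == 1", "ip.src == 192.168.1.10", 'frame contains "neverssl"'):
        print(f"{expr:32} -> packets {apply_filter(CAPTURE, expr)}")
    for key, data in follow_tcp_stream(CAPTURE).items():
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}\n{data.decode()}")
```

Two points worth noticing when you run it: the `http` filter keeps frame 6 but not frame 5, because a per-segment dissector only recognises the segment that carries the status line, whereas Wireshark reassembles first; and `follow_tcp_stream` still returns the complete response because it orders by sequence number rather than by arrival, which is exactly why the Follow window is more trustworthy than reading payloads frame by frame.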
Part 4: 3 Beginner Mistakes to Avoid
- Capturing too much data → Use capture filters (not display filters) during recording. Example capture filter: host 8.8.8.8 (only traffic to/from Google DNS).
- Ignoring promiscuous mode → Uncheck “Capture packets in promiscuous mode” unless you need to see traffic not destined for your MAC address.
- Not using display filters → Beginners scroll endlessly. Master filters to save hours.
Bonus: Useful Wireshark Shortcuts
| Shortcut | Action |
|---|---|
| Ctrl + E | Start / Stop capture |
| Ctrl + K | Select interfaces |
| Ctrl + F | Find packet |
| . (period) | Jump to packet number |
| Ctrl + Alt + Shift + T | Mark packet for export |
Final Thoughts
This Wireshark tutorial for beginners gives you a solid foundation. With these installation steps and core skills, you can now:
- Install Wireshark on any major OS.
- Capture live traffic.
- Apply display filters.
- Follow streams to analyze conversations.
Next steps for your cybersecurity journey:
- Learn about TLS decryption (Wireshark can decrypt HTTPS with private keys).
- Practice with sample PCAPs from Malware Traffic Analysis or Wireshark’s sample captures.
- Audit captured network passwords offline using our John the Ripper Tutorial.
- Combine Wireshark with TShark (CLI version) for automation.