
Getting Started with Wireshark

Introduction

Wireshark is the most widely used packet analyser in the world. It captures live network traffic and presents it in a structured, readable way, breaking down every layer of every packet so you can see exactly what is on the wire. If you are studying networking or security, Wireshark is the tool that turns abstract protocol descriptions into something you can actually see and explore.

Capturing Traffic

When you open Wireshark, you choose a network interface to capture from. Your machine may have several: an Ethernet card, a Wi-Fi adapter, and a loopback interface. Wireshark can only capture from one interface at a time, so it matters which one you pick. Traffic between your machine and the network goes through your physical adapter. Traffic your machine sends to itself via the loopback address 127.0.0.1 only appears on the loopback interface and will not show up in a capture taken on the Ethernet adapter.

Once you start a capture, Wireshark shows packets in real time. Each row in the packet list corresponds to one packet, showing the time, source, destination, protocol, length, and a brief description.

The Three-Pane View

Wireshark's main window has three panes. The top pane is the packet list, a scrolling list of all captured packets. The middle pane is the packet details, a tree view of the selected packet, showing each protocol layer and all its fields. The bottom pane is the raw bytes of the packet in hexadecimal alongside the ASCII representation.

The details pane is where you spend most of your time when analysing. You can expand each layer to see individual fields. Click on a field in the details pane and the corresponding bytes in the hex dump are highlighted, and vice versa. This makes it easy to understand exactly where in the raw data each piece of information lives.

Reading IP Fragmentation

When Wireshark displays a fragmented packet, it shows the raw values for the fragmentation fields and also translates them for you. For example, the fragment offset field in the header holds the offset divided by 8, in 8-byte units (the field is only 13 bits wide), but Wireshark displays the actual byte offset after multiplying back. Both the raw header value and the calculated byte offset are visible, which makes it easy to check your understanding of how the field works.

All fragments of the same original packet share an IP ID. Wireshark uses this to group them together. If you have a fragment train in a capture, you can follow it visually by filtering on the IP ID value.
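To see the raw 13-bit value and the byte offset side by side, and how grouping by IP ID rebuilds the datagram, here is an added Python example (not code from the original post or from the Wireshark project). It constructs its own fragment train with a bare IPv4 header, a zero checksum and made-up addresses; the helper names, `build_fragment`, `parse_fragment`, `fragment` and `reassemble`, are all this example's own.

```python
import struct
from collections import defaultdict

# 20-byte IPv4 header without options:
# ver/ihl, tos, total length, identification, flags+fragment offset,
# ttl, protocol, header checksum, source address, destination address
IPV4_HEADER = struct.Struct("!BBHHHBBH4s4s")


def build_fragment(ip_id, payload, byte_offset, more_fragments, proto=17):
    """Constructed sample fragment: a bare IPv4 header plus one slice of the payload.
    The checksum is left at zero (Wireshark would flag it) to keep the example short."""
    if more_fragments and len(payload) % 8:
        raise ValueError("every fragment except the last must carry a multiple of 8 bytes")
    if byte_offset % 8:
        raise ValueError("fragment offsets are only representable in 8-byte units")
    flags_frag = (0x2000 if more_fragments else 0) | (byte_offset // 8)
    total_len = IPV4_HEADER.size + len(payload)
    header = IPV4_HEADER.pack(0x45, 0, total_len, ip_id, flags_frag, 64, proto, 0,
                              bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + payload


def parse_fragment(pkt):
    """Decode the fields Wireshark shows in the IPv4 tree for a fragment."""
    (_, _, total_len, ip_id, flags_frag, _, _, _, _, _) = IPV4_HEADER.unpack_from(pkt)
    raw_offset = flags_frag & 0x1FFF            # the 13-bit value actually stored in the header
    return {
        "id": ip_id,
        "df": bool(flags_frag & 0x4000),        # Don't Fragment
        "mf": bool(flags_frag & 0x2000),        # More Fragments
        "raw_offset": raw_offset,
        "byte_offset": raw_offset * 8,          # what Wireshark displays as Fragment Offset
        "payload": pkt[IPV4_HEADER.size:total_len],
    }


def reassemble(packets):
    """Group fragments by IP ID (as Wireshark does) and rebuild each datagram.
    Returns {ip_id: payload or None}; None means the train is incomplete."""
    trains = defaultdict(list)
    for pkt in packets:
        frag = parse_fragment(pkt)
        trains[frag["id"]].append(frag)
    result = {}
    for ip_id, frags in trains.items():
        frags.sort(key=lambda f: f["byte_offset"])
        buf, expected, complete = bytearray(), 0, True
        for frag in frags:
            if frag["byte_offset"] + len(frag["payload"]) <= expected:
                continue                        # duplicate of data already placed
            if frag["byte_offset"] != expected:
                complete = False                # gap: a fragment is missing
                break
            buf += frag["payload"]
            expected += len(frag["payload"])
        # the last fragment must have MF clear, otherwise the tail never arrived
        result[ip_id] = bytes(buf) if complete and not frags[-1]["mf"] else None
    return result


def fragment(ip_id, payload, mtu=1500):
    """Split a payload the way a router with the given MTU would."""
    chunk = (mtu - IPV4_HEADER.size) // 8 * 8   # 1480 bytes for a 1500-byte MTU
    frags = []
    for off in range(0, len(payload), chunk):
        piece = payload[off:off + chunk]
        frags.append(build_fragment(ip_id, piece, off, more_fragments=off + chunk < len(payload)))
    return frags


ORIGINAL = bytes(i % 256 for i in range(3000))   # constructed 3000-byte datagram payload

if __name__ == "__main__":
    train = fragment(0xBEEF, ORIGINAL)
    for pkt in train:
        p = parse_fragment(pkt)
        print(f"id={p['id']:#06x} mf={p['mf']} raw_offset={p['raw_offset']} byte_offset={p['byte_offset']}")
    assert reassemble(train)[0xBEEF] == ORIGINAL
```

The three fragments carry raw offsets 0, 185 and 370, which Wireshark would show as byte offsets 0, 1480 and 2960; only the last has the More Fragments flag clear. Feeding the train in reverse order, or with a duplicated fragment, still reassembles, while dropping the last fragment leaves the train incomplete, which is the same situation Wireshark reports when it cannot finish reassembly.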

Display Filters

With real traffic, the packet list fills up fast. Display filters let you narrow what you see without stopping the capture or discarding packets. Wireshark uses its own filter syntax, and a few basics go a long way.

ip.addr == 192.168.1.100      # traffic to or from this IP
tcp.port == 80                # HTTP traffic
icmp                          # all ICMP packets
tcp.flags.syn == 1            # SYN packets only
ip.flags.mf == 1              # packets with more-fragments flag set
ip.frag_offset > 0            # non-first fragments

Display filters do not affect what is captured; they only change what you see. You can switch between filters freely, and all your packets are still there.

Following Streams

One of Wireshark's most useful features is the ability to follow a TCP or UDP stream. Right-click any packet in a conversation and choose Follow -> TCP Stream. Wireshark reassembles all the packets belonging to that connection and shows you the full data exchange as readable text. For unencrypted protocols like HTTP or FTP, you can read the entire session, headers, requests, responses, and payload, in one place.

Capture Filters vs Display Filters

Wireshark has two distinct filtering systems. Capture filters are applied before packets are saved; they use a different syntax (the same as tcpdump) and permanently discard traffic that does not match. Use them when you know exactly what you want and need to reduce file size or performance impact. Display filters are applied after capture and use Wireshark's own syntax. They are non-destructive and reversible.

A practical approach is to use a broad capture filter or none at all, then use display filters to explore the captured data. This way you never accidentally discard something you needed.

Statistics and Conversations

Beyond looking at individual packets, Wireshark has a Statistics menu with several useful views. The Conversations window lists every source/destination pair and how much data each exchanged. The Protocol Hierarchy shows what proportion of the traffic used each protocol. I/O Graphs plot traffic volume over time, which is useful for spotting spikes or patterns. These higher-level views help you decide what to investigate before diving into individual packets.

Saving and Loading Captures

Captures are saved as pcap or pcapng files. These can be shared, loaded on a different machine, and opened later. Most capture tools produce compatible files; a capture taken with tcpdump can be opened in Wireshark for analysis. Saving captures with filters applied saves only the displayed packets, while saving without filters saves everything.
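The classic pcap format that tcpdump and Wireshark share is small enough to write and read by hand, which is a good way to understand what a capture file actually contains and why "save displayed packets" produces a smaller file. The Python example below is added here and is not code from the original post or from either project; it handles only the classic microsecond pcap layout (not pcapng), uses constructed Ethernet frames with dummy MAC addresses, and the helper names (`write_pcap`, `read_pcap`, `save_displayed`, `build_frame`) are this example's own.

```python
import struct

LINKTYPE_ETHERNET = 1
PCAP_MAGIC = 0xA1B2C3D4   # classic pcap; its byte order in the file reveals the writer's endianness


def _layouts(byte_order):
    # global header: magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
    # record header: ts_sec, ts_usec, incl_len (bytes saved), orig_len (bytes on the wire)
    return struct.Struct(byte_order + "IHHiIII"), struct.Struct(byte_order + "IIII")


def write_pcap(records, snaplen=65535):
    """records: iterable of (ts_sec, ts_usec, frame_bytes). Returns the file contents."""
    global_hdr, record_hdr = _layouts("<")
    out = bytearray(global_hdr.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for sec, usec, frame in records:
        saved = frame[:snaplen]                 # snaplen truncates what is stored, not orig_len
        out += record_hdr.pack(sec, usec, len(saved), len(frame))
        out += saved
    return bytes(out)


def read_pcap(data):
    """Returns (linktype, [(ts_sec, ts_usec, orig_len, frame_bytes), ...])."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        order = "<"                             # written on a little-endian machine
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        order = ">"                             # written on a big-endian machine
    else:
        raise ValueError("not a classic pcap file (pcapng and nanosecond pcap are not handled here)")
    global_hdr, record_hdr = _layouts(order)
    linktype = global_hdr.unpack_from(data, 0)[6]
    pos = global_hdr.size
    records = []
    while pos + record_hdr.size <= len(data):
        sec, usec, incl, orig = record_hdr.unpack_from(data, pos)
        pos += record_hdr.size
        frame = data[pos:pos + incl]
        if len(frame) != incl:
            raise ValueError("truncated record: file ends in the middle of a packet")
        records.append((sec, usec, orig, frame))
        pos += incl
    return linktype, records


def ethertype(frame):
    """EtherType sits at offset 12, right after the destination and source MACs."""
    return struct.unpack_from("!H", frame, 12)[0]


def build_frame(ethertype_value, payload_len):
    """Constructed Ethernet frame: broadcast destination, dummy source, zero-filled payload."""
    return (bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
            + struct.pack("!H", ethertype_value) + bytes(payload_len))


# Constructed sample capture: one ARP frame and two IPv4 frames, the last a full-size 1500 bytes.
SAMPLE = [
    (1700000000, 0, build_frame(0x0806, 28)),
    (1700000000, 500, build_frame(0x0800, 84)),
    (1700000001, 0, build_frame(0x0800, 1486)),
]


def save_displayed(records, keep):
    """The equivalent of saving with a display filter applied: only matching packets are written."""
    return write_pcap([r for r in records if keep(r[2])])


if __name__ == "__main__":
    everything = write_pcap(SAMPLE)
    ipv4_only = save_displayed(SAMPLE, lambda frame: ethertype(frame) == 0x0800)
    print(f"full file: {len(everything)} bytes, IPv4-only file: {len(ipv4_only)} bytes")
    for sec, usec, orig, frame in read_pcap(write_pcap(SAMPLE, snaplen=60))[1]:
        print(f"{sec}.{usec:06d} stored {len(frame)} of {orig} bytes")
```

Two things worth noticing when you read real files this way: the magic number's byte order tells you how to decode every other field, and a record's `orig_len` can exceed the bytes actually stored when the capture used a small snaplen, which is exactly what Wireshark means when it marks a packet as truncated.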

Conclusion

Wireshark makes the invisible visible. Every protocol you study, whether TCP handshakes, DNS resolution, ICMP error messages, or fragmentation, can be observed directly in a capture. The best way to learn both Wireshark and networking is to generate traffic, capture it, and then trace what you see against what the protocol should be doing. Doing that a few times solidifies concepts faster than any amount of reading.