Wireshark Tutorial for Beginners: Network Traffic Analysis Made Easy

Wireshark is the most widely used free and open-source network protocol analyzer. It captures network traffic and lets you inspect it packet by packet, live or from a saved capture file, making it an essential tool for network administrators, cybersecurity professionals, and IT enthusiasts.

Key Features of Wireshark:

  • Packet Capture: Records the traffic passing through a selected interface. On a switched network that is normally only traffic to and from your own host plus broadcast/multicast; to see other hosts' traffic you need a mirror (SPAN) port, a network tap, or, on Wi-Fi, a card in monitor mode.

  • Deep Inspection: Dissects hundreds of protocols (Ethernet, IP, TCP, UDP, DNS, HTTP, TLS, etc.).

  • Filtering Capabilities: Helps isolate specific traffic (e.g., HTTPS on port 443).

  • Troubleshooting: Surfaces latency, retransmissions and failed connections, and gives you the raw packets needed to investigate suspicious traffic.

  • Cross-Platform: Available for Windows, macOS, and Linux.

Getting Started with Wireshark

1. Installing Wireshark

  • Download Wireshark from the official website (wireshark.org).

  • On macOS, the installer ships with a ChmodBPF package that grants your account capture permission on the BPF devices; install it, or Wireshark will show no interfaces.

  • On Windows, install Npcap (bundled with the Wireshark installer). The older WinPcap is unmaintained and should not be used.

  • On Linux, add your user to the wireshark group (on Debian/Ubuntu: sudo dpkg-reconfigure wireshark-common, then sudo usermod -aG wireshark $USER and log in again) so you can capture without running the GUI as root.

2. Launching Wireshark

  • Open Wireshark, and you’ll see a list of available network interfaces (Wi-Fi, Ethernet, etc.).

  • Select the active interface (e.g., Ethernet or Wi-Fi) and double-click to start capturing packets.

3. Understanding the Wireshark Interface

  • Packet List Pane: Displays all captured packets.

  • Packet Details Pane: Breaks down each packet’s layers (Ethernet, IP, TCP, HTTP, etc.).

  • Packet Bytes Pane: Shows raw hexadecimal data.

  • Filter Bar: Applies a display filter to the packet list (e.g., tcp.port==443 for HTTPS, or tls for TLS on any port).

Capturing and Analyzing Network Traffic

1. Basic Packet Capture

  • Start capturing by clicking the blue shark fin icon (or double-clicking an interface).

  • Perform network activities (e.g., browsing a website).

  • Click the red stop button to end the capture.

2. Filtering Traffic

Wireshark captures thousands of packets, so filtering helps focus on relevant data.

Common Filters:

Filter                                  Purpose
http                                    HTTP requests and responses (unencrypted).
tls                                     TLS handshakes and records on any port (HTTPS, SMTPS, etc.).
tcp.port==443                           Traffic to or from TCP port 443 (normally HTTPS).
tcp.port==80                            Traffic to or from TCP port 80 (normally unencrypted HTTP).
ip.addr==192.168.1.1                    Traffic to or from a specific IP (ip.src== / ip.dst== for one direction only).
dns                                     DNS queries and responses.
tcp.flags.syn==1 && tcp.flags.ack==0    New connection attempts (plain SYN). tcp.flags.syn==1 on its own also matches the SYN/ACK replies.
tcp.analysis.flags                      Packets Wireshark has flagged as problematic (retransmissions, duplicate ACKs, zero window, etc.).

Example: Analyzing HTTPS Traffic (Port 443)

  • Type tcp.port==443 in the filter bar.

  • Wireshark shows only traffic on TCP port 443, which is normally TLS. The application data is encrypted, but the handshake is not: the Client Hello carries the server name (SNI), and with TLS 1.2 the server's certificate is also sent in the clear.

  • Right-click a packet → Follow → TCP Stream to see the whole conversation; the application data stays encrypted. To decrypt it you need the session keys: have the browser export them by setting the SSLKEYLOGFILE environment variable (Firefox and Chrome honour it), then point Wireshark at that file under Edit → Preferences → Protocols → TLS → (Pre)-Master-Secret log filename. A server's RSA private key only works for old, non-forward-secret cipher suites and never for TLS 1.3.

Example: Analyzing HTTP Traffic (Port 80)

  • Type http in the filter bar.

  • Right-click a packet → Follow → HTTP Stream to see the request and response exactly as the browser sent and received them, including any form fields submitted in plaintext (useful when investigating a phishing page served over HTTP).

Advanced Wireshark Techniques

1. Identifying Suspicious Activity

  • Unencrypted HTTP Traffic: Look for login forms posting credentials in plaintext (http.request.method=="POST" narrows it down).

  • Unexpected Connections: Check for devices talking to IPs or ports they have no business with, e.g. a printer opening outbound connections to the Internet.

  • TCP Resets (tcp.flags.reset==1): A reset tears a connection down abruptly. A few are normal; many resets from one host answering SYNs on different ports usually mean it is being port-scanned, and resets that appear mid-stream can indicate a middlebox or IDS injecting them.

2. Using Wireshark’s Statistics Tools

  • Go to Statistics → Conversations to see which devices are communicating.

  • Check Statistics → HTTP → Packet Counter to analyze web traffic patterns.

3. Exporting and Sharing PCAP Files

  • Save captures (File → Save As) for later analysis.

  • Share PCAP files with colleagues for troubleshooting.

Practical Cybersecurity Use Cases

1. Detecting Phishing Attacks

  • If a user clicks a malicious link, Wireshark can capture:

    • The DNS lookup for the phishing domain and the connection that follows it.

    • If the fake site is served over plain HTTP, the page loading and the credentials being posted in plaintext.

    • If it uses HTTPS (most phishing sites now do), only the server name in the TLS Client Hello; the page content and the submitted credentials stay encrypted.
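The filters, the suspicious-activity checks and the Conversations statistic described above, implemented against a small capture you can also open in Wireshark. This is an added example written for this tutorial, not Wireshark's own code: it builds a constructed capture (a SYN scan from 192.168.1.20 against 10.0.0.5, then a plaintext HTTP login to 203.0.113.9; the addresses, MAC addresses, the host name login-example.test and the alice/hunter2 form body are all made up), writes it as a classic .pcap using only the Python standard library, reads it back, and applies the equivalents of tcp.flags.syn==1 && tcp.flags.ack==0, a POST-with-password check, and Statistics → Conversations.

```python
import os
import socket
import struct
import tempfile
from collections import Counter

PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1
SYN, RST, PSH, ACK = 0x02, 0x04, 0x08, 0x10


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; used here for the IPv4 header only."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_frame(src, dst, sport, dport, flags, payload=b"", seq=1000):
    """Ethernet II / IPv4 / TCP frame with constructed MACs. The TCP checksum is
    left at zero; Wireshark does not validate TCP checksums by default."""
    eth = bytes.fromhex("020000000001" "020000000002" "0800")
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return eth + ip + tcp


def write_pcap(path, frames):
    """Classic libpcap format: 24-byte global header, then a 16-byte record header per frame."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
        for i, frame in enumerate(frames):
            f.write(struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame)


def parse_frame(frame: bytes) -> dict:
    """Minimal dissector: IPv4 endpoints plus TCP ports, flags, seq and payload."""
    if frame[12:14] != b"\x08\x00":          # not IPv4
        return {}
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    pkt = {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]), "proto": ip[9]}
    if pkt["proto"] == 6:
        tcp = ip[ihl:]
        sport, dport, seq, _ack, offset, flags = struct.unpack("!HHIIBB", tcp[:14])
        pkt.update(sport=sport, dport=dport, seq=seq, flags=flags, payload=tcp[(offset >> 4) * 4:])
    return pkt


def read_pcap(path):
    with open(path, "rb") as f:
        data = f.read()
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap")
    pkts, off = [], 24
    while off < len(data):
        caplen = struct.unpack("<IIII", data[off:off + 16])[2]
        pkts.append(parse_frame(data[off + 16:off + 16 + caplen]))
        off += 16 + caplen
    return pkts


def syn_only(pkts):
    """tcp.flags.syn==1 && tcp.flags.ack==0 : new connection attempts, including SYN-scan probes."""
    return [p for p in pkts if p.get("proto") == 6 and p["flags"] & (SYN | ACK) == SYN]


def plaintext_credentials(pkts):
    """http.request.method=="POST" on port 80 whose form body carries a password field."""
    hits = []
    for p in pkts:
        if p.get("dport") == 80 and p.get("payload", b"").startswith(b"POST "):
            body = p["payload"].split(b"\r\n\r\n", 1)[-1]
            if b"password=" in body:
                hits.append((p["src"], p["dst"], body.decode()))
    return hits


def conversations(pkts):
    """Statistics -> Conversations (IPv4 tab): packet count per unordered endpoint pair."""
    return Counter(tuple(sorted((p["src"], p["dst"]))) for p in pkts if p)


def demo(path=None):
    """Build the constructed capture, write it, read it back and run the three checks."""
    path = path or os.path.join(tempfile.gettempdir(), "constructed_demo.pcap")
    scanner, target, site = "192.168.1.20", "10.0.0.5", "203.0.113.9"   # constructed hosts
    frames = []
    for port in (22, 80, 443, 8080):          # SYN scan: four probes, four RST/ACK answers
        frames.append(build_frame(scanner, target, 40000 + port, port, SYN))
        frames.append(build_frame(target, scanner, port, 40000 + port, RST | ACK))
    post = (b"POST /login HTTP/1.1\r\nHost: login-example.test\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 27\r\n\r\n"
            b"user=alice&password=hunter2")    # constructed plaintext login
    frames += [build_frame(scanner, site, 51000, 80, SYN),
               build_frame(site, scanner, 80, 51000, SYN | ACK),
               build_frame(scanner, site, 51000, 80, ACK),
               build_frame(scanner, site, 51000, 80, PSH | ACK, post)]
    write_pcap(path, frames)
    pkts = read_pcap(path)
    return {"pcap": path, "syn_only": len(syn_only(pkts)),
            "creds": plaintext_credentials(pkts), "conversations": conversations(pkts)}


if __name__ == "__main__":
    print(demo())
```

Run it and open the printed .pcap path in Wireshark: the four scan probes plus the handshake SYN match tcp.flags.syn==1 && tcp.flags.ack==0, the four RST/ACK answers match tcp.flags.reset==1, Statistics → Conversations shows the two endpoint pairs with 8 and 4 packets, and the POST is readable via Follow → HTTP Stream.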

2. Finding Malware Traffic

  • Websites like Malware-Traffic-Analysis.net provide real-world PCAPs for training.

  • Analyze unusual connections (e.g., devices contacting known malicious IPs).

3. Troubleshooting Network Issues

  • High Latency? Check for TCP retransmissions (tcp.analysis.retransmission).

  • No Internet? Check whether DNS queries get answers (dns) and whether the host can even reach its gateway (arp to see the gateway's address being resolved, icmp for pings).

Next Steps:

✅ Practice capturing real traffic.
✅ Experiment with filters (tcp.port==443, http, dns, etc.).
✅ Explore malware PCAPs for hands-on training.
