
Wireshark

The world's most popular network protocol analyzer for deep packet capture, traffic inspection, and live network forensics.

Category
Network Analysis
Platform
Linux / Windows / macOS
Type
GUI + CLI / Open Source
Skill Level
Beginner → Advanced

What is Wireshark?

Wireshark is the world's most widely used network protocol analyzer. It lets you capture and interactively browse traffic running on a computer network in real time, or read it from a saved capture file. With support for hundreds of protocols and a rich GUI alongside the powerful tshark CLI companion, it's the go-to tool for network troubleshooting, protocol development, and security analysis during authorized penetration testing engagements.

⚠ Legal Notice

Only capture traffic on networks you own or have explicit written permission to monitor. Unauthorized packet capture violates Pakistan's PECA 2016 and international cybercrime laws.

Installation

# Update packages
sudo apt update

# Install Wireshark (pre-installed on Kali)
sudo apt install wireshark -y

# Add your user to the wireshark group (capture without root)
sudo usermod -aG wireshark $USER
newgrp wireshark

# Install tshark (CLI version)
sudo apt install tshark -y

# Check version
wireshark --version

Basic Usage — GUI

Launch the GUI, select an interface, and start capturing. Use the display filter bar at the top to narrow down traffic in real time.

# Launch GUI
wireshark

# Open an existing capture file
wireshark -r capture.pcap

# Start capturing on a specific interface immediately
wireshark -i eth0 -k

# Start capture, stop after 100 packets
wireshark -i eth0 -k -c 100

tshark — CLI Usage

tshark is Wireshark's terminal counterpart — ideal for scripting, remote sessions, and automated analysis.

# List available interfaces
tshark -D

# Capture live traffic on eth0
tshark -i eth0

# Capture and save to file
tshark -i eth0 -w output.pcap

# Read and display a saved capture
tshark -r capture.pcap

# Apply a display filter while reading
tshark -r capture.pcap -Y "http.request"

# Extract only specific fields
tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e tcp.dstport

# Capture only 500 packets then stop
tshark -i eth0 -c 500

# Capture with a BPF capture filter (faster, kernel-level)
tshark -i eth0 -f "tcp port 80"
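Putting the field-extraction command above to work, here is an added example (mine, not part of the Wireshark project or of this page's original content): a Python script that runs tshark with -T fields on a saved capture, keeps only SYN-without-ACK packets, and aggregates the result per source host so that one source opening connections to many distinct ports on the same destination stands out for review. tshark on PATH is assumed only for run_tshark_fields(); the parsing and aggregation functions operate on plain text and are exercised on a few constructed lines of tshark output embedded in the script. The function names, the addresses and the 3-port threshold are my own.

```python
#!/usr/bin/env python3
"""Summarize TCP connection attempts in a saved capture using tshark field output.

Added example for this page, not part of the Wireshark project. tshark must be
on PATH for run_tshark_fields(); parse_field_lines(), summarize() and
port_sweep_sources() work on plain text and are exercised below on constructed
tshark output (no live capture needed).
"""
import subprocess
from collections import Counter, defaultdict

# Fields requested from tshark, in the order they appear on each output line.
# tshark separates fields with a tab by default, so no -E option is needed.
FIELDS = ["ip.src", "ip.dst", "tcp.dstport"]
SYN_ONLY = "tcp.flags.syn == 1 && tcp.flags.ack == 0"  # connection initiations


def run_tshark_fields(pcap_path, display_filter=SYN_ONLY):
    """Run tshark -r on a capture file and return its raw field lines."""
    cmd = ["tshark", "-r", pcap_path, "-Y", display_filter, "-T", "fields"]
    for field in FIELDS:
        cmd += ["-e", field]
    result = subprocess.run(cmd, capture_output=True, text=True, check=True)
    return result.stdout.splitlines()


def parse_field_lines(lines):
    """Turn tab-separated field lines into (src, dst, dstport) tuples.

    Frames with an empty field (non-IP or non-TCP frames, if the display
    filter is loosened) are skipped instead of aborting the summary.
    """
    rows = []
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != len(FIELDS) or not all(parts):
            continue
        src, dst, port = parts
        rows.append((src, dst, int(port)))
    return rows


def summarize(rows):
    """Count SYNs per (src, dst, port) flow and per source host."""
    by_flow = Counter(rows)
    by_source = Counter(src for src, _, _ in rows)
    return by_flow, by_source


def port_sweep_sources(rows, threshold=3):
    """Sources that sent SYNs to at least `threshold` distinct ports on one
    destination: a crude indicator worth a closer look, not proof of a scan.
    The threshold is a constructed value chosen for this example."""
    ports = defaultdict(set)
    for src, dst, port in rows:
        ports[(src, dst)].add(port)
    return sorted({src for (src, _), p in ports.items() if len(p) >= threshold})


# Constructed sample of what `tshark -T fields -e ip.src -e ip.dst -e tcp.dstport`
# prints; the last line mimics a frame where all three fields were empty.
SAMPLE_LINES = [
    "10.0.0.5\t10.0.0.1\t22",
    "10.0.0.5\t10.0.0.1\t80",
    "10.0.0.5\t10.0.0.1\t443",
    "10.0.0.5\t10.0.0.1\t8080",
    "10.0.0.7\t10.0.0.1\t443",
    "\t\t",
]

if __name__ == "__main__":
    import sys
    # With a pcap path as argument the script runs tshark; otherwise it uses the sample.
    lines = run_tshark_fields(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LINES
    rows = parse_field_lines(lines)
    by_flow, by_source = summarize(rows)
    for src, n in by_source.most_common():
        print(f"{src}: {n} connection attempt(s)")
    print("port-sweep candidates:", port_sweep_sources(rows))
```

Run it as `python3 syn_summary.py capture.pcap` to analyse a real file, or with no argument to see the constructed sample processed. Keeping the tshark call separate from the parsing makes the aggregation testable offline and lets the same parser consume output saved earlier with `tshark ... > fields.txt`.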

Essential Display Filters

Display filters narrow what Wireshark shows you after capture. They use Wireshark's own filter syntax (not BPF).

# Show only HTTP traffic
http

# Show only DNS queries and responses
dns

# Filter by source or destination IP
ip.addr == 192.168.1.1
ip.src == 10.0.0.5
ip.dst == 10.0.0.1

# Filter by port
tcp.port == 443
udp.port == 53

# Show only TCP SYN packets (connection initiation)
tcp.flags.syn == 1 && tcp.flags.ack == 0

# Show TCP resets (refused or aborted connections, RST flag set)
tcp.flags.reset == 1

# Filter by HTTP method
http.request.method == "POST"

# Search for a string in packet content
frame contains "password"

# FTP credentials in plaintext
ftp.request.command == "PASS"

# Show ARP requests only
arp.opcode == 1
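To see exactly which packets the TCP-flag filters above match, here is an added example (my own code, not from the Wireshark project or this page): it builds a handful of TCP frames with only the Python standard library, writes them to a classic pcap file that can be opened in Wireshark, and evaluates the two flag filters from the list, plus a SYN-ACK variant that is not on the page, against the raw TCP flags byte. All MAC and IP addresses, ports, the output filename and the function names are constructed for the example.

```python
#!/usr/bin/env python3
"""Build a small pcap with SYN, SYN-ACK, ACK and RST frames and apply the
page's TCP-flag display filters to it in pure Python.

Added example, not part of Wireshark. Output is a classic pcap (link type 1,
Ethernet) so the same filters can be checked in the GUI. All addresses, ports
and the filename are constructed sample values.
"""
import struct
import time

# TCP flag bits (RFC 793); tcp.flags.syn / tcp.flags.ack / tcp.flags.reset
# in Wireshark are these individual bits of the flags byte.
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def ipv4_checksum(header):
    """Standard one's-complement checksum over a 20-byte IPv4 header."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) + header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_frame(src_ip, dst_ip, sport, dport, flags):
    """Ethernet + IPv4 + TCP header, no payload. The TCP checksum is left at
    zero, so Wireshark shows it as bad unless checksum validation is off."""
    eth = bytes.fromhex("000000000002") + bytes.fromhex("000000000001") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)
    src = bytes(map(int, src_ip.split(".")))
    dst = bytes(map(int, dst_ip.split(".")))
    ip_no_ck = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, src, dst)
    ip = ip_no_ck[:10] + struct.pack("!H", ipv4_checksum(ip_no_ck)) + ip_no_ck[12:]
    return eth + ip + tcp


def tcp_flags(frame):
    """Return the TCP flags byte of an Ethernet/IPv4/TCP frame."""
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    return frame[14 + ihl + 13]           # flags byte is TCP offset 13


# The page's two flag filters, plus the SYN-ACK case, as predicates on the flags byte.
DISPLAY_FILTERS = {
    "tcp.flags.syn == 1 && tcp.flags.ack == 0": lambda f: bool(f & SYN) and not (f & ACK),
    "tcp.flags.reset == 1": lambda f: bool(f & RST),
    "tcp.flags.syn == 1 && tcp.flags.ack == 1": lambda f: bool(f & SYN) and bool(f & ACK),
}


def apply_filter(frames, expr):
    """Indexes of frames matching a filter expression from DISPLAY_FILTERS."""
    pred = DISPLAY_FILTERS[expr]
    return [i for i, fr in enumerate(frames) if pred(tcp_flags(fr))]


def write_pcap(path, frames):
    """Write frames as a little-endian classic pcap (magic 0xA1B2C3D4, v2.4)."""
    with open(path, "wb") as fh:
        fh.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        ts = int(time.time())
        for i, fr in enumerate(frames):
            fh.write(struct.pack("<IIII", ts, i * 1000, len(fr), len(fr)))
            fh.write(fr)


def sample_frames():
    """A handshake that completes, then a second attempt refused with RST."""
    return [
        build_tcp_frame("10.0.0.5", "10.0.0.1", 40000, 443, SYN),
        build_tcp_frame("10.0.0.1", "10.0.0.5", 443, 40000, SYN | ACK),
        build_tcp_frame("10.0.0.5", "10.0.0.1", 40000, 443, ACK),
        build_tcp_frame("10.0.0.5", "10.0.0.1", 40001, 23, SYN),
        build_tcp_frame("10.0.0.1", "10.0.0.5", 23, 40001, RST | ACK),
    ]


if __name__ == "__main__":
    frames = sample_frames()
    write_pcap("constructed_handshakes.pcap", frames)
    for expr in DISPLAY_FILTERS:
        print(f"{expr:45s} -> frames {apply_filter(frames, expr)}")
```

After running it, `wireshark -r constructed_handshakes.pcap` and typing each filter in the display filter bar should highlight the same frame numbers (Wireshark numbers frames from 1, the script's list from 0). Note that the RST filter also matches the refused attempt's RST|ACK reply, which is why a plain `tcp.flags.reset == 1` is a good starting point for spotting closed ports or dropped sessions but needs the surrounding frames to tell the two apart.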

Capture Filters (BPF)

Capture filters are applied before packets are recorded — more efficient than display filters for high-traffic environments. Use the -f flag with tshark or set them in Wireshark's capture options.

# Only capture traffic to/from a specific host
host 192.168.1.100

# Only capture on port 80
port 80

# Capture only TCP traffic
tcp

# Exclude traffic from your own machine
not host 192.168.1.1

# Capture only ICMP (ping) packets
icmp

# Traffic between two hosts
host 10.0.0.1 and host 10.0.0.2

Common Flags (tshark)

Common Use Cases

Further Reading

Wireshark pairs well with tools like tcpdump, netcat, and Zeek for deeper network analysis workflows. Practice with real .pcap challenge files on platforms like TryHackMe, HackTheBox, and hackzia.site labs. Always refer to the official Wireshark documentation at wireshark.org/docs before deploying in a live engagement.