What is Wireshark and how to use it | Cyber Security | CompTIA (2023)

Few tools are as useful to IT professionals as Wireshark, the network packet capture tool. Wireshark helps you capture network packets and display them at a granular level. Once these packets are broken down, you can use them for real-time or offline analysis. With this tool, you can take a close look at your network traffic, then filter and drill down into it to zoom in on the root cause of problems, which supports network analysis and ultimately network security. In this free Wireshark tutorial, you'll learn how to capture, interpret, filter, and examine data packets for effective troubleshooting.

What is Wireshark?

Wireshark is a network protocol analyzer, or an application that captures packets from a network connection, such as from your computer to your home office or the Internet. Packet is the name given to a discrete unit of data on a typical Ethernet network.

Wireshark is the most widely used packet sniffer in the world. Like any other packet sniffer, Wireshark does three things:

  1. Packet capture: Wireshark listens to a network connection in real time and then captures entire streams of traffic, potentially tens of thousands of packets at a time.
  2. Filtering: Wireshark can slice through all of this random live data using filters. Applying a filter gives you exactly the information you need to see.
  3. Display: Wireshark, like any good packet sniffer, allows you to dive right into the middle of a network packet. It also allows you to visualize entire conversations and network flows.

Figure 1: Visualization of a packet capture in Wireshark

Packet sniffing can be compared to spelunking: going into a cave and wandering around. People who use Wireshark on a network are like people who use flashlights to see what interesting things they can find. After all, when you use Wireshark on a network connection (or a flashlight in a cave), you are effectively using a tool to explore tunnels and tubes to see what you can see.

What is Wireshark used for?

Wireshark has many uses, including troubleshooting networks that have performance issues. Cybersecurity professionals often use Wireshark to trace connections, view the contents of suspicious network transactions, and identify bursts of network traffic. It's an important part of any IT professional's toolkit, and ideally the IT professional has the knowledge to use it.

When to use Wireshark?

Wireshark is a safe tool used by government agencies, educational institutions, corporations, small businesses, and non-profit organizations to troubleshoot network problems. Wireshark can also be used as a learning tool.

Those new to information security can use Wireshark as a tool to analyze network traffic, understand how communication takes place when specific protocols are involved, and see where it goes wrong when specific problems occur.

Of course, Wireshark can't do everything.

First, it can't help a user who has a poor understanding of network protocols. No tool, no matter how great, is a good replacement for knowledge. In other words, to use Wireshark successfully, you must learn exactly how a network works. This means understanding things like the TCP three-way handshake and various protocols, including TCP, UDP, DHCP, and ICMP.

Second, under normal circumstances, Wireshark cannot get traffic from every other system on the network. On modern networks that use what are known as switches, Wireshark (or any other standard packet capture tool) can only eavesdrop on the traffic between your local computer and the remote system you are communicating with.

Third, while Wireshark can display bad packets and apply color codes, it doesn't actually have any warnings; Wireshark is not an Intrusion Detection System (IDS).

Fourth, Wireshark cannot help decrypt encrypted traffic.

Finally, it is quite easy to spoof IPv4 packets. Wireshark can't really tell you if a specific IP address it finds in a captured packet is real or not. This requires a little more knowledge on the part of an IT professional, as well as additional software.

Common Use Cases for Wireshark

Here's a high-level example of how a Wireshark capture can help pinpoint a problem. The following figure shows a problem on a home network where the Internet connection was very slow.

As the figure shows, the router considered a common destination unreachable. This was discovered by drilling down into the IPv6 Internet Control Message Protocol (ICMP) traffic, which is highlighted in black. In Wireshark, any packet marked in black is considered to reflect some sort of problem.

Figure 2: Drilling down into a packet to identify a network problem with Wireshark

In this case, Wireshark helped determine that the router was malfunctioning and couldn't find YouTube very easily. Resetting the cable modem resolved the issue. Of course, while this particular issue didn't require the use of Wireshark, it's nice to be able to close the issue with authority.

If you look at the bottom of Figure 2, you'll see that a specific packet is highlighted. This shows the inner workings of a TCP packet that is part of a Transport Layer Security (TLS) conversation. This is a great example of drilling down into a captured packet.

Wireshark doesn't allow you to read the encrypted contents of the packet, but it can identify the version of TLS that the browser and YouTube are using to encrypt things. Interestingly, the encryption switched to TLS version 1.2 during the capture.

Wireshark is often used to identify more complex network problems. For example, if a network experiences too many retransmissions, congestion can occur. By using Wireshark, you can identify specific transmission problems as shown in Figure 3 below.

Figure 3: Viewing packet flow statistics using Wireshark to identify retransmissions

By confirming this kind of problem, you can reconfigure or change the router to speed up the traffic.
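As an added example (not Wireshark's own code and not from the original article), the following Python script applies a simplified version of the retransmission heuristic behind Wireshark's TCP analysis flags to a constructed six-packet conversation and computes the per-conversation retransmission rate that points at the kind of congestion described above.

```python
"""Flag TCP retransmissions the way Wireshark's "Bad TCP" analysis marks them, and
work out a per-conversation retransmission rate. Added example, not Wireshark's code."""
from collections import defaultdict

def seg(no, src, sport, dst, dport, seq, length):
    """Constructed packet record: just the TCP fields the heuristic needs."""
    return {"no": no, "src": src, "sport": sport, "dst": dst, "dport": dport,
            "seq": seq, "len": length}

# Constructed capture of one HTTPS conversation (no real traffic): the client's
# second data segment (packet 3) is sent again as packet 4 after its ACK went missing.
PACKETS = [
    seg(1, "192.168.1.10", 51000, "203.0.113.5", 443, seq=1, length=100),
    seg(2, "203.0.113.5", 443, "192.168.1.10", 51000, seq=1, length=0),      # pure ACK
    seg(3, "192.168.1.10", 51000, "203.0.113.5", 443, seq=101, length=200),
    seg(4, "192.168.1.10", 51000, "203.0.113.5", 443, seq=101, length=200),  # retransmission
    seg(5, "203.0.113.5", 443, "192.168.1.10", 51000, seq=1, length=1400),
    seg(6, "192.168.1.10", 51000, "203.0.113.5", 443, seq=301, length=50),
]

def flow_key(p):
    """Direction-specific key (client->server and server->client are separate flows)."""
    return (p["src"], p["sport"], p["dst"], p["dport"])

def conversation_key(p):
    """Direction-agnostic key so both halves of a conversation are counted together."""
    return tuple(sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])]))

def find_retransmissions(packets):
    """Return (retransmitted packet numbers, {conversation: (data segments, retransmits)}).

    Simplified from Wireshark's tcp.analysis heuristics: a data segment whose byte
    range ends at or before the highest byte already seen in the same direction
    carries nothing new, so it is treated as a retransmission.  Wireshark goes
    further and uses ACK state and timing to split these into retransmission,
    fast retransmission, spurious retransmission and out-of-order.
    """
    highest_end = {}                       # flow -> highest (seq + len) seen so far
    stats = defaultdict(lambda: [0, 0])    # conversation -> [segments, retransmits]
    retransmitted = []
    for p in sorted(packets, key=lambda p: p["no"]):
        if p["len"] == 0:                  # pure ACK / SYN / FIN: no data to retransmit
            continue
        flow, end = flow_key(p), p["seq"] + p["len"]
        counters = stats[conversation_key(p)]
        counters[0] += 1
        if flow in highest_end and end <= highest_end[flow]:
            retransmitted.append(p["no"])
            counters[1] += 1
        else:
            highest_end[flow] = end
    return retransmitted, {k: tuple(v) for k, v in stats.items()}

def retransmission_rate(stats, conversation):
    """Fraction of data segments in the conversation that were retransmissions."""
    segments, retransmits = stats[conversation]
    return retransmits / segments if segments else 0.0
```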

How to use Wireshark

You can download Wireshark for free at www.wireshark.org. It is also freely available as an open source application under the GNU General Public License version 2.

How to install Wireshark on Windows

If you are a Windows user, download the installer that matches your particular Windows version. For example, if you are using Windows 10, grab the Windows 64-bit installer and follow the wizard to install it. You need administrator rights for the installation.

How to Install Wireshark on Linux

If you have a Linux system, install Wireshark with the following commands in the following order (note that you need root privileges; the dpkg-reconfigure step asks whether non-superusers may capture packets):

$ sudo apt-get install wireshark

$ sudo dpkg-reconfigure wireshark-common

$ sudo usermod -a -G wireshark $USER

$ newgrp wireshark

After completing the steps above, log out and back in, then start Wireshark:

$ wireshark &

How to Capture Packets with Wireshark

Once you've installed Wireshark, you can start capturing network traffic. But remember: to capture packets, you must have the appropriate permissions on your computer to put Wireshark in promiscuous mode.

    • On a Windows system, this usually means you have administrator access.
    • On a Linux system, this usually means you have root access.

As long as you have the correct permissions, you have several options to actually start the capture. The best way is to select Capture >> Options in the main window. This opens the Capture Interfaces window, as shown in Figure 4 below.

Figure 4: The Capture Interfaces dialog in Wireshark

This window lists all available interfaces. In this case, Wireshark offers several to choose from.

For this example, we choose the Ethernet 3 interface, which is the most active one. Wireshark visualizes the traffic by showing a moving line that represents the packets on the network.

Once the network interface is selected, simply click the Start button to begin capturing. As the capture starts, you can see packets appearing on the screen, as shown in Figure 5 below.

Figure 5: Wireshark capturing packets

When you have captured all the packets you want, just click the red square button at the top. Now you have a static packet capture to examine.

What does color coding mean in Wireshark?

Now that you have some packets, it's time to figure out what they mean. Wireshark tries to help you identify packet types by applying sensible color coding. The following table describes the default colors for the main packet types.

Color in Wireshark: Packet type

  • Light purple: TCP traffic
  • Light blue: UDP traffic
  • Black: Packets with errors
  • Light green: HTTP traffic
  • Light yellow: Windows-specific traffic, including Server Message Blocks (SMB) and NetBIOS
  • Dark yellow: Routing traffic
  • Dark gray: TCP SYN, FIN, and ACK traffic

The default color scheme is shown in Figure 6 below. You can view it by going to View >> Coloring Rules.

Figure 6: Default coloring rules

You can even change the defaults or apply a custom rule. If you don't want any coloring at all, go to View and click Colorize Packet List. It's a toggle, so if you want the colors back, just go to View and click Colorize Packet List again. It is even possible to color specific conversations between computers.

In Figure 7 below, you can see standard UDP (light blue), TCP (light purple), TCP handshake (dark gray), and routing traffic (yellow).

Figure 7: Showing colored packets in Wireshark

However, you are not limited to interpreting based solely on color. It is possible to view the input/output (I/O) statistics of an entire packet capture.

Simply go to Statistics >> I/O Graph in Wireshark and you will see a graph similar to the one shown in Figure 8.

Figure 8: Input/output traffic graph in Wireshark

This particular graph shows the typical traffic generated by a home office. The spikes in the graph are bursts of traffic caused by generating a Distributed Denial of Service (DDoS) attack with a few Linux systems.

In this case, three large bursts of traffic were generated. Cybersecurity professionals often use Wireshark as a quick and dirty way to identify traffic bursts during attacks.

It is also possible to capture the amount of traffic generated between one system and another. If you go to Statistics and then select Conversations, you will see a summary of the conversations between endpoints, as shown in Figure 9 below.

Figure 9: Displaying endpoint conversations in Wireshark

In the case above, Wireshark was used to see whether an old MCI Communications device could still be traced on a customer's network.

It turned out that the customer didn't even know this device was on the network, so it was removed to help make the network a little more secure. Also note that this network connection sees a lot of traffic to Amazon (the customer runs a server on AWS) and Box.com (the customer uses Box for system backups).

In some cases, it is even possible to use Wireshark to identify the geographic location of source and destination traffic. If you click the Map button at the bottom of the screen (see Figure 9 above), Wireshark shows a map (Figure 10) with its best estimate of the location of the IP addresses it has identified.

Figure 10: Viewing geographic estimates in Wireshark

Because IPv4 addresses are easily spoofed, you can't completely trust this geographic information, but it can be quite accurate.

How to filter and inspect packets in Wireshark

You can apply Wireshark filters in two ways:

  1. In the display filter window at the top of the screen
  2. By highlighting a packet (or part of a packet) and right-clicking on it

Wireshark filters use key phrases like the following:

  • ip.addr: specifies an IPv4 address
  • ipv6.addr: specifies an IPv6 address
  • src: source, where the packet came from
  • dst: destination, where the packet is going

You can also use the following operators:

  • &&: means "and", combining two conditions that must both hold, as in "select this IP address and that port"
  • ==: means "equals", as in "select only this IP address"
  • !: means "not", as in "do not show a specific IP address or source port"

Valid filter rules are always colored green. If you make a mistake in a filter rule, the box turns bright pink.

Let's start with some basic rules. Suppose you only want to see packets that contain a particular IP address somewhere. You would create the following rule and paste it into the filter window, substituting the address you are interested in:

ip.addr == <IPv4 address>

Figure 11 shows the results of adding this filter:

Figure 11: Applying a filter to a capture in Wireshark

Alternatively, you can tag a packet's IP address and then create a filter for it. After selecting the IP address, right-click and then select the Apply as filter option.

You will then see a menu with additional options. One of them is called Selected. If you choose Selected, Wireshark will create a filter that only shows packets with that IP address.

You can also choose to filter out a specific IP address using the following filter, also shown in Figure 12:

!(ip.addr == <IPv4 address>)

Figure 12: Filtering a specific IP address in Wireshark

You are not limited to just IPv4 addresses. For example, if you want to see if a specific computer is up and using an IPv6 address on your network, you can open a copy of Wireshark and apply the following rule:

ipv6.dst == 2607:f8b0:400a:15::b

The same rule is shown in Figure 13.

Figure 13: Applying an IPv6 filter in Wireshark

This system is clearly alive and well and talking on the net. There are many possibilities.

Additional filters include:

  • tcp.port == 8080: filters packets to display the port of your choice, in this case port 8080
  • !(ip.src == <IPv4 address>): shows all packets except those from that source address
  • !(ipv6.dst == 2607:f8b0:400a:15::b): shows all packets except those going to IPv6 address 2607:f8b0:400a:15::b
  • ip.addr == <address A> && ip.addr == <address B>: shows only packets in which both addresses appear, i.e. the conversation between the two
  • http.request: shows HTTP requests only, which is useful for troubleshooting or visualizing web traffic

As you can see, Wireshark is a powerful application.
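As an added example (not Wireshark's own code and not from the original article), the following Python script re-implements, over a handful of constructed packet records, the behaviour the color-coding and filter sections above describe: field presence, `==`, `&&` and `!( ... )`, the fact that `ip.addr` matches either the source or the destination address, and the top-to-bottom, first-match-wins processing of coloring rules. The packet records and the simplified coloring rules are assumptions made for the demonstration.

```python
"""Toy evaluator for the Wireshark display-filter subset this page uses (field, ==, &&,
!, parentheses) plus an ordered colouring pass. Added example, not Wireshark's code."""
import re
# Constructed packet records keyed by Wireshark field names (no real capture).
PACKETS = [
    {"no": 1, "ip.src": "192.168.1.10", "ip.dst": "203.0.113.5", "tcp": True,
     "tcp.srcport": 51000, "tcp.dstport": 443, "tcp.flags.syn": 1},          # SYN
    {"no": 2, "ip.src": "203.0.113.5", "ip.dst": "192.168.1.10", "tcp": True,
     "tcp.srcport": 443, "tcp.dstport": 51000, "tcp.flags.syn": 1},          # SYN/ACK
    {"no": 3, "ip.src": "192.168.1.10", "ip.dst": "198.51.100.7", "tcp": True,
     "tcp.srcport": 51001, "tcp.dstport": 8080, "http": True, "http.request": True},
    {"no": 4, "ip.src": "192.168.1.10", "ip.dst": "203.0.113.5", "tcp": True,
     "tcp.srcport": 51000, "tcp.dstport": 443, "tcp.analysis.flags": True},  # retransmission
    {"no": 5, "ip.src": "192.168.1.10", "ip.dst": "192.168.1.1", "udp": True,
     "udp.srcport": 40000, "udp.dstport": 53},                               # DNS
    {"no": 6, "ipv6.src": "2001:db8::10", "ipv6.dst": "2607:f8b0:400a:15::b",
     "tcp": True, "tcp.srcport": 51002, "tcp.dstport": 443},                 # IPv6 only
]

VIRTUAL = {"ip.addr": ("ip.src", "ip.dst"), "ipv6.addr": ("ipv6.src", "ipv6.dst"),
           "tcp.port": ("tcp.srcport", "tcp.dstport"), "udp.port": ("udp.srcport", "udp.dstport")}

def field_values(packet, name):
    """Values a field resolves to; ip.addr means ip.src OR ip.dst, as in Wireshark."""
    return [str(packet[n]) for n in VIRTUAL.get(name, (name,)) if n in packet]

# '!=' is deliberately not a token: its meaning on multi-valued fields changed in
# Wireshark 3.6, whereas the !( ... ) form used on this page is unambiguous everywhere.
TOKEN_RE = re.compile(r"&&|==|!|\(|\)|[A-Za-z0-9_.:]+")

def tokenize(expr):
    tokens = TOKEN_RE.findall(expr)
    if "".join(tokens) != "".join(expr.split()):   # something was not a valid token
        raise ValueError(f"bad filter: {expr!r}")
    return tokens

class Parser:
    """Recursive descent; ! binds tighter than &&, matching Wireshark precedence."""
    def __init__(self, expr):
        self.toks, self.i = tokenize(expr), 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self, expected=None):
        if self.peek() is None or (expected and self.peek() != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {self.peek()!r}")
        self.i += 1
        return self.toks[self.i - 1]
    def parse(self):
        node = self.parse_and()
        if self.peek() is not None:
            raise ValueError(f"unexpected {self.peek()!r}")
        return node
    def parse_and(self):
        left = self.parse_not()
        while self.peek() == "&&":
            self.take()
            left = (lambda l, r: lambda p: l(p) and r(p))(left, self.parse_not())
        return left
    def parse_not(self):
        if self.peek() == "!":
            self.take()
            inner = self.parse_not()
            return lambda p: not inner(p)
        if self.peek() == "(":
            self.take()
            node = self.parse_and()
            self.take(")")
            return node
        name = self.take()
        if self.peek() == "==":
            self.take()
            value = self.take()
            return lambda p: value in field_values(p, name)  # true if ANY value is equal
        return lambda p: bool(field_values(p, name))          # bare field = "is present"

def apply_filter(expr, packets=PACKETS):
    """Packet numbers the display filter keeps, i.e. the filtered packet list."""
    match = Parser(expr).parse()
    return [p["no"] for p in packets if match(p)]

# Simplified stand-ins for the default colouring rules in the table above. Wireshark tries
# rules top to bottom and the FIRST match wins, so "Bad TCP" must precede the general "TCP".
COLOR_RULES = [("Bad TCP", "tcp.analysis.flags", "black"), ("HTTP", "http", "light green"),
               ("TCP SYN", "tcp.flags.syn == 1", "dark gray"), ("TCP", "tcp", "light purple"),
               ("UDP", "udp", "light blue")]

def colorize(packet, rules=COLOR_RULES):
    for name, expr, color in rules:          # first matching rule decides the colour
        if Parser(expr).parse()(packet):
            return name, color
    return "none", "white"
```

Note that `!(ip.src == 192.168.1.10)` also keeps packet 6, which has no `ip.src` at all because it is IPv6; that is exactly how the negated form behaves in Wireshark, so check both protocol families when you expect to exclude a host.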

Do you want to know more about Wireshark?

If you want to dig a little deeper, check out the hour-long webinar titled Using Wireshark: A Practical Demonstration. It's available on demand; all you have to do is sign up and you'll be able to watch the video.

The following list provides links to Wireshark as well as actual packet captures that you can use to learn more. You can even download a quick "cheat sheet" in PDF format from Packetlife.net.

  • Wireshark website
  • Wireshark sample packet captures
  • Packet captures galore, with an emphasis on security
  • Packet captures per protocol
  • Additional packet captures


CompTIA Network+, CompTIA Security+ and CompTIA Cybersecurity Analyst (CySA+) all cover Wireshark and network packet capture, as well as other computer networking and cybersecurity topics. Online training tools like CompTIA CertMaster Learn and CompTIA Labs can help you improve your skills before becoming certified. Download the exam objectives for free to see which certification is right for you.

Read more about internet security.


What is Wireshark and how do you use it?

Wireshark is a network protocol analyzer, or an application that captures packets from a network connection, such as from your computer to your home office or the internet. Packet is the name given to a discrete unit of data in a typical Ethernet network. Wireshark is the most often-used packet sniffer in the world.

What is Wireshark quizlet?

What is Wireshark? Wireshark is a network packet analyzer. What is a network packet analyzer function? A network packet analyzer will try to capture network packets and tries to display that packet data as detailed as possible. Five free network analyzers worth any IT admin's time.

What are the main features of Wireshark?

  • Deep inspection of hundreds of protocols, with more being added all the time.
  • Live capture and offline analysis.
  • Standard three-pane packet browser.
  • Multi-platform: Runs on Windows, Linux, OS X, FreeBSD, NetBSD, and many others.
  • Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility.

How does Wireshark work?

How does Wireshark work? Wireshark is a packet sniffer and analysis tool. It captures data of traffic on the local network and stores that data for offline analysis. Wireshark captures network traffic from Ethernet, Bluetooth, Wireless, etc.

How do I capture data in Wireshark?

Capturing your traffic with Wireshark
  1. Select Capture | Interfaces.
  2. Select the interface on which packets need to be captured. ...
  3. Click the Start button to start the capture.
  4. Recreate the problem. ...
  5. Once the problem which is to be analyzed has been reproduced, click on Stop. ...
  6. Save the packet trace in the default format.
Aug 28, 2020

How do I pull an IP address from Wireshark?

Finding an IP address with Wireshark using ARP requests
  1. To get an IP address of an unknown host via ARP, start Wireshark and begin a session with the Wireshark capture filter set to arp, as shown above.
  2. Then wait for the unknown host to come online. ...
  3. Once you've spotted the request, click on it.

What problem can you solve by using Wireshark?

Common problems that Wireshark can help troubleshoot include dropped packets, latency issues, and malicious activity on your network. It lets you put your network traffic under a microscope, and provides tools to filter and drill down into that traffic, zooming in on the root cause of the problem.

Why do hackers use Wireshark?

Using packet analysis to sniff network traffic can achieve the following goals: Footprinting and reconnaissance: As a precursor to an active attack, hackers use Wireshark to capture unencrypted traffic in order to gather as much information about the target as possible.

What attacks can Wireshark detect?

This document is divided into sections that deal with different real attacks to local networks, such as ARP Spoof, DHCP Flooding, DNS Spoof, DDoS Attacks, VLAN Hopping, etc. Wireshark is used as the main support tool to help detect, or to a greater extent, analyse the problems generated by these attacks.

What can Wireshark be used for quizlet?

Wireshark can be used to view network traffic on any network in the world. Wireshark can only view traffic on a local NIC or from a saved pcap file.

What is TCP Wireshark?

By default, Wireshark's TCP dissector tracks the state of each TCP session and provides additional information when problems or potential problems are detected. Analysis is done once for each TCP packet when a capture file is first opened. Packets are processed in the order in which they appear in the packet list.

In what order do Wireshark coloring rules process?

Sequentially from top to bottom in the order they are listed, until a match is found for each packet. If there is no match, the Wireshark default Coloring rule is applied. Essentially, a more specific rule should be placed before a general rule to ensure that the Coloring rule is triggered during processing.

Can you tell if someone is using Wireshark on your network?

You can't detect a fully passive sniffer on the network, with "fully passive" meaning that the PC running Wireshark (or any other sniffing software) uses a network card with its TCP/IP stack disabled. That way the card will only listen and never talk, so you can't spot it on the network.

How is Wireshark used for security?

Like most packet sniffers out there, Wireshark captures, filters, and visualizes network data and traffic. It starts by accessing a network connection and grabbing whole sections of data traffic in real-time. It can capture anywhere from dozens to tens of thousands of data packets at a time.

Can Wireshark capture passwords?

Wireshark can capture not only passwords, but any type of data passing through a network – usernames, email addresses, personal information, pictures, videos, or anything else. Wireshark can sniff the passwords passing through as long as we can capture network traffic.

How do I monitor websites visited with Wireshark?

To use:
  1. Install Wireshark.
  2. Open your Internet browser.
  3. Clear your browser cache.
  4. Open Wireshark.
  5. Click on "Capture > Interfaces". ...
  6. You'll want to capture traffic that goes through your ethernet driver. ...
  7. Visit the URL that you wanted to capture the traffic from.
Oct 22, 2021

Can you sniff an IP address?

A network sniffing tool or an Address Resolution Protocol (ARP) scan can be used to intercept packets on a network and gather IP addresses to spoof.

Can you identify device by IP?

Every device has a unique address called IP (Internet Protocol) address on your network using which they connect to the internet. Every device on your network can be identified, even unknown IP addresses on routers, using the IP address.

Can you find someone's information with an IP address?

To clarify, it does not reveal your location. If someone was able to get your IP address they could learn a bit about your Internet service, such as which provider you use to connect to the Internet, but they really can't locate you, your home, or your office.

Is Wireshark a security tool?

Wireshark is a popular, free and open-source packet capture tool that enables network and security administrators to take a “deep dive” analysis into traffic moving through a network.

Can Wireshark be used for spying?

Under certain conditions - yes it can. Wireshark will capture packets your computer can see on its network interface.

What do hackers want the most?

Unfortunately, some attackers want to steal your data just to prove that they can. They are not motivated by monetary gain, access to free resources or the ability to steal your users' identities. They simply want to prove to themselves – and their hacker friends, perhaps – that they can break past your defenses.

What are the disadvantages of Wireshark?

It cannot run from outside a network. Wireshark doesn't facilitate packet injection; it doesn't capture a passing packet stream and enables new packets to be substituted for those already passing by.

Is Wireshark a security risk?

The developers providing code to Wireshark (literally hundreds) have very divergent programming experience, from advanced networking specialists to novice programmers, making it more likely that new bugs get in. As a result, Wireshark is more vulnerable to attacks than most other programs.

Does a VPN hide from Wireshark?

With a Wireshark VPN, you can browse the internet in complete anonymity while verifying that your Wireshark VPN traffic is actually being encrypted.

What tools does Wireshark have?

  • Dedicated capture tools.
  • Monitoring/tracing tools.
  • Traffic generators.
  • Capture file editors and/or anonymizers.
  • Capture file repair.
  • Capture file tools.
  • Capture file conversion.
  • Collections.

What are flags in Wireshark?

The TCP flags are: SYNchronization: Request a connection. ACKnowledgement: Acknowledges receipt of a packet. FINish: Gracefully closes a connection. ReSeT: Immediately terminates a connection.

How do I read a Wireshark capture?

Wireshark can read in previously saved capture files. To read them, simply select the File → Open menu or toolbar item. Wireshark will then pop up the "File Open" dialog box, which is discussed in more detail in Section 5.2.1, "The 'Open Capture File' Dialog Box".

How does Wireshark analyze traffic?

How does Wireshark work? Wireshark is a packet sniffer and analysis tool. It captures network traffic from Ethernet, Bluetooth, wireless (IEEE 802.11), token ring, and frame relay connections, among others, and stores that data for offline analysis.

Can Wireshark detect malware?

It lets administrators see what's happening on the network at a microscopic level. The purpose of this paper is to demonstrate how Wireshark is applied in network protocol diagnosis and can be used to find some basic indicators of compromise for a malware.

What does red and black mean in Wireshark?

For example, if Wireshark detects potential problems, it colors them with red text on a black field. Don't be too concerned if you see some packets that appear this way – it might indicate a problem, but then again it might not.

What does purple mean in Wireshark?

First, notice that packets are highlighted in a variety of colors. Wireshark uses colors to help identify the types of traffic. Light blue is used for UDP traffic, light purple for TCP traffic, and black identifies packets with errors. You can view and modify color rules by clicking View > Coloring Rules.

What can hackers do with Wireshark?

Wireshark can also be used as a tool for hackers. This usually involves reading and writing data transmitted over an unsecure or compromised network. Nefarious actors may seek out confidential data such as credit-card information, passwords, search queries, private messages, emails, financial transactions, and more.

What are things Wireshark can do?

Wireshark helps:
  • Network administrators troubleshoot problems across a network.
  • Security engineers examine security issues across a network.
  • QA engineers verify applications.
  • Developers debug protocol implementations.
  • Network users learn about a specific protocol.
Aug 19, 2022

Is Wireshark easy to learn?

Wireshark is much easier to learn when you take this course and try everything you see for yourself! Wireshark is a free open-source packet analyzer that is the number one tool for network analysis, troubleshooting, software and communications protocol development, and related education in networking.

Can you spy with Wireshark?

If you're on the same Wi-Fi network, it's as simple as opening Wireshark and configuring a few settings. We'll use the tool to decrypt WPA2 network traffic so we can spy on which applications a phone is running in real time.

What is the best way to learn Wireshark?

5 Best Wireshark Online Courses for Beginners in 2023
  1. Wireshark: Packet Analysis and Ethical Hacking: Core Skills [UDEMY] ...
  2. Wireshark for Basic Network Security Analysis [Coursera] ...
  3. Start Using Wireshark to Hack like a Pro [Udemy] ...
  4. Wireshark Essential Training Online Class [LinkedIn Learning]

Article information

Author: Nathanael Baumbach

Last Updated: 03/16/2023
