Wireshark
- Mukesh Chanderia
- May 6
- 7 min read
Updated: Sep 23
1. What is Wireshark?
Wireshark is a free, open-source packet capture and protocol analyzer.
It records the packets that cross the network interface you select and decodes each one protocol by protocol. On a switched network that is normally your own host's traffic plus broadcast/multicast; to see other hosts' traffic you need a mirror/SPAN port or a tap.
Think of it as a microscope for your network traffic.
Useful for:
Network admins (fix slow networks)
Security experts (spot attacks)
Developers (debug communication issues)
Students (learn about protocols like TCP, HTTP)
Example: If a website is slow, Wireshark shows whether the problem is with DNS, TCP handshake, or HTTP response.
2. Installing Wireshark
On Windows:
Download from wireshark.org
Install with default settings
Keep "Npcap" selected (needed for capturing packets)
The installer needs Administrator rights to set up the Npcap driver; afterwards Wireshark captures as a normal user unless you selected Npcap's "Restrict driver access to Administrators only" option
On macOS:
Download the .dmg file
Drag Wireshark to Applications
Open and allow in Security settings if needed
On Linux:
Ubuntu/Debian: sudo apt install wireshark (answer Yes when asked whether non-superusers should be able to capture; you can change this later with sudo dpkg-reconfigure wireshark-common)
Add your user to the wireshark group: sudo usermod -aG wireshark $USER
Log out and back in (check with the groups command)
3. Wireshark Interface Overview
Top Pane: List of all packets (1 row = 1 packet)
Middle Pane: Details of the selected packet
Bottom Pane: Raw data (in hex and text)
Toolbars:
Blue shark fin = Start capture
Red square = Stop capture
Filter bar = Type filters to show specific packets
4. Capturing Network Traffic
Open Wireshark
Pick your network interface (Wi-Fi, Ethernet)
(Optional) Add a capture filter (like tcp port 80)
Click the blue shark fin to start
Browse the internet or use apps
Click the red square to stop capture
Example: Use capture filter tcp port 80 to capture only traffic on the default plaintext HTTP port (HTTPS uses tcp port 443, and its payload is encrypted).
5. Using Filters
Capture Filters (set before capture, BPF syntax, cannot be changed while capturing):
host 192.168.0.1 – only this IP
port 53 – only DNS
Display Filters (applied after capture, Wireshark's own syntax, can be changed at any time):
http – show HTTP packets
ip.addr == 8.8.8.8 – traffic to/from Google DNS
tcp.flags.syn == 1 && tcp.flags.ack == 0 – TCP SYN only
Type in filter bar and press Enter (green = valid filter).
6. Reading Packets
TCP Handshake:
1st: SYN
2nd: SYN-ACK
3rd: ACK
Follow TCP Stream:
Right-click a packet > Follow > TCP Stream
See full conversation (e.g., HTTP GET + response)
Info Column Clues:
HTTP GET /index.html
200 OK (text/html)
Standard query A example.com (DNS)
7. Saving and Exporting
Save Capture File:
File > Save (saves full capture)
File > Export Specified Packets (only selected or filtered ones)
Export Data:
File > Export Packet Dissections > As Plain Text / CSV / JSON (the decoded fields, not the raw bytes)
File > Export Objects > HTTP (save files transferred over unencrypted HTTP, e.g. images or downloads)
Example: Use dns filter, then export displayed packets to a file called dns_only.pcapng
8. Advanced Features
Coloring Rules:
Wireshark highlights packets with color (e.g., red for errors)
View > Coloring Rules
Add custom rules (e.g., color all DNS in blue)
Profiles:
Different settings for different tasks
Create via Edit > Configuration Profiles
Switch from the bottom bar
Expert Info:
Analyze > Expert Info
Lists warnings and errors (e.g., retransmissions, resets)
Helps quickly spot network problems
Example: See many red packets with "RST" or "TCP Retransmission"? There could be packet loss or broken connections.
Summary
Wireshark helps see what's really happening in your network
Start with simple captures and filters
Use the UI panes to understand packet flow
Export and save key data for later
Use color, profiles, and expert tools to go deeper
A real-time troubleshooting scenario using Wireshark, broken down into easy step-by-step instructions.
Scenario: Website Is Very Slow to Load on One Computer
Problem: A user reports that opening https://example.com from their laptop is very slow, while it loads quickly on other devices.
Step-by-Step Troubleshooting Using Wireshark
Step 1: Prepare for the Capture
Goal: Capture only relevant packets (DNS, TCP, HTTP/HTTPS)
Open Wireshark (Run as Administrator on Windows)
Identify the active network interface (Wi-Fi or Ethernet): the small activity graph next to each interface name shows which one is carrying traffic.
Apply a capture filter (optional): to keep only web-related traffic use
port 53 or port 80 or port 443
This captures DNS, HTTP, and HTTPS (capture filters use BPF syntax and cannot be changed once the capture has started).
Step 2: Start Capturing Traffic
Click the interface name (e.g., Wi-Fi), or click the blue shark fin icon to start capturing.
Ask the user to open the slow website in their browser (e.g., Chrome or Firefox).
Wait for the page to fully load (or fail), then click the red square to stop capture.
🔍 Step 3: Filter and Analyze the Traffic
Now you’ll find out what’s taking time — DNS lookup, TCP handshake, or server response.
Step 3.1: Check DNS Resolution
Use display filter:
dns
Look for:
A packet like Standard query A example.com, followed by a Standard query response
Response time: the response carries a [Time: x.xxx seconds] field; filter dns.time > 0.5 to list only slow answers
Long delay (>500 ms) between query and response = slow DNS
Response errors (e.g., NXDOMAIN = name doesn't exist; dns.flags.rcode != 0 shows every error response)
💡 Tip: Right-click DNS query > Follow > UDP Stream to see DNS conversation.
Step 3.2: Check TCP Handshake
Use filter:
tcp.flags.syn == 1
Look for a SYN, followed by a SYN-ACK, then an ACK (the filter above shows the first two; tcp.flags.syn == 1 && tcp.flags.ack == 1 isolates the SYN-ACKs).
Large delay between SYN and SYN-ACK = network lag or an unresponsive server
SYN repeated with no SYN-ACK (Wireshark tags the repeats [TCP Retransmission]) = connection timeout; a firewall silently dropping the SYN looks exactly the same, while an immediate RST instead of a SYN-ACK means the port is closed or actively refused
💡 Tip: Click first SYN packet > Middle Pane (Packet Details) > TCP to view flags and timestamps.
Step 3.3: Analyze HTTP or HTTPS Traffic
Filter:
http
for plaintext HTTP, or
tls
for HTTPS (tcp.port == 443 also works, but tls shows the handshake messages by name).
Check for:
HTTP GET requests and their 200 OK or 301 Redirect responses (plaintext HTTP only)
For HTTPS the request and response are encrypted: you only see Client Hello, Server Hello, the certificate exchange and then Application Data, so measure the gap between Client Hello and Server Hello, and between the end of the handshake and the first Application Data from the server
Big time gaps? Server may be slow or busy
Tip: Right-click on an HTTP packet > Follow > TCP Stream to see the full conversation (for HTTPS you will only see encrypted bytes unless the session keys are loaded).
Step 4: Identify Common Issues
Symptom | Likely Cause
DNS query takes 2-3 seconds | Slow or incorrect DNS server
TCP handshake takes >1 s | Network lag or firewall interference
Long delay after GET request | Slow server response
Many [TCP Retransmission] packets | Packet loss
[RST] (Reset) from server | Server closed the connection early
TLS handshake fails | Server certificate/config issue
Step 5: Save Evidence
Apply display filter to show the problem
File > Export Specified Packets
Choose “Displayed” or “Marked”
Save as .pcapng and share for escalation or documentation
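To make the timing checks in Steps 3 and 4 concrete, here is an added Python example (not code from the original post) that takes a constructed capture of the same shape, parses the DNS and TCP headers with the standard library, pairs each DNS query with its response and each SYN with its SYN-ACK, and applies the thresholds from the symptom table. Addresses, ports and timings are hypothetical.

```python
"""Timing triage for the slow-page scenario above: pair DNS queries with
responses and SYNs with SYN-ACKs from raw packet bytes, then apply the
thresholds from the symptom table. Added example with constructed packets
(stdlib only); it is not code from the original post."""
import struct
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10          # TCP flag bits (tcp.flags.syn / tcp.flags.ack)

@dataclass
class Pkt:
    t: float        # capture timestamp in seconds, like Wireshark's Time column
    src: str
    dst: str
    proto: str      # "udp" carries a DNS message, "tcp" a TCP segment
    payload: bytes

def dns_header(msg):
    """(transaction id, is_response, rcode) from the 12-byte DNS header."""
    txid, flags = struct.unpack("!HH", msg[:4])
    return txid, bool(flags & 0x8000), flags & 0x000F

def tcp_header(seg):
    """(sport, dport, seq, ack, flags) from a TCP header."""
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", seg[:14])
    return sport, dport, seq, ack, off_flags & 0x01FF

def dns_delays(pkts):
    """Match each query to its response by transaction ID (what dns.time shows).
    Returns [(txid, seconds or None if unanswered, rcode or None)]."""
    pending, out = {}, []
    for p in (p for p in pkts if p.proto == "udp"):
        txid, is_resp, rcode = dns_header(p.payload)
        if not is_resp:
            pending[txid] = p.t
        elif txid in pending:
            out.append((txid, round(p.t - pending.pop(txid), 3), rcode))
    out.extend((txid, None, None) for txid in pending)
    return out

def handshake_delay(pkts, client, server):
    """Seconds from the client's SYN to the matching SYN-ACK, None if it never came."""
    syn_t = syn_seq = None
    for p in (p for p in pkts if p.proto == "tcp"):
        _, _, seq, ack, flags = tcp_header(p.payload)
        if p.src == client and (flags & (SYN | ACK)) == SYN:
            syn_t, syn_seq = p.t, seq
        elif (syn_t is not None and p.src == server
              and (flags & (SYN | ACK)) == (SYN | ACK) and ack == syn_seq + 1):
            return round(p.t - syn_t, 3)
    return None

def diagnose(pkts, client, server, dns_slow=0.5, hs_slow=1.0):
    """Apply the symptom table: slow DNS (>0.5 s), slow or missing handshake (>1 s)."""
    findings = []
    for txid, delay, rcode in dns_delays(pkts):
        if delay is None:
            findings.append(f"DNS query {txid:#06x} never answered")
        elif rcode == 3:
            findings.append(f"DNS NXDOMAIN for query {txid:#06x}")
        elif delay > dns_slow:
            findings.append(f"slow DNS: {delay}s")
    hs = handshake_delay(pkts, client, server)
    if hs is None:
        findings.append("no SYN-ACK: connection timeout or filtered")
    elif hs > hs_slow:
        findings.append(f"slow TCP handshake: {hs}s (network lag or firewall)")
    return findings

# --- constructed sample capture (hypothetical addresses and timings) ---
def dns_msg(txid, flags):
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + b"\x07example\x03com\x00\x00\x01\x00\x01"

def tcp_seg(sport, dport, seq, ack, flags):
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)

CLIENT, RESOLVER, SERVER = "192.168.1.20", "192.168.1.1", "93.184.216.34"
SAMPLE = [
    Pkt(0.000, CLIENT, RESOLVER, "udp", dns_msg(0x1234, 0x0100)),          # Standard query A
    Pkt(2.300, RESOLVER, CLIENT, "udp", dns_msg(0x1234, 0x8180)),          # response, 2.3 s later
    Pkt(2.310, CLIENT, SERVER, "tcp", tcp_seg(51000, 443, 1000, 0, SYN)),
    Pkt(3.520, SERVER, CLIENT, "tcp", tcp_seg(443, 51000, 7000, 1001, SYN | ACK)),
    Pkt(3.521, CLIENT, SERVER, "tcp", tcp_seg(51000, 443, 1001, 7001, ACK)),
]

if __name__ == "__main__":
    for line in diagnose(SAMPLE, CLIENT, SERVER):
        print(line)
```

On the constructed capture the two findings match the first two rows of the symptom table (slow DNS, slow handshake). The Pkt records carry exactly the columns you read off the packet list, so the same functions work on real traffic once you fill them from a capture.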
Wireshark Display Filters for BGPv6
All BGPv6 traffic (TCP/179 only):
tcp.port == 179 && ipv6
BGP Keepalives only:
bgp.type == 4
👉 Use this to see if keepalives are being sent by leaf and/or received from the PE.
BGP Open messages (session bring-up):
bgp.type == 1
BGP Update messages (route advertisements/withdrawals):
bgp.type == 2
BGP Notification messages (session errors):
bgp.type == 3
Keepalives per direction (leaf vs PE):
From leaf (source = leaf’s IPv6):
bgp.type == 4 && ipv6.src == 2a00:1028:1:dc::2
From PE (source = PE’s IPv6):
bgp.type == 4 && ipv6.src == 2a00:1028:1:dc::1
Filter on tcp.port == 179 && ipv6 → verify that keepalives flow in both directions (a BGP session is torn down when one side's hold timer expires without a keepalive from the peer).
Filter on icmpv6.type == 2 → check whether an ICMPv6 "Packet Too Big" message arrived (the trigger of the bug being investigated).
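The filters above count messages by type; the following added Python example (not from the original post) does the same on a constructed TCP/179 byte stream for each direction, using the 16-byte marker, length and type fields of the BGP message header, and decodes the NOTIFICATION that explains why a session dropped. The leaf and PE addresses are the ones used in the filters; the AS numbers, router IDs and message sequence are hypothetical.

```python
"""Classify the messages on a BGP-over-IPv6 session the way bgp.type does, and
count keepalives per direction. Added example on constructed bytes (stdlib only);
not code from the original post. The leaf/PE addresses are the ones used above."""
import struct

MARKER = b"\xff" * 16                         # every BGP message starts with 16 bytes of 0xff
BGP_TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE"}
NOTIFY_CODES = {1: "Message Header Error", 2: "OPEN Message Error", 3: "UPDATE Message Error",
                4: "Hold Timer Expired", 5: "Finite State Machine Error", 6: "Cease"}

def parse_bgp_stream(data):
    """Split one direction of a TCP/179 byte stream into (type name, body) messages."""
    msgs, off = [], 0
    while off + 19 <= len(data):
        if data[off:off + 16] != MARKER:
            raise ValueError(f"bad BGP marker at offset {off}")
        length, mtype = struct.unpack("!HB", data[off + 16:off + 19])
        if length < 19 or off + length > len(data):
            raise ValueError(f"bad BGP length {length} at offset {off}")
        msgs.append((BGP_TYPES.get(mtype, f"type {mtype}"), data[off + 19:off + length]))
        off += length
    return msgs

def keepalives_per_direction(streams):
    """streams maps a source IPv6 address to the bytes it sent on the session
    (what `bgp.type == 4 && ipv6.src == <addr>` would count)."""
    return {src: sum(1 for kind, _ in parse_bgp_stream(data) if kind == "KEEPALIVE")
            for src, data in streams.items()}

def notifications(streams):
    """(source, error name, subcode) for every NOTIFICATION, i.e. who ended the session and why."""
    out = []
    for src, data in streams.items():
        for kind, body in parse_bgp_stream(data):
            if kind == "NOTIFICATION":
                out.append((src, NOTIFY_CODES.get(body[0], f"code {body[0]}"), body[1]))
    return out

def open_params(body):
    """Version, AS, hold time and router ID from an OPEN body (optional parameters skipped)."""
    version, asn, hold, rid = struct.unpack("!BHH4s", body[:9])
    return {"version": version, "asn": asn, "hold_time": hold, "router_id": ".".join(map(str, rid))}

# --- constructed session: hypothetical leaf and PE, the PE gives up on its hold timer ---
def bgp_msg(mtype, body=b""):
    return MARKER + struct.pack("!HB", 19 + len(body), mtype) + body

def bgp_open(asn, hold, router_id):
    return bgp_msg(1, struct.pack("!BHH4sB", 4, asn, hold, bytes(map(int, router_id.split("."))), 0))

LEAF, PE = "2a00:1028:1:dc::2", "2a00:1028:1:dc::1"
SAMPLE = {
    LEAF: bgp_open(65001, 90, "10.0.0.2") + bgp_msg(4) * 3,
    PE: bgp_open(65000, 90, "10.0.0.1") + bgp_msg(4) + bgp_msg(3, bytes([4, 0])),
}

if __name__ == "__main__":
    print(keepalives_per_direction(SAMPLE))   # keepalives seen from each side
    print(notifications(SAMPLE))              # who tore the session down and why
```

In the sample the leaf keeps sending keepalives while the PE sends only one and then a NOTIFICATION "Hold Timer Expired", which is the pattern you would look for with the per-direction filters when the leaf's keepalives are not reaching the PE.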
ARP (Address Resolution Protocol)
1. What is ARP?
ARP is used to map IP addresses → MAC addresses.
Example: If PC1 wants to talk to 192.168.1.5, it first asks:
“Who has 192.168.1.5? Tell me your MAC.”
2. ARP Packet Types
ARP Request (Opcode = 1) → Broadcast → “Who has X.X.X.X?”
ARP Reply (Opcode = 2) → Unicast → “I am X.X.X.X, here’s my MAC.”
RARP (Reverse ARP) → obsolete, used by diskless devices.
Display filter: arp
Lab Exercise
Open your arp-storm.pcap.
Apply filter: arp.opcode == 1 (only requests).
Apply filter: arp.opcode == 2 (only replies).
RARP (Reverse Address Resolution Protocol)
1. What is RARP?
ARP: IP → MAC (Find MAC when you know IP).
RARP: MAC → IP (Find IP when you only know MAC).
👉 It was used by diskless workstations/servers (with no hard drive). At boot, they know their MAC (burned into the NIC), but not their IP. So they ask:
“This is my MAC: aa:bb:cc:dd:ee:ff — can anyone tell me my IP?”
Today, RARP is obsolete and replaced by DHCP.
2. RARP Packet Types
RARP Request (Opcode = 3) → Broadcast → “Who knows my IP for MAC aa:bb:cc:dd:ee:ff?”
RARP Reply (Opcode = 4) → Unicast → “MAC aa:bb:cc:dd:ee:ff should use IP 192.168.1.100.”
Look at Opcode field in the middle pane:
3 = RARP Request.
4 = RARP Reply.
Apply filter: arp.opcode == 3 (only RARP requests)
Apply filter: arp.opcode == 4 (only RARP replies)
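To tie the four opcode values together, here is an added Python example (not code from the original post) that parses raw ARP/RARP bodies, rebuilds the Info column text for all four opcodes, counts them the way the four arp.opcode filters would, and flags a sender that floods requests like the one in arp-storm.pcap. All frames are constructed and the addresses are hypothetical; the 50-requests-per-second storm threshold is an arbitrary starting point.

```python
"""Decode ARP/RARP bodies the way Wireshark's Info column does, count the four
opcodes and spot an ARP storm source. Added example on constructed frames
(stdlib only); not code from the original post."""
import struct
from collections import Counter

OPCODES = {1: "ARP request", 2: "ARP reply", 3: "RARP request", 4: "RARP reply"}

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def ip4(b):
    return ".".join(str(x) for x in b)

def parse_arp(body):
    """Parse a 28-byte Ethernet/IPv4 ARP or RARP body (Ethernet header already stripped)."""
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", body[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP body")
    return {"opcode": op, "kind": OPCODES.get(op, f"opcode {op}"),
            "sha": mac(body[8:14]), "spa": ip4(body[14:18]),
            "tha": mac(body[18:24]), "tpa": ip4(body[24:28])}

def info_column(a):
    """Text modeled on Wireshark's Info column for the four opcodes."""
    if a["opcode"] == 1:
        return f"Who has {a['tpa']}? Tell {a['spa']}"
    if a["opcode"] == 2:
        return f"{a['spa']} is at {a['sha']}"
    if a["opcode"] == 3:
        return f"Who is {a['tha']}? Tell {a['sha']}"
    if a["opcode"] == 4:
        return f"{a['tha']} is at {a['tpa']}"
    return a["kind"]

def opcode_counts(frames):
    """What the arp.opcode == 1 ... == 4 filters would each leave displayed."""
    return Counter(parse_arp(body)["kind"] for _, body in frames)

def arp_storm_sources(frames, threshold=50):
    """Sender IPs that issue more than `threshold` ARP requests in any one-second bucket."""
    per_second = Counter()
    for t, body in frames:
        a = parse_arp(body)
        if a["opcode"] == 1:
            per_second[(a["spa"], int(t))] += 1
    return sorted({spa for (spa, _), n in per_second.items() if n > threshold})

# --- constructed frames: (timestamp, ARP body); addresses are hypothetical ---
def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))

def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))

def build_arp(op, sha, spa, tha, tpa):
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa)

ZERO_MAC = "00:00:00:00:00:00"
SAMPLE = [
    (0.00, build_arp(1, "00:11:22:33:44:10", "192.168.1.10", ZERO_MAC, "192.168.1.5")),
    (0.01, build_arp(2, "00:11:22:33:44:05", "192.168.1.5", "00:11:22:33:44:10", "192.168.1.10")),
    (1.00, build_arp(3, "aa:bb:cc:dd:ee:ff", "0.0.0.0", "aa:bb:cc:dd:ee:ff", "0.0.0.0")),
    (1.02, build_arp(4, "00:11:22:33:44:01", "192.168.1.1", "aa:bb:cc:dd:ee:ff", "192.168.1.100")),
]
# one host asking for 200 different addresses inside a single second: the "storm"
SAMPLE += [(2.0 + n / 1000, build_arp(1, "00:11:22:33:44:77", "192.168.1.77", ZERO_MAC, f"192.168.1.{n % 254 + 1}"))
           for n in range(200)]

if __name__ == "__main__":
    print(opcode_counts(SAMPLE))
    print(arp_storm_sources(SAMPLE))
    for _, body in SAMPLE[:4]:
        print(info_column(parse_arp(body)))
```

The first four frames are one ARP exchange and one RARP exchange, so the counter shows 1 of each reply type; the request count is 201 because of the burst from 192.168.1.77, which is the only source the storm check returns.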
IPv4 Basics
1. What is IPv4?
Internet Protocol version 4.
Provides logical addressing (32-bit IP addresses).
IP = like a postal address → tells packets where to go.
2. IPv4 Header Fields (things the exam loves to test)
In Wireshark, click any IPv4 packet → expand Internet Protocol Version 4.
Key fields:
Source & Destination IP → who’s talking.
TTL (Time To Live) → decreases by 1 at every router hop.
If it reaches 0 → packet discarded.
Exam trick: TTL can help estimate hops away.
Protocol → tells which Layer 4 protocol is inside (e.g., TCP = 6, UDP = 17, ICMP = 1).
Identification (IP ID) → same value on every fragment of one datagram, so the receiver can reassemble them.
Flags → Don’t Fragment (DF), More Fragments (MF).
Header Checksum → error check.
3. Exam Traps
Private IP ranges:
10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16.
APIPA (Automatic Private IP Addressing): 169.254.x.x.
NAT changes IP headers.
TTL values:
Windows often starts at 128.
Linux/Unix often starts at 64.
Cisco often starts at 255.
If you capture a TTL of 118, and default was 128, the host is ~10 hops away.
4. Hands-On
In Wireshark:
Open any IPv4 capture
Apply filter:
ip
(shows only IPv4 traffic).
Use Analyze → Decode As… (also available by right-clicking the packet) if Wireshark misidentifies a protocol, e.g. a service running on a non-standard port.
Check Statistics → Protocol Hierarchy → see how much of the capture is IPv4 and what rides on top of it.
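To see those fields outside the GUI, here is an added Python example (not from the original post) that decodes an IPv4 header with the standard library, verifies the header checksum, applies the private/APIPA ranges, and turns a TTL into the hop estimate from the exam trick (nearest common initial TTL minus the observed value). The packet is constructed and the addresses are hypothetical.

```python
"""Decode the IPv4 header fields listed above, verify the header checksum, and
turn an observed TTL into a hop estimate from the common initial values.
Added example on constructed packets (stdlib only); not code from the original post."""
import ipaddress
import struct

PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
INITIAL_TTLS = (64, 128, 255)                     # Linux/Unix, Windows, Cisco defaults
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APIPA = ipaddress.ip_network("169.254.0.0/16")

def ipv4_checksum(header):
    """RFC 1071 ones'-complement sum over the header with the checksum field zeroed."""
    header = header[:10] + b"\x00\x00" + header[12:]
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4(pkt):
    """The fields Wireshark shows under 'Internet Protocol Version 4'."""
    (ver_ihl, _tos, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20:
        raise ValueError("not an IPv4 header")
    return {
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
        "ttl": ttl, "protocol": PROTOCOLS.get(proto, str(proto)),
        "id": ident,
        "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,       # stored in 8-byte units
        "header_len": ihl, "total_len": total_len,
        "checksum_ok": ipv4_checksum(pkt[:ihl]) == csum,
    }

def estimate_hops(ttl):
    """(assumed initial TTL, hops) using the nearest common initial value at or above ttl."""
    initial = min(t for t in INITIAL_TTLS if t >= ttl)
    return initial, initial - ttl

def classify_address(addr):
    a = ipaddress.IPv4Address(addr)
    if a in APIPA:
        return "APIPA"
    if any(a in net for net in PRIVATE):
        return "private"
    return "public"

# --- constructed packet: hypothetical web server replying to a LAN host ---
def build_ipv4(src, dst, ttl, proto, ident=0x1C46, df=True):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ident, 0x4000 if df else 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

SAMPLE = build_ipv4("93.184.216.34", "192.168.1.20", ttl=118, proto=6)

if __name__ == "__main__":
    fields = parse_ipv4(SAMPLE)
    print(fields)
    print(estimate_hops(fields["ttl"]))       # (128, 10): a Windows-like host about 10 hops away
    print(classify_address(fields["dst"]))    # private
```

The hop estimate is only as good as the guess about the initial TTL: a value of 118 is read as a Windows host 10 hops away, but the same packet from a Cisco device would mean 137 hops, which is why Wireshark shows the raw TTL and leaves the interpretation to you.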
IPv6 Basics
Your capture: v6.pcap
1. IPv6 Overview
128-bit addresses (vs 32-bit IPv4).
Written in hexadecimal: 2001:0db8:85a3::8a2e:0370:7334.
Designed because IPv4 addresses are running out.
2. IPv6 Address Types
Link-Local (fe80::/10) → auto-configured on every interface, only valid on the local link, never routed.
Global Unicast (2000::/3) → routable on the Internet, like an IPv4 public address.
Multicast (ff00::/8) → replaces broadcast (e.g., ff02::1 = all nodes on the link).
Anycast → same IP used by multiple servers, routing sends to the "nearest."
3. IPv6 Header Fields
Version = 6
Traffic Class = like IPv4 TOS/DSCP.
Flow Label = for QoS/stream identification.
Payload Length = bytes after the fixed 40-byte header (extension headers included).
Next Header = protocol inside (e.g., 6 = TCP, 17 = UDP, 58 = ICMPv6), or an extension header such as 44 = Fragment that in turn names the real protocol.
Hop Limit = like IPv4 TTL.
4. Hands-On with Your v6.pcap
In Wireshark:
Apply filter:
ipv6
Check Source & Destination → you should see IPv6 addresses like fe80::... (link-local) or 2001:... (global unicast).
Look at Next Header field → tells you if it’s TCP, UDP, or ICMPv6 inside.
Flashcards
Q: What IPv4 field decreases by 1 at each hop? A: TTL (Time To Live).
Q: Which IPv4 range is APIPA? A: 169.254.0.0/16.
Q: Which IPv6 address type always starts with fe80? A: Link-Local.
Q: In IPv6, what field replaces IPv4's TTL? A: Hop Limit.
Lab Exercise
Open v6.pcap.
Apply filter: ipv6.
Find: Which IPv6 address types are in the capture (Link-local? Global?).
Expand IPv6 header → note Next Header value.
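Here is an added Python example (not from the original post) that decodes the IPv6 header fields above, classifies each address type, and follows the Next Header chain through any extension headers to the real upper-layer protocol, which is the detail the plain ipv6 filter hides: a Fragment header makes Next Header read 44 even though TCP is inside. Packets are constructed; the 2001:db8:: prefix is the documentation range and the rest is hypothetical.

```python
"""Decode the IPv6 header fields listed above, walk any extension headers to the
real upper-layer protocol, and classify each address (link-local, global, ...).
Added example on constructed packets (stdlib only); not code from the original post."""
import ipaddress
import struct

UPPER_LAYER = {6: "TCP", 17: "UDP", 58: "ICMPv6"}
EXT_HEADERS = {0: "Hop-by-Hop Options", 43: "Routing", 44: "Fragment", 60: "Destination Options"}

def address_type(addr):
    a = ipaddress.IPv6Address(addr)
    if a.is_unspecified:
        return "unspecified"
    if a.is_loopback:
        return "loopback"
    if a.is_multicast:                         # ff00::/8
        return "multicast"
    if a.is_link_local:                        # fe80::/10
        return "link-local"
    if a in ipaddress.ip_network("fc00::/7"):
        return "unique-local"
    if a in ipaddress.ip_network("2000::/3"):
        return "global-unicast"
    return "other"

def parse_ipv6(pkt):
    """The fixed 40-byte header, then the extension-header chain up to TCP/UDP/ICMPv6."""
    first, payload_len, nxt, hop_limit = struct.unpack("!IHBB", pkt[:8])
    if first >> 28 != 6:
        raise ValueError("not an IPv6 header")
    src, dst = ipaddress.IPv6Address(pkt[8:24]), ipaddress.IPv6Address(pkt[24:40])
    chain, off = [], 40
    while nxt in EXT_HEADERS:                  # Next Header may name an extension header, not a protocol
        chain.append(EXT_HEADERS[nxt])
        if nxt == 44:                          # Fragment header is always 8 bytes
            nxt, ext_len = pkt[off], 8
        else:                                  # others: length field counts 8-byte units beyond the first
            nxt, ext_len = pkt[off], (pkt[off + 1] + 1) * 8
        off += ext_len
    return {
        "traffic_class": (first >> 20) & 0xFF, "flow_label": first & 0xFFFFF,
        "payload_length": payload_len, "hop_limit": hop_limit,
        "src": str(src), "dst": str(dst),
        "src_type": address_type(str(src)), "dst_type": address_type(str(dst)),
        "extension_headers": chain, "upper_layer": UPPER_LAYER.get(nxt, str(nxt)),
        "upper_layer_offset": off,
    }

# --- constructed packets; 2001:db8::/32 is the documentation prefix, the rest is hypothetical ---
def build_ipv6(src, dst, next_header, hop_limit, payload, flow_label=0x12345):
    first = (6 << 28) | flow_label             # version 6, traffic class 0
    return (struct.pack("!IHBB", first, len(payload), next_header, hop_limit)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload)

# Neighbor-discovery-style ICMPv6 from a link-local address to the all-nodes multicast group
NDP = build_ipv6("fe80::1", "ff02::1", 58, 255, b"\x86\x00\x00\x00\x40\x00\x07\x08")
# Global-unicast TCP segment carried behind a Fragment extension header (Next Header 44, then 6)
FRAG_TCP = build_ipv6("2001:db8::10", "2001:db8::20", 44, 64,
                      struct.pack("!BBHI", 6, 0, 0, 0xDEADBEEF) + bytes(20))

if __name__ == "__main__":
    for pkt in (NDP, FRAG_TCP):
        print(parse_ipv6(pkt))
```

The second packet is the case to remember for the lab: the header's Next Header field says 44, and only after the 8-byte Fragment header does the chain reach TCP, which is exactly how Wireshark lists it under the IPv6 tree.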
Example display filter: ICMPv6 to or from one address within a nine-second window (frame.time compares against an absolute timestamp):
icmpv6 && ipv6.addr == 240b:c020:104:54c0:ae28:2:1c:3a11 && frame.time >= "Sep 17, 2025 14:00:56" && frame.time <= "Sep 17, 2025 14:01:05"