
Wireshark

  • Writer: Mukesh Chanderia
  • 6 days ago

1. What is Wireshark?

  • Wireshark is a network packet capture tool.

  • It shows every packet of data moving through your network.

  • Think of it like a microscope for your internet traffic.

  • Useful for:

    • Network admins (fix slow networks)

    • Security experts (spot attacks)

    • Developers (debug communication issues)

    • Students (learn about protocols like TCP, HTTP)

Example: If a website is slow, Wireshark shows whether the problem is with DNS, TCP handshake, or HTTP response.

2. Installing Wireshark

On Windows:

  • Download from wireshark.org

  • Install with default settings

  • Keep "Npcap" selected (needed for capturing packets)

  • Run as Administrator the first time

On macOS:

  • Download the .dmg file

  • Drag Wireshark to Applications

  • Open and allow in Security settings if needed

On Linux:

  • Ubuntu: sudo apt install wireshark

  • Add your user to the Wireshark group: sudo usermod -aG wireshark $USER

  • Log out and back in

3. Wireshark Interface Overview

  • Top Pane: List of all packets (1 row = 1 packet)

  • Middle Pane: Details of the selected packet

  • Bottom Pane: Raw data (in hex and text)

  • Toolbars:

    • Blue shark fin = Start capture

    • Red square = Stop capture

    • Filter bar = Type filters to show specific packets

4. Capturing Network Traffic

  1. Open Wireshark

  2. Pick your network interface (Wi-Fi, Ethernet)

  3. (Optional) Add a capture filter (like tcp port 80)

  4. Click the blue shark fin to start

  5. Browse the internet or use apps

  6. Click the red square to stop capture

Example: Use capture filter tcp port 80 to capture only HTTP traffic.

5. Using Filters

Capture Filters (before capture):

  • host 192.168.0.1 – only this IP

  • port 53 – only DNS

Display Filters (after capture):

  • http – show HTTP packets

  • ip.addr == 8.8.8.8 – traffic to/from Google DNS

  • tcp.flags.syn == 1 && tcp.flags.ack == 0 – TCP SYN only

Type the filter in the filter bar and press Enter (a green bar means the filter is valid).

6. Reading Packets

TCP Handshake:

  • 1st: SYN

  • 2nd: SYN-ACK

  • 3rd: ACK

Follow TCP Stream:

  • Right-click > Follow TCP Stream

  • See full conversation (e.g., HTTP GET + response)

Info Column Clues:

  • HTTP GET /index.html

  • 200 OK (text/html)

  • Standard query A example.com (DNS)

7. Saving and Exporting

Save Capture File:

  • File > Save (saves full capture)

  • File > Export Specified Packets (only selected or filtered ones)

Export Data:

  • Export to text, CSV, or JSON

  • File > Export Objects > HTTP (download images/files sent over HTTP)

Example: Use the dns display filter, then export the displayed packets to a file called dns_only.pcapng.

8. Advanced Features

Coloring Rules:

  • Wireshark highlights packets with color (e.g., red for errors)

  • View > Coloring Rules

  • Add custom rules (e.g., color all DNS in blue)

Profiles:

  • Different settings for different tasks

  • Create via Edit > Configuration Profiles

  • Switch from the bottom bar

Expert Info:

  • Analyze > Expert Info

  • Lists warnings and errors (e.g., retransmissions, resets)

  • Helps quickly spot network problems

Example: See many red packets with "RST" or "TCP Retransmission"? There could be packet loss or broken connections.

Summary

  • Wireshark helps see what's really happening in your network

  • Start with simple captures and filters

  • Use the UI panes to understand packet flow

  • Export and save key data for later

  • Use color, profiles, and expert tools to go deeper



The following is a real-time troubleshooting scenario using Wireshark, broken down into easy step-by-step instructions.


Scenario: Website Is Very Slow to Load on One Computer

Problem: A user reports that opening https://example.com from their laptop is very slow, while it loads quickly on other devices.


Step-by-Step Troubleshooting Using Wireshark


Step 1: Prepare for the Capture

Goal: Capture only relevant packets (DNS, TCP, HTTP/HTTPS)

  1. Open Wireshark (Run as Administrator on Windows)

  2. Identify the active network interface (Wi-Fi or Ethernet); it is usually the one whose activity graph is moving in the interface list.

  3. Apply a capture filter (optional): You could use this to capture just web traffic:

    port 53 or port 80 or port 443

    This captures DNS, HTTP, and HTTPS.

Step 2: Start Capturing Traffic

  1. Click the interface name (e.g., Wi-Fi), or click the blue shark fin icon to start capturing.

  2. Ask the user to open the slow website in their browser (e.g., Chrome or Firefox).

  3. Wait for the page to fully load (or fail), then click the red square to stop capture.

🔍 Step 3: Filter and Analyze the Traffic

Now you’ll find out what’s taking time — DNS lookup, TCP handshake, or server response.

Step 3.1: Check DNS Resolution

  1. Use display filter:

    dns

  2. Look for:

    • A packet like Standard query A example.com

    • Response time (Time column: hover to see delay)

    • Long delay (>500ms) between query and response = Slow DNS

    • Response errors (e.g., NXDOMAIN = domain doesn’t exist)

💡 Tip: Right-click the DNS query > Follow > UDP Stream to see the whole DNS conversation.

Step 3.2: Check TCP Handshake

  1. Use filter:

    tcp.flags.syn == 1

  2. Look for a SYN, followed by a SYN-ACK, then an ACK.

    • Large delay between SYN and SYN-ACK = Network lag or server unresponsive

    • Missing SYN-ACK = Connection timeout

💡 Tip: Click first SYN packet > Middle Pane (Packet Details) > TCP to view flags and timestamps.

Step 3.3: Analyze HTTPS or HTTP Traffic

  1. Filter:

    http

    or

    tcp.port == 443

  2. Check for:

    • HTTP GET requests

    • 200 OK or 301 Redirect responses

    • Big time gaps? Server may be slow or busy

Tip: Right-click on an HTTP packet > Follow TCP Stream to see the full conversation.


Step 4: Identify Common Issues

Symptom                            | Likely Cause
-----------------------------------|--------------------------------------
DNS query takes 2-3 seconds        | Slow or incorrect DNS server
TCP handshake takes >1s            | Network lag or firewall interference
Long delay after GET request       | Slow server response
Many [TCP Retransmission] packets  | Packet loss
[RST] (Reset) from server          | Server closed connection early
SSL Handshake fails                | Server certificate/config issue

Step 5: Save Evidence

  1. Apply display filter to show the problem

  2. File > Export Specified Packets

  3. Choose “Displayed” or “Marked”

  4. Save as .pcapng and share for escalation or documentation
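The checks from Steps 3 and 4 (DNS query-to-response delay, SYN to SYN-ACK delay, retransmissions and resets, the same things the Section 5 and 6 filters pick out) can also be run over the saved evidence instead of clicking through each packet. The following is an added example, not code from the original post: it reads a CSV export in the layout of Wireshark's File > Export Packet Dissections > As CSV (the rows below are constructed, the server address 203.0.113.10 and the matching of DNS queries to responses by the 0x transaction ID in the Info column are assumptions) and applies the thresholds from Steps 3.1, 3.2 and the Step 4 table.

```python
import csv, io, re
# Constructed sample (not a real capture) in the layout of Wireshark's
# File > Export Packet Dissections > As CSV; Time is seconds since capture start.
SAMPLE_CSV = """\
"No.","Time","Source","Destination","Protocol","Length","Info"
"1","0.000000","192.168.0.10","192.168.0.1","DNS","74","Standard query 0x1a2b A example.com"
"2","2.400000","192.168.0.1","192.168.0.10","DNS","90","Standard query response 0x1a2b A example.com A 203.0.113.10"
"3","2.401000","192.168.0.10","203.0.113.10","TCP","74","52000 → 443 [SYN] Seq=0 Win=64240 Len=0"
"4","3.650000","203.0.113.10","192.168.0.10","TCP","74","443 → 52000 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0"
"5","3.700000","192.168.0.10","203.0.113.10","TCP","1514","[TCP Retransmission] 52000 → 443 [PSH, ACK] Seq=1 Ack=1 Len=1448"
"6","3.900000","192.168.0.10","203.0.113.10","TCP","1514","[TCP Retransmission] 52000 → 443 [PSH, ACK] Seq=1 Ack=1 Len=1448"
"7","4.100000","203.0.113.10","192.168.0.10","TCP","60","443 → 52000 [RST, ACK] Seq=1 Ack=1449 Win=0 Len=0"
"""

def parse_export(text):
    """Rows of the CSV export as dicts, with the Time column converted to float seconds."""
    return [dict(r, Time=float(r["Time"])) for r in csv.DictReader(io.StringIO(text))]

def dns_delays(rows):
    """Query-to-response delay per DNS transaction ID (the 0x.... value in the Info column)."""
    sent, delays = {}, {}
    for row in (r for r in rows if r["Protocol"] == "DNS"):
        txid = re.search(r"0x[0-9a-fA-F]+", row["Info"]).group()
        if "response" not in row["Info"]:
            sent[txid] = row["Time"]
        elif txid in sent:
            delays[txid] = round(row["Time"] - sent[txid], 6)
    return delays

def handshake_delay(rows, server):
    """Seconds from the first SYN to the server's first SYN-ACK; None if no SYN-ACK arrives."""
    syn = [r["Time"] for r in rows if "[SYN]" in r["Info"] and r["Destination"] == server]
    synack = [r["Time"] for r in rows if "[SYN, ACK]" in r["Info"] and r["Source"] == server]
    return round(synack[0] - syn[0], 6) if syn and synack else None

def diagnose(rows, server):
    """Apply the Step 4 symptom table and return the likely causes present in the export."""
    findings = []
    if any(d > 0.5 for d in dns_delays(rows).values()):  # Step 3.1: >500 ms = slow DNS
        findings.append("Slow or incorrect DNS server")
    hs = handshake_delay(rows, server)
    if hs is None or hs > 1.0:  # Step 3.2 / Step 4: missing SYN-ACK, or handshake >1 s
        findings.append("Connection timeout" if hs is None else "Network lag or firewall interference")
    if sum("[TCP Retransmission]" in r["Info"] for r in rows) >= 2:
        findings.append("Packet loss")
    if any(r["Source"] == server and "[RST" in r["Info"] for r in rows):
        findings.append("Server closed connection early")
    return findings
```

On the constructed sample every check fires except the missing SYN-ACK one, so `diagnose(parse_export(SAMPLE_CSV), "203.0.113.10")` lists slow DNS, network lag, packet loss and the early server reset in that order.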
