Wireshark for Beginners: What to Actually Look For

I’ve lost count of how many students I’ve watched download Wireshark, fire it up, and immediately look like deer in headlights. Packets start flying across the screen, hundreds per second, and they have absolutely no idea what any of it means. Most close the application within ten minutes and never open it again.

That’s not their fault. It’s a teaching problem. Most Wireshark tutorials fall into one of two camps: either they assume you already have a networking degree and dive straight into advanced stuff, or they walk you through clicking buttons without ever explaining why. Neither approach actually builds skills you can use.

After years of building curriculum for our Security+ certification program, I’ve figured out what actually works: answer the “what am I looking for?” question first. Once that clicks, everything else falls into place. So forget the exhaustive feature tour. Let’s focus on practical packet analysis you can start using today.

You don’t need to memorize every Wireshark feature. You need to understand network traffic well enough that something weird makes you go “wait, that’s not right.”

What Is Wireshark Actually Doing?

Before we get into the how, let’s nail down the what. Wireshark is a packet analyzer. It grabs the raw data traveling through your network interface and translates it into something humans can actually read. Think of it like a translator that converts all those ones and zeros flowing through your network cable into structured information showing you exactly what’s going on.

Every time you hit a website, send an email, or connect to anything on a network, your computer exchanges packets with other systems. These packets have headers (addressing info about where things came from and where they’re going) and payloads (the actual data). Wireshark lets you see all of it. That’s incredibly useful for troubleshooting network problems, figuring out how applications communicate, and spotting suspicious activity.

It’s free, open source, and runs on Windows, Mac, and Linux. Grab it from wireshark.org. If you’re on Windows, make sure you install Npcap when it asks during setup. That’s the piece that actually captures packets from your network card. If you’re working in Linux, you’ll want to pair Wireshark skills with essential Linux security commands for a complete toolkit.

The Three Panel Layout You Need to Understand

When you start capturing and packets start rolling in, Wireshark shows them in three panels. Get your head around what each one does and everything else will make way more sense.

The Packet List (top panel) shows every captured packet as a single row. You get the packet number, timestamp, source address, destination address, protocol, length, and a quick info summary. This is your bird’s eye view. Scan this panel to spot interesting traffic, then click on specific packets to dig deeper.

The Packet Details (middle panel) breaks down whichever packet you’ve selected, layer by layer. You’ll see expandable sections for each protocol layer: Ethernet frame stuff, IP header details, TCP or UDP info, and finally whatever application protocol is running on top (HTTP, DNS, TLS, whatever). This follows the OSI model from your networking fundamentals. If you need a refresher on that, our complete CCNA guide covers the foundational knowledge that makes packet analysis click. Click the little arrows to expand each section.

The Packet Bytes (bottom panel) shows the raw hex and ASCII of the packet data. Honestly, most beginners ignore this one, and that’s fine at first. But it’s handy when you need to see exactly what bytes got transmitted. Click on any field in the middle panel and the corresponding bytes light up down here. It connects the human readable stuff to what’s actually on the wire.

Your First Capture: Start Simple

Alright, let’s actually do something. Here’s a simple exercise that won’t overwhelm you.

Open Wireshark and you’ll see a list of network interfaces. Pick the one you’re actually using (your Ethernet or Wi-Fi adapter). The active one will have a little squiggly activity graph showing traffic. Double click it to start capturing.

Packets immediately start flooding in. Don’t panic. This is totally normal. Don’t try to read them all. Instead, open your browser and visit a simple HTTP site (not HTTPS, since we want to see unencrypted traffic for this exercise). Try neverssl.com, which exists specifically for testing unencrypted connections.

Once the page loads, hit the red square button to stop capturing. Now you’ve got a capture file with everything that happened during that window. The trick is finding the relevant packets in all that noise.

Filters Are Everything: Learn These First

Filters are what make Wireshark actually usable. Without them, you’re drowning in an ocean of packets trying to find specific ones. With them, you can instantly zero in on exactly what you need. Learn a handful of essential filters and you’ll handle 90% of what comes your way.

Quick note: Wireshark has both capture filters and display filters. Capture filters limit what gets recorded before you start. Display filters change what’s shown after the fact without deleting anything. For now, just focus on display filters. You can always narrow down what you’re looking at without losing any data.

Combining Filters

You can combine filters using logical operators. Use and or && to require both conditions. Use or or || for either condition. Use not or ! to exclude.

For example: ip.addr == 192.168.1.100 and tcp.port == 80 shows only HTTP traffic to or from that specific host. Or dns or http shows both DNS and HTTP traffic. These combinations let you build precise queries for exactly what you’re investigating.

Following Streams: The Feature That Changes Everything

Looking at individual packets is like reading random words pulled from a conversation. Makes no sense. To understand what actually happened, you need to see the whole conversation assembled in order. That’s what “Follow Stream” does, and honestly, it’s probably the single most useful thing in Wireshark.

Right click any packet that’s part of a TCP connection and select Follow, then TCP Stream. Wireshark pops up a new window showing the complete back and forth between both endpoints, all reassembled in the right order. Client traffic shows in one color, server responses in another. You can read the actual data as the applications saw it.

For unencrypted stuff like HTTP, FTP, or Telnet, following the stream shows everything in plain text. The full HTTP request headers, the HTML that came back, cookies bouncing back and forth, form data that got submitted. This is incredibly powerful for understanding how applications behave. It also shows you exactly why encrypted connections matter. Credentials sent over unencrypted protocols? Completely visible to anyone capturing traffic.

What to Actually Look For: Practical Scenarios

Understanding features is one thing. Knowing what to look for is another. Packet analysis is one of the essential cybersecurity skills that separates capable analysts from those who just run tools without understanding them. Here are concrete scenarios where Wireshark helps you find answers.

Scenario 1: Why Is This Application So Slow?

Classic helpdesk ticket: users say some web app takes forever to load. Is it the network or the server? Capture traffic while loading the thing, then check the timestamps. The Time column shows when each packet arrived. Look for big gaps. If you see your GET request at time 0.001 and the response doesn’t show up until 3.456, that’s three seconds of the server sitting there thinking. If packets come back fast but there’s tons of them with retransmissions, that’s a network problem.

Wireshark color codes packets to help spot trouble. Black backgrounds usually mean problems like TCP retransmissions (data that had to be resent because it wasn’t acknowledged). Red text often means errors. Lots of black rows? You’ve got packet loss or congestion somewhere.

Scenario 2: What Servers Is This Machine Talking To?

Maybe you suspect a computer got compromised and want to see what external connections it’s making. Capture traffic for a few minutes while the machine sits idle (nobody actually using it). Then go to Statistics, select Endpoints, and check the IPv4 tab. You’ll see every IP address the machine talked to, plus packet and byte counts.

For more detail, check Statistics then Conversations. This shows pairs of addresses talking to each other, so you can see exactly which internal machine contacted which external server. Unexpected connections to foreign IPs or traffic on weird ports? Worth looking into. You can right click any address and apply it as a filter to zoom in on just that conversation.

Scenario 3: Is Someone Scanning Our Network?

Network scans have a pretty obvious pattern once you know what to look for. You’ll see a bunch of TCP SYN packets from one source going to tons of different ports, often in sequence (port 21, 22, 23, 25, and on and on). Filter with tcp.flags.syn == 1 and tcp.flags.ack == 0 to show just the initial connection attempts.

A normal user might hit a handful of services occasionally. A scanner will blast through dozens or hundreds of ports in seconds. If you see that pattern, grab the source IP and figure out if it’s an authorized security scan or someone doing reconnaissance who shouldn’t be.

Scenario 4: What DNS Lookups Are Happening?

DNS queries tell you a lot about what a system is up to. Every website visit starts with your computer asking a DNS server to translate the domain name into an IP address. Malware does this too, often querying command and control servers or weird looking domains.

Filter with dns and look at what’s being queried. The Info column shows the domain names. Normal traffic looks like recognizable stuff: google.com, microsoft.com, your company’s domain. Sketchy traffic might show random looking domain names, stuff with lots of numbers, or domains you’ve never heard of. If a supposedly idle computer is making tons of DNS queries to unfamiliar domains, that’s worth digging into.

Expert Info: Let Wireshark Help You Find Problems

Here’s a feature a lot of beginners miss completely: Expert Information. Go to Analyze in the menu, then Expert Information. Wireshark automatically scans the capture and flags potential issues, sorted by how serious they are.

Errors (red) are serious stuff like malformed packets or protocol violations. Always worth investigating. Warnings (yellow) flag weird conditions that might be problems, like connection resets or out of order packets. Notes (cyan) highlight interesting things like application error codes. Chat (blue) is just normal protocol chatter, nothing to worry about.

When you’re staring at a capture and have no idea where to start, Expert Information gives you a prioritized hit list. Click anything to jump straight to that packet. It’s like having an assistant who pre screens everything and says “hey, you might want to look at this.”

The Encryption Reality: What You Can and Cannot See

Here’s something tutorials love to gloss over: most traffic these days is encrypted, and Wireshark can’t magically decrypt it. When you capture HTTPS traffic, you’ll see the TCP handshake, the TLS negotiation, and then… encrypted blobs. You won’t see the actual HTTP requests and responses buried inside.

That’s not Wireshark failing. That’s encryption doing its job. The whole point is protecting data from anyone sniffing the network, and that includes you. If you want to understand more about how this protection works, our guide to encryption best practices digs into the details. You can still see metadata though: what IPs are talking, which ports, how much data, when. Just not the content itself.

There are ways to decrypt TLS in Wireshark if you have access to the encryption keys, but that’s advanced stuff for another day. For now, just know that analyzing encrypted traffic means focusing on patterns, volumes, and endpoints rather than content. And unencrypted traffic (which absolutely still exists on plenty of internal networks and legacy systems) shows you everything.

Building Your Skills: Practice Exercises

Like anything else, you get better at packet analysis by doing it. Here are some exercises that’ll build your skills without making your head explode.

Exercise 1: Capture traffic while doing a simple web search. Filter to DNS and find the lookup for the search engine. Then filter to HTTP or TLS and trace the actual connection. Follow the TCP stream if it’s unencrypted. Get the sequence down: DNS lookup, TCP handshake, request, response.

Exercise 2: Ping some host and capture those ICMP packets. ICMP is simple and unencrypted, perfect for understanding packet structure without complexity getting in the way. Look at the request and reply, poke around in the hex view.

Exercise 3: Grab a sample capture file from the Wireshark wiki (wireshark.org has a bunch) and practice analyzing traffic you didn’t generate yourself. This is closer to real life, where someone hands you a capture and says “figure out what’s going on.” Try the malware traffic samples for practice spotting suspicious patterns.

Exercise 4: Capture traffic on your home network for five minutes without doing anything specific. Then dig into what you find. You’ll discover all kinds of background chatter you never knew existed: automatic updates, cloud syncs, smart devices phoning home. It’s kind of eye opening to see how much your network talks without you telling it to.