Introduction

If you're learning ethical hacking, network security, bug bounty, or IT troubleshooting, one tool you absolutely MUST master is Wireshark.
Wireshark is the world's most widely used network protocol analyzer, trusted by cybersecurity professionals, penetration testers, and network engineers.
It helps you:
- Capture network packets
- Monitor live traffic
- Inspect encrypted/unencrypted data
- Learn how protocols work (HTTP, TCP, DNS)
- Identify suspicious activity or attacks
This bugitrix guide focuses on practical, real-life usage, not boring theory.
Let's dive in.
1. What Is Wireshark? (Easy Explanation)
Wireshark is an open-source network packet analyzer that allows you to inspect data traveling across a network.
Think of it as a microscope for your internet traffic.
It shows:
- Packets sent/received
- Source and destination IPs
- Protocols used
- Request/response bodies
- Login attempts
- DNS queries
- ARP messages
- Suspicious/malicious traffic
Ideal for ethical hackers, SOC analysts, and cybersecurity students.
Official Website: https://www.wireshark.org/
Documentation: https://www.wireshark.org/docs/
2. How to Install Wireshark
Windows
Download installer: https://www.wireshark.org/download.html
Linux (Ubuntu/Kali)
```bash
sudo apt install wireshark -y
```
macOS
```bash
brew install wireshark
```
Once installed, open Wireshark and you'll see your network interfaces (Wi-Fi, Ethernet, etc.).
3. Understanding How Wireshark Works (Beginner-Friendly)
When a device sends or receives data, it travels in packets.
Wireshark lets you capture and analyze those packets.
Every packet contains:
- Source IP
- Destination IP
- Protocol
- Payload (content)
- Flags
- Ports
This helps you answer questions like:
- "Why is my connection slow?"
- "Is someone scanning my network?"
- "Is this website sending data in plaintext?"
- "Is malware communicating with a server?"
4. Start Capturing Traffic (Real Example)
Step 1: Open Wireshark
You'll see a list of active network interfaces.
Step 2: Select your Wi-Fi or Ethernet interface
Click Start Capture.
Step 3: Watch packets flow in real time
You'll see colors, protocols, addresses, and rates.
Hit Stop when you're ready to analyze.
5. Filtering Traffic (The Most Important Skill!)
Wireshark display filters help you narrow down what you're looking for.
Here are must-know filters:
Show only HTTP traffic
```
http
```
Show DNS traffic
```
dns
```
Show TCP packets
```
tcp
```
Show only traffic from a specific IP
```
ip.src == 192.168.1.10
```
Show only packets going to a specific IP
```
ip.dst == 192.168.1.10
```
Show only login attempts (POST requests)
```
http.request.method == "POST"
```
Show only errors (TCP connection resets)
```
tcp.flags.reset == 1
```
Learning filters will make you feel like a real cyber detective.
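To see what these filters actually test, here is an added example (my own code, not part of the bugitrix guide or the Wireshark project) that builds a tiny pcap file in memory, parses its Ethernet/IPv4/TCP headers with the standard library, and re-implements the filter expressions above as Python predicates. The frames, addresses and ports are constructed for the example; the `FILTERS` table is a teaching toy that mirrors the field names Wireshark uses, not Wireshark's filter engine.

```python
import struct
from collections import namedtuple

# Constructed sample data: a tiny pcap built in memory so the script runs offline.
LINKTYPE_ETHERNET = 1
PCAP_GLOBAL_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)

# TCP flag bits in the flags byte of the TCP header
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

TcpPacket = namedtuple("TcpPacket", "ip_src ip_dst tcp_srcport tcp_dstport flags")


def _ip_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_tcp_frame(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Build an Ethernet/IPv4/TCP frame with no payload (checksums left at 0)."""
    eth = bytes(6) + bytes(6) + struct.pack("!H", 0x0800)      # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     _ip_bytes(src), _ip_bytes(dst))
    return eth + ip + tcp


def build_pcap(frames) -> bytes:
    """Wrap frames in pcap record headers (ts_sec, ts_usec, incl_len, orig_len)."""
    out = bytearray(PCAP_GLOBAL_HEADER)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return bytes(out)


def parse_pcap(data: bytes):
    """Walk the pcap records and decode Ethernet/IPv4/TCP headers into TcpPacket tuples."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian microsecond pcap")
    packets, offset = [], 24
    while offset + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack("<IIII", data[offset:offset + 16])
        frame = data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if struct.unpack("!H", frame[12:14])[0] != 0x0800:     # EtherType: skip non-IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4                           # IPv4 header length in bytes
        if frame[23] != 6:                                     # protocol field: skip non-TCP
            continue
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        packets.append(TcpPacket(".".join(map(str, frame[26:30])),
                                 ".".join(map(str, frame[30:34])), sport, dport, tcp[13]))
    return packets


# Python predicates that mirror the display filters listed above (teaching toy, not Wireshark's engine).
FILTERS = {
    "tcp": lambda p: True,                                      # every parsed packet here is TCP
    "ip.src == 192.168.1.10": lambda p: p.ip_src == "192.168.1.10",
    "ip.dst == 192.168.1.10": lambda p: p.ip_dst == "192.168.1.10",
    "tcp.port == 80": lambda p: 80 in (p.tcp_srcport, p.tcp_dstport),   # either direction
    "tcp.flags.reset == 1": lambda p: bool(p.flags & RST),
    "tcp.flags.syn == 1 and tcp.flags.ack == 0": lambda p: bool(p.flags & SYN) and not (p.flags & ACK),
}


def apply_filter(packets, expression: str):
    return [p for p in packets if FILTERS[expression](p)]


# Constructed traffic: one normal web connection from 192.168.1.10 (SYN, SYN/ACK, ACK),
# three SYN-only probes from 192.168.1.77 to different ports, and one RST/ACK answer.
SAMPLE_PCAP = build_pcap([
    build_tcp_frame("192.168.1.10", "10.0.0.5", 51000, 80, SYN),
    build_tcp_frame("10.0.0.5", "192.168.1.10", 80, 51000, SYN | ACK),
    build_tcp_frame("192.168.1.10", "10.0.0.5", 51000, 80, ACK),
    build_tcp_frame("192.168.1.77", "192.168.1.10", 40000, 22, SYN),
    build_tcp_frame("192.168.1.77", "192.168.1.10", 40001, 443, SYN),
    build_tcp_frame("192.168.1.77", "192.168.1.10", 40002, 3389, SYN),
    build_tcp_frame("192.168.1.10", "192.168.1.77", 3389, 40002, RST | ACK),
])


def filter_counts(pcap: bytes = SAMPLE_PCAP):
    """Return {filter expression: number of matching packets}."""
    packets = parse_pcap(pcap)
    return {expr: len(apply_filter(packets, expr)) for expr in FILTERS}


if __name__ == "__main__":
    for expr, count in filter_counts().items():
        print(f"{expr:45s} -> {count} packet(s)")
```

Two things worth noticing in the output: `tcp.port == 80` matches both directions of the web connection (it tests source or destination port), and the SYN-only filter catches the client's first SYN as well as the three probes, which is why a single SYN is never evidence of anything by itself. For a real capture file, `tshark -r capture.pcap -Y '<filter>'` applies the same display filters from the command line.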
6. Practical Wireshark Use Cases (Real Ethical Hacking Examples)
1. Capture Login Credentials (On Unsecured HTTP Sites)
If a website uses HTTP (not HTTPS), credentials often appear in plaintext.
Filter:
```
http.authbasic
```
You may see:
```
Authorization: Basic YWRtaW46cGFzc3dvcmQ=
```
Decode using:
Great for learning why HTTPS is mandatory.
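As an added example (my own code, not from the bugitrix guide), here is how you would audit request text from your own capture for plaintext Basic credentials: parse the `Authorization` header, base64-decode it the way the `http.authbasic` field does, and produce a finding with the password masked so it can go in a report. The request text is constructed for the example and uses the header value shown above.

```python
import base64
import binascii

# Constructed sample: request text as it appears in Wireshark's Follow TCP Stream view
# for a plaintext HTTP login. Not a real capture; the host name is invented.
SAMPLE_REQUEST = (
    "GET /admin HTTP/1.1\r\n"
    "Host: intranet.example\r\n"
    "Authorization: Basic YWRtaW46cGFzc3dvcmQ=\r\n"
    "User-Agent: curl/8.0\r\n"
    "\r\n"
)


def find_basic_credentials(request_text: str):
    """Return (username, password) from an Authorization: Basic header, or None.

    This mirrors what the http.authbasic filter matches: a Basic header whose value
    base64-decodes to "user:password". Malformed values return None instead of
    raising, so the function can be run over every request in a capture.
    """
    for line in request_text.split("\r\n"):
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None                       # Bearer, Digest, etc. are not plaintext creds
        try:
            decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return None                       # not valid base64 / not text
        user, colon, password = decoded.partition(":")
        return (user, password) if colon else None
    return None


def audit_request(request_text: str) -> str:
    """Produce a one-line finding with the password masked, suitable for a report."""
    creds = find_basic_credentials(request_text)
    if creds is None:
        return "no Basic credentials found"
    user, password = creds
    return f"plaintext Basic credentials for user '{user}' (password: {'*' * len(password)})"


if __name__ == "__main__":
    print(find_basic_credentials(SAMPLE_REQUEST))
    print(audit_request(SAMPLE_REQUEST))
```

Wireshark already performs this decoding for you: with the `http.authbasic` filter applied, the packet details pane shows the decoded `Credentials` value under the HTTP header. The point of the script is the defensive workflow, finding every request on your own network that still sends credentials this way and reporting it without copying the secret into the report.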
2. Detect Port Scanning (Nmap Scan Detection)
When someone scans your system, Wireshark shows unusual patterns.
Filter:
```
tcp.flags.syn == 1 and tcp.flags.ack == 0
```
A long list of SYN packets from one source to many different ports means someone is scanning.
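The filter shows you the SYN packets; deciding whether they are a scan is the analyst's job. Here is an added example (my own code, not from the guide or from Wireshark) of that decision as a small detector: it takes packet records of the kind you could export from Wireshark after applying the filter above and flags a source that sends SYN-only packets to many distinct ports on one host within a short window. The records, addresses and thresholds are constructed for the example.

```python
from collections import defaultdict, deque

# Constructed sample records: (timestamp, src_ip, dst_ip, dst_port, syn_flag, ack_flag).
# A normal client opening five connections to one HTTPS server, then a host that
# probes eight different ports on 192.168.1.10 within one second.
SAMPLE_RECORDS = [
    (0.0, "192.168.1.10", "10.0.0.5", 443, True, False),
    (1.0, "192.168.1.10", "10.0.0.5", 443, True, False),
    (1.2, "10.0.0.5", "192.168.1.10", 51000, True, True),    # SYN/ACK reply, not a probe
    (2.0, "192.168.1.10", "10.0.0.5", 443, True, False),
    (3.0, "192.168.1.10", "10.0.0.5", 443, True, False),
    (4.0, "192.168.1.10", "10.0.0.5", 443, True, False),
    *[(5.0 + i * 0.1, "192.168.1.77", "192.168.1.10", port, True, False)
      for i, port in enumerate([21, 22, 23, 25, 80, 443, 3389, 8080])],
]


def detect_syn_scans(records, min_ports=5, window=10.0):
    """Flag (src, dst) pairs that send SYN-only packets to >= min_ports distinct
    destination ports within `window` seconds.

    Counting distinct ports rather than packets is what separates a scan from a
    busy client that simply opens many connections to the same service.
    Returns {(src, dst): highest number of distinct ports seen in one window}.
    """
    history = defaultdict(deque)   # (src, dst) -> recent (ts, dport) pairs inside the window
    alerts = {}
    for ts, src, dst, dport, syn, ack in sorted(records, key=lambda r: r[0]):
        if not syn or ack:
            continue                           # only SYN without ACK is a connection attempt
        recent = history[(src, dst)]
        recent.append((ts, dport))
        while recent and recent[0][0] < ts - window:
            recent.popleft()                   # expire probes older than the window
        distinct = {port for _, port in recent}
        if len(distinct) >= min_ports:
            alerts[(src, dst)] = max(alerts.get((src, dst), 0), len(distinct))
    return alerts


if __name__ == "__main__":
    for (src, dst), ports in detect_syn_scans(SAMPLE_RECORDS).items():
        print(f"possible SYN scan: {src} -> {dst} touched {ports} distinct ports")
```

In the Wireshark GUI the same reasoning is done by eye: apply the filter, then open Statistics > Conversations and sort by packets; a scanner shows up as one source with a large number of tiny conversations to one destination. Tune `min_ports` and `window` to your network, since a monitoring system that health-checks several services can legitimately touch a handful of ports.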
3. View DNS Queries
DNS often reveals information about:
- Websites visited
- Malware contacting domains
- Suspicious hosts
Filter:
```
dns
```
Look for strange domain names.
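"Strange" can be made concrete. As an added example (my own code, not from the guide), this script scores query names from a DNS log using a few explainable rules that analysts commonly rely on: overall length, number of labels, a very long label, a label with high character entropy (random-looking), and a high share of digits. The log lines are constructed to look like a Wireshark export of the `dns` filter (timestamp, client, query name); the names and thresholds are invented for the example.

```python
import math
from collections import Counter

# Constructed DNS query log in the shape "timestamp client qname". The two odd-looking
# names are invented to resemble machine-generated hostnames; the rest are ordinary.
SAMPLE_QUERIES = """\
1700000000.10 192.168.1.10 www.example.com
1700000000.20 192.168.1.10 fonts.gstatic.com
1700000001.00 192.168.1.22 a9f3c1e7b2d4.x7k2q9.cdn.example
1700000001.40 192.168.1.22 data.4b8d2f9a1c6e0e3f7a5b9c2d.tunnel.example
1700000002.00 192.168.1.10 mail.example.com
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    counts = Counter(text)
    total = len(text)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def score_qname(qname: str):
    """Return (score, reasons) for one query name using simple, explainable rules."""
    labels = qname.lower().rstrip(".").split(".")
    score, reasons = 0, []
    if len(qname) > 40:
        score += 1; reasons.append("long name")
    if len(labels) > 4:
        score += 1; reasons.append("many subdomain levels")
    longest = max(labels, key=len)
    if len(longest) >= 20:
        score += 1; reasons.append(f"long label '{longest}'")
    if len(longest) >= 8 and shannon_entropy(longest) > 3.5:
        score += 2; reasons.append("high-entropy label")
    digits = sum(ch.isdigit() for ch in qname)
    if digits / max(len(qname), 1) > 0.2:
        score += 1; reasons.append("digit-heavy")
    return score, reasons


def parse_query_log(text: str):
    """Parse 'timestamp client qname' lines into (float, str, str) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        rows.append((float(ts), client, qname))
    return rows


def suspicious_queries(log_text: str, threshold: int = 3):
    """List (client, qname, score, reasons) for names scoring >= threshold."""
    findings = []
    for _, client, qname in parse_query_log(log_text):
        score, reasons = score_qname(qname)
        if score >= threshold:
            findings.append((client, qname, score, reasons))
    return findings


if __name__ == "__main__":
    for client, qname, score, reasons in suspicious_queries(SAMPLE_QUERIES):
        print(f"{client} asked for {qname}: score {score} ({', '.join(reasons)})")
```

Scores like these are a triage aid, not a verdict: CDNs and cloud services also use long hashed hostnames, so a hit means "look at this client's other traffic", not "this is malware". Wireshark's Statistics > DNS window and the `dns.qry.name` field are the quickest way to pull the names out of a live capture for this kind of review.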
4. Analyze Slow Network or Packet Loss
Filter:
```
tcp.analysis.retransmission
```
Too many retransmissions means network congestion, packet loss, or an attack.
5. Inspect Unencrypted Traffic on a Local Network
Filter:
```
tcp.port == 80
```
You can see:
- Cookies
- User agents
- Requests/responses
- Internal APIs
Careful: sniff only your own network, and only legally!
6. Capture ARP Spoofing Attacks
Filter:
```
arp
```
If you see:
- Multiple ARP replies for the same IP address
- Spoofed MAC addresses
...it may indicate a MITM (Man-in-the-Middle) attack.
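Here is the same check in code, as an added example (my own, not from the guide or from Wireshark): it walks ARP records of the kind you could export from the `arp` filter (the Wireshark fields would be `arp.opcode`, `arp.src.proto_ipv4` and `arp.src.hw_mac`), tracks which MAC each IP last claimed, and reports the two classic signs, an IP whose MAC changes and one MAC answering for several IPs including the gateway. The records, addresses and the gateway IP are constructed for the example.

```python
from collections import defaultdict

# Constructed ARP records: (timestamp, opcode, sender_ip, sender_mac); opcode 1 = request,
# 2 = reply. The addresses are invented for this example.
SAMPLE_ARP = [
    (0.0, 1, "192.168.1.10", "aa:aa:aa:aa:aa:10"),   # client asks who has the gateway
    (0.1, 2, "192.168.1.1",  "aa:aa:aa:aa:aa:01"),   # gateway answers with its real MAC
    (5.0, 2, "192.168.1.1",  "de:ad:be:ef:00:77"),   # same IP, different MAC: suspicious
    (5.1, 2, "192.168.1.10", "de:ad:be:ef:00:77"),   # that MAC also claims the client's IP
    (5.2, 2, "192.168.1.1",  "DE:AD:BE:EF:00:77"),   # repeated unsolicited reply
]

GATEWAY_IP = "192.168.1.1"   # assumed for the example; use your own default gateway


def detect_arp_spoofing(records, gateway_ip=GATEWAY_IP):
    """Analyse ARP replies and return both classic spoofing signs.

    mac_conflicts: (ts, ip, previous_mac, new_mac) each time an IP's MAC changes.
    gateway_impersonators: {mac: [ips]} for any MAC that answers for the gateway
    and at least one other IP, the usual footprint of a two-sided MITM.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    conflicts = []
    for ts, opcode, ip, mac in sorted(records, key=lambda r: r[0]):
        if opcode != 2:
            continue                                  # only replies assert an IP-to-MAC binding
        mac = mac.lower()                             # normalise case before comparing
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            conflicts.append((ts, ip, previous, mac))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
    impersonators = {mac: sorted(ips) for mac, ips in mac_to_ips.items()
                     if gateway_ip in ips and len(ips) > 1}
    return {"mac_conflicts": conflicts, "gateway_impersonators": impersonators}


if __name__ == "__main__":
    result = detect_arp_spoofing(SAMPLE_ARP)
    for ts, ip, old, new in result["mac_conflicts"]:
        print(f"t={ts}: {ip} moved from {old} to {new}")
    for mac, ips in result["gateway_impersonators"].items():
        print(f"{mac} answers for {ips} (includes gateway)")
```

Wireshark's ARP dissector already flags the first sign on its own: filter on `arp.duplicate-address-detected` to jump straight to replies where one IP appeared with two MACs. A MAC change is not always an attack (a replaced router, or a failover pair moving a virtual IP, produces the same pattern), which is why the second sign, one MAC speaking for both the gateway and a client, is the stronger indicator.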
7. bugitrix Wireshark Cheat Sheet
| Goal | Filter / Method |
|---|---|
| Show HTTP traffic | http |
| Show login POST data | http.request.method == "POST" |
| Show DNS | dns |
| Find suspicious resets | tcp.flags.reset == 1 |
| Capture only from IP | ip.src == x.x.x.x |
| Capture only to IP | ip.dst == x.x.x.x |
| Detect Nmap scans | tcp.flags.syn == 1 and tcp.flags.ack == 0 |
| Inspect plaintext data | tcp.port == 80 |
| Check ARP spoofing | arp |
8. Best Places to Practice Wireshark
Practice legally on these labs:
- Wireshark Sample Captures: https://wiki.wireshark.org/SampleCaptures
- TryHackMe Wireshark Room: https://tryhackme.com/
- HackTheBox Academy: https://academy.hackthebox.com/
- PacketTotal Analyzer: https://packettotal.com/
bugitrix recommends TryHackMe for beginners.
Ethical Reminder
Wireshark can capture sensitive data.
NEVER sniff networks you don't own or have permission to test.
bugitrix supports ethical, legal cybersecurity only.
Conclusion
Wireshark is one of the most powerful tools in the cybersecurity world.
With this bugitrix beginner guide, you learned how to:
- Capture network traffic
- Use powerful filters
- Analyze HTTP, DNS, TCP, and ARP
- Detect real attack patterns
- Perform packet-level investigations
- Practice safely on real labs
Master Wireshark, and you'll understand networks like a pro hacker.