💡 Introduction

If you're learning ethical hacking, network security, bug bounty, or IT troubleshooting, one tool you absolutely MUST master is Wireshark.
Wireshark is the world’s most widely used network protocol analyzer, trusted by cybersecurity professionals, penetration testers, and network engineers.
It helps you:
🔍 Capture network packets
📡 Monitor live traffic
🔐 Inspect packet contents (plaintext directly; TLS only when you supply the session keys)
🧠 Learn how protocols work (HTTP, TCP, DNS)
🚨 Identify suspicious activity or attacks
This bugitrix guide focuses on practical, real-life usage, not boring theory.
Let’s dive in 👇
🚀 1. What Is Wireshark? (Easy Explanation)
Wireshark is an open-source network packet analyzer that allows you to inspect data traveling across a network.
Think of it as a microscope for your internet traffic 🔬
It shows:
Packets sent/received
Source and destination IPs
Protocols used
Request/response bodies
Login attempts
DNS queries
ARP messages
Suspicious/malicious traffic
🎯 Ideal for ethical hackers, SOC analysts, and cybersecurity students.
Official Website → https://www.wireshark.org/
Documentation → https://www.wireshark.org/docs/
🛠️ 2. How to Install Wireshark
✔️ Windows
Download installer → https://www.wireshark.org/download.html
✔️ Linux (Ubuntu/Kali)
sudo apt install wireshark -y
✔️ macOS
brew install wireshark
Once installed, open Wireshark and you’ll see your network interfaces (Wi-Fi, Ethernet, etc.).
🔥 3. Understanding How Wireshark Works (Beginner-Friendly)
When a device sends or receives data, it travels in packets.
Wireshark lets you capture and analyze those packets.
Every packet contains:
Source IP
Destination IP
Protocol
Payload (content)
Flags
Ports
This helps you answer questions like:
“Why is my connection slow?”
“Is someone scanning my network?”
“Is this website sending data in plaintext?”
“Is malware communicating with a server?”
🎯 4. Start Capturing Traffic (Real Example)
Step 1: Open Wireshark
You’ll see a list of active network interfaces.
Step 2: Select your Wi-Fi or Ethernet interface
Click Start Capture.
Step 3: Watch packets flow in real-time
You'll see colors, protocols, addresses, and rates 💥
Hit Stop when you're ready to analyze.
🔍 5. Filtering Traffic (The Most Important Skill!)
Wireshark filters help you narrow down what you’re looking for.
Here are must-know filters:
🔹 Show only HTTP traffic
http
🔹 Show DNS traffic
dns
🔹 Show TCP packets
tcp
🔹 Show only traffic from a specific IP
ip.src == 192.168.1.10
🔹 Show only packets going to a specific IP
ip.dst == 192.168.1.10
🔹 Show POST requests (form submissions such as logins)
http.request.method == "POST"
🔹 Show TCP resets (connections refused or aborted)
tcp.flags.reset == 1
Learning filters will make you feel like a real cyber detective 🕵️♂️💻
🧪 6. Practical Wireshark Use Cases (Real Ethical Hacking Examples)
✔️ 1. Capture Login Credentials (On Unsecured HTTP Sites)
If a website uses HTTP (not HTTPS), credentials often appear in plaintext.
Filter:
http.authbasic
You may see:
Authorization: Basic YWRtaW46cGFzc3dvcmQ=
Decode using:
Great for learning why HTTPS is mandatory 🔐
✔️ 2. Detect Port Scanning (Nmap Scan Detection)
When someone scans your system, Wireshark sees unusual patterns.
Filter:
tcp.flags.syn == 1 and tcp.flags.ack == 0
A single source sending SYNs to many different ports, with no handshakes completing, is the classic port-scan signature 🚨
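The scan signature above as detection logic, written as an added example (not code from the original guide): it assumes the SYN-only packets were exported from the capture with tshark's `-T fields` output (time, source IP, destination IP, destination port per line) and flags any source that hits many distinct ports on one host inside a short time window. The sample lines are constructed.

```python
"""Flag a likely SYN port scan in packet records exported from Wireshark/tshark.

Added example, not code from the original guide. Assumes the capture was
exported with the guide's filter, e.g.
  tshark -r capture.pcap -Y 'tcp.flags.syn == 1 and tcp.flags.ack == 0' \
         -T fields -e frame.time_relative -e ip.src -e ip.dst -e tcp.dstport
so each line is: time<TAB>src<TAB>dst<TAB>dstport. Sample lines are constructed.
"""
from collections import defaultdict

# Constructed sample: 192.168.1.20 opens one normal HTTPS connection, while
# 192.168.1.50 sends SYNs to 12 different ports of 192.168.1.10 within 0.2 s.
SAMPLE_EXPORT = "0.000\t192.168.1.20\t10.0.0.5\t443\n" + "".join(
    f"{0.1 + i * 0.01:.3f}\t192.168.1.50\t192.168.1.10\t{port}\n"
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 139, 143, 443, 445, 3389])
)

def parse_export(text):
    """Turn tshark field lines into (time, src, dst, dstport) tuples."""
    records = []
    for line in text.splitlines():
        if line.strip():
            t, src, dst, port = line.split("\t")
            records.append((float(t), src, dst, int(port)))
    return records

def detect_syn_scans(records, port_threshold=10, window=5.0):
    """Return {src: (dst, distinct_ports)} for every source that sent
    SYN-only packets to more than `port_threshold` distinct ports on one
    host within any `window` seconds. One host hammering many ports, with
    no handshakes completing, is the classic scan signature."""
    probes = defaultdict(list)  # (src, dst) -> [(time, port), ...]
    for t, src, dst, port in records:
        probes[(src, dst)].append((t, port))
    alerts = {}
    for (src, dst), events in probes.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):  # sliding time window over the probes
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({p for _, p in events[start:end + 1]}))
        if best > port_threshold:
            alerts[src] = (dst, best)
    return alerts

if __name__ == "__main__":
    for src, (dst, n) in detect_syn_scans(parse_export(SAMPLE_EXPORT)).items():
        print(f"ALERT: {src} probed {n} distinct ports on {dst}")
```

Tune `port_threshold` and `window` to your network: a legitimate client rarely opens more than a handful of distinct ports on one host in a few seconds.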
✔️ 3. View DNS Queries
DNS often reveals information about:
Websites visited
Malware contacting domains
Suspicious hosts
Filter:
dns
Look for strange domain names 👀
✔️ 4. Analyze Slow Network or Packet Loss
Filter:
tcp.analysis.retransmission
Many retransmissions mean packets are being lost: usually network congestion or a bad link, sometimes an attack.
✔️ 5. Inspect Unencrypted Traffic in Local Network
Filter:
tcp.port == 80
You can see:
Cookies
User agents
Requests/responses
Internal APIs
Careful: sniff only your own network legally!
✔️ 6. Capture ARP Spoofing Attacks
Filter:
arp
If you see:
Several ARP replies for the same IP that nobody asked for
Two different MAC addresses both claiming the same IP (often the gateway's)
…it may indicate an ARP-poisoning MITM (Man-in-the-Middle) attack ⚠️
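The two ARP signs above as detection logic, written as an added example (not code from the original guide): it assumes the `arp` packets were exported with tshark's `-T fields` output (time, opcode, sender IP, sender MAC per line) and alerts when one IP is claimed by more than one MAC or receives a flood of replies. The sample lines are constructed.

```python
"""Flag ARP-spoofing signs (one IP claimed by two MACs, or a flood of replies)
in ARP records exported from Wireshark/tshark.

Added example, not code from the original guide. Assumes the capture was
exported with the guide's `arp` filter, e.g.
  tshark -r capture.pcap -Y arp -T fields -e frame.time_relative \
         -e arp.opcode -e arp.src.proto_ipv4 -e arp.src.hw_mac
so each line is: time<TAB>opcode<TAB>sender IP<TAB>sender MAC. Samples are constructed.
"""
from collections import defaultdict

ARP_REPLY = 2  # arp.opcode value for an ARP reply (1 = request)

# Constructed sample: the gateway 192.168.1.1 answers once from its real MAC
# (aa:...:01); then bb:...:02 sends six unsolicited replies claiming the same IP.
SAMPLE_ARP = "\n".join([
    "0.000\t1\t192.168.1.10\taa:aa:aa:aa:aa:10",  # ordinary request
    "0.001\t2\t192.168.1.1\taa:aa:aa:aa:aa:01",   # legitimate gateway reply
    "0.500\t1\t192.168.1.10\taa:aa:aa:aa:aa:10",  # another ordinary request
    "0.501\t2\t192.168.1.20\taa:aa:aa:aa:aa:20",  # ordinary reply from a host
] + [f"{1.0 + i * 0.2:.3f}\t2\t192.168.1.1\tbb:bb:bb:bb:bb:02" for i in range(6)]) + "\n"

def parse_arp(text):
    """Turn tshark field lines into (time, opcode, sender_ip, sender_mac) tuples."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            t, opcode, ip, mac = line.split("\t")
            rows.append((float(t), int(opcode), ip, mac.lower()))
    return rows

def detect_arp_spoofing(rows, reply_threshold=5):
    """Return {ip: {"macs": [...], "replies": n}} for each IP that was
    claimed by more than one MAC in ARP replies, or that was the subject of
    more than `reply_threshold` replies. Requests are ignored; the signs the
    guide lists are in the replies."""
    macs_for_ip = defaultdict(set)
    replies_for_ip = defaultdict(int)
    for _, opcode, ip, mac in rows:
        if opcode == ARP_REPLY:
            macs_for_ip[ip].add(mac)
            replies_for_ip[ip] += 1
    alerts = {}
    for ip, macs in macs_for_ip.items():
        if len(macs) > 1 or replies_for_ip[ip] > reply_threshold:
            alerts[ip] = {"macs": sorted(macs), "replies": replies_for_ip[ip]}
    return alerts

if __name__ == "__main__":
    for ip, info in detect_arp_spoofing(parse_arp(SAMPLE_ARP)).items():
        print(f"ALERT: {ip} claimed by {info['macs']} in {info['replies']} replies")
```

A known-good IP-to-MAC table for the gateway makes the check stronger: any reply for the gateway IP from another MAC is an alert on its own.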
📘 7. bugitrix Wireshark Cheat Sheet
| Goal | Filter / Method |
|---|---|
| Show HTTP traffic | http |
| Show login POST data | http.request.method == "POST" |
| Show DNS | dns |
| Find suspicious resets | tcp.flags.reset == 1 |
| Capture only from IP | ip.src == x.x.x.x |
| Capture only to IP | ip.dst == x.x.x.x |
| Detect Nmap scans | tcp.flags.syn == 1 and tcp.flags.ack == 0 |
| Inspect plaintext data | tcp.port == 80 |
| Check ARP spoofing | arp |
🎯 8. Best Places to Practice Wireshark
Practice legally on these labs:
🔗 Wireshark Sample Captures → https://wiki.wireshark.org/SampleCaptures
🔗 TryHackMe Wireshark Room → https://tryhackme.com/
🔗 HackTheBox Academy → https://academy.hackthebox.com/
🔗 PacketTotal Analyzer → https://packettotal.com/
bugitrix recommends TryHackMe for beginners ⭐
⚠️ Ethical Reminder
Wireshark can capture sensitive data.
NEVER sniff networks you don’t own or have permission to test.
bugitrix supports ethical, legal cybersecurity only ❤️
🏁 Conclusion
Wireshark is one of the most powerful tools in the cybersecurity world.
With this bugitrix beginner guide, you learned how to:
Capture network traffic
Use powerful filters
Analyze HTTP, DNS, TCP, ARP
Detect real attack patterns
Perform packet-level investigations
Practice safely on real labs
Master Wireshark, and you'll understand networks like a pro hacker 👨💻⚡