Packets • Troubleshooting • Cybersecurity • Home Lab

Wireshark is my packet microscope.

Nmap helps me find what is on the network. Wireshark helps me see what is actually happening on the network. If Nmap is the map, Wireshark is the microscope.

I use Wireshark when I want to understand DNS lookups, TCP handshakes, HTTP requests, TLS connections, DHCP, ARP, weird connection problems, and what devices are really saying to each other.

Start capturing See the workflow
Important: packet captures can expose private data. I only capture traffic on my own devices, my own lab network, or environments where I have clear permission.
Capture packets Pick an interface and record traffic.
Filter the noise Use display filters to focus on one protocol or host.
Inspect conversations Follow DNS, TCP, HTTP, TLS, ARP, and DHCP flows.
Explain what happened Turn packet evidence into troubleshooting notes.
Wireshark turns invisible network traffic into something I can read, filter, and reason about.

Why Wireshark matters

A lot of networking feels invisible until I capture packets. Wireshark makes the invisible part visible.

Troubleshooting

See what failed

If a website, server, VM, DNS lookup, or SSH connection is not working, Wireshark can help me see where the conversation breaks.

Networking

Learn protocols for real

Textbook protocols become much easier to understand when I can actually see ARP, DHCP, DNS, TCP, HTTP, and TLS packets on my own machine.

Cybersecurity

Analyze evidence

In CTFs, malware labs, honeypots, and incident-response practice, packet captures often tell the story of what happened.

Install Wireshark

Here is the magic of apt install again: on most Linux systems, Wireshark is one package install away, and like most Linux utilities, it is FREE. I usually install it with tcpdump and tshark so I can capture from the terminal too. 

sudo apt update
sudo apt install wireshark tcpdump tshark nmap -y
Note: during installation, Debian or Ubuntu may ask whether non-superusers should be able to capture packets. For a personal lab machine, I usually allow this and add my user to the wireshark group.

Allow packet capture without running as root

I do not want to run the whole Wireshark GUI as root. The cleaner setup is to allow the packet capture helper to capture traffic while my normal user runs Wireshark. 

# Reconfigure Wireshark capture permissions
sudo dpkg-reconfigure wireshark-common

# Add my user to the wireshark group
sudo usermod -aG wireshark "$USER"

# Refresh group membership for this terminal session
newgrp wireshark

# Optional: confirm dumpcap has capture capabilities
getcap /usr/bin/dumpcap
Security note: packet capture is powerful. Only give this permission to trusted users on your machine.

Quick start: capture my own traffic

The easiest first lab is to capture traffic from my own computer while I open a website, ping a device, or run a DNS lookup.

1

Find my network interface

I check which interface is active. It might be named wlan0, eth0, enp3s0, or something similar. 

ip link
ip -4 addr show
2

Open Wireshark

I start Wireshark and select the active interface. 

wireshark
3

Generate simple traffic

I create traffic that is easy to recognize. 

ping 1.1.1.1
dig example.com
curl http://example.com
4

Use display filters

I filter the packet list so I am not staring at every packet at once. 

dns
icmp
tcp
http

Capture filters vs display filters

This confused me at first. Wireshark has two different types of filters.

Filter type What it does Example
Capture filter Controls what gets recorded in the first place. host 192.168.1.50
Display filter Controls what I see after packets are already captured. ip.addr == 192.168.1.50
My beginner rule Capture broadly, then display-filter carefully. dns, http, tcp.port == 443
Practical tip: when I am learning, I usually avoid strict capture filters. I capture the traffic first, then use display filters so I do not accidentally miss the packet I needed.

Display filters I actually use

Display filters are one of Wireshark's superpowers. They let me cut through noise and focus on one protocol, host, port, or conversation.

Show DNS traffic

Good for seeing domain lookups. 

dns

Show ping traffic

Useful for checking ICMP echo requests and replies. 

icmp

Show one IP address

Focus on traffic to or from one device. 

ip.addr == 192.168.1.50

Show traffic from one source

Useful when I only care about packets leaving one machine. 

ip.src == 192.168.1.50

Show traffic to one destination

Useful when I am watching traffic going to a server. 

ip.dst == 192.168.1.50

Show a TCP port

Good for watching SSH, HTTP, HTTPS, or a custom app port. 

tcp.port == 22
tcp.port == 80
tcp.port == 443
tcp.port == 5000

Show ARP

ARP helps explain how devices find each other on a local network. 

arp

Show DHCP

DHCP helps me see how a device gets an IP address. 

dhcp

My normal Wireshark workflow

Wireshark can show too much at once. My workflow is to capture a small test, filter it, inspect the conversation, and write down what I learned.

01

Pick one question

What am I trying to learn: DNS failure, web request, SSH connection, DHCP, ARP, or latency?

02

Start capture

I capture on the interface that actually carries the traffic.

03

Generate traffic

I run one clear test command so the capture has something easy to find.

04

Filter and inspect

I use display filters, follow streams, and check packet details.

# Example workflow: watch a DNS lookup

# 1. Start Wireshark on the active interface

# 2. In another terminal, generate DNS traffic
dig example.com

# 3. In Wireshark, use this display filter
dns

# 4. Click the DNS query and response packets
# Look for:
# - the domain requested
# - the DNS server used
# - the answer returned
# - response time
# - errors like NXDOMAIN

First lab: watch DNS happen

DNS is one of the best first Wireshark labs because it is simple and easy to recognize. I ask for a name, and the network answers with an IP address.

Terminal

Generate the lookup

dig launchshell.org
dig example.com
dig cloudflare.com
Wireshark

Filter the capture

dns

I look for the query name, the DNS server, the response, and whether the lookup succeeded.

Why this is useful: DNS problems can make the internet feel broken even when the network connection itself is fine. Wireshark lets me prove whether the DNS request went out and whether a valid answer came back.

Second lab: watch a TCP handshake

TCP connections usually begin with a three-way handshake. Wireshark lets me see it instead of just memorizing it. 

# Generate simple TCP traffic
curl http://example.com

# Useful Wireshark display filters
tcp
http
tcp.port == 80
Step Packet Meaning
1 SYN My computer asks to start a TCP connection.
2 SYN, ACK The server acknowledges and agrees to start the connection.
3 ACK My computer confirms. The connection is established.

Third lab: compare HTTP and HTTPS

This is one of the clearest security lessons. HTTP is readable. HTTPS protects the content with encryption.

HTTP

Plain web traffic

curl http://example.com

With HTTP, Wireshark can show readable request and response details because the content is not encrypted.

HTTPS

Encrypted web traffic

curl https://example.com

With HTTPS, I can still see metadata like IPs, ports, timing, DNS, and TLS negotiation, but the page contents are encrypted.

Privacy note: this is why packet captures must be handled carefully. Even when content is encrypted, captures can still reveal hostnames, IP addresses, timing, device behavior, and network patterns.

Using Wireshark with Nmap

Nmap and Wireshark make a strong pair. Nmap tells me what ports are open. Wireshark lets me watch the scan packets and understand what the scan is doing. 

# Start Wireshark first, then run a small scan against my own device or lab target
nmap -sV 192.168.1.50

# Wireshark display filters to watch the scan
ip.addr == 192.168.1.50
tcp
tcp.flags.syn == 1
Learning moment: this is a good way to understand that tools are not magic. Nmap works by sending packets and reading responses. Wireshark lets me see those packets.

Capture from the terminal with tcpdump

Sometimes I do not want a GUI. I can capture packets with tcpdump, save them as a .pcap file, and open the file later in Wireshark. 

# List interfaces
ip link

# Capture traffic on an interface and save to a file
sudo tcpdump -i eth0 -w capture.pcap

# Capture only traffic for one host
sudo tcpdump -i eth0 host 192.168.1.50 -w host-capture.pcap

# Open the capture later
wireshark capture.pcap
Why this matters: on servers, VMs, and headless devices, terminal capture is often easier than running the full Wireshark GUI.

Use tshark for command-line packet analysis

tshark is basically Wireshark in the terminal. I do not need it for my first day, but it becomes useful for scripts, servers, and quick filtering. 

# Show live DNS packets
sudo tshark -i eth0 -Y dns

# Read a pcap file
tshark -r capture.pcap

# Read only HTTP packets from a pcap
tshark -r capture.pcap -Y http

# Show conversations from a pcap
tshark -r capture.pcap -q -z conv,tcp

Common protocols worth recognizing

Wireshark becomes much easier when I recognize the common protocols that appear in normal traffic.

Protocol What it does Why I care
ARP Maps IP addresses to MAC addresses on a local network. Helps explain local device discovery and gateway communication.
DHCP Gives devices IP addresses automatically. Useful when a device is not getting an IP address.
DNS Turns names into IP addresses. Useful when websites fail to load or a service name does not resolve.
ICMP Used by tools like ping. Useful for basic reachability testing.
TCP Reliable connection-based transport. Shows handshakes, retransmissions, resets, and connection behavior.
HTTP Plain web traffic. Good for learning request and response structure.
TLS Encryption layer used by HTTPS and many other services. Shows secure connection setup, certificates, and encrypted sessions.

Beginner mistakes to avoid

Wireshark is powerful, but it can overwhelm beginners because modern networks are noisy.

Avoid this

Bad habits

  • Capturing traffic on networks where I do not have permission
  • Trying to understand every packet at once
  • Forgetting which interface is actually active
  • Using strict capture filters too early and missing useful packets
  • Saving packet captures that contain private data without thinking
Do this instead

Better habits

  • Start with my own machine and my own lab traffic
  • Ask one question per capture
  • Use display filters like dns, icmp, and tcp.port == 80
  • Save short captures with clear filenames
  • Write down what I expected and what I actually saw

My basic Wireshark cheat sheet

This is the short version I would keep nearby. 

# Install Wireshark and command-line capture tools
sudo apt update
sudo apt install wireshark tcpdump tshark -y

# Allow my user to capture packets
sudo dpkg-reconfigure wireshark-common
sudo usermod -aG wireshark "$USER"
newgrp wireshark

# Find network interfaces
ip link
ip -4 addr show

# Open Wireshark
wireshark

# Generate simple traffic
ping 1.1.1.1
dig example.com
curl http://example.com
curl https://example.com

# Useful Wireshark display filters
dns
icmp
arp
dhcp
tcp
http
tls
ip.addr == 192.168.1.50
ip.src == 192.168.1.50
ip.dst == 192.168.1.50
tcp.port == 22
tcp.port == 80
tcp.port == 443

# Capture from the terminal
sudo tcpdump -i eth0 -w capture.pcap
sudo tcpdump -i eth0 host 192.168.1.50 -w host-capture.pcap

# Analyze pcap files from the terminal
tshark -r capture.pcap
tshark -r capture.pcap -Y dns
tshark -r capture.pcap -q -z conv,tcp

Final idea

Wireshark is one of the best tools for learning networking because it shows the evidence. Instead of guessing what happened, I can capture packets, filter the noise, inspect the conversation, and understand how devices actually communicate. Used safely, it is useful for troubleshooting, home labs, CTFs, packet analysis, server work, and cybersecurity fundamentals.