
February 18, 2024

Wireshark Basics: Reading Network Traffic Like a Pro

A practical guide to getting started with Wireshark for network analysis and security investigations.

Tags: wireshark, networking, tools, cybersecurity

Wireshark is one of those tools that looks intimidating at first — thousands of packets scrolling by in real time, cryptic protocol names, hex dumps. But once you learn to read it, it becomes your superpower for understanding what’s really happening on a network.

First Steps

  1. Install Wireshark — Available for all platforms, free and open source
  2. Pick an interface — Usually your Wi-Fi or Ethernet adapter
  3. Start capturing — Hit the blue shark fin icon and watch the packets flow

Essential Filters

Don’t try to read everything. Use display filters to focus:

  • http — Only HTTP traffic
  • dns — DNS queries and responses
  • tcp.port == 443 — HTTPS traffic
  • ip.addr == 192.168.1.100 — Traffic to/from a specific IP
  • tcp.flags.syn == 1 && tcp.flags.ack == 0 — New TCP connections (SYN packets)

What to Look For

DNS queries reveal what domains a machine is contacting. Suspicious or encoded domain names could indicate C2 (command and control) traffic.

HTTP requests show unencrypted web traffic — URLs, headers, sometimes credentials sent in plain text (this is why HTTPS matters).

TCP handshakes tell you what connections are being established. Unusual ports or high volumes of SYN packets might indicate scanning or a SYN flood attack.
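As an added example (not part of the original post), here is the same filtering logic turned into a small script over a field export from tshark, Wireshark's command-line companion: it assumes rows produced by `tshark -T fields` for the six named fields, and the packets themselves are constructed, not from a real capture.

```python
# Tab-separated rows in the layout of `tshark -T fields -e ip.src -e ip.dst
# -e tcp.dstport -e tcp.flags.syn -e tcp.flags.ack -e dns.qry.name` (empty where a
# field does not apply). Constructed sample packets, not a real capture.
SAMPLE_ROWS = """\
192.168.1.100\t192.168.1.1\t\t\t\texample.com
192.168.1.100\t203.0.113.10\t443\t1\t0\t
203.0.113.10\t192.168.1.100\t52310\t1\t1\t
192.168.1.100\t203.0.113.10\t443\t0\t1\t
192.168.1.50\t192.168.1.100\t22\t1\t0\t
192.168.1.50\t192.168.1.100\t23\t1\t0\t
192.168.1.50\t192.168.1.100\t80\t1\t0\t
192.168.1.50\t192.168.1.100\t3389\t1\t0\t
192.168.1.77\t192.168.1.1\t\t\t\tzxq9v2k8.badexample.net
"""
FIELDS = ["ip.src", "ip.dst", "tcp.dstport", "tcp.flags.syn", "tcp.flags.ack", "dns.qry.name"]

def parse_rows(text):
    """Turn each tab-separated line into a dict keyed by Wireshark field name."""
    return [dict(zip(FIELDS, line.split("\t"))) for line in text.splitlines() if line]

def flag_set(value):
    """tshark prints boolean flag fields as 1/0 in some builds and True/False in others."""
    return value in ("1", "True")

def new_connections(packets):
    """The post's filter `tcp.flags.syn == 1 && tcp.flags.ack == 0`: client-side SYNs only."""
    return [p for p in packets
            if flag_set(p["tcp.flags.syn"]) and not flag_set(p["tcp.flags.ack"])]

def syn_scanners(packets, min_ports=3):
    """Sources sending SYNs to many distinct ports on one host: the port-scan pattern."""
    ports = {}
    for p in new_connections(packets):
        ports.setdefault((p["ip.src"], p["ip.dst"]), set()).add(int(p["tcp.dstport"]))
    return {pair: sorted(ps) for pair, ps in ports.items() if len(ps) >= min_ports}

def dns_queries(packets):
    """The `dns` filter, grouped by source: which domains each machine asked for."""
    by_src = {}
    for p in packets:
        if p["dns.qry.name"]:
            by_src.setdefault(p["ip.src"], []).append(p["dns.qry.name"])
    return by_src

if __name__ == "__main__":
    packets = parse_rows(SAMPLE_ROWS)
    print("new connections:", len(new_connections(packets)))
    print("possible scanners:", syn_scanners(packets))
    print("dns queries:", dns_queries(packets))
```

The SYN-ACK and plain ACK rows drop out of `new_connections` exactly as they would under the display filter, and the host touching four ports on one neighbour is the "high volume of SYN packets" pattern the section describes.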

Practice Exercise

Capture traffic on your home network for 5 minutes. Filter for DNS. You’ll be surprised how many domains your devices are talking to — smart TVs, IoT devices, and background app telemetry generate a lot of noise. Learning to identify normal vs. suspicious traffic is a core skill for any security analyst.