Your first packet capture in 5 minutes. Learn how to use Wireshark to capture traffic, apply display filters, follow TCP streams, and troubleshoot network issues.
This tutorial assumes you already have Wireshark installed. If not, download Wireshark first (Windows) or see our Mac install guide. The steps below work on all platforms.
Learning how to use Wireshark starts with capturing live network traffic. Here's the quickest path from launch to captured packets.
When Wireshark starts, you'll see a list of network interfaces with small traffic graphs next to each name. The one with activity (a moving line) is your active connection. It's usually called Wi-Fi or Ethernet. Double-click it to start capturing.
Open a browser and visit any website. Wireshark will immediately show packets flowing in. Each row is one packet — you'll see hundreds appear within seconds. Don't worry about understanding them all yet.
Click the red square button in the toolbar (or press Ctrl+E). The capture stops and you now have a snapshot of all traffic during that window. You can scroll through it, filter it, and analyze it at your own pace.
To understand how to use Wireshark effectively, you need to know its three main panes. The Wireshark interface stacks them vertically.
Packet List (top pane): one row per packet. Shows time, source/destination IP, protocol, and a brief summary. Color-coded: green = TCP, blue = DNS, black/red = errors.
Packet Details (middle pane): click any packet to see its layers: Ethernet → IP → TCP/UDP → Application. Expand each layer to inspect individual fields like ports, flags, and payloads.
Packet Bytes (bottom pane): raw hex and ASCII dump of the selected packet. Hover over bytes to highlight the corresponding field in the details pane. Useful for protocol debugging.
A real capture contains thousands of packets. Display filters let you focus on what matters. Type a filter in the bar at the top and press Enter. Mastering filters is the key to learning how to use Wireshark productively.
| Filter | What It Shows | When to Use |
|---|---|---|
| Protocol Filters | | |
| http | HTTP requests and responses | Debugging web traffic |
| dns | DNS queries and replies | Troubleshooting name resolution |
| tcp | All TCP traffic | General TCP analysis |
| udp | All UDP traffic | Streaming, DNS, VoIP |
| tls | TLS/SSL encrypted traffic | HTTPS connection analysis |
| icmp | Ping requests and replies | Connectivity testing |
| IP Address Filters | | |
| ip.addr == 192.168.1.100 | Traffic to/from this IP | Filter to one device |
| ip.src == 10.0.0.5 | Traffic from this source | Track outbound traffic |
| ip.dst == 8.8.8.8 | Traffic to this destination | Check DNS queries to Google |
| Port Filters | | |
| tcp.port == 80 | HTTP traffic (port 80) | Web traffic analysis |
| tcp.port == 443 | HTTPS traffic (port 443) | Encrypted web traffic |
| tcp.port == 22 | SSH traffic | Remote connection debugging |
| udp.port == 53 | DNS traffic (port 53) | Name resolution issues |
| Combining Filters | | |
| http && ip.addr == 192.168.1.100 | HTTP from one device | Debug one machine's web traffic |
| dns \|\| icmp | DNS or ping traffic | Network diagnostics |
| tcp.port == 80 && !ip.addr == 10.0.0.1 | HTTP except from gateway | Exclude noisy devices |
| tcp.flags.syn == 1 && tcp.flags.ack == 0 | New TCP connections only | See who's initiating connections |
| Content Filters | | |
| http.request.uri contains "api" | HTTP requests with "api" in URL | API traffic debugging |
| frame contains "password" | Packets containing "password" | Security auditing |
Capture filters (such as tcp port 80) use different syntax and are applied during capture to reduce file size. Start with display filters — they're safer and more flexible.
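To show what the filters in the table actually match at the byte level (the same bytes the Packet Bytes pane displays), here is an added Python example that is not part of the original tutorial or of Wireshark itself. It builds a few constructed Ethernet/IPv4/TCP frames, decodes the fields Wireshark names ip.src, ip.dst, tcp.srcport, tcp.dstport and tcp.flags.*, and evaluates three filters from the table over them; the IP addresses are sample values from the documentation range.

```python
import struct

def build_frame(src_ip, dst_ip, sport, dport, flags):
    """Construct a minimal Ethernet+IPv4+TCP frame (sample data; checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"               # dummy MACs, EtherType 0x0800 = IPv4
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         bytes(map(int, src_ip.split("."))),
                         bytes(map(int, dst_ip.split("."))))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip_hdr + tcp_hdr

def parse_frame(frame):
    """Decode the fields Wireshark exposes as ip.src, ip.dst, tcp.*port and tcp.flags.*"""
    if frame[12:14] != b"\x08\x00":
        return None                                  # not IPv4; these filters never match it
    ihl = (frame[14] & 0x0F) * 4                     # IPv4 header length in bytes
    fields = {"ip.src": ".".join(map(str, frame[26:30])),
              "ip.dst": ".".join(map(str, frame[30:34])), "ip.proto": frame[23]}
    if fields["ip.proto"] == 6:                      # TCP: ports at offsets 0/2, flags at 13
        tcp = frame[14 + ihl:]
        fields["tcp.srcport"], fields["tcp.dstport"] = struct.unpack("!HH", tcp[:4])
        fields["tcp.flags.syn"] = (tcp[13] >> 1) & 1
        fields["tcp.flags.ack"] = (tcp[13] >> 4) & 1
    return fields

# The table's filters written as predicates over the decoded fields.
def ip_addr(p, a):  return p["ip.src"] == a or p["ip.dst"] == a                  # ip.addr == a
def tcp_port(p, n): return n in (p.get("tcp.srcport"), p.get("tcp.dstport"))     # tcp.port == n
def new_conn(p):    return p.get("tcp.flags.syn") == 1 and p.get("tcp.flags.ack") == 0

SYN, SYN_ACK, ACK = 0x02, 0x12, 0x10
FRAMES = [  # constructed capture: one HTTP handshake plus an unrelated HTTPS ACK
    build_frame("192.168.1.100", "203.0.113.10", 51000, 80, SYN),
    build_frame("203.0.113.10", "192.168.1.100", 80, 51000, SYN_ACK),
    build_frame("192.168.1.100", "203.0.113.10", 51000, 80, ACK),
    build_frame("10.0.0.1", "8.8.8.8", 40000, 443, ACK),
]

def apply_filter(frames, pred):
    """Return the indices of matching frames, like Wireshark's filtered packet list."""
    return [i for i, f in enumerate(frames) if (p := parse_frame(f)) and pred(p)]

if __name__ == "__main__":
    print("ip.addr == 192.168.1.100:", apply_filter(FRAMES, lambda p: ip_addr(p, "192.168.1.100")))
    print("tcp.port == 80 && !ip.addr == 10.0.0.1:",
          apply_filter(FRAMES, lambda p: tcp_port(p, 80) and not ip_addr(p, "10.0.0.1")))
    print("tcp.flags.syn == 1 && tcp.flags.ack == 0:", apply_filter(FRAMES, new_conn))
```

Only the first frame is a bare SYN, so the last filter returns the one packet that initiated a connection, while the SYN/ACK reply (syn == 1 and ack == 1) is correctly excluded.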
Individual packets only show fragments. To see a full conversation between two devices (like an HTTP request and response), use Wireshark's "Follow TCP Stream" feature.
Apply a filter like http to find web traffic. Click any HTTP packet in the list, then right-click it and choose Follow → TCP Stream.
A new window opens showing the entire conversation. Red text = data sent by the client. Blue text = data from the server. You'll see the full HTTP headers, HTML content, or API responses in readable form.
This is how you debug slow APIs, inspect headers, check for redirects, or see exactly what data was exchanged. Close the stream window to return to the main view — Wireshark auto-applies a filter showing only packets from that conversation.
HTTPS conversations show up as encrypted TLS data when you follow the stream. To read your own browser's HTTPS traffic, you need its session keys, which you can export with the SSLKEYLOGFILE environment variable.
Now that you know the basics, here's how to use Wireshark for real-world problems. Each scenario uses the filters and techniques from the steps above.
Filter: http && ip.addr == [server IP]
Look at time deltas between request and response packets. Large gaps indicate server-side delays. Check for TCP retransmissions (tcp.analysis.retransmission), which signal network issues.
Go to: Statistics → Conversations
Sort by bytes to see which connections transfer the most data. Click a row to filter the capture to that conversation. This identifies background downloads, streaming, or unauthorized traffic.
Filter: dns
See every domain name your machine looked up and the IP addresses returned. Slow DNS responses cause slow browsing. Look for NXDOMAIN (failed lookups) or unusually high response times.
Filter: http.request.uri contains "/api/"
Follow the TCP stream to see full request headers, body, and response. Useful for debugging REST APIs, checking authentication headers, or comparing expected vs actual payloads.
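The first two scenarios above (slow website, bandwidth hog) boil down to three computations over the columns of the Packet List pane. The following added Python example, which is not from the original page or from Wireshark, runs them over a constructed list of packet records (time, source, destination, TCP sequence number, payload length): the request-to-response delay, a simplified form of the check behind tcp.analysis.retransmission, and a Statistics → Conversations style byte total; the hosts are sample addresses, and 8.8.8.8 is only there as a second conversation.

```python
from collections import defaultdict

# Constructed sample capture: (time_s, src, dst, tcp_seq, payload_len) for one HTTP exchange.
# 10.0.0.5 is the client, 203.0.113.10 the server; 8.8.8.8 is an unrelated second conversation.
CLIENT, SERVER = "10.0.0.5", "203.0.113.10"
PACKETS = [
    (0.000, CLIENT, SERVER, 1, 120),       # GET /api/items
    (0.100, CLIENT, "8.8.8.8", 1, 60),     # unrelated short packet to another host
    (0.850, SERVER, CLIENT, 1, 1400),      # first response segment, 850 ms later
    (0.855, SERVER, CLIENT, 1401, 1400),
    (1.060, SERVER, CLIENT, 1401, 1400),   # same seq sent again: a retransmission
    (1.065, SERVER, CLIENT, 2801, 600),
]

def response_delays(packets, client, server):
    """Seconds from each client request to the first server data packet that follows it
    (the time delta a slow-website check looks at)."""
    delays, pending = [], None
    for t, src, dst, _, plen in packets:
        if (src, dst) == (client, server) and plen:
            pending = t
        elif (src, dst) == (server, client) and plen and pending is not None:
            delays.append(round(t - pending, 3))
            pending = None
    return delays

def find_retransmissions(packets):
    """Indices of data segments ending at or below the highest sequence number already sent
    in that direction: a simplified tcp.analysis.retransmission. Keyed by (src, dst) because
    the sample records carry no ports; real analysis keys on the full 4-tuple."""
    highest, flagged = defaultdict(int), []
    for i, (_, src, dst, seq, plen) in enumerate(packets):
        if plen and seq + plen <= highest[(src, dst)]:
            flagged.append(i)
        highest[(src, dst)] = max(highest[(src, dst)], seq + plen)
    return flagged

def conversation_bytes(packets):
    """Payload bytes per host pair, largest first, like Statistics -> Conversations sorted by bytes."""
    totals = defaultdict(int)
    for _, src, dst, _, plen in packets:
        totals[tuple(sorted((src, dst)))] += plen
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    print("request->response delay (s):", response_delays(PACKETS, CLIENT, SERVER))
    print("retransmitted packet indices:", find_retransmissions(PACKETS))
    print("top conversations by bytes:", conversation_bytes(PACKETS))
```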
Capture filters are applied while capturing; they use a different syntax (like tcp port 80) and reduce the capture file size. Display filters are applied after capture — they use Wireshark's own syntax (like tcp.port == 80) and only hide packets from view. Start with display filters; they're more forgiving since you can always remove them to see all captured data.

To decrypt HTTPS traffic, Wireshark needs the session keys. Set the SSLKEYLOGFILE environment variable in your browser, which exports session keys to a file that Wireshark can read. This only works for your own traffic in a controlled environment.

To filter by IP address, use ip.addr == 192.168.1.100 to show all traffic to or from that IP. Use ip.src for source-only or ip.dst for destination-only. You can combine with other filters: ip.addr == 192.168.1.100 && tcp.port == 80 shows HTTP traffic from that device.

To filter by port, use tcp.port == 443 for TCP port 443 (HTTPS), or udp.port == 53 for UDP port 53 (DNS). To filter a range: tcp.port >= 8000 && tcp.port <= 9000. For source port specifically: tcp.srcport == 80.

Now that you know how to use Wireshark for basic captures and filtering, here's where to go next: