Master Wireshark: From Interface Basics to Advanced Packet Filtering

This comprehensive guide introduces Wireshark's main interface, demonstrates step‑by‑step packet capture, explains how to use capture and display filters—including protocol, IP, and port filters—and walks through analyzing TCP three‑way handshake packets, providing essential techniques for network troubleshooting and security analysis.

Open Source Linux

Wireshark is a network packet analyzer that captures packets through the WinPcap capture driver and displays detailed protocol information; it is widely used by network engineers and security analysts.

Interface Overview

The main window consists of a Display Filter bar, a Packet List pane (showing packet number, timestamp, source, destination, protocol, and length for each packet), and a Packet Details pane that expands each protocol layer of the selected packet, such as Frame, Ethernet II, IPv4, TCP, and HTTP.

Basic Capture Procedure

Select Capture → Options, choose the appropriate WLAN interface, and click Start to begin capturing. Perform an operation such as ping www.baidu.com; the resulting packets appear in the Packet List.

Use the display filter bar to narrow the results, e.g., ip.addr == 119.75.217.26 and icmp, which shows only ICMP packets to or from the specified IP address.

Capture Filters

Capture filters are set before capturing via Capture → Capture Filters and use pcap (BPF) syntax. Unlike display filters, a capture filter decides which packets are recorded at all: anything it excludes is never written to the capture file. Examples:

tcp – capture only TCP packets

host 192.168.1.104 – capture traffic to or from a specific host

port 80 – capture traffic using port 80

src host 192.168.1.104 && dst port 80 – combine criteria with logical operators

Display Filters

After capture, use display filters to refine the view without discarding any captured packets. Display filters use Wireshark's own field-based syntax, which differs from capture-filter syntax. Common examples:

tcp – display only TCP packets

ip.src == 192.168.1.104 – filter by source IP address

tcp.port == 80 – packets with TCP source or destination port 80

http.request.method == "GET" – HTTP GET requests

Use the logical operators and, or, and not to combine conditions, e.g.,

ip.addr == 192.168.1.104 and icmp

Analyzing TCP Three‑Way Handshake

The handshake consists of three packets:

Client sends SYN (Seq=0, Ack=0) to request a connection.

Server replies with SYN+ACK (Seq=0, Ack=1).

Client sends final ACK (Seq=1, Ack=1) confirming the connection.

Wireshark can capture these packets when accessing a website (e.g., www.huawei.com) and applying a filter such as ip.addr == 211.162.2.183. The captured handshake packets illustrate the sequence and acknowledgment numbers for each step. Wireshark shows relative sequence numbers by default, which is why each side's initial sequence number appears as 0 rather than the random value actually sent on the wire.
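As an added illustration (not code from the original article), the following Python script applies the same SYN / SYN+ACK / ACK matching to a constructed packet list and converts the absolute sequence numbers into the relative Seq/Ack values Wireshark displays. It goes one step beyond the article by also reporting SYNs that never complete a handshake, something an analyst reviewing a capture would want flagged. All packet numbers, addresses and initial sequence numbers are made-up sample data.

```python
from dataclasses import dataclass

@dataclass
class Pkt:
    no: int            # packet number, as shown in the Packet List pane
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # TCP flag names, e.g. {"SYN", "ACK"}
    seq: int           # absolute sequence number on the wire
    ack: int           # absolute acknowledgment number on the wire

# Constructed sample capture: one complete handshake to port 80, a lone SYN
# to port 443 that is never answered, and a later data-phase ACK on the first stream.
SAMPLE = [
    Pkt(1, "192.168.1.104", 51234, "211.162.2.183", 80, frozenset({"SYN"}), 1000000, 0),
    Pkt(2, "211.162.2.183", 80, "192.168.1.104", 51234, frozenset({"SYN", "ACK"}), 5000000, 1000001),
    Pkt(3, "192.168.1.104", 51234, "211.162.2.183", 80, frozenset({"ACK"}), 1000001, 5000001),
    Pkt(4, "192.168.1.104", 51235, "211.162.2.183", 443, frozenset({"SYN"}), 2000000, 0),
    Pkt(5, "192.168.1.104", 51234, "211.162.2.183", 80, frozenset({"ACK"}), 1000001, 5000001),
]

def find_handshakes(pkts):
    """Return (complete, incomplete). Each complete entry lists the three packets as
    (no, label, relative seq, relative ack); each side's ISN is rebased to 0, as Wireshark does.
    incomplete holds the packet numbers of SYNs that never reached the final ACK."""
    pending = {}   # client 4-tuple -> [syn, synack-or-None]
    complete = []
    for p in pkts:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if p.flags == {"SYN"}:
            pending[fwd] = [p, None]
        elif p.flags == {"SYN", "ACK"} and rev in pending:
            syn = pending[rev][0]
            if p.ack == syn.seq + 1:             # server must acknowledge client ISN + 1
                pending[rev][1] = p
        elif p.flags == {"ACK"} and fwd in pending and pending[fwd][1] is not None:
            syn, synack = pending[fwd]
            if p.seq == syn.seq + 1 and p.ack == synack.seq + 1:
                c_isn, s_isn = syn.seq, synack.seq
                complete.append([
                    (syn.no, "SYN", syn.seq - c_isn, 0),  # Ack shown as 0: ACK flag not set
                    (synack.no, "SYN+ACK", synack.seq - s_isn, synack.ack - c_isn),
                    (p.no, "ACK", p.seq - c_isn, p.ack - s_isn),
                ])
                del pending[fwd]
    incomplete = [v[0].no for v in pending.values()]
    return complete, incomplete
```

Running find_handshakes(SAMPLE) yields the Seq=0/Ack=0, Seq=0/Ack=1, Seq=1/Ack=1 triple from the steps above for packets 1 to 3, and lists packet 4 as an unanswered SYN.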

Common Operations

Adjust timestamp display via View → Time Display Format → Date and Time of Day to view precise capture times.

These steps cover the essential Wireshark functionalities for packet capture, filtering, and protocol analysis.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Written by

Open Source Linux

Focused on sharing Linux/Unix content, covering fundamentals, system development, network programming, automation/operations, cloud computing, and related professional knowledge.
