Wireshark Interface Overview and Using Filters to Analyze a TCP Three‑Way Handshake
This tutorial explains the main Wireshark panes, demonstrates how to create and save display and capture filters, outlines common filter expression syntax, and walks through a practical example of capturing and dissecting the three‑way TCP handshake using Wireshark.
Wireshark Main Interface
The Wireshark window is divided into several panes: Display Filter, Packet List Pane, Packet Details Pane, Dissector Pane (hex view), and Miscellaneous (address bar, etc.).
Importance of Filters
When beginners capture traffic, they often receive thousands of packets, making it hard to locate relevant data. Filters help quickly isolate the needed information.
There are two kinds of filters:
Display filters – applied in the main window to show only packets that match the expression.
Capture filters – set under Capture → Capture Filters to limit what is captured in the first place.
Filters can be saved by entering an expression in the Filter bar, clicking **Save**, and giving it a name (e.g., "Filter 102").
Filter Expression Rules
Common syntax includes:
Protocol filter: `tcp` – shows only TCP packets.
IP filter: `ip.src == 192.168.1.102` or `ip.dst == 192.168.1.102`.
Port filter: `tcp.port == 80` or `tcp.srcport == 80`.
HTTP method filter: `http.request.method == "GET"`.
Logical operators: `and`, `or`.
Example expressions:
`http` – show only HTTP traffic.
`ip.src == 192.168.1.102 or ip.dst == 192.168.1.102` – show packets with source or destination 192.168.1.102.
Packet List Pane
This pane displays each captured packet’s number, timestamp, source address, destination address, protocol, length, and brief info. Colors differentiate protocols, and the coloring rules can be edited via View → Coloring Rules.
Packet Details Pane
This pane is crucial for inspecting each protocol field. Typical hierarchy includes:
Frame – physical‑layer overview.
Ethernet II – data‑link layer header.
Internet Protocol Version 4 – IP header.
Transmission Control Protocol – TCP segment header.
Hypertext Transfer Protocol – HTTP data.
TCP Packet Example
The following screenshots show the fields of a captured TCP packet.
Analyzing a TCP Three‑Way Handshake
After opening Wireshark, apply the `http` display filter and locate the GET request for http://www.cr173.com . Right‑click the packet and choose “Follow TCP Stream” to view the related packets.
The capture shows three packets representing the SYN, SYN‑ACK, and ACK of the handshake, followed by the HTTP request packet, confirming that HTTP runs over a TCP connection.
First Handshake Packet
The client sends a SYN packet with sequence number 0.
Second Handshake Packet
The server replies with a SYN‑ACK packet, acknowledging the client’s ISN + 1.
Third Handshake Packet
The client sends an ACK packet (SYN flag cleared, ACK flag set) with the server’s sequence number + 1.
After these three packets, the TCP connection is established and data can be exchanged.
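The following Python is an added worked example, not part of the original tutorial. It packs three constructed 20‑byte TCP headers (client port 51000 to a web server on port 80, with made‑up ISNs), parses them back into the fields the Packet Details pane lists, checks the SYN / SYN‑ACK / ACK flag and ISN + 1 rules described above, and reproduces Wireshark's default relative sequence numbers (which is why the first packet shows sequence number 0 even though the real ISN is random).

```python
import struct
from typing import NamedTuple

SYN, ACK = 0x02, 0x10  # TCP control bits (RFC 793)
MOD = 2 ** 32          # sequence-number space wraps modulo 2^32

class TcpHeader(NamedTuple):
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: int

def build_tcp_header(src, dst, seq, ack, flags):
    """Pack a 20-byte TCP header: data offset 5 words, window 65535, checksum/urgent 0."""
    return struct.pack("!HHIIHHHH", src, dst, seq, ack, (5 << 12) | flags, 65535, 0, 0)

def parse_tcp_header(raw):
    """Unpack the fixed 20-byte header into the fields the Packet Details pane lists."""
    src, dst, seq, ack, off_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", raw[:20])
    return TcpHeader(src, dst, seq, ack, off_flags & 0x01FF)

def is_three_way_handshake(segs):
    """True if segs[0:3] are SYN, SYN-ACK, ACK and each ack number equals the peer's ISN + 1."""
    if len(segs) < 3:
        return False
    syn, synack, ack = segs[:3]
    mask = SYN | ACK
    if (syn.flags & mask, synack.flags & mask, ack.flags & mask) != (SYN, SYN | ACK, ACK):
        return False
    # SYN-ACK travels on the mirrored port pair; the final ACK on the original pair.
    if (synack.src_port, synack.dst_port, ack.src_port, ack.dst_port) != (
            syn.dst_port, syn.src_port, syn.src_port, syn.dst_port):
        return False
    return (synack.ack == (syn.seq + 1) % MOD and ack.seq == (syn.seq + 1) % MOD
            and ack.ack == (synack.seq + 1) % MOD)

def relative_seq(seg, client_isn, server_isn, client_port):
    """Wireshark's default 'relative sequence number': the raw seq minus the sender's ISN."""
    isn = client_isn if seg.src_port == client_port else server_isn
    return (seg.seq - isn) % MOD

def demo_stream():
    """Constructed handshake, client port 51000 to a web server on port 80 (not a real capture)."""
    c_isn, s_isn = 0x1A2B3C4D, 0x7E5F0011  # constructed ISNs; real stacks randomise these
    raw = [
        build_tcp_header(51000, 80, c_isn, 0, SYN),                # 1st: SYN
        build_tcp_header(80, 51000, s_isn, c_isn + 1, SYN | ACK),  # 2nd: SYN-ACK
        build_tcp_header(51000, 80, c_isn + 1, s_isn + 1, ACK),    # 3rd: ACK
    ]
    return [parse_tcp_header(r) for r in raw], c_isn, s_isn
```

Calling `demo_stream()` and passing the parsed segments to `is_three_way_handshake` returns True, and `relative_seq` yields 0, 0, 1 for the three packets, matching what the Packet List pane shows for a real handshake.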