Wireshark in brief: Open source · GUI + CLI (tshark) · Captures traffic on any interface · Understands 3,000+ protocols · Windows, macOS, Linux · No root required on Linux when set up correctly

What is Wireshark?

Wireshark puts your network card into promiscuous mode and captures every frame that reaches the interface, not just traffic addressed to your own machine. On a switched network that is still only what the switch forwards to your port (see the FAQ at the end); on a mirrored switch port, or on the router or Pi that routes the traffic, it is the whole segment. You see HTTP headers, DNS queries, TLS handshakes, ARP broadcasts and much more in full detail.

It is not an attack tool. It is a diagnostic tool. Use it to troubleshoot network problems, verify your VPN is actually encrypting what it should, check that Pi-hole is catching DNS queries correctly, or discover devices on your network making unexpected outbound connections.

📌 Wireshark on your own network is legal. Capturing traffic on networks you do not own or have permission to monitor is illegal in most countries. Use it at home or in your own organisation with appropriate authorisation.

Install

Windows

Download the installer from wireshark.org/download.html. Accept the Npcap installation during setup — that is the driver layer Wireshark uses to capture packets on Windows. Without Npcap, Wireshark starts but cannot capture anything.

Linux (Debian/Ubuntu/Pi OS)

sudo apt update && sudo apt install wireshark -y

During installation, apt asks whether non-root users should be allowed to capture packets. Answer yes (if you answered no, run sudo dpkg-reconfigure wireshark-common later to change it). Then add your user to the wireshark group and log out and back in:

sudo usermod -aG wireshark $USER

Without this, Wireshark needs sudo to capture traffic. With the group membership, you can run it as your normal user: the capture itself is performed by the small dumpcap helper, which the package makes executable by the wireshark group and grants the necessary capture capabilities, so the Wireshark GUI itself never runs as root.

macOS

brew install --cask wireshark

Homebrew installs Wireshark together with ChmodBPF, a launch daemon that changes the permissions of the /dev/bpf* capture devices so that members of the access_bpf group can capture without root. The installer adds your user to that group; log out and back in if Wireshark shows no interfaces afterwards.

Your first capture

Open Wireshark. The start screen shows a list of network interfaces with a live waveform indicating traffic intensity. Double-click the interface you want to listen on — typically eth0, wlan0 or "Ethernet" on Windows.

Packets start scrolling immediately. Click the red square in the top-left to stop the capture. Click the blue shark-fin icon to start a new one.

⚠️ On an active home network, you can accumulate millions of packets quickly. Use capture filters (see below) to limit what gets recorded, or let the capture run briefly and stop it manually.

Reading the packet list

Wireshark's main window is split into three panes:

Packet list (top): one row per captured packet with number, time, source, destination, protocol, length and a one-line summary.
Packet details (middle): the decoded protocol layers of the selected packet as an expandable tree (Ethernet, IP, TCP, HTTP and so on).
Packet bytes (bottom): the raw bytes of that packet as hex and ASCII.

Click a packet in the list to explore its details. Click a line in the detail tree to highlight the corresponding bytes in the hex view.

Display filters — the most important skill

Display filters control what you see in the packet list without deleting any data. They do not change the capture, only the view. The filter bar sits at the top of the window and turns green for a valid filter, red for invalid and yellow as a warning.

Essential display filters:
dns — DNS traffic only
http — HTTP only (unencrypted)
tls — TLS/HTTPS only
arp — ARP broadcasts only
ip.addr == 192.168.1.100 — all traffic to/from one IP
ip.src == 192.168.1.100 — traffic from one IP only
tcp.port == 443 — traffic on port 443 only
!arp && !dns — hide ARP and DNS noise
http.request.method == "POST" — HTTP POST requests only

Combine filters with && (and), || (or) and ! (not). To exclude a host, write !(ip.addr == 192.168.1.100) rather than ip.addr != 192.168.1.100: a packet has two ip.addr values (source and destination), and Wireshark versions before 3.6 read the != form as "either address differs", which matched almost every packet. Right-click a field in the detail tree and Wireshark will build the filter expression for you.

Capture filters vs display filters

There is an important difference between the two:

Capture filters are applied by the capture driver before a packet is stored. They use the BPF syntax that tcpdump also uses (for example port 53, host 192.168.1.10, not arp), and anything they drop is gone for good.
Display filters are applied afterwards to packets already in the capture, use Wireshark's own field syntax (dns, ip.addr == 192.168.1.10), and can be changed or cleared at any time without losing data.

Use capture filters to keep file sizes manageable during long captures. Use display filters for analysis. Set capture filters in the "Enter a capture filter..." field on the start screen before you double-click an interface.

Follow a TCP stream

Wireshark shows individual packets, but an HTTP request spans many packets. "Follow TCP Stream" reassembles them and shows the full conversation in a readable form.

Right-click any packet in a TCP connection and choose Follow → TCP Stream. Wireshark opens a window showing the full exchange. For unencrypted HTTP you can read headers, cookies and body content as plain text.

That is exactly what an attacker on your network would see. A strong argument for always using HTTPS and a VPN on public networks.
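What "Follow TCP Stream" does under the hood, as an added example that is not code from the original page or from the Wireshark project: one direction of a connection is rebuilt from individual segments by sequence number, and only then does the plaintext HTTP request become readable. The segments are assumed to have been extracted from a capture already (for instance with tshark -T fields -e tcp.seq_raw -e tcp.payload); the request, the initial sequence number and the delivery order are constructed here, deliberately out of order, with a partial retransmission and with sequence numbers that wrap past 2^32, because real captures contain all three.

```python
"""Added example, not code from the original page: what "Follow TCP Stream"
does with one direction of a connection, reduced to the essentials. Input is
a list of (sequence number, payload) pairs as a capture would give them
(assumed already extracted, e.g. via tshark -T fields -e tcp.seq_raw
-e tcp.payload). The HTTP request and the segment order are constructed."""
import base64

def reassemble(segments, isn):
    """Rebuild a stream from (seq, payload) pairs; isn is the SYN's sequence
    number, so byte 0 of the stream has sequence number isn + 1.
    Segments may arrive out of order, be retransmitted or overlap: every byte
    is written once (first copy wins). Returns (bytes, list of missing offsets)
    so a hole from a dropped packet is reported rather than silently skipped."""
    base = (isn + 1) & 0xFFFFFFFF
    buf, have = bytearray(), bytearray()                 # have[i] = 1 once byte i is known
    for seq, data in segments:
        rel = (seq - base) & 0xFFFFFFFF                  # position in stream; survives 32-bit wrap
        end = rel + len(data)
        if end > len(buf):
            buf.extend(bytes(end - len(buf)))
            have.extend(bytes(end - len(have)))
        for i, byte in enumerate(data):
            if not have[rel + i]:
                buf[rel + i], have[rel + i] = byte, 1
    return bytes(buf), [i for i, h in enumerate(have) if not h]

def extract_secrets(stream):
    """What anyone on the segment reads from a plaintext HTTP request."""
    head, _, body = stream.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    out = {"request": lines[0], "body": body.decode("latin-1")}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "cookie":
            out["cookie"] = value
        elif name == "authorization" and value.lower().startswith("basic "):
            out["basic_credentials"] = base64.b64decode(value[6:]).decode("latin-1")
    return out

# ---- constructed sample: one HTTP request split into three segments ----
REQUEST = (b"POST /login HTTP/1.1\r\n"
           b"Host: intranet.example\r\n"
           b"Cookie: session=abc123\r\n"
           b"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n"     # alice:hunter2
           b"Content-Length: 27\r\n\r\n"
           b"user=alice&password=hunter2")
ISN = 0xFFFFFFD0                                         # chosen so sequence numbers wrap mid-stream

def _seg(start, end):
    return ((ISN + 1 + start) & 0xFFFFFFFF, REQUEST[start:end])

# delivered out of order, with the middle segment partly retransmitted
SEGMENTS = [_seg(90, len(REQUEST)), _seg(0, 40), _seg(40, 90), _seg(40, 60)]

if __name__ == "__main__":
    stream, gaps = reassemble(SEGMENTS, ISN)
    print(gaps or extract_secrets(stream))
```

The gap list is the part Wireshark's own stream window shows as "[N bytes missing in capture file]": if a segment was dropped by the capture (a common result of a busy interface, see the warning above), the reassembled text is silently wrong unless you check for holes.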

Practical homelab examples

Find devices making unexpected DNS lookups

dns

Filter for DNS and check the Source column. See IPs you do not recognise? Look at the domains they are querying. A smart TV resolving Google Analytics domains at 3am is telemetry you did not ask for.

Check that Pi-hole is actually blocking

dns && ip.addr == 192.168.1.x

Replace 192.168.1.x with your Pi-hole's IP. This shows both the queries sent to the Pi-hole and the responses it sends back (ip.dst alone would show only the queries). In Pi-hole's default blocking mode a blocked domain is answered with 0.0.0.0 for A records and :: for AAAA records; a response carrying a real IP was allowed through. To list only the blocked responses, filter on dns.a == 0.0.0.0 || dns.aaaa == ::.

Spot unencrypted HTTP traffic

http

If HTTP is still running on your network, you will see which domains and which devices. Use Follow TCP Stream on an interesting request to check whether cookies or credentials are sent in plain text.

Verify WireGuard is encrypting traffic

udp.port == 51820

Capture on the physical interface (eth0 or wlan0), not on the wg0 tunnel interface where traffic is still in plain text, then activate your WireGuard connection and filter on UDP port 51820 (or the port your peer uses). Wireshark recognises the WireGuard handshake and data messages (the display filter wg also works) but cannot read the payload. Now invert the filter: !(udp.port == 51820) && !arp. Apart from local broadcast chatter, nothing should remain. DNS queries to your ISP's resolver or plain HTTP on the physical interface mean your client is sending that traffic outside the tunnel.

Find rogue DHCP servers

dhcp

DHCP has its own dissector in current Wireshark (the filter was bootp before version 3.0, and older installs still show it that way). Run this filter, trigger a lease renewal on a client if the network is quiet, and check the Source column of the Offer and ACK messages (dhcp.option.dhcp == 2 || dhcp.option.dhcp == 5). Offers or ACKs from more than one server address mean a second DHCP server is answering: either a misconfigured device or a rogue server that can hand clients a malicious gateway and DNS resolver.

Save and open captures

Wireshark saves captures in .pcapng format. Use File → Save As. You can open pcap files from tools like tcpdump directly in Wireshark.

To capture traffic on a headless Raspberry Pi, use tcpdump and analyse the file on your PC:

# Capture 1000 packets on eth0 and save to file
sudo tcpdump -i eth0 -c 1000 -w capture.pcap

# Copy to your PC and open in Wireshark (replace user and pi-address with your own)
scp user@pi-address:~/capture.pcap .

Useful keyboard shortcuts

Ctrl+E          — Start/stop capture
Ctrl+Shift+F    — Display filter search
Ctrl+Alt+Shift+T — Follow TCP stream
Ctrl+G          — Go to packet number
Ctrl+M          — Mark/unmark packet

Frequently asked questions

Can Wireshark see encrypted HTTPS traffic?

Not the content. You can see that a TLS connection is happening, when, to which IP and usually which server name was requested (the SNI field in the ClientHello is sent in the clear), but not what is being sent. Wireshark can decrypt HTTPS if you have the TLS session keys: Firefox and Chrome write them to the file named in the SSLKEYLOGFILE environment variable if it is set before the browser starts, and you point Wireshark at that file under Edit → Preferences → Protocols → TLS → (Pre)-Master-Secret log filename. Useful for debugging your own browser's traffic, not for eavesdropping.

Can I see traffic from other devices on my network?

Not directly on a modern switched network. Switches only send traffic to the destination port. To see other devices' traffic you need port mirroring on a managed switch, or run Wireshark on the router or Pi that sees all traffic passing through it.

What is the difference between Wireshark and tcpdump?

tcpdump is command-line and runs anywhere, including headless on a Pi. Wireshark has a GUI and is better for interactive analysis. Both use the same capture format (pcap/pcapng). The typical workflow: capture with tcpdump on the Pi, analyse with Wireshark on your PC.
