# Wireshark
## What is Wireshark
Wireshark is a free and open-source network protocol analyzer and packet capture tool. It is one of the most widely used network troubleshooting and analysis tools in the world. Wireshark captures packets from a network interface and displays detailed information about each packet including the protocol being used, the source and destination addresses, and the full content of each packet. It can analyze captured packets in real time or read packets from previously saved capture files.
## How Wireshark Works
Wireshark puts the network interface into promiscuous mode, which allows it to capture all packets on the network segment, not just packets addressed to the local machine. It uses a packet capture library called libpcap on Unix systems and WinPcap or Npcap on Windows to capture packets at the network driver level. Captured packets are stored in memory and displayed in the Wireshark graphical interface in real time. The interface shows each packet on one line with a summary, and clicking on a packet shows the detailed protocol dissection of its headers and data.
## Wireshark Interface
The main Wireshark interface has three panes. The packet list pane at the top shows one line per captured packet with columns for packet number, time, source address, destination address, protocol, length, and a brief description. The packet details pane in the middle shows a tree-structure breakdown of all the protocol layers in the selected packet, allowing inspection of every field in every header. The packet bytes pane at the bottom shows the raw hexadecimal and ASCII representation of the packet data.
## Capture Filters
Capture filters are applied during packet capture so that only packets matching specific criteria are captured, reducing the amount of data captured. Capture filters use Berkeley Packet Filter (BPF) syntax. Examples include `host 192.168.1.1` to capture only traffic to or from that IP, `port 80` to capture only traffic on port 80 (conventionally HTTP), `tcp` to capture only TCP traffic, and combinations like `host 192.168.1.1 and port 443` to capture HTTPS traffic to or from a specific host.
## Display Filters
Display filters are applied after capture to show only packets matching specific criteria from the already-captured data. Wireshark display filters use a different syntax from capture filters. Examples include `ip.addr == 192.168.1.1` to show packets with that IP as either source or destination, `tcp.port == 80` for traffic with port 80 as either source or destination port, `http` for all HTTP traffic, and `dns` for all DNS traffic. Filters can be combined with the `and`, `or`, and `not` operators.
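To make the two filter sections above concrete, here is an added example (not Wireshark's own code) that builds a tiny libpcap-format capture in memory from constructed Ethernet/IPv4/TCP frames, dissects each record the way the packet details pane would, and applies a display-filter-style predicate equivalent to `ip.addr == host and tcp.port == port`. The frame builder, field names and sample addresses are assumptions made for the illustration.

```python
import struct

def build_pcap(frames):
    """Constructed libpcap file: 24-byte global header (link type 1 = Ethernet)
    followed by one 16-byte record header per frame."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    body = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return hdr + body

def make_tcp_frame(src_ip, dst_ip, sport, dport):
    """Constructed Ethernet/IPv4/TCP SYN frame, no payload, checksums left zero."""
    eth = b"\x00" * 12 + b"\x08\x00"                  # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return eth + ip + tcp

def read_pcap(data):
    """Yield a dissected field dict per IPv4 record (hypothetical field names)."""
    magic, = struct.unpack("<I", data[:4])
    endian = "<" if magic == 0xA1B2C3D4 else ">"      # byte order written by the capturer
    offset = 24
    while offset + 16 <= len(data):
        _, _, caplen, _ = struct.unpack(endian + "IIII", data[offset:offset + 16])
        frame = data[offset + 16:offset + 16 + caplen]
        offset += 16 + caplen
        if frame[12:14] != b"\x08\x00":               # not IPv4: skip
            continue
        ihl = (frame[14] & 0x0F) * 4                  # IPv4 header length in bytes
        proto = frame[23]
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        sport = dport = None
        if proto == 6:                                # TCP: ports sit right after IP header
            sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
        yield {"ip.src": src, "ip.dst": dst, "ip.proto": proto,
               "tcp.srcport": sport, "tcp.dstport": dport}

def matches(pkt, host=None, port=None):
    """ip.addr == host matches either endpoint; tcp.port == port matches either port."""
    if host is not None and host not in (pkt["ip.src"], pkt["ip.dst"]):
        return False
    if port is not None and port not in (pkt["tcp.srcport"], pkt["tcp.dstport"]):
        return False
    return True

def filter_pcap(data, **criteria):
    return [p for p in read_pcap(data) if matches(p, **criteria)]

SAMPLE = build_pcap([make_tcp_frame("192.168.1.1", "10.0.0.5", 443, 51000),
                     make_tcp_frame("10.0.0.5", "8.8.8.8", 40000, 80)])
```

Running `filter_pcap(SAMPLE, host="192.168.1.1", port=443)` returns only the first record, mirroring what the display filter `ip.addr == 192.168.1.1 and tcp.port == 443` would leave in the packet list pane.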
## Practical Uses of Wireshark
Wireshark is used to troubleshoot slow network performance by identifying retransmissions, high latency, and congestion. It is used to diagnose application issues by examining the actual requests and responses exchanged between client and server. Security analysts use it to analyze suspicious traffic and investigate incidents. Network developers use it to verify that their implementations send and receive correct packets. Students use it to see how protocols actually work in practice.