Wireshark Tutorial for Beginners | Network Scanning Made Easy

Anson Alexander
Learn how to use Wireshark to easily capture packets and analyze network traffic. View packets being...
Video Transcript:
Wireshark is one of the most powerful network traffic analyzers for both Mac and Windows. I'm going to show you how to use it to view the traffic on your network, analyze packet data, and identify any problematic or malicious activity. This video is an update to a Wireshark tutorial that I published over 8 years ago.
Since then, I've learned a lot more about Wireshark and cybersecurity in general. So let's get into it. Wireshark is free to download and use for both Mac and Windows.
When you first install it, there's an additional package that you also have to install, at least on Mac (the installer calls it ChmodBPF; it gives your user account permission to capture on the /dev/bpf* devices without running Wireshark as root), so just make sure to read the readme files that you see when you first download it. Now once it's installed and open, you can immediately see in the capture section which network interfaces are picking up traffic. You obviously have to be connected to the networks that you want to look at with the device, the computer that you're using.
Generally speaking, you're going to want to look at your Ethernet or your Wi-Fi. Capturing your own machine's traffic works on either. Seeing other devices' Wi-Fi traffic is a different matter, because that needs the adapter in monitor mode, and whether that works depends on your hardware and driver. Mac users should be totally fine.
They have been for a long time with Wireshark able to do that. There have been some issues with Windows in the past, where only some adapters support monitor mode through Npcap. So to get started, and just to jump right in and make sure we're getting good data, let's just double click on Ethernet to take a look.
When we double click, immediately Wireshark starts capturing packets and we can let it go and capture packets for as long as we'd like. So if you're troubleshooting a particular website or something like that, you'll want to try and access that website now while it's capturing. And then once you think you have enough data, once enough time has gone by, you can go ahead and you can click on the red stop button up here at the top left.
So now we have some information to work with. You can see at the very bottom of the screen, it tells us that it captured 242 packets and of those, all of them, 100% of them are currently being displayed. But as we filter things here in Wireshark, we'll probably drill that down so we're not seeing all of them at once.
Each of the rows that you see on the screen is a single packet of information. Whenever information is transferred over a network, it's transferred via packets. That means that every time you load a webpage, every time you upload or download something, packets of information are being transferred between your computer and a web server.
There are also a bunch of packets, especially nowadays, that are being transferred at any given time, especially as all of your IoT devices, your smart devices, communicate with each other and the router to make sure that they still have a connection. Because of this, one of the major challenges of Wireshark, and of doing network audits in general, is sifting through all of the unimportant stuff, or at least the stuff that's not important right now. So I'm going to show you how we can get a bird's eye view of really just everything that's going on here in Wireshark and then how we can go from there and filter things out to drill down and find exactly what we're looking for.
The first thing I like to do when looking at a new packet capture, or PCAP as it's known, is to go up here in Wireshark to the Statistics dropdown. Now there are some really cool statistics in here. I'm not going to go through all of them.
I'm going to go to one in particular, but do note that this menu exists and it's a really good place to go if you're looking for general information, especially Capture File Properties. This shows the properties of the entire PCAP that you have in front of you. But what I want to do is click on this Conversations option.
Now when I do that, this window pops up here in Wireshark and I can now see all of the conversations that are part of the PCAP that I just captured. There are some tabs up here at the top to go through the different protocols (Ethernet, IPv4, TCP, UDP and so on). So I could for instance go to the TCP tab and I can see that this particular IP address was communicating with, this happens to be my computer's IP address, and 591 bytes were sent in this conversation.
We can see how many packets were sent from A to B (3) and from B to A (4), how large those packets were, the duration of the conversation, and all of this really cool information. I should mention that any time you're doing network analysis, it's a good idea to know some of the IP addresses on your network. So for example, I know that my computer is 192.168.1.220.
You can find that out just by going to your network settings on your computer, whether it's Mac or Windows, it'll be right in there. You also might want to know the IP address of your router. And if there's a particular device that you're trying to troubleshoot, it's a good idea to know the MAC address of that device so that you can find it and see if it's even accessing the network at all.
One thing to look for in this section is whether your computer, so looking at your computer's IP address, is having any long conversations with an unknown device. If you see that happening, you could then dig a little bit deeper in Wireshark and try and discover what the purpose of the communication is or what device it's trying to communicate with. And actually, that brings up a good point, and I want to step back for a second.
You see, Wireshark is an incredibly powerful tool, but it's kind of like an open world sandbox game. It's better used with a particular goal in mind. So some examples include a device not working on your network, and maybe you can use Wireshark to see if there's any communication at all.
Maybe someone at your organization thinks they've been phished, so you want to reopen the link that they got in the sketchy email while capturing with Wireshark, obviously on a safe machine, to see what information can be gathered. Or more simply, maybe just to see what devices are constantly communicating on your network to see if you can improve your bandwidth. Wireshark can help with all of these situations, but the filters that you use and the packets that you focus on will be different.
So the rest of this video will be focused on helping you learn how to use Wireshark from a general perspective so that you can then start to learn on your own and seek tutorials specific to your situation. Okay, back to the conversation statistics pop-up where we left off. Here is where some Wireshark awesomeness happens.
You see, I brought you here to get a bird's eye view of everything that's going on in Wireshark, but we can actually use this screen to start filtering our packets. So what we can do is we can find an IP address that we want to, let's say we want to look at all the packets to and from a particular IP address. So I have my IP address and I want to find where it's in this address A field.
It's just going to make it a little bit easier for us. And then I'm going to right click on my IP address and I'm going to go to apply as filter. And then I'm going to go to selected and we have a number of different options in here.
I'm just going to quickly go over them a little bit so you kind of have an idea of what's going on. But you'll notice that the first one will filter on this particular conversation stream. So just this entire conversation.
The A, B with the two arrows will filter any packets that were sent between both A and B. The A arrow to B will show any packets sent from A to B. The next one is any packets B to A.
And then we've got this one, A is either sending or receiving from any IP address. And that's the one that we're actually going to use. But you can kind of use which one is specific to your situation.
So when I click on this, you'll notice that a filter is now automatically put up here in the top. And because we were on the TCP tab, the filter included the port as well (it looks like ip.addr == 192.168.1.220 && tcp.port == <the port from that row>), which I don't really want for this particular situation. So I'm just going to close out the conversation window.
And then I can go into my filter and I can just delete out that port number part. So we can see it says ip.addr == 192.168.1.220.
That is how you can find any packets that were sent either to or from that IP address. You could have typed this in manually, but I showed you how you can do it a little bit easier by right clicking and applying those filters. You can do that from anywhere in Wireshark.
So you can right click in here and you can apply filters. You can follow conversations, which we're going to look at in a second. But just don't be afraid to use that right click.
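As an added example (not code from the video or from Wireshark itself), here is the conversation table and the ip.addr filter done by hand in Python: it writes a tiny classic-pcap file in memory, reads it back, and tallies packets and bytes per direction the way the TCP tab of Statistics > Conversations does. The addresses (192.168.1.220 from the video, plus RFC 5737 and RFC 1918 addresses), ports, timestamps and payload sizes are all constructed.

```python
"""Added example, not code from the video or the Wireshark project: a tiny
classic-pcap writer/reader plus the two things we just did in the GUI, the
Statistics > Conversations table and the ip.addr == <host> display filter.
Every address, port, timestamp and byte count below is constructed."""
import ipaddress
import struct

# Classic pcap constants (https://wiki.wireshark.org/Development/LibpcapFileFormat).
PCAP_MAGIC_USEC = 0xA1B2C3D4
PCAP_MAGIC_NSEC = 0xA1B23C4D
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
SYN, SYNACK, ACK, PSHACK = 0x02, 0x12, 0x10, 0x18


def tcp_frame(src, dst, sport, dport, flags, payload=b""):
    """Ethernet/IPv4/TCP frame with zeroed MACs and checksums; Wireshark does
    not need valid checksums to dissect a capture."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0x4000,
                     64, IPPROTO_TCP, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp + payload


def build_pcap(records):
    """records: [(timestamp in seconds, frame bytes), ...] -> classic pcap bytes."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 262144, LINKTYPE_ETHERNET)]
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def parse_pcap(data):
    """Yield one dict per IPv4/TCP frame; other link types and protocols are skipped."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):   # byte-swapped magic: big-endian file
        endian, magic = ">", struct.unpack_from(">I", data, 0)[0]
    else:
        raise ValueError("not a classic pcap file (pcapng is a different format)")
    ts_div = 1e9 if magic == PCAP_MAGIC_NSEC else 1e6
    link_type = struct.unpack_from(endian + "I", data, 20)[0]
    off = 24
    while off + 16 <= len(data):
        sec, frac, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, off)
        frame = data[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        pkt = decode_tcp(frame) if link_type == LINKTYPE_ETHERNET else None
        if pkt:
            pkt.update(ts=sec + frac / ts_div, frame_len=orig_len)
            yield pkt


def decode_tcp(frame):
    """Ethernet -> IPv4 -> TCP; returns None for anything else."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4                      # IPv4 header length
    total_len = struct.unpack_from("!H", frame, 16)[0]
    if frame[23] != IPPROTO_TCP:
        return None
    t = 14 + ihl                                      # start of TCP header
    sport, dport = struct.unpack_from("!HH", frame, t)
    data_off = (frame[t + 12] >> 4) * 4
    return {"src": str(ipaddress.IPv4Address(frame[26:30])),
            "dst": str(ipaddress.IPv4Address(frame[30:34])),
            "sport": sport, "dport": dport, "flags": frame[t + 13],
            "payload": frame[t + data_off: 14 + total_len]}


def conversations(pkts):
    """Equivalent of the TCP tab in Statistics > Conversations. Endpoint A is
    whichever side sent the first packet, as Wireshark does."""
    table = {}
    for p in pkts:
        a, b = (p["src"], p["sport"]), (p["dst"], p["dport"])
        c = table.setdefault(frozenset((a, b)), dict(
            a=a, b=b, packets_ab=0, packets_ba=0, bytes_ab=0, bytes_ba=0,
            start=p["ts"], end=p["ts"]))
        d = "ab" if a == c["a"] else "ba"
        c["packets_" + d] += 1
        c["bytes_" + d] += p["frame_len"]            # Wireshark counts whole frames
        c["end"] = max(c["end"], p["ts"])
    for c in table.values():
        c["duration"] = c["end"] - c["start"]
    return sorted(table.values(), key=lambda c: c["start"])


def filter_ip_addr(pkts, host):
    """ip.addr == host: matches the address in EITHER direction."""
    return [p for p in pkts if host in (p["src"], p["dst"])]


ME, SERVER, ROUTER, OTHER = "192.168.1.220", "203.0.113.10", "192.168.1.1", "192.168.1.50"
SAMPLE_PCAP = build_pcap([                             # constructed capture
    (0.000, tcp_frame(ME, SERVER, 51000, 443, SYN)),
    (0.020, tcp_frame(SERVER, ME, 443, 51000, SYNACK)),
    (0.021, tcp_frame(ME, SERVER, 51000, 443, ACK)),
    (0.022, tcp_frame(ME, SERVER, 51000, 443, PSHACK, b"x" * 100)),
    (0.080, tcp_frame(SERVER, ME, 443, 51000, PSHACK, b"y" * 300)),
    (2.000, tcp_frame(OTHER, ROUTER, 3000, 80, PSHACK, b"z" * 40)),
])

if __name__ == "__main__":
    packets = list(parse_pcap(SAMPLE_PCAP))
    for c in conversations(packets):
        print(f"{c['a'][0]}:{c['a'][1]} <-> {c['b'][0]}:{c['b'][1]}  "
              f"A->B {c['packets_ab']} pkts/{c['bytes_ab']} B  "
              f"B->A {c['packets_ba']} pkts/{c['bytes_ba']} B  {c['duration']:.3f}s")
    print(len(filter_ip_addr(packets, ME)), "packets to or from", ME)
```

One gotcha worth knowing once you've seen how ip.addr matches either direction: ip.addr != 192.168.1.220 does not exclude that host, because a packet matches as soon as one of its two addresses is something else. Use !(ip.addr == 192.168.1.220) instead.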
There's a lot of valuable options from there. Now before we go any further, let's capture a more interesting PCAP so that we have some additional data to work with. So what I'm going to do is I'm just going to go up here and I'm going to go to the file menu.
I'm on a Mac; on Windows it's the same File menu. You're just going to close this particular PCAP. And it's going to ask you, do you want to save it?
You can save your PCAPs. You can export them to open them up and send them to people. We don't want to save this.
This wasn't important. So I'm going to hit continue without saving. It brings me back to the initial screen.
Now I'm going to start a new capture, but I'm going to be prepared and I'm going to load up a couple of websites while I do that capture so that we have some better data in there. Okay, so we will double click on Ethernet. And now I'm just going to load this one website.
And I'm going to load this other website. Make sure that one's actually loading. Okay, so I've loaded a couple of websites.
Now let's go ahead and hit stop. Now notice that we still have this filter up here. So I'm just going to delete that out so we can see everything.
So we can see we captured, if we look at the bottom, 5,536 packets. All of them are currently being displayed. So now what?
Well, it depends what you're looking for. But let's talk about looking for some general stuff. So first of all, in this filter bar, one thing that you can look at is plaintext traffic: if you're kind of afraid that somebody got hacked or phished or there's something sketchy going on, anything sent over an unencrypted connection is readable by whoever captured it, so that's a natural place to start.
So you might want to look at HTTP rather than encrypted HTTPS. So in your filter here, you can just type http. And you'll notice when it turns green, it means that it is a valid display filter.
If it's red, it's not going to parse, so you need to figure out what's wrong with it. But it's green, so we can hit enter.
And now we're seeing all of the HTTP requests and responses. These happen to be from the website that I loaded that was insecure; it was plain HTTP.
I want to show you something interesting about this. So notice, we can just click on really any of these packets. And we start to see this information down here at the bottom.
So let's close up some of these. I have these all open. But I think it'll be easier if we see it from a little bit of a higher level.
So you can see within this packet, we've got a number of different protocols that are encapsulated. We've got Ethernet, then IP, then TCP, and then we've got HTTP. So this is the one that we're kind of looking at when we search for this.
And if we notice that Wireshark kind of highlights in blue things that you might find interesting here in Wireshark. So if we can drill this down, we can open this up. And you'll notice that we start to see information about what was happening here.
So we can see from the User-Agent header that it was accessed from an Intel Mac running macOS. We can see what browser was used. So what we can actually do is we can actually just right click on one of these packets up here.
And we can go to this follow option, which is used quite a bit here. And we want to follow the HTTP stream. And this will pop up a new window for us that essentially shows us all of the information that was sent in these packets.
Now the reason I'm showing you this HTTP is because if you were looking at a packet sent over an encrypted connection, you wouldn't really be able to read anything. A few little things would still be visible, like the server name in the TLS handshake and roughly how much data moved and when, but not the content, and not the browser or computer type, because the headers are encrypted too. But notice what we've got here.
We have this entire web page. This is the web page I went to. It's here in Wireshark now.
I could save this as an .html file, open it in a browser, and it would render the web page. So we've got everything in here. So what this means is that this is how credentials get stolen over plain HTTP, which is what makes a phishing page served over HTTP so dangerous.
So the way phishing works is somebody sends you a link that maybe looks like your Bank of America link or a social media link. Oftentimes they have a reason. Maybe they know you're using Bank of America.
So they're trying to trick you. They're targeting you. And you open up that link.
And that link happens to look just like a Bank of America page, but it's not. It's a page that they built. They can build them super fast.
And it's served over a plain HTTP connection. So you enter your username and password. Whoever runs that fake page gets them directly, and on top of that, anyone who's tapped into the network in between can open Wireshark, follow the stream exactly as we just did,
and read your username and password right there in the POST body. So that is how an easy credential theft actually works. You can do it with Wireshark, but you can also see it happening with Wireshark.
So I just wanted to show you that. And so we've got this entire web page here. So we can close this out.
We drilled all the way down and saw everything that was transferred in that packet. And now, because we followed that stream, Wireshark has put a tcp.stream filter up top for us, so we're seeing all of the packets that were exchanged within that stream. So that's awesome.
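Here is what Follow > TCP Stream and the credential leak look like in code, as an added example that is not from the video: constructed client segments (a made-up login POST to bank.example, a reserved example domain, with made-up field values) arrive out of order and with a retransmission, are reassembled by sequence number, and the form fields are parsed out of the plaintext body. A second constructed request shows the other common plaintext leak, HTTP Basic authentication. Nothing in it comes from a real capture.

```python
"""Added example, not code from the video: what Follow > TCP Stream does,
written out. Constructed client segments arrive out of order with one
retransmission, get reassembled by sequence number, and the plaintext HTTP
POST is parsed so the form fields are readable. Host, path, field names,
values and sequence numbers are all made up."""
import base64
from urllib.parse import parse_qs

# Constructed request: a login form submitted over plain HTTP.
REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: bank.example\r\n"
    b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15)\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 37\r\n"
    b"\r\n"
    b"username=alice&password=hunter2&btn=1"
)
# Constructed request using HTTP Basic auth ("bob:s3cret", base64-encoded).
BASIC_REQUEST = (
    b"GET /admin HTTP/1.1\r\n"
    b"Host: bank.example\r\n"
    b"Authorization: Basic Ym9iOnMzY3JldA==\r\n"
    b"\r\n"
)
ISN = 1000  # constructed initial sequence number for the client side


def segments_from(data, cuts, isn):
    """Split a byte string into (absolute seq, payload) TCP segments at the given offsets."""
    return [(isn + s, data[s:e]) for s, e in zip(cuts, cuts[1:])]


def sample_segments():
    """Four segments delivered as 3, 1, 4, 2, 2: out of order plus one retransmission."""
    segs = segments_from(REQUEST, [0, 40, 95, 140, len(REQUEST)], ISN)
    return [segs[2], segs[0], segs[3], segs[1], segs[1]]


def reassemble(segments, isn):
    """Put one direction of a stream back together. Overlapping bytes
    (retransmissions) are dropped; at the first hole we stop and report it,
    the case Wireshark marks as 'TCP Previous segment not captured'."""
    expected, out, gaps = isn, bytearray(), []
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        end = seq + len(payload)
        if end <= expected:
            continue                      # already have every byte of this segment
        if seq > expected:
            gaps.append((expected, seq))  # missing bytes [expected, seq)
            break
        out += payload[expected - seq:]   # skip the overlapping prefix
        expected = end
    return bytes(out), gaps


def parse_http_request(raw):
    """Minimal HTTP/1.x request parser: request line, headers, body by Content-Length."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    body = rest[: int(headers.get("content-length", len(rest)))]
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def extract_credentials(req):
    """Pull out whatever a sniffer would log: form fields and HTTP Basic auth."""
    found = {}
    if req["headers"].get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for k, v in parse_qs(req["body"].decode("latin-1")).items():
            found[k] = v[0]
    auth = req["headers"].get("authorization", "")
    if auth.lower().startswith("basic "):
        user, _, pw = base64.b64decode(auth[6:]).decode("latin-1").partition(":")
        found["basic_auth"] = (user, pw)
    return found


if __name__ == "__main__":
    stream, holes = reassemble(sample_segments(), ISN)
    req = parse_http_request(stream)
    print(req["method"], req["target"], "from", req["headers"]["user-agent"])
    print("visible on the wire:", extract_credentials(req), "holes:", holes)
    print("basic auth:", extract_credentials(parse_http_request(BASIC_REQUEST)))
```

In Wireshark the same stream is one click away: http.request.method == "POST" finds form submissions, and Follow > TCP Stream (or tcp.stream eq N) shows the reassembled bytes. Over TLS the same POST shows up as opaque application data, which is the whole point of the next section.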
But how can we look at secure traffic? Well, to look at insecure traffic, we used the http filter. HTTPS is HTTP inside TLS, so to find it we filter on TCP, but on a specific port.
And that's usually port 443 (port 80 is plain HTTP, the unencrypted kind). Some servers use alternatives like 8443, but generally you're going to be looking at port 443. You can also just type tls as the filter, which matches on the protocol rather than the port.
So what you would want to do is type tcp.port == 443 and hit Enter.
And this will show you all of the packets that were sent on TCP port 443, aka the encrypted traffic. When we start to look at the actual data within these packets, we can't read it because it's encrypted. Now, if you have the keys, you can actually give them to Wireshark and it will decrypt it.
So if you're doing some hardcore security on an organizational network and you want to see the data that's being sent or not sent here in Wireshark, you can point Wireshark at the session keys. The usual way is to have the browser write them to a file with the SSLKEYLOGFILE environment variable (Firefox and Chrome support it) and set that file under Preferences > Protocols > TLS > (Pre)-Master-Secret log filename. A server's RSA private key only helps for the old RSA key exchange, which forward-secret cipher suites and TLS 1.3 don't use. That's fairly advanced, though, so we're not going to look at it in this video.
Now, since we've been doing some different filters and stuff, I want to show you how to create a button here in Wireshark. So we did this filter to show all the traffic on port 443. What we can do is instead of having to type that every time, we can go over here to the right side of the screen and click on the plus icon.
Now it allows us to create a filter button. So we can just call this HTTPS, or port 443, whatever we want to call it. We can enter some comments.
We can change the filter over here if we wanted to, but then we can click OK. And now we have this nice HTTPS button over here. So if we were to delete out our filter and view everything that we've captured and click HTTPS, boom, there we go.
So we've now created our first button. And I'm going to give you a bunch of filters here towards the end, and you should probably create a button for all of them because they're really commonly used filters. Okay, let's clear out this filter.
Let's start to talk about some coloring rules here in Wireshark. You've probably noticed I have some black lines, purple, green. What do they all mean?
Well, the easy way to find out is we want to go up here to the View menu and we want to go to Coloring Rules. And here you can see, and modify if you want to, all of the coloring rules here in Wireshark. So you can see black has to do with bad TCP (the packets Wireshark's TCP analysis flagged), red has to do with TCP resets, aborted connections and that sort of thing.
So you can kind of get an idea. I'm going to show you some filters that might help you kind of see these, specifically these on your own network as well. But anytime you're wondering what exactly the coloring stands for, this is where you can find it and where you can modify it if you'd like.
So if we scroll down here a little bit, let's go. You'll notice on the right side of the scroll bar, we can kind of see the coloring as well. So these are things that Wireshark is highlighting.
It's an analysis tool. So it captures the information, which a lot of different tools can do. But then Wireshark runs its own analysis on that information and that's where these colored lines come through.
These red ones and black ones, Wireshark is saying, "Hey, there might be something here." It's not like, "Hey, this is guaranteed malware. You're in trouble."
This is, you might want to take a look at this. If you're looking for something on this network, these are good places to start. So we can see we've got maybe some spurious retransmissions.
This often happens at the beginning of a capture. You'll notice as the capture went on, it kind of stopped. So I wouldn't really worry about that, but I know people do ask in my other tutorial, people asked about that a lot.
But I'm going to show you how you can find those a little bit easier later. I'm going to show you a filter that will only pull out the packets Wireshark flagged. So we'll get back to that.
But one thing I want to do is I want to do two quick things here. First of all, is I want to show you the preferences real quick. So in Mac, I'm going to go up to Wireshark and go to preferences.
But if you're using Wireshark, I'm sure you can find out how to get in the preferences on Windows too. So go into your preferences. And then within here, there's a cool option within the layout section.
So you can change how your windows are laid out. So by default, we have this one, two, three, which works pretty well. But one thing that is kind of a newer feature of Wireshark that people like to see sometimes is instead of in this third field, seeing the packet bytes, there's actually an option to see the packet diagram.
And if you enable that, you can actually see how this packet is structured. I think this is really good, especially for educational purposes. So you might want to poke around in Wireshark a little bit to see the actual structure of the packet, how many bytes it is, how the bytes are structured, that sort of thing.
But so yeah, that's a cool option as well. Another thing that I want to show you is how to add delta time here in Wireshark. So we have all of these columns up across the top, but they're completely customizable.
So I can just go to my preferences again. And this time I'm going to go to appearance and then columns. You'll notice that we can click the plus icon to add new columns.
So I could give this a name, say, call it delta. Well, I'll just call it delta. And then we can double click in this type field and choose the type.
We want delta time. So you can see you've got a number of different options. And then I can just, I can actually drag this field where I'd like it.
So I don't want it at the end. So we'll click OK. You'll notice we now have the delta field so we can see delta time as well here in Wireshark.
Okay, so now we've gone through a lot of the user interface and we've modified some settings. So now I'm going to show you a bunch of useful filters. I'll warn you though, this section of the video is probably more helpful for advanced users or at least once beginner users have played around a bit and are looking for some specific information.
So the first filter is a general filter that will hide less commonly looked at protocols. To do this, we type an exclamation point, then open parentheses, and then add all the protocols that we don't want to see, separated by or.
So it ends up as !(arp or stp or lldp or cdp). And right now, if we look at the bottom of Wireshark, we're displaying 5,536.
Apply that filter and we've taken out, you know, only 11, because like I said, those aren't looked at that much. But this will clear things up a bit depending on how long your capture is. So you might want to add that one as a button.
Now the next one that we're going to look at is to see all of your TCP SYN flags, aka the first part of the three-way handshake. So this is when connections are being opened. So we're going to go up here to the filter field.
And for this one, we're going to do tcp.flags.syn == 1. We can actually click and choose it from the autocomplete.
We don't have to type it all out. Then hit Enter.
These are all of our SYNs. One caveat: this also matches the SYN-ACK that comes back from the server, since it has the SYN flag set too. If you only want the client's opening packet, use tcp.flags.syn == 1 && tcp.flags.ack == 0. So again, if you know what you're doing with network security, hopefully you find this helpful. I think you know what I'm trying to show you here.
So that one might be another good button as well. The next filter is the one that I told you about earlier. How can we see just the stuff that Wireshark flagged?
We can go up here. And for this one, we can type tcp.analysis.flags.
And you'll notice that now we're only seeing the packets Wireshark flagged. For those of you who are really just using it for the first time and you're worried that there's something going on in your network, you might want to start here.
There's probably nothing. I don't think, you know, looking through here, I don't, these are just kind of dropped packets and things like that. Retransmissions, fast retransmissions, spurious retransmissions, but they're not like a ton of them at once.
So you know, this isn't that concerning, but it's a good place to look if that's what you're looking for. To see if there are any packets from an abortive release, aka one of your devices said, no, I'm not talking to you, go away, which can be a red flag (a RST is also what a closed port sends back when somebody port-scans a host), we can use the filter tcp.flags.reset == 1.
You can see it's auto-filling for me.
So I do have a few of those. So you know, this is definitely something to potentially look at. So obviously there are a ton of filters that you can use and you can even get really creative with your filters here in Wireshark, but these filters should help you get started in digging deeper.
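The filters from this section applied in code, as an added example that is not from the video: a hand-built packet list (RFC 1918 and RFC 5737 addresses, flags as strings) is run through !(arp or stp or lldp or cdp), tcp.flags.syn == 1, tcp.analysis.flags and tcp.flags.reset == 1, with a simplified retransmission check standing in for Wireshark's TCP analysis, plus a per-source count of half-open SYNs that flags a port scan, which is something you build on top of the SYN filter rather than get from Wireshark directly. Every packet record and threshold is constructed.

```python
"""Added example, not code from the video: the four display filters from this
section, simplified versions of two things Wireshark's TCP analysis flags
(retransmissions and resets), and a SYN-per-port count for spotting a scan.
The packet list is hand-built; addresses are RFC 1918/5737 examples."""
from collections import defaultdict


def pkt(proto, src, dst, sport=None, dport=None, flags=(), seq=0, plen=0):
    """One constructed packet record; src/dst are MACs for layer-2 protocols."""
    return dict(proto=proto, src=src, dst=dst, sport=sport, dport=dport,
                flags=frozenset(flags), seq=seq, plen=plen)


ME, SERVER, SCANNER = "192.168.1.220", "203.0.113.10", "192.168.1.77"
PACKETS = [
    pkt("arp", "aa:bb:cc:00:00:01", "ff:ff:ff:ff:ff:ff"),                         # 0
    pkt("tcp", ME, SERVER, 51000, 443, {"SYN"}, seq=100),                        # 1 handshake
    pkt("tcp", SERVER, ME, 443, 51000, {"SYN", "ACK"}, seq=5000),                # 2
    pkt("tcp", ME, SERVER, 51000, 443, {"ACK"}, seq=101),                        # 3
    pkt("tcp", ME, SERVER, 51000, 443, {"PSH", "ACK"}, seq=101, plen=50),        # 4 data
    pkt("tcp", ME, SERVER, 51000, 443, {"PSH", "ACK"}, seq=101, plen=50),        # 5 retransmission
    pkt("tcp", SERVER, ME, 443, 51000, {"RST", "ACK"}, seq=5001),                # 6 abortive release
    pkt("lldp", "aa:bb:cc:00:00:02", "01:80:c2:00:00:0e"),                        # 7
] + [
    pkt("tcp", SCANNER, SERVER, 40000 + i, port, {"SYN"}, seq=1)                  # 8-13 SYN scan
    for i, port in enumerate((22, 23, 80, 443, 445, 3389))
] + [
    pkt("stp", "aa:bb:cc:00:00:02", "01:80:c2:00:00:00"),                         # 14
]

NOISE = {"arp", "stp", "lldp", "cdp"}


def hide_noise(pkts):
    """!(arp or stp or lldp or cdp)"""
    return [p for p in pkts if p["proto"] not in NOISE]


def syn_packets(pkts, initial_only=True):
    """tcp.flags.syn == 1; with initial_only also && tcp.flags.ack == 0,
    so the server's SYN-ACK does not count."""
    return [p for p in pkts if p["proto"] == "tcp" and "SYN" in p["flags"]
            and not (initial_only and "ACK" in p["flags"])]


def reset_packets(pkts):
    """tcp.flags.reset == 1"""
    return [p for p in pkts if p["proto"] == "tcp" and "RST" in p["flags"]]


def analysis_flags(pkts):
    """Simplified tcp.analysis.flags: (index, reason) for every packet that is
    a retransmission (same direction, same starting seq, carrying data we have
    already seen) or a reset. Real Wireshark also distinguishes fast and
    spurious retransmissions, out-of-order segments, dup ACKs, zero windows..."""
    seen, flagged = set(), []
    for i, p in enumerate(pkts):
        if p["proto"] != "tcp":
            continue
        if "RST" in p["flags"]:
            flagged.append((i, "reset"))
        if p["plen"]:
            key = (p["src"], p["sport"], p["dst"], p["dport"], p["seq"])
            if key in seen:
                flagged.append((i, "retransmission"))
            seen.add(key)
    return flagged


def syn_scan_suspects(pkts, threshold=5):
    """(src, dst) pairs where src sent opening SYNs to more than `threshold`
    distinct ports on dst; threshold is a constructed tuning knob."""
    ports = defaultdict(set)
    for p in syn_packets(pkts, initial_only=True):
        ports[(p["src"], p["dst"])].add(p["dport"])
    return {pair: len(ps) for pair, ps in ports.items() if len(ps) > threshold}


if __name__ == "__main__":
    print("without noise:", len(hide_noise(PACKETS)), "of", len(PACKETS))
    print("client SYNs:", len(syn_packets(PACKETS)), "all SYNs:", len(syn_packets(PACKETS, False)))
    print("resets:", len(reset_packets(PACKETS)))
    print("flagged:", analysis_flags(PACKETS))
    print("scan suspects:", syn_scan_suspects(PACKETS))
```

The scan check is deliberately crude: a real detector also watches whether those SYNs ever complete a handshake and what comes back (a RST from the target for each closed port is the usual tell). In Wireshark, Statistics > Endpoints or Conversations filtered to tcp.flags.syn == 1 && tcp.flags.ack == 0 gives you the same view by hand.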
Like I said, it all depends on what you're looking for. If you want to see some examples of malicious network activity, you should check out this website, malware-traffic-analysis.net.
They have a bunch of PCAP files available for download. So you can just click on their Traffic Analysis Exercises. For each PCAP on the site, they give you some objectives so you can go in and investigate and try and figure it all out, which gives some structure to the open sandbox world of Wireshark, and then they provide an explanation of how they got to the correct answers.
So this is great practice for anybody looking to get into cybersecurity. And I know that there are plenty of cybersecurity programs that actually have their students use these exercises. So that's how good it is.
I hope that you now have an idea of how to get into Wireshark, capture some network data, and then start drilling down to exactly what you're looking for. If you found this video helpful, I would really appreciate a thumbs up here on YouTube. If you want to see more content like this, don't forget to subscribe to the channel.
Good luck analyzing the PCAPs and defending your network. I'm Anson Alexander and I will see you in the next one.