50 min · Intermediate

Wireshark: Reading Network Traffic

After this lesson, you will be able to: Capture and analyze network traffic in Wireshark: capture vs display filters, reading each header layer, following a TCP stream, and extracting credentials from a plaintext HTTP capture to prove why HTTPS is required.

Wireshark is the standard tool for seeing exactly what crosses a network. This lesson covers capture vs display filters, reading a packet layer by layer, following a TCP stream to reassemble a conversation, identifying protocols, and a lab that extracts a username and password from plaintext HTTP traffic.

Prerequisites: TCP vs UDP: The Protocol Difference

💡 Authorization first

Only capture traffic on networks and interfaces you own or are authorized to monitor. Capturing on a network you do not control can be illegal wiretapping. The labs here use your own loopback or a provided pcap file.

Capture filters vs display filters

Capture filters (BPF syntax, set before you start) decide what Wireshark records at all, for example 'tcp port 80'; use them to keep huge captures manageable. Display filters (set after capture) decide what you see from an already-recorded set, for example 'http.request' or 'ip.addr == 10.0.0.5'. The rule of thumb: capture broadly enough not to miss the event, then narrow with display filters to find it.

Reading a packet, layer by layer

Click a packet and the detail pane shows it as nested layers: the Ethernet frame (source/destination MAC), the IP header (source/destination IP, TTL), the TCP or UDP header (ports, flags, sequence numbers), and the application payload (the actual HTTP request, DNS query, etc.). This is the OSI model made concrete: each layer wraps the one above it. Learning to expand and read these is the core Wireshark skill.

Following a stream and identifying protocols

Right-click a packet and choose Follow > TCP Stream to reassemble an entire conversation from its individual packets into readable text. You can immediately tell HTTP (you can read the request and response) from HTTPS (you see the TLS handshake, then encrypted application data you cannot read without the key). DNS queries show the domain being looked up; ARP packets show who-has/is-at broadcasts. Recognizing protocols at a glance is what makes triage fast.

Lab: extract credentials from plaintext HTTP

Use a provided pcap (or capture your own login to a deliberately HTTP-only test app). This demonstrates exactly why authentication over plain HTTP is unacceptable.

  1. Open the capture and set the display filter: http.request.method == "POST".
  2. Find the POST to the login endpoint and select it.
  3. Expand the HTML Form URL Encoded section in the detail pane (or Follow > TCP Stream).
  4. Read the username and password fields in cleartext.
  5. Reflect: anyone on the path (same Wi-Fi, a poisoned ARP table, a malicious router) could read these. This is why HTTPS exists and why HTTP login forms are a critical finding.
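As an added example (not part of the BiTree lesson), the Python script below does what steps 1 to 4 do by hand, on bytes as Follow > TCP Stream would reassemble them: it recognizes a TLS record (the HTTPS case, where the application data is unreadable without the key) versus a plaintext HTTP request, and for a POST with a form-encoded body reports which credential fields crossed the wire in cleartext, which is the finding the lab asks you to write up. The stream bytes, host name and field names are constructed for this example.

```python
"""Classify a reassembled TCP stream the way an analyst does after Follow > TCP Stream."""
from urllib.parse import parse_qs

# Constructed sample: a plaintext HTTP login POST, as Follow > TCP Stream would show it.
HTTP_LOGIN_STREAM = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: testapp.local\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 34\r\n"
    b"\r\n"
    b"username=alice&password=hunter2%21"
)
# Constructed sample: the start of a TLS handshake record (content type 0x16, version 0x03 0x01).
TLS_STREAM = b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x03" + b"\x00" * 32

# Form field names that commonly carry credentials (assumption: extend for your own apps).
CREDENTIAL_FIELDS = ("password", "passwd", "pass", "pwd", "username", "user", "login", "email")


def classify_stream(data: bytes) -> dict:
    """Return a finding describing what the stream exposes to anyone on the path."""
    # Every TLS record begins with a content-type byte (0x14..0x17) and a 0x03 version byte.
    if len(data) >= 3 and data[0] in (0x14, 0x15, 0x16, 0x17) and data[1] == 0x03:
        return {"protocol": "tls", "readable": False, "credentials": {}}
    head, _, body = data.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    request_line = lines[0].split(" ")
    if len(request_line) != 3 or not request_line[2].startswith("HTTP/"):
        return {"protocol": "unknown", "readable": True, "credentials": {}}
    method, path = request_line[0], request_line[1]
    headers = {k.strip().lower(): v.strip() for k, _, v in (h.partition(":") for h in lines[1:])}
    finding = {"protocol": "http", "readable": True, "method": method, "path": path, "credentials": {}}
    # Same condition as the display filter http.request.method == "POST", plus the form body check.
    if method == "POST" and headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
        for name, values in fields.items():
            if name.lower() in CREDENTIAL_FIELDS:
                # Report the exposed field and its length; never copy the secret itself into a report.
                finding["credentials"][name] = f"<{len(values[0])} chars, cleartext>"
    return finding


if __name__ == "__main__":
    for sample in (HTTP_LOGIN_STREAM, TLS_STREAM):
        print(classify_stream(sample))
```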

Quick Check

You captured a login but the credentials are unreadable encrypted bytes. What does that tell you?

Pick the best interpretation.

Common mistakes only experienced analysts catch

  • Confusing capture and display filters (different syntax: BPF vs Wireshark's).
  • Capturing on the wrong interface and seeing nothing.
  • Drowning in noise because no display filter is applied.
  • Assuming you can decrypt HTTPS from a normal capture (you cannot without the keys).
  • Forgetting Follow TCP Stream, then trying to read a conversation packet by packet.
  • Not saving the pcap, so the evidence is lost when Wireshark closes.
