📰 Originally published on SecurityElites — the canonical, fully-updated version of this article.
DAY 7 OF 100
100-Day Ethical Hacking Course
🔴 Day 7 — Packet Analysis – Wireshark Tutorial for Beginners
The first time I used Wireshark on a live network and watched an HTTP login scroll past with a username and password sitting in plain text — I genuinely sat back in my chair. Not because I didn’t know it was theoretically possible. Because seeing it actually happen, in real time, on a real network, changes how you think about every unencrypted connection you’ve ever made.
Today you’re going to have that moment. In your own lab. With your own traffic. And you’ll understand — viscerally, not theoretically — exactly why the security concepts we’ve been building toward matter.
Wireshark is the world’s most widely used network protocol analyser. It’s free, open source, and pre-installed on Kali Linux. Security professionals, network engineers, incident responders, and students all use it daily. What it does is simple: it shows you every packet crossing a network interface, decoded into human-readable form.
By the end of today, you’ll know how to launch a capture, navigate Wireshark’s three-pane interface, write display filters to isolate specific traffic, follow a complete TCP conversation, and explain to anyone why HTTP is dangerous and HTTPS matters. These are professional-level skills. Let’s build them.
📋 Day 7 Contents
- What Wireshark Does & Why Hackers Use It
- Launching & The Three-Pane Interface
- Your First Live Capture
- Colour Coding — Reading Traffic at a Glance
- Display Filters — The Most Important Skill
- Reading DNS, HTTP & ICMP Traffic
- Follow TCP Stream — See Full Conversations
- HTTP Credentials in Cleartext — The Demo
- Saving Captures & Export Tips
- Day 7 Practical Task
What Wireshark Does — And Why Every Security Professional Uses It
Your network interface is constantly sending and receiving data. Right now, as you read this, your machine is exchanging DNS queries, TCP keepalives, maybe some HTTP requests and encrypted HTTPS traffic. Most of this is invisible because your operating system only shows you the final result — a webpage, an email, a file download.
Wireshark makes it visible. It puts your network interface into promiscuous mode — a state where the interface accepts every packet that reaches it, not just the ones addressed to your machine. One caveat for your lab: on a switched network the switch only forwards to your port the traffic destined for you, broadcasts, and whatever it floods, so promiscuous mode shows you everything arriving at your interface, not everything on the LAN. Every packet that is captured is decoded by protocol and displayed in a format you can read and analyse.
- 🔍 Network Troubleshooting: see exactly what’s happening when a connection fails, slows down, or behaves unexpectedly
- 🔬 Protocol Learning: see how TCP, DNS, HTTP and TLS actually work by watching real exchanges packet by packet
- 🐛 Malware Analysis: observe what a suspicious process communicates with, such as command-and-control servers and data exfiltration
- ⚠️ Security Demonstration: show clients exactly how their HTTP traffic exposes credentials; nothing convinces like seeing it live
⚖️ Legal reminder: All Wireshark captures in this course happen within your own Kali VM and local lab network. Capturing traffic on networks you don’t own — including shared WiFi at cafes, hotels, or workplaces — without explicit permission is illegal under computer crime laws globally. The techniques we learn are for understanding and defending, not surveillance.
Launching Wireshark & The Three-Pane Interface
Wireshark is pre-installed on Kali Linux. Open a terminal and launch it — we’ll run it with sudo to ensure we have permission to put interfaces into promiscuous mode.
Launching Wireshark in Kali Linux

```bash
# Launch with root privileges (needed for promiscuous mode)
sudo wireshark &
# The & runs it in the background so your terminal stays usable

# Or from the Applications menu:
#   Applications → 09 – Sniffing & Spoofing → Wireshark

# If you see a permission error, add your user to the wireshark group:
sudo usermod -aG wireshark $USER
newgrp wireshark
```
When Wireshark opens, you see the interface selection screen. Before starting a capture, you need to choose which network interface to listen on. You’ll recognise these from Day 5’s networking lesson.
Wireshark’s Three-Pane Interface — What Each Section Does
PANE 1
Packet List — The Stream of Captures
| No. | Time  | Source         | Destination    | Proto | Length | Info                                     |
|-----|-------|----------------|----------------|-------|--------|------------------------------------------|
| 1   | 0.000 | 192.168.56.1   | 8.8.8.8        | DNS   | 73     | Standard query A google.com              |
| 2   | 0.012 | 8.8.8.8        | 192.168.56.1   | DNS   | 89     | Standard query response A 142.250.185.46 |
| 3   | 0.013 | 192.168.56.1   | 142.250.185.46 | TCP   | 66     | 49234 → 80 [SYN] Seq=0                   |
| 4   | 0.024 | 142.250.185.46 | 192.168.56.1   | TCP   | 66     | 80 → 49234 [SYN, ACK] Seq=0              |
| 5   | 0.025 | 192.168.56.1   | 142.250.185.46 | HTTP  | 412    | GET /login HTTP/1.1                      |
Each row = one packet. Click any row to inspect it in Panes 2 and 3.
PANE 2
Packet Details — Decoded Protocol Layers
```
▶ Frame 5: 412 bytes on wire
▶ Ethernet II: Src 08:00:27:aa:bb:cc → Dst 52:54:00:dd:ee:ff
▶ Internet Protocol: Src 192.168.56.1 → Dst 142.250.185.46
▶ Transmission Control Protocol: 49234 → 80 [PSH, ACK]
▼ Hypertext Transfer Protocol
    GET /login HTTP/1.1\r\n
    Host: target.com\r\n
    Cookie: session=abc123\r\n
```
Expandable tree of every OSI layer — click arrows to drill into each protocol.
PANE 3
Packet Bytes — Raw Hexadecimal + ASCII
```
0000  45 00 01 9c 00 01 40 00 40 06 78 9a c0 a8 38 01  E.....@.@.x...8.
0010  8e fa b9 2e c0 64 00 50 00 00 00 00 00 00 00 00  ....d.P.........
0020  47 45 54 20 2f 6c 6f 67 69 6e 20 48 54 54 50 2f  GET /login HTTP/
0030  31 2e 31 0d 0a 48 6f 73 74 3a 20 74 61 72 67 65  1.1..Host: targe
```
Raw bytes — hex on left, ASCII translation on right. HTTP in red shows readable text.
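To see what Wireshark is actually doing when it turns the raw bytes of Pane 3 into the protocol tree of Pane 2, here is an added example (written for this page, not code from the article or from the Wireshark project). It builds a constructed Ethernet II / IPv4 / TCP / HTTP frame with the same endpoints and request as the Pane 2 sample, decodes it layer by layer the way a dissector chain does, flags the headers that carry credentials in cleartext, and renders a Packet Bytes style hex dump. The frame bytes, the `build_frame`, `decode_frame`, `exposed_headers` and `hexdump` names, and the zeroed checksums are all assumptions of this example.

```python
# Added example (not from the article): a minimal dissector that walks a
# constructed Ethernet II / IPv4 / TCP / HTTP frame layer by layer, the way
# Wireshark's Packet Details pane does, and renders the Packet Bytes view.
# Endpoints and the HTTP request mirror the article's Pane 2 sample; the
# frame bytes are constructed here and IP/TCP checksums are left at zero.
import struct

HTTP_PAYLOAD = (
    b"GET /login HTTP/1.1\r\n"
    b"Host: target.com\r\n"
    b"Cookie: session=abc123\r\n"
    b"\r\n"
)

TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                 (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]
SENSITIVE_HEADERS = ("authorization", "cookie", "proxy-authorization")


def build_frame(payload: bytes) -> bytes:
    """Assemble Ethernet II + IPv4 + TCP headers around an HTTP payload (constructed sample)."""
    eth = (bytes.fromhex("525400ddeeff")      # dst MAC 52:54:00:dd:ee:ff
           + bytes.fromhex("080027aabbcc")    # src MAC 08:00:27:aa:bb:cc
           + struct.pack("!H", 0x0800))       # EtherType: IPv4
    ip_total = 20 + 20 + len(payload)
    # ver/IHL, DSCP, total len, id, flags(DF)+frag, TTL, proto 6 = TCP, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 1, 0x4000, 64, 6, 0,
                     bytes([192, 168, 56, 1]), bytes([142, 250, 185, 46]))
    # src port, dst port, seq, ack, data offset 5 words, flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 49234, 80, 1, 1, 5 << 4, 0x18, 64240, 0, 0)
    return eth + ip + tcp + payload


def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_http_request(payload: bytes) -> dict:
    """Split an HTTP/1.x request head into its request line and a header map."""
    head = payload.partition(b"\r\n\r\n")[0].decode("ascii", errors="replace")
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


def decode_frame(frame: bytes) -> dict:
    """Ethernet II -> IPv4 -> TCP -> HTTP, stopping at the first layer it cannot decode."""
    out = {"frame_len": len(frame)}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    out["eth"] = {"dst": mac(frame[:6]), "src": mac(frame[6:12]), "type": ethertype}
    if ethertype != 0x0800:               # not IPv4: leave the rest undissected
        return out
    ip = frame[14:]
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4            # header length in bytes (options included)
    out["ip"] = {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
                 "ttl": ttl, "proto": proto, "total_len": total_len}
    if proto != 6:                        # only TCP is handled here
        return out
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off, flags, win, _, _ = struct.unpack("!HHIIBBHHH", tcp[:20])
    out["tcp"] = {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": win,
                  "flags": [name for bit, name in TCP_FLAG_BITS if flags & bit]}
    payload = tcp[(off >> 4) * 4:]        # skip the TCP header (data offset is in 32-bit words)
    # Like Wireshark, pick the HTTP dissector by port; port 80 traffic is cleartext
    if payload and 80 in (sport, dport):
        out["http"] = parse_http_request(payload)
    return out


def exposed_headers(decoded: dict) -> list:
    """Headers a defender would flag as credentials travelling unencrypted."""
    headers = decoded.get("http", {}).get("headers", {})
    return [h for h in headers if h.lower() in SENSITIVE_HEADERS]


def hexdump(data: bytes, width: int = 16) -> list:
    """Render bytes like the Packet Bytes pane: offset, hex, printable ASCII."""
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append(f"{off:04x}  {hexpart:<{width * 3 - 1}}  {ascii_part}")
    return rows


if __name__ == "__main__":
    frame = build_frame(HTTP_PAYLOAD)
    decoded = decode_frame(frame)
    for layer in ("eth", "ip", "tcp", "http"):
        print(layer, decoded[layer])
    print("cleartext credential headers:", exposed_headers(decoded))
    print("\n".join(hexdump(frame)))
```

Running it prints the same four layers you see in Pane 2, lists `Cookie` as a credential-bearing header that crossed the wire readable, and dumps the frame in the Pane 3 layout. The design point is that each layer only knows how to find the next one (EtherType, IP protocol number, TCP port); that is exactly why a capture on port 80 can be read all the way to the session cookie, while the same request over TLS stops decoding at the TCP payload.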
This article was originally written and published by the SecurityElites team. For more cybersecurity tutorials, ethical hacking guides, and CTF walk-throughs, visit SecurityElites.