Subheading:
A practical walkthrough of learning packet analysis as a cybersecurity beginner, including the filters and exercises that actually helped.
I had read about networking for months. I knew what TCP/IP meant. I could explain the OSI model if you asked me. But none of that prepared me for actually opening Wireshark and watching live traffic for the first time.
Here is what that experience taught me, broken down the way I wish someone had explained it to me.
What Wireshark Actually Does
Wireshark is a free, open source packet analyzer. It captures the data moving across your network interface and renders it in a readable format instead of leaving it as invisible background traffic.
If you are coming from a dev background, think of it like opening dev tools in your browser, except instead of seeing your own frontend network requests, you are seeing every single packet moving across your machine, including ones you did not know existed.
Setup
Installation is simple across platforms.
On Windows, the installer also prompts you to install Npcap, a packet capturing driver. Do not skip this. Wireshark will not capture live traffic without it.
On Linux:
sudo apt install wireshark
You will be prompted to allow non-root users to capture packets. Say yes, then add your user to the wireshark group so you are not running it as root every time:
sudo usermod -aG wireshark $USER
Log out and back in for the group change to take effect.
First Capture: What to Expect
Open Wireshark, select your active interface, hit start. Within seconds, your screen fills with traffic. This is not a bug. This is just everything your machine is quietly doing in the background that you never see.
The interface has three panels:
Packet list at the top, one row per packet, with source, destination, protocol, and a short info field.
Packet details in the middle, a layer by layer breakdown of whatever packet is selected.
Raw bytes at the bottom, hex and ASCII side by side.
Clicking a packet in the top panel updates the other two instantly. This is the core loop you will use constantly.
Filtering: The Actual Skill
Capturing is trivial. Filtering is where the skill is.
http
shows only HTTP traffic.
ip.addr == 192.168.1.1
shows traffic to or from a specific address.
http && ip.src == 192.168.1.1
combines both.
If you are used to writing queries or regex in your dev work, this will feel familiar fast. The filter bar is essentially a query language for network traffic.
A Practical Exercise
Start a capture. Visit any site still running plain HTTP, not HTTPS. Load the page. Stop the capture.
Filter with http. Click into one of the GET requests. Look at the packet details panel.
You will see the exact request your browser sent, headers and all, completely unencrypted and readable. This is the clearest, most concrete demonstration of why HTTPS exists that I have come across. Reading about TLS is one thing. Watching plaintext HTTP traffic sitting there in the open is another.
Where This Actually Gets Used
This is not just a learning exercise. Wireshark shows up in:
Network security monitoring, watching for anomalous traffic patterns in real environments.
Penetration testing, understanding how an application actually communicates before testing it.
Digital forensics, reconstructing what happened during an incident from captured traffic.
CTF competitions, specifically network forensics categories, where you are handed a .pcap file and need to extract a flag hidden somewhere in the captured traffic.
If you plan to do any CTFs, get comfortable with this tool early. You will be handed pcap files more often than you expect.
Mistakes I Made Early On
I tried to understand every packet individually instead of filtering down to what mattered. Do not do this. Filter first, then read.
I avoided using filters at all for the first week because I did not know the syntax. The basic filters above cover most beginner use cases. Learn five or six of them and you are already functional.
I ignored the bottom panel completely at first. The raw hex and ASCII view is genuinely useful once you are looking for something specific, like a string inside a payload.
Final Thoughts
If you are a dev moving into security, or just starting out in cybersecurity generally, Wireshark is one of the fastest ways to convert abstract networking concepts into something you can see and interact with directly. The learning curve is real for the first hour, then it flattens out fast once filtering clicks.
Top comments (0)