Intermediate | Network Analysis | 16 min read

root@css:~$ wireshark &

Capturing & Reading Traffic with Wireshark

Use Wireshark to capture packets on your own network, apply display filters, and understand what plaintext versus encrypted traffic looks like.

What you'll learn

  • Capture packets safely on your own network
  • Apply display filters to isolate traffic
  • See why HTTPS matters by comparing plaintext and encrypted flows

// warning: Only capture traffic on networks you own or are authorized to monitor. Capturing other people’s traffic without consent is illegal in most jurisdictions.

Wireshark is a packet analyzer that shows you exactly what is traveling across a network, byte by byte. It is the single best tool for truly understanding how protocols work — and for seeing first-hand why encryption matters.

1. Starting a capture

  1. Launch Wireshark and select your active network interface (often "wlan0" or "eth0").
  2. Click the blue shark-fin icon to begin capturing.
  3. Generate some traffic — load a website or ping a host.
  4. Click the red square to stop the capture when you have enough data.

2. Display filters

A busy capture can have thousands of packets. Display filters let you focus on exactly what you care about.

http                      # only HTTP packets
ip.addr == 192.168.1.10   # traffic to/from one host (matches src or dst)
tcp.port == 443           # HTTPS traffic (matches either port)
dns                       # DNS lookups only
Common Wireshark display filters
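The filters above are easier to reason about once you see the rule behind them: a bare protocol name matches any frame that contains that layer, `ip.addr` resolves to both `ip.src` and `ip.dst`, and `tcp.port` resolves to both `tcp.srcport` and `tcp.dstport`, which is why one filter shows both directions of a conversation. The following Python block is an added example, not code from the guide or from the Wireshark project: it models that matching logic over a handful of constructed packet records (not a real capture) and supports only bare protocol names, `field == value`, `&&`, `||` and `!` without parentheses.

```python
"""Minimal model of how Wireshark display filters select packets.

Added example, not part of the guide. The packets below are constructed
dictionaries standing in for dissected frames; real Wireshark evaluates
filters against its full dissection tree and a far richer grammar.
"""
import re

# Constructed sample capture (documentation-range addresses, not real traffic).
SAMPLE_CAPTURE = [
    {"no": 1, "ip.src": "192.168.1.10", "ip.dst": "192.168.1.1",
     "udp.srcport": 51000, "udp.dstport": 53, "layers": {"ip", "udp", "dns"}},
    {"no": 2, "ip.src": "192.168.1.1", "ip.dst": "192.168.1.10",
     "udp.srcport": 53, "udp.dstport": 51000, "layers": {"ip", "udp", "dns"}},
    {"no": 3, "ip.src": "192.168.1.10", "ip.dst": "203.0.113.5",
     "tcp.srcport": 40000, "tcp.dstport": 80, "layers": {"ip", "tcp", "http"}},
    {"no": 4, "ip.src": "192.168.1.10", "ip.dst": "203.0.113.5",
     "tcp.srcport": 40001, "tcp.dstport": 443, "layers": {"ip", "tcp", "tls"}},
    {"no": 5, "ip.src": "192.168.1.20", "ip.dst": "203.0.113.5",
     "tcp.srcport": 40002, "tcp.dstport": 443, "layers": {"ip", "tcp", "tls"}},
]

# Fields that Wireshark treats as "either side of the conversation".
FIELD_ALIASES = {
    "ip.addr": ["ip.src", "ip.dst"],
    "tcp.port": ["tcp.srcport", "tcp.dstport"],
    "udp.port": ["udp.srcport", "udp.dstport"],
}


def field_values(pkt, field):
    """Return every value a field name resolves to in this packet."""
    return [pkt[f] for f in FIELD_ALIASES.get(field, [field]) if f in pkt]


def matches(pkt, expr):
    """Evaluate a tiny subset of display-filter syntax.

    Supported: a bare protocol name, 'field == value', and '&&', '||', '!'.
    Splitting on '||' before '&&' gives '&&' the higher precedence, as in
    Wireshark; parentheses are not supported in this model.
    """
    expr = expr.strip()
    if "||" in expr:
        return any(matches(pkt, part) for part in expr.split("||"))
    if "&&" in expr:
        return all(matches(pkt, part) for part in expr.split("&&"))
    if expr.startswith("!"):
        return not matches(pkt, expr[1:])
    m = re.fullmatch(r"([\w.]+)\s*==\s*(\S+)", expr)
    if m:
        field, value = m.groups()
        return any(str(v) == value for v in field_values(pkt, field))
    # Bare protocol name: true when that layer is present in the frame.
    return expr in pkt["layers"]


def apply_filter(capture, expr):
    """Return the frame numbers that would remain visible in the packet list."""
    return [pkt["no"] for pkt in capture if matches(pkt, expr)]


if __name__ == "__main__":
    for f in ("http", "ip.addr == 192.168.1.10", "tcp.port == 443", "dns", "!tls"):
        print(f"{f:28} -> frames {apply_filter(SAMPLE_CAPTURE, f)}")
```

Note that `ip.addr == 192.168.1.10` returns frame 2 as well as frame 1, because the address appears as the destination there; to see only one direction you would filter on `ip.src` or `ip.dst` explicitly.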

3. Plaintext vs encrypted

Filter for "http" and you can read request paths, headers, and sometimes form data in clear text. Now filter for "tls" — the payload is unreadable ciphertext. This contrast is the most convincing argument for always using HTTPS.

// tip: Right-click any packet and choose "Follow > TCP Stream" to reconstruct an entire conversation. On plaintext HTTP this is eye-opening; on TLS it shows only encrypted bytes.

// note: Takeaway: anything sent over plain HTTP, FTP, or Telnet can be read by anyone on the path. Always prefer their encrypted equivalents (HTTPS, SFTP, SSH).
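To make the contrast in section 3 concrete without needing a live capture, here is an added Python example (not code from the guide) that reassembles two constructed byte streams the way "Follow > TCP Stream" would present them: one plaintext HTTP POST and one TLS application-data record. Both streams are hand-built stand-ins, not captured traffic; the "ciphertext" is a deterministic hash used only as filler. The classifier mirrors the heuristic a dissector applies: a TLS record opens with a content-type byte (20 to 23) and a 0x03 0x0x version, while HTTP opens with an ASCII method token.

```python
"""What 'Follow > TCP Stream' reveals for plaintext HTTP versus TLS.

Added example, not part of the guide. Both byte strings are constructed
by hand to illustrate the point; nothing here was captured from a network.
"""
import hashlib

# Constructed plaintext HTTP request, exactly as it would sit on the wire.
HTTP_STREAM = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: intranet.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 30\r\n"
    b"\r\n"
    b"username=alice&password=s3cret"
)

# Constructed TLS 1.2-style application_data record (type 0x17, version 0x0303).
# The 64 payload bytes are a stand-in for ciphertext, generated deterministically.
_FILLER = hashlib.sha256(b"constructed ciphertext stand-in").digest() * 2
TLS_STREAM = b"\x17\x03\x03" + len(_FILLER).to_bytes(2, "big") + _FILLER

TLS_RECORD_TYPES = {20: "change_cipher_spec", 21: "alert",
                    22: "handshake", 23: "application_data"}
HTTP_METHODS = {b"GET", b"POST", b"PUT", b"DELETE", b"HEAD", b"OPTIONS", b"PATCH"}


def classify_stream(data: bytes) -> str:
    """Decide whether a reassembled stream looks like TLS or HTTP."""
    if (len(data) >= 5 and data[0] in TLS_RECORD_TYPES
            and data[1] == 0x03 and data[2] <= 0x04):
        return "tls"
    if data.split(b" ", 1)[0] in HTTP_METHODS:
        return "http"
    return "unknown"


def follow_stream(data: bytes) -> dict:
    """Return what an observer on the path can read from the stream."""
    kind = classify_stream(data)
    if kind == "http":
        # Everything is readable: request line, headers and the form body.
        header_blob, _, body = data.partition(b"\r\n\r\n")
        lines = header_blob.decode("ascii", "replace").split("\r\n")
        method, path, version = lines[0].split(" ")
        headers = dict(line.split(": ", 1) for line in lines[1:])
        return {"kind": kind, "method": method, "path": path, "version": version,
                "headers": headers, "body": body.decode("ascii", "replace")}
    if kind == "tls":
        # Only the record header is readable. Handshake records (type 22)
        # do carry plaintext metadata such as SNI, but application_data
        # records are ciphertext end to end, so there is no body to show.
        return {"kind": kind, "record_type": TLS_RECORD_TYPES[data[0]],
                "version": f"{data[1]}.{data[2]}",
                "length": int.from_bytes(data[3:5], "big"), "body": None}
    return {"kind": kind}


if __name__ == "__main__":
    for label, stream in (("HTTP", HTTP_STREAM), ("TLS", TLS_STREAM)):
        print(label, follow_stream(stream))
```

Running it shows the HTTP stream yielding the path, the Host header and the submitted credentials verbatim, while the TLS stream yields only a record type, a version and a length, which is exactly the difference you see in Wireshark's Follow Stream window.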

// ethics_notice: Practice only on systems you own or are explicitly authorized to test. These materials are for education and defense.
