Wireshark packet capture basics in Cybersecurity - Full Explanation

Introduction
When you want to understand what is happening on a computer network, you need a way to see the tiny pieces of data moving around. These pieces are called packets, and capturing them helps you find problems or learn how devices talk to each other.
Explanation
Packet Capture
Packet capture is the process of intercepting and recording data packets as they travel across a network. This allows you to see the exact information sent and received by devices in real time.
Packet capture lets you observe network data directly to understand communication.
Wireshark Interface
Wireshark shows captured packets in a list with details like time, source, destination, and protocol. You can click on each packet to see its full contents broken down into layers.
Wireshark’s interface organizes packet data for easy inspection.
Starting a Capture
To start capturing, you select a network interface (like Wi-Fi or Ethernet) in Wireshark and click start. Wireshark then records all packets passing through that interface until you stop it.
You must choose the right network interface to capture relevant packets.
Filters
Filters help you focus on specific packets by setting rules, such as showing only traffic from a certain IP address or using a certain protocol. This makes it easier to find important data in large captures.
Filters narrow down captured data to what matters most.
Saving and Analyzing Captures
Captured packets can be saved to a file for later review or sharing. Analyzing these files helps diagnose network issues, detect attacks, or learn how protocols work.
Saving captures allows detailed analysis and sharing with others.
Real World Analogy

Imagine listening to a busy conversation in a crowded room. Packet capture is like recording all voices so you can replay and understand what each person said. Filters are like focusing on just one speaker to hear clearly.

Packet Capture → Recording all voices in a crowded room
Wireshark Interface → A transcript showing who said what and when
Starting a Capture → Choosing which room or group to listen to
Filters → Listening only to one person’s voice in the recording
Saving and Analyzing Captures → Saving the recording to replay and study later
Diagram
┌─────────────────────┐
│   Network Traffic   │
└──────────┬──────────┘
           │
┌──────────▼──────────┐
│  Network Interface  │
└──────────┬──────────┘
           │
┌──────────▼──────────┐
│      Wireshark      │
│   Packet Capture    │
└──────────┬──────────┘
           │
┌──────────▼──────────┐
│     Packet List     │
├─────────────────────┤
│   Packet Details    │
└─────────────────────┘
This diagram shows network traffic flowing into a network interface, then being captured by Wireshark, which displays packets in a list and detailed view.
Key Facts
Packet: A small unit of data sent over a network.
Network Interface: The hardware or software point where a device connects to a network.
Capture Filter: A rule that limits which packets Wireshark records during capture.
Display Filter: A rule that limits which captured packets are shown in Wireshark’s interface.
Protocol: A set of rules that devices use to communicate on a network.
Common Confusions
Believing capture filters and display filters are the same. Capture filters limit what data is recorded, while display filters only hide or show packets after capture.
Thinking Wireshark can capture packets from all networks without setup. Wireshark captures only from interfaces it has access to; capturing wireless traffic may need special setup.
Summary
Packet capture lets you see the exact data moving on a network to understand or troubleshoot it.
Wireshark organizes captured packets so you can inspect details and use filters to focus on important data.
Choosing the right network interface and using filters correctly are key to effective packet capture.

Practice

1. What is the primary purpose of Wireshark in cybersecurity?
easy
A. To capture and analyze network packets in real time
B. To encrypt network traffic for security
C. To block unauthorized network access
D. To create virtual private networks (VPNs)

Solution

  1. Step 1: Understand Wireshark's function

    Wireshark is a tool designed to capture and display network packets as they travel through a network.
  2. Step 2: Identify the correct purpose

    Among the options, only capturing and analyzing packets matches Wireshark's main use.
  3. Final Answer:

    To capture and analyze network packets in real time -> Option A
  4. Quick Check:

    Wireshark captures packets = To capture and analyze network packets in real time [OK]
Hint: Wireshark shows network data live; it does not encrypt or block it [OK]
Common Mistakes:
  • Confusing Wireshark with firewall or VPN tools
  • Thinking Wireshark encrypts data
  • Assuming Wireshark blocks traffic
2. Which of the following is the correct way to start a packet capture in Wireshark?
easy
A. Click on 'File' then 'Open Capture'
B. Click on 'Capture' then 'Start'
C. Click on 'Analyze' then 'Filter'
D. Click on 'Edit' then 'Preferences'

Solution

  1. Step 1: Identify the menu for starting capture

    In Wireshark, the 'Capture' menu contains options to start or stop capturing packets.
  2. Step 2: Match the correct action

    Clicking 'Capture' then 'Start' begins the live packet capture process.
  3. Final Answer:

    Click on 'Capture' then 'Start' -> Option B
  4. Quick Check:

    Start capture via Capture menu = Click on 'Capture' then 'Start' [OK]
Hint: Start capture under 'Capture' menu, not 'File' or 'Edit' [OK]
Common Mistakes:
  • Choosing 'File' to start capture instead of 'Capture'
  • Confusing 'Analyze' with starting capture
  • Looking in 'Edit' menu for capture options
3. Consider the following Wireshark filter: ip.src == 192.168.1.10. What does this filter do?
medium
A. Shows packets where the destination IP is 192.168.1.10
B. Shows packets with any IP address except 192.168.1.10
C. Shows packets where the source IP is 192.168.1.10
D. Shows packets where either source or destination IP is 192.168.1.10

Solution

  1. Step 1: Understand the filter syntax

    The filter ip.src == 192.168.1.10 means packets where the source IP address equals 192.168.1.10.
  2. Step 2: Match filter meaning to options

    Only "Shows packets where the source IP is 192.168.1.10" correctly describes packets whose source IP is 192.168.1.10.
  3. Final Answer:

    Shows packets where the source IP is 192.168.1.10 -> Option C
  4. Quick Check:

    ip.src filter = source IP = Shows packets where the source IP is 192.168.1.10 [OK]
Hint: ip.src means source IP, ip.dst means destination IP [OK]
Common Mistakes:
  • Confusing source IP with destination IP
  • Assuming filter matches both source and destination
  • Thinking filter excludes the IP address
4. You tried to filter packets with tcp.port == 80 but no packets appear. What could be a likely reason?
medium
A. Port 80 is not used for TCP traffic
B. The filter syntax is incorrect
C. Wireshark does not support filtering by port
D. You captured packets on the wrong network interface

Solution

  1. Step 1: Check filter syntax correctness

    The filter tcp.port == 80 is valid syntax; it matches TCP packets whose source or destination port is 80.
  2. Step 2: Consider capture context

    If no packets appear, a common cause is capturing on the wrong network interface where no HTTP traffic (port 80) passes.
  3. Final Answer:

    You captured packets on the wrong network interface -> Option D
  4. Quick Check:

    Wrong interface capture = no matching packets = You captured packets on the wrong network interface [OK]
Hint: No packets? Check whether you are capturing on the correct network interface [OK]
Common Mistakes:
  • Assuming filter syntax is wrong without checking
  • Believing Wireshark can't filter by port
  • Thinking port 80 is not TCP by default
5. You want to capture only HTTP traffic from a specific device with IP 10.0.0.5 using Wireshark. Which filter should you apply?
hard
A. ip.addr == 10.0.0.5 and tcp.port == 80
B. ip.src == 10.0.0.5 or ip.dst == 10.0.0.5 and tcp.port == 80
C. ip.addr == 10.0.0.5 or tcp.port == 80
D. ip.src == 10.0.0.5 and tcp.port == 80

Solution

  1. Step 1: Define the filter requirements

    You want packets where the device IP is either source or destination and the traffic is HTTP (TCP port 80).
  2. Step 2: Analyze each filter option

    Option A, ip.addr == 10.0.0.5 and tcp.port == 80, uses ip.addr == 10.0.0.5, which matches either the source or the destination IP, combined with tcp.port == 80 to select HTTP traffic. This matches the requirement exactly.
  3. Step 3: Identify issues in other options

    Option B, ip.src == 10.0.0.5 or ip.dst == 10.0.0.5 and tcp.port == 80, lacks parentheses; because 'and' binds tighter than 'or' in Wireshark's display-filter grammar, it is read as ip.src == 10.0.0.5 or (ip.dst == 10.0.0.5 and tcp.port == 80), so every packet sent by 10.0.0.5 matches regardless of port. Option C, ip.addr == 10.0.0.5 or tcp.port == 80, matches any packet involving 10.0.0.5 or any TCP port 80 packet, which is too broad. Option D, ip.src == 10.0.0.5 and tcp.port == 80, only matches packets where 10.0.0.5 is the source, missing the replies sent back to it.
  4. Final Answer:

    ip.addr == 10.0.0.5 and tcp.port == 80 -> Option A
  5. Quick Check:

    ip.addr covers both ends + tcp.port 80 = ip.addr == 10.0.0.5 and tcp.port == 80 [OK]
Hint: Use ip.addr for both source/destination IPs in filters [OK]
Common Mistakes:
  • Not using parentheses causing wrong logic in filters
  • Using only ip.src or ip.dst missing half the traffic
  • Using 'or' instead of 'and' causing too many packets
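To show concretely why the 'and'/'or' precedence in question 5 matters, and how ip.addr and tcp.port match either end of a connection while ip.src (question 3) matches only one, here is an added Python example that is not part of the original page and not Wireshark's own code: a tiny evaluator for the display-filter subset used above, run over a constructed packet list. The field names follow Wireshark's; the packets, the tokenizer and the parser are assumptions of this example.

```python
import re

# Constructed sample packets (not a real capture): 0 and 1 are the device's HTTP request and reply,
PACKETS = [  # 2 is its HTTPS traffic, 3 is HTTP from a different host.
    {"ip.src": "10.0.0.5", "ip.dst": "203.0.113.7", "tcp.srcport": 51000, "tcp.dstport": 80},
    {"ip.src": "203.0.113.7", "ip.dst": "10.0.0.5", "tcp.srcport": 80, "tcp.dstport": 51000},
    {"ip.src": "10.0.0.5", "ip.dst": "203.0.113.7", "tcp.srcport": 51001, "tcp.dstport": 443},
    {"ip.src": "10.0.0.9", "ip.dst": "203.0.113.7", "tcp.srcport": 52000, "tcp.dstport": 80},
]

def field_values(pkt, name):
    """ip.addr and tcp.port match either end of the packet, as Wireshark's combined fields do."""
    if name == "ip.addr":
        return {pkt["ip.src"], pkt["ip.dst"]}
    if name == "tcp.port":
        return {str(pkt["tcp.srcport"]), str(pkt["tcp.dstport"])}
    return {str(pkt[name])}

TOKEN = re.compile(r"\s*(\(|\)|==|and|or|[\w.]+)")  # hypothetical mini-tokenizer

def parse(tokens):
    """Recursive descent: expr := term ('or' term)*, term := atom ('and' atom)*,
    so 'and' binds tighter than 'or', as in Wireshark's display-filter grammar."""
    toks = list(tokens)  # consumed from the front as we parse
    def atom():
        if toks[:1] == ["("]:
            toks.pop(0)
            node = expr()
            toks.pop(0)  # the closing ')'
            return node
        name, op, value = toks.pop(0), toks.pop(0), toks.pop(0)
        if op != "==":
            raise ValueError(f"expected '==' after {name}, got {op!r}")
        return lambda pkt: value in field_values(pkt, name)
    def chain(sub, keyword, combine):  # one precedence level, left-associative
        node = sub()
        while toks and toks[0] == keyword:
            toks.pop(0)
            node = combine(node, sub())
        return node
    term = lambda: chain(atom, "and", lambda l, r: lambda pkt: l(pkt) and r(pkt))
    expr = lambda: chain(term, "or", lambda l, r: lambda pkt: l(pkt) or r(pkt))
    return expr()

def matching(filter_text, packets=PACKETS):
    """Return the indexes of the packets the display filter would show."""
    pred = parse(TOKEN.findall(filter_text))
    return [i for i, p in enumerate(packets) if pred(p)]
```

Running the four option filters through matching() shows option B letting the HTTPS packet (index 2) through and option D dropping the reply (index 1). A capture filter for the same traffic is written in BPF syntax (host 10.0.0.5 and tcp port 80) and is applied before packets are recorded, which is the capture/display distinction noted under Common Confusions.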