Cyber Security: What is Wireshark?

Wireshark is an open-source network protocol analyser used to capture and inspect traffic on a computer network. It is the standard tool of its category, supports several thousand protocols, runs on every major operating system, and is used by penetration testers, network engineers, developers, and security operations teams.

What Wireshark does

Wireshark captures packets from a network interface (or reads them back from a capture file), decodes them with its library of protocol dissectors, and presents each packet in a layered view that shows every protocol field with its value, its raw bytes, and its meaning. Display filters narrow the view to specific traffic (a particular IP address, port, protocol, or higher-level field such as an HTTP Host header), and the Follow Stream feature reassembles the segments of a TCP, UDP, HTTP or TLS conversation into a readable flow. A TLS stream is only readable this way when the session keys are available, for example from a browser's SSLKEYLOGFILE export loaded into Wireshark's TLS preferences.

Common use cases

Network troubleshooting identifies why a connection is slow, why a handshake fails, or why a protocol negotiation behaves unexpectedly. Wireshark sees what the application logs do not.

Security analysis reviews captured traffic for indicators of compromise, beaconing patterns, unencrypted credentials, and policy violations.

Penetration testing uses Wireshark to confirm what tools such as Nmap and Burp send and receive on the wire, to capture handshakes for offline cracking, and to inspect protocol-level behaviour during exploitation.

Application development validates that wire-level behaviour matches the specification, especially when integrating with binary protocols, IoT devices, or legacy systems.
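
The beaconing review mentioned under security analysis above is usually done on timestamps exported from the capture rather than by eye. The following is an added example, not part of the original page and not Wireshark's own code: it parses lines shaped like the output of `tshark -r capture.pcap -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport`, groups connections per destination, and flags flows whose inter-connection gaps are too regular to be human. The input lines, host addresses (documentation ranges) and the thresholds `min_conns` and `max_cv` are constructed for the example.

```python
"""Flag beaconing (timer-driven callbacks) in connection timestamps exported from a
capture.  Added example, not part of Wireshark; the input below is constructed to look
like 'tshark -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport' output."""
import statistics
from collections import defaultdict

# Constructed export: a 60 s beacon with a little jitter, an irregular browsing
# session to another host, and a flow with too few connections to judge.
SAMPLE = "\n".join(
    [f"{1700000000 + 60 * i + (i % 3) - 1:.6f}\t10.0.0.15\t203.0.113.5\t443" for i in range(12)]
    + [f"{1700000000 + t:.6f}\t10.0.0.15\t198.51.100.7\t443"
       for t in (3, 4, 30, 31, 33, 120, 400, 401, 900)]
    + [f"{1700000000 + t:.6f}\t10.0.0.15\t192.0.2.9\t80" for t in (10, 70)]
)


def parse_export(text):
    """Tab-separated (epoch, src, dst, dport) lines -> {(src, dst, dport): sorted times}."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split("\t")
        flows[(src, dst, int(dport))].append(float(ts))
    return {flow: sorted(times) for flow, times in flows.items()}


def beacon_score(times):
    """Return (coefficient of variation of the gaps, mean gap).  A fixed timer gives a
    CV near 0 even with some jitter; interactive traffic gives a CV well above 1."""
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    mean = statistics.fmean(gaps)
    return statistics.pstdev(gaps) / mean, mean


def find_beacons(text, min_conns=8, max_cv=0.2):
    """Flows with at least min_conns connections whose gap CV is at most max_cv.
    Returns [(flow, period_seconds, cv), ...]; thresholds are assumptions to tune."""
    hits = []
    for flow, times in parse_export(text).items():
        if len(times) < max(min_conns, 3):      # need at least two gaps to measure jitter
            continue
        cv, period = beacon_score(times)
        if cv <= max_cv:
            hits.append((flow, round(period, 1), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for (src, dst, dport), period, cv in find_beacons(SAMPLE):
        print(f"{src} -> {dst}:{dport} every {period}s (cv={cv})")
```

Low CV alone is not proof of malware (NTP, monitoring agents and update checks also tick on timers), so the hits are a starting point for looking at the matching packets in Wireshark, not a verdict. Sleep jitter in real implants raises the CV; widening `max_cv` trades false positives for catching them.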

Capture modes

Promiscuous mode tells the interface to pass up every frame it receives rather than only those addressed to its own MAC, so the capture includes traffic for other hosts on the same Ethernet segment. It does not change what a switch forwards, however: on a switched network the interface still receives only its own unicast traffic plus broadcast, multicast, and flooded frames, so capturing other hosts' conversations requires a mirror (SPAN) port configured on the switch or a network tap placed in line.

Monitor mode on wireless interfaces captures raw 802.11 frames, including beacons, probe requests, and the other management frames that a normal managed-mode connection never delivers to the operating system. Data frames from other networks are captured too, but remain encrypted unless the network's key and the client's four-way handshake are available to Wireshark.

Capture files store packets for later analysis. Wireshark writes pcapng by default and still reads and writes the older pcap format. pcap is portable across practically every tool in the field (tcpdump, Zeek, formerly Bro, Suricata, Snort); pcapng adds per-interface metadata, packet comments, and a block for embedded decryption secrets such as TLS key logs.
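
To make the layered view, display filters and Follow Stream described under "What Wireshark does" concrete, and the pcap format just mentioned, here is an added example (not part of the original page and not Wireshark's own code) that writes a classic pcap file in memory, reads it back, dissects each frame into Wireshark-style field names, applies a filter equivalent to `ip.dst == 10.0.0.2 && tcp.dstport == 80`, and reassembles one TCP stream from out-of-order and retransmitted segments. All frames, addresses and the HTTP exchange are constructed for the example; the dissector handles only Ethernet II / IPv4 / TCP.

```python
"""Write a small pcap in memory, dissect it layer by layer, filter it, and follow one
TCP stream: the same steps Wireshark's layered packet view, display filters and Follow
TCP Stream perform.  Added example, not Wireshark's own code; every frame below is
constructed here, not captured from a network."""
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic libpcap magic (microsecond timestamps)
LINKTYPE_ETHERNET = 1
SYN, PSH, ACK = 0x02, 0x08, 0x10


def checksum(data):
    """RFC 1071 ones-complement sum, used here for the IPv4 header checksum."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_frame(src, dst, seq, ack, flags, payload=b""):
    """Ethernet II / IPv4 / TCP frame; src and dst are (ip, port).  MACs are dummy locally
    administered addresses; the TCP checksum stays 0 (Wireshark does not validate it by default)."""
    (src_ip, sport), (dst_ip, dport) = src, dst
    ip4 = lambda a: bytes(int(o) for o in a.split("."))
    eth = bytes.fromhex("020000000002" "020000000001" "0800")
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, ip4(src_ip), ip4(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]     # fill in the header checksum
    return eth + ip + tcp


def write_pcap(records):
    """records: (timestamp, frame) pairs.  Returns the bytes of a classic .pcap file."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts, frame in records:
        sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def read_pcap(data):
    """Yield (timestamp, frame) from pcap bytes, honouring the byte order the magic announces."""
    bo = "<" if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC else ">"
    if struct.unpack(bo + "I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a classic microsecond pcap (pcapng needs a different reader)")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(bo + "IIII", data[off:off + 16])
        off += 16
        yield sec + usec / 1e6, data[off:off + incl]
        off += incl


def dissect(frame):
    """One frame -> flat dict keyed by Wireshark-style field names (eth.src, ip.dst, tcp.dstport)."""
    pkt = {"eth.dst": frame[:6].hex(":"), "eth.src": frame[6:12].hex(":"),
           "eth.type": struct.unpack("!H", frame[12:14])[0]}
    if pkt["eth.type"] != 0x0800:                     # not IPv4: stop at the Ethernet layer
        return pkt
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    pkt.update({"ip.src": ".".join(map(str, ip[12:16])),
                "ip.dst": ".".join(map(str, ip[16:20])), "ip.proto": ip[9]})
    if ip[9] != 6:                                    # not TCP: stop at the IP layer
        return pkt
    tcp = ip[ihl:]
    sport, dport, seq, _ack, off, flags = struct.unpack("!HHIIBB", tcp[:14])
    pkt.update({"tcp.srcport": sport, "tcp.dstport": dport, "tcp.seq": seq,
                "tcp.flags": flags, "tcp.payload": tcp[(off >> 4) * 4:]})
    return pkt


def display_filter(packets, wanted):
    """Equivalent of 'ip.dst == 10.0.0.2 && tcp.dstport == 80': every named field must match."""
    return [p for p in packets if all(p.get(k) == v for k, v in wanted.items())]


def follow_tcp_stream(packets, client, server):
    """Reassemble both directions of one conversation as Follow TCP Stream does: order segments
    by sequence number, drop retransmissions (same seq).  Wrap-around and overlaps not handled."""
    out = {}
    for side, (src, dst) in (("client", (client, server)), ("server", (server, client))):
        segs = {p["tcp.seq"]: p["tcp.payload"] for p in packets
                if p.get("tcp.payload") and (p["ip.src"], p["tcp.srcport"]) == src
                and (p["ip.dst"], p["tcp.dstport"]) == dst}
        out[side] = b"".join(segs[s] for s in sorted(segs))
    return out


# Constructed capture: three-way handshake, an HTTP request that arrives split, out of
# order and partly retransmitted, the reply, and an unrelated SYN to another host.
C, S = ("10.0.0.1", 40000), ("10.0.0.2", 80)
REQ = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
RSP = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
CAPTURE = write_pcap([
    (1.000, build_frame(C, S, 1000, 0, SYN)),
    (1.001, build_frame(S, C, 5000, 1001, SYN | ACK)),
    (1.002, build_frame(C, S, 1001, 5001, ACK)),
    (1.003, build_frame(C, S, 1001 + 16, 5001, PSH | ACK, REQ[16:])),   # second half first
    (1.004, build_frame(C, S, 1001, 5001, PSH | ACK, REQ[:16])),
    (1.005, build_frame(C, S, 1001, 5001, PSH | ACK, REQ[:16])),        # retransmission
    (1.006, build_frame(S, C, 5001, 1001 + len(REQ), PSH | ACK, RSP)),
    (1.007, build_frame(("10.0.0.1", 40001), ("10.0.0.3", 443), 7000, 0, SYN)),
])


def analyse(pcap_bytes):
    """Frames read, frames matching the filter, and the reassembled client/server stream."""
    packets = [dissect(frame) for _ts, frame in read_pcap(pcap_bytes)]
    http = display_filter(packets, {"ip.dst": S[0], "tcp.dstport": S[1]})
    return len(packets), len(http), follow_tcp_stream(packets, C, S)


if __name__ == "__main__":
    total, matched, stream = analyse(CAPTURE)
    print(f"{total} frames, {matched} match ip.dst == {S[0]} && tcp.dstport == {S[1]}")
    print(stream["client"].decode(), stream["server"].decode(), sep="\n")
```

Writing `CAPTURE` to a file with a `.pcap` suffix and opening it in Wireshark shows the same eight frames, and `Follow > TCP Stream` on any of them produces the same request and response that `follow_tcp_stream` returns; the point of the toy reader is to show that pcap is just a 24-byte header followed by per-packet records, and that "dissection" is the stacked header parsing above, repeated for a few thousand protocols.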

Privacy and legal considerations

Capturing traffic that includes other people’s communications without authorisation may breach the Investigatory Powers Act 2016 and the Computer Misuse Act 1990 in the UK. Internal network captures during a penetration test should be covered by the engagement’s written authorisation. Personal data observed during capture is subject to UK GDPR; engagement agreements typically restrict storage, handling, and disposal of capture files containing personal data.

Related terms

See also: ARP scan, man-in-the-middle attack, and SSL.
