10 Tips On How to Use Wireshark to Analyze Packets in Your Network

In any packet-switched network, packets represent units of data that are transmitted between computers. It is the responsibility of network engineers and system administrators alike to monitor and inspect the packets for security and troubleshooting purposes.

To do this, they rely on software programs called network packet analyzers, with Wireshark perhaps being the most popular and used due to its versatility and easiness of use. On top of this, Wireshark allows you to not only monitor traffic in real-time, but also to save it to a file for later inspection.

In this article we will share 10 tips on how to use Wireshark to analyze packets in your network, and hope that when you reach the Summary section you will feel inclined to add it to your bookmarks.

Installing Wireshark in Linux

To install Wireshark, select the right installer for your operating system / architecture from https://www.wireshark.org/download.html.

Particularly, if you are using Linux, Wireshark must be available directly from your distribution’s repositories for an easier install at your convenience. Although versions may differ, the options and menus should be similar – if not identical in each one.

------------ On Debian/Ubuntu based Distros ------------ 
$ sudo apt-get install wireshark

------------ On CentOS/RHEL based Distros ------------
$ sudo yum install wireshark

------------ On Fedora 22+ Releases ------------
$ sudo dnf install wireshark

There is a known bug in Debian and derivatives that may prevent listing the network interfaces unless you use sudo to launch Wireshark. To fix this, follow the accepted answer in this post.

Once Wireshark is running, you can select the network interface that you want to monitor under Capture:

Wireshark Network Analyzer

Wireshark Network Analyzer

In this article we will use eth0, but you can choose another one if you wish. Don’t click on the interface yet – we will do so later once we have reviewed a few capture options.

Setting Capture Options

The most useful capture options we will consider are:

  1. Network interface – As we explained before, we will only analyze packets coming through eth0, either incoming or outcoming.
  2. Capture filter – This option allows us to indicate what kind of traffic we want to monitor by port, protocol, or type.

Before we proceed with the tips, it is important to note that some organizations forbid the use of Wireshark in their networks. That said, if you are not utilizing Wireshark for personal purposes make sure your organization allows its use.

For the time being, just select eth0 from the dropdown list and click Start at the button. You will start seeing all traffic passing through that interface. Not really useful for monitoring purposes due to the high amount of packets inspected, but it’s a start.

Monitor Network Interface Traffic

Monitor Network Interface Traffic

In the above image we can also see the icons to list the available interfaces, to stop the current capture, and to restart it (red box on the left) and to configure and edit a filter (red box on the right). When you hover over one of these icons, a tooltip will be displayed to indicate what it does.

We will begin by illustrating capture options, whereas tips #7 through #10 will discuss how to do actually do something useful with a capture.

TIP #1 – Inspect HTTP Traffic

Type http in the filter box and click Apply. Launch your browser and go to any site you wish:

Inspect HTTP Network Traffic

Inspect HTTP Network Traffic

To begin every subsequent tip, stop the live capture and edit the capture filter.

TIP #2 – Inspect HTTP Traffic from a Given IP Address

In this particular tip, we will prepend ip== to the filter stanza to monitor HTTP traffic between the local computer and

Inspect HTTP Traffic on IP Address

Inspect HTTP Traffic on IP Address

TIP #3 – Inspect HTTP Traffic to a Given IP Address

Closely related with #2, in this case we will use ip.dst as part of the capture filter as follows:

Monitor HTTP Network Traffic to IP Address

Monitor HTTP Network Traffic to IP Address

To combine tips #2 and #3, you can use ip.addr in the filter rule instead of ip.src or ip.dst.

TIP #4 – Monitor Apache and MySQL Network Traffic

Sometimes you will be interested in inspecting traffic that matches either (or both) conditions whatsoever. For example, to monitor traffic on TCP ports 80 (web server) and 3306 (MySQL / MariaDB database server), you can use an OR condition in the capture filter:

Monitor Apache and MySQL Traffic

Monitor Apache and MySQL Traffic

In tips #2 and #3, || and the word or produce the same results. Same with && and the word and.

TIP #5 – Reject Packets to Given IP Address

To exclude packets not matching the filter rule, use ! and enclose the rule within parentheses. For example, to exclude packages originating from or being directed to a given IP address, you can use:

!(ip.addr ==

TIP #6 – Monitor Local Network Traffic (

The following filter rule will display only local traffic and exclude packets going to and coming from the Internet:

ip.src== and ip.dst==
Monitor Local Network Traffic

Monitor Local Network Traffic

TIP #7 – Monitor the Contents of a TCP Conversation

To inspect the contents of a TCP conversation (data exchange), right click on a given packet and choose Follow TCP stream. A window will pop-up with the content of the conversation.

This will include HTTP headers if we are inspecting web traffic, and also any plain text credentials transmitted during the process, if any.

Monitor TCP Conversation

Monitor TCP Conversation

TIP #8 – Edit Coloring Rules

By now I am sure you already noticed that each row in the capture window is colored. By default, HTTP traffic appears in green background with black text, whereas checksum errors are shown in red text with black background.

If you wish to change these settings, click the Edit coloring rules icon, choose a given filter and click Edit.

Customize Wireshark Output in Colors

Customize Wireshark Output in Colors

TIP #9 – Save the Capture to a File

Saving the contents of a capture will allow us to be able to inspect it with greater detail. To do this, go to File → Export and choose an export format from the list:

Save Wireshark Capture to File

Save Wireshark Capture to File

TIP #10 – Practice with Capture Samples

If you think your network is “boring”, Wireshark provides a series of sample capture files that you can use to practice and learn. You can download these SampleCaptures and import them via the File → Import menu.


Wireshark is free and open source software, as you can see in the FAQs section of the official website. You can configure a capture filter either before or after starting an inspection.

In case you didn’t notice, the filter has an autocomplete feature that allows you to easily search for the most used options that you can customize later. With that, the sky is the limit!

As always, don’t hesitate to drop us a line using the comment form below if you have any questions or observations about this article.

Best Affordable Linux and WordPress Services For Your Business
Outsource Your Linux and WordPress Project and Get it Promptly Completed Remotely and Delivered Online.

If You Appreciate What We Do Here On TecMint, You Should Consider:

  1. Stay Connected to: Twitter | Facebook | Google Plus
  2. Subscribe to our email updates: Sign Up Now
  3. Get your own self-hosted blog with a Free Domain at ($3.45/month).
  4. Become a Supporter - Make a contribution via PayPal
  5. Support us by purchasing our premium books in PDF format.
  6. Support us by taking our online Linux courses

We are thankful for your never ending support.

Gabriel Cánepa

Gabriel Cánepa is a GNU/Linux sysadmin and web developer from Villa Mercedes, San Luis, Argentina. He works for a worldwide leading consumer product company and takes great pleasure in using FOSS tools to increase productivity in all areas of his daily work.

Your name can also be listed here. Got a tip? Submit it here to become an TecMint author.

RedHat RHCE and RHCSA Certification Book
Linux Foundation LFCS and LFCE Certification Preparation Guide

You may also like...

18 Responses

  1. Alex says:

    nice articles, could you put more intermediate or professional examples?

  2. Naresh says:

    I was expecting some instructions on monitor mode for capturing remote interface.

  3. Carlos says:

    Very nice post!

    I believe you are missing the .src in tip #4

  4. Tek says:

    Thank you for this post! Found it and resolved my problem immediately after reading! Awesome! :)

  5. When i type “yum install wireshark-gnome” , it says no package found. please resolve this issue . i tried to find out on google, but failed to get any specific solution. I also downloaded .rpm files of wireshark and wireshark-gnome, but they require dependencies.

    • Justin I. says:

      I just installed Wireshark on my Fedora 20 box. Try running “yum install wireshark” I found on one post that you need both packages. wireshark and wireshark-gnome.

    • Gabriel A. Cánepa says:

      Try doing yum search all wireshark. This should return the list of packages with wireshark in their name or description. What distribution are you using? Please note that the package name should be wireshark, not wireshark-gnome.

  6. roberson says:

    Hi everyone. I installed it here in my server CENTOS 5 and after run the wireshark, look for me ((wireshark:5941): Gtk-WARNING **: cannot open display:) what i can do for fix it ?


    Ps: I’ve try run with my user without be root. Just i try run nameuser$ wireshark but he doesn’t work fine.

  7. Niranjan says:


    Also besides the above observation, I just wanted to let you know that I have installed the gtk+, glib after installing wireshark.

  8. Niranjan says:

    Hi Thanks for very descriptive info on Wireshark. It was very helpfull.

    However, I am facing some issues while trying to open wireshark from command prompt.

    [[email protected] ~]# wireshark

    (wireshark:14036): Gtk-WARNING **: cannot open display:
    [[email protected] ~]# wireshark –display=:0

    (wireshark:14047): Gtk-WARNING **: cannot open display: :0
    [[email protected] ~]#


    • Ravi Saive says:

      It’s something related to X windows display. which is not properly set.

    • Gabriel A. Cánepa says:

      Why would you open wireshark from the command line in a GUI environment?

      • 01101001b says:

        You know why. You launch a GUI app from console when it doesn’t initiate from GUI interface, to get a lead of the problem. A GUI app that doesn’t initiate from console, doesn’t run from GUI environment either. Again, you know that :-)

  9. muthii says:

    Thanks for putting this up I needed to analyze some traffic on my box.

Got something to say? Join the discussion.

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.