What Is Wireshark? Security Definition
This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.
On This Page
Quick Definition
Wireshark is a tool that lets you see all the data moving across a network, like watching the cars on a highway. It captures packets of information and shows you their contents so you can find problems or security issues. Network administrators and IT professionals use it to troubleshoot slow connections, investigate suspicious activity, and understand how applications communicate. You can think of it as a microscope for network traffic.
Commonly Confused With
tcpdump is a command-line packet analyzer that does the same kind of capture as Wireshark but without a graphical interface. It uses the same libpcap library and can save files in pcap format. Wireshark can read tcpdump output, but tcpdump is harder to use for beginners because you must remember text commands.
If you are on a server with no graphical desktop, you would use tcpdump to capture traffic and then transfer the file to your desktop to open in Wireshark.
NetMon is a Microsoft tool for capturing network traffic, similar to Wireshark, but it is Windows-only and not as widely supported for non-Microsoft protocols. Wireshark is cross-platform and supports a much larger number of protocol dissectors. NetMon was more common in older Windows environments.
If you need to analyze a protocol specific to Microsoft Exchange, you might use NetMon. But for general IT exams, Wireshark is the standard.
Nmap is a network scanning tool that discovers hosts and services on a network by sending crafted packets and analyzing responses. It does not capture live traffic like Wireshark. Nmap is used for security auditing and network inventory, while Wireshark is used for deep packet inspection.
You would use Nmap to find which ports are open on a server, and then use Wireshark to capture the actual data flowing through those ports.
Fiddler is a web debugging proxy that captures HTTP and HTTPS traffic on your computer. It is application-layer focused and can modify requests and responses. Wireshark captures all network traffic at the packet level, not just web traffic. Fiddler is better for testing web applications, while Wireshark can analyze any protocol.
To debug a web API call, you might use Fiddler. To see why a DNS lookup failed, you use Wireshark.
Must Know for Exams
Wireshark appears in several major IT certification exams, and its presence is more than just a passing mention. For CompTIA Network+ (N10-008 or N10-009), Wireshark is listed under domain 4.0 (Network Troubleshooting) and domain 5.0 (Network Operations). Candidates must know how to use Wireshark to capture packets, apply filters, and analyze traffic to identify issues like high latency, packet loss, or misconfigured services. The exam often presents a scenario where a user cannot access a website, and the candidate must interpret Wireshark output to find the cause, such as a missing DNS response or a TCP SYN timeout.
For CompTIA Security+ (SY0-601 or SY0-701), Wireshark is tied to domain 4.0 (Security Operations). Exam objectives explicitly mention packet analysis for detecting malicious activity. Candidates may see Wireshark screenshots showing an ARP request storm that indicates an ARP poisoning attack, or an HTTP packet with plaintext credentials that reveals a security risk. Security+ questions often ask what type of attack is visible in a Wireshark capture, such as a man-in-the-middle, denial of service, or SQL injection.
Cisco CCNA (200-301) is another major exam that heavily uses Wireshark. The exam covers network fundamentals, IP connectivity, and troubleshooting. Wireshark is used to verify that routing and switching are working correctly, to analyze DHCP and DNS exchanges, and to test ACLs. CCNA questions might show a capture of a ping command and ask why a particular packet has a TTL of 1, or how to filter for only UDP traffic. Understanding how to read Wireshark output is essential for passing the troubleshooting sections.
The Certified Ethical Hacker (CEH) exam also includes Wireshark as a key tool for footprinting and reconnaissance. CEH candidates must be able to identify network protocols, capture traffic during a penetration test, and detect anomalies. Questions may show a Wireshark capture of a FTP login and ask the candidate to extract the username and password. In all these exams, the ability to read packet details, use display filters, and follow TCP streams is directly tested. Wireshark is not just a tool you might use on the job. It is a tool you must understand to pass the exam.
Simple Meaning
Imagine you are trying to figure out why your internet is slow at home. You could guess, but that does not help much. Instead, you want to actually see every piece of data that goes in and out of your computer. That is exactly what Wireshark does. It acts like a digital wiretap that listens to all the conversations your computer has with other computers, servers, and websites.
Wireshark puts your network interface card into something called "promiscuous mode." Normally, your computer only pays attention to data meant for it. But Wireshark tells your network card to listen to everything that passes by, just like a nosy neighbor who reads every piece of mail that comes through the hall. Once Wireshark captures this data, it organizes it into packets, which are like tiny envelopes with a sender address, a receiver address, and a message inside.
You can then look inside each envelope to see what is being said. For example, you might see a packet that says "I am requesting the homepage of example.com" and another that responds with the website content. This is incredibly useful because it turns invisible network traffic into something you can read and analyze. When something goes wrong, like a website not loading or a strange program sending data to an unknown server, Wireshark helps you find the exact packet that caused the problem and examine its contents.
Wireshark does not just capture packets. It also understands hundreds of different network protocols, which are the languages computers use to talk to each other. It can decode HTTP web traffic, DNS lookups, email protocols, and many more. This makes it an essential tool for anyone studying for an IT certification, because exams often ask you to use Wireshark to diagnose issues or identify security threats.
Full Technical Definition
Wireshark is a cross-platform, open-source packet analyzer that operates at multiple layers of the OSI model, primarily layers 2 through 7. It uses the libpcap (on Unix-like systems) or WinPcap/Npcap (on Windows) library to capture raw network frames from a network interface. The capture process involves placing the interface into promiscuous mode, which allows the system to receive all packets on the network segment, not just those addressed to its own MAC address.
Once captured, each packet is time-stamped and stored in a buffer. Wireshark then dissects each packet according to its protocol stack. For example, an Ethernet frame contains a header with source and destination MAC addresses, followed by an IP packet. Wireshark parses the IP header to extract source and destination IP addresses, protocol type (TCP, UDP, ICMP), and other fields. It then passes the payload to the next layer, such as TCP, which provides sequence numbers, port numbers, and flags. Finally, it decodes the application-layer data, such as an HTTP request or a DNS query.
Wireshark supports hundreds of protocol dissectors, and it can reassemble fragmented packets and streams. For TCP connections, it can follow a full TCP stream (the "Follow TCP Stream" feature) to reconstruct the entire conversation, like a chat log between two machines. This is extremely valuable for troubleshooting application issues. Wireshark also provides powerful filtering capabilities using the Berkeley Packet Filter (BPF) syntax. Capture filters limit which packets are recorded before capture, while display filters sift through captured data to show only packets matching specific criteria, such as "tcp.port == 80" or "http.request".
In terms of standards, Wireshark adheres to all major RFC specifications and is regularly updated to support new protocols. It can read and write capture files in many formats, including pcap, pcapng, and others used by tools like tcpdump. The tool also offers statistical analysis features like IO graphs, protocol hierarchy statistics, and endpoint conversations. For security professionals, Wireshark can detect suspicious patterns, such as port scans, ARP spoofing, or unencrypted credentials transmitted in clear text. It is widely used in IT certification exams, including CompTIA Network+, Security+, and Cisco CCNA, to teach protocol analysis, network troubleshooting, and security fundamentals.
Real-Life Example
Think about a busy post office. Every day, thousands of letters and packages arrive and leave. Each piece of mail has a sender address, a recipient address, and a stamp showing the class of service. Now imagine that the post office workers suspect something is wrong. Maybe a package went missing, or someone is sending suspicious letters. They cannot just guess. They need to inspect the mail directly.
Wireshark is like giving those workers a magnifying glass and a logging system. Instead of just letting mail pass through, Wireshark copies every single letter and package that travels across the network. It records the exact time each piece of mail was seen, who sent it, who was supposed to receive it, and what was written inside. If a letter says "Please send me your password," Wireshark will show that text. If a package is marked "urgent" but never arrived, you can trace its entire journey.
In this analogy, your computer is the post office, and other computers are the different buildings around town. The network cable or Wi-Fi is the road the mail trucks drive on. Wireshark is the supervisor who stands at the loading dock with a clipboard, writing down every single piece of mail that goes by. When something goes wrong, the supervisor can flip through the clipboard and find exactly which piece of mail had the problem. That is how IT professionals use Wireshark to find why a website is not loading or why a file transfer failed halfway through.
The beauty of this tool is that you do not need to be a postal expert to use it. Wireshark translates all those confusing numbers and addresses into plain English, or at least something close to it. It shows you that "192.168.1.10" sent a request to "203.0.113.5" asking for a webpage, and the server replied with the HTML code. This makes Wireshark an indispensable tool for learning how networks really work, because it takes the invisible and makes it visible.
Why This Term Matters
Wireshark matters because the network is the backbone of modern IT. Without a way to see what is actually traveling across the wire, troubleshooting becomes guesswork. When a user complains that an application is slow or a website will not load, you can use Wireshark to look at the actual packets and see exactly where the delay is. Maybe it is a DNS resolution issue, a TCP retransmission, or a server that stops responding. With Wireshark, you can prove the problem is on the network, not the application, or vice versa.
Security is another critical reason. Wireshark can reveal malicious activity that other tools might miss. For example, if a computer on your network suddenly starts sending data to an unknown IP address at 3 AM, Wireshark can capture that traffic and show you exactly what is being sent. It can also detect man-in-the-middle attacks, ARP spoofing, and unencrypted protocols that leak sensitive information. In a world where data breaches are common, being able to inspect traffic is a fundamental skill.
For IT professionals studying for certifications, Wireshark is often a required tool. Exams like CompTIA Network+ expect you to know how to capture packets, apply filters, and interpret the results. Cisco CCNA exams include questions about protocol analysis and troubleshooting that rely on Wireshark output. Even security certifications like CompTIA Security+ and Certified Ethical Hacker (CEH) use Wireshark to teach packet analysis and attack detection. Mastering Wireshark is not just about passing an exam. It is about building a deeper understanding of how networks behave, which makes you a better administrator, engineer, or security analyst.
How It Appears in Exam Questions
Exam questions involving Wireshark typically fall into three categories: scenario-based, configuration, and troubleshooting. In scenario-based questions, you are given a description of a network problem and a screenshot of a Wireshark capture. For example, a question might say: "A user reports that they cannot access an internal web server. A packet capture shows many TCP SYN packets being sent to the server but no SYN-ACK replies. What is the most likely cause?" The answer choices could include a firewall blocking inbound traffic, a down server, or a misconfigured default gateway. The key is to recognize that the missing SYN-ACK indicates the server is not responding, possibly due to a firewall or service failure.
Configuration questions might ask you to select the correct Wireshark display filter to isolate specific traffic. For example: "You need to see only HTTP traffic from the IP address 192.168.1.10. Which display filter should you use?" The correct answer is "http and ip.src == 192.168.1.10." Another variation asks you to capture only traffic on TCP port 443 to troubleshoot HTTPS issues. You would need to know the capture filter "tcp port 443" or the display filter "tcp.port == 443."
Troubleshooting questions present a more complex scenario. For instance, "A user on VLAN 10 cannot reach a printer on VLAN 20. A Wireshark capture on the user's computer shows ARP requests for the printer's IP address but no ARP replies. What does this indicate?" The correct answer is that the ARP request is not being forwarded across VLANs, which points to a missing router-on-a-stick configuration or a misconfigured switch. Other troubleshooting questions might show a TCP conversation with many retransmissions, leading to a conclusion about network congestion or a faulty cable.
Another common pattern is security-related. A question shows a Wireshark capture with a high number of ICMP echo requests from a single source to a single destination. You are asked what type of attack is being performed. The answer is a ping flood or denial of service attack. Similarly, a capture showing repeated ARP replies from a different MAC address than the one expected indicates an ARP spoofing attack. These questions test your ability to apply Wireshark knowledge to real-world scenarios that appear on exams.
Practise Wireshark Questions
Test your understanding with exam-style practice questions.
Example Scenario
You are a help desk technician for a small company. An employee named Sarah calls you and says she cannot access the company's internal website at http://intranet.company.local. Other employees on the same network can reach it without any problem. You decide to use Wireshark to diagnose the issue.
You ask Sarah to open a browser and attempt to load the intranet while you capture traffic on her computer. You install Wireshark, select the correct network interface (her Wi-Fi card), and start the capture. Then you ask her to press Enter. After a few seconds, you stop the capture.
Looking at the packet list, you notice something interesting. Sarah's computer sent a DNS query asking for the IP address of intranet.company.local. The DNS server responded with a valid IP address, so DNS is working fine. Next, you see that Sarah's computer sent a TCP SYN packet to that IP address, but there is no SYN-ACK response. The capture shows several retransmissions of the SYN packet, all without any reply. This tells you that the web server itself is not responding to Sarah's connection attempts.
You then look at the destination IP address. It is 192.168.10.50. You ask another employee to open the intranet while you capture their traffic. Their capture shows a successful TCP handshake with the same IP address. So the server is working for other users. The difference is the source IP. Sarah's computer is on IP 192.168.20.10, while the other employee is on 192.168.10.15. The server is on the 192.168.10.0 network. You realize that Sarah is on a different subnet, and there must be a firewall that blocks traffic from 192.168.20.0 to the server, but allows traffic from 192.168.10.0. After checking the firewall rules, you find a misconfigured ACL that denies traffic from the 192.168.20.0 network. You correct the rule, and Sarah can now access the intranet.
This example shows how Wireshark helps you isolate the problem by showing the exact point of failure. Instead of guessing, you saw the DNS succeed and the TCP handshake fail, which pointed you straight to the firewall as the cause.
Common Mistakes
Thinking Wireshark can capture traffic on any network without special configuration.
Wireshark can only capture traffic that reaches the network interface of the machine it is running on. In a switched network, switches forward frames only to the destination port, so Wireshark will not see other hosts' traffic unless you use port mirroring or a hub.
Remember that Wireshark captures only what it sees locally. To capture traffic from other devices, you need to configure port mirroring on the switch or use a network TAP.
Confusing capture filters with display filters.
Capture filters use BPF syntax and are applied before capture, filtering out packets you do not want. Display filters use a different syntax and are applied after capture, hiding but not deleting packets. Using a display filter when you meant a capture filter can lead to missing evidence.
Use capture filters to reduce the amount of data captured when you know exactly what you need. Use display filters to analyze a large capture. Learn the syntax for both: capture filters use 'host 192.168.1.1' while display filters use 'ip.addr == 192.168.1.1'.
Assuming Wireshark can decrypt all encrypted traffic automatically.
Wireshark can only decrypt traffic if you provide the decryption keys or certificates. For HTTPS, you need the private key of the server. For WPA2, you need the pre-shared key. Without these, Wireshark shows only encrypted payloads.
Understand the limitations. Wireshark shows the handshake and metadata of encrypted traffic, but the data itself is gibberish unless you have the keys. In exams, you might be asked to identify protocols that are encrypted by looking at port numbers (e.g., 443) or the TLS handshake.
Forgetting to stop the capture before analyzing.
A live capture continuously adds new packets, which can overwhelm you and make it hard to focus on the problem. It also uses system resources. Many beginners start analyzing while capturing, leading to confusion.
Always stop the capture as soon as you have enough data. Then analyze the captured packets in a static view. This makes it easier to apply filters and examine specific packets without distraction.
Misinterpreting packet colors.
Wireshark uses color coding to indicate packet types or anomalies, but the coloring rules can be customized. A common default is light purple for TCP traffic, light blue for UDP, and black for packets with errors. Beginners might assume a color means something it does not.
Learn the default color scheme but always double-click a packet to see its actual details. Do not rely solely on colors. In exams, the color is usually not part of the question, but if it is, it will be explained in the scenario.
Exam Trap — Don't Get Fooled
{"trap":"An exam question shows a Wireshark capture with a lot of TCP retransmissions and asks the candidate to choose the cause. A common trap answer is 'The destination server is down.'","why_learners_choose_it":"Learners see the retransmissions and immediately assume the server is offline because packets are not being acknowledged.
This seems logical because retransmissions happen when no ACK is received.","how_to_avoid_it":"Retransmissions can be caused by many things, not just a down server. The server could be slow, the network could be congested, or a firewall could be dropping packets.
Always look at the entire capture. If the server is down, you would see no response at all, not just retransmissions. Also check if other packets to the same server succeed. The correct answer might be 'network congestion causing packet loss' or 'a faulty network cable introducing errors.'
Step-by-Step Breakdown
Select the correct network interface
Before you can capture traffic, you must tell Wireshark which network interface to listen on. On a computer with Wi-Fi and Ethernet, you need to choose the one that carries the traffic you want to analyze. Selecting the wrong interface means you capture nothing useful. Wireshark shows a list of interfaces with live traffic graphs to help you decide.
Start the capture
Click the shark fin icon or choose Capture > Start. Wireshark immediately begins capturing all packets that reach that interface. You will see packets appearing in real time. It is important to have a clear goal for what you are capturing, such as only traffic to a specific IP, to avoid gathering too much data.
Apply a display filter to narrow the view
Once capture begins, use the display filter bar to show only packets of interest. For example, type "dns" to see only DNS queries and responses. Filters do not delete packets, they just hide them. This makes it easier to focus on the relevant conversation without being overwhelmed by noise.
Stop the capture when you have enough data
After you have captured the relevant traffic, click the red stop button. Now you have a static set of packets to analyze. Stopping prevents new packets from coming in and mixing with the data you are examining. This is crucial for careful analysis.
Select a packet and examine its details
Click on a packet in the list. The middle pane shows the packet's protocol tree, with layers like Frame, Ethernet, IP, TCP, and the application data. You can expand each layer to see fields like source/destination MAC and IP addresses, ports, flags, and sequence numbers. This is where you find the clues to your problem.
Follow a TCP stream to see the full conversation
Right-click on a TCP packet and choose Follow > TCP Stream. Wireshark will reconstruct the entire TCP session and show the data exchanged between both endpoints, both directions. This is extremely helpful for reading HTTP responses, email headers, or any application data that spans multiple packets.
Practical Mini-Lesson
Wireshark is more than just a capture tool. It is a full-featured analysis platform that professionals use daily to troubleshoot network issues, verify security policies, and understand protocol behavior. To use it effectively, you need to know how to navigate its interface and interpret its output.
First, always plan your capture. If you start capturing without a clear goal, you will end up with thousands of packets and no idea where to look. Decide what protocol or device you want to investigate, and consider using a capture filter to limit data. For example, to capture only traffic to a web server, use the capture filter "host 192.168.1.100" before starting. This saves memory and makes analysis faster.
Second, learn to use display filters fluently. These are more flexible than capture filters because you can change them after the capture. Common filters include "ip.addr == 192.168.1.1" for a specific IP, "tcp.port == 80" for HTTP, and "dns" for all DNS traffic. You can combine filters with logical operators like "and", "or", and "not". For example, "http and not ip.addr == 192.168.1.1" shows HTTP traffic that does not involve that address.
Third, understand how to read the packet details pane. The tree view shows each protocol layer. For troubleshooting, focus on the TCP layer. Look for the flags: SYN starts a connection, SYN-ACK acknowledges it, and ACK continues the session. A RST (reset) flag means the connection was abruptly closed, often due to a firewall or application error. Retransmissions appear as packets with the same sequence number, and they indicate packet loss or network congestion.
Fourth, use the statistics tools. Wireshark can generate an IO graph showing traffic volume over time, which can reveal spikes from a denial of service attack. The Protocol Hierarchy Statistics window shows what percentage of traffic each protocol uses, which is useful for identifying unusual activity. The Endpoints window lists all communicating devices and their data usage.
Finally, be aware of what can go wrong. Capturing on a busy network can crash Wireshark or fill your hard drive. Always stop the capture after collecting the needed data. Also, do not capture on a production server without permission, as it can degrade performance. And remember that Wireshark cannot decrypt most encrypted traffic unless you have the keys. In real-world IT, you will often rely on the metadata (IP addresses, ports, timing) rather than the payload for troubleshooting encrypted sessions.
Memory Tip
Remember "Wireshark" as "Wire Shark", a shark that sniffs the wires and shows you what fish (packets) are swimming by.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
200-301Cisco CCNA →N10-009CompTIA Network+ →220-1102CompTIA A+ Core 2 →SC-900SC-900 →SOA-C02SOA-C02 →CDLGoogle CDL →ISC2 CCISC2 CC →Legacy Exam Context
Older materials may mention these exam versions, but learners should use the current objectives for their target exam.
N10-008N10-009(current version)SY0-601SY0-701(current version)Related Glossary Terms
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
802.1Q is the networking standard that allows multiple virtual LANs (VLANs) to share a single physical network link by tagging Ethernet frames with VLAN identification information.
An A record is a type of DNS resource record that maps a domain name to an IPv4 address.
An AAAA record is a DNS record that maps a domain name to an IPv6 address, allowing devices to find each other over the internet using the newer IP addressing system.
Frequently Asked Questions
Do I need special hardware to use Wireshark?
No, Wireshark runs on any standard computer with a network interface card. However, to capture traffic from other devices on a switched network, you may need to configure port mirroring on your switch.
Is Wireshark illegal to use?
Wireshark is legal to use for network troubleshooting and education on your own network. Using it to capture traffic on someone else's network without permission is illegal and considered wiretapping.
Can Wireshark capture Wi-Fi traffic?
Yes, but only if your wireless adapter supports monitor mode. Many consumer Wi-Fi cards do not, so you may need a special adapter or use an external tool like Aircrack-ng alongside Wireshark.
What is the difference between a capture filter and a display filter?
A capture filter is applied before capture and only saves packets that match the filter. A display filter is applied after capture and only shows matching packets, but all captured packets remain in memory.
Can Wireshark decrypt HTTPS traffic?
Yes, but only if you have the server's private key or use a man-in-the-middle approach with the client's SSL/TLS key log file. Without these, Wireshark sees only encrypted data.
Why is Wireshark important for IT certifications?
Many IT certifications test your ability to analyze packet captures to diagnose network problems and detect security threats. Wireshark is the industry standard tool for this, so exam questions often refer to it.
How do I save a Wireshark capture?
Go to File > Save As and choose a file name and location. The default format is pcapng, which can be read by Wireshark and other tools like tcpdump.
What does a black packet in Wireshark mean?
By default, black packets indicate that Wireshark detected a problem with the packet, such as a TCP checksum error or an invalid frame. You can customize the color scheme in the preferences.
Summary
Wireshark is an essential tool for anyone working in IT, from help desk technicians to security analysts. It allows you to capture and inspect every packet that travels across a network, turning invisible data into readable information. By decoding hundreds of protocols, Wireshark helps you diagnose why a website is slow, why a connection drops, or whether an attacker is sending malicious traffic. For IT certification candidates, understanding Wireshark is not optional. It appears in the objectives of CompTIA Network+, Security+, Cisco CCNA, and Certified Ethical Hacker exams, often in the form of screenshots that you must interpret to answer the question correctly.
To succeed in exams, you must know the difference between capture filters and display filters, how to follow a TCP stream, and how to recognize common protocols and anomalies. You should practice using Wireshark on your own network to become comfortable with its interface. Start with simple tasks like filtering for HTTP traffic or verifying a DNS lookup. As you gain experience, move on to troubleshooting scenarios like why a ping fails or how to spot a port scan.
Wireshark is a powerful tool, but it has limitations. It cannot capture traffic from other devices on a switched network without additional setup, and it cannot decrypt most encrypted traffic without keys. Be aware of these limitations in both real-world work and exam questions. Master Wireshark, and you will have a deep understanding of how networks really work, which is the foundation of a successful IT career.