CampusFlow
Packet Analysis Lab

Wireshark Packet Analyzer

Dive deep into network traffic with an interactive packet analyzer simulator. Inspect real-world protocol interactions, decode packet structures, and master the art of network forensics, all from your browser.

What is Wireshark?

Packet Capture

Wireshark captures live network traffic by placing the network interface in promiscuous mode, recording every packet that passes through. Captures can be saved in PCAP/PCAPNG format for later analysis and sharing.

Protocol Decoding

Over 3,000 protocol dissectors allow Wireshark to decode everything from Ethernet frames to application-layer protocols like HTTP and DNS, presenting them in a human-readable hierarchical view.

Traffic Analysis

Analysts use Wireshark for network troubleshooting, security incident investigation, protocol development, and education. Display filters, coloring rules, and statistics help pinpoint issues quickly.

Interactive Packet Analyzer Simulator

Packet List (16 of 16 packets)

| No. | Time | Source | Destination | Protocol | Length | Info |
|---|---|---|---|---|---|---|
| 1 | 0.000000 | 192.168.1.100 | 8.8.8.8 | DNS | 72 | Standard query 0x0123 A example.com |
| 2 | 0.002345 | 8.8.8.8 | 192.168.1.100 | DNS | 82 | Standard response 0x0123 A 93.184.216.34 |
| 3 | 0.003100 | 192.168.1.100 | 93.184.216.34 | TCP | 70 | 49152 → 80 [SYN] Seq=0 Win=64240 |
| 4 | 0.012500 | 93.184.216.34 | 192.168.1.100 | TCP | 70 | 80 → 49152 [SYN, ACK] Seq=0 Ack=1 Win=64240 |
| 5 | 0.012600 | 192.168.1.100 | 93.184.216.34 | TCP | 54 | 49152 → 80 [ACK] Seq=1 Ack=1 Win=64240 |
| 6 | 0.013000 | 192.168.1.100 | 93.184.216.34 | HTTP | 148 | GET /index.html HTTP/1.1 |
| 7 | 0.045200 | 93.184.216.34 | 192.168.1.100 | HTTP | 520 | HTTP/1.1 200 OK (text/html) |
| 8 | 0.045300 | 192.168.1.100 | 93.184.216.34 | TCP | 54 | 49152 → 80 [ACK] Seq=95 Ack=467 Win=63720 |
| 9 | 0.045800 | 192.168.1.100 | 93.184.216.34 | HTTP | 152 | GET /logo.png HTTP/1.1 |
| 10 | 0.062100 | 93.184.216.34 | 192.168.1.100 | HTTP | 1250 | HTTP/1.1 200 OK (image/png) |
| 11 | 0.062200 | 192.168.1.100 | 93.184.216.34 | TCP | 54 | 49152 → 80 [ACK] Seq=247 Ack=1689 Win=62400 |
| 12 | 0.065000 | 192.168.1.100 | 93.184.216.34 | TLS | 256 | Client Hello (SNI: example.com) |
| 13 | 0.072300 | 93.184.216.34 | 192.168.1.100 | TLS | 312 | Server Hello + Certificate |
| 14 | 3.500000 | 192.168.1.100 | 93.184.216.34 | TCP | 54 | 49152 → 80 [FIN, ACK] Seq=247 Ack=1689 Win=62400 |
| 15 | 3.512000 | 93.184.216.34 | 192.168.1.100 | TCP | 54 | 80 → 49152 [FIN, ACK] Seq=1689 Ack=248 Win=64240 |
| 16 | 3.512100 | 192.168.1.100 | 93.184.216.34 | TCP | 54 | 49152 → 80 [ACK] Seq=248 Ack=1690 Win=62400 |

Capture Statistics

Total Packets: 16

Capture Duration: 3.512 s

Avg Packet Size (bytes): 204

Total Bytes: 3256

Protocol breakdown (packets, share of capture): DNS 2 (13%), TCP 8 (50%), HTTP 4 (25%), TLS 2 (13%)

Wireshark Features

Display Filters

Filter packets using expressions like `http`, `tcp.port == 80`, or `ip.addr == 192.168.1.1` to isolate specific traffic.

Capture Filters

Use BPF syntax to capture only relevant traffic: `host 93.184.216.34`, `port 80`, or `tcp`.

Follow TCP Stream

Reconstruct the full TCP conversation between two endpoints to see the raw application-layer data exchange.

IO Graphs & Statistics

Visualize throughput, packet rates, protocol hierarchy, and endpoint conversations with built-in graphing tools.

Protocol Hierarchy

View a tree of all detected protocols with packet counts and percentages to understand traffic composition.

Export Objects

Extract files (images, executables, documents) transferred over HTTP, SMB, or other protocols from the capture.

Wireshark Interview Questions

1. What is Wireshark and how does it capture packets?

Wireshark is a network protocol analyzer that captures packets by putting the network interface into promiscuous mode, allowing it to see all traffic passing through the interface. It uses libpcap/WinPcap to capture raw frames from the network adapter.

2. What is the difference between a display filter and a capture filter?

Capture filters use BPF (Berkeley Packet Filter) syntax and are applied before capture, dropping non-matching packets entirely. Display filters use Wireshark's own expression syntax and only hide packets from view; they can be changed after capture without re-capturing.

3. How do you analyze a TCP three-way handshake in Wireshark?

Filter by `tcp.stream eq <n>` to isolate a TCP flow. The three-way handshake appears as: (1) Client sends [SYN] with Seq=0, (2) Server responds [SYN, ACK] with Seq=0 and Ack=1, (3) Client sends [ACK] with Seq=1 and Ack=1. This establishes the connection.
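The Seq=0 / Ack=1 values Wireshark shows for a handshake are relative sequence numbers (a display preference that is on by default), not the raw 32-bit numbers on the wire. The following Python is an added example, not part of the CampusFlow lab: it dissects three constructed 54-byte Ethernet/IPv4/TCP frames modelled on packets 3 to 5 of the list above (MAC addresses, initial sequence numbers and the frame bytes themselves are made up), computes the relative numbers from the raw ISNs the way Wireshark does, and checks that the three frames form a valid handshake.

```python
import struct

# Constructed frames (not captured): Ethernet + IPv4 + TCP, 54 bytes each, the
# client/server handshake from the packet list above with made-up MACs and ISNs.
# Checksums are left zero; this dissector does not validate them.
SYN = bytes.fromhex(
    "aabbcc000002 aabbcc000001 0800"                    # Ethernet: dst, src, type=IPv4
    "4500 0028 0001 4000 4006 0000 c0a80164 5db8d822"   # IPv4: 192.168.1.100 -> 93.184.216.34
    "c000 0050 1a2b3c4d 00000000 5002 faf0 0000 0000")  # TCP: 49152 -> 80 [SYN] Win=64240
SYN_ACK = bytes.fromhex(
    "aabbcc000001 aabbcc000002 0800"
    "4500 0028 0002 4000 4006 0000 5db8d822 c0a80164"
    "0050 c000 7e5f4a3b 1a2b3c4e 5012 faf0 0000 0000")  # TCP: 80 -> 49152 [SYN, ACK]
ACK = bytes.fromhex(
    "aabbcc000002 aabbcc000001 0800"
    "4500 0028 0003 4000 4006 0000 c0a80164 5db8d822"
    "c000 0050 1a2b3c4e 7e5f4a3c 5010 faf0 0000 0000")  # TCP: 49152 -> 80 [ACK]
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}

def dissect(frame: bytes) -> dict:
    """Walk Ethernet -> IPv4 -> TCP, the dissector chain Wireshark applies to such a frame."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                # IPv4 header length in bytes, options included
    if ip[9] != 6:
        raise ValueError("not TCP")
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", ip[ihl:ihl + 16])
    return {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack, "win": win,
            "flags": [n for bit, n in TCP_FLAGS.items() if off_flags & bit]}

def relative_seq(packets: list) -> list:
    """Rewrite seq/ack relative to each direction's ISN, as Wireshark's relative sequence
    numbers do. Assumption here: if a direction's SYN was missed, its first seq is the base."""
    isn, out = {}, []
    for p in packets:
        me, peer = (p["src"], p["sport"]), (p["dst"], p["dport"])
        isn.setdefault(me, p["seq"])        # the SYN's seq is the ISN for this direction
        rel = dict(p, seq=p["seq"] - isn[me])
        if "ACK" in p["flags"] and peer in isn:
            rel["ack"] = p["ack"] - isn[peer]
        out.append(rel)
    return out

def is_three_way_handshake(frames: list) -> bool:
    """True for [SYN] Seq=0, then [SYN, ACK] Seq=0 Ack=1, then [ACK] Seq=1 Ack=1."""
    rel = relative_seq([dissect(f) for f in frames[:3]])
    want = [({"SYN"}, 0, None), ({"SYN", "ACK"}, 0, 1), ({"ACK"}, 1, 1)]
    return len(rel) == 3 and all(set(p["flags"]) == fl and p["seq"] == s and (a is None or p["ack"] == a)
                                 for p, (fl, s, a) in zip(rel, want))
```

Feeding a real capture through this only needs the raw frame bytes; a `scapy`/`pyshark` reader or a minimal PCAP record parser would supply them.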

4. What does the [PSH] flag in a TCP packet mean?

The PSH (Push) flag tells the receiving system to deliver the data to the application immediately without buffering. In Wireshark, [PSH, ACK] packets typically carry application-layer payload like HTTP requests or responses.

5. How can you identify a TLS handshake in Wireshark?

Filter by `tls` or `ssl`. The TLS handshake begins with Client Hello (containing supported cipher suites and SNI), followed by Server Hello (selected cipher suite and certificate), then key exchange and finished messages. Look for protocol version 0x0303 (TLS 1.2) or 0x0304 (TLS 1.3).