What is Wireshark? Basics of Wireshark

  • Wireshark is an open-source packet analyzer used for network troubleshooting, protocol analysis, software and communication-protocol development, and debugging.
  • It can be run in GUI mode or from the command line; the command-line version is tshark.
  • It is similar to tcpdump, but it ships with dissectors for a very large number of protocols, a graphical interface, and a rich display-filter language on top of the same BPF capture filters that tcpdump uses.
  • It is developed to run on Linux, other Unix-like systems, the BSDs, Solaris, Windows and macOS.
  • It is a packet sniffer: it analyzes the traffic of the local system, or of a whole network segment when fed from a SPAN/mirror port or a tap. Because it shows packet contents in the clear, it will expose credentials carried by plaintext protocols, e.g. Telnet, HTTP or FTP, whether those packets are seen on the wire directly or obtained from a man-in-the-middle (MITM) position. Wireshark itself only observes; the MITM position has to be obtained by other means.
  • It is cross-platform and uses the Qt widget toolkit for its user interface.
  • It was originally called Ethereal and was renamed Wireshark in May 2006.

What can be captured from Wireshark?

  • Wireshark captures through pcap, the packet-capture API: libpcap on Unix-like systems and, on Windows, Npcap (older releases used WinPcap, which is no longer maintained). Through it Wireshark captures from network interfaces such as Ethernet, Wi-Fi and the loopback interface.
  • It can capture raw USB traffic, using USBPcap on Windows (and the usbmon kernel module on Linux).
  • It dissects essentially every common protocol, e.g. ARP, STP, ICMPv4, ICMPv6, IPv4, IPv6, LLMNR, mDNS, SSDP, NetBIOS, RIPv1, RIPv2, RIPng, OSPF, VoIP protocols such as SIP and RTP, RTSP, TCP, UDP, DHCP, DNS, SSL/TLS, HTTP and many more.

How can Wireshark be operated?

Wireshark can capture in either of two modes of your Network Interface Card, listed below:

  1. Non-promiscuous mode: the NIC passes up only frames addressed to it, plus broadcast frames and the multicast groups it has joined. In general: traffic your system sends + traffic it receives.
  2. Promiscuous mode: the NIC passes up every frame that reaches it, including unicast frames addressed to other hosts. In general: sent traffic + received traffic + everything else on the segment. Promiscuous mode is enabled by default in Wireshark's capture options. Note that on a switched network the switch only delivers other hosts' unicast traffic to your port if you use a SPAN/mirror port or a tap, and on Wi-Fi seeing other stations' frames requires monitor mode, not just promiscuous mode.

How to install Wireshark?

Follow the steps below to install Wireshark.

1. Go to the Wireshark website https://www.wireshark.org/ and download the installer for your operating system. On Linux it is usually simpler to install your distribution's wireshark package, which pulls in libpcap; capturing as a non-root user then requires membership of the wireshark group.

2. Run the installer and accept the optional components it offers, such as tshark and the capture drivers: Npcap on Windows (which replaced WinPcap) and USBPcap if you want USB capture. The installer launches the Npcap setup for you; once that finishes, Wireshark is installed.

How to use Wireshark?

In this tutorial we will use Wireshark to capture the traffic generated by visiting https://google.com. To do so, follow the steps below.

1. Open Wireshark, select the interface that carries your traffic and start the capture, as shown in Image Wireshark_Lab-1.1. I have a wireless connection, so I select the Wi-Fi interface.

2. Open a browser and type google.com into the address bar.

3. Stop the capture by clicking the red Stop button on the main toolbar and look at the captured packets, as shown in Image Wireshark_Lab-1.2.

4. Analyzing the packets
The DNS query for google.com is resolved and the TCP handshake takes place.

IP address 192.168.43.116 (my system) sends a DNS query to 192.168.43.1 (my Internet gateway, which also acts as the DNS resolver), and the DNS reply is received, as shown in Image Wireshark_Lab-1.3.

IP address 192.168.43.116 then sends a TCP SYN packet to 172.217.166.74 (the address google.com resolved to) on destination port 443 (HTTPS), and a SYN/ACK comes back from 172.217.166.74, as shown in Image Wireshark_Lab-1.2. Once the client answers with the final ACK, the three-way handshake is complete and application traffic follows, starting with the TLS handshake. Because the connection is HTTPS, Wireshark shows the TLS records but not the HTTP request inside them. Typing dns || tcp.flags.syn == 1 into the display-filter bar isolates exactly the packets discussed here.

Note: google.com is served from a pool of IP addresses for load balancing, so the address you see will very likely differ.

In this way traffic can be analyzed and problems can be troubleshot.
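As an added example (not part of the original tutorial and not Wireshark's own code), the Python script below ties together the pcap format mentioned in "What can be captured from Wireshark?" and the step-4 analysis above, without the GUI. It constructs a small capture with the same five packets the lab describes (DNS query and reply, then SYN, SYN/ACK and ACK to port 443; the IP addresses are those from the lab, while the MAC addresses, ports, sequence numbers, TTL and the DNS transaction ID are made up), writes it in classic libpcap format, reads it back, dissects Ethernet/IPv4/UDP/TCP/DNS, and reports completed three-way handshakes. Only the standard library is used.

```python
"""Stdlib-only reader for classic libpcap (.pcap) files: Ethernet + IPv4 only, no pcapng."""
import struct
from collections import namedtuple
from socket import inet_aton, inet_ntoa

PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1          # classic pcap, microsecond timestamps
Packet = namedtuple("Packet", "src dst proto sport dport flags info", defaults=(0, 0, "", ""))

def read_pcap(blob):
    """Yield raw frames; the magic number's byte order says how every header was written."""
    magic = struct.unpack("<I", blob[:4])[0]
    end = "<" if magic == PCAP_MAGIC else ">" if magic == 0xD4C3B2A1 else None
    if end is None or struct.unpack(end + "I", blob[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("expected a classic Ethernet pcap (pcapng is not handled here)")
    off = 24                                           # 24-byte global header
    while off + 16 <= len(blob):                       # 16-byte record header per frame
        incl_len = struct.unpack(end + "IIII", blob[off:off + 16])[2]
        yield blob[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def dns_name(msg, off):
    """Decode a DNS name, following RFC 1035 compression pointers."""
    labels = []
    while True:
        n = msg[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0 == 0xC0:                           # pointer to an earlier copy of the name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            return ".".join(labels + [dns_name(msg, ptr)[0]]), off + 2
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n

def dissect_dns(msg):
    """Summarise a DNS message like Wireshark's Info column (A records only)."""
    txid, flags, _qd, an = struct.unpack("!HHHH", msg[:8])
    qname, off = dns_name(msg, 12)
    qtype = {1: "A", 28: "AAAA"}.get(struct.unpack("!H", msg[off:off + 2])[0], "?")
    if not flags & 0x8000:                             # QR bit clear: this is the query
        return f"Standard query 0x{txid:04x} {qtype} {qname}"
    off, answers = off + 4, []                         # skip QTYPE/QCLASS, then walk the answers
    for _ in range(an):
        _, off = dns_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 1:
            answers.append(inet_ntoa(msg[off + 10:off + 14]))
        off += 10 + rdlen
    return f"Standard query response 0x{txid:04x} {qtype} {qname} " + " ".join(answers)

def dissect(frame):
    """Ethernet -> IPv4 -> UDP/TCP, roughly what Wireshark's summary pane shows."""
    if frame[12:14] != b"\x08\x00":                    # EtherType: only IPv4 is dissected
        return Packet("?", "?", "non-IPv4")
    ip = frame[14:]
    src, dst, proto, l4 = inet_ntoa(ip[12:16]), inet_ntoa(ip[16:20]), ip[9], ip[(ip[0] & 0xF) * 4:]
    if proto == 17:
        sport, dport, length = struct.unpack("!HHH", l4[:6])
        info = dissect_dns(l4[8:length]) if 53 in (sport, dport) else f"{length - 8} bytes"
        return Packet(src, dst, "UDP", sport, dport, "", info)
    if proto == 6:
        sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", l4[:14])
        names = ((2, "SYN"), (1, "FIN"), (4, "RST"), (8, "PSH"), (16, "ACK"))
        flags = ",".join(name for bit, name in names if off_flags & bit)
        return Packet(src, dst, "TCP", sport, dport, flags, f"Seq={seq} Ack={ack}")
    return Packet(src, dst, f"IP proto {proto}")

def find_handshakes(packets):
    """Return (client, server, port) for each SYN -> SYN,ACK -> ACK exchange seen."""
    syn, synack, done = set(), set(), []
    for p in (x for x in packets if x.proto == "TCP"):
        fwd, rev = (p.src, p.sport, p.dst, p.dport), (p.dst, p.dport, p.src, p.sport)
        if p.flags == "SYN":
            syn.add(fwd)
        elif p.flags == "SYN,ACK" and rev in syn:
            synack.add(rev)
        elif p.flags == "ACK" and fwd in synack:
            done.append((p.src, p.dst, p.dport))
    return done

# Constructed sample (not a real trace): the packets the lab walks through, checksums left 0.
CLIENT, GATEWAY, GOOGLE = "192.168.43.116", "192.168.43.1", "172.217.166.74"
def _pkt(src, dst, proto, payload):
    eth = bytes.fromhex("0a0000000002" "0a0000000001" "0800")          # dst MAC, src MAC, IPv4
    return eth + struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0x4000, 64,
                             proto, 0, inet_aton(src), inet_aton(dst)) + payload

def build_sample_pcap():
    udp = lambda s, d, data: struct.pack("!HHHH", s, d, 8 + len(data), 0) + data
    tcp = lambda s, d, seq, ack, fl: struct.pack("!HHIIHHHH", s, d, seq, ack, 0x5000 | fl, 65535, 0, 0)
    q = b"\x06google\x03com\x00\x00\x01\x00\x01"       # QNAME google.com, QTYPE A, QCLASS IN
    query = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + q
    reply = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + q
             + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + inet_aton(GOOGLE))
    frames = [_pkt(CLIENT, GATEWAY, 17, udp(50000, 53, query)),
              _pkt(GATEWAY, CLIENT, 17, udp(53, 50000, reply)),
              _pkt(CLIENT, GOOGLE, 6, tcp(51514, 443, 1000, 0, 0x02)),      # SYN
              _pkt(GOOGLE, CLIENT, 6, tcp(443, 51514, 7000, 1001, 0x12)),   # SYN,ACK
              _pkt(CLIENT, GOOGLE, 6, tcp(51514, 443, 1001, 7001, 0x10))]   # ACK
    blob = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):                     # ts_sec, ts_usec, incl_len, orig_len
        blob += struct.pack("<IIII", 1700000000, i * 1000, len(f), len(f)) + f
    return blob

if __name__ == "__main__":
    packets = [dissect(f) for f in read_pcap(build_sample_pcap())]
    print(*packets, "handshakes: %s" % find_handshakes(packets), sep="\n")
```

Run it directly to print one Wireshark-style summary line per packet followed by the completed handshakes. To try it on a real trace, save the capture from Wireshark in pcap format (File > Save As, choose "pcap" rather than the default pcapng) and pass the file contents to read_pcap; the dissector only understands Ethernet frames carrying IPv4 with UDP or TCP, which is all this lab needs, and it reports raw rather than relative sequence numbers.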

Recommendation

I personally recommend that network and security professionals use Wireshark in order to understand the root cause of a problem.