To start capturing packets, you can click on the name of an interface from the list of interfaces. For example, if you want to capture traffic on your Ethernet network, double-click on the Ethernet connection interface:
As soon as you click on the name of the interface, you will see that the packages start to appear in real time. Wireshark captures every packet that's sent to or from your network traffic. You will see random flooding of data in the Wireshark dashboard. There are many ways to filter traffic:
- To filter traffic from any specific IP address, type ip.addr == 'xxx.xx.xx.xx' in the Apply a display filter field
- To filter traffic for a specific protocol, say, TCP, UDP, SMTP, ARP, and DNS requests, just type the protocol name into the Apply a display filter field
We can use the Apply a display filter box to filter traffic from any IP address or protocol:
The graphical interface of Wireshark is mainly divided into the following sections:
- The toolbar, where you have all the options that you can perform on the pre and post capture
- The main toolbar, where you have the most frequently used options in Wireshark
- The filter bar, where you can apply filters to the current capture quickly
- The list of packages, which shows a summary of each package that is captured by Wireshark
- The panel of details of packages that, once you have selected a package in the list of packages, shows detailed information of the same
- The packet byte panel, which shows the bytes of the selected packet, and highlights the bytes corresponding to the field that's selected in the packet details panel
- The status bar, which shows some information about the current state of Wireshark and the capture