What is the difference between capture filters and display filters in Wireshark?

Capture filters (BPF syntax) limit which packets Wireshark records to disk, reducing file size. Display filters (Wireshark syntax) hide packets from view without deleting them. Use capture filters when you know what traffic you need beforehand. Use display filters for interactive analysis after capture.

How do I capture packets on a remote server with Wireshark?

Use tcpdump on the remote server to capture to a file, then transfer it to your workstation and open in Wireshark. Example: ssh user@server 'sudo tcpdump -i eth0 -w -' | wireshark -k -i - streams packets directly to Wireshark over SSH in real time.

Can Wireshark capture encrypted HTTPS traffic?

Wireshark captures the encrypted packets but cannot read the payload without the session keys. Set the SSLKEYLOGFILE environment variable in your browser to export session keys, then configure Wireshark to use that file under Preferences > Protocols > TLS. This only works for your own browser sessions.

Why does Wireshark show TCP retransmissions and what do they mean?

TCP retransmissions appear when a sender does not receive an ACK within the expected timeout. Common causes include network congestion, packet loss, or a slow receiver. A small percentage is normal. Sustained retransmissions above 1-2% indicate a network path issue that needs investigation.

Wireshark: Network Protocol Analysis Guide

Wireshark network analysis gives you complete visibility into what is happening on your network at the packet level. When applications fail to connect, performance degrades mysteriously, or you need to verify that traffic is flowing as expected, Wireshark captures every packet and lets you drill down into protocol details that no other tool exposes. This guide covers practical Wireshark usage from installation through advanced filtering and real-world troubleshooting scenarios that network engineers and sysadmins encounter daily.

Prerequisites

A workstation running Linux, macOS, or Windows (Wireshark runs on all three)
Administrative or root access for packet capture (or membership in the wireshark group on Linux)
Basic understanding of TCP/IP networking (IP addresses, ports, protocols)
A network interface to capture on (Ethernet, Wi-Fi, or loopback)

Installing Wireshark

Linux

# Debian / Ubuntu
sudo apt install wireshark
# During installation, select "Yes" to allow non-root users to capture packets

# If you missed the prompt, reconfigure:
sudo dpkg-reconfigure wireshark-common
sudo usermod -aG wireshark $USER
# Log out and back in for group membership to take effect

# RHEL / Fedora
sudo dnf install wireshark wireshark-cli

# Arch Linux
sudo pacman -S wireshark-qt

On Linux, the wireshark group grants access to the capture interface. Without it, you must run Wireshark as root — which is a security risk and not recommended.

macOS

# Using Homebrew
brew install --cask wireshark

Or download from the official site. macOS requires the ChmodBPF helper to capture without root.

Windows

Download the installer from the Wireshark website. The installer includes Npcap (the Windows packet capture driver). Accept the Npcap defaults during installation.

Command-Line Alternative: tshark

Wireshark includes tshark, its command-line counterpart, which is useful for remote servers and scripting:

# Capture 100 packets on eth0
tshark -i eth0 -c 100

# Capture with a display filter
tshark -i eth0 -Y "http.request" -c 50

# Read a capture file
tshark -r capture.pcapng -Y "dns"

Capturing Network Traffic

Starting a Basic Capture

Launch Wireshark and you see a list of available network interfaces with sparkline graphs showing activity. Double-click an interface to start capturing immediately.

From the command line:

# List available interfaces
tshark -D

# Start capture on a specific interface
tshark -i eth0

# Capture to a file
tshark -i eth0 -w /tmp/capture.pcapng

# Capture with a ring buffer (5 files, 100MB each)
tshark -i eth0 -b filesize:102400 -b files:5 -w /tmp/rolling.pcapng

The ring buffer is essential for long-running captures on production systems. It prevents disk space exhaustion by overwriting the oldest file when the limit is reached.

Capture Filters (BPF Syntax)

Capture filters use Berkeley Packet Filter (BPF) syntax — the same syntax as tcpdump. They are applied before packets reach Wireshark, reducing the capture file size.

# Capture only traffic to/from a specific host
host 192.168.1.100

# Capture only HTTP and HTTPS traffic
port 80 or port 443

# Capture traffic between two specific hosts
host 10.0.0.1 and host 10.0.0.2

# Capture only TCP SYN packets (new connections)
tcp[tcpflags] & (tcp-syn) != 0 and tcp[tcpflags] & (tcp-ack) == 0

# Capture only DNS traffic
port 53

# Capture traffic on a specific subnet
net 192.168.1.0/24

# Exclude SSH traffic (useful when capturing on a remote server)
not port 22

Set capture filters in Wireshark’s capture options dialog (Ctrl+K) or with tshark’s -f flag:

tshark -i eth0 -f "host 192.168.1.100 and port 443" -w /tmp/https_traffic.pcapng

Critical rule: Always set a capture filter when capturing on busy networks. An unfiltered capture on a gigabit link can generate hundreds of megabytes per minute.

Capture Permissions and Security

# Verify your user is in the wireshark group (Linux)
groups $USER | grep wireshark

# Check capture capabilities
getcap /usr/bin/dumpcap
# Should show: /usr/bin/dumpcap cap_net_admin,cap_net_raw=eip

Never run Wireshark as root. The GUI parses complex protocol data and any parser vulnerability becomes a root exploit. Instead, dumpcap (the actual capture binary) runs with elevated capabilities while the GUI runs as your normal user.

Display Filters — Finding What Matters

Display filters are Wireshark’s most powerful feature. Unlike capture filters, they work after capture and can filter on any protocol field Wireshark understands — hundreds of protocols with thousands of fields.

Essential Display Filters

# Filter by IP address
ip.addr == 192.168.1.100
ip.src == 10.0.0.1
ip.dst == 10.0.0.2

# Filter by port
tcp.port == 443
udp.port == 53

# Filter by protocol
http
dns
tls
tcp
arp
icmp

# HTTP requests only
http.request

# HTTP responses with specific status codes
http.response.code == 404
http.response.code >= 500

# DNS queries for a specific domain
dns.qry.name contains "example.com"

# TCP connection problems
tcp.analysis.retransmission
tcp.analysis.duplicate_ack
tcp.analysis.zero_window
tcp.analysis.reset

# TLS handshake packets
tls.handshake.type == 1    # Client Hello
tls.handshake.type == 2    # Server Hello

# Filter by packet size
frame.len > 1400
frame.len < 64

# Combine filters with logic operators
ip.addr == 192.168.1.100 and tcp.port == 80
dns or http
not arp and not icmp
(ip.src == 10.0.0.1 or ip.src == 10.0.0.2) and tcp.port == 443

Display Filters vs Capture Filters

Aspect	Capture Filters	Display Filters
Syntax	BPF (`host`, `port`, `net`)	Wireshark (`ip.addr`, `tcp.port`)
When applied	Before capture starts	After capture, in real time
Effect on file	Reduces file size	No effect (hides packets from view)
Protocol depth	Layer 2-4 only	All protocol layers
Can be changed	Only by restarting capture	Anytime during analysis
Performance	Filters in kernel (fast)	Filters in userspace (slower)
Use when	You know exactly what to capture	Exploring or analyzing a capture

Practical advice: Use a broad capture filter (e.g., host 192.168.1.100) to keep file size manageable, then use display filters to drill into specific protocols during analysis.

Analyzing Common Protocols

Following TCP Streams

One of Wireshark’s most useful features is reconstructing TCP conversations:

Find a packet belonging to the conversation you want
Right-click → Follow → TCP Stream
Wireshark shows the complete conversation with client data in one color and server data in another

This is invaluable for debugging HTTP APIs, SMTP sessions, database queries, and any text-based protocol. For encrypted traffic (TLS), you see the handshake but the payload is encrypted unless you provide session keys.

# Export a specific TCP stream with tshark
tshark -r capture.pcapng -q -z follow,tcp,ascii,0

Analyzing DNS Traffic

DNS issues cause some of the most confusing network problems. Filter and examine DNS:

# All DNS traffic
dns

# Only DNS queries (no responses)
dns.flags.response == 0

# DNS responses with errors
dns.flags.rcode != 0

# Queries for a specific domain
dns.qry.name == "api.example.com"

# Find NXDOMAIN responses (domain does not exist)
dns.flags.rcode == 3

Real-World Scenario: Diagnosing Slow Application Performance

You have a web application that intermittently takes 5+ seconds to respond. Server-side metrics show fast processing times. The problem is in the network.

Capture traffic between the client and server:

tshark -i eth0 -f "host 10.0.0.50 and port 443" -w /tmp/slow_app.pcapng

Reproduce the slow request from the client.

Open in Wireshark and apply filters:

tcp.analysis.retransmission or tcp.analysis.duplicate_ack

Check the TCP handshake time — if the SYN-SYN/ACK takes 200ms+, you have a routing or distance issue.
Look at time between packets — if the server sends data quickly but there are long gaps between client ACKs, the client network is congested.
Check for TCP window scaling issues:
```
tcp.analysis.zero_window
```
Zero window events mean the receiver’s buffer is full — the application is not reading data fast enough.

The answer often turns out to be: retransmissions on a lossy Wi-Fi link, DNS resolution delays, or a TLS handshake that includes a slow OCSP check.

Advanced Wireshark Features

IO Graphs

Wireshark’s IO Graphs (Statistics → IO Graphs) visualize traffic patterns over time. Create multiple graph lines for different filters:

Line 1: All traffic (frame)
Line 2: Retransmissions (tcp.analysis.retransmission)
Line 3: HTTP errors (http.response.code >= 400)

Spikes in retransmissions that correlate with traffic peaks reveal congestion. A steady trickle of retransmissions suggests a physical layer issue (bad cable, interference).

Expert Information

Navigate to Analyze → Expert Information for Wireshark’s automated diagnosis. It categorizes issues into:

Errors (red): malformed packets, checksum failures
Warnings (yellow): retransmissions, out-of-order segments, zero windows
Notes (cyan): duplicate ACKs, keep-alives
Chats (blue): normal protocol events (connection setup, HTTP requests)

Start your analysis here. If Expert Information shows hundreds of warnings, focus on those before diving into individual packets.

Decrypting TLS Traffic

To inspect HTTPS content in Wireshark:

# Set the environment variable before launching your browser
export SSLKEYLOGFILE=~/sslkeys.log
google-chrome &
# or
firefox &

In Wireshark: Edit → Preferences → Protocols → TLS → (Pre)-Master-Secret log filename → select ~/sslkeys.log.

Now Wireshark decrypts TLS traffic from that browser session. You see full HTTP/2 requests, headers, and response bodies. This only works for traffic from your own browser using that key log — you cannot decrypt other people’s traffic.

Statistics and Conversations

Wireshark provides extensive statistical views:

Statistics → Conversations: shows all communication pairs with packet counts and bytes
Statistics → Protocol Hierarchy: breakdown of traffic by protocol percentage
Statistics → Endpoints: lists all IP addresses with traffic volume
Statistics → HTTP → Requests: all HTTP requests sorted by URI

These views help you quickly understand the shape of a capture without manually scrolling through packets.

Comparing Wireshark with Network Analysis Alternatives

Feature	Wireshark (GUI)	tshark (CLI)	tcpdump	ngrep
Protocol decoders	3000+	3000+	Basic	Basic
GUI visualization	Yes	No	No	No
Display filters	Full Wireshark syntax	Full Wireshark syntax	BPF only	Regex on payload
Follow streams	Yes (TCP, UDP, TLS)	Yes	No	Partial
Runs on servers	Requires X11/VNC	Yes	Yes	Yes
Real-time capture	Yes	Yes	Yes	Yes
Read pcap files	Yes	Yes	Yes	Yes
Best for	Deep interactive analysis	Scripted analysis, remote	Quick capture, minimal install	Grep-style packet search

Use Wireshark for detailed interactive protocol analysis on your workstation. Use tshark for scripted analysis and remote captures. Use tcpdump when Wireshark is not installed and you need a quick capture. The three tools share the same pcap file format, so capture with one and analyze with another.

Troubleshooting Wireshark Issues

”No interfaces found” on Linux

# Check if dumpcap has the right capabilities
sudo setcap cap_net_admin,cap_net_raw=eip /usr/bin/dumpcap

# Verify your user is in the wireshark group
groups $USER

# If you just added yourself, log out and back in
# Or start a new session:
newgrp wireshark

Capture drops packets on high-speed links

# Increase the capture buffer (default is often too small)
# In Wireshark: Capture Options → Buffer size → set to 256 MB
# With tshark:
tshark -i eth0 -B 256 -w /tmp/capture.pcapng

# Use a capture filter to reduce volume
tshark -i eth0 -f "port 443" -B 256 -w /tmp/https_only.pcapng

If you still drop packets, use dumpcap directly (less overhead than tshark) or switch to a dedicated capture appliance for sustained high-speed capture.

Large capture files are slow to open

# Split a large capture into smaller files
editcap -c 100000 large_capture.pcapng split_capture.pcapng

# Use tshark to pre-filter and create a smaller file
tshark -r large_capture.pcapng -Y "http" -w http_only.pcapng

# Merge multiple capture files
mergecap -w merged.pcapng file1.pcapng file2.pcapng

Wireshark shows checksum errors everywhere

Modern NICs offload checksum calculation to hardware. Wireshark captures packets before the NIC adds checksums, so they appear invalid. Disable checksum verification:

Edit → Preferences → Protocols → TCP → uncheck “Validate the TCP checksum if possible”

Do the same for IPv4, UDP, and other protocols. This is cosmetic — your actual network traffic has correct checksums.

Gotchas and Edge Cases

Capturing on the wrong interface: On a machine with multiple NICs, you might capture on the management interface while the application traffic flows through a different interface. Use ip route get <destination> to verify which interface handles traffic to your target.

Promiscuous mode vs normal mode: By default, Wireshark enables promiscuous mode, capturing all packets the NIC sees (not just those addressed to your machine). On a switched network, you only see your own traffic and broadcast/multicast unless you configure port mirroring on the switch.

WiFi capture limitations: On Wi-Fi, you only see traffic to and from your own machine unless you use monitor mode, which requires a compatible adapter and disables your normal Wi-Fi connection.

Packet timestamps: Wireshark uses the capture machine’s clock for timestamps. If you compare captures from two machines, ensure their clocks are synchronized (NTP). Even a few hundred milliseconds of drift makes correlating events between captures misleading.

VLAN tags: If your capture interface is a VLAN sub-interface (e.g., eth0.100), the VLAN tags are stripped before Wireshark sees them. Capture on the parent interface (eth0) to see VLAN tags.

Summary

Wireshark captures and decodes 3000+ protocols — it is the definitive tool for understanding what is happening on your network at the packet level
Capture filters (BPF syntax) reduce file size by filtering before recording — always use them on busy networks to keep captures manageable
Display filters (Wireshark syntax) let you interactively drill into any protocol field — master ip.addr, tcp.port, tcp.analysis.*, and dns.qry.name for the most common troubleshooting
Follow TCP Stream reconstructs complete conversations between endpoints — essential for debugging API calls, authentication flows, and protocol errors
Expert Information and IO Graphs provide automated diagnosis and traffic visualization — start here before diving into individual packets
TLS decryption works with SSLKEYLOGFILE for your own browser traffic — invaluable for debugging HTTPS issues without a proxy