Meet Wireshark: Packets, Sniffers & Analyzers
Some tools cannot live in a terminal, and Wireshark is the classic example: it is a graphical tool for seeing network traffic. So alongside this lesson you have a Packet Lab: a small captured session you can read and filter, exactly like Wireshark's packet list.
What Wireshark is
Wireshark captures and analyzes the data packets flying between your device and the network.
Three words to anchor:
- Packet, one unit of data on the network (an envelope with addresses and contents).
- Sniffer, something that captures packets off the wire.
- Analyzer, something that decodes and explains those packets so a human can read them.
Wireshark is both a sniffer and an analyzer.
Reading the packet list
Look at the Packet Lab on the right. Each row is one packet, with columns:
No. Time Source Destination Protocol Length Info
- Source / Destination, who sent it and who receives it (IP addresses).
- Protocol, e.g. DNS, TCP, TLS, HTTP, ICMP, ARP, colour-coded just like Wireshark.
- Info, a human summary, e.g. "Standard query A google.com" or "51515 → 443 [SYN]".
Scan the first rows: you will see an ARP lookup, then a DNS query and response, then a TCP handshake ([SYN], [SYN, ACK], [ACK]), then TLS. That is the request journey from earlier, captured packet by packet.
East-west vs north-south
Two directions describe where traffic flows:
- North-south, data flowing in and out of the network. Example: your browser (a client) talking to a web server on the internet.
- East-west, server-to-server traffic inside a network. Example: a database backup, or microservices calling each other.
Why it matters: defenders watch north-south at the perimeter, but a breach often spreads east-west, quietly, between internal hosts, which is why segmentation (two lessons back) exists.
Try it
In the Packet Lab, type dns to isolate the name lookups, then tcp to see the connections. You are doing real traffic analysis, just without installing anything. The next lesson is all about those filters.
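Here is an added, worked example (not part of the lesson or of Wireshark itself) that rebuilds the Packet Lab as a small, constructed packet list and does the two things the lesson talks about: filter rows the way Wireshark's display filter does (`dns`, `tcp`, `ip.addr == ...`), spot the complete SYN / SYN, ACK / ACK handshake, and sort each row into north-south or east-west. The rows, addresses and ports are made up (203.0.113.0/24 is a documentation range), and "inside the network" is assumed to mean RFC 1918 private space. One caveat it makes visible: a `tcp` filter also matches the TLS row, because that packet still contains a TCP layer even though the Protocol column shows TLS.

```python
"""Constructed Packet Lab: filter, handshake check and traffic direction (added example)."""
from collections import Counter
from dataclasses import dataclass
import ipaddress
import re

# The Protocol column shows the top-most decoded layer, but a display filter such as
# `tcp` matches every packet that *contains* a TCP layer, so TLS and HTTP rows match too.
LAYERS = {
    "ARP": ("eth", "arp"),
    "DNS": ("eth", "ip", "udp", "dns"),
    "TCP": ("eth", "ip", "tcp"),
    "TLS": ("eth", "ip", "tcp", "tls"),
    "HTTP": ("eth", "ip", "tcp", "http"),
    "ICMP": ("eth", "ip", "icmp"),
}


@dataclass(frozen=True)
class Packet:
    no: int
    time: float
    src: str
    dst: str
    proto: str
    length: int
    info: str

    @property
    def layers(self):
        return LAYERS[self.proto]


# Constructed sample capture (not a real trace): ARP lookup, DNS query and response,
# TCP handshake, TLS Client Hello, then one internal connection to a database port.
CAPTURE = [
    Packet(1, 0.000, "10.0.0.5", "Broadcast", "ARP", 42, "Who has 10.0.0.1? Tell 10.0.0.5"),
    Packet(2, 0.001, "10.0.0.1", "10.0.0.5", "ARP", 60, "10.0.0.1 is at aa:bb:cc:dd:ee:01"),
    Packet(3, 0.002, "10.0.0.5", "10.0.0.53", "DNS", 74, "Standard query A google.com"),
    Packet(4, 0.020, "10.0.0.53", "10.0.0.5", "DNS", 90, "Standard query response A 203.0.113.10"),
    Packet(5, 0.021, "10.0.0.5", "203.0.113.10", "TCP", 74, "51515 → 443 [SYN]"),
    Packet(6, 0.040, "203.0.113.10", "10.0.0.5", "TCP", 74, "443 → 51515 [SYN, ACK]"),
    Packet(7, 0.040, "10.0.0.5", "203.0.113.10", "TCP", 66, "51515 → 443 [ACK]"),
    Packet(8, 0.041, "10.0.0.5", "203.0.113.10", "TLS", 583, "Client Hello"),
    Packet(9, 0.500, "10.0.0.20", "10.0.0.30", "TCP", 74, "40000 → 5432 [SYN]"),
]


def display_filter(packets, expr):
    """Tiny subset of Wireshark's display-filter syntax: bare protocol names
    (`dns`, `tcp`) and `ip.addr == A.B.C.D`, combined with `&&`."""
    terms = [t.strip() for t in expr.split("&&")]

    def matches(pkt):
        for term in terms:
            m = re.fullmatch(r"ip\.addr\s*==\s*(\S+)", term)
            if m:
                if m.group(1) not in (pkt.src, pkt.dst):
                    return False
            elif term.lower() not in pkt.layers:
                return False
        return True

    return [p for p in packets if matches(p)]


FLAGS_RE = re.compile(r"(\d+) → (\d+) \[([A-Z, ]+)\]")


def completed_handshakes(packets):
    """Return (client, server, server_port) for every SYN -> SYN,ACK -> ACK triple,
    matched per connection so an unanswered SYN (row 9) is not counted."""
    stage = {}  # (client, server, client_port, server_port) -> last flag seen
    done = []
    for p in packets:
        m = FLAGS_RE.fullmatch(p.info) if "tcp" in p.layers else None
        if not m:
            continue
        sport, dport, flags = int(m.group(1)), int(m.group(2)), m.group(3)
        if flags == "SYN":
            stage[(p.src, p.dst, sport, dport)] = "SYN"
        elif flags == "SYN, ACK":
            key = (p.dst, p.src, dport, sport)  # reversed: the server answers the client
            if stage.get(key) == "SYN":
                stage[key] = "SYN,ACK"
        elif flags == "ACK":
            key = (p.src, p.dst, sport, dport)
            if stage.get(key) == "SYN,ACK":
                stage.pop(key)
                done.append((p.src, p.dst, dport))
    return done


# Assumption: "inside the network" means RFC 1918 private space.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def direction(pkt):
    """east-west: both ends internal; north-south: exactly one end internal;
    n/a: no IP layer (ARP rows carry MAC-level addressing)."""
    if "ip" not in pkt.layers:
        return "n/a"
    inside = [any(ipaddress.ip_address(a) in n for n in INTERNAL) for a in (pkt.src, pkt.dst)]
    if all(inside):
        return "east-west"
    return "north-south" if any(inside) else "external"


def direction_summary(packets):
    return dict(Counter(direction(p) for p in packets))


if __name__ == "__main__":
    for p in display_filter(CAPTURE, "tcp"):
        print(f"{p.no:>3} {p.time:7.3f} {p.src:>14} {p.dst:>14} {p.proto:<4} {p.length:>4} {p.info}")
    print("handshakes:", completed_handshakes(CAPTURE))
    print("directions:", direction_summary(CAPTURE))
```

Note what the direction summary shows: the DNS lookup to the internal resolver (rows 3 and 4) is east-west, not north-south, even though it is part of the browser's trip to the internet. Only the connection to the web server itself crosses the perimeter.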