Wireshark — Install, Use, Optimise (2026)

Manish Garg
Manish Garg Associate of (ISC)² · RingSafe
Apr 29, 2026
2 min read

The reference network protocol analyser — captures, dissects, and visualises traffic across 3000+ protocols.

Use case: Network Analysis
Difficulty: Intermediate
Homepage: https://www.wireshark.org

Installation

Pick the install method that matches your stack. The Docker option is the cleanest for one-off scans where you don’t want to pollute your workstation.

Linux (apt)

sudo apt install wireshark; sudo usermod -aG wireshark $USER

macOS (brew)

brew install --cask wireshark

Windows

Download installer from wireshark.org

Core commands

The handful of invocations you’ll actually run on 90% of engagements:

CLI capture (tshark)

sudo tshark -i eth0 -f "port 80" -w cap.pcap

Read pcap, extract HTTP requests

tshark -r cap.pcap -Y http.request -T fields -e http.host -e http.request.uri

Decrypt TLS (with key log)

export SSLKEYLOGFILE=/tmp/sslkeys.log; then launch the browser from that same shell (chrome ...) so it inherits the variable; then in Wireshark: Edit→Preferences→Protocols→TLS→(Pre)-Master-Secret log filename, pointing at /tmp/sslkeys.log

Statistics (conversations, IO, expert)

Statistics menu — Conversations, I/O Graph, Expert Information

Follow TCP stream

Right-click any packet → Follow → TCP Stream

Performance optimisation

What separates a junior who runs the default invocation from a practitioner who knows the knobs:

  • GUI: dissection is single-threaded. Files >2GB lag badly. Split with editcap -c 100000 big.pcap split.pcap (100000 packets per output file).
  • tshark CLI is much faster than the GUI for large files. Use it for searches/filters; use the GUI only for visual inspection.
  • Capture filters (BPF, -f) drop packets in the kernel before they reach user space — a must-use on high-traffic interfaces.
  • Display filters (-Y) drop packets after capture — use them for refining a recorded pcap.
  • Use dumpcap directly for 10Gbps+ — it bypasses the Wireshark UI overhead.
  • Pre-filter at source: tcpdump -i eth0 -G 3600 -W 24 -w cap_%H.pcap "port 443" rotates pcaps hourly (-G is in seconds) and keeps 24 files.

Common pitfalls

Real failure modes that bite people on engagements. Most are recoverable; a few are reputation-damaging.

  • Capturing without a filter on a busy server fills the disk fast. Always set a ring buffer: -b filesize:100000 -b files:10 (filesize is in kB, so 10 files of roughly 100 MB).
  • TLS decryption requires the SSLKEYLOGFILE — capturing only ciphertext is useless.
  • Privilege creep: usermod adds you to the wireshark group, but you must log out and back in for it to take effect.
  • Promiscuous mode alone is not enough on a switched network: the interface only sees its own and broadcast traffic unless it is on a SPAN/mirror port, a TAP, or a hub.

Modern alternatives in 2026

The ecosystem moves fast. These are tools you should at least be aware of:

  • tcpdump — pure CLI capture, lightweight.
  • Zeek (formerly Bro) — IDS / network analysis at scale.
  • Brim / Zui — Wireshark replacement with Zeek-style logs.

India context and engagement notes

In incident response (CERT-In timelines): pcap evidence is best collected at egress points BEFORE forwarding to investigators. Hash the file (sha256sum) for chain-of-custody and store it on WORM media. Wireshark is the analysis tool — capture should be tcpdump on production gear.
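As an added example (not from the original post), a small POSIX shell helper for the chain-of-custody step above: it seals an already-captured pcap with a sha256 manifest and lets you re-verify the file before handing it over. The manifest layout and the function names are my own assumptions; the pcap is assumed to have been written by tcpdump or dumpcap beforehand.

```shell
#!/bin/sh
# Added example: seal a captured pcap for chain-of-custody and verify it later.
# Manifest format (file, size, sha256, collector, timestamp) is an assumed convention.

sha256_of() {
    # Portable SHA-256: coreutils sha256sum on Linux, shasum on macOS/BSD.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# seal_pcap <pcap> <collector>: writes <pcap>.manifest, makes the pcap read-only,
# and prints the sha256 so it can be recorded in the incident ticket.
seal_pcap() {
    pcap=$1; collector=$2
    [ -f "$pcap" ] || { echo "no such file: $pcap" >&2; return 2; }
    digest=$(sha256_of "$pcap")
    size=$(wc -c < "$pcap" | tr -d ' ')
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf 'file=%s\nsize=%s\nsha256=%s\ncollected_by=%s\ncollected_at=%s\n' \
        "$(basename "$pcap")" "$size" "$digest" "$collector" "$stamp" > "$pcap.manifest"
    chmod 0444 "$pcap"    # read-only on disk; WORM media remains the real control
    echo "$digest"
}

# verify_pcap <pcap>: exit 0 if the hash still matches the manifest,
# 1 if the file was altered, 2 if there is no manifest to check against.
verify_pcap() {
    pcap=$1
    [ -f "$pcap.manifest" ] || return 2
    expected=$(sed -n 's/^sha256=//p' "$pcap.manifest")
    actual=$(sha256_of "$pcap")
    [ "$expected" = "$actual" ]
}
```

Run verify_pcap again at every hand-off (collector to investigator to storage); a non-zero exit means the evidence can no longer be tied to the original capture.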


⚖️ Legal: Use only on systems you own or have explicit written authorisation to test. In India, unauthorised access is punishable under Section 66 of the IT Act, 2000 (up to 3 years imprisonment + fine). Pair every engagement with a signed Statement of Work or Rules of Engagement before running anything from this page.
