Wireshark is a free, open-source network protocol analyzer that captures and displays packet data in real time. It operates at the packet level, dissecting traffic across all OSI layers with over 500 protocol dissectors that decode everything from Ethernet frames to application-layer protocols such as HTTP, DNS, and TLS. It runs on Windows, macOS, Linux, and other Unix-like systems, using libpcap (Linux/macOS/Unix), Npcap (Windows), or WinPcap (legacy Windows) to receive a copy of each frame from the interface through the kernel's packet capture facility, independently of whatever the operating system's own network stack does with it. Its display filter engine, combined with a two-pass analysis mode, supports retrospective filtering, reassembly of IP fragments and TCP streams, and decryption of TLS and other encrypted sessions when the keys are supplied, which makes it indispensable for troubleshooting network performance, diagnosing protocol issues, and analyzing security incidents.
What This Cheat Sheet Covers
This topic spans 20 focused tables and 145 indexed concepts. Below is a complete table-by-table outline of this topic, spanning foundational concepts through advanced details.
Table 1: Capture Modes
Before you see a single packet, your network card decides how much of the surrounding traffic it will hand over. The mode you pick determines whether you see only your own conversations, everything sharing the segment, or even raw wireless frames from networks you haven't joined, and getting this wrong is the most common reason a capture looks emptier than expected. Two caveats: on a switched network, promiscuous mode only reveals what the switch forwards to your port, so seeing other hosts' unicast traffic still requires a SPAN/mirror port or a tap; and both modes need capture privileges (root, or on Linux a dumpcap binary granted cap_net_raw and cap_net_admin).
| Mode | Example | Description |
|---|---|---|
| Promiscuous mode | Enable via the Capture Options checkbox (on by default) | Captures all packets on the network segment, not just those destined for your interface. Requires network card support. Shows broadcast, multicast, and unicast traffic. |
| Monitor mode | 802.11 wireless capture; enable via the Capture Options checkbox or `tshark`/`dumpcap -I` | Captures all 802.11 frames, including management, control, and data frames, without association to an access point. Requires a compatible wireless adapter. Wi-Fi only, not Ethernet. |
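As an added example (not part of the original cheat sheet), the following bash script picks the `dumpcap` flags for each mode in Table 1 and, before starting the capture, verifies that the interface actually entered the requested mode, since an interface that silently stayed in normal mode is the usual cause of an unexpectedly empty capture. It assumes Linux with `dumpcap` (shipped with Wireshark), iproute2 (`ip`) and, for monitor mode, `iw` installed; the interface names `eth0` and `wlan0` and the output file names are placeholders.

```bash
#!/usr/bin/env bash
# Pre-flight check and capture launcher for the capture modes in Table 1.
# Added example, not code from the Wireshark project. Assumes Linux with
# dumpcap, ip (iproute2) and iw; eth0/wlan0 are placeholder interface names.
# Needs root, or a dumpcap with cap_net_raw,cap_net_admin, to actually capture.
set -eu

# Build the dumpcap command line for a mode. dumpcap captures in promiscuous
# mode by default; -p turns that off, -I requests 802.11 monitor mode.
capture_cmd() {
    mode=$1 iface=$2 outfile=$3
    case "$mode" in
        normal)      echo "dumpcap -i $iface -p -w $outfile" ;;
        promiscuous) echo "dumpcap -i $iface -w $outfile" ;;
        monitor)     echo "dumpcap -i $iface -I -w $outfile" ;;
        *) echo "unknown mode: $mode" >&2; return 2 ;;
    esac
}

# /sys/class/net/<iface>/flags is a hex bitmask of IFF_* flags; IFF_PROMISC
# is 0x100. Takes the raw value so it can be checked without a live interface.
flags_have_promisc() {
    flags=$1
    [ $(( flags & 0x100 )) -ne 0 ]
}

# Is the interface currently in promiscuous mode?
iface_is_promisc() {
    flags_have_promisc "$(cat "/sys/class/net/$1/flags")"
}

# Is the wireless interface in monitor mode? iw reports "type monitor".
iface_is_monitor() {
    iw dev "$1" info 2>/dev/null | grep -q 'type monitor'
}

# Put the interface into the requested mode, confirm it took effect, then
# run dumpcap. Monitor mode is set explicitly with iw (dumpcap -I can also
# request it via libpcap) so the mode can be verified before capturing.
run_capture() {
    mode=$1 iface=$2 outfile=$3
    [ -e "/sys/class/net/$iface" ] || { echo "no such interface: $iface" >&2; return 1; }
    case "$mode" in
        promiscuous)
            ip link set dev "$iface" promisc on
            iface_is_promisc "$iface" || { echo "$iface refused promiscuous mode" >&2; return 1; }
            ;;
        monitor)
            ip link set dev "$iface" down
            iw dev "$iface" set type monitor
            ip link set dev "$iface" up
            iface_is_monitor "$iface" || { echo "$iface does not support monitor mode" >&2; return 1; }
            ;;
    esac
    cmd=$(capture_cmd "$mode" "$iface" "$outfile")
    echo "running: $cmd"
    $cmd
}

# Usage: ./capture.sh promiscuous eth0 segment.pcapng
#        ./capture.sh monitor wlan0 air.pcapng
if [ $# -gt 0 ]; then
    run_capture "$@"
fi
```

If the promiscuous check fails on a VM or a managed NIC, the driver or hypervisor is refusing the mode (on VMware/VirtualBox this is a per-vNIC policy setting); if the monitor check fails, the wireless driver does not expose a monitor interface and a different adapter is needed. Remember that on a switched segment a successful promiscuous capture still only shows what the switch sends to your port.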