Week 11

Introduction to Wireshark and Network Traffic Observation

Use Wireshark to capture and observe network traffic in an approved lab environment.

Lesson recap

Wireshark turns the invisible visible. Every packet on the wire, every DNS lookup, every ARP request — you see it all. That's also why running Wireshark on a network you don't own is a serious problem (legally and ethically). In this lab you'll capture traffic on a network you control, generate some pings, and use display filters to find your packets in the storm. The 'aha' moment is when you watch ICMP echo request → echo reply with your own eyes. After that, ping is no longer magic.

Learning goals

  • Explain Wireshark and packet capture
  • Identify a network interface
  • Start and stop a capture
  • Apply a display filter
  • Inspect a single packet
  • Use packet captures as troubleshooting evidence

Key terms

Wireshark

A network protocol analyzer for capturing and inspecting traffic.

Packet Capture (pcap)

A recording of network traffic, usually saved as a .pcap or .pcapng file.

Capture Filter

Filter applied while capturing — packets that don't match are discarded.

Display Filter

Filter applied after capture — narrows what's visible without losing data.

ICMP

The protocol used by ping (echo request / echo reply).

ARP

Resolves IP addresses to MAC addresses on a LAN.

Promiscuous Mode

NIC mode that captures all frames on the wire, not just ones addressed to it.

Curated videos

  • Learn Wireshark in 10 Minutes — Tutorial for Beginners (Vinsloev Academy)
  • Learn Wireshark! Tutorial for Beginners (Chris Greer)
  • How to Filter Traffic — Wireshark Lesson 5 (Chris Greer)

Commands

icmp
arp
ip.addr == 192.168.1.10
http
dns
tcp.port == 443
ip.addr == 192.168.1.10 and tcp.port == 80

Checkpoint checklist

  • Wireshark interfaces identified
  • Basic capture completed
  • Generated ping traffic
  • Used display filter (icmp)
  • Inspected one packet
  • Capture file saved only if instructed
  • Saved required evidence
  • Answered the reflection questions

Pro tips from the instructor

  • ONLY capture on networks you own or have written permission to capture. School Wi-Fi is not one of them.
  • Capture filters use BPF syntax (`tcp port 80`); display filters use Wireshark syntax (`tcp.port == 80`). They are NOT the same.
  • Right-click a packet → Follow → TCP Stream to reconstruct an entire conversation.
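As an added example (not part of the course materials), the script below builds a constructed pcap containing an ARP request and an ICMP echo request/reply pair, dissects each frame the way Wireshark's Packet Details pane would, and then applies a tiny subset of the display-filter syntax listed under Commands (bare protocol names, `ip.addr == X`, `field == value`, joined by `and`). The MAC addresses, the 192.168.1.x addresses and the zeroed checksums are made-up sample values; this is a teaching toy, not Wireshark's own filter engine.

```python
import socket
import struct

def icmp_frame(src_ip, dst_ip, icmp_type):  # Ethernet/IPv4/ICMP; checksums left at 0
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + b"abcdefghijklmnopqrstuvwabcdefghi"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 1, 0, 64, 1, 0,  # proto 1 = ICMP
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + icmp  # dst MAC, src MAC, EtherType

def arp_request_frame():  # broadcast ARP request; hardware/protocol addresses zeroed
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)  # Ethernet, IPv4, opcode 1 = request
    return b"\xff" * 6 + b"\xbb" * 6 + b"\x08\x06" + arp + b"\x00" * 20

def build_pcap(frames):  # classic little-endian pcap file, linktype 1 = Ethernet
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, i, len(f), len(f)) + f for i, f in enumerate(frames))

def example_capture():  # constructed sample, not a real capture: ARP request, then a ping
    return build_pcap([arp_request_frame(), icmp_frame("192.168.1.10", "192.168.1.1", 8),
                       icmp_frame("192.168.1.1", "192.168.1.10", 0)])

def dissect(frame):  # decode just enough Ethernet/ARP/IPv4/ICMP to fill filterable fields
    info = {"proto": "eth"}
    if frame[12:14] == b"\x08\x06":
        info["proto"], info["arp.opcode"] = "arp", struct.unpack("!H", frame[20:22])[0]
    elif frame[12:14] == b"\x08\x00":
        ihl = (frame[14] & 0x0F) * 4
        info["ip.src"], info["ip.dst"] = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        if frame[23] == 1:  # IP protocol 1 = ICMP; type 8 = echo request, 0 = echo reply
            info["proto"], info["icmp.type"] = "icmp", frame[14 + ihl]
    return info

def read_pcap(data):
    pkts, off = [], 24  # skip the 24-byte global header, then walk 16-byte record headers
    while off < len(data):
        incl_len = struct.unpack("<I", data[off + 8:off + 12])[0]
        pkts.append(dissect(data[off + 16:off + 16 + incl_len]))
        off += 16 + incl_len
    return pkts

def display_filter(pkts, expr):
    """Tiny subset of display-filter syntax: protocol name, 'field == value', joined by 'and'."""
    def match(p, term):
        if "==" in term:
            field, value = (s.strip() for s in term.split("=="))
            if field == "ip.addr":  # ip.addr matches either direction, as in Wireshark
                return value in (p.get("ip.src"), p.get("ip.dst"))
            return str(p.get(field)) == value
        return p.get("proto") == term.strip()
    return [p for p in pkts if all(match(p, t) for t in expr.split(" and "))]
```

Running `display_filter(read_pcap(example_capture()), "icmp")` returns the echo request (type 8) followed by the echo reply (type 0), which is the same request/reply pair the lab has you find in the Wireshark packet list.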

Try this — stretch exercises

Optional hands-on practice that goes beyond the workbook.

  • Start a capture, browse to http://example.com (note: http, not https), stop the capture, and find the HTML in the TCP stream.
  • Generate ARP traffic: `arp -d *` (Windows, admin) then ping your gateway. Watch the ARP request/reply appear.

Files to save this week

  • 📁 Week11_WiresharkInterfaces_YourLastName.png
  • 📁 Week11_BasicCapture_YourLastName.png
  • 📁 Week11_ICMPPingCapture_YourLastName.png
  • 📁 Week11_DisplayFilter_YourLastName.png
  • 📁 Week11_PacketDetails_YourLastName.png
  • 📁 Week11_WiresharkObservationReport_YourLastName