How Wireshark works

Wireshark collects network traffic from the wire through the computer's network interface, running in promiscuous mode (if needed), to inspect and display information related to protocols, IP addresses, ports, headers, and packet length. The following diagram is an illustration of how all the elements work together to display packet-level information to the user (source: https://www.wireshark.org):

Wireshark comes with the WinPcap/libpcap capture driver, which enables the NIC to run in promiscuous mode; the only time you don't need to sniff in promiscuous mode is when the packets are intentionally destined to, or generated from, your own device.

On any operating system, you need sufficient privileges to run Wireshark. Every protocol analyzer follows three processes: collect, convert, and analyze. These are described as follows:

  • Collect: Choose an interface to listen to traffic and capture network packets.
  • Convert: Make non-human-readable data readable. Raw packet bytes are converted into easily understood information presented through the GUI.
  • Analyze: Examine the network traffic in terms of packets, protocols, raw data and more, using the statistical and graphical features.
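The convert step above, decoding the raw bytes of a captured frame into the protocol, addresses, ports, header lengths and packet length that an analyzer displays, as an added example (not code from the book or from Wireshark itself). The frame is constructed inline, checksums are left zero and not validated, and the `truncated` field shows the caveat a practitioner meets when a capture snaplen cuts packets short.

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_IPV4 = 0x0800
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]

# Constructed sample: Ethernet II + IPv4 + TCP SYN, 54 bytes (checksums left zero)
SAMPLE_FRAME = bytes.fromhex(
    "001122334455" "66778899aabb" "0800"                       # Ethernet: dst MAC, src MAC, type IPv4
    "45000028" "12344000" "4006" "0000" "c0a8010a" "0a000005"  # IPv4: len 40, TTL 64, TCP, 192.168.1.10 -> 10.0.0.5
    "c82201bb" "00000000" "00000000" "5002ffff" "00000000"     # TCP: 51234 -> 443, SYN, window 65535
)

def parse_frame(frame: bytes) -> dict:
    """Decode the fields a protocol analyzer shows for one captured frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"length": len(frame), "dst_mac": dst_mac.hex(":"),
            "src_mac": src_mac.hex(":"), "ethertype": ethertype}
    if ethertype != ETHERTYPE_IPV4:
        return info  # non-IPv4 payload: only the link-layer fields are decoded here
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4  # IHL is counted in 32-bit words
    if ver_ihl >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("malformed IPv4 header")
    info.update(src_ip=str(IPv4Address(src)), dst_ip=str(IPv4Address(dst)), ttl=ttl,
                ip_header_len=ihl, ip_total_len=total_len,
                protocol=PROTO_NAMES.get(proto, str(proto)),
                truncated=total_len > len(ip))  # capture snaplen cut the packet short
    l4 = ip[ihl:min(total_len, len(ip))]
    if proto in (6, 17) and len(l4) >= 4:  # TCP and UDP both start with src/dst port
        info["src_port"], info["dst_port"] = struct.unpack("!HH", l4[:4])
    if proto == 6 and len(l4) >= 14:  # TCP flags live in byte 13 of the header
        flags = l4[13]
        info["tcp_flags"] = [n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)]
    return info

if __name__ == "__main__":
    for key, value in parse_frame(SAMPLE_FRAME).items():
        print(f"{key:14} {value}")
```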

As discussed in the previous chapter, protocols are the set of rules and regulations that govern the process of communication between two network devices and control the environment under which they operate.