Had a web app that was slow as hell. Users complaining, timeout errors everywhere. Checked the server logs - nothing unusual. Looked at database queries - all optimized. Even checked CDN settings - perfect.
Finally installed Wireshark and saw the real problem: the app was making 47 separate HTTP requests to load one page, each one waiting for the previous to finish. The actual fix took 5 minutes (enable HTTP/2). Finding it took 2 hours without Wireshark, 5 minutes with it.
What Wireshark actually does
Wireshark captures network traffic and shows you what's actually happening at the packet level. Instead of guessing why your API calls are timing out or why your site is slow, you can see the actual data flowing between machines.
It understands hundreds of protocols out of the box - HTTP, TCP, UDP, DNS, TLS, and plenty more I'd never heard of before using it. The packet dissection shows you what each byte means, which is way more useful than staring at hex dumps.
Getting it installed
# macOS
brew install --cask wireshark
# Linux (Ubuntu/Debian)
sudo apt-get install wireshark
# Add your user to wireshark group
sudo usermod -aG wireshark $USER
# Windows - download from wireshark.orgOn macOS and Linux you'll need admin privileges to capture traffic. Wireshark will ask for permission when you first try to start a capture.
Starting your first capture
When you open Wireshark, you'll see a list of network interfaces:
# Common interface names:
en0 # macOS WiFi/Ethernet
eth0 # Linux Ethernet
wlan0 # Linux WiFi
lo # Loopback (localhost traffic)Pick the active one (usually the one showing traffic counters increasing) and click the blue shark fin icon to start capturing.
Open a browser and load a website. Stop the capture and you'll see thousands of packets. Now the real fun begins - making sense of all this data.
Filters: The only thing that actually matters
Without filters, Wireshark is overwhelming. Here's what I use constantly:
# Find traffic for a specific host
ip.addr == 192.168.1.1
# HTTP traffic only
http
# DNS queries
dns
# Specific port
tcp.port == 443
# Combine filters
http and ip.addr == 10.0.0.5
tcp.port == 443 or tcp.port == 80Right-click any packet and select "Apply as Filter" → "Selected" to build filters automatically. I use this constantly instead of memorizing syntax.
Following TCP streams
This is the feature that made Wireshark click for me. Right-click any TCP packet → "Follow" → "TCP Stream" and you see the entire conversation in order, with different colors for each direction.
Suddenly you're not looking at individual packets anymore - you're seeing the full request/response cycle. You can read the HTTP headers, see where the connection slows down, find the exact point where something breaks.
Real problems I actually solved with Wireshark
Slow API calls
API was taking 8 seconds to respond. Server logs showed the query completed in 200ms. Captured traffic in Wireshark and found the client was sending a request, waiting for TCP slow-start to complete, then finally sending the payload. Fixed by enabling TCP_NODELAY on the socket.
Intermittent connection failures
Random 504 errors that we couldn't reproduce. Wireshark showed the load balancer was closing idle connections after 60 seconds, but the client was trying to reuse connections after 65 seconds. Adjusted the keepalive settings and problem disappeared.
DNS resolution weirdness
Some domains worked, others didn't. Filtered for DNS traffic and saw our DNS server returning SERVFAIL for specific domains, but the same queries worked when we used 8.8.8.8. Turned out our ISP's DNS was blocking certain domains. Switched to Cloudflare DNS.
Understanding the packet list
The main window shows columns that are actually useful:
- Time: How long since capture started. Sort by this to find slow requests
- Source/Destination: Who's talking to whom
- Protocol: HTTP, TCP, UDP, DNS, etc.
- Length: Packet size in bytes
- Info: Protocol-specific details (HTTP method, DNS query, etc.)
Right-click the column headers to add more. I often add "Delta Time" to see time between packets - helps spot where things are waiting.
HTTP vs HTTPS
HTTP traffic is readable - you can see headers, request methods, response codes, even the response body. Filter with http and you'll see every HTTP request.
HTTPS is encrypted. You can see the connection setup (TLS handshake), SNI (which hostname you're connecting to), and packet sizes/timing, but not the actual content. For debugging most issues this is still enough - you can tell if a connection succeeded, how long it took, and roughly how much data was transferred.
Common filters I actually use
# Show me HTTP errors
http.response.code >= 400
# Find specific host
http.host == "api.example.com"
# TCP problems - retransmissions indicate packet loss
tcp.analysis.retransmission
# DNS issues
dns.qry.type == 1 # A records
dns.flags.rcode == 3 # NXDOMAIN
# Show me everything except keepalive pings
not icmp and not igmp and not mdnsThese filters took me way too long to learn. Would've been nice if I'd found them all in one place instead of piecing them together from random blog posts.
Exporting HTTP objects
Sometimes useful for debugging:
- Apply filter:
http - File → Export Objects → HTTP
- See all images, scripts, files transferred
- Save specific ones or export all
Saved me once when I needed to figure out exactly what JavaScript files a third-party script was loading.
Stats that are actually useful
Under Statistics menu:
- Conversations: See which endpoints are talking to each other most
- Protocol Hierarchy: Breakdown of what protocols are being used
- IO Graph: Traffic over time - useful for spotting patterns
- HTTP → Packets → Requests: All HTTP requests with timing info
What I wish I'd known starting out
- You can capture in one place and analyze in another. Save captures (.pcap files) and open them later.
- Captures get huge fast. Use capture filters (not just display filters) if you're running long captures.
- Wireshark can decode protobuf if you have the .proto file. Saved me hours of manual decoding.
- Coloring rules make a huge difference. Right-click the packet list → Coloring Rules.
- Learn to recognize TCP handshake (SYN, SYN-ACK, ACK) - helps verify connections are actually starting.
When Wireshark is overkill
| Use Wireshark when | Use simpler tools when |
|---|---|
| Need to see actual packet contents | Just checking if something is reachable (ping) |
| Debugging protocol-level issues | Checking DNS resolution (nslookup/dig) |
| Analyzing performance bottlenecks | Basic HTTP testing (curl) |
| Investigating security incidents | Quick port checks (netstat) |
Learning resources that helped
- Official docs - better than you'd expect
- Wiki - good for specific protocol questions
- CloudShark - online pcap analyzer (useful for sharing captures)
Bottom line
Wireshark has a learning curve, no question about it. First time I opened it I had no idea what I was looking at. But once you learn basic filters and understand the packet list layout, it becomes indispensable for network debugging.
The stuff that used to take hours - staring at logs, guessing where the bottleneck is, trying random fixes - now takes minutes with Wireshark. Worth the time to learn.