Wireshark is free, open-source, and capable of showing you everything moving across your network interface in real time. Most people assume it’s a tool for specialists only — but with a basic understanding of what to look for, even a non-expert can spot traffic that shouldn’t be there.
What Wireshark Actually Does
Wireshark is a packet analyzer. It captures raw network packets as they arrive at or leave your machine’s network interface and decodes them into a human-readable format. For IP traffic, each packet shows you its source IP, destination IP, protocol, port, and payload; how much of the payload you can actually read depends on whether the traffic is encrypted. It doesn’t block or filter traffic the way a firewall does; it just records and displays what’s happening.
When you open Wireshark and start a capture, you’re seeing the full conversation your machine is having with the network. This includes DNS queries, TCP handshakes, HTTP requests, TLS negotiations, and anything else that transits your interface. The sheer volume can be overwhelming at first, but that’s exactly why Wireshark includes a powerful display filter system. Filters let you narrow the view to only what’s relevant.
The most useful thing to understand early is the difference between a display filter and a capture filter. A capture filter restricts what Wireshark records in the first place, using Berkeley Packet Filter syntax — for example, port 53 to capture only DNS traffic. A display filter is applied after the fact to what’s already been captured, using Wireshark’s own syntax — for example, dns or ip.addr == 192.168.1.1. For exploratory investigation, it’s usually better to capture everything and filter the view afterward.
Installing Wireshark is straightforward on Windows, macOS, and Linux. On Linux, you may need to add your user to the wireshark group to capture packets without running as root: sudo usermod -aG wireshark $USER (the new group membership takes effect the next time you log in). On macOS, Wireshark installs a helper tool called ChmodBPF that grants capture permissions to the current user automatically.
Finding the Red Flags
Unusual DNS Activity
DNS is one of the first places to look when hunting for suspicious behavior. Malware frequently uses DNS to reach command-and-control infrastructure, and it often does so in ways that stand out. Apply the display filter dns and sort by the Info column. Look for queries to domains with long, randomized-looking names — strings like a1b2c3d4e5f6.example.com are characteristic of domain generation algorithms (DGAs), which malware uses to cycle through hundreds of potential C2 domains automatically.
Also watch for DNS queries going to unexpected servers. Your machine should be querying one or two DNS resolvers, typically provided by your router or your ISP. If you see DNS traffic going to an IP address you don’t recognize, that warrants investigation. The filter dns.flags.response == 0 && !(ip.dst == 192.168.1.1) (substituting your actual DNS server’s IP) will show any DNS queries bypassing your normal resolver. Limiting it to queries matters: a plain dns && !(ip.dst == 192.168.1.1) would also match every response coming back from your normal resolver, because those packets are addressed to your machine rather than to the resolver. Some malware hard-codes a DNS server specifically to avoid your local filtering or monitoring.
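Both DNS checks above (queries to an unapproved resolver, and random-looking names that suggest a DGA) can be run over a field export instead of eyeballing the packet list. The following is an added example, not code from the article or from the Wireshark project; it assumes the capture was exported with the tshark command shown in the comment, that 192.168.1.1 is the only legitimate resolver, and that the entropy and digit-ratio thresholds are reasonable starting points. The sample lines are constructed.

```python
import math
from collections import Counter

# Constructed sample lines in the layout produced by
#   tshark -r capture.pcapng -Y "dns.flags.response == 0" -T fields \
#       -e frame.time_epoch -e ip.src -e ip.dst -e dns.qry.name
# The addresses and names are made up for this example.
SAMPLE_DNS = """\
1700000001.10\t192.168.1.50\t192.168.1.1\twww.example.com
1700000002.30\t192.168.1.50\t192.168.1.1\tcdn.example.net
1700000003.40\t192.168.1.50\t198.51.100.7\ta1b2c3d4e5f6.example.com
1700000004.90\t192.168.1.50\t192.168.1.1\txk7q2vbn9z0pl4m.example.org
1700000005.00\t192.168.1.50\t198.51.100.7\tmail.example.com
"""

# Assumption: the router at 192.168.1.1 is the only resolver this machine should use.
APPROVED_RESOLVERS = {"192.168.1.1"}


def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score high."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(name, min_len=12, min_entropy=3.2, min_digit_ratio=0.3):
    """Coarse DGA heuristic on the leftmost label (thresholds are assumptions).
    Long labels with high entropy or many digits are flagged; real CDN and
    cloud hostnames can trip this, so treat a hit as a lead, not a verdict."""
    label = name.split(".")[0]
    if len(label) < min_len:
        return False
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy or digit_ratio >= min_digit_ratio


def audit_dns(field_lines, approved_resolvers):
    """Return (reason, resolver, name) tuples for queries worth a second look."""
    findings = []
    for line in field_lines.splitlines():
        if not line.strip():
            continue
        _ts, _src, dst, qname = line.split("\t")
        if dst not in approved_resolvers:
            findings.append(("unexpected_resolver", dst, qname))
        if looks_generated(qname):
            findings.append(("dga_like", dst, qname))
    return findings


if __name__ == "__main__":
    for reason, resolver, name in audit_dns(SAMPLE_DNS, APPROVED_RESOLVERS):
        print(f"{reason:20} resolver={resolver:14} name={name}")
```

On the sample it reports two queries sent to 198.51.100.7 and two DGA-looking names. The entropy threshold is deliberately coarse; tune it against a few minutes of your own normal traffic before trusting it, because long CDN hostnames are the usual false positive.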
Suspicious Outbound Connections
Apply the filter tcp.flags.syn == 1 && tcp.flags.ack == 0 to see all connection attempts. This matches every SYN packet, the first step in a TCP handshake, in both directions; add && ip.src == <your machine’s IP> to keep only the ones your machine sends. A clean machine will show connection attempts to IPs you recognize: your browser’s CDN endpoints, update servers, cloud sync services. What you don’t want to see is repeated SYN packets to the same unfamiliar IP on port 4444, 8080, or other ports commonly associated with reverse shells and remote access tools.
If something looks odd, right-click the packet in Wireshark and choose Follow > TCP Stream. This reconstructs the entire conversation between your machine and the remote host in plain text, making it far easier to see what was actually exchanged. If the stream shows structured data being sent outbound from your machine on a schedule — especially to a single IP — that’s worth investigating further. You can look up the destination IP in a threat intelligence database like VirusTotal or Shodan.
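The SYN review above reduces to a small grouping job once the packets are exported. The following is an added example, not part of the article or of Wireshark; it assumes the export command in the comment, that 192.168.1.50 is the machine under review, and that KNOWN_HOSTS holds destinations you have already identified as legitimate. The sample lines are constructed and include one inbound SYN to show why direction has to be checked.

```python
from collections import defaultdict

# Constructed sample lines in the layout produced by
#   tshark -r capture.pcapng -Y "tcp.flags.syn == 1 && tcp.flags.ack == 0" \
#       -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport
# Addresses are made up; the third line is an inbound SYN from another host.
SAMPLE_SYNS = """\
1700000010.0\t192.168.1.50\t93.184.216.34\t443
1700000011.0\t192.168.1.50\t93.184.216.34\t443
1700000012.0\t203.0.113.9\t192.168.1.50\t22
1700000015.0\t192.168.1.50\t198.51.100.23\t4444
1700000075.0\t192.168.1.50\t198.51.100.23\t4444
1700000135.0\t192.168.1.50\t198.51.100.23\t4444
1700000140.0\t192.168.1.50\t192.168.1.1\t53
"""

LOCAL_IP = "192.168.1.50"
# Assumed allowlist of destinations the reader has already recognised as legitimate.
KNOWN_HOSTS = {"93.184.216.34", "192.168.1.1"}
# Ports the article singles out; 8080 is also a common web-proxy port, so on its own it is a weak signal.
WATCH_PORTS = {4444, 8080}


def outbound_syn_summary(field_lines, local_ip, known_hosts, repeat_threshold=3):
    """Group outbound SYNs by (destination, port), most attempts first.
    Inbound SYNs are dropped: the display filter matches both directions."""
    counts = defaultdict(int)
    for line in field_lines.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, port = line.split("\t")
        if src != local_ip:
            continue
        counts[(dst, int(port))] += 1

    rows = []
    for (dst, port), attempts in sorted(counts.items(), key=lambda kv: -kv[1]):
        flags = []
        if dst not in known_hosts:
            flags.append("unfamiliar host")
        if port in WATCH_PORTS:
            flags.append("port often used by remote-access tools")
        if attempts >= repeat_threshold and dst not in known_hosts:
            flags.append("repeated attempts")
        rows.append({"dst": dst, "port": port, "attempts": attempts, "flags": flags})
    return rows


if __name__ == "__main__":
    for row in outbound_syn_summary(SAMPLE_SYNS, LOCAL_IP, KNOWN_HOSTS):
        print(row)
```

The row for 198.51.100.23:4444 comes out first with all three flags set; the inbound SYN on port 22 never appears because its source is not the local machine. The allowlist is the part that takes real effort: build it from a capture taken while you know exactly what the machine is doing.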
ARP Anomalies on Local Networks
On a local network, ARP (Address Resolution Protocol) is what maps IP addresses to MAC addresses. Wireshark can reveal ARP spoofing, a common technique used in man-in-the-middle attacks, where one machine on the network claims to be the gateway in order to intercept traffic. Apply the display filter arp and look for duplicate ARP replies — two different MAC addresses both claiming to own the same IP address. Wireshark will often flag these automatically with the label “duplicate use of IP address detected.”
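The duplicate-reply check can also be run over an export of ARP replies, which is convenient when a capture is long and the conflicting frames are far apart. This is an added example, not code from the article or from Wireshark; it assumes the export command in the comment and that 192.168.1.1 is the gateway. The sample lines are constructed.

```python
from collections import defaultdict

# Constructed sample lines in the layout produced by
#   tshark -r capture.pcapng -Y "arp.opcode == 2" -T fields \
#       -e frame.number -e arp.src.proto_ipv4 -e arp.src.hw_mac
# Frame 131 is a made-up second MAC claiming the gateway's address.
SAMPLE_ARP_REPLIES = """\
12\t192.168.1.1\t00:11:22:33:44:55
40\t192.168.1.20\tde:ad:be:ef:00:20
88\t192.168.1.1\t00:11:22:33:44:55
131\t192.168.1.1\t66:77:88:99:aa:bb
"""

GATEWAY_IP = "192.168.1.1"   # assumption: the router's address on this network


def find_ip_mac_conflicts(field_lines):
    """Return {ip: {mac: [frame numbers]}} for every IP claimed by more than one MAC."""
    claims = defaultdict(lambda: defaultdict(list))
    for line in field_lines.splitlines():
        if not line.strip():
            continue
        frame, ip, mac = line.split("\t")
        claims[ip][mac.lower()].append(int(frame))
    return {ip: dict(macs) for ip, macs in claims.items() if len(macs) > 1}


def describe_conflicts(conflicts, gateway_ip):
    """One line per conflicting IP. The gateway is called out because that is
    the address a man-in-the-middle on the LAN has to claim to intercept traffic."""
    report = []
    for ip, macs in conflicts.items():
        first_frame = min(min(frames) for frames in macs.values())
        label = "GATEWAY " if ip == gateway_ip else ""
        report.append(f"{label}{ip} claimed by {len(macs)} MACs {sorted(macs)} from frame {first_frame}")
    return report


if __name__ == "__main__":
    for line in describe_conflicts(find_ip_mac_conflicts(SAMPLE_ARP_REPLIES), GATEWAY_IP):
        print(line)
```

Keep the frame numbers: in a capture spanning hours, a single IP moving to a new MAC once can be a DHCP reassignment or a replaced router, whereas the same IP answered by two MACs within seconds of each other is the pattern to worry about.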
Cleartext Credentials and Unencrypted Protocols
HTTPS has become the default for web traffic, but plenty of protocols still send data in the clear. FTP, Telnet, basic HTTP, and older versions of SMTP without STARTTLS all transmit usernames, passwords, and content as plaintext. Apply the filter ftp or http and use Follow > TCP Stream on any login-related packets. If you see USER and PASS commands in an FTP stream with actual credentials visible, that service needs to be replaced or secured. The same applies to any HTTP form submission your machine makes — the POST data is fully visible in the packet payload.
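When you are auditing a network for cleartext logins rather than looking at one stream by hand, it helps to have a scanner that reports what it found without copying the secret into the report. The following is an added example, not code from the article or from Wireshark; the two stream texts are constructed in the shape Follow > TCP Stream shows, and the form field names are an assumption to extend for your own applications.

```python
import base64
from urllib.parse import parse_qs

# Constructed text in the shape Wireshark's Follow > TCP Stream shows.
# Accounts and passwords are made up for the example.
SAMPLE_FTP_STREAM = """\
220 FTP server ready.
USER alice
331 Please specify the password.
PASS hunter2
230 Login successful.
"""

SAMPLE_HTTP_STREAM = """\
POST /login HTTP/1.1
Host: intranet.example.com
Authorization: Basic Ym9iOnMzY3JldA==
Content-Type: application/x-www-form-urlencoded

username=carol&password=pa55w0rd
HTTP/1.1 302 Found
"""

# Assumed form field names; extend for the applications on your own network.
PASSWORD_FIELDS = {"password", "passwd", "pwd", "pass"}
USER_FIELDS = {"username", "user", "login", "email"}


def find_cleartext_logins(stream_text):
    """Report logins sent in the clear in a reconstructed stream.
    Only the protocol and account name are returned; the password is never
    copied out of the capture, so the report can be shared without spreading it."""
    findings = []
    lines = stream_text.splitlines()
    pending_user = None
    for i, line in enumerate(lines):
        if line.startswith("USER "):                      # FTP login, step 1
            pending_user = line[5:].strip()
        elif line.startswith("PASS ") and pending_user:   # FTP login, step 2
            findings.append({"protocol": "ftp", "user": pending_user})
            pending_user = None
        elif line.lower().startswith("authorization: basic "):
            try:
                decoded = base64.b64decode(line.split(None, 2)[2]).decode("utf-8", "replace")
            except (ValueError, IndexError):
                continue
            findings.append({"protocol": "http-basic", "user": decoded.split(":", 1)[0]})
        elif line == "" and lines[0].startswith("POST ") and i + 1 < len(lines):
            # A blank line ends the HTTP headers; a urlencoded form body follows it.
            form = parse_qs(lines[i + 1])
            if any(k.lower() in PASSWORD_FIELDS for k in form):
                user = next((v[0] for k, v in form.items() if k.lower() in USER_FIELDS), "<unknown>")
                findings.append({"protocol": "http-form", "user": user})
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_FTP_STREAM, SAMPLE_HTTP_STREAM):
        print(find_cleartext_logins(sample))
```

A finding here is the cue the article describes: the service involved needs TLS (FTPS or SFTP instead of FTP, HTTPS instead of HTTP), and the account whose name appears should have its password changed once that is done.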
High-Volume Beaconing
Malware that has established a foothold often “beacons” — it sends small, regular packets to a C2 server to check for instructions. This looks different from normal browsing traffic because it’s periodic and consistent. In Wireshark, capture traffic for 10–15 minutes without doing anything on the machine. Then look at the Statistics > Conversations view, which shows the total bytes transferred between each pair of IPs. A conversation that accumulates traffic steadily over time, especially to an IP outside your country with no obvious business purpose, is a signal worth acting on.
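The Conversations view shows totals, but the thing that distinguishes a beacon is the regularity of the gaps between packets, which you can measure from a timestamp export of the idle capture. This is an added example, not code from the article or from Wireshark; it assumes the export command in the comment, that 192.168.1.50 is the idle machine, and that a coefficient of variation of 0.2 on the inter-packet gaps is a sensible cut-off. The sample lines are constructed.

```python
import statistics
from collections import defaultdict

# Constructed sample lines in the layout produced by
#   tshark -r idle.pcapng -Y "ip.src == 192.168.1.50" -T fields \
#       -e frame.time_epoch -e ip.dst -e frame.len
# 198.51.100.23 receives a small packet every minute; 93.184.216.34 gets bursty traffic.
SAMPLE_OUTBOUND = """\
1700000000.0\t198.51.100.23\t98
1700000060.2\t198.51.100.23\t98
1700000119.9\t198.51.100.23\t98
1700000180.1\t198.51.100.23\t98
1700000240.0\t198.51.100.23\t98
1700000300.1\t198.51.100.23\t98
1700000005.0\t93.184.216.34\t1500
1700000007.5\t93.184.216.34\t1500
1700000040.0\t93.184.216.34\t620
1700000203.0\t93.184.216.34\t1500
1700000210.0\t93.184.216.34\t1500
"""


def beacon_candidates(field_lines, min_packets=5, max_cv=0.2):
    """Per destination: packet count, bytes, mean gap and how regular the gaps are.
    Regularity is the coefficient of variation (stddev / mean) of the gaps;
    near zero means metronomic timing. Thresholds are assumptions."""
    per_dst = defaultdict(list)
    for line in field_lines.splitlines():
        if not line.strip():
            continue
        ts, dst, length = line.split("\t")
        per_dst[dst].append((float(ts), int(length)))

    results = {}
    for dst, pkts in per_dst.items():
        if len(pkts) < min_packets:
            continue                      # too few packets to judge timing
        pkts.sort()
        gaps = [b[0] - a[0] for a, b in zip(pkts, pkts[1:])]
        mean_gap = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else float("inf")
        results[dst] = {
            "packets": len(pkts),
            "bytes": sum(length for _, length in pkts),
            "mean_gap_s": round(mean_gap, 1),
            "regularity_cv": round(cv, 3),
            "beacon_like": cv <= max_cv,
        }
    return results


if __name__ == "__main__":
    for dst, info in beacon_candidates(SAMPLE_OUTBOUND).items():
        print(dst, info)
```

Regularity alone is not guilt: NTP, update checks and chat keepalives are also metronomic. The signal is regular, small traffic to a destination you cannot account for, which is why the destination still has to be looked up after the script has narrowed the list.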
Practical Starting Points
Before capturing traffic on any network you don’t own, confirm you have authorization to do so. Packet capture on a network without permission is illegal in most jurisdictions regardless of intent.
For a home investigation, start with a five-minute capture while the machine is idle — no browser open, no active downloads. An idle machine should be nearly silent. What you’ll typically see is a small amount of background DNS, some ARP traffic, and occasional keep-alive packets from existing connections. Anything else — new outbound SYN packets, DNS queries to unusual domains, data transfers — deserves attention. Wireshark’s Statistics > Protocol Hierarchy view gives you a quick breakdown of what percentage of your captured traffic belongs to each protocol, which can immediately reveal something unexpected, like a large proportion of traffic using an unfamiliar or uncommon protocol.
Wireshark won’t tell you definitively whether a piece of traffic is malicious. What it does is give you visibility you wouldn’t otherwise have. The decision about what to do with what you find, whether that’s blocking an IP in your firewall, removing a suspicious application, or escalating to a professional, is still yours to make. The filter ip.dst == <suspicious IP> || ip.src == <suspicious IP> (or its shorthand ip.addr == <suspicious IP>) lets you isolate all traffic related to a single address across an entire capture file, which is useful once you’ve identified something that needs closer scrutiny.
Wireshark saves captures in pcapng format by default and can also write the older .pcap format from the save dialog; both are readable by most other security tools including tcpdump, Zeek, and Suricata, and choosing .pcap is the safe option if a tool you rely on predates pcapng. A saved capture file is evidence; treat it accordingly if you suspect a genuine compromise.