What data can Wireshark capture?

Dec 18, 2025

Wireshark can capture almost any data that travels across a network interface. If it’s sent over the wire or through the air (Wi-Fi), Wireshark can "see" it.

Specifically, it captures packets, which contain:

1. Protocol Information

It identifies the "language" being spoken between computers, such as:

  • Web Traffic: HTTP / HTTPS
  • File Transfers: FTP / SMB
  • Email: SMTP / IMAP
  • Core Internet Tasks: DNS (looking up names), ICMP (ping), and DHCP (getting an IP address).

2. Addressing Data

For every single packet, Wireshark shows you:

  • Source and Destination IP Addresses: Who is talking to whom.
  • MAC Addresses: The physical hardware IDs of the devices.
  • Port Numbers: Which specific application is involved (e.g., Port 80 for web, Port 53 for DNS).

3. The "Payload" (The actual content)

This is the data inside the packet. Depending on the level of security, you might see:

  • Plaintext: If a website uses http:// (unencrypted), you can see the actual HTML, text in forms, or even passwords being sent.
  • Encrypted Data: If a site uses https:// (encrypted), Wireshark still captures the data, but it will look like gibberish or random characters because it is protected by encryption. You can see that a connection exists, but not what is being said inside it.

4. Metadata and Timing

  • Timestamps: Exactly when a packet arrived (down to the microsecond).
  • Errors: If a packet was lost or sent out of order.

A Simple Analogy:
If the network is a highway, Wireshark is like a high-definition camera. It records every car (packet), their license plates (IP addresses), the type of car (protocol), and if the windows are clear, it can even see what’s inside the trunk (payload)!

In the next steps of your lab, you'll actually see some of this data appearing in the Packet List pane!
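To make the layers above concrete, here is an added example (not part of the original answer) that dissects one raw frame the way the Packet Details pane does, pulling out the MAC addresses, IP addresses and ports, then showing that the payload is readable over HTTP but opaque in a TLS application-data record while the addressing stays visible. The frames, addresses, credentials and the helper names `build_frame` and `dissect` are constructed for illustration.

```python
import socket
import struct

# Constructed sample payloads (not captured traffic).
HTTP_PAYLOAD = b"POST /login HTTP/1.1\r\nHost: example.test\r\n\r\nuser=alice&password=hunter2"
TLS_PAYLOAD = b"\x17\x03\x03\x00\x10" + bytes(range(0xA0, 0xB0))  # type 23 record, dummy ciphertext

def build_frame(payload: bytes, dport: int) -> bytes:
    """Build a constructed Ethernet + IPv4 + TCP frame (checksums left at zero)."""
    eth = bytes.fromhex("02000000000b" "02000000000a") + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", 49152, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.5"))
    return eth + ip + tcp + payload

def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def dissect(frame: bytes) -> dict:
    """Extract addressing fields and classify the payload (IPv4/TCP frames only)."""
    if len(frame) < 14 + 20 + 20:
        raise ValueError("truncated frame")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800 or frame[23] != 6:       # IPv4 EtherType, protocol 6 = TCP
        raise ValueError("only IPv4/TCP is handled here")
    ihl = (frame[14] & 0x0F) * 4                    # IP header length in bytes
    total_len = struct.unpack("!H", frame[16:18])[0]
    tcp_at = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[tcp_at:tcp_at + 4])
    data_off = (frame[tcp_at + 12] >> 4) * 4        # TCP header length in bytes
    payload = frame[tcp_at + data_off:14 + total_len]
    if payload[:2] == b"\x17\x03":                  # TLS application data: ciphertext
        kind, text = "tls-application-data", None
    elif payload.isascii():                         # unencrypted text, readable as-is
        kind, text = "plaintext", payload.decode("ascii")
    else:
        kind, text = "binary", None
    return {"src_mac": fmt_mac(src_mac), "dst_mac": fmt_mac(dst_mac),
            "src_ip": socket.inet_ntoa(frame[26:30]), "dst_ip": socket.inet_ntoa(frame[30:34]),
            "src_port": sport, "dst_port": dport, "kind": kind, "text": text}

if __name__ == "__main__":
    for payload, port in ((HTTP_PAYLOAD, 80), (TLS_PAYLOAD, 443)):
        print(dissect(build_frame(payload, port)))
```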
