Wireshark Basics – Complete Beginner to Advanced Guide
CHAPTER 05 Beginner

Capturing Network Traffic

Updated: May 16, 2026

1. Introduction

You understand the theory of packets, and you know how to navigate the interface. Now it is time to perform the core function of Wireshark: capturing live traffic. The act of capturing traffic is simple, a single click of a button, but doing it *correctly* requires intention. If you capture on the wrong interface, you will see nothing. If you let a capture run all day, you will exhaust your machine's memory and fill its disk. In this chapter, we will walk through the exact workflow of selecting interfaces, initiating live captures, safely halting the process, and saving your forensic evidence into industry-standard PCAP files.

2. Learning Objectives

By the end of this chapter, you will be able to:
  • Identify and select the correct network interface for packet capture.
  • Start and stop a live packet capture session.
  • Understand the dangers of unbounded, long-term packet captures.
  • Save captured data into a .pcapng format for later analysis.
  • Execute a controlled capture of specific application traffic (e.g., a web browser).

3. Step 1: Selecting the Interface

When you open Wireshark, the Welcome Screen lists all the network cards (Interfaces) inside your computer. Your laptop might have several:
  • Wi-Fi / wlan0: Your wireless connection to the internet.
  • Ethernet / eth0: Your hardwired copper connection.
  • Loopback / lo0: A fake, internal network card used for your computer to talk to itself (used heavily by software developers).
  • VirtualBox/VMware Adapters: Virtual network cards for virtual machines.

*How to choose:* Look at the "sparkline" graph next to the interface names. The one with the active, jagged line moving up and down is your active connection. Click on it to highlight it in blue.

4. Step 2: Starting and Stopping the Capture

To Start: With your active interface highlighted, click the blue Shark Fin icon in the top left toolbar (or double-click the interface name). Instantly, the screen will switch to the Three-Pane view, and lines of data will begin rapidly scrolling down the screen. You are now actively wiretapping your own network!

To Stop: As soon as you have captured the specific event you are investigating (e.g., you clicked "Login" on a broken website and got the error), immediately click the Red Square icon in the top toolbar to Stop the capture.

5. The Danger of Long Captures

Wireshark captures *everything*. A busy enterprise network can push Gigabytes of data per minute. If you start a capture on a busy server, walk away to get lunch, and come back an hour later, two things will likely happen:
  1. Wireshark will consume 100% of the server's RAM trying to hold the packets in memory, crashing the server.
  2. The capture file will be 50 GB in size, making it impossible to open or analyze.
*Rule of Thumb:* Live captures should be treated like sniper shots. Start the capture -> Replicate the exact error -> Stop the capture immediately.

6. Step 3: Saving the Capture (PCAP)

Once you hit stop, the data is currently residing in your computer's temporary memory (RAM). If you close Wireshark, it is gone forever. To save it for analysis or to email it to a senior engineer:
  1. Click File -> Save As...
  2. Save it as a Wireshark/tcpdump/... - pcapng file.

What is a PCAP? PCAP stands for "Packet Capture." It is the universal file format for network traffic. A .pcap file saved from Wireshark on Windows can be emailed to a colleague and opened perfectly in tcpdump on a Linux server. The newer .pcapng (Next Generation) format includes extra metadata like comments and interface names.
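To make the "universal format" claim concrete, here is an added example (not code from the original chapter or from the Wireshark project) that writes and reads the classic pcap layout in Python: the 24-byte global header carrying the magic number, byte order, snapshot length and link type, followed by one 16-byte record header per packet. The two Ethernet frames and the names write_pcap, read_pcap and demo are constructed for this illustration.

```python
import struct
from collections import namedtuple

MAGIC_USEC = 0xA1B2C3D4   # classic pcap, microsecond timestamps
MAGIC_NSEC = 0xA1B23C4D   # classic pcap, nanosecond timestamps
LINKTYPE_ETHERNET = 1
# byte_order is "<" (little-endian writer) or ">" (big-endian); snaplen caps bytes stored per packet
PcapHeader = namedtuple("PcapHeader", "byte_order nanosecond snaplen linktype")
# caplen = bytes actually stored (<= snaplen); origlen = bytes seen on the wire
PcapRecord = namedtuple("PcapRecord", "ts_sec ts_frac caplen origlen data")

def write_pcap(packets, snaplen=65535, linktype=LINKTYPE_ETHERNET, byte_order="<"):
    """Serialise (ts_sec, ts_usec, frame) tuples into a classic pcap byte string."""
    # global header: magic, major 2, minor 4, thiszone, sigfigs, snaplen, linktype
    out = bytearray(struct.pack(byte_order + "IHHiIII", MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype))
    for ts_sec, ts_usec, frame in packets:
        stored = frame[:snaplen]   # snaplen truncates what is stored; origlen keeps the true size
        out += struct.pack(byte_order + "IIII", ts_sec, ts_usec, len(stored), len(frame))
        out += stored
    return bytes(out)

def read_pcap(blob):
    """Parse the 24-byte global header, then every 16-byte record header that follows."""
    if len(blob) < 24:
        raise ValueError("truncated global header")
    bo = "<" if struct.unpack("<I", blob[:4])[0] in (MAGIC_USEC, MAGIC_NSEC) else ">"
    magic, _major, _minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(bo + "IHHiIII", blob[:24])
    if magic not in (MAGIC_USEC, MAGIC_NSEC):
        raise ValueError("not a classic pcap file (bad magic number)")
    hdr = PcapHeader(bo, magic == MAGIC_NSEC, snaplen, linktype)
    records, off = [], 24
    while off + 16 <= len(blob):
        ts_sec, ts_frac, caplen, origlen = struct.unpack(bo + "IIII", blob[off:off + 16])
        off += 16
        if caplen > snaplen or off + caplen > len(blob):
            raise ValueError(f"corrupt record header at offset {off - 16}")
        records.append(PcapRecord(ts_sec, ts_frac, caplen, origlen, blob[off:off + caplen]))
        off += caplen
    return hdr, records

# Constructed sample frames (not captured from a real network): a 42-byte ARP-sized
# broadcast frame and a 214-byte IPv4-sized frame, each with a 14-byte Ethernet header.
FRAME_A = bytes.fromhex("ffffffffffff" "001122334455" "0806") + b"\x00" * 28
FRAME_B = bytes.fromhex("001122334455" "66778899aabb" "0800") + bytes(range(200))

def demo(snaplen=96):
    """Write both frames with a 96-byte snaplen and read them back."""
    blob = write_pcap([(1700000000, 1, FRAME_A), (1700000000, 2, FRAME_B)], snaplen=snaplen)
    return read_pcap(blob)
```

A byte string from write_pcap saved to disk opens in Wireshark or with tcpdump -r; the second record shows how a snapshot length smaller than the frame yields caplen < origlen, exactly what a capture taken with a reduced snaplen records.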

7. Command Examples

If you are working on a headless Linux server with no GUI, you cannot use the Wireshark application. You must use the command line tool tshark (Wireshark's terminal sibling) or tcpdump.
```bash
# Capture traffic on the eth0 interface and save it to a file named 'evidence.pcap'
# -i selects the interface; -w writes raw packets to a file instead of printing decoded lines
sudo tcpdump -i eth0 -w evidence.pcap

# (To stop the capture, press Ctrl+C)
```

You can then securely download evidence.pcap to your laptop and open it in the Wireshark GUI for easy viewing!

8. Best Practices

  • Close Background Apps: If you are trying to capture traffic to troubleshoot a specific website, close Spotify, close Discord, and close your email client before hitting Start. If you don't, your capture file will be polluted with thousands of irrelevant music streaming packets, making it much harder to find the web traffic you actually care about.

9. Common Mistakes

  • Capturing on the Loopback Interface by Mistake: A beginner selects the "Loopback Interface" (often labeled Adapter for loopback traffic capture on Windows). They start the capture, open Google Chrome, and browse the web. The capture screen remains completely blank. The loopback interface *only* captures traffic sent from your computer, addressed back to your own computer. It will never see traffic bound for the internet.

10. Mini Project: Capture Your First Browser Traffic

Let's capture a real, live interaction.
  1. Close all unnecessary apps on your computer.
  2. Open Wireshark, select your active Wi-Fi/Ethernet interface, and click the blue Shark Fin to Start.
  3. Open a web browser and go to http://neverssl.com (a safe, unencrypted website built for testing).
  4. As soon as the page loads, go back to Wireshark and click the Red Square to Stop.
  5. Scroll through the Packet List. You will see a massive burst of traffic (DNS lookups, TCP handshakes, and HTTP data). You have successfully captured real internet infrastructure at work!

11. Practice Exercises

  1. Explain the operational difference between the .pcap file format and a standard text document. Why is PCAP considered a universal networking standard?
  2. Why is leaving a live Wireshark capture running indefinitely on a high-traffic server considered a dangerous operational practice?

12. MCQs with Answers

Question 1

Which file format is the industry standard for saving captured network traffic, allowing it to be shared and opened by various protocol analyzers?

Question 2

When preparing to capture internet-bound traffic to troubleshoot a web application, which interface should you explicitly AVOID selecting?

13. Interview Questions

  • Q: Walk me through the exact workflow of executing a targeted packet capture to troubleshoot a reported application error. When do you start and stop the capture?
  • Q: You are tasked with analyzing traffic on a remote Linux web server that has no graphical desktop environment installed. How do you obtain the packet capture, and how do you analyze it?
  • Q: Explain the purpose of the "Promiscuous Mode" checkbox found in the Wireshark Capture Options menu.

14. FAQs

Q: Can I capture traffic from other computers on my Wi-Fi network?
A: Technically, yes, if your Wi-Fi card supports "Monitor Mode." However, capturing wireless traffic not explicitly addressed to your computer requires advanced configuration, specialized Wi-Fi adapters, and the WPA2/WPA3 keys needed to decrypt it. By default, Wireshark will only reliably capture traffic entering and leaving your specific machine.

15. Summary

In Chapter 5, we moved from observation to execution. We navigated the interface selection process, identifying active network links using sparkline graphs and avoiding the isolation of the loopback adapter. We established a strict, disciplined workflow for capturing traffic: isolate background noise, initiate the capture, replicate the error, and halt immediately to prevent memory exhaustion. Finally, we learned to preserve our forensic evidence using the universal .pcapng file format, ensuring our captured data can be analyzed, archived, and shared across the industry.

16. Next Chapter Recommendation

You have captured a mountain of data. The first layer you see is Layer 2. Let's learn how to read it. Proceed to Chapter 6: Understanding Ethernet Traffic.
