What Is Wireshark? Deep Packet Inspection and PCAP Files

Introduction: The Microscope

If `tcpdump` is the matrix code, Wireshark is a graphical microscope for that code. It is the world's most famous network protocol analyzer. It captures raw IP traffic and breaks it down into beautiful, color-coded, incredibly detailed windows.

Analyzing the PCAP

Wireshark captures data into a `.pcap` (Packet Capture) file. You can open a PCAP and literally click on a single IP packet. Wireshark will neatly separate the OSI layers for you: it will show you the physical MAC address layer, the IP header layer, the TCP port layer, and then the actual text of the HTTP request. It is how malware is analyzed and complex bugs are caught.

Conclusion

Wireshark is the ultimate truth-teller in networking. If a computer sends data, Wireshark will find it and dissect it. See what active packets look like here.