Wireshark Simulation - IP Based

Welcome to the packet capture simulation: monitor traffic, inspect packets, and learn how to respond to real-world threats.

Welcome to the packet capture Simulation

This platform introduces you to a simulation Wireshark, the world’s most popular network protocol analyzer. With Wireshark, you can capture, inspect, and understand data packets as they travel across a network.

Why Use This Simulation?

Safe Learning Environment: Practice packet capture and analysis without touching a real network.
Hands-On Experience: Simulate real-world traffic like TCP handshakes, DNS queries, and HTTP requests.
Interactive Workflows: Learn how professionals use Wireshark to troubleshoot performance issues or investigate security threats.
Step-by-Step Guidance: Each scenario includes explanations to help you connect theory with practice.

Learning Goals

By the end of this simulation, you will be able to:

Understand how packets flow between devices on a network.
Recognize different protocols (TCP, UDP, DNS, HTTP) and their role.
Apply filters to isolate relevant traffic.
Analyze suspicious traffic patterns for security awareness.

Client 🖥️

➡️

Router/Firewall 🌐

➡️

Server 🗄️

Packets flow from Client → Router → Server. Each color represents a protocol type, similar to what you’ll analyze in Wireshark.

TCP UDP HTTP DNS ICMP

What is Wireshark?

Wireshark is the world’s most widely used network protocol analyzer. Think of it as a microscope for your network traffic. It allows you to capture, inspect, and analyze data traveling across your network in real-time.

Originally developed in 1998 as Ethereal, Wireshark has become a critical tool for network administrators, cybersecurity professionals, and IT students to understand and troubleshoot networks. It works on multiple platforms including Windows, macOS, and Linux.

Monitor real-time network activity: Capture live traffic to see which devices are communicating, what protocols they use, and the data being transmitted.
Diagnose network issues: Identify slow connections, dropped packets, or misconfigured network devices that may be causing problems.
Investigate security incidents: Analyze suspicious traffic to detect attacks like phishing attempts, malware communication, DDoS, or unauthorized access.
Understand network protocols: Examine how protocols like TCP, UDP, HTTP, DNS, and ICMP operate and interact on the network.
Educational value: Wireshark is widely used in cybersecurity labs and courses to teach packet-level network analysis, protocol structure, and traffic patterns.
Filter and search: Use advanced filters to focus on specific hosts, protocols, or traffic types for in-depth investigation.
Analyze captured data: Inspect packet details, view protocol trees, decode payloads, and identify anomalies.

By mastering Wireshark, you gain the ability to visualize, understand, and troubleshoot complex networks, making it an essential skill for anyone working in IT, networking, or cybersecurity.

How Wireshark Works

Wireshark captures network traffic and breaks it down into understandable layers, helping you see exactly what is happening on your network. Each packet goes through several stages:

Capture: Wireshark collects packets from your network interface using libraries like libpcap (Linux/macOS) or WinPcap/Npcap (Windows). In our simulation, this is mimicked by generating packet events for each scenario.
Decode: Packets are dissected layer by layer:
- Ethernet / Data Link Layer: Shows the source and destination MAC addresses.
- IP / Network Layer: Displays the source and destination IP addresses and protocol (TCP, UDP, ICMP).
- Transport Layer: TCP or UDP details, including ports, flags, sequence numbers, and payload size.
- Application Layer: Data specific to the application protocol, such as HTTP requests, DNS queries, or TLS handshakes.
Display: Wireshark organizes information into three main panes:
- Packet List Pane: Shows a summary of each captured packet (time, source, destination, protocol, info).
- Packet Details Pane: Expands the selected packet layer-by-layer to show fields and flags.
- Packet Bytes Pane: Shows the raw bytes of the packet, useful for deep inspection.
In our simulation, this is represented by the Packet Table and Details Panel.
Filter: Wireshark allows you to apply display and capture filters:
- Display Filters: Focus on specific traffic already captured, e.g., tcp, ip.addr == 192.168.1.2, or dns.
- Capture Filters: Limit packets being captured in real-time to only those of interest, e.g., port 53 for DNS traffic.
Our simulation uses a simple input box to filter packets by protocol or IP.
Analyze: Wireshark lets you investigate trends and anomalies:
- Follow TCP streams to see a full conversation between two hosts.
- Inspect protocol errors or unusual flags (e.g., multiple SYNs without ACK = possible SYN flood).
- Check payloads for suspicious content (like DNS tunneling or HTTP exploits).
In our simulation, scenarios like TCP Handshake, DNS Query, and packet filtering demonstrate these concepts safely.

By understanding these stages, you can trace network problems, detect intrusions, and learn how different protocols interact in a live network. Our simulation provides a safe environment to practice these skills without capturing real network traffic.

Simulation Examples

Explore realistic network scenarios with our guided simulations. Each example helps you understand how network traffic behaves and how to analyze it like a professional using Wireshark:

TCP Handshake: Observe the three-way handshake between 192.168.1.2 and 172.217.0.14. Learn how SYN, SYN-ACK, and ACK packets establish a connection.
DNS Query: Track a DNS request from 192.168.1.2 to 192.168.1.1. See how the request resolves a domain name into an IP address.
Packet Filtering: Practice filtering network traffic by protocol or IP. Try filters like tcp, udp, or ip.addr == 192.168.1.105 to focus on specific packets.
HTTP Traffic Analysis: Inspect HTTP GET and POST requests to understand client-server communication.
ICMP Ping: Monitor ICMP Echo Request and Reply packets to visualize network reachability between hosts.
Port Scanning Detection: Simulate a network scan and learn how to spot unusual traffic patterns in the packet table.

The simulation interface mimics Wireshark’s layout, including:

Packet Table: Displays captured packets with details like timestamp, source/destination IP, protocol, and packet length.
Details Panel: Expand any packet to view its layers and headers for deeper analysis.
Statistics Charts: Visual graphs showing protocol distribution, packet counts, and traffic trends.
Network Topology View: Visual representation of hosts and connections to help you understand network structure.

Use these simulations to practice real-world network analysis techniques and improve your packet inspection skills in a safe, interactive environment.

Learn More

Official site: https://www.wireshark.org
User’s Guide: Wireshark Documentation

Filter Query Examples

Use these queries to practice filtering packets, similar to Wireshark.

1. Basic Free Text Search

http → matches any row containing “http”.
192.168.1.2 → matches any row with this IP.

2. Field Equality (==)

protocol==tcp → only TCP packets.
source==192.168.1.2 → packets from this IP.
dest==172.217.0.14 → packets to this IP.

3. Negation (!=)

protocol!=tcp → all non-TCP packets.
source!=192.168.1.2 → exclude this source.

4. Multiple Values

protocol==tcp,udp → match both TCP and UDP.
source==192.168.1.2,192.168.1.3 → packets from either IP.

5. OR Conditions

protocol==tcp|udp → matches TCP or UDP.
flags==syn|ack → match if packet has SYN or ACK.

6. Numeric Comparisons

length>60 → packets larger than 60 bytes.
length<=100 → packets 100 bytes or smaller.
destport==80 → packets going to port 80.

7. Flags (Array Field)

flags==syn → packets with SYN flag.
flags==syn,ack → packets with SYN or ACK.
flags!=fin,urg → exclude FIN and URG flags.

8. AND Conditions (space separated)

protocol==tcp source==192.168.1.2 → TCP packets from this IP.
protocol==udp length>50 → UDP packets larger than 50 bytes.

9. Grouping with Parentheses

(protocol==tcp|udp) flags==syn → TCP or UDP packets with SYN.
(source==192.168.1.2|192.168.1.3) protocol==tcp → TCP packets from either source.

10. Complex Queries

(protocol==tcp|udp flags==syn|ack) source==192.168.1.2 length>60 flags!=fin → TCP/UDP packets with SYN or ACK, from 192.168.1.2, length > 60, excluding FIN.

💡 Tip: Start simple (protocol==tcp) and gradually add conditions with spaces (AND) and pipes (OR).

Packet Analysis Exercises

Use the simulator to capture packets and answer the questions.

Wireshark Filter Cheat Sheet

Quick reference for all 50 exercises. Use these filters to practice queries.

1. protocol==TCP destport==80 → Find first HTTP GET source IP
2. protocol==TCP destport==80 info==Response → Destination IP of HTTP Response
3. protocol==TCP flags==SYN destport==80 → IPs sending SYN (TCP SYN Flood)
4. protocol==ARP info==Fake → Device sending fake ARP reply
5. protocol==UDP destport==53 info==Query → Count DNS queries
6. protocol==ICMP info==Request dest==8.8.8.8 → IP sending ping to 8.8.8.8
7. protocol==TCP destport==443 → TLS handshake count
8. protocol==IPv6 info==Echo Request → IPv6 Echo Request sender
9. protocol==TCP destport==22 → SSH connection attempt
10. protocol==TCP destport==25 → SMTP connection attempt
11. protocol==UDP destport==123 info==Request → NTP request source
12. protocol==UDP destport==1194 info==Handshake → OpenVPN handshake source
13. protocol==TCP destport==443 info==Camera → Smart Camera upload IP
14. protocol==TCP destport==3389 flags==SYN → RDP brute force IPs
15. protocol==TCP destport==445 length>150 → SMB EternalBlue packets
16. protocol==TCP source==192.168.1.2 → All TCP from 192.168.1.2
17. protocol==UDP destport==53 → DNS queries to servers
18. protocol==ARP info==Fake → ARP poisoning attacker
19. protocol==ICMP info==Reply → Count ICMP replies
20. protocol==TCP destport==443 info==Client Hello → TLS Client Hello source
21. protocol==TCP flags==SYN,ACK → TCP packets with SYN+ACK
22. protocol==TCP destport==445 info==Scan → SMB scanning IP
23. protocol==TCP flags>1 → Packets with multiple flags
24. dest==8.8.8.8 → IPs communicating with Google DNS
25. length>100 → Packets >100 bytes
26. protocol==TCP flags==SYN → SYN-only packets
27. source==192.168.1.50 destport==445 → SMB scan from .50
28. protocol==TCP flags==PSH,ACK → PSH+ACK packets
29. destport==443 → All HTTPS packets
30. protocol==TCP length==60 → TCP packets with length 60
36. protocol==TCP source==192.168.1.2 flags==SYN|ACK → TCP SYN/ACK from .2
37. destport==445 length>150 → Exploit packets
38. protocol==TCP destport==3389 flags==SYN → RDP brute force
39. length>59 length<=100 → Packets between 60–100 bytes
40. source==192.168.1.50 destport==445 → Internal SMB scanner
41. protocol==TCP flags==SYN dest!=192.168.1.2 → Multi-dest SYN packets
42. (source==192.168.1.2 length>60)|flags==SYN → Complex filter example
43. protocol==TCP destport==3389 source==192.168.1.2|192.168.1.200 → RDP from internals
44. flags==ACK → All packets with ACK
45. source==192.168.1.150|192.168.1.151 → Smart IoT devices
46. protocol==UDP info==Response → UDP responses
47. protocol==TCP destport==443 source==192.168.1.2|192.168.1.150|192.168.1.151 → HTTPS from internals
48. info==HTTP → All HTTP packets
49. source==192.168.1.120|192.168.1.121|192.168.1.200 → Hosts attempting SSH/SMTP/RDP
50. destport==3389|destport==445 length>150|info==EternalBlue → Suspicious activity

Packet Capture / Wireshark Terminology

Quick-reference glossary — expand any item to read the definition.

Frame — the physical/link-layer representation of network data as transmitted on a medium (Ethernet/Wi-Fi). It contains headers, trailers, and the payload (which may include an IP packet).

Encapsulation — wrapping data with protocol headers/metadata as it moves down the OSI/stack (e.g., HTTP → TCP segment → IP packet → Ethernet frame).

Payload — the actual data carried inside a packet (e.g., HTML body, DNS query string). Not the headers — the useful content.

Handshake — initial negotiation between endpoints before data exchange (e.g., TCP 3-way: SYN → SYN/ACK → ACK; TLS Client/Server Hello exchanges).

Retransmission — when a sender resends packets because they were lost or not acknowledged. Frequent retransmits indicate reliability/latency issues or packet loss.

Duplicate ACK — repeated ACK packets for the same sequence number. Often a sign of lost packets or reordering; used by TCP for fast retransmit detection.

Checksum — a calculated value to verify packet integrity. If corrupted in transit, checksums may fail and Wireshark can flag them (sometimes NIC offload will make checksums appear invalid in captures).

MTU — largest payload size that can traverse a link without fragmentation. Mismatched MTUs can cause fragmentation or dropped packets.

Promiscuous Mode — NIC setting that receives all traffic on a segment, not just frames addressed to the host. Useful for full-segment captures (may be limited on switched networks).

SPAN / Port Mirroring — switch feature that copies (mirrors) traffic from one or more ports to a monitoring port where you run the capture tool.

Capture filter — applied before data collection to limit what is saved (BPF syntax). Display filter — applied after capture to refine what you see (Wireshark display-filter syntax).

Expert Info — Wireshark feature that surfaces anomalies, errors, and warnings (e.g., malformed packets, retransmissions) to speed troubleshooting.

Follow TCP Stream — reconstructs an ordered TCP conversation (both directions) so you can view application data (e.g., full HTTP request/response) in one place.

Name Resolution — translating raw IP or port numbers into hostnames or service names (e.g., port 80 → HTTP). Handy for readability, but can be disabled if you need raw values.

RTT — time it takes for a packet to travel to a destination and back. Useful for latency analysis and performance tuning.

Malformed Packet — packet that violates protocol structure (headers missing/invalid). Could indicate capture corruption, misconfiguration, or malicious traffic.

Decryption in Wireshark — Wireshark can decrypt TLS/WPA2 captures if given the appropriate keys (pre-master secrets, PSKs). Useful to inspect encrypted payloads during debugging.

Coloring Rules — custom rules in Wireshark to highlight packets that match conditions (e.g., SYNs in red). Great for quickly spotting specific traffic patterns.

Scenario-Based Exercises

Capture Workspace

Controls

Network Topology

192.168.1.2

172.217.0.14

192.168.1.105

192.168.1.106

192.168.1.50

Router

Captured Packets

No.	Time	Source	Destination	Protocol	Length	Info

Packets: 0 Status: Stopped

Packet Details

Click on a packet to view details.

Traffic Statistics

Sart the simulation capture to see Stats.