
A Beginner’s Guide to Wireshark Network Analysis

Ever wondered what actually happens when you click on facebook.com?

While you see your feed, your browser exchanges data with Facebook’s servers. Everything from the initial connection through the HTTPS handshake to the encrypted page content is part of that process.

I analyzed 1,456 packets using Wireshark during a visit to Facebook to show exactly what your browser is doing. This article explains how to read that network exchange in plain terms and is suitable for learners and analysts.


What is Wireshark and Why Should You Care?

Wireshark listens to network traffic on an interface, captures packets, and displays details about each protocol involved. It helps to:

  • Troubleshoot connection or performance issues
  • Understand application network behavior
  • Identify security risks
  • Learn networking protocols in practice

In short, it shows the otherwise hidden details of internet traffic.


Your Packet Capture: The Numbers That Matter

During one visit to Facebook, the capture included:

  • 1,456 packets
  • 15+ seconds of activity
  • TLS 1.3 connection
  • IPv6
  • Port 443 (HTTPS)

A single visit can generate many packets. Each packet carries a small part of the conversation.


The TCP Three-Way Handshake: The Doorbell of the Internet

Connection setup follows a three-step TCP handshake.

Step 1: “Knock, Knock” (Packet 1)

Your computer sends a SYN to Facebook:

"Hello Facebook, can we talk?"

The SYN carries an ephemeral source port chosen by your operating system (e.g., 59298), destination port 443, the client's initial sequence number, and TCP options that shape the rest of the connection, such as the maximum segment size (MSS) and the window scale factor.

Step 2: “Come In!” (Packet 2)

Facebook replies with SYN-ACK, acknowledging the client's sequence number plus one and supplying its own initial sequence number and options:

"Yes, I'm ready to talk!"

Step 3: “Thanks!” (Packet 3)

Your computer sends the final ACK:

"Great, let's start!"

After this, the TCP connection is established. The whole exchange costs one round trip (SYN out, SYN-ACK back; the final ACK leaves at once), about 0.03 seconds in this capture.
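The handshake checks above can be done by hand on raw frames. The following is an added example written for this article (not Wireshark code and not the author's capture data): it constructs three Ethernet/IPv6/TCP frames that mirror the capture, with made-up MAC addresses, documentation-prefix IPv6 addresses, sequence numbers and timestamps, parses them back, and verifies the SYN, SYN-ACK, ACK arithmetic. It also shows where two numbers later in the article come from: a pure ACK over IPv6 with a timestamp option is exactly 86 bytes on the wire, and a window field of 512 becomes 131,072 bytes once the scale factor negotiated in the SYN is applied.

```python
"""Parse raw Ethernet/IPv6/TCP frames and verify a three-way handshake.

Added example written for this article; not Wireshark code and not frames from
the author's capture. MAC addresses, IPv6 addresses (documentation prefix),
sequence numbers and timestamps are made-up placeholders.
"""
import ipaddress
import struct
from collections import namedtuple

SYN, ACK = 0x02, 0x10
CLIENT, SERVER = "2001:db8::10", "2001:db8::443"   # placeholders, not the article's addresses
Segment = namedtuple("Segment", "src dst sport dport seq ack flags window options frame_len")


def tcp_options(mss=None, wscale=None, ts=None):
    """Encode MSS, window-scale and timestamp options, NOP-padded to 32-bit words."""
    raw = b""
    if mss is not None:
        raw += struct.pack("!BBH", 2, 4, mss)
    if wscale is not None:
        raw += b"\x01" + struct.pack("!BBB", 3, 3, wscale)
    if ts is not None:
        raw += b"\x01\x01" + struct.pack("!BBII", 8, 10, *ts)
    return raw


def build_frame(src, dst, sport, dport, seq, ack, flags, window, options=b""):
    """Ethernet + IPv6 + TCP header with no payload (checksum left zero; never sent)."""
    offset_flags = (((20 + len(options)) // 4) << 12) | flags
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, window, 0, 0) + options
    ipv6 = (struct.pack("!IHBB", 0x60000000, len(tcp), 6, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)
    return b"\x00" * 12 + b"\x86\xdd" + ipv6 + tcp


def parse_options(raw):
    """Decode the options this article cares about: MSS (2), window scale (3), timestamps (8)."""
    opts, i = {}, 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                 # end of option list
            break
        if kind == 1:                 # NOP padding
            i += 1
            continue
        length, body = raw[i + 1], raw[i + 2:i + raw[i + 1]]
        if kind == 2:
            opts["mss"] = struct.unpack("!H", body)[0]
        elif kind == 3:
            opts["wscale"] = body[0]
        elif kind == 8:
            opts["tsval"], opts["tsecr"] = struct.unpack("!II", body)
        i += length
    return opts


def parse_frame(frame):
    if frame[12:14] != b"\x86\xdd":
        raise ValueError("not an IPv6 frame")
    ip = frame[14:54]
    payload_len, next_header = struct.unpack("!HB", ip[4:7])
    if next_header != 6:
        raise ValueError("not TCP")
    tcp = frame[54:54 + payload_len]
    sport, dport, seq, ack, offset_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    header_len = (offset_flags >> 12) * 4
    return Segment(str(ipaddress.IPv6Address(ip[8:24])), str(ipaddress.IPv6Address(ip[24:40])),
                   sport, dport, seq, ack, offset_flags & 0x1FF, window,
                   parse_options(tcp[20:header_len]), len(frame))


def verify_handshake(segs):
    """Check SYN, SYN-ACK, ACK ordering and the seq/ack arithmetic between them."""
    if len(segs) != 3:
        return False, "expected exactly three segments"
    syn, synack, ack = segs
    if (syn.flags & (SYN | ACK)) != SYN:
        return False, "first segment is not a bare SYN"
    if (synack.flags & (SYN | ACK)) != (SYN | ACK) or (synack.sport, synack.dport) != (syn.dport, syn.sport):
        return False, "second segment is not the SYN-ACK for this connection"
    if synack.ack != (syn.seq + 1) & 0xFFFFFFFF:
        return False, "SYN-ACK does not acknowledge the SYN"
    if (ack.flags & (SYN | ACK)) != ACK or ack.ack != (synack.seq + 1) & 0xFFFFFFFF:
        return False, "final ACK does not acknowledge the SYN-ACK"
    return True, "established"


def analyse(frames):
    """Summarise what Wireshark would report for the three handshake frames."""
    segs = [parse_frame(f) for f in frames]
    ok, reason = verify_handshake(segs)
    return {"ok": ok, "reason": reason,
            "mss": min(segs[0].options["mss"], segs[1].options["mss"]),   # the smaller MSS bounds both directions
            "ack_frame_len": segs[2].frame_len,                              # 14 + 40 + 20 + 12 = 86 bytes
            "client_window": segs[2].window << segs[0].options.get("wscale", 0)}  # raw field times 2^scale


# Constructed handshake: the SYN carries MSS, window scale and timestamps; the ACK only timestamps.
HANDSHAKE = [
    build_frame(CLIENT, SERVER, 59298, 443, 1000, 0, SYN, 64800, tcp_options(1440, 8, (100, 0))),
    build_frame(SERVER, CLIENT, 443, 59298, 5000, 1001, SYN | ACK, 65535, tcp_options(1440, 7, (900, 100))),
    build_frame(CLIENT, SERVER, 59298, 443, 1001, 5001, ACK, 512, tcp_options(ts=(101, 900))),
]

if __name__ == "__main__":
    print(analyse(HANDSHAKE))
```

Run it and the printed dictionary reports the handshake as established, the 1440-byte MSS both ends advertised, the 86-byte ACK frame and the scaled window. Swap the SYN-ACK's acknowledgement number and verify_handshake() names what went wrong, which is the same check Wireshark's expert info performs for you.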


The TLS 1.3 Handshake: Encrypting the Connection

After TCP is up, the TLS handshake begins (HTTPS is HTTP carried inside TLS).

Client Hello: “Here’s What I Speak” (Packet 5)

Client Hello (SNI=www.facebook.com)
Supported cipher suites, client random, a supported_versions extension offering TLS 1.3, and a key_share extension carrying the client's ephemeral Diffie-Hellman public key

SNI (Server Name Indication) names the intended hostname in cleartext so the server can pick the right certificate. It is the one field in a TLS 1.3 capture that tells an observer which site was visited.

Server Hello: “Let’s Use This” (Packets 7–9)

Server Hello
Change Cipher Spec
Encrypted handshake records (shown by Wireshark as Application Data)

The server picks one cipher suite from the client's list, confirms TLS 1.3 in its own supported_versions extension, and returns its key_share. In TLS 1.3 the Change Cipher Spec message is a dummy kept only so that middleboxes expecting TLS 1.2 do not choke; it changes nothing. Everything after Server Hello, including the Certificate, CertificateVerify and Finished messages, is already encrypted, which is why Wireshark cannot show the server's certificate for a TLS 1.3 session unless it is given the session keys.

The Magic: Key Exchange (Packets 12–25)

Each side combines its own ephemeral private key with the other's key_share to compute the same shared secret, then derives handshake and application traffic keys from it. No key ever crosses the wire, and both private keys are discarded after the session, which is what gives TLS 1.3 forward secrecy. The client's Finished message completes the handshake; from then on every record is Application Data.
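To make the cleartext part of the handshake concrete, here is an added example written for this article (not Wireshark's TLS dissector and not from the author's capture). It builds a TLS 1.3 Client Hello and Server Hello by hand and parses back the fields Wireshark can still show: SNI, offered and selected versions, cipher suites and key-share groups. Random values and key shares are zero-filled placeholders and nothing is sent on the network; record_type() shows why the encrypted remainder of the handshake is listed as Application Data.

```python
"""Build and parse the cleartext TLS 1.3 messages: Client Hello and Server Hello.

Added example written for this article; not Wireshark's TLS dissector and not
from the author's capture. Random values and key shares are zero-filled
placeholders, and nothing here is sent on the network.
"""
import struct

TLS13 = 0x0304
SUITES = {0x1301: "TLS_AES_128_GCM_SHA256", 0x1302: "TLS_AES_256_GCM_SHA384",
          0x1303: "TLS_CHACHA20_POLY1305_SHA256"}
GROUPS = {0x001d: "x25519", 0x0017: "secp256r1"}
RECORD_TYPES = {0x14: "Change Cipher Spec", 0x15: "Alert", 0x16: "Handshake", 0x17: "Application Data"}


def _ext(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body


def _record(handshake_type, body):
    """Wrap a handshake message in a TLS record (legacy record version 0x0301, as real clients send)."""
    hs = bytes([handshake_type]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, 0x0301, len(hs)) + hs


def build_client_hello(sni, versions=(TLS13, 0x0303), suites=(0x1301, 0x1302, 0x1303), group=0x001d):
    host = sni.encode()
    sni_ext = _ext(0, struct.pack("!HBH", len(host) + 3, 0, len(host)) + host)
    ver_ext = _ext(43, bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions))
    share = struct.pack("!HH", group, 32) + b"\x00" * 32          # placeholder x25519 public key
    ks_ext = _ext(51, struct.pack("!H", len(share)) + share)
    exts = sni_ext + ver_ext + ks_ext
    body = (struct.pack("!H", 0x0303) + b"\x00" * 32 + b"\x00"     # legacy_version, random, empty session id
            + struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)   # null compression, then extensions
    return _record(1, body)


def build_server_hello(version=TLS13, suite=0x1301, group=0x001d):
    exts = _ext(43, struct.pack("!H", version)) + _ext(51, struct.pack("!HH", group, 32) + b"\x00" * 32)
    body = (struct.pack("!H", 0x0303) + b"\x00" * 32 + b"\x00" + struct.pack("!HB", suite, 0)
            + struct.pack("!H", len(exts)) + exts)
    return _record(2, body)


def record_type(record):
    """What Wireshark's Info column calls a record it cannot decrypt."""
    return RECORD_TYPES.get(record[0], "unknown")


def _extensions(raw):
    out, i = {}, 0
    while i < len(raw):
        ext_type, n = struct.unpack("!HH", raw[i:i + 4])
        out[ext_type] = raw[i + 4:i + 4 + n]
        i += 4 + n
    return out


def _u16_list(raw, start, end):
    return [struct.unpack("!H", raw[j:j + 2])[0] for j in range(start, end, 2)]


def parse_hello(record):
    """Return the cleartext fields of a Client Hello (type 1) or Server Hello (type 2)."""
    ctype, _, rlen = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a handshake record: " + record_type(record))
    hs = record[5:5 + rlen]
    htype, body = hs[0], hs[4:4 + int.from_bytes(hs[1:4], "big")]
    i = 2 + 32                                   # skip legacy_version and random
    i += 1 + body[i]                             # skip legacy session id
    if htype == 1:
        n = struct.unpack("!H", body[i:i + 2])[0]
        suites = _u16_list(body, i + 2, i + 2 + n)
        i += 2 + n
        i += 1 + body[i]                         # skip compression methods
        exts = _extensions(body[i + 2:])
        sni = exts[0][5:5 + struct.unpack("!H", exts[0][3:5])[0]].decode() if 0 in exts else None
        vers = exts.get(43, b"\x00")
        groups, ks, j = [], exts.get(51, b""), 2
        while j < len(ks):
            group, klen = struct.unpack("!HH", ks[j:j + 4])
            groups.append(group)
            j += 4 + klen
        return {"type": "ClientHello", "sni": sni, "versions": _u16_list(vers, 1, 1 + vers[0]),
                "suites": suites, "groups": groups}
    if htype == 2:
        suite = struct.unpack("!H", body[i:i + 2])[0]
        exts = _extensions(body[i + 5:])         # skip suite, compression byte, extensions length
        version = struct.unpack("!H", exts[43])[0] if 43 in exts else 0x0303   # no extension: TLS 1.2 or lower
        group = struct.unpack("!H", exts[51][:2])[0] if 51 in exts else None
        return {"type": "ServerHello", "version": version, "suite": suite, "group": group}
    raise ValueError("unexpected handshake type %d" % htype)


def summarize(client_hello, server_hello):
    """Cross-check the server's choices against what the client offered, as an analyst would."""
    ch, sh = parse_hello(client_hello), parse_hello(server_hello)
    if sh["version"] not in ch["versions"] or sh["suite"] not in ch["suites"] or sh["group"] not in ch["groups"]:
        raise ValueError("server selected parameters the client did not offer")
    return {"sni": ch["sni"], "version": "TLS 1.3" if sh["version"] == TLS13 else hex(sh["version"]),
            "suite": SUITES.get(sh["suite"], hex(sh["suite"])), "group": GROUPS.get(sh["group"], hex(sh["group"]))}
```

summarize() reproduces the check an analyst makes when reading the two Hellos in Wireshark: the server may only pick a version, suite and group the client offered. Feed it a Server Hello that selects something else and it raises, which in a real capture would be the moment to look for a misbehaving middlebox.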


Encrypted Application Data: The Real Conversation

Post-handshake, everything is encrypted and appears as Application Data.

What’s Actually Being Transferred?

Client sends: HTTP requests for pages, assets, and API calls.
Server sends: HTML, CSS, JS, images, and JSON.

Understanding Packet Sizes

Wireshark's Length column counts the whole frame, headers included. In this capture:

  • 86 bytes: pure ACKs carrying no data
  • 150–300 bytes: small requests/responses
  • ~1466 bytes: full-size data segments

Why these sizes? An 86-byte ACK is 14 bytes of Ethernet header, 40 bytes of IPv6 header and a 32-byte TCP header (20 bytes plus a 12-byte timestamp option). For data, the Ethernet MTU is 1500 bytes; over IPv6 the 40-byte IP header and 20-byte TCP header leave a maximum segment size (MSS) of 1440 bytes of payload (1460 over IPv4), and TCP options such as timestamps are paid for out of that budget. Large transfers are cut into segments no bigger than the MSS, so the big frames all cluster near the same size.


The IP Addresses: Who’s Talking?

Your Device:
2003:c2:fYou:dvad:e579:scsd:eff7:fdfs

Facebook’s Server:
fYou:2880:f37a:1:face:b00c:0:25de

An IPv6 address identifies each endpoint for routing (the groups above that are not valid hexadecimal appear to be placeholders standing in for the real addresses). The client looked up www.facebook.com in DNS before sending the SYN, which is how it learned the server's address; the SNI in the Client Hello then repeats the hostname so the server knows which site's certificate to present.


TCP Window Management: The Traffic Controller

Each receiver advertises a window: how many more bytes the other side may send beyond what has already been acknowledged. The window field in the TCP header is only 16 bits (at most 65,535), so both ends negotiate a window scale factor in the SYN and SYN-ACK, and every later window value is multiplied by 2^scale. Wireshark does this multiplication for you and shows the result as the calculated window size.

Observable in the capture:

  • Window updates to 131,072 bytes (a raw value of 512 scaled by 2^8 would give this figure)
  • Server bursts of full-size segments followed by timely client ACKs
  • Larger windows allowing more data in flight per round trip, hence higher throughput

Flow control prevents the sender from transmitting faster than the receiver can buffer and process; it is separate from congestion control, which throttles the sender for the network's sake.


TCP Segmentation: Breaking Big Data into Small Pieces

TCP splits large payloads into segments no larger than the MSS:

Actual Data: 50,000 bytes
↓
TCP: "At an MSS of 1440 that is 35 segments: 34 full ones plus a 1,040-byte tail"
↓
Segments transmitted (not necessarily arriving in order)
↓
Your computer: "Thanks, I'll glue these back together!"

Wireshark does the same bookkeeping when it dissects the capture. Each piece of a multi-segment TLS record is marked in the Info column as

[TCP segment of a reassembled PDU]

and the frame that completes the record shows the rebuilt payload, while each piece carries a [Reassembled PDU in frame: N] pointer to it. A hole in the sequence numbers is flagged as "previous segment not captured" instead.
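The split and the reassembly, as an added example written for this article (not Wireshark's reassembly code): it derives the MSS from the MTU the way the packet-size section above describes, cuts a constructed 50,000-byte payload into segments, reassembles them after shuffling, and reports the hole left by a lost segment, which is what Wireshark flags as a previous segment not captured. segments_per_window() ties this to the window section: a 131,072-byte window holds 91 full 1440-byte segments, which is the burst a sender can have in flight before it must wait for an ACK.

```python
"""Segment a payload at the MSS and reassemble it from out-of-order pieces.

Added example written for this article; it is not Wireshark's reassembly code.
The 50,000-byte payload and the sequence numbers are constructed. The MSS is
derived from the 1500-byte Ethernet MTU the way a TCP stack does.
"""
import random


def advertised_mss(mtu=1500, ip_version=6):
    """MSS = MTU minus the IP header minus the 20-byte base TCP header; options come out of the MSS later."""
    return mtu - (40 if ip_version == 6 else 20) - 20


def segment(payload, isn, mss):
    """Cut payload into (seq, data) segments of at most mss bytes, like the sending TCP."""
    return [(isn + off, payload[off:off + mss]) for off in range(0, len(payload), mss)]


def reassemble(segments, isn):
    """Put segments back in sequence order.

    Returns (data, gaps). Each gap is a (from_seq, to_seq) hole that Wireshark
    would report as 'previous segment not captured'; the hole is zero-filled so
    that later data still lands at the right offset.
    """
    expected, out, gaps = isn, bytearray(), []
    for seq, data in sorted(segments):
        if seq > expected:                   # hole before this segment
            gaps.append((expected, seq))
            out.extend(b"\x00" * (seq - expected))
        elif seq < expected:                 # retransmission or overlap: keep only the new bytes
            data = data[expected - seq:]
            seq = expected
        out.extend(data)
        expected = seq + len(data)
    return bytes(out), gaps


def segments_per_window(window, mss):
    """Full-size segments the sender may have in flight before it must wait for an ACK."""
    return window // mss


def sample_payload(n, seed=0):
    """Constructed pseudo-random payload standing in for a large TLS record."""
    return bytes(random.Random(seed).getrandbits(8) for _ in range(n))


def shuffled_copy(segments, seed=1):
    """Deterministically reorder segments to imitate out-of-order arrival."""
    segs = list(segments)
    random.Random(seed).shuffle(segs)
    return segs


if __name__ == "__main__":
    mss = advertised_mss(1500, 6)
    segs = segment(sample_payload(50000), 5001, mss)
    print(len(segs), "segments at MSS", mss, "; window of 131072 holds", segments_per_window(131072, mss))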

Performance: Speed Under the Microscope

This capture reflects solid performance:

  • Handshake: ~0.05 seconds
  • First data: ~0.67 seconds
  • Round trips: mostly under 50 ms

How it’s optimized:

  • Server packet bursts
  • Prompt client ACKs
  • Window scaling for throughput
  • Segmentation and reassembly

Security Analysis: Is Your Data Safe?

TLS 1.3 provides strong encryption (AEAD cipher suites only), forward secrecy (an ephemeral Diffie-Hellman key share in every handshake), a one-round-trip key exchange, and a handshake authenticated by the server's certificate and signature.

Visible in cleartext to anyone on the path:

  • SNI (the domain name, in the Client Hello)
  • IP addresses, ports, packet sizes and timing
  • Basic handshake structure (Client Hello, Server Hello, then opaque records)

Protected after encryption:

  • Credentials
  • Post content
  • Private messages
  • API responses
  • The server's certificate and the rest of the handshake (encrypted in TLS 1.3, sent in the clear in TLS 1.2)

Encryption covers all application data. What remains observable is metadata, which is still enough for an on-path observer to tell which site you visited, when, and roughly how much you transferred.


Common Traffic Patterns in Web Browsing

The Initial Burst

Large transfers for HTML, CSS, and critical JS.

The Quiet Lull

Idle periods while the page renders.

The Keep-Alive Tap

Small packets keep the TCP connection alive.

The Constant Stream

Background requests for fresh content and analytics.


Key Takeaways: What Did We Learn?

Practical Networking Concepts

  • IPv6 addressing and routing
  • TCP reliability and flow control
  • TLS 1.3 handshake and encryption
  • How HTTP flows over TLS

Performance Insights

  • Timing and latency sources
  • Window scaling and segmentation effects

Security Fundamentals

  • What Wireshark can’t see after encryption
  • How TLS protects data in transit

Wireshark Analysis Tools You Should Know

  1. Protocol Hierarchy
  2. Flow Graph
  3. Conversations
  4. Expert Info

Troubleshooting Network Problems with Wireshark

High latency:

  • Inspect round-trip times: Wireshark computes one per ACK (display filter tcp.analysis.ack_rtt, or Statistics > TCP Stream Graphs > Round Trip Time)
  • Check retransmissions and duplicate ACKs (tcp.analysis.retransmission, tcp.analysis.duplicate_ack); a handful is normal, a steady stream means loss on the path

Connection failures:

  • SYN with no SYN-ACK, or a SYN answered by RST (tcp.flags.reset == 1) → host unreachable, port closed, or a firewall dropping or rejecting the connection
  • TLS alerts (tls.alert_message) right after the Hellos → certificate, version or cipher-suite mismatch between client and server
  • Timeouts → filtering or path issues

Why This Matters: Real-World Applications

For learners:

  • See protocols in action
  • Build practical skills

For professionals:

  • Diagnose issues quickly
  • Analyze application behavior
  • Verify security
  • Improve performance

Conclusion

From a brief Wireshark capture of a Facebook visit, you can observe the TCP handshake, TLS 1.3 negotiation, application data transfer, and modern performance practices. These tools let you analyze, diagnose, and optimize how applications communicate.

Try it yourself: capture a session to a familiar website and inspect the protocols and performance patterns in action.


Frequently Asked Questions

What is Wireshark used for?

Packet capture, troubleshooting, performance diagnosis, security analysis, and protocol learning.

Is it legal to capture Facebook traffic?

Capturing your own browser's traffic on a machine and network you control is fine. Capturing other people's traffic needs their consent or the network owner's authorization, and in many jurisdictions it is an offence without it; check local law and your organization's policy first.

Can I see passwords in Wireshark?

Not from a capture alone: the login request travels inside the encrypted TLS records. If the browser is your own, you can make Wireshark decrypt the session: set the SSLKEYLOGFILE environment variable before starting Firefox or Chrome so the browser writes its session secrets to that file, then point Wireshark at the file under Preferences > Protocols > TLS > (Pre)-Master-Secret log filename. With the keys loaded, Wireshark shows the HTTP requests, credentials included. Anyone without those keys sees only ciphertext.

Why are there so many packets?

Modern pages load many resources (HTML, CSS, JS, images, JSON).

TLS 1.2 vs TLS 1.3?

TLS 1.3 needs one round trip for the handshake instead of two, drops RSA key exchange and the legacy ciphers (RC4, CBC modes, 3DES) so that every session has forward secrecy, and encrypts the certificate and the rest of the handshake after Server Hello. The result is faster, simpler and harder to misconfigure.


Additional Resources

Learning Wireshark

  • Wireshark Official Documentation
  • Wireshark University

Protocol Specifications

  • TLS 1.3: RFC 8446
  • TCP: RFC 9293 (replaces RFC 793)
  • IPv6: RFC 8200 (replaces RFC 2460)

Recommended Reading

  • The TCP/IP Guide — Charles Kozierok
  • Wireshark Network Analysis — Laura Chappell
  • Facebook Engineering Blog

About the Capture

Capture Details

  • Total Packets: 1,456
  • Duration: ~15 seconds
  • Protocol: IPv6 over HTTPS (TLS 1.3)
  • Destination: www.facebook.com



How to Get Started with Wireshark

  1. Download and install from wireshark.org
  2. Capture on your main interface
  3. Browse to facebook.com
  4. Stop capture
  5. Apply the display filter tcp.port == 443; to isolate the Facebook session, filter on tls.handshake.extensions_server_name contains "facebook", then right-click a packet and choose Follow > TCP Stream
  6. Explore protocols and statistics

Disclaimer: This analysis is for educational purposes. Always ensure you have proper authorization before capturing network traffic.

Tags: Wireshark, Network Analysis, TLS 1.3, HTTPS, Facebook, TCP/IP, IPv6
Categories: Networking, Security, Education, Technology
