Last updated: March 21, 2026

Wireshark is a graphical network protocol analyzer that lets you capture and inspect every packet flowing through your network interface. For privacy work, it answers questions that no other tool can: what is that app actually sending home, is my VPN leaking, which domains does my phone contact when I’m not touching it, and is this connection actually encrypted?

This guide covers the privacy-relevant use cases: finding unexpected connections, verifying encryption, and detecting data exfiltration.

Table of Contents

Installation

Linux

Debian/Ubuntu
sudo apt install wireshark

During installation, select "yes" to allow non-root users to capture
Then add your user to the wireshark group:
sudo usermod -aG wireshark $USER
Log out and back in for group changes to take effect

Fedora
sudo dnf install wireshark

Arch
sudo pacman -S wireshark-qt

macOS

brew install --cask wireshark

macOS requires granting Wireshark permission to capture packets. Wireshark will prompt you to install the ChmodBPF package on first launch.

Windows

Download the official installer from wireshark.org. It includes Npcap (the Windows packet capture driver).

Step 1 - Capture Traffic on Your Interface

Launch Wireshark. The opening screen shows all available network interfaces and a live preview of traffic on each.

Select your active interface (usually:

Click the shark fin button or double-click the interface to start capturing.

Stop the capture after 60 seconds. even idle systems generate a lot of traffic. Save the capture file (File → Save As → .pcapng) before analyzing.

Step 2 - Filter for Interesting Traffic

The display filter bar at the top is where Wireshark’s power lies. Filters narrow the captured packets to what you care about.

All DNS queries. see what domains your system is looking up
dns

All HTTP traffic (unencrypted. should be rare in 2026)
http

All HTTPS/TLS traffic
tls

Traffic to or from a specific IP
ip.addr == 93.184.216.34

Traffic to or from a specific domain (requires DNS resolution)
First find the IP via - host example.com
Then filter by IP

All outbound traffic from your machine (replace with your IP)
ip.src == 192.168.1.100

All traffic except local network
ip.dst != 192.168.0.0/16 && ip.src != 192.168.0.0/16

Packets with specific port
tcp.port == 443

Unencrypted HTTP POST requests (potential data exfiltration)
http.request.method == "POST"

Step 3 - Identify Unexpected Connections

This is the core privacy use case. After capturing 60 seconds of idle traffic, filter for outbound connections to external IPs:

ip.src == YOUR_LOCAL_IP && !ip.dst == 192.168.0.0/16 && !ip.dst == 10.0.0.0/8

For each destination IP, look it up:

Reverse DNS lookup
dig -x 93.184.216.34

WHOIS to identify the organization
whois 93.184.216.34

Or use a web service:
https://ipinfo.io/93.184.216.34

Common unexpected connections to investigate:

Step 4 - Verify VPN Tunnel Encryption

When connected to a VPN, all external traffic should appear encrypted and routed through the VPN endpoint.

Capture traffic while connected to a VPN, then apply this filter:

Show all traffic NOT going to your VPN endpoint
Replace 203.0.113.50 with your VPN server IP
ip.dst != 203.0.113.50 && ip.src != 203.0.113.50 && !ip.dst == 192.168.0.0/16

This filter should return no results if your VPN is working. Any external connections bypassing the VPN endpoint indicate a leak.

To check what protocol is protecting the VPN tunnel:

WireGuard uses UDP
udp.port == 51820

OpenVPN default
udp.port == 1194

Check for plaintext content in captured packets
Right-click any packet → Follow → TCP Stream
Look for readable text in the stream content

Step 5 - Detect Unencrypted Data Transmission

Any packet transmitted over HTTP (not HTTPS) carries its content in plaintext. In Wireshark, follow the TCP stream of any HTTP connection to see exactly what was transmitted:

  1. Filter: http
  2. Right-click a packet → Follow → HTTP Stream
  3. Red text is what your system sent; blue is the response

If you see readable personal data. usernames, form values, tracking identifiers. in HTTP traffic, that data is being transmitted without encryption.

To find POST requests with bodies (most likely to contain sensitive data):

http.request.method == "POST"

Follow the stream on each result to inspect the posted content.

Step 6 - Inspect TLS Certificates

For HTTPS connections, you can verify the certificate being used without decrypting the traffic:

Filter - tls.handshake.type == 2 (ServerHello messages)

Right-click a packet → Follow → TLS Stream. Scroll to find the certificate details.

Or use the more targeted approach:

Show all TLS Client Hello packets (your system initiating connections)
tls.handshake.type == 1

Expand the packet details → Transport Layer Security → TLSv1.3 Record Layer
→ Handshake Protocol: Client Hello → Extension: server_name
This shows the SNI (Server Name Indication). the domain being connected to,
visible even in encrypted TLS traffic

The SNI field reveals the hostname of every HTTPS connection, even though the content is encrypted. This is a known privacy limitation of TLS. only Encrypted Client Hello (ECH) hides the SNI.

Step 7 - Analyze a Mobile Device

To inspect traffic from a phone or other device on your network, you need to capture at the router level or use ARP spoofing to route the device’s traffic through your capture machine.

The simpler approach - set up your laptop as a Wi-Fi hotspot that the phone connects to, then capture on the hotspot interface.

Linux - create hotspot via nmcli
nmcli device wifi hotspot ifname wlan0 ssid CaptureHotspot password "testpass123"

Start Wireshark on the hotspot interface
(usually ap0 or a second wlan interface)

This routes all phone traffic through your laptop’s wlan interface, which you can capture without any additional configuration on the phone.

Using tshark for Command-Line Analysis

For automated analysis or remote servers without a GUI:

Capture 60 seconds of traffic to file
sudo tshark -i eth0 -a duration:60 -w capture.pcapng

Extract all unique destination IPs from a capture file
tshark -r capture.pcapng -T fields -e ip.dst | sort -u

Extract all DNS queries
tshark -r capture.pcapng -Y dns -T fields -e dns.qry.name | sort -u

Find HTTP POST requests
tshark -r capture.pcapng -Y "http.request.method == POST" -V | grep -A5 "Host:"

Related Articles

Frequently Asked Questions

Who is this article written for?

This article is written for developers, technical professionals, and power users who want practical guidance. Whether you are evaluating options or implementing a solution, the information here focuses on real-world applicability rather than theoretical overviews.

How current is the information in this article?

We update articles regularly to reflect the latest changes. However, tools and platforms evolve quickly. Always verify specific feature availability and pricing directly on the official website before making purchasing decisions.

Are there free alternatives available?

Free alternatives exist for most tool categories, though they typically come with limitations on features, usage volume, or support. Open-source options can fill some gaps if you are willing to handle setup and maintenance yourself. Evaluate whether the time savings from a paid tool justify the cost for your situation.

Can I trust these tools with sensitive data?

Review each tool’s privacy policy, data handling practices, and security certifications before using it with sensitive data. Look for SOC 2 compliance, encryption in transit and at rest, and clear data retention policies. Enterprise tiers often include stronger privacy guarantees.

What is the learning curve like?

Most tools discussed here can be used productively within a few hours. Mastering advanced features takes 1-2 weeks of regular use. Focus on the 20% of features that cover 80% of your needs first, then explore advanced capabilities as specific needs arise.