Wireshark 101: Essential Skills for Network Analysis (2nd Edition)

This book is based on the most common questions posed by Wireshark Users and over 20 years of experience analyzing networks and teaching analysis skills.

This 2nd Edition covers Wireshark version 2 functionality.

Check out the Table of Contents in the Preview Pages section to view the numerous skills and labs contained in this title. Jump directly to a skill you wish to master, or follow along from start to end to gradually enhance your Wireshark network analysis capabilities.

Who is this Book For?

This book is written for beginner analysts and includes 46 step-by-step labs to walk you through many of the essential skills contained herein. This book provides an ideal starting point whether you are interested in analyzing traffic to learn how an application works, you need to troubleshoot slow network performance, or determine whether a machine is infected with malware. Learning to capture and analyze communications with Wireshark will help you really understand how TCP/IP networks function.

Wireshark is the most popular network analyzer tool in the world, and the time you spend honing your skills with it will pay off when you read technical specs, marketing materials, security briefings, and more. This book can also be used by current analysts who need to practice the skills contained in this book. In essence, this book is for anyone who really wants to know what's happening on their network.

Book Details

Paperback ISBN: 978-1893939752
Page Count: 408

Teaching Wireshark? Learn about the Student Manual version
(see Teach Wireshark).

Purchasing Options

This book is available through Amazon and any bookstore that orders through the Ingram Book Distribution system. Since this Second Edition title is new, not all global Amazon sites may have the title available yet.

Bulk purchases (over 50 books) can be ordered directly from Chappell University. Email your bulk purchase quantity request to info@chappellU.com.


PAGE 155 (Thanks to Patrick for catching this one.)

On page 155 of this second edition, I addressed the dangers of using the http filter rather than tcp.port==80. The http filter won't show you the TCP handshake, ACKs, teardown, etc. I always want to see these things.

In the book, I referred to the different number of packets that you would see in these cases:

- TCP reassembly disabled: 12 packets match the http filter
- TCP reassembly enabled: 85 packets match the http filter

The second result is now outdated as changes have been made to the HTTP dissector. Wireshark used to only show packets that contain an HTTP request or response code - it would ignore the data packets seen when an object is uploaded/downloaded. This is why we would only see 85 packets with the http filter. Now, Wireshark recognizes that when an object upload/download requires multiple packets, those packets can still be considered part of the HTTP communication and they are displayed with the http filter.

If you want to avoid this confusion completely, just use the tcp.port==x filter format for TCP-based applications.
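To make the difference concrete without a trace file, here is an added example (not code from the book or from the Wireshark project). It hand-builds a twelve-packet HTTP/1.1 download as raw Ethernet/IPv4/TCP frames, parses them back, and applies three filter approximations: tcp.port==80, an "http" filter that only keeps segments carrying a request line or status line (the older dissector behaviour the errata describes), and an "http" filter that also keeps the body continuation segments (the current behaviour). The IP addresses, MACs, port numbers and payloads are constructed, and the two "http" functions are simplified models of the dissector, not its actual logic.

```python
"""Constructed comparison of the 'http' display filter and 'tcp.port==80'.

Added example, not the book's code. Builds a small hand-made HTTP/1.1 download
(handshake, request, three response segments, teardown) as raw frames, parses
them back, and shows which packets each filter approximation keeps.
"""
import struct

CLIENT = (bytes([192, 0, 2, 10]), 51234)   # constructed client IP / ephemeral port
SERVER = (bytes([192, 0, 2, 80]), 80)      # constructed server IP / port 80
FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def build_frame(src, dst, seq, ack, flags, payload=b""):
    """Minimal Ethernet II / IPv4 / TCP frame. MACs and checksums are placeholders;
    the parser below does not validate them."""
    tcp = struct.pack("!HHIIBBHHH", src[1], dst[1], seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, src[0], dst[0])
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp


def parse_frame(frame):
    """Return the TCP fields a display filter would look at."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not IPv4")
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    tcp_start = 14 + ihl
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", frame[tcp_start:tcp_start + 14])
    data_off = (off_flags >> 12) * 4
    payload = frame[tcp_start + data_off:14 + total_len]
    return {"sport": sport, "dport": dport, "seq": seq, "flags": off_flags & 0x1FF, "payload": payload}


def build_sample_stream():
    """One constructed GET of a 4160-byte object, delivered as 1360 + 1400 + 1400 bytes."""
    req = b"GET /file.bin HTTP/1.1\r\nHost: server.example\r\n\r\n"
    hdr = b"HTTP/1.1 200 OK\r\nContent-Length: 4160\r\n\r\n"
    seg1, seg2, seg3 = hdr + b"A" * 1360, b"B" * 1400, b"C" * 1400
    r = 1 + len(req)
    s1, s2 = 1 + len(seg1), 1 + len(seg1) + len(seg2)
    s3 = s2 + len(seg3)
    return [
        build_frame(CLIENT, SERVER, 0, 0, SYN),                 # 1  handshake
        build_frame(SERVER, CLIENT, 0, 1, SYN | ACK),           # 2
        build_frame(CLIENT, SERVER, 1, 1, ACK),                 # 3
        build_frame(CLIENT, SERVER, 1, 1, PSH | ACK, req),      # 4  HTTP request
        build_frame(SERVER, CLIENT, 1, r, ACK),                 # 5  ACK of the request
        build_frame(SERVER, CLIENT, 1, r, ACK, seg1),           # 6  status line + first body bytes
        build_frame(SERVER, CLIENT, s1, r, ACK, seg2),          # 7  body continuation
        build_frame(SERVER, CLIENT, s2, r, PSH | ACK, seg3),    # 8  body continuation
        build_frame(CLIENT, SERVER, r, s3, ACK),                # 9  client ACKs the data
        build_frame(SERVER, CLIENT, s3, r, FIN | ACK),          # 10 teardown
        build_frame(CLIENT, SERVER, r, s3 + 1, FIN | ACK),      # 11
        build_frame(SERVER, CLIENT, s3 + 1, r + 1, ACK),        # 12
    ]


def tcp_port_filter(pkts, port=80):
    """tcp.port==80: every segment of the conversation, with or without payload."""
    return [p for p in pkts if port in (p["sport"], p["dport"])]


def is_http_header(payload):
    return payload.startswith(HTTP_METHODS) or payload.startswith(b"HTTP/1.")


def http_filter_headers_only(pkts):
    """Model of the older behaviour in the errata: only segments carrying an HTTP
    request line or status line count as 'http'."""
    return [p for p in pkts if is_http_header(p["payload"])]


def http_filter_stream_aware(pkts):
    """Model of the current behaviour: once a direction of the stream has shown an
    HTTP header, later payload-bearing segments are part of that HTTP message.
    Empty segments (handshake, pure ACKs, FINs) are still excluded."""
    seen, kept = set(), []
    for p in pkts:
        key = (p["sport"], p["dport"])
        if not p["payload"]:
            continue
        if is_http_header(p["payload"]):
            seen.add(key)
            kept.append(p)
        elif key in seen:
            kept.append(p)
    return kept


def summarize():
    pkts = [parse_frame(f) for f in build_sample_stream()]
    return {
        "tcp_port_80": len(tcp_port_filter(pkts)),
        "http_headers_only": len(http_filter_headers_only(pkts)),
        "http_stream_aware": len(http_filter_stream_aware(pkts)),
    }


if __name__ == "__main__":
    for name, n in summarize().items():
        print(f"{name:18s} {n:2d} packets")
```

Run as a script it prints the three counts: all 12 packets for tcp.port==80, 2 for the header-only model and 4 for the stream-aware model. Neither "http" variant ever shows the SYN, SYN/ACK, pure ACKs or FINs, which is exactly the information you lose when troubleshooting with the http filter alone.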

Legal Stuff

You agree to indemnify and hold Protocol Analysis Institute and its subsidiaries, affiliates, officers, agents, employees, partners and licensors harmless from any claim or demand, including reasonable attorneys' fees, made by any third party due to or arising out of your use of the included trace files, your violation of the TOS, or your violation of any rights of another.


You may not reproduce, duplicate, copy, sell, trade, resell or exploit for any commercial purposes, any of the trace files available on this site.


All Access Pass (AAP)

Purchase a one-year subscription for online, on-demand training. You may access courses as many times as you like anytime, anywhere with an Internet connection. Train online on your own schedule.

All Access Pass members are invited to join Laura Chappell for special live online events, as well. These events highlight new products, tools and techniques in network analysis.

The AAP Portal offers a tracking and CPE credit system to indicate where you are in a course and the number of CPE credits achieved.

Purchase an AAP Subscription

Price: $699 single-seat license. For quantity discount pricing, visit Chappell University's Pricing Page (Online Option) or contact us.


Preview Pages

Table of Contents


Sort column contents for max/min/alpha values
[Page 62]

Sample lab focused on importing a custom profile
[Page 85]

Detect when Wireshark can't keep up during capture
[Page 120]

Quick Reference: Display Filter Area
[Page 138]

Graph application bandwidth using tcp.port and udp.port
[Page 246]

Use Tshark to export field values and statistics from trace files
[Page 321]