Wednesday, December 10, 2014

Wireshark - Lesson 1


Wireshark is the go-to network traffic analyzer for enthusiasts. It is a robust program with a lot of options and settings available to the user, so it will be covered in a handful of lessons.

First, you can download it here: https://www.wireshark.org

So after you fire up a capture you will get a screen full of packets pretty quickly. An intimidating number of packets. So first we will talk about some ways to drill down into this pile.

Handy Filters to begin with

The most important filter IMHO is
ip.addr == 0.0.0.0
This filter will only show packets that have the provided IP address as either the source or the destination of the packet. This makes it easy to get a look at a single conversation.

Filter by port with this:
tcp.port == 443

Looking at Logins

Now I did a login on a site that does not have a certificate to show you how the login information is sent in clear text across the Internet.


Above is a look at some of the packets.
But I know we captured a login attempt, so let's try to find it.

Know this: you cannot create a filter based on the contents of the Info column.
If you want to search the Info column, either press CTRL+F or go to Edit->Find Packet...
and search in Packet Details or Packet Bytes.
[screenshot: Edit->Find Packet]


This grabbed the packet that I already had highlighted above. We can pop it open and look inside.
[screenshot: my exposed creds]

Here we can see, under the Form URL Encoded section, a nicely laid out list where my login creds are displayed.

Here is what it would look like on a site that encrypts your creds.
[screenshot: what stuff]

[screenshot: encrypted data]

You can see that this packet was sent over TLS, so everything was encrypted, but I assume this is the login information since it was the biggest packet coming from my source.
Look at the highlighted information above and notice how you cannot make out what the user name is. Thanks, HTTPS.

Web Search Queries

Search queries are often not encrypted. Google does now encrypt by default, but Bing, Baidu, Naver, and Xu do not.

Packets carrying search queries look like this:

[screenshot: search packet example]

You can see the search query nested in the GET request highlighted below.

[screenshot: highlighted query]
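The two sections above (the cleartext login and the search query in a GET request) can be checked the same way outside Wireshark. The script below is an added example, not from the original post: it takes constructed TCP payloads, parses the ones that are plain HTTP the way Wireshark's Form URL Encoded section does, flags readable form fields whose names look like credentials, and reports a TLS record as opaque. The host names and field names are made up for the demo.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample payloads: a cleartext HTTP login POST, a GET that carries
# a search query, and a TLS application-data record standing in for the HTTPS login.
SAMPLE_PAYLOADS = [
    b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 31\r\n\r\n"
    b"username=alice&password=hunter2",
    b"GET /search?q=wireshark+tutorial&src=hp HTTP/1.1\r\nHost: search.example.test\r\n\r\n",
    bytes([0x17, 0x03, 0x03, 0x00, 0x20]) + bytes(range(32)),  # TLS record, no readable HTTP
]

# Field names that usually hold secrets (hypothetical list for the demo).
SENSITIVE = re.compile(r"pass|pwd|secret|token", re.I)


def inspect_payload(payload: bytes) -> dict:
    """Return what an observer on the wire can read from one TCP payload."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep or head[:4] not in (b"GET ", b"POST"):
        # No HTTP request line and header block: treat as opaque (e.g. TLS).
        return {"protocol": "opaque", "fields": {}, "query": {}}
    lines = head.decode("latin-1").split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {k.lower(): v.strip() for k, v in (l.split(":", 1) for l in lines[1:])}
    # Query string of a GET (this is where the search term sits).
    query = {k: v[0] for k, v in parse_qs(urlparse(target).query).items()}
    fields = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        # Same decoding Wireshark shows under "Form URL Encoded".
        fields = {k: v[0] for k, v in parse_qs(body.decode("latin-1")).items()}
    return {"protocol": "http", "method": method, "fields": fields, "query": query}


def find_exposed(payloads) -> list:
    """Collect form fields that travelled in clear text and look like credentials."""
    hits = []
    for p in payloads:
        exposed = {k: v for k, v in inspect_payload(p)["fields"].items() if SENSITIVE.search(k)}
        if exposed:
            hits.append(exposed)
    return hits


if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        print(inspect_payload(p))
    print("exposed credentials:", find_exposed(SAMPLE_PAYLOADS))
```

The TLS sample yields nothing because nothing before the first blank line parses as an HTTP request, which is exactly what the encrypted login screenshot shows.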


Some Background

Each packet is encapsulated inside a frame that states the packet's destination. Your NIC (Network Interface Card) will read the frames that come across the line, and if it sees that a frame is not intended for that particular NIC it will stop reading it and move on to the next.
This is the default setting for the sake of speed, so if you want your NIC to analyze the entire breadth of packets coming over the line you need to change your NIC's default setting to promiscuous mode. Wireshark does this by default; you can see the setting under Capture Options: