While tapping into a LAN with the NIC in promiscuous mode, the adapter captures the traffic and sends the packets up through the Enhanced Packet Analyzer (EPAN) for dissection and decoding, and then on to the Wireshark interface.

You'll then see the packets filling the screen. If you are on an end device and communicating with another host, you will most likely see three types of packets, namely, broadcast, multicast, and unicast:

• Broadcast: Packets are sent from one to everyone on a network—that is, ARP broadcast.
• Multicast: Packets are sent from one to many—that is, routing protocol EIGRP (short for Enhanced Interior Gateway Routing Protocol) multicasts.
• Unicast: This sends packets from one to one—that is, from your computer to a web server.

In a normal conversation with another host, once you have a connection, the operating system creates a socket, which consists of an IP address and a port. During a capture, Wireshark will keep track of all of the connections or streams, which you can examine.

This next section explains how you can take a look at the conversations and endpoints in a capture.