diff --git a/wireshark/README.md b/wireshark/README.md
index aa4968103e95d..2fb23d40383f2 100644
--- a/wireshark/README.md
+++ b/wireshark/README.md
@@ -19,6 +19,8 @@
 
 -->
 
+> **Note**: This Lua script may cause a crash in the newest version of Wireshark, see [#18439](https://github.com/apache/pulsar/issues/18439). Make sure the version of Wireshark is earlier than v4.0.0.
+
 # How to use 
 
 ## Step 1: prepare PulsarApi.proto file
@@ -30,6 +32,9 @@ You need to put PulsarApi.proto to a separate path.
 
 3. Add the path of PulsarApi.proto.
 
+4. Check `Dissect Protobuf fields as Wireshark fields` box. When this box is checked, 
+you can use `pbf.pulsar.proto` to visit fields in protobuf package.  
+
 ## Step 2: add pulsar.lua to plugins
 
 1. Open Wireshark.
@@ -40,6 +45,8 @@ You need to put PulsarApi.proto to a separate path.
 
 ## Step 3: start to use
 
-This plugin registers a Pulsar protocol automatically in 6650. You can use it to decode Pulsar messages now.
-
+This plugin registers a Pulsar protocol automatically in 6650. You can use this Wireshark filter string to find out Pulsar packages (ignore ping/pong):
 
+```
+tcp.port eq 6650 and pulsar and pbf.pulsar.proto.BaseCommand.type ne "ping" and pbf.pulsar.proto.BaseCommand.type ne "pong"
+```