What Is Wireshark Network Traffic and Packet Analyzer? – POFTUT

Wireshark is a tool for capturing and analyzing network traffic. It is used mainly by network administrators and security professionals to inspect networks, troubleshoot protocols, and look for signs of vulnerabilities or malware activity in the traffic.

Live Capture

Wireshark can capture network traffic on a given interface. It supports several interface types and link-layer protocols. Here is a list of interface types supported by Wireshark:

  • Ethernet
  • Wifi 802.11
  • USB
[Figure: Wireshark Interfaces]

Wireshark supports a great many protocols. Listing them all here is not feasible, so we list only the most popular link-layer types:

  • USB 2.0, 3.0
  • Ethernet
  • WiFi
  • WiMAX
  • IrDA

Wireshark captures traffic on the chosen interface live. We can filter the capture and get detailed information about any captured packet, as shown below.

[Figure: Wireshark Protocols]

Network Inspection

Wireshark is designed first of all as a capture and inspection tool, and its inspection features are very advanced. Captured packets are listed in a structured format, as shown below: every packet is numbered and can be inspected one by one. Below we see the contents of packet 1754 presented in an easy-to-read way, with the Frame, Ethernet, IP, UDP and DNS layers each shown separately in the Packet Details pane.

[Figure: Network Inspection]

Filter Network Traffic

We can also filter captured traffic according to our own criteria. Display filters can be applied on the following fields, among many others:

  • Ethernet and options
  • IP and options
  • IP Address
  • Source IP Address
  • Destination IP Address
  • TCP and options
  • UDP and options
  • TCP Session

We filter by typing a display filter expression into the filter bar. In the following screenshot we filter for DNS traffic only by entering dns in the filter bar. Note that a display filter only hides packets from view; the capture still contains everything. To avoid recording unwanted traffic in the first place, a capture filter in BPF syntax (for example port 53) has to be set before the capture starts.

[Figure: Filter Wireshark]

Network and Capture Statistics

At the end of a capture, or while it is still running, we can view network and capture statistics. The Statistics menu provides a lot of information for different protocols: Endpoints, Packet Lengths, Protocol Hierarchy, Conversations, and DNS, TCP and HTTP specific statistics. Here we see the Conversations statistics, which list each pair of IP source and destination endpoints together with the amount of traffic exchanged between them.

[Figure: Network and Capture Statistics]
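To make the Network Inspection, Filter Network Traffic and Statistics sections above concrete, here is an added example that is not Wireshark's code and not part of the original article. It dissects constructed Ethernet/IPv4/UDP/DNS frames into the same layered view as the Packet Details pane, evaluates a tiny subset of display-filter syntax (dns, udp.port == 123, ip.src == ...), and produces a Conversations-style byte count per IPv4 endpoint pair. All MAC addresses, IP addresses and packets are made up for the example; checksums are left at zero because the frames are never sent.

```python
"""Minimal dissector, display-filter evaluator and Conversations statistic,
added here as an example. It is not Wireshark's code; it mirrors the Frame /
Ethernet / IP / UDP / DNS layering of the Packet Details pane, a tiny subset
of display-filter syntax, and the Statistics > Conversations summary.
Every packet below is constructed test data, not a real capture."""
import struct
from collections import defaultdict


def build_udp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Construct an Ethernet/IPv4/UDP frame. Checksums are left zero: this is
    test data for the dissector, not something to put on the wire."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split("."))) + udp
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    return eth + b"\x08\x00" + ip


def build_dns_query(src_mac, dst_mac, src_ip, dst_ip, sport, qname):
    """Standard query for an A record, transaction id 0x1234, to UDP port 53."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.split("."))
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", 1, 1)
    return build_udp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, 53, dns)


def dissect(frame):
    """Return one dict per protocol layer, as the Packet Details pane does."""
    pkt = {"frame": {"len": len(frame)}}
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    pkt["eth"] = {"src": src.hex(":"), "dst": dst.hex(":"), "type": ethertype}
    if ethertype != 0x0800:                       # only IPv4 is handled here
        return pkt
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    pkt["ip"] = {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
                 "proto": ip[9], "len": struct.unpack("!H", ip[2:4])[0]}
    if ip[9] != 17:                               # only UDP is handled here
        return pkt
    udp = ip[ihl:]
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    pkt["udp"] = {"srcport": sport, "dstport": dport, "len": ulen}
    if 53 in (sport, dport):                      # same port heuristic Wireshark uses for DNS
        dns = udp[8:]
        txid, flags = struct.unpack("!HH", dns[:4])
        name, pos = [], 12
        while dns[pos]:                           # walk the length-prefixed labels of the question
            name.append(dns[pos + 1:pos + 1 + dns[pos]].decode())
            pos += 1 + dns[pos]
        pkt["dns"] = {"id": txid, "response": bool(flags & 0x8000), "qname": ".".join(name)}
    return pkt


def matches(pkt, expr):
    """Evaluate a display-filter-like expression: a bare protocol name such as
    'dns' or 'udp', or 'layer.field == value' (ip.src, ip.dst, udp.port ...)."""
    if "==" not in expr:
        return expr.strip() in pkt
    field, value = (s.strip().strip('"') for s in expr.split("==", 1))
    layer, name = field.split(".", 1)
    if layer not in pkt:
        return False
    if name == "port":                            # udp.port matches either direction, as in Wireshark
        return value in (str(pkt[layer]["srcport"]), str(pkt[layer]["dstport"]))
    return str(pkt[layer].get(name)) == value


def conversations(pkts):
    """Statistics > Conversations (IPv4): total frame bytes per endpoint pair."""
    totals = defaultdict(int)
    for p in pkts:
        if "ip" in p:
            totals[tuple(sorted((p["ip"]["src"], p["ip"]["dst"])))] += p["frame"]["len"]
    return dict(totals)


# Constructed sample capture: two DNS queries to the local resolver and one NTP packet.
SAMPLE_FRAMES = [
    build_dns_query("00:11:22:33:44:55", "66:77:88:99:aa:bb", "192.168.1.10", "192.168.1.1", 40001, "example.com"),
    build_dns_query("00:11:22:33:44:56", "66:77:88:99:aa:bb", "192.168.1.11", "192.168.1.1", 40002, "poftut.com"),
    build_udp_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", "192.168.1.10", "10.0.0.5", 40003, 123, bytes(48)),
]
PACKETS = [dissect(f) for f in SAMPLE_FRAMES]

if __name__ == "__main__":
    for n, p in enumerate(PACKETS, 1):
        print(n, p["ip"]["src"], "->", p["ip"]["dst"], "dns" if matches(p, "dns") else p["udp"]["dstport"])
    print([p["dns"]["qname"] for p in PACKETS if matches(p, "dns")])
    print(conversations(PACKETS))
```

The filter bar expression dns corresponds to matches(pkt, "dns") here, and the Conversations window to conversations(); the real dissector does the same walk over the bytes, only for thousands of protocols and with far more error handling, which is exactly why a malformed capture is a security concern for the analysis host as well.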

Color Rules

Coloring makes analysis easier: a capture contains so many packets that reading and tracking them one by one is hard. Wireshark colorizes packets according to their protocol and state. It ships with about 20 default coloring rules for different protocols and cases, and new rules can be added from View > Coloring Rules.

[Figure: Color Rules]

We can see that Bad TCP and OSPF State Change packets are colored with a dark color such as black. Each coloring rule is simply a display filter expression paired with a foreground and background color, so the same expressions can also be used in the filter bar to isolate those packets.


Multi-Platform

Wireshark is a multi-platform application. We can install it on the following platforms and use most of its features:

  • Windows 32 and 64 bit
  • Windows Portable
  • MacOSX
  • Linux
  • FreeBSD
  • Unix
[Figure: Multi-Platform]

VoIP Analysis

VoIP has become very popular in recent years, and Wireshark supports capturing and analyzing VoIP traffic. These features are found under the Telephony menu shown below. The following protocols and statistics are supported, among others:

  • VoIP Calls
  • RTP
  • RTSP
  • SCTP
  • SIP Flows
  • SIP Statistics
[Figure: VoIP Analysis]

Support For A Lot Of Capture Formats

During a live capture the traffic is written to a temporary file that is discarded when Wireshark exits, so if we want to inspect it later or keep it as evidence we need to save it. Wireshark supports a number of capture file formats; pcapng is the default when saving in current versions, and the following extensions, among others, can be read:

  • cap
  • pcap
  • pcapng
  • dmp
  • bfr
  • snoop
  • trc
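The classic pcap format from the list above is simple enough to handle by hand, which is useful when a capture has to be generated, repaired or checked by a script before it is opened in Wireshark. The following is an added example, not Wireshark's or libpcap's code: it writes a classic pcap file with a 24-byte global header and 16-byte per-packet record headers, reads it back in either byte order and in the nanosecond variant, recognises a pcapng file by its Section Header Block magic, and applies the length checks a reader needs before trusting an untrusted capture. The two frames it stores are constructed bytes, not a real capture.

```python
"""Added example, not Wireshark's code: write a classic libpcap file and read it
back. Shows the 24-byte global header, the 16-byte per-packet record header,
both byte orders, the nanosecond variant, pcapng detection and the bounds
checks a reader needs before trusting an untrusted capture file."""
import struct

PCAP_MAGIC = 0xA1B2C3D4          # microsecond timestamps
PCAP_MAGIC_NS = 0xA1B23C4D       # nanosecond timestamps
PCAPNG_MAGIC = 0x0A0D0D0A        # pcapng Section Header Block type, same in both byte orders
LINKTYPE_ETHERNET = 1


def write_pcap(packets, linktype=LINKTYPE_ETHERNET, snaplen=65535, endian="<"):
    """packets: iterable of (timestamp_seconds, bytes). Returns the file contents."""
    out = struct.pack(endian + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)
    for ts, data in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        incl = min(len(data), snaplen)           # data is cut at snaplen, but the
        out += struct.pack(endian + "IIII", sec, usec, incl, len(data)) + data[:incl]   # original length is kept
    return out


def read_pcap(blob):
    """Return (linktype, [(timestamp, data, original_length), ...]) or raise ValueError."""
    if len(blob) < 24:
        raise ValueError("too short for a pcap global header")
    magic = struct.unpack("<I", blob[:4])[0]
    if magic == PCAPNG_MAGIC:
        raise ValueError("pcapng file (Section Header Block), not classic pcap")
    table = {PCAP_MAGIC: ("<", 1e-6), 0xD4C3B2A1: (">", 1e-6),        # magic as seen little-endian
             PCAP_MAGIC_NS: ("<", 1e-9), 0x4D3CB2A1: (">", 1e-9)}
    if magic not in table:
        raise ValueError("unknown magic 0x%08x" % magic)
    endian, tick = table[magic]
    _, vmaj, vmin, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", blob[:24])
    if (vmaj, vmin) != (2, 4):
        raise ValueError("unsupported pcap version %d.%d" % (vmaj, vmin))
    packets, pos = [], 24
    while pos < len(blob):
        if pos + 16 > len(blob):
            raise ValueError("truncated record header at offset %d" % pos)
        sec, frac, incl, orig = struct.unpack(endian + "IIII", blob[pos:pos + 16])
        if incl > snaplen or incl > orig:        # a record can never exceed snaplen or its own original length
            raise ValueError("record at offset %d claims %d bytes (snaplen %d, original %d)" % (pos, incl, snaplen, orig))
        if pos + 16 + incl > len(blob):
            raise ValueError("truncated packet data at offset %d" % pos)
        packets.append((sec + frac * tick, blob[pos + 16:pos + 16 + incl], orig))
        pos += 16 + incl
    return linktype, packets


# Constructed sample: two Ethernet frames of made-up bytes (not a real capture).
SAMPLE = [(1700000000.5, bytes.fromhex("66778899aabb001122334455") + b"\x08\x00" + bytes(range(20))),
          (1700000001.0, bytes.fromhex("00112233445566778899aabb") + b"\x08\x00" + bytes(60))]

if __name__ == "__main__":
    linktype, pkts = read_pcap(write_pcap(SAMPLE))
    print("linktype", linktype, "packets", len(pkts))
    for ts, data, orig in pkts:
        print("%.6f %d/%d bytes" % (ts, len(data), orig))
```

Wireshark itself applies the same kind of checks when opening a file and reports "The file appears to be damaged or corrupt" when a record header points past the end of the data; the version check and the distinction between incl_len and orig_len are the two details that most home-grown pcap readers get wrong.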

Decryption Of Encrypted Protocols Like SSL/TLS, WEP and WPA/WPA2

Some network protocols, such as SSL/TLS, WEP and WPA/WPA2, encrypt traffic for security reasons. In a security assessment or inspection we may need to see this encrypted traffic in clear text. Wireshark can decrypt it if we provide the key, passphrase, password or certificate, with some conditions. TLS can be decrypted with the server's private key only when the session used RSA key exchange; with forward-secrecy cipher suites (ECDHE, DHE, and all of TLS 1.3) Wireshark needs the session secrets from a key log file instead (the SSLKEYLOGFILE that browsers and some TLS libraries can write). WEP needs only the key, while WPA/WPA2-PSK decryption needs the passphrase together with the SSID and a capture that includes the station's four-way EAPOL handshake, because the per-session keys are derived from the nonces exchanged there.
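The WPA2-PSK case is worth seeing in code, because it explains both why Wireshark needs the handshake and why a weak passphrase is dangerous. The following is an added example, not Wireshark's code: it derives the PMK from passphrase and SSID with PBKDF2-HMAC-SHA1 as the IEEE 802.11 standard specifies (checked against the published "password"/"IEEE" test vector), expands it into the PTK using the MAC addresses and nonces from the handshake, and verifies the MIC of EAPOL message 2 with the KCK part of the PTK. The handshake, MAC addresses, nonces and SSID "poftut-lab" are constructed for the example; check_passphrase shows the test that both Wireshark's decryption and an offline passphrase-guessing attack rely on.

```python
"""Added example, not Wireshark's code: the key derivation Wireshark performs
when it is given a WPA2-PSK passphrase. PMK = PBKDF2-HMAC-SHA1(passphrase, SSID),
PTK = PRF(PMK, nonces and MAC addresses from the four-way handshake), and the
KCK part of the PTK authenticates the EAPOL-Key messages. Without the handshake
in the capture the per-session keys cannot be derived. The handshake below is
constructed, not captured."""
import hashlib
import hmac
import struct

MIC_OFFSET = 81    # EAPOL header (4) + key descriptor fields preceding the Key MIC


def wpa2_pmk(passphrase, ssid):
    """Pairwise Master Key: IEEE 802.11 passphrase-to-PSK mapping (4096 rounds, 256 bits).
    Test vector: wpa2_pmk("password", "IEEE") starts with f42c6fc5."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """IEEE 802.11 PRF-n built from HMAC-SHA1 with a counter byte."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def wpa2_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """Pairwise Transient Key for CCMP: 384 bits split into KCK, KEK and TK."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def eapol_mic(kck, frame):
    """Key MIC for descriptor version 2 (HMAC-SHA1-128) over the frame with the MIC field zeroed."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_eapol_msg2(snonce):
    """Constructed EAPOL-Key message 2 of 4 (station -> AP) with an empty MIC field."""
    body = (bytes([2])                                # descriptor type: RSN
            + struct.pack("!H", 0x010A)               # key info: version 2 | pairwise | MIC present
            + struct.pack("!H", 16)                   # key length (CCMP)
            + struct.pack("!Q", 1)                    # replay counter
            + snonce + bytes(16) + bytes(8) + bytes(8)  # SNonce, Key IV, Key RSC, Key ID
            + bytes(16)                               # Key MIC, filled in by the sender
            + struct.pack("!H", 0))                   # key data length (RSN IE omitted here)
    return bytes([2, 3]) + struct.pack("!H", len(body)) + body   # EAPOL version 2, type Key


def make_handshake(passphrase, ssid, ap_mac, sta_mac, anonce, snonce):
    """Simulate the station computing message 2, i.e. what a real capture would contain."""
    kck = wpa2_ptk(wpa2_pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)["kck"]
    msg2 = build_eapol_msg2(snonce)
    msg2 = msg2[:MIC_OFFSET] + eapol_mic(kck, msg2) + msg2[MIC_OFFSET + 16:]
    return {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac,
            "anonce": anonce, "snonce": snonce, "msg2": msg2}


def check_passphrase(candidate, hs):
    """True when the candidate passphrase reproduces the MIC of message 2, which is
    the same condition under which Wireshark can derive the session's TK."""
    kck = wpa2_ptk(wpa2_pmk(candidate, hs["ssid"]), hs["ap_mac"], hs["sta_mac"],
                   hs["anonce"], hs["snonce"])["kck"]
    return hmac.compare_digest(eapol_mic(kck, hs["msg2"]), hs["msg2"][MIC_OFFSET:MIC_OFFSET + 16])


# Constructed handshake for a hypothetical network; MACs, nonces and SSID are made up.
HANDSHAKE = make_handshake("correct horse battery", "poftut-lab",
                           bytes.fromhex("66778899aabb"), bytes.fromhex("001122334455"),
                           bytes(range(32)), bytes(range(32, 64)))

if __name__ == "__main__":
    print(wpa2_pmk("password", "IEEE").hex())
    print(check_passphrase("correct horse battery", HANDSHAKE), check_passphrase("wrong", HANDSHAKE))
```

The 4096-round PBKDF2 is the only thing slowing a guess, so the practical defence is a long random passphrase; Wireshark's own decryption additionally needs the capture to contain at least messages 1 and 2 of the handshake, which is why monitor-mode captures of an already associated station cannot be decrypted until the station reconnects.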

Pretty GUI

Wireshark has a clear and useful GUI for inspecting very large captures. The layout can be customized from Edit > Preferences > Layout, which lets us choose where the Packet List, Packet Details and Packet Bytes panes are placed.

[Figure: Pretty GUI]

Command Line Support with tshark Tool

Wireshark is primarily a GUI application, but for scripting, remote hosts and headless servers it provides the tshark command-line tool. tshark offers most of the same features (capture, dissection, display and capture filters, statistics) from the terminal; run without arguments it captures on the default interface and prints one summary line per packet:

$ tshark
[Figure: Command Line Support with tshark Tool]
