Wireshark is a tool used to capture and analyze network traffic. It is mainly used by network administrators and security professionals to inspect networks and to find security vulnerabilities or malware behavior.
Wireshark can capture the network traffic of a given interface. Wireshark supports different interface types and protocols. Here is a list of interface types supported by Wireshark:
- Wifi 802.11
- USB 2.0, 3.0
Wireshark supports a lot of different protocols. Listing all of them here is unfeasible, so we will only list the most popular ones.
Wireshark can capture the traffic of the given interface or protocol live. We can filter and get detailed information about the captured traffic or a single packet, as shown below.
Wireshark is mainly designed as a network capture and inspection tool, and its inspection features are very advanced. All captured data can be listed in a structured format, as shown below. Every captured packet is numbered and can be inspected one by one. Below we can see the data and information of Packet 1754 presented in an easy-to-read way, with the Frame, Ethernet, IP, UDP, and DNS layers broken out.
Filter Network Traffic
We can also filter the captured traffic according to our own parameters. We can filter on the following parameters, among others:
- Ethernet and options
- IP and options
- IP Address
- Source IP Address
- Destination IP Address
- TCP and options
- UDP and options
- TCP Session
We can filter by typing an expression with the related parameter into the filter (expression) box. In the following screenshot, we filter only DNS traffic for inspection by putting dns into the expression box.
Network and Capture Statistics
At the end of a capture we can get network and capture statistics. The statistics provide a lot of information for different protocols. The Statistics menu provides Endpoint, Packet Length, Protocol Hierarchy, DNS, TCP, and HTTP related statistics. Here we see the Conversation statistics per protocol: the IP source and destination endpoints together with the traffic size exchanged between them.
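The dissection, display filtering and conversation statistics described above, as an added example that is not part of the original article and not Wireshark's own code. The script builds a constructed four-packet capture in memory (the MAC and IP addresses, ports and host names are sample values, not from a real network), dissects each frame into the Frame / Ethernet / IP / UDP / DNS (or TCP) layers, evaluates a small subset of the Wireshark display-filter syntax (protocol names such as `dns`, `==` comparisons such as `ip.src == 10.0.0.5` or `dns.qry.name == wireshark.org`, and terms joined with `&&`), and then computes the per-conversation packet and byte counts that the Conversations statistics window shows. The field names mimic Wireshark's but the filter grammar and the pcap reader are deliberately minimal assumptions of this example (classic little-endian pcap, uncompressed DNS names only).

```python
import struct
from collections import defaultdict

# ---- constructed sample traffic (not a real capture) ----------------------
# A classic little-endian pcap is built in memory so everything runs offline.

def _ip2b(ip):
    return bytes(int(o) for o in ip.split("."))

def _b2ip(raw):
    return ".".join(str(b) for b in raw)

def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def _dns_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def _frame(src_ip, dst_ip, proto, l4):
    eth = bytes.fromhex("aabbccddeeff001122334455") + b"\x08\x00"  # dst MAC, src MAC, IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     _ip2b(src_ip), _ip2b(dst_ip))  # checksum left 0 (not verified here)
    return eth + ip + l4

def _dns_query(src_ip, txid, qname):
    dns = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + _dns_name(qname) + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 40000 + txid, 53, 8 + len(dns), 0) + dns
    return _frame(src_ip, "10.0.0.1", 17, udp)

def _tcp_syn(src_ip, dst_ip, dport):
    tcp = struct.pack("!HHIIBBHHH", 51000, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    return _frame(src_ip, dst_ip, 6, tcp)

def build_sample_pcap():
    """Two DNS queries, a SYN to a web server and a SYN to a local host (all constructed)."""
    frames = [_dns_query("10.0.0.5", 1, "example.com"),
              _dns_query("10.0.0.5", 2, "wireshark.org"),
              _tcp_syn("10.0.0.5", "203.0.113.10", 443),
              _tcp_syn("10.0.0.7", "10.0.0.1", 80)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out

# ---- reader and dissector --------------------------------------------------

def read_pcap(data):
    """Yield raw frames from a little-endian classic pcap (magic a1b2c3d4)."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled in this example")
    off = 24
    while off < len(data):
        incl = struct.unpack_from("<IIII", data, off)[2]
        off += 16
        yield data[off:off + incl]
        off += incl

def _parse_name(buf, off):
    """Read an uncompressed DNS name (no 0xC0 pointers; enough for plain queries)."""
    labels = []
    while buf[off]:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels)

def dissect(number, frame):
    """Decode one frame into the layers Wireshark lists: frame, eth, ip, udp/tcp, dns."""
    pkt = {"frame": {"number": number, "len": len(frame)}}
    pkt["eth"] = {"dst": _mac(frame[0:6]), "src": _mac(frame[6:12]),
                  "type": struct.unpack_from("!H", frame, 12)[0]}
    if pkt["eth"]["type"] != 0x0800:
        return pkt
    t = 14 + (frame[14] & 0x0F) * 4  # transport layer starts after IHL*4 bytes
    pkt["ip"] = {"src": _b2ip(frame[26:30]), "dst": _b2ip(frame[30:34]), "proto": frame[23]}
    if pkt["ip"]["proto"] == 17:
        sport, dport, ulen = struct.unpack_from("!HHH", frame, t)
        pkt["udp"] = {"srcport": sport, "dstport": dport, "length": ulen}
        if 53 in (sport, dport):  # like Wireshark, pick the DNS dissector by port
            txid, flags, _ = struct.unpack_from("!HHH", frame, t + 8)
            pkt["dns"] = {"id": txid, "flags": flags, "qry.name": _parse_name(frame, t + 20)}
    elif pkt["ip"]["proto"] == 6:
        sport, dport, seq, _, _, flags = struct.unpack_from("!HHIIBB", frame, t)
        pkt["tcp"] = {"srcport": sport, "dstport": dport, "seq": seq, "flags": flags}
    return pkt

def load_packets(pcap_bytes):
    return [dissect(i + 1, f) for i, f in enumerate(read_pcap(pcap_bytes))]

# ---- display filter subset and conversation statistics ---------------------

def match(pkt, expr):
    """Terms joined by '&&'; a term is a protocol name ('dns') or 'field == value'."""
    for term in expr.split("&&"):
        term = term.strip()
        if "==" in term:
            field, value = (s.strip() for s in term.split("==", 1))
            layer, _, name = field.partition(".")
            names = {"addr": ("src", "dst"), "port": ("srcport", "dstport")}.get(name, (name,))
            if layer not in pkt or not any(str(pkt[layer].get(n)) == value for n in names):
                return False
        elif term not in pkt:
            return False
    return True

def conversations(pkts):
    """IPv4 conversations: unordered endpoint pair -> packet and byte totals."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for p in pkts:
        if "ip" in p:
            key = tuple(sorted((p["ip"]["src"], p["ip"]["dst"])))
            stats[key]["packets"] += 1
            stats[key]["bytes"] += p["frame"]["len"]
    return dict(stats)
```

Running `load_packets(build_sample_pcap())` and filtering with `match(p, "dns")` returns the two DNS frames, `match(p, "ip.addr == 10.0.0.1")` returns every frame to or from that host, and `conversations()` reports the 10.0.0.1 / 10.0.0.5 pair as 2 packets and 144 bytes. A real capture would be opened with `read_pcap(open(path, "rb").read())`, keeping in mind that this reader accepts only the classic little-endian pcap format and that the filter grammar is a small subset of Wireshark's.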
While analyzing packets, coloring makes the job easier. There will be a lot of packets, and reading and tracking them one by one is very hard. We can colorize the packets according to their protocol or situation. Wireshark provides 20 colors for different packet protocols and cases, and new coloring rules can be added.
We can see that Bad TCP or OSPF State Change packets are colored with a dark color like black. Each coloring rule is also a filter that matches the given case.
Wireshark is a multi-platform application. We can install Wireshark on the following platforms and use most of its features:
- Windows 32 and 64 Bit
- Windows Portable
VoIP has become very popular in recent years. Wireshark provides support for VoIP traffic capture and analysis. We can access these features from the Telephony menu shown below. The following protocols and statistics are supported by Wireshark:
- VoIP Calls
- SIP Flows
- SIP Statistics
Support For A Lot Of Capture Formats
During a live capture the captured traffic is stored in memory, but if we want to inspect it later or keep it we need to save it. Wireshark supports different formats for storing captured traffic. Wireshark supports the following capture formats.
Decryption Of Encryption Protocols Like SSL/TLS, WEP and WPA/WPA2
Some network protocols like SSL/TLS, WEP, and WPA/WPA2 provide encryption for security reasons. In a security assessment or inspection, we may need to see this encrypted traffic in clear text. We can use Wireshark to decrypt this encrypted traffic by providing the key, passphrase, password, or certificate.
Wireshark has a very pretty and useful GUI for inspecting a ton of captured traffic. We can also customize the GUI from the Preferences menu. This lets us set the layout, for example the location of the Packet Bytes pane, etc.
Command Line Support with tshark Tool
Wireshark provides its features through a GUI, but if we need command line support Wireshark provides the tshark command line tool. We can use all of the GUI features with this