Wireshark – How To Capture, Filter , Inspect Network Packets?
Wireshark is a popular network packet capture and analysis tool. It is previous name was Ethereal. Wireshark captures packets from different type of interfaces and prints them as a floating list to the screen. It also provides detailed information about specific packet. Wireshark can also read already captured packets in different formats like
Download and Install
Wireshark is supported by a lot of platforms. Let’s install wireshark.
For Windows operating system we need to download wireshark installation file from official web site. Latest version of wireshark can be downloaded from following link.
Windows provides different type of installers like 32 bit , 64 bit, portable. If we do not have required privileges to install application we can use portable wireshark which do not needs installation.
Ubuntu, Debian, Mint:
Ubuntu, Debian, Mint and other deb based distributions provides Wireshark from their official repositories. Just issue following command to install Wireshark.
$ sudo apt install wireshark-qt
Fedora, CentOS, RedHat:
Fedora, CentOS and RedHat provides Wireshark package in their repositories too. In order to install Wireshark in Fedora, CentOS and RedHat issue following command.
$ sudo yum install wireshark-qt
Select Interface and Capture Packets
One of the fundamental operation with Wireshark is selecting an interface to capture network packets. When we open wireshark we will see following screen . Available interfaces are listed with their name current network traffic on that interface is shown with a simple graph.
Here we will will see that
Local Area Connection named interface has some network traffic. By the way wireshark can listen USB interfaces too.
We double click on
Local Area Connection and this will start network capture on this interface and new screen will be opened where the network packets flow.
Show Specific Packet Details
We generally look some specific packets to analyze. We can locate the packet we want in a simple way from the right side of packet flow list and click on the packet. This will show detailed packet information in the middle section where Frame, Ethernet, IP , TCP/UDP and Application layer information provided. In the lowest and third section we will see application layer data in hex format.
Filter Captured Packets
In a busy network there will be a lot of packets flying around. This will make to look some packets one by one very hard job. Wireshark have very powerful filtering features. We can filter captured packets according to protocol like IP, TCP, UDP , IP address , Source address destination address, TCP port, mac address, Dns packet, Snmp packet etc. There are a lot of them. We will simple look most popular of them. We can get whole list of supported filter expressions by clicking
Expression button on the left up corner. We can see filter textbox and
List of supported expressions.
Filter ARP Packets
In this example we will filter ARP packets and section or the packet list only provides ARP protocol packets. We will only use
arp in the filter box.
Filter According To Destination IP Address
Another popular usage is filtering packet those have specified destination IP address. In this example we will filter and only show those packets which have destination IP address is
ip.dst == 192.168.122.1
Filter According To Source IP Address
We can also filter according to source ip address too. In this example we will filter IP source address 192.168.122.1
ip.src == 192.168.122.1
Filter DNS Packets
We can filter DNS packets with
dnsserver keyword like below.
Follow TCP Stream
During a regular web page load or request there will be some round trip to download data. If we need to inspect the whole request and response traffic we need to filter multiple packets. We can accomplish this by filtering according to TCP session or TCP stream. It is called
Follow TCP Stream .
This will provide following screen which provides the whole HTTP request and response session. We can also search these with
One of the best feature is the packet statistics. We can get a lot of different type of statistics with the
Statistics menu from up. We can get following statistical information.
- PRotocol Hierarchy
We can stop capturing network packets with wireshark with the red button in the toolbar menu.
Save Captured Packets
We can save captured files. In order to save we firstly stop live packet capture. Then from the
File menu and
Save as menus.
Open Capture Files Like Cap , Pcap
We can open already saved different type of capture formats like cap, pcap ,ngcap etc. from
File menu. We can also open recently opened capture files.