Wireshark – How To Capture, Filter, Inspect Network Packets?

https://www.poftut.com/wireshark-capture-filter-inspect-network-packets/

Wireshark is a popular network packet capture and analysis tool; its previous name was Ethereal. Wireshark captures packets from different types of interfaces and prints them as a scrolling list on the screen. It also provides detailed information about a specific packet. Wireshark can also read already captured packets in different formats like cap, pcap etc.

Download and Install

Wireshark is supported on a lot of platforms. Let’s install Wireshark.

Windows:

For the Windows operating system we need to download the Wireshark installation file from the official web site. The latest version of Wireshark can be downloaded from the following link.

https://www.wireshark.org/#download

Windows provides different types of installers like 32 bit, 64 bit and portable. If we do not have the required privileges to install applications we can use portable Wireshark, which does not need installation.

Ubuntu, Debian, Mint:

Ubuntu, Debian, Mint and other deb based distributions provide Wireshark from their official repositories. Just issue the following command to install Wireshark.

Fedora, CentOS, RedHat:

Fedora, CentOS and RedHat provide the Wireshark package in their repositories too. In order to install Wireshark on Fedora, CentOS and RedHat, issue the following command.

Select Interface and Capture Packets

One of the fundamental operations in Wireshark is selecting an interface to capture network packets. When we open Wireshark we will see the following screen. Available interfaces are listed with their names, and the current network traffic on each interface is shown with a simple graph.

Here we will see that the interface named Local Area Connection has some network traffic. By the way, Wireshark can listen on USB interfaces too.


We double click on Local Area Connection; this will start network capture on this interface, and a new screen will open where the network packets flow.

Show Specific Packet Details

We generally look for some specific packets to analyze. We can locate the packet we want in a simple way from the right side of the packet flow list and click on the packet. This will show detailed packet information in the middle section, where Frame, Ethernet, IP, TCP/UDP and application layer information is provided. In the lowest, third section we will see the application layer data in hex format.


Filter Captured Packets

In a busy network there will be a lot of packets flying around. This makes looking at packets one by one a very hard job. Wireshark has very powerful filtering features. We can filter captured packets according to protocol like IP, TCP, UDP; IP address, source address, destination address; TCP port; MAC address; DNS packets, SNMP packets etc. There are a lot of them. We will simply look at the most popular of them. We can get the whole list of supported filter expressions by clicking the Expression button in the upper left corner, next to the filter textbox.


List of supported expressions.

Filter ARP Packets

In this example we will filter ARP packets so that the packet list section only shows ARP protocol packets. We simply enter arp in the filter box.


Filter According To Destination IP Address

Another popular usage is filtering packets that have a specified destination IP address. In this example we will filter and only show those packets whose destination IP address is 192.168.122.ip.


Filter According To Source IP Address

We can also filter according to source IP address. In this example we will filter for IP source address 192.168.122.1.


Filter DNS Packets

We can filter DNS packets with the dnsserver keyword like below.


Follow TCP Stream

During a regular web page load or request there will be several round trips to download data. If we need to inspect the whole request and response traffic we need to filter multiple packets. We can accomplish this by filtering according to the TCP session or TCP stream. This is called Follow TCP Stream.


This will bring up the following screen, which shows the whole HTTP request and response session. We can also search these with the Find button.
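As an added example that is not from the original post, the following Python script reproduces the filter and stream operations described above on a constructed capture: it dissects raw Ethernet/IPv4/TCP/UDP frames into Wireshark-style field names, evaluates the display filters arp, ip.dst == 192.168.122.1, ip.src == 192.168.122.1 and dns (dns is Wireshark's own filter name for DNS traffic), and groups TCP packets by endpoint pair the way Follow TCP Stream does. The address 192.168.122.1 is the one used on this page; the peer 192.168.122.50, the resolver 8.8.8.8 and all ports are assumed values.

```python
import struct
from collections import defaultdict

def frame(etype, proto=0, src="0.0.0.0", dst="0.0.0.0", sport=0, dport=0):
    # Constructed Ethernet frame; IPv4 frames carry a 20-byte IP header plus the L4 ports.
    eth = b"\x00" * 12 + struct.pack("!H", etype)
    if etype != 0x0800:
        return eth + b"\x00" * 28                      # ARP body, contents irrelevant here
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + struct.pack("!HH", sport, dport) + b"\x00" * 4

# Constructed sample capture: one ARP frame, one TCP exchange, one DNS query (nothing from the post).
FRAMES = [frame(0x0806),
          frame(0x0800, 6, "192.168.122.1", "192.168.122.50", 80, 51234),   # server -> client
          frame(0x0800, 6, "192.168.122.50", "192.168.122.1", 51234, 80),   # client -> server
          frame(0x0800, 17, "192.168.122.50", "8.8.8.8", 40000, 53)]        # UDP/53 query

def dissect(f):
    # Decode Ethernet / IPv4 / TCP / UDP headers into Wireshark-style field names.
    pkt, etype = {}, struct.unpack("!H", f[12:14])[0]
    if etype == 0x0806:
        pkt["arp"] = True
    elif etype == 0x0800:
        ihl, proto = (f[14] & 0x0F) * 4, f[23]
        pkt["ip.src"] = ".".join(map(str, f[26:30]))
        pkt["ip.dst"] = ".".join(map(str, f[30:34]))
        l4 = {6: "tcp", 17: "udp"}.get(proto)
        if l4:
            pkt[l4 + ".srcport"], pkt[l4 + ".dstport"] = struct.unpack("!HH", f[14 + ihl:18 + ihl])
        if l4 == "udp" and 53 in (pkt["udp.srcport"], pkt["udp.dstport"]):
            pkt["dns"] = True                          # what Wireshark's bare 'dns' filter matches
    return pkt

def apply_filter(packets, expr):
    # Display-filter subset: a bare field ('arp', 'dns') tests presence, 'field == value' tests equality.
    field, _, value = (s.strip() for s in expr.partition("=="))
    return [p for p in packets if (field in p if not value else str(p.get(field)) == value)]

def tcp_streams(packets):
    # Group TCP packets by unordered endpoint pair, which is what Follow TCP Stream shows together.
    streams = defaultdict(list)
    for p in (q for q in packets if "tcp.srcport" in q):
        key = tuple(sorted([(p["ip.src"], p["tcp.srcport"]), (p["ip.dst"], p["tcp.dstport"])]))
        streams[key].append(p)
    return dict(streams)

PACKETS = [dissect(f) for f in FRAMES]
for expr in ("arp", "ip.dst == 192.168.122.1", "ip.src == 192.168.122.1", "dns"):
    print(f"{expr:28} -> {len(apply_filter(PACKETS, expr))} packet(s)")
```

Each of the four filters matches exactly one constructed packet, and tcp_streams() returns a single stream holding both directions of the port 80 exchange.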

Packet Statistics

One of the best features is the packet statistics. We can get many different types of statistics from the Statistics menu at the top. We can get the following statistical information.

  • Endpoints
  • HTTP
  • IP
  • Ethernet
  • Protocol Hierarchy

Stop Capturing

We can stop capturing network packets in Wireshark with the red button in the toolbar.

Save Captured Packets

We can save captured packets to a file. In order to save, we first stop the live packet capture. Then we use the Save or Save As entries in the File menu.

Open Capture Files Like Cap , Pcap

We can open already saved captures in different formats like cap, pcap, pcapng etc. from the File menu. We can also reopen recently opened capture files.
