Wireshark – How To Capture, Filter , Inspect Network Packets?
Wireshark is a popular network packet capture and analysis tool. It is previously named as Ethereal. Wireshark captures packets from a different type of interfaces and prints them as a floating list to the screen. It also provides detailed information about a specific packet. Wireshark can also read already captured packets in different formats like
Download and Install
Wireshark is supported by a lot of platforms. Let’s install
For Windows operating system we need to download the wireshark installation file from the official web site. The latest version of Wireshark can be downloaded from the following link.
Windows provides a different type of installers like 32 bit, 64 bit, portable. If we do not have required privileges to install application we can use portable Wireshark which do not needs installation.
Ubuntu, Debian, Mint:
Ubuntu, Debian, Mint and other deb based distributions provide Wireshark from their official repositories. Just issue the following command to install Wireshark.
$ sudo apt install wireshark-qt
Fedora, CentOS, RedHat:
Fedora, CentOS, and RedHat provide Wireshark package in their repositories too. In order to install Wireshark in Fedora, CentOS and RedHat issue following command.
$ sudo yum install wireshark-qt
Select Interface and Capture Packets
One of the fundamental operation with Wireshark is selecting an interface to capture network packets. When we open Wireshark we will see the following screen. Available interfaces are listed with their name current network traffic on that interface is shown with a simple graph.
Here we will see that named
Local Area Connection interface has some network traffic. By the way, Wireshark can listen to USB interfaces too.
We double click on and
Local Area Connection this will start network capture on this interface and a new screen will be opened where the network packets flow.
Show Specific Packet Details
We generally look at some specific packets to analyze. We can locate the packet we want in a simple way from the right side of the packet flow list and click on the packet. This will show detailed packet information in the middle section where Frame, Ethernet, IP, TCP/UDP, and Application layer information provided. In the lowest and third section, we will see application layer data in hex format.
Filter Captured Packets
In a busy network, there will be a lot of packets flying around. This will make to look some packets one by one very hard job. Wireshark has very powerful filtering features. We can filter captured packets according to a protocol like IP, TCP, UDP, IP address, Source address destination address, TCP port, mac address, DNS packet, SNMP packet etc. There are a lot of them. We will simply look most popular of them. We can get the whole list of supported filter expressions by clicking button
Expression on the left up corner. We can see the filter textbox and button
List of supported expressions. As we can see there are a lot of protocols like.
Filter ARP Packets
In this example we will filter ARP packets and section or the packet list only provides ARP protocol packets. We will only use
arp in the filter box.
Filter According To Destination IP Address
Another popular usage is filtering packet those have specified destination IP address. In this example, we will filter and only show those packets which have a destination IP address is
ip.dst == 192.168.122.1
Filter According To Source IP Address
We can also filter according to source IP address too. In this example, we will filter IP source address 192.168.122.1
ip.src == 192.168.122.1
Filter DNS Packets
We can filter DNS packets with keyword
dnsserver like below.
Follow TCP Stream
During a regular web page load or request, there will be some round trip to download data. If we need to inspect the whole request and response traffic we need to filter multiple packets. We can accomplish this by filtering according to a TCP session or TCP stream. It is called
Follow TCP Stream .
This will provide the following screen which provides the whole HTTP request and response session. We can also search these with bottom
One of the best features is the packet statistics. We can get a lot of different type of statistics with the menu
Statistics from up. We can get the following statistical information.
- PRotocol Hierarchy
We can stop capturing network packets with Wireshark with the red button in the toolbar menu.
Save Captured Packets
We can save captured files. In order to save we firstly stop live packet capture. Then from the menu
Save as menus.
Open Capture Files Like Cap , Pcap
We can open already saved a different type of capture formats like cap, pcap ,ngcap etc. from
File menu. We can also open recently opened capture files.