Wireshark – How To Capture, Filter , Inspect Network Packets? – POFTUT

Wireshark – How To Capture, Filter , Inspect Network Packets?

by

Wireshark is a popular network packet capture and analysis tool. It is previously named as Ethereal. Wireshark captures packets from a different type of interfaces and prints them as a floating list to the screen. It also provides detailed information about a specific packet. Wireshark can also read already captured packets in different formats like cap , pcap etc.

Download and Install

Wireshark is supported by a lot of platforms. Let’s install

Windows:

For Windows operating system we need to download the wireshark installation file from the official web site. The latest version of Wireshark can be downloaded from the following link.

https://www.wireshark.org/#download

Windows provides a different type of installers like 32 bit, 64 bit, portable. If we do not have required privileges to install application we can use portable Wireshark which do not needs installation.

Ubuntu, Debian, Mint:

Ubuntu, Debian, Mint and other deb based distributions provide Wireshark from their official repositories. Just issue the following command to install Wireshark.

$ sudo apt install wireshark-qt

Fedora, CentOS, RedHat:

Fedora, CentOS, and RedHat provide Wireshark package in their repositories too. In order to install Wireshark in Fedora, CentOS and RedHat issue following command.

$ sudo yum install wireshark-qt

Select Interface and Capture Packets

One of the fundamental operation with Wireshark is selecting an interface to capture network packets. When we open Wireshark we will see the following screen.  Available interfaces are listed with their name current network traffic on that interface is shown with a simple graph.

Select Interface and Capture Packets
Select Interface and Capture Packets

Here we will see that namedLocal Area Connection interface has some network traffic. By the way, Wireshark can listen to USB interfaces too.

LEARN MORE  Tcpdump Tutorial With Examples

We double click on andLocal Area Connection this will start network capture on this interface and a new screen will be opened where the network packets flow.

Select Interface and Capture Packets
Select Interface and Capture Packets

Show Specific Packet Details

We generally look at some specific packets to analyze. We can locate the packet we want in a simple way from the right side of the packet flow list and click on the packet. This will show detailed packet information in the middle section where Frame, Ethernet, IP, TCP/UDP, and Application layer information provided. In the lowest and third section, we will see application layer data in hex format.

Show Specific Packet Details
Show Specific Packet Details

Filter Captured Packets

In a busy network, there will be a lot of packets flying around. This will make to look some packets one by one very hard job. Wireshark has very powerful filtering features. We can filter captured packets according to a protocol like IP, TCP, UDP, IP address, Source address destination address, TCP port, mac address, DNS packet, SNMP packet etc. There are a lot of them. We will simply look most popular of them. We can get the whole list of supported filter expressions by clicking buttonExpression on the left up corner. We can see the filter textbox and buttonExpression.

Filter Captured Packets
Filter Captured Packets

List of supported expressions. As we can see there are a lot of protocols like.

Filter ARP Packets

In this example we will filter ARP packets and section or the packet list only provides ARP protocol packets. We will only use arp in the filter box.

arp
Filter ARP Packets
Filter ARP Packets

Filter According To Destination IP Address

Another popular usage is filtering packet those have specified destination IP address. In this example, we will filter and only show those packets which have a destination IP address is 192.168.122.ip.

ip.dst == 192.168.122.1
Filter According To Destination IP Address
Filter According To Destination IP Address

Filter According To Source IP Address

We can also filter according to source IP address too. In this example, we will filter IP source address 192.168.122.1

ip.src == 192.168.122.1
Filter According To Source IP Address
Filter According To Source IP Address

Filter DNS Packets

We can filter DNS packets with keyworddnsserver like below.

dnsserver
Filter DNS Packets
Filter DNS Packets

Follow TCP Stream

During a regular web page load or request, there will be some round trip to download data. If we need to inspect the whole request and response traffic we need to filter multiple packets. We can accomplish this by filtering according to a TCP session or TCP stream. It is called Follow TCP Stream .

LEARN MORE  Best Tools To Monitor Linux
Follow TCP Stream
Follow TCP Stream

This will provide the following screen which provides the whole HTTP request and response session. We can also search these with bottomFind.

Packet Statistics

One of the best features is the packet statistics. We can get a lot of different type of statistics with the menuStatistics from up. We can get the following statistical information.

  • Endpoints
  • HTTP
  • IP
  • Ethernet
  • PRotocol Hierarchy
Packet Statistics
Packet Statistics

Stop Capturing

We can stop capturing network packets with Wireshark with the red button in the toolbar menu.

Save Captured Packets

We can save captured files. In order to save we firstly stop live packet capture. Then from the menuFile and save or Save as menus.

Save Captured Packets
Save Captured Packets

Open Capture Files Like Cap , Pcap

We can open already saved a different type of capture formats like cap,  pcap ,ngcap etc. from File menu. We can also open recently opened capture files.

Open Capture Files Like Cap , Pcap
Open Capture Files Like Cap , Pcap

2 thoughts on “Wireshark – How To Capture, Filter , Inspect Network Packets?”

  1. “How To Capture, Filter , Inspect Network Packets” is not a question. Please use the question mark when you’re posing a question.

    Reply

Leave a Comment