Wireshark is a popular network packet capture and analysis tool. It was previously named Ethereal. Wireshark captures packets from different types of interfaces and prints them to the screen as a flowing list. It also provides detailed information about a specific packet. Wireshark can also read previously captured packets in different formats like cap, pcap etc.
Download and Install
Wireshark is supported by a lot of platforms. Let’s install
Windows:
For the Windows operating system, we need to download the Wireshark installation file from the official web site. The latest version of Wireshark can be downloaded from the following link.
https://www.wireshark.org/#download
Different types of installers are provided for Windows, such as 32-bit, 64-bit and portable. If we do not have the required privileges to install applications, we can use the portable Wireshark, which does not need installation.
Ubuntu, Debian, Mint:
Ubuntu, Debian, Mint and other deb based distributions provide Wireshark from their official repositories. Just issue the following command to install Wireshark.
$ sudo apt install wireshark-qt
Fedora, CentOS, RedHat:
Fedora, CentOS, and RedHat provide the Wireshark package in their repositories too. To install Wireshark on Fedora, CentOS and RedHat, issue the following command.
$ sudo yum install wireshark-qt
Select Interface and Capture Packets
One of the fundamental operations in Wireshark is selecting an interface to capture network packets from. When we open Wireshark we will see the following screen. Available interfaces are listed by name, and the current network traffic on each interface is shown with a simple graph.

Here we will see that the interface named Local Area Connection has some network traffic. By the way, Wireshark can listen to USB interfaces too.
We double-click on Local Area Connection and this will start network capture on this interface, and a new screen will be opened where the network packets flow.

Show Specific Packet Details
We generally look at some specific packets to analyze. We can locate the packet we want from the right side of the packet flow list and click on it. This will show detailed packet information in the middle section, where Frame, Ethernet, IP, TCP/UDP, and application layer information is provided. In the lowest and third section, we will see application layer data in hex format.

Filter Captured Packets
In a busy network, there will be a lot of packets flying around, which makes inspecting packets one by one a very hard job. Wireshark has very powerful filtering features. We can filter captured packets by protocol (IP, TCP, UDP), IP address, source address, destination address, TCP port, MAC address, DNS packet, SNMP packet, etc. There are a lot of them, so we will look only at the most popular ones. We can get the whole list of supported filter expressions by clicking the Expression button in the upper left corner. We can see the filter textbox and the Expression button.

List of supported expressions. As we can see there are a lot of protocols like.
Filter ARP Packets
In this example we will filter ARP packets so that the packet list section shows only ARP protocol packets. We will only use arp in the filter box.
arp

Filter According To Destination IP Address
Another popular usage is filtering packets that have a specified destination IP address. In this example, we will filter and show only those packets whose destination IP address is 192.168.122.1.
ip.dst == 192.168.122.1

Filter According To Source IP Address
We can also filter by source IP address. In this example, we will filter on the source IP address 192.168.122.1.
ip.src == 192.168.122.1

Filter DNS Packets
We can filter DNS packets with the keyword dns like below.
dns
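The four display filters above, applied to a classic pcap file in plain Python. This is an added example, not part of the original tutorial: the sample capture is constructed, the helper names (`build_pcap`, `read_pcap`, `dissect`, `apply_filter`, `eth`, `udp_ip`) are hypothetical, and DNS is approximated as TCP/UDP port 53 rather than dissected as Wireshark does.

```python
import socket, struct

def build_pcap(frames):
    """Pack raw Ethernet frames into a classic little-endian pcap byte string."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # 1 = Ethernet
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Yield each captured frame from a classic pcap byte string."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap file")
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack_from("<I", data, off + 8)[0]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def dissect(frame):
    """Decode arp, ip.src, ip.dst and dns (approximated as TCP/UDP port 53)."""
    info = {"arp": False, "ip.src": None, "ip.dst": None, "dns": False}
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype == 0x0806:
        info["arp"] = True
    elif ethertype == 0x0800:
        info["ip.src"] = socket.inet_ntoa(frame[26:30])
        info["ip.dst"] = socket.inet_ntoa(frame[30:34])
        if frame[23] in (6, 17):  # TCP/UDP: ports follow the IP header (IHL words)
            ports = struct.unpack_from("!HH", frame, 14 + (frame[14] & 0x0F) * 4)
            info["dns"] = 53 in ports
    return info

def apply_filter(pcap_bytes, field, value=True):
    """Return 0-based indexes of frames where field == value, like a display filter."""
    return [i for i, f in enumerate(read_pcap(pcap_bytes)) if dissect(f)[field] == value]

def eth(ethertype, payload):  # constructed frame: broadcast dst, made-up src MAC
    return b"\xff" * 6 + b"\x52\x54\x00\x00\x00\x01" + struct.pack("!H", ethertype) + payload

def udp_ip(src, dst, sport, dport):  # constructed IPv4+UDP headers, checksums left 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth(0x0800, ip + struct.pack("!HHHH", sport, dport, 8, 0))

SAMPLE = build_pcap([eth(0x0806, bytes(28)),  # ARP, then DNS query, DNS reply, NTP
    udp_ip("192.168.122.10", "192.168.122.1", 40000, 53),
    udp_ip("192.168.122.1", "192.168.122.10", 53, 40000),
    udp_ip("192.168.122.10", "10.0.0.5", 40001, 123)])
```

Calling `apply_filter(SAMPLE, "ip.dst", "192.168.122.1")` corresponds to typing `ip.dst == 192.168.122.1` in the filter box.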

Follow TCP Stream
During a regular web page load or request, there will be several round trips to download data. If we need to inspect the whole request and response traffic, we need to filter multiple packets. We can accomplish this by filtering on a TCP session or TCP stream. This is called Follow TCP Stream.

This will open the following screen, which shows the whole HTTP request and response session. We can also search it with Find at the bottom.
Packet Statistics
One of the best features is packet statistics. We can get many different types of statistics from the Statistics menu at the top. We can get the following statistical information.
- Endpoints
- HTTP
- IP
- Ethernet
- Protocol Hierarchy

Stop Capturing
We can stop capturing network packets with the red button in the toolbar.
Save Captured Packets
We can save captured packets to a file. To save, we first stop the live packet capture. Then we use Save or Save as from the File menu.

Open Capture Files Like Cap, Pcap
We can open previously saved capture files in different formats like cap, pcap, pcapng etc. from the File menu. We can also reopen recently opened capture files.

“How To Capture, Filter , Inspect Network Packets” is not a question. Please use the question mark when you’re posing a question.
Hi,
Thanks for your suggestion. I have updated the headline.
Have a nice day.