Wireshark: Beginner’s step by step guide


Wireshark is the world’s foremost and most widely used network protocol analyzer. It lets you see what’s happening on your network at a microscopic level. It is the de facto standard across many commercial and non-profit enterprises, government agencies, and educational institutions. This article is a tutorial, in other words a step-by-step practical guide to installing and using Wireshark. Follow the steps below to use Wireshark on a Linux system (Ubuntu was used for writing this article).

Install Wireshark

Open a terminal and type the following command to install Wireshark:

sudo apt update

sudo apt install wireshark


Press ‘y’ when prompted to use additional disk space. During installation, the Wireshark configuration screen asks “Should non-superusers be able to capture packets?”. For security reasons, it is not advisable to allow non-superusers to access Wireshark; alternatively, you may create a dedicated group of users who are allowed to use Wireshark. For now, continue by selecting ‘No’. The installation will then continue and complete successfully.

Open Wireshark

Type the following command to open Wireshark:

sudo wireshark

The Wireshark application window will open as shown below.

Wireshark may display an error because you have opened it as the superuser. Ignore it for now and press ‘OK’ to continue.


Wireshark settings before packet capture

Go to Capture → Options. It displays the interfaces your system has. For example, this system has nine interfaces:


Identify the IP address of the “lo” interface:

The IP address of the loopback “lo” interface is 127.0.0.1, as visible in the image above. Now follow the instructions below:

1. Click on Manage Interfaces

2. Check the “enp0s3” interface and uncheck all other interfaces, then press ‘OK’.

3. Uncheck “Enable promiscuous mode on all interfaces”.

What is promiscuous mode in Wireshark?

In a network, promiscuous mode allows a network device to intercept and read every network packet that arrives, in its entirety. This mode of operation is sometimes useful for a network snoop server that captures and saves all packets for analysis (for example, for monitoring network usage).

In an Ethernet local area network (LAN), promiscuous mode is a mode of operation in which every data packet transmitted can be received and read by a network adapter. Promiscuous mode is useful for monitoring network activity.

4. Press “Close” to close the options window. Wireshark returns to its main window with a single interface, as visible in the image below. The only available interface is the main Ethernet interface of your system.

Packet capturing in Wireshark

Start packet capturing by clicking “Capture” → “Start” button.


Wireshark will start capturing network packets and display a table.

Browse one or more websites.

After a while (15 to 20 seconds), stop capturing (“Capture” → “Stop”).


You can now observe a few things. Several packets have been captured by your system, and each packet is associated with a protocol. A few of them are as follows:

i. DNS – Domain Name System

ii. TCP – Transmission Control Protocol

iii. HTTP – Hypertext Transfer Protocol

iv. TLSv1.2 – Transport Layer Security Version 1.2

v. OCSP – Online Certificate Status Protocol

Filters in Wireshark

The table displays a comprehensive list of the packets that Wireshark has captured. There are two types of filters in Wireshark: display filters and capture filters.

Display Filters

Display filters can be applied to already captured packets. Let us check out some examples of display filters: type the expression in the display filter bar and click the arrow button (or press Enter) to apply it, as given below:

a. TCP:


Observations: It displays only the packets that relate to TCP and associated protocols, i.e. TCP, HTTP, TLSv1.2 and OCSP. It hides other packets.

b. UDP:


Observations: Wireshark displays only the packets that relate to UDP, for example DNS. It hides other packets.

It is noteworthy that Wireshark filters the packets in display only. The captured packets are still available.

Capture Filters

You can use capture filters to restrict the type of packets to capture. They must be set before starting the packet capture. Capture filters are applied by typing them in the “Capture … using this filter” input box, as illustrated in the image below:


Let us check out some examples of capture filters. For each of the following filters, type it in the capture filter box and start a new capture:

a. TCP:


Write ‘tcp’ in the capture filter box and start the packet capture.


Observations: Only packets that use the underlying TCP protocol are captured.

b. UDP


Write ‘udp’ in the capture filter box and start the packet capture.


Observations: Only packets that use the underlying UDP protocol are captured.

c. TCP Port 22


Write ‘tcp port 22’ in the capture filter box and start the packet capture.


Observations: No packets are captured (port 22 is used by SSH, which is not in use in this case).

Note: Coloring rules – Depending on the protocol (IP, TCP, ARP, etc.), packets are shown in different colors. These rules can be changed from View → Coloring Rules.

Now identify IP addresses by observing the packets in Wireshark: find your own IP address and the IP address of the website you visited:


My machine’s IP address is 10.0.2.15 and Yahoo.com’s IP address is 106.10.178.36.

Save the output after stopping the capture with File → Save As:


Close the capture and then open the saved pcap file.

The pcap file will open in Wireshark:


More display filter examples

a. ip.addr == Your IP address


Observations: Only the packets that have the IP address 10.0.2.15 as either the source or the destination address are displayed.

b. ip.src == Your IP address


Observations: Only the packets that have the IP address 10.0.2.15 as the source address are displayed.

c. ip.dst == Your IP address


Observations: Only the packets that have the IP address 10.0.2.15 as the destination address are displayed.

d. dns and http


Observations: No packet is displayed, because each packet is associated with only one of these protocols: DNS uses UDP whereas HTTP uses TCP.

e. tcp.port == 443

Observations: Only packets with protocol = TCP AND port 443 as either the source or the destination port are displayed.

f. tcp.analysis.flags

Observations: Displays the packets that Wireshark’s TCP analysis has flagged, such as retransmissions, duplicate ACKs and out-of-order segments.

g. !(arp or dns or icmp)

Observations: All packets except ARP or DNS or ICMP are displayed.

h. tcp contains facebook

Observations: All TCP packets that contain the word “facebook” will be displayed.

i. udp contains facebook

Observations: All UDP packets that contain the word “facebook” will be displayed.

j. http.request

Observations: All HTTP request packets sent from the PC will be displayed.

k. http.response.code == 200

Observations: The HTTP responses with status code 200, i.e. those in which the server reports that the request was fulfilled successfully, will be displayed; the filter matches on the status code, not on the response content.

l. tcp.flags.syn == 1

Observations: Displays all TCP packets with SYN flag = true.

m. tcp.flags.reset == 1

Observations: Displays all TCP packets with RST flag = true.

n. sip && rtp

Observations: No packets are displayed, because a packet is associated with either the Session Initiation Protocol (SIP) or the Real-time Transport Protocol (RTP), never both: the session is first set up by SIP and the data is then carried by RTP.
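The display filters above are evaluated one packet at a time, which is why ip.addr matches either direction, tcp.port matches either port and “dns and http” can never match. The Python script below is an added illustration, not code from the original article: it builds a few constructed Ethernet/IPv4 frames (10.0.2.15 and 106.10.178.36 are the addresses from this tutorial; 10.0.2.3 is an assumed DNS resolver) and re-implements those filters over them with Wireshark’s semantics.

```python
import socket
import struct

# Constructed sample frames (not from a real capture): Ethernet/IPv4 + minimal TCP/UDP.
ME, WEB, RESOLVER = "10.0.2.15", "106.10.178.36", "10.0.2.3"   # RESOLVER is assumed

def ipv4(src, dst, proto, l4):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + hdr + l4        # 14-byte Ethernet header first

def tcp(sport, dport, flags, data=b""):             # 20-byte TCP header, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 0, 0, 0) + data

def udp(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

FRAMES = [
    ipv4(ME, RESOLVER, 17, udp(51000, 53, b"\x12\x34\x01\x00")),   # 1: DNS query
    ipv4(ME, WEB, 6, tcp(44000, 443, 0x02)),                        # 2: SYN
    ipv4(WEB, ME, 6, tcp(443, 44000, 0x12)),                        # 3: SYN/ACK
    ipv4(ME, WEB, 6, tcp(44000, 443, 0x18, b"GET / HTTP/1.1\r\nHost: facebook\r\n")),  # 4
]

def parse(frame):
    """Decode just the fields the display filters below refer to."""
    ip = frame[14:]
    l4 = ip[(ip[0] & 0x0F) * 4:]                     # skip the IPv4 header (IHL words)
    sport, dport = struct.unpack("!HH", l4[:4])
    pkt = {"ip.src": socket.inet_ntoa(ip[12:16]), "ip.dst": socket.inet_ntoa(ip[16:20]),
           "ports": {sport, dport}}
    if ip[9] == 6:                                   # protocol 6 = TCP
        pkt.update(proto="tcp", flags=l4[13], payload=l4[(l4[12] >> 4) * 4:])
    else:                                            # protocol 17 = UDP
        pkt.update(proto="udp", flags=0, payload=l4[8:])
    return pkt

# Display-filter predicates with Wireshark's semantics.
FILTERS = {
    "ip.addr == 10.0.2.15": lambda p: ME in (p["ip.src"], p["ip.dst"]),        # either end
    "ip.src == 10.0.2.15": lambda p: p["ip.src"] == ME,
    "tcp.port == 443": lambda p: p["proto"] == "tcp" and 443 in p["ports"],     # either port
    "tcp.flags.syn == 1": lambda p: p["proto"] == "tcp" and bool(p["flags"] & 0x02),
    "tcp contains facebook": lambda p: p["proto"] == "tcp" and b"facebook" in p["payload"],
    # One packet is either UDP/53 (DNS) or TCP (HTTP), never both, so this is always empty.
    "dns and http": lambda p: p["proto"] == "udp" and 53 in p["ports"] and p["proto"] == "tcp",
}

def matches(expr):                                   # 1-based frame numbers left visible
    return [i for i, f in enumerate(FRAMES, 1) if FILTERS[expr](parse(f))]
```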

Statistics in Wireshark

1. Start a new capture in Wireshark.

2. Browse a couple of websites.

3. Stop the capture after a while (30 to 40 seconds).

4. Explore Statistics → Endpoints to identify the entities involved in the capture.

Let’s answer a few questions from the above observations.

a. How many Ethernet endpoints are visible?

Two Ethernet endpoints are visible.

Is your PC’s MAC address part of the Ethernet endpoints?

Yes, MAC addresses are part of the Ethernet endpoints.

b. How many IP addresses are visible? There are 30 IP addresses visible in total.

Is your PC’s IP address part of the IPv4 endpoints?

Yes, my PC’s IP address is part of the IPv4 endpoints.

5. Explore Statistics → Conversations to see flows (pairs of endpoints).

a. Sort on different columns in the TCP tab, e.g. Duration, Packets, Address A, Rel Start etc.

b. Experiment with the “Follow Stream” button in the popup dialog, which adds a display filter.


6. Explore Statistics → Flow Graph to understand the sequence of events in the filtered capture.


7. Explore Statistics → Packet Lengths to get a list of the different packet size ranges and their statistics.


8. Explore Statistics → IO Graph for the complete communication, and again after filtering for TCP communication.


a. Compare two TCP flows, e.g. streams 6 and 4 below.

b. Observe the time slider below the graph.


We hope the above information was useful for you. Alas! Information keeps on updating. Follow us on social media, subscribe to our blog or subscribe to our YouTube channel to receive the latest updates.