Wireshark

Wireshark Network Analysis Tool

What is Wireshark?


Wireshark is a free, open-source packet analyser. It is generally used by administrators for analysing traffic on a network and troubleshooting network issues. Wireshark, formerly known as "Ethereal", was renamed "Wireshark" in 2006. Wireshark is available for most Linux distributions and can be installed normally from most repositories.

Debian Based systems can install Wireshark by issuing the following command from a terminal: sudo apt-get install wireshark

Red Hat Based distributions can install Wireshark by issuing the following command from a terminal: yum install wireshark

SLES/openSUSE distributions can install Wireshark by issuing the following command from a terminal: zypper install wireshark

Alternatively, you can download the packages and source code for wireshark from their main website:

Download Wireshark

Wireshark is a specialised tool that understands many network protocols and their structures. This enables Wireshark to display the structure of each packet along with descriptions of its fields. Wireshark uses "pcap" to capture packets (pcap - packet capture, implemented in the libpcap library under Linux). Wireshark can read data from "Ethernet", "802.11", "PPP" and "loopback" networks. A command line version of Wireshark known as "Tshark" is also available for download. Wireshark uses simple filter expressions to remove unwanted data from its captures.



Basic wireshark Overview


The following screenshots have been taken from the Wireshark version running on an Ubuntu 12.04 installation. To start Wireshark under Ubuntu, you must issue the command: gksudo wireshark from your terminal. You will be prompted for your root password.


Wireshark Home Page

Capturing Data


To start the capture process you first need to select an interface. If you are using a "wireless" adaptor, then select that interface. If you are using a wired connection, then you should select that interface. In the example above, I am connected via the interface "eth0". To select your chosen interface, simply click on its name under the "Interface List". Once you have selected your interface, you should see traffic start to appear immediately within the output window. To stop the Live Capture process at any time, simply click on the stop capture icon located on the upper toolbar.



The Live Capture data is stored in a temporary file located in the "/tmp" area. These files normally have a name similar to "wireshark_eth0_20130428211412_AGOOT7". The file can be identified by its interface name and also by the time and date stamp applied. If you don't want to keep this data, you can click on the cross (eighth icon across) and answer "Continue without Saving". Alternatively, if you decide to keep the data, you can click on the save icon (seventh icon across). You can then give your save file a custom name.


Wireshark Packet Capture

Wireshark - Colour Codes


As you can see from the above live capture image, wireshark colours each line with a specific colour. These colours correspond to various types of information. These colours are customizable, however, I would recommend using the default colour scheme.


Wireshark Colour Codes

The above is an example of the colours used from the standard default profile.



Filtering Packet Information


The output from Wireshark can be very verbose by nature; however, you can reduce the amount of information displayed on your screen by using the filter box located in the upper left of the screen. Here you can filter by protocol such as "http", "smb" or "dns". This can be very helpful if you are working on a particular issue. You can also use a "Capture Filter" from the pull-down Capture menu. Here you can be more specific about the data that is captured from your interface: you can filter by IP address, range of IP addresses or port number. A useful list of filters is available from the Wireshark wiki page: Capture Filters. Another option is to use the filter option under the "Analyse" menu. Here you can create new display filters.


Follow TCP Stream


An extremely useful feature of Wireshark is its ability to select a specific stream or conversation for further analysis. To follow a conversation between the local machine and the remote server, simply "right click" one of the packets and select the option "Follow TCP Stream". You should now see a pop-up box displaying the reassembled contents of the selected conversation. The useful part is that when you close this pop-up box, a filter has automatically been applied: only packets exchanged between your local machine and the remote server are now displayed. You should also see that a filter has been populated in the upper left hand filter box (see image below).
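The pcap file format mentioned earlier, the display filters from the previous section and the "Follow TCP Stream" reassembly described above are all simple enough to reproduce in a few dozen lines. The script below is an added example written for this article, not Wireshark's or libpcap's own code. It builds a small constructed capture (documentation IP addresses, dummy MACs, zero checksums), reads it back as a classic little- or big-endian pcap file, dissects only Ethernet/IPv4/TCP frames, applies the equivalent of "tcp.port == 80" or "ip.addr == X", and then reassembles both directions of one conversation by sequence number, which is how the out-of-order reply segments in the sample still come out readable. The function names (make_tcp_frame, build_pcap, read_pcap, dissect, filter_packets, follow_tcp_stream, analyse) are this example's own; pcapng files are deliberately rejected.

```python
import struct

LINKTYPE_ETHERNET = 1          # pcap link type for Ethernet frames
PCAP_MAGIC = 0xA1B2C3D4        # classic (non-pcapng) pcap magic number

def make_tcp_frame(src, sport, dst, dport, seq, payload, flags=0x018):
    """Build a constructed Ethernet/IPv4/TCP frame. Checksums are left zero:
    fine for parsing practice, never valid on the wire."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    eth = b"\x02" * 6 + b"\x02" * 6 + struct.pack("!H", 0x0800)   # dummy MACs, EtherType IPv4
    return eth + ip + tcp

def build_pcap(packets):
    """Serialise (timestamp, frame) pairs as a little-endian classic pcap file."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts, frame in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)

def read_pcap(data):
    """Yield (timestamp, frame) from a classic pcap file; byte order comes from the magic."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack(end + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl]
        if len(frame) < incl:
            raise ValueError("truncated packet record")   # a cut-off capture file
        off += incl
        yield sec + usec / 1e6, frame

def dissect(frame):
    """Dissect Ethernet/IPv4/TCP; return None for anything else (ARP, UDP, IPv6...)."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if len(ip) < ihl + 20 or ip[9] != 6:       # IP protocol 6 = TCP
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    return {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "sport": sport, "dport": dport, "seq": seq, "payload": tcp[data_off:]}

def filter_packets(pkts, port=None, host=None):
    """Display-filter equivalent of 'tcp.port == N' and/or 'ip.addr == A.B.C.D'."""
    return [p for p in pkts
            if (port is None or port in (p["sport"], p["dport"]))
            and (host is None or host in (p["src"], p["dst"]))]

def follow_tcp_stream(pkts, selected):
    """Reassemble both directions of the conversation that `selected` belongs to,
    ordering segments by sequence number so out-of-order captures still read cleanly."""
    ends = {(selected["src"], selected["sport"]), (selected["dst"], selected["dport"])}
    streams = {e: [] for e in ends}
    for p in pkts:
        s, d = (p["src"], p["sport"]), (p["dst"], p["dport"])
        if s in ends and d in ends and p["payload"]:
            streams[s].append((p["seq"], p["payload"]))
    return {e: b"".join(pl for _, pl in sorted(segs, key=lambda x: x[0]))
            for e, segs in streams.items()}

# Constructed sample capture (not real traffic): one HTTP exchange whose reply
# segments are recorded out of order, plus an unrelated packet to port 53.
CLIENT, SERVER, OTHER = "192.0.2.10", "198.51.100.20", "192.0.2.11"
SAMPLE_PCAP = build_pcap([
    (1.0, make_tcp_frame(CLIENT, 40001, SERVER, 80, 1000, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")),
    (1.2, make_tcp_frame(SERVER, 80, CLIENT, 40001, 5038, b"ok")),
    (1.1, make_tcp_frame(SERVER, 80, CLIENT, 40001, 5000, b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\n")),
    (1.3, make_tcp_frame(OTHER, 40002, SERVER, 53, 7000, b"\x00\x1c" + b"\x00" * 28)),
])

def analyse(pcap_bytes=SAMPLE_PCAP):
    """Parse a capture, apply the 'tcp.port == 80' filter and follow the first matching stream."""
    pkts = []
    for _ts, frame in read_pcap(pcap_bytes):
        p = dissect(frame)
        if p:
            pkts.append(p)
    http = filter_packets(pkts, port=80)
    stream = follow_tcp_stream(pkts, http[0]) if http else {}
    return len(pkts), len(http), stream

if __name__ == "__main__":
    total, matched, stream = analyse()
    print(f"{total} TCP packets, {matched} match tcp.port == 80")
    for endpoint, data in stream.items():
        print(f"{endpoint[0]}:{endpoint[1]} -> {data!r}")
```

Running the script prints the four TCP packets found, the three that survive the port-80 filter, and the two reassembled directions of the HTTP conversation, with the "ok" body correctly placed after the headers even though it appears first in the file. Wireshark does the same work with far more protocols and with retransmission and gap handling; the point here is that a saved pcap from "/tmp" or from the save icon is a plain, well-documented format you can inspect with your own tools when the GUI is not available.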


Wireshark Colour Codes

Online Manual - Wireshark Website


The best way to fully understand Wireshark and all of its many features and functionality is to have a read of the excellent online manual that is available from the product's main website:

Click to visit Online Manual: Wireshark Online Manual

If you are interested in packet analysis, you may also be interested in "tcpdump", which is also capable of capturing data and can read captures taken with Wireshark. For further information on tcpdump, follow our link: tcpdump command