Wireshark | Getting Started

Wireshark is an open source packet analyzer used for network troubleshooting, protocol analysis and software development.

  • What does it do?
    • Wireshark lets its user capture and view the raw packets being transmitted over a network. Its main purpose is to capture network packets and dissect them, layer by layer, so they can be analyzed while troubleshooting an issue.
  • How is it different from tcpdump?
    • Wireshark is very similar to tcpdump, with one major difference: it has a graphical user interface (GUI), along with integrated sorting, filtering and protocol-dissection features. Both tools use the same capture library (libpcap, or Npcap on Windows) and the same capture-filter syntax, so capture files can be exchanged between them.
  •  Download and Install Wireshark
  1. Launch Wireshark.
  2. Select the name of the network interface that you are going to capture on. Note that capturing requires the appropriate privileges on the interface (on Linux, the installer can set up a group for this).

  3. After you select the interface, you will begin seeing packets in real time.
    • Wireshark captures packets being sent to and from your workstation in real time (and, with promiscuous mode enabled, any other traffic that reaches the interface).
  4. Here is a breakdown of the UI after you have selected an interface:

    1. On the main UI, you see the menu bar at the top. Its menus let you use Wireshark in different ways:
      1. File – The primary menu. It contains options to open, merge, save, print and export capture files.
      2. Edit – Contains items to find a packet, set time references or mark one or more packets, handle configuration profiles and set preferences.
      3. View – Contains controls for how captured packets and data are displayed. Here you can change packet coloring rules, show a packet’s content in a separate window and adjust the font.
      4. Go – Lets a user jump to a specific packet.
      5. Capture – Lets a user start and stop capture sessions and edit capture filters.
      6. Analyze – Here you can find tools to manipulate display filters, enable or disable dissection of protocols, follow a TCP stream and configure user-specified decodes (“Decode As”).
      7. Statistics – Displays statistics windows, including a summary of the captured packets and the protocol hierarchy.
      8. Telephony – Displays telephony-related statistics windows, including VoIP calls, RTP stream analysis, flow diagrams and more.
      9. Wireless – Shows Bluetooth and 802.11 wireless statistics.
      10. Tools – Contains a number of additional tools available in Wireshark.
      11. Help – Contains items to help a user: basic information, the user’s guide and manual pages for the command-line tools.
  5. As you can see, the UI is fairly straightforward. You have a number of controls that let you filter the incoming and outgoing packets in real time.
    1. Furthermore, a user can type a display filter into the filter bar, or build one with the expression editor, for greater control when looking for a specific protocol or IP address. Keep in mind that a display filter such as “http” only hides packets from view; a capture filter (set under Capture, using tcpdump syntax such as “port 80”) stops them from being recorded at all.
      1. The following example uses the display filter “http” to show only HTTP packets.
      2. Here you can analyze a packet for its information. Wireshark separates the relevant data into layers.
      3. Here you can see that the data is broken out following the layers of the TCP/IP stack. Here is the breakdown:
        1. Frame: Tells us the frame number, timing information relative to the previous packet and the start of the capture, the frame length, the protocols within the frame and the coloring rule that matched.
        2. Ethernet II: Tells us the packet’s source and destination MAC addresses, indicated by “Src” and “Dst”, plus the EtherType of the next layer.
        3. Internet Protocol: Tells us the source and destination IP addresses, but it also tells us the version, header details (length, identification, flags, checksum) and the packet’s time to live (TTL).
        4. TCP: Shows the ports involved and the sequence and acknowledgement numbers to follow. It will also show you the different “flags” (SYN, ACK, PSH, FIN and so on) along with their values.
        5. HTTP: Tells us the HTTP version, server information, timeout value, connection status, content type and character set used in the communication.
        6. Line-based text data: This contains the HTML source code (the response body).
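To make the layer breakdown above concrete (and to show what a display filter such as “http” actually tests), here is an added example that dissects one frame into the same Frame / Ethernet II / Internet Protocol / TCP / HTTP / Line-based text data layers and then evaluates a couple of simple display filters against it. This is example code written for this post, not Wireshark’s own dissector: the frame is a constructed HTTP response (addresses from the documentation ranges), the filter evaluator only understands a bare protocol name or one “proto.field == value” test, and VLAN tags, IP options and TCP options are not handled.

```python
"""Dissect one Ethernet II / IPv4 / TCP / HTTP frame into the layers that
Wireshark's packet-details pane shows, then test it against a display
filter.  Added example for this post; it is not Wireshark code and only
handles the simple case (no VLAN tags, IP options or TCP options)."""
import struct

HTTP_PORT = 80  # Wireshark also dissects HTTP on TCP port 80 by default


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over a header whose checksum field is zeroed."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sample_frame() -> bytes:
    """Constructed sample (not a real capture): an HTTP response from
    93.184.216.34:80 to 192.168.1.10:52344, PSH+ACK, TCP checksum left 0."""
    body = b"<html><body>hello</body></html>\r\n"
    http = (b"HTTP/1.1 200 OK\r\nServer: example\r\n"
            b"Content-Type: text/html; charset=UTF-8\r\n"
            b"Connection: keep-alive\r\n\r\n") + body
    tcp = struct.pack("!HHIIBBHHH", HTTP_PORT, 52344, 0x1000, 0x2000,
                      5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(http)
    src, dst = bytes([93, 184, 216, 34]), bytes([192, 168, 1, 10])
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                     64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]  # fill checksum
    eth = bytes.fromhex("00005e00530a") + bytes.fromhex("00005e005301") + b"\x08\x00"
    return eth + ip + tcp + http


def mac(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)


def dissect(frame: bytes) -> dict:
    """Return layer name -> decoded fields, in the order the GUI lists them."""
    layers = {"Frame": {"length": len(frame), "protocols": ["eth"]}}
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    layers["Ethernet II"] = {"src": mac(src), "dst": mac(dst), "type": "0x%04x" % ethertype}
    if ethertype != 0x0800:          # only IPv4 is decoded here
        return layers
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, ident, flags_frag, ttl, proto, csum = struct.unpack("!HHHBBH", ip[2:12])
    zeroed = ip[:10] + b"\x00\x00" + ip[12:ihl]       # header with checksum field cleared
    layers["Internet Protocol"] = {
        "version": ip[0] >> 4, "header_len": ihl, "total_len": total_len,
        "id": ident, "ttl": ttl, "proto": proto,
        "checksum_ok": ipv4_checksum(zeroed) == csum,
        "src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20]))}
    layers["Frame"]["protocols"].append("ip")
    if proto != 6:                   # only TCP is decoded here
        return layers
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off, flags, win, _, _ = struct.unpack("!HHIIBBHHH", tcp[:20])
    flag_bits = ((1, "FIN"), (2, "SYN"), (4, "RST"), (8, "PSH"), (16, "ACK"), (32, "URG"))
    layers["TCP"] = {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
                     "flags": [n for bit, n in flag_bits if flags & bit], "window": win}
    layers["Frame"]["protocols"].append("tcp")
    payload = tcp[(off >> 4) * 4:]
    if HTTP_PORT in (sport, dport) and b"\r\n\r\n" in payload:
        head, body = payload.split(b"\r\n\r\n", 1)
        lines = head.decode("ascii", "replace").split("\r\n")
        headers = dict(l.split(": ", 1) for l in lines[1:] if ": " in l)
        layers["HTTP"] = {"start_line": lines[0], "headers": headers}
        layers["Frame"]["protocols"].append("http")
        if body:                     # the "Line-based text data" row
            layers["Line-based text data"] = body.decode("utf-8", "replace").splitlines()
    return layers


# Minimal display-filter evaluator: a bare protocol name ("http") or one
# "proto.field == value" test, the two forms used in this post.
PROTO_KEYS = {"eth": "Ethernet II", "ip": "Internet Protocol", "tcp": "TCP", "http": "HTTP"}


def matches(layers: dict, expr: str) -> bool:
    expr = expr.strip()
    if "==" not in expr:
        return PROTO_KEYS.get(expr, expr) in layers
    lhs, rhs = (s.strip() for s in expr.split("==", 1))
    proto, field = lhs.split(".", 1)
    layer = layers.get(PROTO_KEYS[proto])
    if layer is None:
        return False
    if field == "port":              # tcp.port matches either direction, as in Wireshark
        return rhs in (str(layer["src_port"]), str(layer["dst_port"]))
    return str(layer.get(field)) == rhs


if __name__ == "__main__":
    decoded = dissect(build_sample_frame())
    for name, fields in decoded.items():
        print(name, fields)
    for f in ("http", "tcp.port == 80", "ip.src == 192.168.1.10"):
        print("filter %-24s -> %s" % (f, matches(decoded, f)))
```

Running it prints the six layers in the same order as the GUI, followed by the filter results: “http” and “tcp.port == 80” match the sample frame, while “ip.src == 192.168.1.10” does not because that address is the destination. The IP checksum is recomputed and compared, which is the same check Wireshark performs when checksum validation is turned on in the IPv4 protocol preferences.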
