How to Use Wireshark to Capture, Filter and Inspect Network Packets
What is Wireshark?
Wireshark, formerly known as Ethereal, is a popular network packet analyzer tool which captures packets in real time. With the available filters, color-cording and other features, you can inspect individual packets. So, you can easily monitor what is going inside or outside of your network. This tool is basically used by Network security engineers and Network administrators to troubleshoot network problems and examine security-related issues.
Wireshark is available for Windows, Mac, and Unix platform. Most notable feature of the tool is that it can also open the file containing packet data captured by other tools. In this tutorial, we will how to WireShare to capture packets, filter them and inspect.
WireShare for Windows and Mac OS X can be downloaded from the official link. Download the latest version for your system. For users using Linux or another Unix, Distro will probably find the Wireshark in its package repositories or software center.
In this tutorial, I am using Wireshark 1.12.1 for Windows. Installation of this tool on Windows is very simple. You get easy to understand installer to install in on Windows.
Capturing Packets with WireShark
After installation, run WireShark. Click on the name of the interface under the Interface list at the left side of the WireShark Windows. I am using Wifi, so I will select the Wireless Network connection. Choose according to your system. If you are using LAN, you should select the Local Area Network.
I am using Wifi, so I will select the Wireless Network connection. Choose according to your system. If you are using LAN, you can select the Local Area Network. And it will start capturing the packets passing through this. You will also see realtime packets appearing on the tool.
At the top tool bar, you will see buttons to stop the packet sniffing, search packets and move to first or last packets and many other options.
Packet Color Coding
You will also notice that packets appear in different colors. Each packet is displayed in a specific color for a reason. Wireshark uses colors to let you easily identify he type of traffic. Green packets are for TCP traffic, Dark Blue means it is DNS packet, Black is for TCP packets with problems, Light Blue is for UDP traffic.
If you want to see all color rules, go to View Menu and then Coloring Rules. Here, you can also define your own coloring rules of edit the existing color rules as per your choice. To edit, select any existing rule and then select Edit button.
Working with Packets on WireShark
Every second, few more packets will appear and makes it difficult to work on a large number of packers. In few minutes, it can grow up to thousands of packets. So, you need to know how to filter packets and search for what you want to analyze.
If you want to see only TCP type and press enter. To find a packet based on certain criteria, press CTRL+F and then filter packets. Filter box gibes three options for finding packets.
- Display Filter: This option allows you to enter an expression-based filter, and it will find only those packets which match the criteria. (for example IP addr==192.168.0.1)
- Hex value: This option searches for packets with a hexadecimal value.
- String: This option searches for packets with a text string.