How to Use Wireshark to Capture, Filter and Inspect Network Packets


What is Wireshark?

Wireshark, formerly known as Ethereal, is a popular network packet analyzer that captures packets in real time. With its filters, color coding and other features, you can inspect individual packets, so you can easily see what traffic is entering or leaving your network. The tool is mainly used by network security engineers and network administrators to troubleshoot network problems and examine security-related issues.

Wireshark is available for Windows, Mac and Unix platforms. One notable feature is that it can also open capture files produced by other tools. In this tutorial, we will see how to use Wireshark to capture packets, filter them and inspect them.

Wireshark for Windows and Mac OS X can be downloaded from the official link. Download the latest version for your system. Users of Linux or another Unix distribution will probably find Wireshark in their package repositories or software center.

Download Wireshark

In this tutorial, I am using Wireshark 1.12.1 for Windows. Installation of this tool on Windows is very simple: the installer is easy to follow.

Capturing Packets with Wireshark

After installation, run Wireshark. Click on the name of the interface under the Interface List at the left side of the Wireshark window. I am using Wifi, so I will select the Wireless Network connection. Choose according to your system; if you are using LAN, select the Local Area Network. Wireshark will start capturing the packets passing through that interface, and you will see packets appearing in the tool in real time.

Wireshark Live Packets

In the toolbar at the top, you will see buttons to stop the packet capture, search packets, jump to the first or last packet, and many other options.

Packet Color Coding

You will also notice that packets appear in different colors. Each packet is displayed in a specific color for a reason: Wireshark uses colors to let you easily identify the type of traffic. Green packets are TCP traffic, dark blue means it is a DNS packet, black is for TCP packets with problems, and light blue is for UDP traffic.

If you want to see all the color rules, go to the View menu and then Coloring Rules. Here you can also define your own coloring rules or edit the existing ones as you like. To edit, select an existing rule and then click the Edit button.

Wireshark Coloring rules

Working with Packets in Wireshark

Every second, a few more packets appear, which makes it difficult to work with such a large number of packets. In a few minutes, the list can grow to thousands of packets. So you need to know how to filter packets and search for what you want to analyze.

If you want to see only TCP packets, type tcp in the filter box and press Enter. To find a packet based on certain criteria, press CTRL+F. The find box gives three options for finding packets.

Wireshark packet filters


  1. Display Filter: This option allows you to enter an expression-based filter, and it will find only those packets which match the criteria (for example ip.addr==192.168.0.1).
  2. Hex value: This option searches for packets with a hexadecimal value.
  3. String: This option searches for packets with a text string.
The most basic way to filter is to use the filter box above the packet list. It applies display filters by default. When you start typing in this text box, auto-complete will suggest filters. To see the saved display filters, click on the Analyze menu at the top and then select “Display Filters”.

Wireshark display filters

Select any packet, right-click on it and select Follow TCP Stream (or Follow UDP Stream / Follow SSL Stream) to see all packets of the conversation between the client and the server. It will show the full stream of packets.

Follow stream Wireshark

Wireshark automatically applies this filter to the main window, which then shows only the packets of this conversation.

Double-clicking on any packet opens the packet details, where you can dig into that specific packet.

Wireshark is a very powerful tool, and in this tutorial I only tried to discuss the very basics. Professionals use it to inspect protocols and security problems on the network.
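To show how the display filters described above decide which packets stay in the list, here is a small model added for this page (not Wireshark's own code): the packets are constructed dicts whose keys follow Wireshark's filter field names, and the evaluator supports ==, !=, bare protocol names, !(...), && and ||.

```python
import re

# Constructed sample packets (not a real capture). Keys follow Wireshark's
# display-filter field names; port fields hold [source, destination].
PACKETS = [
    {"no": 1, "ip.src": "192.168.0.1", "ip.dst": "8.8.8.8", "udp.port": [53412, 53], "dns": True},
    {"no": 2, "ip.src": "8.8.8.8", "ip.dst": "192.168.0.1", "udp.port": [53, 53412], "dns": True},
    {"no": 3, "ip.src": "192.168.0.1", "ip.dst": "93.184.216.34", "tcp.port": [50001, 443]},
    {"no": 4, "ip.src": "10.0.0.5", "ip.dst": "10.0.0.9", "tcp.port": [22, 50222]},
]

COMPARISON = re.compile(r"^([\w.]+)\s*(==|!=)\s*(\S+)$")

def field_values(pkt, name):
    """All occurrences of a field: ip.addr covers ip.src and ip.dst,
    and tcp.port / udp.port cover both the source and destination port."""
    if name == "ip.addr":
        return [pkt[k] for k in ("ip.src", "ip.dst") if k in pkt]
    value = pkt.get(name, [])
    return value if isinstance(value, list) else [value]

def eval_term(pkt, term):
    """One comparison, a bare protocol/field name, or !(...) around either."""
    term = term.strip()
    if term.startswith("!"):
        inner = term[1:].strip()
        if inner.startswith("(") and inner.endswith(")"):
            inner = inner[1:-1]
        return not eval_term(pkt, inner)
    m = COMPARISON.match(term)
    if not m:  # bare name such as "dns": true when the packet has that field
        return bool(field_values(pkt, term))
    name, op, wanted = m.groups()
    present = [str(v) for v in field_values(pkt, name)]
    if op == "==":
        return wanted in present
    # Wireshark 1.x semantics: "!=" is true if ANY occurrence differs, so "ip.addr != X"
    # keeps nearly every packet; use "!(ip.addr == X)". Wireshark 3.6+ changed "!=" to mean that.
    return any(v != wanted for v in present)

def matches(pkt, expr):
    """Terms joined by && and ||; && binds tighter, as in Wireshark."""
    return any(all(eval_term(pkt, t) for t in clause.split("&&"))
               for clause in expr.split("||"))

def apply_filter(expr, packets=PACKETS):
    """Packet numbers that stay in the list after the display filter is applied."""
    return [p["no"] for p in packets if matches(p, expr)]
```

Calling apply_filter("ip.addr != 192.168.0.1") returns all four sample packets, while apply_filter("!(ip.addr == 192.168.0.1)") returns only packet 4, which is the difference to watch for when excluding a host.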


Deepanker Verma is the founder of Techlomedia. He is a tech blogger, developer and gadget freak.



2020 UseThisTip | Part of Techlomedia Internet Pvt Ltd Developed By Deepanker