How to Use Wireshark : Complete Tutorial

Wireshark Complete Tutorial

Wireshark is a free application that allows you to capture and view the data traveling back and forth on your network, providing the ability to drill down and read the contents of each packet – filtered to meet your specific needs. It is commonly utilized to troubleshoot network problems as well as to develop and test software. This open-source protocol analyzer is widely accepted as the industry standard, winning its fair share of awards over the years.
Originally known as Ethereal, Wireshark features a user-friendly interface that can display data from hundreds of different protocols on all major network types. These data packets can be viewed in real-time or analyzed offline, with dozens of capture/trace file formats supported including CAP and ERF. Integrated decryption tools allow you to view encrypted packets for several popular protocols such as WEP and WPA/WPA2.

Downloading and Installing Wireshark

Wireshark can be downloaded at no cost from the Wireshark Foundation website for both macOS and Windows operating systems. Unless you are an advanced user, it is recommended that you only download the latest stable release. During the setup process (Windows only) you should choose to also install WinPcap if prompted, as it includes a library required for live data capture.
The application is also available for Linux and most other UNIX-like platforms including Red Hat, Solaris, and FreeBSD. The binaries required for these operating systems can be found towards the bottom of the download page in the Third-Party Packages section.
You can also download Wireshark's source code from this page.

How to Capture Data Packets

Wireshark welcome screen

When you first launch Wireshark a welcome screen similar to the one shown above should be visible, containing a list of available network connections on your current device. In this example, you'll notice that the following connection types are shown: Bluetooth Network Connection, Ethernet, VirtualBox Host-Only Network, Wi-Fi. Displayed to the right of each is an EKG-style line graph that represents live traffic on that respective network.
To begin capturing packets, first select one or more of these networks by clicking on your choice(s) and using the Shift or Ctrl keys if you'd like to record data from multiple networks simultaneously. Once a connection type is selected for capturing purposes, its background will be shaded in either blue or gray. Click on Capture from the main menu, located towards the top of the Wireshark interface. When the drop-down menu appears, select the Start option.
You can also initiate packet capturing via one of the following shortcuts.

  • Keyboard: Press ​Ctrl + E
  • Mouse: To begin capturing packets from one particular network, simply double-click on its name
  • Toolbar: Click on the blue shark fin button, located on the far left-hand side of the Wireshark toolbar
The live capture process will now begin, with packet details displayed in the Wireshark window as they are recorded. Perform one of the actions below to stop capturing.
Keyboard: Press Ctrl + E
Toolbar: Click on the red stop button, located next to the shark fin on the Wireshark toolbar

Viewing and Analyzing Packet Contents

Wireshark captured data

Now that you've recorded some network data it's time to take a look at the captured packets. As shown in the screenshot above, the captured data interface contains three main sections: The packet list pane, the packet details pane, and the packet bytes pane.

Packet List

The packet list pane, located at the top of the window, shows all packets found in the active capture file. Each packet has its own row and corresponding number assigned to it, along with each of these data points.
Time: The timestamp of when the packet was captured is displayed in this column, with the default format being the number of seconds (or partial seconds) since this specific capture file was first created. To modify this format to something that may be a bit more useful, such as the actual time of day, select the Time Display Format option from Wireshark's View menu - located at the top of the main interface.
Source: This column contains the address (IP or other) where the packet originated.
Destination: This column contains the address that the packet is being sent to.
Protocol: The packet's protocol name (i.e., TCP) can be found in this column.
Length: The packet length, in bytes, is displayed in this column.
Info: Additional details about the packet are presented here. The contents of this column can vary greatly depending on packet contents.
When a packet is selected in the top pane, you may notice one or more symbols appear in the first column. Open and/or closed brackets, as well as a straight horizontal line, can indicate whether or not a packet or group of packets are all part of the same back-and-forth conversation on the network. A broken horizontal line signifies that a packet is not part of said conversation.

Packet Details

The details pane, found in the middle, presents the protocols and protocol fields of the selected packet in a collapsible format. In addition to expanding each selection, you can also apply individual Wireshark filters based on specific details as well as follow streams of data based on protocol type via the details context menu – accessible by right-clicking your mouse on the desired item within this pane.

Packet Bytes

At the bottom is the packet bytes pane, which displays the raw data of the selected packet in a hexadecimal view. This hex dump contains 16 hexadecimal bytes and 16 ASCII bytes alongside the data offset.
Selecting a specific portion of this data automatically highlights its corresponding section in the packet details pane and vice versa. Any bytes that cannot be printed are instead represented by a period.
You can choose to show this data in bit format as opposed to hexadecimal by right-clicking anywhere within the pane and selecting the appropriate option from the context menu.

Using Wireshark Filters

Wireshark filters

One of the most important feature sets in Wireshark is its filter capabilities, especially when you're dealing with files that are significant in size. Capture filters can be set before the fact, instructing Wireshark to only record those packets that meet your specified criteria.
Filters can also be applied to a capture file that has already been created so that only certain packets are shown. These are referred to as display filters.
Wireshark provides a large number of predefined filters by default, letting you narrow down the number of visible packets with just a few keystrokes or mouse clicks. To use one of these existing filters, place its name in the Apply a display filter entry field (located directly below the Wireshark toolbar) or in the Enter a capture filter entry field (located in the center of the welcome screen).
There are multiple ways to achieve this. If you already know the name of your filter, simply type it into the appropriate field. For example, if you only wanted to display TCP packets you would type tcp. Wireshark's autocompleting feature will show suggested names as you begin typing, making it easier to find the correct moniker for the filter you're seeking.
Another way to choose a filter is to click on the bookmark-like icon positioned on the left-hand side of the entry field. This will present a menu containing some of the most commonly-used filters as well as an option to Manage Capture Filters or Manage Display Filters. If you choose to manage either type an interface will appear allowing you to add, remove or edit filters.
You can also access previously-used filters by selecting the down arrow, located on the right-hand side of the entry field, which displays a history drop-down list.
Once set, capture filters will be applied as soon as you begin recording network traffic. To apply a display filter, however, you'll need to click on the right arrow button found on the far-right hand side of the entry field.

Coloring Rules

Wireshark coloring rules

While Wireshark's capture and display filters allow you to limit which packets are recorded or shown on the screen, its colorization functionality takes things a step further by making it easy to distinguish between different packet types based on their individual hue. This handy feature lets you quickly locate certain packets within a saved set by their row's color scheme in the packet list pane.
Wireshark comes with about 20 default coloring rules built in; each which can be edited, disabled, or deleted if you wish. You can also add new shade-based filters through the coloring rules interface, accessible from the View menu. In addition to defining a name and filter criteria for each rule, you are also asked to associate both a background color and a text color.
Packet colorization can be toggled off and on via the Colorize Packet List option, also found within the View menu.


Wireshark statistics

In addition to the detailed information about your network's data shown in Wireshark's main window, several other useful metrics are available via the Statistics drop-down menu found towards the top of the screen. These include size and timing information about the capture file itself, along with dozens of charts and graphs ranging in topic from packet conversation breakdowns to load distribution of HTTP requests.
Display filters can be applied to many of these statistics via their individual interfaces, and the results can be exported to several common file formats including CSV, XML, and TXT.

Advanced Features

Lua WiresharkAlthough we have covered most of Wireshark's main functionality in this article, there is also a collection of additional features available in this powerful tool typically reserved for advanced users. This includes the ability to write your own protocol dissectors in the Lua programming language.

How to Use Wireshark : Complete Tutorial How to Use Wireshark : Complete Tutorial Reviewed by Technowap on October 11, 2018 Rating: 5

No comments :

Powered by Blogger.