Wireshark: How to use the best network sniffer

If you ever experience problems with your network connection and need a deeper analysis of what exactly is going on in your network, you should definitely use Wireshark. Wireshark is the de-facto application worldwide that one can use for the above purposes.

It is one . The solution, originally known as Ethereal, aims to capture and display packages in real time and in a format easily readable by its users. Includes filters, different color illustrations and other features that will help you delve deeper into your web environment and analyze individual packages.

Somewhere here we should also mention the existence of the tshark tool, that is, the version of Wireshark for terminals only. It is also used for capturing and parsing packages and is quite useful in cases where graphical interface (GUI) is unavailable. More information about tshark can be found at official page of Wireshark.

In this article we will look at some of the key features of this highly effective tool, from where to download it and how to use it.

How WIRESHARK works

As we have already said Wireshark is a packet detector and analyzer. That is, it captures the network traffic of the local network and then saves the data for later analysis. Can analyze packets from Ethernet, Bluetooth, 802.11 (Wireless), Token Ring and Frame Relay connections.

Wireshark allows you to use filters before, during or after packet capture to help users find what they're really looking for. For example, you can set a filter that allows you to see only the TCP connection between specific 2 IP addresses. Its specific feature, namely filters, made Wireshark perhaps the most useful package analysis tool.

How to install it

Wireshark is supported by Windows, Poppy and Linux Operating Systems. Installation is very easy and the basic version is free.

Windows 

Installing WIRESHARK in a Windows environment is very simple. First you need to know your system type (32-bit or 64-bit). Subsequently visit the official Wireshark homepage choose the appropriate installer, depending on your machine type. Download it locally to your computer and run it by selecting the desired installation folder. Installed already includes Npcap, the tool that will be responsible for capturing packages.

Poppy 

Wireshark is available through the package manager, Homebrew. To install Homebrew, run the following command in a terminal:

With Homebrew installed, you can access several open source computer programs Poppy. Install Wireshark by running the following command on a terminal:

Hombrew will also install all the dependencies on your computer to make Wireshark work properly.

Linux

Depending on your Linux distribution, installing Wireshark on your computer may vary. Run the following commands in a terminal:

Ubuntu

The above commands will download Wireshark, refresh it, and then grant user rights to use it.

Red Hat / Fedora

The above commands install the GUI and CLI (command / line version) versions of Wireshark while giving the necessary permissions to use it.

Time Linux

As you rightly expected, Wireshark is pre-installed on this Linux version. You can find it in the category “Sniffing & Spoofing"

How to use it

With Wireshark now installed on our PC, let's see how we can first capture packages and then analyze the web traffic.

Capture packages

Opening Wireshark, we will see a screen that contains a list of all the network connections we can track. We can also use the capture filter field to capture only the web traffic we are interested in.

By selecting the desired interface (eg Ethernet), the analysis can be started in one of the following ways:

• Clicking on the blue flap in the toolbar named “Start Capturing Packets”
• Clicking on the Capture menu and then Start
• Pressing the Control and E keys.
• Double-clicking on the interface we are interested in

We can now see in real time all the packages that Wireshark has captured for us.

To end packet capture, you can tap the red flap on the toolbar or browse through the menu, namely Capture and then Stop.

Package Analysis

Wireshark consists of three main analytics windows. If we select a particular package, we see that the 2 lower windows are configured to show us more information about this package. Let's look at the details for each column in the upper window:

• No.: The order in which the packets were captured. The bracket shows us that the package is part of a "conversation".
• T: Time elapsed between the start of captivity and the capture of this package
• source: the IP address of the system that sent the packet.
• Destination: the IP address of the system that received the packet.
• Protocol: The type of each package, e.g. TCP, DNS, DHCPv6, ARP, etc.
• Length: The package size in bytes.
• Info: More information on the contents of each package.

The middle pane called “Packet Details” shows us packet-related information in the most readable format possible. The bottom window, called "Packet Bytes" shows the package itself in hexadecimal format. In this window, if we look at a package that is part of a "discussion", we can right-click on it, select Follow, and only see the packages of that "discussion".

WIRESHARK filters

Two of the best features of Wireshark are: Wireshark Capture and Wireshark Display filters. Filters allow us to control the packages we have captured as we want and need to see them in order to better fix the network problem we may be facing.

Wireshark Capture Filters

This function is used to filter the packages we capture. Practically if the packages do not meet the conditions we set Wireshark it does not even store them. Some examples of filters we can use are:

• hostIP-address: Filter by IP address.
• net168.0.0 / 24: Filter all web traffic on the subnet.
• dsthostIP-address: Filter the packets sent to that host.
• Port 22: Traffic-based filtering on the 22 door.
• Portnot 22 andnot 22: Motion-based filtering and it is not shh and arp.

Wireshark Display Filters

The Wireshark Display Filter changes the image of motion we captured during the analysis. Once we have stopped packet capture we can use this feature to facilitate our analysis to fix the problem. Such filters can be the following:

• ip.src == IP-addressandip.dst == IP-address: This filter will show us packages starting from one computer and ending at the other.
• tcp.porteq 80: It will show us all the traffic on the 80 door.
• Icmp: This filter will only show us icmp traffic.
• ip.addr! = IP_address: It will show us all the traffic except the one starting at or intended for that particular computer.

More WIRESHARK tools

In addition to packet capture and filtering, there are many other tools at Wireshark that can make it much easier.

We can configure Wireshark so that my packages are captured according to the filters we have set. More examples of this can be seen here.

By default, Wireshark only captures packets that come from or are sent to the local computer. Going to the Capture menu option and then to Options, you can see the tick-box “enable promiscuous mode for all interfaces”. This option enables us to capture packets moving across the network we are connected to.

Wireshark also provides a Command Line Interface (CLI) to be able to use it on a non-graphical system.

In such an environment we could run the following commands:

• Wireshark: to start wireshark in a GUI environment
• Wireshark -h: to see all the available parameters that Wireshark can take.
• wireshark –aduration: 300 –ieth1 –wwireshark .: to capture Ethernet traffic for 5 minutes.

Also, for the purpose of our training we can download ready files provided by Wireshark itself and contain packets of different network drives. We can then load these files into the tool by selecting File, then Open and selecting the desired file for analysis.

Like, we said WIRESHARK is a very powerful tool and what we did in this article is to look at some of the possibilities it offers. Business professionals use it to analyze web protocol applications, address security issues, and improve visibility of their network traffic. More information on WIRESHARK can be found at its official user guide.

We look forward to your comments and impressions.