
Wireshark: How to use the best network sniffer

If you ever experience problems with your network connection and need a deeper analysis of what exactly is going on in your network, you should definitely use Wireshark. Wireshark is the de facto standard application worldwide for this purpose.

The tool, originally known as Ethereal, captures and displays packets in real time in a format that its users can read easily. It includes filters, colour coding and other features that help you dig deeper into your network environment and analyse individual packets.

We should also mention the existence of tshark, the terminal-only version of Wireshark. It is likewise used to capture and parse packets and is quite useful where no graphical interface (GUI) is available. More information about tshark can be found on the official Wireshark page.

In this article we look at some of the key features of this highly effective tool: where to download it and how to use it.


As we have already said, Wireshark is a packet sniffer and analyser: it captures the traffic of the local network and saves the data for later analysis. It can analyse packets from Ethernet, Bluetooth, 802.11 (wireless), Token Ring and Frame Relay connections.

Wireshark lets you apply filters before, during or after packet capture to help you find what you are really looking for. For example, you can set a filter that shows only the TCP connection between two specific IP addresses. This particular feature, filtering, is what made Wireshark perhaps the most useful packet analysis tool.

How to install it

Wireshark is supported on Windows, macOS and Linux. Installation is very easy and the basic version is free.


Windows

Installing Wireshark on Windows is very simple. First find out your system type (32-bit or 64-bit). Then visit the official Wireshark homepage and choose the installer that matches your machine type. Download it to your computer and run it, selecting the installation folder you want. The installer already includes Npcap, the driver responsible for capturing packets.


macOS

On macOS, Wireshark is available through the Homebrew package manager. To install Homebrew, run the following command in a terminal:

/usr/bin/ruby -e "$(curl -fsSL"

With Homebrew installed, you can install many open-source programs on macOS. Install Wireshark by running the following command in a terminal:

brew install wireshark

Homebrew will also install all the dependencies Wireshark needs to work properly.


Linux

Installing Wireshark varies depending on your Linux distribution. Run the following commands in a terminal:


Debian / Ubuntu

sudo apt-get install wireshark
sudo dpkg-reconfigure wireshark-common
sudo adduser $USER wireshark

The above commands download Wireshark, reconfigure the package (the prompt asks whether non-root users may capture packets) and then add your user to the wireshark group so that you can use it.

Red Hat / Fedora

sudo dnf install wireshark-qt
sudo usermod -a -G wireshark username

The above commands install the GUI and CLI (command-line) versions of Wireshark and grant the necessary permissions to use it (replace username with your own account name).

Kali Linux

As you might expect, Wireshark comes pre-installed on this distribution. You can find it under “Sniffing & Spoofing”.

How to use it

With Wireshark installed on our PC, let's first see how to capture packets and then how to analyse the network traffic.

Capturing packets

When we open Wireshark, we see a screen listing all the network interfaces we can monitor. We can also use the capture filter field to capture only the traffic we are interested in.

After selecting the desired interface (e.g. Ethernet), the capture can be started in one of the following ways:

  • Clicking the blue shark-fin icon in the toolbar, labelled “Start capturing packets”
  • Clicking the Capture menu and then Start
  • Pressing Ctrl+E
  • Double-clicking the interface we are interested in

We now see in real time all the packets Wireshark has captured for us.

To stop the capture, click the red stop icon on the toolbar or use the menu: Capture, then Stop.


Packet analysis

Wireshark has three main analysis panes. When we select a particular packet, the two lower panes show more information about that packet. Let's look at each column of the upper pane:

  • No.: the order in which the packets were captured. A bracket indicates that the packet is part of a “conversation”.
  • Time: the time elapsed between the start of the capture and the capture of this packet.
  • Source: the IP address of the system that sent the packet.
  • Destination: the IP address of the system that received the packet.
  • Protocol: the type of each packet, e.g. TCP, DNS, DHCPv6, ARP, etc.
  • Length: the packet size in bytes.
  • Info: more information on the contents of each packet.

The middle pane, “Packet Details”, shows the packet's fields in the most readable form possible. The bottom pane, “Packet Bytes”, shows the raw packet in hexadecimal. If the packet we are looking at belongs to a “conversation”, we can right-click it, select Follow, and see only the packets of that conversation.


Two of the best features of Wireshark are its capture filters and its display filters. Filters let us control which of the captured packets we see, so that we can better troubleshoot the network problem we are facing.

Wireshark Capture Filters

This function filters the packets we capture: if a packet does not meet the conditions we set, Wireshark does not even store it. Some examples of filters we can use are:

  • host IP-address: filter by IP address.
  • net 192.168.0.0/24: filter all traffic on that subnet.
  • dst host IP-address: filter the packets sent to that host.
  • port 22: filter traffic on port 22.
  • port not 22 and not arp: filter traffic that is neither SSH nor ARP.

Wireshark Display Filters

Display filters change the view of the traffic we captured during the analysis. Once we have stopped the capture we can use this feature to make our troubleshooting easier. Such filters include:

  • ip.src == IP-address and ip.dst == IP-address: shows the packets going from one computer to the other.
  • tcp.port eq 80: shows all traffic on port 80.
  • icmp: shows only ICMP traffic.
  • ip.addr != IP_address: shows all traffic except the traffic originating from or destined for that particular computer.

More Wireshark tools

Besides packet capture and filtering, Wireshark has many other tools that make the work much easier.

We can configure Wireshark so that packets are captured according to the filters we have set. More examples of this can be seen here.


By default, Wireshark only captures packets that come from or are sent to the local computer. Under the Capture menu, then Options, there is a tick-box “enable promiscuous mode for all interfaces”. This option lets us capture packets travelling across the network we are connected to.

Wireshark also provides a command-line interface (CLI) so that it can be used on a system without a graphical environment.


In such an environment we could run the following commands:

  • wireshark: start Wireshark in a GUI environment
  • wireshark -h: show all the options that Wireshark accepts.
  • wireshark -a duration:300 -i eth1 -w <output-file>: capture Ethernet traffic on eth1 for 5 minutes and write it to the given file.

Also, for training purposes we can download sample capture files provided by Wireshark itself, which contain packets of different network protocols. We then load these files into the tool by selecting File, then Open, and choosing the file we want to analyse.

As we said, Wireshark is a very powerful tool, and in this article we have only looked at some of the possibilities it offers. Professionals use it to analyse network protocol implementations, address security issues and improve the visibility of their network traffic. More information on Wireshark can be found in its official user guide.

We look forward to your comments and impressions.

