Saturday, February 20, 16:01

Wireshark: How to use the best network sniffer

If you ever experience problems with your network connection and need a deeper analysis of what exactly is going on in your network, you should definitely use Wireshark. Wireshark is the de-facto standard application worldwide for exactly this purpose.

It is one . The tool, originally known as Ethereal, captures and displays packets in real time, in a format its users can read easily. It includes filters, colouring rules and other features that help you dig deeper into your network environment and analyze individual packets.

At this point we should also mention the tshark tool, the terminal-only version of Wireshark. It is likewise used to capture and parse packets and is quite useful when no graphical interface (GUI) is available. More information about tshark can be found on the official Wireshark page.

In this article we will look at some of the key features of this highly effective tool, where to download it and how to use it.

How WIRESHARK works

As we have already said, Wireshark is a packet sniffer and analyzer. That is, it captures the traffic of the local network and then saves the data for later analysis. It can analyze packets from Ethernet, Bluetooth, 802.11 (wireless), Token Ring and Frame Relay connections.

Wireshark allows you to use filters before, during or after packet capture to help you find what you are really looking for. For example, you can set a filter that shows only the TCP connection between two specific IP addresses. This particular feature, the filters, is what made Wireshark perhaps the most useful packet analysis tool.

How to install it

Wireshark is supported on Windows, macOS and Linux operating systems. Installation is very easy and the basic version is free.

Windows 

Installing Wireshark in a Windows environment is very simple. First you need to know your system type (32-bit or 64-bit). Then visit the official Wireshark homepage and choose the appropriate installer for your machine type. Download it to your computer and run it, selecting the desired installation folder. The installer already includes Npcap, the driver that will be responsible for capturing packets.

macOS 

Wireshark is available through the Homebrew package manager. To install Homebrew, run the following command in a terminal:

/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

With Homebrew installed, you can access many open source programs on macOS. Install Wireshark by running the following command in a terminal:

brew install wireshark

Homebrew will also install all the dependencies on your computer so that Wireshark works properly.

Linux

Depending on your Linux distribution, installing Wireshark on your computer may vary. Run the following commands in a terminal:

Ubuntu

sudo apt-get install wireshark
sudo dpkg-reconfigure wireshark-common
sudo adduser $USER wireshark

The above commands install Wireshark, reconfigure it so that non-root users are allowed to capture, and then add your user to the wireshark group that grants that right.

Red Hat / Fedora

sudo dnf install wireshark-qt
sudo usermod -a -G wireshark username

The above commands install the GUI and CLI (command-line) versions of Wireshark and give the named user the permissions needed to use it.

Kali Linux

As you would expect, Wireshark comes pre-installed on this Linux distribution. You can find it in the "Sniffing & Spoofing" category.

How to use it

With Wireshark now installed on our PC, let's see how we first capture packets and then analyze the network traffic.

Capture packages

When we open Wireshark, we see a screen listing all the network interfaces we can monitor. We can also use the capture filter field to capture only the traffic we are interested in.

After selecting the desired interface (e.g. Ethernet), the capture can be started in one of the following ways:

  • Clicking the blue shark-fin button in the toolbar named "Start Capturing Packets"
  • Clicking the Capture menu and then Start
  • Pressing the Control and E keys
  • Double-clicking the interface we are interested in

We can now see in real time all the packets that Wireshark has captured for us.

To stop the packet capture, click the red stop button on the toolbar or go through the menu: Capture and then Stop.


Packet Analysis

Wireshark's main window consists of three panes. If we select a particular packet, the two lower panes show us more information about that packet. Let's look at what each column in the upper pane means:

  • No.: The order in which the packets were captured. A bracket shows us that the packet is part of a "conversation".
  • Time: Time elapsed between the start of the capture and the capture of this packet.
  • Source: The IP address of the system that sent the packet.
  • Destination: The IP address of the system that received the packet.
  • Protocol: The type of each packet, e.g. TCP, DNS, DHCPv6, ARP, etc.
  • Length: The packet size in bytes.
  • Info: More information on the contents of each packet.

The middle pane, called "Packet Details", shows us the packet's information in the most readable format possible. The bottom pane, called "Packet Bytes", shows the packet itself in hexadecimal. If we look at a packet that is part of a "conversation", we can right-click on it, select Follow, and see only the packets of that conversation.

WIRESHARK filters

Two of the best features of Wireshark are its capture filters and its display filters. Filters let us control which captured packets we see, as and when we need to see them, so that we can pinpoint the network problem we are facing.

Wireshark Capture Filters

This feature filters the packets at capture time. In practice, if a packet does not meet the conditions we set, Wireshark does not even store it. Some examples of capture filters are:

  • host IP-address: Filter by IP address.
  • net 192.168.0.0/24: Filter all traffic on the subnet.
  • dst host IP-address: Filter the packets sent to that host.
  • port 22: Filter traffic on port 22.
  • port not 22 and not arp: Filter traffic that is neither SSH nor ARP.

Wireshark Display Filters

A Wireshark display filter changes which of the captured packets are shown during analysis. Once we have stopped the packet capture, we can use this feature to make our analysis of the problem easier. Such filters can be the following:

  • ip.src == IP-address and ip.dst == IP-address: This filter shows us the packets sent from one computer to the other.
  • tcp.port eq 80: Shows us all the traffic on port 80.
  • icmp: This filter shows only ICMP traffic.
  • ip.addr != IP-address: Shows us all the traffic except that which starts at or is intended for that particular computer.
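As an added example (not code from the article or from the Wireshark project), the four display filters above are written as predicates over a small constructed capture: four IPv4 frames are built in memory, parsed into the columns the packet list shows, and each filter is applied. Addresses, ports and MACs are made-up sample values.

```python
"""Added example: a minimal packet-list parser with the article's display filters.
All frames are constructed here (no real traffic, checksums left at zero)."""
import struct
from ipaddress import IPv4Address

def make_frame(src, dst, proto, payload):
    """Constructed Ethernet + IPv4 frame with dummy MACs (sample data only)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip_hdr + payload

def tcp_syn(sport, dport):
    """Minimal 20-byte TCP header: seq/ack 0, data offset 5, SYN flag set."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)

def parse(frame):
    """Extract the fields Wireshark's packet list uses (ip.src, ip.dst, ip.addr, tcp.port)."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("this example only handles IPv4 frames")
    ihl = (frame[14] & 0x0F) * 4                 # IPv4 header length in bytes
    proto = frame[23]
    src, dst = str(IPv4Address(frame[26:30])), str(IPv4Address(frame[30:34]))
    pkt = {"ip.src": src, "ip.dst": dst, "ip.addr": {src, dst}, "protocol": "IP"}
    l4 = frame[14 + ihl:]
    if proto == 6:                               # tcp.port covers both ends of the segment
        pkt["protocol"], pkt["tcp.port"] = "TCP", set(struct.unpack("!HH", l4[:4]))
    elif proto == 1:
        pkt["protocol"] = "ICMP"
    return pkt

# The article's filters as predicates. "ip.addr != X" uses the semantics of current
# Wireshark releases: neither source nor destination may equal X.
DISPLAY_FILTERS = {
    "ip.src == 10.0.0.5 and ip.dst == 10.0.0.9":
        lambda p: p["ip.src"] == "10.0.0.5" and p["ip.dst"] == "10.0.0.9",
    "tcp.port eq 80": lambda p: 80 in p.get("tcp.port", set()),
    "icmp": lambda p: p["protocol"] == "ICMP",
    "ip.addr != 10.0.0.5": lambda p: "10.0.0.5" not in p["ip.addr"],
}

def sample_capture():
    """Constructed capture: an HTTP SYN and its reply, an ICMP echo request, an SSH SYN."""
    echo_request = b"\x08\x00\x00\x00\x00\x01\x00\x01"
    return [parse(f) for f in (
        make_frame("10.0.0.5", "10.0.0.9", 6, tcp_syn(40000, 80)),
        make_frame("10.0.0.9", "10.0.0.5", 6, tcp_syn(80, 40000)),
        make_frame("10.0.0.7", "10.0.0.9", 1, echo_request),
        make_frame("10.0.0.7", "10.0.0.9", 6, tcp_syn(40001, 22)))]

def apply_display_filter(packets, expr):
    """Return the 'No.' values (1-based, as in Wireshark) of the packets the filter keeps."""
    return [i for i, p in enumerate(packets, 1) if DISPLAY_FILTERS[expr](p)]

if __name__ == "__main__":
    for expr in DISPLAY_FILTERS:
        print(f"{expr:45s} -> No. {apply_display_filter(sample_capture(), expr)}")
```

A capture filter with the same intent would drop the non-matching frames before they are ever stored, whereas this display filtering only hides them from the list.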

More WIRESHARK tools

In addition to packet capture and filtering, Wireshark offers many other tools that make analysis much easier.

We can configure Wireshark so that only packets matching the filters we have set are captured. More examples of this can be seen here.


By default, Wireshark only captures packets that come from or are sent to the local computer. Under the Capture menu, then Options, you will find the check box "Enable promiscuous mode on all interfaces". This option lets us capture packets moving across the network we are connected to.

Wireshark also provides a command line interface (CLI) so that it can be used on a system without a graphical environment.


In such an environment we could run the following commands:

  • wireshark: to start Wireshark in a GUI environment
  • wireshark -h: to see all the available parameters that Wireshark accepts
  • wireshark -a duration:300 -i eth1 -w wireshark: to capture traffic on the eth1 interface for 5 minutes and write it to a file

Also, for training purposes we can download sample capture files provided by Wireshark itself, which contain packets of many different kinds of network traffic. We can then load these files into the tool by selecting File, then Open, and choosing the desired file for analysis.

As we said, Wireshark is a very powerful tool, and in this article we have only looked at some of the possibilities it offers. Professionals use it to analyze network protocol implementations, address security issues and improve visibility into their network traffic. More information on Wireshark can be found in its official user guide.
