What is Wireshark?
Wireshark, formerly known as Ethereal, is a popular network packet analyzer tool which captures packets in real time. With the available filters, color-cording and other features, you can inspect individual packets. So, you can easily monitor what is going inside or outside of your network. This tool is basically used by Network security engineers and Network administrators to troubleshoot network problems and examine security-related issues.
Wireshark is available for Windows, Mac, and Unix platform. Most notable feature of the tool is that it can also open the file containing packet data captured by other tools. In this tutorial, we will how to WireShare to capture packets, filter them and inspect.
WireShare for Windows and Mac OS X can be downloaded from the official link. Download the latest version for your system. For users using Linux or another Unix, Distro will probably find the Wireshark in its package repositories or software center.
In this tutorial, I am using Wireshark 1.12.1 for Windows. Installation of this tool on Windows is very simple. You get easy to understand installer to install in on Windows.
Capturing Packets with WireShark
After installation, run WireShark. Click on the name of the interface under the Interface list at the left side of the WireShark Windows. I am using Wifi, so I will select the Wireless Network connection. Choose according to your system. If you are using LAN, you should select the Local Area Network.
I am using Wifi, so I will select the Wireless Network connection. Choose according to your system. If you are using LAN, you can select the Local Area Network. And it will start capturing the packets passing through this. You will also see realtime packets appearing on the tool.
At the top tool bar, you will see buttons to stop the packet sniffing, search packets and move to first or last packets and many other options.
Packet Color Coding
You will also notice that packets appear in different colors. Each packet is displayed in a specific color for a reason. Wireshark uses colors to let you easily identify he type of traffic. Green packets are for TCP traffic, Dark Blue means it is DNS packet, Black is for TCP packets with problems, Light Blue is for UDP traffic.
If you want to see all color rules, go to View Menu and then Coloring Rules. Here, you can also define your own coloring rules of edit the existing color rules as per your choice. To edit, select any existing rule and then select Edit button.
Working with Packets on WireShark
Every second, few more packets will appear and makes it difficult to work on a large number of packers. In few minutes, it can grow up to thousands of packets. So, you need to know how to filter packets and search for what you want to analyze.
If you want to see only TCP type and press enter. To find a packet based on certain criteria, press CTRL+F and then filter packets. Filter box gibes three options for finding packets.
- Display Filter: This option allows you to enter an expression-based filter, and it will find only those packets which match the criteria. (for example IP addr==192.168.0.1)
- Hex value: This option searches for packets with a hexadecimal value.
- String: This option searches for packets with a text string.
Chris Hoffman is Editor-in-Chief of How-To Geek. He’s written about technology for over a decade and was a PCWorld columnist for two years. Chris has written for The New York Times, been interviewed as a technology expert on TV stations like Miami’s NBC 6, and had his work covered by news outlets like the BBC. Since 2011, Chris has written over 2,000 articles that have been read nearly one billion times—and that’s just here at How-To Geek. Read more.
Wireshark, a network analysis tool formerly known as Ethereal, captures packets in real time and display them in human-readable format. Wireshark includes filters, color coding, and other features that let you dig deep into network traffic and inspect individual packets.
This tutorial will get you up to speed with the basics of capturing packets, filtering them, and inspecting them. You can use Wireshark to inspect a suspicious program’s network traffic, analyze the traffic flow on your network, or troubleshoot network problems.
Getting Wireshark
You can download Wireshark for Windows or macOS from its official website. If you’re using Linux or another UNIX-like system, you’ll probably find Wireshark in its package repositories. For example, if you’re using Ubuntu, you’ll find Wireshark in the Ubuntu Software Center.
Just a quick warning: Many organizations don’t allow Wireshark and similar tools on their networks. Don’t use this tool at work unless you have permission.
Capturing Packets
After downloading and installing Wireshark, you can launch it and double-click the name of a network interface under Capture to start capturing packets on that interface. For example, if you want to capture traffic on your wireless network, click your wireless interface. You can configure advanced features by clicking Capture > Options, but this isn’t necessary for now.
As soon as you click the interface’s name, you’ll see the packets start to appear in real time. Wireshark captures each packet sent to or from your system.
If you have promiscuous mode enabled—it’s enabled by default—you’ll also see all the other packets on the network instead of only packets addressed to your network adapter. To check if promiscuous mode is enabled, click Capture > Options and verify the “Enable promiscuous mode on all interfaces” checkbox is activated at the bottom of this window.
Click the red “Stop” button near the top left corner of the window when you want to stop capturing traffic.
Color Coding
You’ll probably see packets highlighted in a variety of different colors. Wireshark uses colors to help you identify the types of traffic at a glance. By default, light purple is TCP traffic, light blue is UDP traffic, and black identifies packets with errors—for example, they could have been delivered out of order.
To view exactly what the color codes mean, click View > Coloring Rules. You can also customize and modify the coloring rules from here, if you like.
Sample Captures
If there’s nothing interesting on your own network to inspect, Wireshark’s wiki has you covered. The wiki contains a page of sample capture files that you can load and inspect. Click File > Open in Wireshark and browse for your downloaded file to open one.
You can also save your own captures in Wireshark and open them later. Click File > Save to save your captured packets.
Filtering Packets
If you’re trying to inspect something specific, such as the traffic a program sends when phoning home, it helps to close down all other applications using the network so you can narrow down the traffic. Still, you’ll likely have a large amount of packets to sift through. That’s where Wireshark’s filters come in.
The most basic way to apply a filter is by typing it into the filter box at the top of the window and clicking Apply (or pressing Enter). For example, type “dns” and you’ll see only DNS packets. When you start typing, Wireshark will help you autocomplete your filter.
You can also click Analyze > Display Filters to choose a filter from among the default filters included in Wireshark. From here, you can add your own custom filters and save them to easily access them in the future.
For more information on Wireshark’s display filtering language, read the Building display filter expressions page in the official Wireshark documentation.
Another interesting thing you can do is right-click a packet and select Follow > TCP Stream.
You’ll see the full TCP conversation between the client and the server. You can also click other protocols in the Follow menu to see the full conversations for other protocols, if applicable.
Close the window and you’ll find a filter has been applied automatically. Wireshark is showing you the packets that make up the conversation.
Inspecting Packets
Click a packet to select it and you can dig down to view its details.
You can also create filters from here — just right-click one of the details and use the Apply as Filter submenu to create a filter based on it.
Wireshark is an extremely powerful tool, and this tutorial is just scratching the surface of what you can do with it. Professionals use it to debug network protocol implementations, examine security problems and inspect network protocol internals.
You can find more detailed information in the official Wireshark User’s Guide and the other documentation pages on Wireshark’s website.
Wireshark’s motto is “Go Deep”. It is a network analysis tool and formerly known as Ethereal. It captures packets in real time and displays it in a human-readable format. Wireshark includes color coding, filters, and many other features which will help you dig deep into your network traffic and inspect the individual packets.
Today, we will teach you the basics of capturing packets, filtering them, and Inspecting them through this tutorial. Using Wireshark to inspect a suspicious program and its network traffic. Also analyzing the traffic flow of network, or troubleshooting network problems.
Downloading Wireshark
Wireshark can be downloaded for both Windows and MacOS from their official website. Linux and other UNIX system users can find Wireshark in its package repositories. Example – For Ubuntu user, you will find Wireshark in the Ubuntu Software Center.
A Fair Warning: Wireshark and tools like it are not allowed by many organizations. Using these tools without permission is not suggested.
Capturing Packets
Just download Wireshark and Install it. After the installation process launch it, double-clicking the name of the network interface it will start capturing the packets. Let us take an example. If we want to capture the network traffic on our wireless LAN. Click on the wireless network interface. Advanced options can be configured by going to Capture – Options, this is not required for now.
As soon as you single-click on your network interface’s name, you can see how the packets are working in real time. Wireshark will capture all the packets going in and out of our systems.
Promiscuous mode is the mode in which you can see all the packets from other systems on the network and not only the packets send or received from your network adapter. Promiscuous mode is enabled by default. To check if this mode is enabled, go to Capture and Select Options. Under this window check, if the checkbox is selected and activated at the bottom of the window. The checkbox says “Enable promiscuous mode on all interfaces”.
The red box button “STOP” on the top left side of the window can be clicked to stop the capturing of traffic on the network.
Color Coding
Different packets are seen highlighted in various different colors. This is Wireshark’s way of displaying traffic to help you easily identify the types of it. Default colors are:
- Light Purple color for TCP traffic
- Light Blue color for UDP traffic
- Black color identifies packets with errors – example these packets are delivered in an unordered manner.
To check the color coding rules click on View and select Coloring Rules. These color coding rules can be customized and modified to fit your needs.
Sample Captures
If you find nothing interesting on your own network to inspect. Wireshark’s wiki page has many samples for you. The wiki page has a lot of sample capture files under the page which can be loaded and inspected. To load the file. Click on File then Open in Wireshark. Browse for the downloaded file and select to open it.
Wireshark can also open your own saved captured file. To save your captures, Click on File then select Save.
Filtering Packets
You can inspect some specific data. Example – if you want to inspect traffic which a program sends when calling home. All the other applications using the network can be closed down so that we can specifically narrow the traffic down. Even after this a lot of packets can slip through. Here is when you can use Wireshark’s filters.
So basically, the filters can be applied by punching them in the filter box. Top of the window is where it is located. Once you enter the filer just click on Apply or press Enter. Example – Type “TCP” in the filter box and you will see only TCP packets. Wireshark helps you autocomplete the filter name when you type.
Just click on the Analyze tab and select Display Filters. Wireshark has default filters included which you can choose among from. Furthermore, custom filters of your own can be added and saved to increase the ease of access in future.
More info on Display Filtering Language of Wireshark can be found on their official documentation.
Another thing which might interest you is right-clicking on the packet. Select Follow and then TCP Stream.
As a result, you will see the whole TCP conversation between both the client and the server. Other protocols can also be viewed by clicking on them under the Follow menu. You can see the whole conversation for other protocols as well, if available.
In addition, closing the above window you will see the filter will be automatically applied. Hence, Wireshark is displaying the packets which are making up the conversation.
Inspecting Packets
First of all, click on a packet and select it. Now, you can scroll down to view all its details.
Filters can also be created from here. Right-click on one of any details. From the menu select Apply as Filter drop-down menu so filter based on it can be created.
Hence, Wireshark is a highly powerful tool. And here in this tutorial, we are just explaining some basic functionality of it. Network analyst and professionals use this tools. Since they examine network protocols, inspecting it and examining the security problems.
More information can be found on the official Wireshark User’s Guide. Please check the Wireshark’s website for it.
Wireshark is a popular network packet capture and analysis tool. It is previously named as Ethereal. Wireshark captures packets from a different type of interfaces and prints them as a floating list to the screen. It also provides detailed information about a specific packet. Wireshark can also read already captured packets in different formats like cap , pcap etc.
Wireshark is supported by a lot of platforms. Let’s install
Windows:
For Windows operating system we need to download the wireshark installation file from the official web site. The latest version of Wireshark can be downloaded from the following link.
Windows provides a different type of installers like 32 bit, 64 bit, portable. If we do not have required privileges to install application we can use portable Wireshark which do not needs installation.
Ubuntu, Debian, Mint:
Ubuntu, Debian, Mint and other deb based distributions provide Wireshark from their official repositories. Just issue the following command to install Wireshark.
Fedora, CentOS, RedHat:
Fedora, CentOS, and RedHat provide Wireshark package in their repositories too. In order to install Wireshark in Fedora, CentOS and RedHat issue following command.
One of the fundamental operation with Wireshark is selecting an interface to capture network packets. When we open Wireshark we will see the following screen. Available interfaces are listed with their name current network traffic on that interface is shown with a simple graph.
Here we will see that named Local Area Connection interface has some network traffic. By the way, Wireshark can listen to USB interfaces too.
We double click on and Local Area Connection this will start network capture on this interface and a new screen will be opened where the network packets flow.
Select Interface and Capture Packets
We generally look at some specific packets to analyze. We can locate the packet we want in a simple way from the right side of the packet flow list and click on the packet. This will show detailed packet information in the middle section where Frame, Ethernet, IP, TCP/UDP, and Application layer information provided. In the lowest and third section, we will see application layer data in hex format.
Show Specific Packet Details
In a busy network, there will be a lot of packets flying around. This will make to look some packets one by one very hard job. Wireshark has very powerful filtering features. We can filter captured packets according to a protocol like IP, TCP, UDP, IP address, Source address destination address, TCP port, mac address, DNS packet, SNMP packet etc. There are a lot of them. We will simply look most popular of them. We can get the whole list of supported filter expressions by clicking button Expression on the left up corner. We can see the filter textbox and button Expression .
Filter Captured Packets
List of supported expressions. As we can see there are a lot of protocols like.
In this example we will filter ARP packets and section or the packet list only provides ARP protocol packets. We will only use arp in the filter box.
Filter ARP Packets
Another popular usage is filtering packet those have specified destination IP address. In this example, we will filter and only show those packets which have a destination IP address is 192.168.122.ip.
We can also filter according to source IP address too. In this example, we will filter IP source address 192.168.122.1
Filter According To Source IP Address
We can filter DNS packets with keyword dnsserver like below.
During a regular web page load or request, there will be some round trip to download data. If we need to inspect the whole request and response traffic we need to filter multiple packets. We can accomplish this by filtering according to a TCP session or TCP stream. It is called Follow TCP Stream .
This will provide the following screen which provides the whole HTTP request and response session. We can also search these with bottom Find .
One of the best features is the packet statistics. We can get a lot of different type of statistics with the menu Statistics from up. We can get the following statistical information.
- Endpoints
- HTTP
- IP
- Ethernet
- PRotocol Hierarchy
Packet Statistics
We can stop capturing network packets with Wireshark with the red button in the toolbar menu.
We can save captured files. In order to save we firstly stop live packet capture. Then from the menu File and save or Save as menus.
Save Captured Packets
We can open already saved a different type of capture formats like cap, pcap ,ngcap etc. from File menu. We can also open recently opened capture files.
Open Capture Files Like Cap , Pcap
2 thoughts on “Wireshark – How To Capture, Filter , Inspect Network Packets?”
“How To Capture, Filter , Inspect Network Packets” is not a question. Please use the question mark when you’re posing a question.
Thanks for your suggestion. I have updated the headline.
Wireshark, a network analysis tool formerly known as Ethereal, captures packets in real time and display them in human-readable format. Wireshark includes filters, color-coding and other features that let you dig deep into network traffic and inspect individual packets.
This tutorial will get you up to speed with the basics of capturing packets, filtering them and inspecting them. You can use Wireshark to inspect a suspicious program’s network traffic, analyze the traffic flow on your network or troubleshoot network problems.
Getting Wireshark
You can download Wireshark for Windows or Mac OS X from its official website. If you’re using Linux or another UNIX-like system, you’ll probably find Wireshark in its package repositories. For example, if you’re using Ubuntu, you’ll find Wireshark in the Ubuntu Software Center.
Just a quick warning: Many organizations don’t allow Wireshark and similar tools on their networks. Don’t use this tool at work unless you have permission.
Capturing Packets
After downloading and installing Wireshark, you can launch it and click the name of an interface under Interface List to start capturing packets on that interface. For example, if you want to capture traffic on the wireless network, click your wireless interface. You can configure advanced features by clicking Capture Options, but this isn’t necessary for now.
As soon as you click the interface’s name, you’ll see the packets start to appear in real time. Wireshark captures each packet sent to or from your system. If you’re capturing on a wireless interface and have promiscuous mode enabled in your capture options, you’ll also see other the other packets on the network.
Click the stop capture button near the top left corner of the window when you want to stop capturing traffic.
Color Coding
You’ll probably see packets highlighted in green, blue and black. Wireshark uses colors to help you identify the types of traffic at a glance. By default, green is TCP traffic, dark blue is DNS traffic, light blue is UDP traffic and black identifies TCP packets with problems — for example, they could have been delivered out-of-order.
Sample Captures
If there’s nothing interesting on your own network to inspect, Wireshark’s wiki has you covered. The wiki contains a page of sample capture files that you can load and inspect.
Opening a capture file is easy; just click Open on the main screen and browse for a file. You can also save your own captures in Wireshark and open them later.
Filtering Packets
If you’re trying to inspect something specific, such as the traffic a program sends when phoning home, it helps to close down all other applications using the network so you can narrow down the traffic. Still, you’ll likely have a large amount of packets to sift through. That’s where Wireshark’s filters come in.
The most basic way to apply a filter is by typing it into the filter box at the top of the window and clicking Apply (or pressing Enter). For example, type “dns” and you’ll see only DNS packets. When you start typing, Wireshark will help you autocomplete your filter.
You can also click the Analyze menu and select Display Filters to create a new filter.
Another interesting thing you can do is right-click a packet and select Follow TCP Stream.
You’ll see the full conversation between the client and the server.
Close the window and you’ll find a filter has been applied automatically — Wireshark is showing you the packets that make up the conversation.
Inspecting Packets
Click a packet to select it and you can dig down to view its details.
You can also create filters from here — just right-click one of the details and use the Apply as Filter submenu to create a filter based on it.
Wireshark is an extremely powerful tool, and this tutorial is just scratching the surface of what you can do with it. Professionals use it to debug network protocol implementations, examine security problems and inspect network protocol internals.
Wireshark, a network analysis tool formerly known as Ethereal, captures packets in real time and display them in human-readable format. Wireshark includes filters, color coding, and other features that let you dig deep into network traffic and inspect individual packets.
This tutorial will get you up to speed with the basics of capturing packets, filtering them, and inspecting them. You can use Wireshark to inspect a suspicious program’s network traffic, analyze the traffic flow on your network, or troubleshoot network problems.
Getting Wireshark
You can download Wireshark for Windows or macOS from its official website. If you’re using Linux or another UNIX-like system, you’ll probably find Wireshark in its package repositories. For example, if you’re using Ubuntu, you’ll find Wireshark in the Ubuntu Software Center.
Just a quick warning: Many organizations don’t allow Wireshark and similar tools on their networks. Don’t use this tool at work unless you have permission.
Capturing Packets
After downloading and installing Wireshark, you can launch it and double-click the name of a network interface under Capture to start capturing packets on that interface. For example, if you want to capture traffic on your wireless network, click your wireless interface. You can configure advanced features by clicking Capture > Options, but this isn’t necessary for now.
As soon as you click the interface’s name, you’ll see the packets start to appear in real time. Wireshark captures each packet sent to or from your system.
If you have promiscuous mode enabled—it’s enabled by default—you’ll also see all the other packets on the network instead of only packets addressed to your network adapter. To check if promiscuous mode is enabled, click Capture > Options and verify the “Enable promiscuous mode on all interfaces” checkbox is activated at the bottom of this window.
Click the red “Stop” button near the top left corner of the window when you want to stop capturing traffic.
Color Coding
You’ll probably see packets highlighted in a variety of different colors. Wireshark uses colors to help you identify the types of traffic at a glance. By default, light purple is TCP traffic, light blue is UDP traffic, and black identifies packets with errors—for example, they could have been delivered out of order.
To view exactly what the color codes mean, click View > Coloring Rules. You can also customize and modify the coloring rules from here, if you like.
Sample Captures
If there’s nothing interesting on your own network to inspect, Wireshark’s wiki has you covered. The wiki contains a page of sample capture files that you can load and inspect. Click File > Open in Wireshark and browse for your downloaded file to open one.
You can also save your own captures in Wireshark and open them later. Click File > Save to save your captured packets
Filtering Packets
If you’re trying to inspect something specific, such as the traffic a program sends when phoning home, it helps to close down all other applications using the network so you can narrow down the traffic. Still, you’ll likely have a large amount of packets to sift through. That’s where Wireshark’s filters come in.
The most basic way to apply a filter is by typing it into the filter box at the top of the window and clicking Apply (or pressing Enter). For example, type “dns” and you’ll see only DNS packets. When you start typing, Wireshark will help you autocomplete your filter.
You can also click Analyze > Display Filters to choose a filter from among the default filters included in Wireshark. From here, you can add your own custom filters and save them to easily access them in the future.
For more information on Wireshark’s display filtering language, read the Building display filter expressions page in the official Wireshark documentation.
Another interesting thing you can do is right-click a packet and select Follow > TCP Stream.
You’ll see the full TCP conversation between the client and the server. You can also click other protocols in the Follow menu to see the full conversations for other protocols, if applicable.
Close the window and you’ll find a filter has been applied automatically. Wireshark is showing you the packets that make up the conversation.
Inspecting Packets
Click a packet to select it and you can dig down to view its details.
You can also create filters from here — just right-click one of the details and use the Apply as Filter submenu to create a filter based on it.
Wireshark is an extremely powerful tool, and this tutorial is just scratching the surface of what you can do with it. Professionals use it to debug network protocol implementations, examine security problems and inspect network protocol internals.
You can find more detailed information in the official Wireshark User’s Guide and the other documentation pages on Wireshark’s website.
Wireshark, a network analysis tool formerly known as Ethereal, captures packets in real time and display them in human-readable format. Wireshark includes filters, color coding, and other features that let you dig deep into network traffic and inspect individual packets.
This tutorial will get you up to speed with the basics of capturing packets, filtering them, and inspecting them. You can use Wireshark to inspect a suspicious program’s network traffic, analyze the traffic flow on your network, or troubleshoot network problems.
Getting Wireshark
You can download Wireshark for Windows or macOS from its official website. If you’re using Linux or another UNIX-like system, you’ll probably find Wireshark in its package repositories. For example, if you’re using Ubuntu, you’ll find Wireshark in the Ubuntu Software Center.
Just a quick warning: Many organizations don’t allow Wireshark and similar tools on their networks. Don’t use this tool at work unless you have permission.
Capturing Packets
After downloading and installing Wireshark, you can launch it and double-click the name of a network interface under Capture to start capturing packets on that interface. For example, if you want to capture traffic on your wireless network, click your wireless interface. You can configure advanced features by clicking Capture > Options, but this isn’t necessary for now.
As soon as you click the interface’s name, you’ll see the packets start to appear in real time. Wireshark captures each packet sent to or from your system.
If you have promiscuous mode enabled—it’s enabled by default—you’ll also see all the other packets on the network instead of only packets addressed to your network adapter. To check if promiscuous mode is enabled, click Capture > Options and verify the “Enable promiscuous mode on all interfaces” checkbox is activated at the bottom of this window.
Click the red “Stop” button near the top left corner of the window when you want to stop capturing traffic.
Color Coding
You’ll probably see packets highlighted in a variety of different colors. Wireshark uses colors to help you identify the types of traffic at a glance. By default, light purple is TCP traffic, light blue is UDP traffic, and black identifies packets with errors—for example, they could have been delivered out of order.
To view exactly what the color codes mean, click View > Coloring Rules. You can also customize and modify the coloring rules from here, if you like.
Sample Captures
If there’s nothing interesting on your own network to inspect, Wireshark’s wiki has you covered. The wiki contains a page of sample capture files that you can load and inspect. Click File > Open in Wireshark and browse for your downloaded file to open one.
You can also save your own captures in Wireshark and open them later. Click File > Save to save your captured packets
Filtering Packets
If you’re trying to inspect something specific, such as the traffic a program sends when phoning home, it helps to close down all other applications using the network so you can narrow down the traffic. Still, you’ll likely have a large amount of packets to sift through. That’s where Wireshark’s filters come in.
The most basic way to apply a filter is by typing it into the filter box at the top of the window and clicking Apply (or pressing Enter). For example, type “dns” and you’ll see only DNS packets. When you start typing, Wireshark will help you autocomplete your filter.
You can also click Analyze > Display Filters to choose a filter from among the default filters included in Wireshark. From here, you can add your own custom filters and save them to easily access them in the future.
For more information on Wireshark’s display filtering language, read the Building display filter expressions page in the official Wireshark documentation.
Another interesting thing you can do is right-click a packet and select Follow > TCP Stream.
You’ll see the full TCP conversation between the client and the server. You can also click other protocols in the Follow menu to see the full conversations for other protocols, if applicable.
Close the window and you’ll find a filter has been applied automatically. Wireshark is showing you the packets that make up the conversation.
Inspecting Packets
Click a packet to select it and you can dig down to view its details.
You can also create filters from here — just right-click one of the details and use the Apply as Filter submenu to create a filter based on it.
Wireshark is an extremely powerful tool, and this tutorial is just scratching the surface of what you can do with it. Professionals use it to debug network protocol implementations, examine security problems and inspect network protocol internals.
You can find more detailed information in the official Wireshark User’s Guide and the other documentation pages on Wireshark’s website.
Posted by: Mohammed Semari | Published: March 27, 2017| Updated: March 27, 2017
Wireshark, a network analysis tool formerly known as Ethereal, captures packets in real time and display them in human-readable format. Wireshark includes filters, color-coding and other features that let you dig deep into network traffic and inspect individual packets.
This tutorial will get you up to speed with the basics of capturing packets, filtering them, and inspecting them. You can use Wireshark to inspect a suspicious program’s network traffic, analyze the traffic flow on your network, or troubleshoot network problems.
Getting Wireshark
You can download Wireshark for Windows or Mac OS X from its official website. If you’re using Linux or another UNIX-like system, you’ll probably find Wireshark in its package repositories. For example, if you’re using Ubuntu, you’ll find Wireshark in the Ubuntu Software Center.
Just a quick warning: Many organizations don’t allow Wireshark and similar tools on their networks. Don’t use this tool at work unless you have permission.
Capturing Packets
After downloading and installing Wireshark, you can launch it and click the name of an interface under Interface List to start capturing packets on that interface. For example, if you want to capture traffic on the wireless network, click your wireless interface. You can configure advanced features by clicking Capture Options, but this isn’t necessary for now.
As soon as you click the interface’s name, you’ll see the packets start to appear in real time. Wireshark captures each packet sent to or from your system. If you’re capturing on a wireless interface and have promiscuous mode enabled in your capture options, you’ll also see other the other packets on the network.
Click the stop capture button near the top left corner of the window when you want to stop capturing traffic.
Color Coding
You’ll probably see packets highlighted in green, blue, and black. Wireshark uses colors to help you identify the types of traffic at a glance. By default, green is TCP traffic, dark blue is DNS traffic, light blue is UDP traffic, and black identifies TCP packets with problems — for example, they could have been delivered out-of-order.
Sample Captures
If there’s nothing interesting on your own network to inspect, Wireshark’s wiki has you covered. The wiki contains a page of sample capture files that you can load and inspect.
Opening a capture file is easy; just click Open on the main screen and browse for a file. You can also save your own captures in Wireshark and open them later.
Filtering Packets
If you’re trying to inspect something specific, such as the traffic a program sends when phoning home, it helps to close down all other applications using the network so you can narrow down the traffic. Still, you’ll likely have a large amount of packets to sift through. That’s where Wireshark’s filters come in.
The most basic way to apply a filter is by typing it into the filter box at the top of the window and clicking Apply (or pressing Enter). For example, type “dns” and you’ll see only DNS packets. When you start typing, Wireshark will help you autocomplete your filter.
You can also click the Analyze menu and select Display Filters to create a new filter.
Another interesting thing you can do is right-click a packet and select Follow TCP Stream.
You’ll see the full conversation between the client and the server.
Close the window and you’ll find a filter has been applied automatically — Wireshark is showing you the packets that make up the conversation.
Inspecting Packets
Click a packet to select it and you can dig down to view its details.
You can also create filters from here — just right-click one of the details and use the Apply as Filter submenu to create a filter based on it.
Wireshark is an extremely powerful tool, and this tutorial is just scratching the surface of what you can do with it. Professionals use it to debug network protocol implementations, examine security problems and inspect network protocol internals.
When your computer is constantly connected to the Internet or to a network, it is vulnerable to attacks and malware infections. In addition to using a powerful and updated antivirus solution, you can also use a network analysis tool to identify the malicious packets and block them. Such an application is Wireshark and it comes with no price tag.
Wireshark is the world’s foremost network protocol analyzer, and is the de facto standard across many industries and educational institutions.
- Deep inspection of hundreds of protocols, with more being added all the time
- Live capture and offline analysis
- Multi-platform: Runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many others
- Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
- Rich VoIP analysis
- Read/write many different capture file formats
- Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2
- Coloring rules can be applied to the packet list for quick, intuitive analysis
- Output can be exported to XML, PostScript®, CSV, or plain text
Now lets start, Download and Install Wireshark.
Packet Capturing :- Launch your Wireshark utility and choose your network interface. it,s depend upon you what you want to capture like wireless network or wire network from the main window.
or click on the interface icon to see the details about your interfaces.
Now click on the Start, you will see the packets start appear in real time.
Now click on the Stop button on the left corner to stop the live capture.
In the capture menu it,s showing Source IP-address , Destination IP-address, Protocol Information about packet and some packet information.
it,s lots of data. Now you need to be find out the data your work like i want to see the HTTP packets passing from my network. So in the Filter menu i need to be write HTTP or click on the Filter option to find out the Filter option.
Select your packet and Right click on it and Select the option Follow TCP stream option.
it will show more awesome information about particular packet.
Color Coding :- By default, Green is TCP traffic, Dark blue is DNS traffic , Light blue is identified as UDP traffic and Black packet will be identified as a Bad packets.
But here you have the option to change the color option. Select the String and click on the Edit option.
Add own Column :- You can easily customize the filter menu of Wireshark display. Select the option that you want to add, Right click and select the Apply as Coulmn option.
403b4/w:300/h:292/q:90/id:832d42ca5d5e94198a074c995d337de9/ />Summary of All packets and captures :- You have option to see the summary of all the packets and captures from the summary option on the top most corner.
Enjoy the packet capturing with wireshark.
I will try to write more on the Wireshark in my upcoming post.
Hope you like my post. How to Use Wireshark to Capture, Filter and Inspect Packets. Please Share with others.
