Wednesday, March 11, 2015
How to Use Wireshark to Capture, Filter and Inspect
Packets
Wireshark, a
network analysis tool formerly known as Ethereal, captures packets in real time
and display them in human-readable format. Wireshark includes filters,
color-coding and other features that let you dig deep into network traffic and
inspect individual packets.
This tutorial will
get you up to speed with the basics of capturing packets, filtering them, and
inspecting them. You can use Wireshark to inspect a suspicious program’s
network traffic, analyze the traffic flow on your network, or troubleshoot
network problems.
Getting Wireshark
You can download
Wireshark for Windows or Mac OS X from its official website.If you’re using Linux or another UNIX-like system, you’ll probably
find Wireshark in its package repositories. For example, if you’re using
Ubuntu, you’ll find Wireshark in the Ubuntu Software Center.
Just a quick
warning: Many organizations don’t allow Wireshark and similar tools on their
networks. Don’t use this tool at work unless you have permission.
Capturing Packets
After downloading
and installing Wireshark, you can launch it and click the name of an interface
under Interface List to start capturing packets on that interface. For example,
if you want to capture traffic on the wireless network, click your wireless
interface. You can configure advanced features by clicking Capture Options, but
this isn’t necessary for now.
As soon as you
click the interface’s name, you’ll see the packets start to appear in real
time. Wireshark captures each packet sent to or from your system. If you’re
capturing on a wireless interface and have promiscuous mode enabled in your
capture options, you’ll also see other the other packets on the network.
Click the stop
capture button near the top left corner of the window when you want to stop
capturing traffic.
Color Coding
You’ll probably see
packets highlighted in green, blue, and black. Wireshark uses colors to help
you identify the types of traffic at a glance. By default, green is TCP
traffic, dark blue is DNS traffic, light blue is UDP traffic, and black
identifies TCP packets with problems — for example, they could have been
delivered out-of-order.
Sample Captures
If there’s nothing
interesting on your own network to inspect, Wireshark’s wiki has you covered.
The wiki contains a page of sample capture files that you can load and inspect.
Opening a capture
file is easy; just click Open on the main screen and browse for a file. You can
also save your own captures in Wireshark and open them later.
Filtering Packets
If you’re trying to
inspect something specific, such as the traffic a program sends when phoning
home, it helps to close down all other applications using the network so you
can narrow down the traffic. Still, you’ll likely have a large amount of
packets to sift through. That’s where Wireshark’s filters come in.
The most basic way
to apply a filter is by typing it into the filter box at the top of the window
and clicking Apply (or pressing Enter). For example, type “dns” and you’ll see
only DNS packets. When you start typing, Wireshark will help you autocomplete
your filter.
You can also click
the Analyze menu and select Display Filters to create a new filter.
Another interesting
thing you can do is right-click a packet and select Follow TCP Stream.
You’ll see the full
conversation between the client and the server.
Close the window
and you’ll find a filter has been applied automatically — Wireshark is showing
you the packets that make up the conversation.
Inspecting Packets
Click a packet to
select it and you can dig down to view its details.
You can also create
filters from here — just right-click one of the details and use the Apply as
Filter submenu to create a filter based on it.
Wireshark is an
extremely powerful tool, and this tutorial is just scratching the surface of
what you can do with it. Professionals use it to debug network
protocol implementations, examine security problems and inspect network
protocol internals.
