How to Use Wireshark? User Guide Documentation and Explanation.


What Is Wireshark?

Originally known as Ethereal, Wireshark displays data from hundreds of different protocols on all major network types. Data packets can be viewed in real time or analyzed offline. Wireshark supports dozens of capture/trace file formats, including CAP and ERF. Integrated decryption tools can decrypt and display the traffic of several common protocols, including WEP and WPA/WPA2, given the appropriate key.

How to Download and Install Wireshark

Wireshark can be downloaded at no cost from the Wireshark Foundation website for both macOS and Windows. You'll see the latest stable release and the current developmental release. Unless you're an advanced user, download the stable version.

You must be logged in to the device as an administrator to use Wireshark. In Windows 10, search for Wireshark and select Run as administrator. In macOS, right-click the app icon and select Get Info. In the Sharing & Permissions settings, give the admin Read & Write privileges.

The application is also available for Linux and other UNIX-like platforms including Red Hat, Solaris, and FreeBSD. The binaries required for these operating systems can be found toward the bottom of the Wireshark download page under the Third-Party Packages section. You can also download Wireshark's source code from this page.

How to View and Analyze Packet Contents

The captured data interface contains three main sections:

  • The packet list pane (the top section)
  • The packet details pane (the middle section)
  • The packet bytes pane (the bottom section)

Packet List

The packet list pane, located at the top of the window, shows all packets found in the active capture file. Each packet has its own row and corresponding number assigned to it, along with each of these data points:

  • No.: This field indicates which packets are part of the same conversation. It remains blank until you select a packet.
  • Time: The timestamp of when the packet was captured is displayed in this column. The default format is the number of seconds or partial seconds since this specific capture file was first created.
  • Source: This column contains the address (IP or other) where the packet originated.
  • Destination: This column contains the address that the packet is being sent to.
  • Protocol: The packet's protocol name, such as TCP, can be found in this column.
  • Length: The packet length, in bytes, is displayed in this column.
  • Info: Additional details about the packet are presented here. The contents of this column can vary greatly depending on packet contents.

To change the time format to something more useful (such as the actual time of day), select View > Time Display Format.

A screenshot of Wireshark with the Time Display Format command and options highlighted

When a packet is selected in the top pane, you may notice one or more symbols appear in the No. column. Open or closed brackets and a straight horizontal line indicate that a packet or group of packets is part of the same back-and-forth conversation on the network. A broken horizontal line signifies that a packet is not part of the conversation.

A screenshot of Wireshark with the packets pane highlighted

Packet Details

The details pane, found in the middle, presents the protocols and protocol fields of the selected packet in a collapsible format. In addition to expanding each selection, you can apply individual Wireshark filters based on specific details and follow streams of data based on protocol type by right-clicking the desired item.

A screenshot of Wireshark with the Packet Details pane highlighted

Packet Bytes

At the bottom is the packet bytes pane, which displays the raw data of the selected packet in a hexadecimal view. Each row of this hex dump shows 16 bytes in hexadecimal and the same 16 bytes as ASCII, alongside the data offset.

Selecting a specific portion of this data automatically highlights its corresponding section in the packet details pane and vice versa. Any bytes that cannot be printed are represented by a period.

A screenshot of Wireshark with the Packet Bytes panel highlighted

To display this data in bit format as opposed to hexadecimal, right-click anywhere within the pane and select "as bits".

A screenshot of Wireshark's Packet Bytes window with the "As bits" option highlighted
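As an added example (not code from this page or from the Wireshark project), the following Python shows how the packet list columns described above (No., Time as seconds since the first packet, Source, Destination, Protocol, Length) and the packet bytes pane's hex dump (offset, 16 hex bytes, 16 ASCII characters with unprintable bytes shown as a period) are derived from a capture file. It builds a two-packet libpcap file in memory, so the addresses, MACs, ports and payloads are all constructed sample data.

```python
import socket
import struct

# Added example, not Wireshark's code. Addresses (RFC 5737 ranges) and payloads are constructed.
PCAP_MAGIC = 0xA1B2C3D4  # little-endian pcap with microsecond timestamps

def tcp_frame(src_ip, dst_ip, sport, dport, payload=b""):
    """Build an Ethernet/IPv4/TCP frame; checksums stay 0, which is enough for parsing."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + tcp
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip  # dst MAC, src MAC, EtherType IPv4

def build_pcap(packets):
    """packets: [(unix_timestamp, frame_bytes)] -> bytes of a pcap file, link type 1 (Ethernet)."""
    records = [struct.pack("<IIII", int(ts), round((ts % 1) * 1_000_000), len(f), len(f)) + f
               for ts, f in packets]
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1) + b"".join(records)

def packet_list(pcap):
    """One dict per packet with the packet list columns; Time is seconds since the first packet."""
    if struct.unpack("<I", pcap[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap file")
    rows, off, first_ts = [], 24, None  # records start after the 24-byte global header
    while off + 16 <= len(pcap):
        sec, usec, incl_len, _orig_len = struct.unpack("<IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        ts = sec + usec / 1_000_000
        first_ts = ts if first_ts is None else first_ts
        src, dst, proto = "", "", "ETH"
        if frame[12:14] == b"\x08\x00":  # IPv4 follows the 14-byte Ethernet header
            src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
            proto = {1: "ICMP", 6: "TCP", 17: "UDP"}.get(frame[23], "IPv4")
        rows.append({"no": len(rows) + 1, "time": round(ts - first_ts, 6), "src": src,
                     "dst": dst, "proto": proto, "len": len(frame), "frame": frame})
    return rows

def hex_dump(data):
    """Render bytes as the packet bytes pane does: offset, 16 hex bytes, 16 ASCII characters."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)  # unprintable -> "."
        lines.append(f"{off:04x}  {' '.join(f'{b:02x}' for b in chunk):<47}  {text}")
    return "\n".join(lines)

SAMPLE_PCAP = build_pcap([  # constructed two-packet capture: HTTP request and reply
    (1700000000.0, tcp_frame("192.0.2.10", "198.51.100.7", 51000, 80, b"GET / HTTP/1.1\r\n")),
    (1700000000.25, tcp_frame("198.51.100.7", "192.0.2.10", 80, 51000, b"HTTP/1.1 200 OK\r\n"))])
```

Calling packet_list(SAMPLE_PCAP) gives the rows the packet list pane would show, and hex_dump(rows[0]["frame"]) prints the first frame the way the packet bytes pane does.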

How to Use Wireshark Filters

Capture filters instruct Wireshark to record only packets that meet specified criteria. Filters can also be applied to a capture file that has already been created so that only certain packets are shown; these are referred to as display filters. The two use different syntaxes: capture filters are written in the libpcap syntax (see the pcap-filter man page), while display filters use Wireshark's own syntax (see wireshark-filter).

Wireshark provides a large number of predefined filters by default. To use one of these existing filters, enter its name in the Apply a display filter entry field located below the Wireshark toolbar or in the Enter a capture filter field located in the center of the welcome screen.

For example, if you want to display TCP packets, type tcp. The Wireshark autocomplete feature shows suggested names as you begin typing, making it easier to find the correct moniker for the filter you're seeking.

A screenshot of Wireshark with the filters bar highlighted

Another way to choose a filter is to select the bookmark on the left side of the entry field. Choose Manage Filter Expressions or Manage Display Filters to add, remove, or edit filters.

A screenshot of Wireshark with the Manage Display Filters and Manage Filter Expressions commands highlighted

You can also access previously used filters by selecting the down arrow on the right side of the entry field to display a history drop-down list.

A screenshot of Wireshark with the history arrow highlighted

Capture filters are applied as soon as you begin recording network traffic. To apply a display filter, select the right arrow on the right side of the entry field.

Wireshark Color Rules

While Wireshark's capture and display filters limit which packets are recorded or shown on the screen, its colorization function takes things a step further: it distinguishes between different packet types by giving each its own hue. This makes it quick to locate certain packets within a saved set by their row color in the packet list pane.

Wireshark coloring rules dialog opened in front of main Wireshark window

Wireshark comes with about 20 default coloring rules, each of which can be edited, disabled, or deleted. Select View > Coloring Rules for an overview of what each color means. You can also add your own color-based filters.

A screenshot of Wireshark's View menu with the Coloring Rules command highlighted

Select View > Colorize Packet List to toggle packet colorization on and off.

Statistics in Wireshark

Several other useful metrics are available through the Statistics drop-down menu found toward the top of the screen. These include size and timing information about the capture file, along with dozens of charts and graphs ranging in topic from packet conversation breakdowns to the load distribution of HTTP requests.

Display filters can be applied to many of these statistics via their interfaces, and the results can be exported to common file formats, including CSV, XML, and TXT.

Wireshark Advanced Features

Wireshark also supports advanced features, including the ability to write protocol dissectors in the Lua programming language.


Wireshark Command Line

The following man pages are part of the Wireshark distribution. They are available via the command line on UNIX-compatible systems and as HTML files via the Start menu on Windows systems.

  • androiddump - Provide interfaces to capture from Android devices
  • capinfos - Prints information about capture files
  • captype - Prints the types of capture files
  • ciscodump - Provide interfaces to capture from a remote Cisco router through SSH.
  • dftest - Shows display filter byte-code, for debugging dfilter routines.
  • dumpcap - Dump network traffic
  • editcap - Edit and/or translate the format of capture files
  • etwdump - Provide an interface to read ETW
  • extcap - The extcap interface
  • idl2wrs - CORBA IDL to Wireshark Plugin Generator
  • mergecap - Merges two or more capture files into one
  • mmdbresolve - Read IPv4 and IPv6 addresses and print their IP geolocation information.
  • randpkt - Random packet generator
  • randpktdump - Provide an interface to generate random captures using randpkt
  • rawshark - Dump and analyze raw pcap data
  • reordercap - Reorder input file by timestamp into output file
  • sshdump - Provide interfaces to capture from a remote host through SSH using a remote capture binary.
  • text2pcap - Generate a capture file from an ASCII hexdump of packets
  • tshark - Dump and analyze network traffic
  • udpdump - Provide a UDP receiver that gets packets from network devices (like Aruba routers) and exports them in PCAP format.
  • wireshark-filter - Wireshark display filter syntax and reference
  • wireshark - Interactively dump and analyze network traffic

Capture filtering is handled by libpcap, and its documentation is part of the libpcap distribution.

  • pcap-filter - Capture filter syntax

