If you find yourself troubleshooting network issues and need to inspect individual packets, you need to use Wireshark. Wireshark is the go-to application for capturing and examining network traffic, and one you should know how to use.
Since Wireshark is the complete tool for this task, let’s go over some basics – like where to download, how to capture network packets, how to use Wireshark filters, and more.
- Wireshark is an open-source application that captures and displays data traveling back and forth on a network.
- Because it can drill down and read the contents of each packet, it’s used to troubleshoot network problems and test software.
What is Wireshark?
Wireshark is an open-source network protocol analysis software program launched by Gerald Combs in 1998. A global organization of network experts and software developers supports Wireshark and continues to update it for new network technologies and encryption methods.
Wireshark is absolutely safe to use. Government agencies, corporations, non-profits and educational institutions use Wireshark for troubleshooting and educational purposes. There’s no better way to learn networking than by looking at traffic under a Wireshark microscope.
There are questions about the legality of Wireshark, as it is a powerful packet sniffer. The lighter side of the force says that you should only use Wireshark on networks where you are allowed to inspect network packets. Using Wireshark to view packets you are not authorized to see is the way to the dark side.
Originally known as Ethereal, Wireshark displays data from hundreds of different protocols on all major network types. Data packets can be viewed in real-time or analyzed offline. Wireshark supports dozens of capture/trace file formats, including CAP and ERF. Integrated decryption tools display the encrypted packets for several common protocols, including WEP and WPA/WPA2.
How does Wireshark work?
Wireshark is a packet sniffer and analysis tool. It captures network traffic on the local network and stores that data for offline analysis. Wireshark captures network traffic from Ethernet, Bluetooth, Wireless (IEEE 802.11), Token Ring, Frame Relay connections, and more.
Ed. Note: A “packet” is a single message from any network protocol (i.e., TCP, DNS, etc.)
Ed. Note 2: LAN traffic is in broadcast mode, meaning a single computer with Wireshark can see traffic between two other computers. (On a switched LAN this holds only for broadcast and multicast frames; unicast traffic between two other hosts reaches your capture port only if the switch mirrors it there.) If you want to see traffic to an external site, you need to capture the packets on the local computer that is talking to that site.
Wireshark allows you to filter the log either before the capture starts or during analysis, so you can narrow down and zero into what you are looking for in the network trace. For example, you can set a filter to see TCP traffic between two IP addresses. You can set it only to show you the packets sent from one computer. The filters in Wireshark are one of the primary reasons it became the standard tool for packet analysis.
How to Download and Install Wireshark
Wireshark can be downloaded at no cost from the Wireshark Foundation website for both macOS and Windows. You’ll see the latest stable release and the current developmental release. Unless you’re an advanced user, download the stable version.
During the Windows setup process, choose to install WinPcap or Npcap if prompted, as these include the libraries required for live data capture. Npcap is the currently maintained option.
You must be logged in to the device as an administrator to use Wireshark. In Windows 10, search for Wireshark and select Run as administrator. In macOS, right-click the app icon and select Get Info. In the Sharing & Permissions settings, give the admin Read & Write privileges.
The application is also available for Linux and other UNIX-like platforms including Red Hat, Solaris, and FreeBSD. The binaries required for these operating systems can be found toward the bottom of the Wireshark download page under the Third-Party Packages section. You can also download Wireshark’s source code from this page.
Downloading and installing Wireshark is easy. Step one is to check the official Wireshark Download page for the operating system you need. The basic version of Wireshark is free.
Wireshark for Windows
Wireshark comes in two flavors for Windows, 32 bit and 64 bit. Pick the correct version for your OS. The current release is 3.0.3 as of this writing. The installation is simple and shouldn’t cause any issues.
Wireshark for Mac
The easiest way to install Wireshark on a Mac is through the Homebrew package manager. To install Homebrew, run this command at your Terminal prompt:
/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
Once you have the Homebrew system in place, you can access several open-source projects for your Mac. To install Wireshark run this command from the Terminal:
brew install wireshark
Homebrew will download and install Wireshark and any dependencies so it will run correctly.
Wireshark for Linux
Installing Wireshark on Linux can be a little different depending on the Linux distribution. If you aren’t running one of the following distros, please double-check the commands.
On Debian- or Ubuntu-based distributions (which use apt), run these commands from a terminal prompt:
sudo apt-get install wireshark
sudo dpkg-reconfigure wireshark-common
sudo adduser $USER wireshark
Those commands install the package, reconfigure it so that non-root users are allowed to capture packets, and add your user to the wireshark group so you can run Wireshark without root. Log out and back in for the group change to take effect.
Red Hat Fedora
From a terminal prompt, run these commands:
sudo dnf install wireshark-qt
sudo usermod -a -G wireshark username
The first command installs the Qt GUI along with the command-line tools, and the second adds your account (replace username with your login name) to the wireshark group so you can capture without root. Log out and back in for the group change to take effect.
On Kali Linux, Wireshark is probably already installed! It’s part of the basic package. Check your menu to verify. It’s under the menu option “Sniffing & Spoofing.”
How to Capture Data Packets With Wireshark
Now that we have Wireshark installed let’s go over how to enable the Wireshark packet sniffer and then analyze the network traffic.
Capturing Data Packets on Wireshark
When you open Wireshark, you see a screen that shows you a list of all of the network connections you can monitor. You also have a capture filter field, so you only capture the network traffic you want to see.
When you launch Wireshark, a welcome screen lists the available network connections on your current device. Displayed to the right of each is an EKG-style line graph that represents live traffic on that network.
To begin capturing packets with Wireshark:
Select one or more networks, go to the menu bar, then select Capture.
To select multiple networks, hold the Shift key as you make your selection.
You can select one or more of the network interfaces using “shift left-click.” Once you have the network interface selected, you can start the capture, and there are several ways to do that.
Click the first button on the toolbar, titled “Start Capturing Packets.”
In the Wireshark Capture Interfaces window, select Start.
There are other ways to initiate packet capturing. Select the shark fin on the left side of the Wireshark toolbar, press Ctrl+E, or double-click the network.
Select File > Save As or choose an Export option to record the capture.
To stop capturing, press Ctrl+E. Or, go to the Wireshark toolbar and select the red Stop button that’s located next to the shark fin.
How to View and Analyze Packet Contents
Wireshark shows you three different panes for inspecting packet data. The Packet List, the top pane, is a list of all the packets in the capture. When you click on a packet, the other two panes change to show you the details about the selected packet. You can also tell if the packet is part of a conversation. Here are some details about each column in the top pane:
- No.: This is the order in which the packet was captured. A bracket in this column indicates that the packet is part of a conversation.
- Time: This column shows you how long after you started the capture that this packet got captured. You can change this value in the Settings menu if you need something different displayed.
- Source: This is the address of the system that sent the packet.
- Destination: This is the address of the destination of that packet.
- Protocol: This is the type of packet, for example, TCP, DNS, DHCPv6, or ARP.
- Length: This column shows you the length of the packet in bytes.
- Info: This column shows you more information about the packet contents, and will vary depending on what kind of packet it is.
Packet Details, the middle pane, shows you as much readable information about the packet as possible, depending on what kind of packet it is. You can right-click and create filters based on the highlighted text in this field.
The bottom pane, Packet Bytes, displays the packet exactly as it got captured in hexadecimal.
When you are looking at a packet that is part of a conversation, you can right-click the packet and select Follow to see only the packets that are part of that conversation.
The captured data interface contains three main sections:
- The packet list pane (the top section)
- The packet details pane (the middle section)
- The packet bytes pane (the bottom section)
The packet list pane, located at the top of the window, shows all packets found in the active capture file. Each packet has its own row and corresponding number assigned to it, along with each of these data points:
- No: The packet’s sequence number in the capture. Once you select a packet, conversation markers appear in this column to indicate which other packets are part of the same conversation; until then the markers are blank.
- Time: The timestamp of when the packet was captured is displayed in this column. The default format is the number of seconds or partial seconds since this specific capture file was first created.
- Source: This column contains the address (IP or other) where the packet originated.
- Destination: This column contains the address that the packet is being sent to.
- Protocol: The packet’s protocol name, such as TCP, can be found in this column.
- Length: The packet length, in bytes, is displayed in this column.
- Info: Additional details about the packet are presented here. The contents of this column can vary greatly depending on packet contents.
To change the time format to something more useful (such as the actual time of day), select View > Time Display Format.
When a packet is selected in the top pane, you may notice one or more symbols appear in the No. column. Open or closed brackets and a straight horizontal line indicate whether a packet or group of packets are part of the same back-and-forth conversation on the network. A broken horizontal line signifies that a packet is not part of the conversation.
The details pane, found in the middle, presents the protocols and protocol fields of the selected packet in a collapsible format. In addition to expanding each selection, you can apply individual Wireshark filters based on specific details and follow streams of data based on protocol type by right-clicking the desired item.
At the bottom is the packet bytes pane, which displays the raw data of the selected packet in a hexadecimal view. Each line of this hex dump shows the data offset, 16 bytes in hexadecimal, and the same 16 bytes rendered as ASCII.
Selecting a specific portion of this data automatically highlights its corresponding section in the packet details pane and vice versa. Any bytes that cannot be printed are represented by a period.
To display this data in bit format as opposed to hexadecimal, right-click anywhere within the pane and select “…as bits.”
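To make the three panes concrete, here is an added example (not code from the article or from the Wireshark project) that decodes a constructed Ethernet/IPv4/UDP frame the way the Packet List, Packet Details and Packet Bytes panes present it: a one-row summary, a per-layer field breakdown with the IPv4 header checksum verified, and a hex dump with offset, hex and ASCII columns (unprintable bytes shown as a period). The frame bytes, the function names and the Info-column wording are all assumptions made for the example; the DNS label follows the same port-53 heuristic Wireshark’s own dissector uses.

```python
import struct
import ipaddress

# Constructed sample frame (not from a real capture): Ethernet II + IPv4 + UDP + 4 payload bytes.
# The IPv4 header checksum (0x4d4a) was computed for exactly these header bytes.
SAMPLE_FRAME = bytes.fromhex(
    "001122334455"   # Ethernet destination MAC
    "66778899aabb"   # Ethernet source MAC
    "0800"           # EtherType: IPv4
    "4500" "0020"    # IPv4: version 4, IHL 5 (20 bytes), DSCP/ECN 0, total length 32
    "abcd" "0000"    # identification, flags / fragment offset
    "40" "11"        # TTL 64, protocol 17 (UDP)
    "4d4a"           # header checksum
    "c0a80064"       # source 192.168.0.100
    "c0a80001"       # destination 192.168.0.1
    "d431" "0035"    # UDP: source port 54321, destination port 53 (DNS)
    "000c" "0000"    # UDP length 12, checksum 0 (optional over IPv4)
    "deadbeef"       # payload
)


def ipv4_checksum(header):
    """RFC 1071 one's-complement sum over an IPv4 header. Fed a header whose checksum field
    is zero it returns the checksum to insert; fed a correct header it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def dissect(frame):
    """The Packet Details view: each layer's fields, decoded from the raw bytes."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers = {"eth": {"dst": mac_str(dst), "src": mac_str(src), "type": ethertype}}
    if ethertype != 0x0800:           # only IPv4 is decoded in this example
        return layers
    ihl = (frame[14] & 0x0F) * 4      # header length in bytes (IHL is in 32-bit words)
    ip_hdr = frame[14:14 + ihl]
    (_, _, total_len, ident, _, ttl, proto, _, ip_src, ip_dst) = struct.unpack("!BBHHHBBH4s4s", ip_hdr[:20])
    layers["ip"] = {
        "src": str(ipaddress.IPv4Address(ip_src)),
        "dst": str(ipaddress.IPv4Address(ip_dst)),
        "ttl": ttl, "proto": proto, "len": total_len, "id": ident,
        "checksum_ok": ipv4_checksum(ip_hdr) == 0,
    }
    if proto == 17:                   # UDP
        off = 14 + ihl
        sport, dport, ulen, _ = struct.unpack("!HHHH", frame[off:off + 8])
        layers["udp"] = {"srcport": sport, "dstport": dport, "len": ulen,
                         "payload": frame[off + 8:off + ulen]}
    return layers


def summarize(number, rel_time, frame):
    """One row of the Packet List pane: No., Time, Source, Destination, Protocol, Length, Info."""
    layers = dissect(frame)
    row = {"No.": number, "Time": rel_time, "Length": len(frame)}
    if "udp" in layers:
        udp = layers["udp"]
        row.update(Source=layers["ip"]["src"], Destination=layers["ip"]["dst"],
                   Protocol="DNS" if 53 in (udp["srcport"], udp["dstport"]) else "UDP",
                   Info="%d -> %d Len=%d" % (udp["srcport"], udp["dstport"], len(udp["payload"])))
    elif "ip" in layers:
        row.update(Source=layers["ip"]["src"], Destination=layers["ip"]["dst"],
                   Protocol="IP proto %d" % layers["ip"]["proto"], Info="")
    else:
        row.update(Source=layers["eth"]["src"], Destination=layers["eth"]["dst"],
                   Protocol="0x%04x" % layers["eth"]["type"], Info="")
    return row


def hexdump(data):
    """The Packet Bytes pane: offset, 16 bytes as hex, the same bytes as ASCII ('.' if unprintable)."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hexpart = " ".join("%02x" % b for b in chunk)
        text = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append("%04x  %-47s  %s" % (off, hexpart, text))
    return lines


if __name__ == "__main__":
    print(summarize(1, 0.000000, SAMPLE_FRAME))
    for layer, fields in dissect(SAMPLE_FRAME).items():
        print(layer, fields)
    print("\n".join(hexdump(SAMPLE_FRAME)))
```

Clicking a byte in the real Packet Bytes pane highlights the field it belongs to; in this example the same mapping is the slice arithmetic in dissect() (bytes 0 to 13 are Ethernet, 14 to 33 are IPv4, 34 to 41 are UDP, the rest is payload).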
How to Use Wireshark Filters
Capture filters instruct Wireshark to only record packets that meet specified criteria. Filters can also be applied to a capture file that has been created so that only certain packets are shown. These are referred to as display filters.
One of the best features of Wireshark is the Wireshark Capture Filters and Wireshark Display Filters. Filters allow you to view the capture the way you need to see it so you can troubleshoot the issues at hand. Here are several filters to get you started.
Wireshark Capture Filters
Capture filters limit which packets are captured: if a packet doesn’t match the filter, Wireshark won’t save it. Capture filters use the libpcap (BPF) syntax, which differs from the display filter syntax described below. Here are some examples of capture filters:
- host IP-address : limits the capture to traffic to and from that IP address
- net 192.168.0.0/24 : captures all traffic to or from the subnet
- dst host IP-address : captures only packets sent to the specified host
- port 53 : captures traffic on port 53 only
- port not 53 and not arp : captures all traffic except DNS and ARP traffic
Wireshark Display Filters
Wireshark Display Filters change the view of the capture during analysis. After you have stopped the packet capture, you use display filters to narrow down the packets in the Packet List so you can troubleshoot your issue.
The most useful (in my experience) display filter is:
ip.src==IP-address and ip.dst==IP-address
This filter shows you packets from one computer (ip.src) to another (ip.dst). You can also use ip.addr to show you packets to and from that IP. Here are some others:
- tcp.port eq 25 : shows all traffic on port 25, which is usually SMTP traffic.
- icmp : shows only the ICMP traffic in the capture, most likely pings.
- ip.addr != IP_address : meant to show all traffic except the traffic to or from the specified computer, but it does not work that way. ip.addr stands for both ip.src and ip.dst, and != matches whenever either of them differs, so nearly every packet passes. Use !(ip.addr == IP_address) instead.
Analysts even build filters to detect specific attacks, like this filter to detect the Sasser worm:
Wireshark provides a large number of predefined filters by default. To use one of these existing filters, enter its name in the Apply a display filter entry field located below the Wireshark toolbar or in the Enter a capture filter field located in the center of the welcome screen.
For example, if you want to display TCP packets, type tcp. The Wireshark autocomplete feature shows suggested names as you begin typing, making it easier to find the correct moniker for the filter you’re seeking.
Another way to choose a filter is to select the bookmark on the left side of the entry field. Choose Manage Filter Expressions or Manage Display Filters to add, remove, or edit filters.
You can also access previously used filters by selecting the down arrow on the right side of the entry field to display a history drop-down list.
Capture filters are applied as soon as you begin recording network traffic. To apply a display filter, select the right arrow on the right side of the entry field.
Wireshark Color Rules
While Wireshark’s capture and display filters limit which packets are recorded or shown on the screen, its colorization function takes things a step further: It can distinguish between different packet types based on their individual hue. This quickly locates certain packets within a saved set by their row color in the packet list pane.
You can set up Wireshark so it colors the packets in the Packet List according to a display filter, which lets you emphasize the packets you want to highlight.
Wireshark comes with about 20 default coloring rules, each can be edited, disabled, or deleted. Select View > Coloring Rules for an overview of what each color means. You can also add your own color-based filters.
Select View > Colorize Packet List to toggle packet colorization on and off.
Statistics in Wireshark
Other useful metrics are available through the Statistics drop-down menu. These include size and timing information about the capture file, along with dozens of charts and graphs ranging in topic from packet conversation breakdowns to load distribution of HTTP requests.
Display filters can be applied to many of these statistics via their interfaces, and the results can be exported to common file formats, including CSV, XML, and TXT.
Wireshark Advanced Features
Wireshark Promiscuous Mode
Without promiscuous mode, a network interface only passes up packets addressed to the computer where Wireshark runs (plus broadcasts and multicasts). By checking the box to run Wireshark in Promiscuous Mode in the Capture Settings, you capture every frame the interface receives, which on a shared segment is most of the traffic on the LAN. On a switched LAN that is still only what the switch forwards to your port, so to see other hosts’ conversations you need a mirror (SPAN) port or a network tap; for Wi-Fi, capturing other stations’ traffic requires monitor mode rather than promiscuous mode.
Wireshark Command Line
Wireshark also provides a command-line interface (CLI) for systems without a GUI; the command-line capture and analysis tool that ships with Wireshark is tshark. Best practice is to use the CLI to capture and save a file so you can review that file later with the GUI.
- wireshark : run Wireshark in GUI mode
- wireshark -h : show available command line parameters for Wireshark
- wireshark -a duration:300 -i eth1 -w wireshark. : capture traffic on Ethernet interface 1 for 5 minutes. -a means automatically stop the capture when the given condition is met (here, after 300 seconds), -i specifies which interface to capture on, and -w writes the capture to the named file
Metrics and Statistics
Under the Statistics menu item, you will find a plethora of options to show details about your capture.
Wireshark also supports advanced features, including the ability to write protocol dissectors in the Lua programming language.
Additional Wireshark Resources and Tutorials
There are many tutorials and videos around that show you how to use Wireshark for specific purposes. You should start on the main Wireshark website and move forward from there. You can find the official documentation and Wiki on that site.
Wireshark is a great network sniffer and analysis tool – however, in my opinion, it’s best used once you know what you are looking for. You aren’t going to use Wireshark to find a new problem. There is too much noise on the network. You need something like itjd with Edge to make sense of the overall situation for you and point you to a threat to investigate, and then you use Wireshark to dig in deeper to understand exactly what is in the packets that are dangerous.
For example, when itjd Security Researchers discovered the norman cryptominer, they received an alert from itjd pointing to suspicious network and file activity from several machines. During the analysis of the cryptominer, itjd researchers used Wireshark to inspect network activities for some of the machines that were misbehaving. Wireshark showed the research team that a new cryptominer, norman, was actively communicating with command and control (C&C) servers using DuckDNS. With Wireshark, the itjd team was able to see all the IP addresses of the C&C servers the attackers used, so the company could shut off communication and stop the attack.
To see the itjd team in action, sign up for a Live Cyber Attack Demo. Pick any time that works for you!