angeloma
Senior Writer and partner

Using Wireshark to analyze your network device

I was just telling you about Wireshark. Using Wireshark is not complicated. It is a great open source tool for monitoring and analyzing the packets sent and received on a network. So, in this post, I will show you how to use it.

1. Install it

Of course, the first step in learning how to use Wireshark is to install it. Wireshark has the great advantage of being multiplatform: you can install it on Windows, Linux or macOS. Besides, it is not complicated to do.

So, in this article I explain how to install it, using Ubuntu 20.04/18.04 as a base. Again, it is not difficult, and the package is available in the official repositories of most Linux distributions.

2. What does Wireshark do?

The tool intercepts traffic and converts it into a human-readable format. This makes it easier to identify what traffic is crossing the network, how often, and the latency between certain hops.


Wireshark supports a very large number of protocols, but many of them are obsolete or rarely seen on a typical network, so most of the packets you capture will be TCP, UDP and ICMP.

3. Using Wireshark

Now it’s time to use Wireshark. First, run it from the main menu and you will see the following.

1.- Wireshark

The first thing you need to do is select the network interface you want to inspect. In my case, the network interface is wlp5s0, which is the wireless interface I’m using. If you want to know what the other interfaces are called, you can use this command.

:~$ sudo ifconfig

2.- Running the ifconfig command

So, click on the name of the network interface that you want to analyze, and the capture of traffic on that interface will start.

3.- Capturing the interface packets

The capture is done in real time, so the information presented to you changes constantly. If you enable promiscuous mode you will not only see the packets addressed to your network interface, but also the rest of the traffic on the network. This is especially useful when the interface is wireless.

To enable promiscuous mode, go to the Capture menu and select Options.

4.- Activating promiscuous mode

The setting takes effect once you stop the current capture on the network interface by pressing the red button.

5.- Using the Wireshark GUI

When you want to stop monitoring traffic on the network interface, press that button. You will then have the captured packets and will be able to work with them.

Colors in Wireshark

As you’ve noticed, the packets are shaded with different colors. These represent the various protocols supported by Wireshark. Of course, each color rule can be modified to your liking.

To see the color rules, go to the View menu and select the Coloring Rules option.

6.- Coloring Rules in Wireshark

In this window, you will see how the protocols are identified. Generally, black is reserved for failed or incomplete packets, while TCP and UDP are shown in light colors.

Saving a network capture

If, as in my case, there is nothing interesting after capturing the packets from the network, or you simply do not want to analyze anything right now, you can save the capture of the interface and look at it later.

To do this, go to the File menu and select the Save As option.

7.- Saving the capture

But that’s not all: the Wireshark wiki contains sample captures that you can use for learning. Download one and open it from the File menu.

Filter captured packets

Wireshark can capture many packets in a very short time. For that reason, the program incorporates the option to filter them by protocol or by a keyword.

So, you just need to type in the keyword you want to filter on. In my case, I wanted to see all the requests made by the DNS protocol.

8.- Using the filters

This way, you will not miss anything on your network.

Using Wireshark to analyze a packet

Now it’s time to analyze a packet, to learn more about it. This is one of the basic functions of Wireshark and what it was made for. It’s really simple.

Select a packet and at the bottom you will see its details.

9.- Viewing the packet details
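As an added example (not code from the original post), the following Python script shows what happens behind the last three steps: it reads a capture in the classic pcap format that File > Save As writes, dissects each frame the way the detail pane does (Ethernet, IPv4, UDP and the DNS query name), and applies a protocol filter such as dns. The sample capture is constructed inline; the addresses, ports and query name are made up.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic libpcap magic (little-endian, microsecond timestamps)

def build_pcap(frames):
    """Constructed sample file: global header (v2.4, snaplen 65535, linktype 1 = Ethernet) + records."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    recs = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return hdr + recs

def udp_frame(src, dst, sport, dport, payload):
    """Constructed Ethernet/IPv4/UDP frame (checksums left at 0; Wireshark still dissects it)."""
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"          # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 1, 0, 64, 17, 0, bytes(src), bytes(dst))
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return eth + ip + udp + payload

def read_pcap(data):
    """Yield the raw frames from pcap bytes (what File > Open loads)."""
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    off = 24
    while off < len(data):
        incl_len = struct.unpack("<IIII", data[off:off + 16])[2]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def dissect(frame):
    """Like the detail pane: EtherType, IPv4 addresses, UDP ports and, for DNS, the query name."""
    if frame[12:14] != b"\x08\x00":
        return {"proto": "non-ip"}
    info = {"src": ".".join(map(str, frame[26:30])), "dst": ".".join(map(str, frame[30:34]))}
    info["proto"] = {6: "tcp", 17: "udp"}.get(frame[23], "ip")
    if info["proto"] != "udp":
        return info
    l4 = 14 + (frame[14] & 0x0F) * 4                           # IPv4 header length is in 32-bit words
    info["sport"], info["dport"] = struct.unpack("!HH", frame[l4:l4 + 4])
    if 53 in (info["sport"], info["dport"]):                   # port 53 heuristic, as Wireshark uses by default
        info["proto"] = "dns"
        labels, i = [], l4 + 8 + 12                           # skip UDP header and 12-byte DNS header
        while frame[i]:
            labels.append(frame[i + 1:i + 1 + frame[i]].decode()); i += frame[i] + 1
        info["qname"] = ".".join(labels)
    return info

def display_filter(data, proto):
    """Equivalent of typing a protocol name such as 'dns' into the filter bar."""
    return [p for p in map(dissect, read_pcap(data)) if p["proto"] == proto]

# Constructed capture: one DNS A query for example.com and one unrelated UDP datagram.
DNS_QUERY = bytes.fromhex("123401000001000000000000076578616d706c6503636f6d0000010001")
SAMPLE = build_pcap([udp_frame((192, 168, 1, 10), (192, 168, 1, 1), 51000, 53, DNS_QUERY),
                     udp_frame((192, 168, 1, 10), (192, 168, 1, 20), 5000, 5001, b"hello")])

if __name__ == "__main__":
    for p in display_filter(SAMPLE, "dns"):
        print(p)
```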

You can also create a filter from the selected packet.

10.- Applying a filter from a packet

Or you can follow the TCP conversation between the client and the server. Select the packet, go to the Analyze menu, then Follow, and finally click on the TCP Stream option. You will see something like this.

11.- Following a TCP stream

So, that’s it.

Conclusion

Wireshark is a program with incredible power. This post has only introduced you to the world of network interface monitoring.

Please share this article with your friends.
