I have already told you about Wireshark, the great open source tool for monitoring and analyzing the packets sent and received on a network, and using it is not complicated. So, in this post, I will show you how to use Wireshark.
1. Install it
Of course, the first step to learning how to use Wireshark is to install it. Wireshark has the great advantage of being multiplatform, that is, you can install it on Windows, Linux or macOS, and installing it is not complicated either.
2. What does Wireshark do?
The tool captures traffic and presents it in a human-readable form. This makes it easier to see what traffic is crossing the network, how often, and the latency between certain hops.
Wireshark can dissect a very large number of protocols, but many of them are rarely seen in practice, so in a typical capture most packets will be TCP, UDP, and ICMP.
3. Using Wireshark
Now it’s time to use Wireshark. First, run it from the main menu and you will see the start screen with the list of interfaces.
The first thing you need to do is select the network interface you want to inspect. In my case, the network interface is wlp5s0, which refers to the wireless network I’m using. If you want to know what the other interfaces are called you can use this command (on newer Linux systems that no longer ship ifconfig, ip link does the same job).
:~$ sudo ifconfig
So, click on the name of the network interface that you want to analyze and the capture of the traffic on that interface will start.
The capture is done in real time, so the information presented to you changes constantly. If you activate promiscuous mode, you will not only see the packets addressed to your network interface, but also other packets that reach it from the rest of the network. This is useful especially when the interface is wireless. Keep in mind that on a switched wired network the switch normally only forwards your own traffic to your port, and on Wi-Fi most adapters additionally need monitor mode before they will show frames belonging to other stations.
To activate the Promiscuous Mode, go to Capture menu, Options.
This option can only be changed while no capture is running, so first stop the current capture on the network interface by pressing the red button.
When you want to stop the traffic monitoring on the network interface, you can press that button. This way you will have the captured packets and you will be able to work with them.
Colors in Wireshark
As you’ve noticed, the packets are shaded with different colors. These represent the various protocols that are supported by Wireshark. Of course, the color assigned to each of them can be modified to your liking.
For color rules, go to View menu and select Coloring Rules option.
In this window, you will see how each protocol is identified. Generally, black is reserved for packets with errors or packets that were not completed, while TCP and UDP use light colors.
Saving a network capture
If, as in my case, after capturing the packets from the network there is nothing interesting, or you simply do not want to analyze anything right now, you can save the capture from the interface and look at it later.
To do this, go to the File menu and go to Save As option.
But that’s not all: the Wireshark wiki contains sample captures that you can use for learning. Download one and open it from the File menu.
Filter captured packets
Wireshark can capture many packets in a very short time. For that reason, the program incorporates the option to filter them by protocols or by a keyword.
So, you just need to type the keyword you want to filter by into the filter bar. In my case, I typed dns to show only the requests made over the DNS protocol.
So, you will not miss anything in your network.
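To make concrete what a saved capture file actually contains and what a display filter does with it, here is an added Python example; it is not code from the original post or from the Wireshark project. It writes a two-frame pcap file of the kind Wireshark saves and opens, reads it back, dissects each frame into Wireshark-style field names (ip.src, udp.dstport, dns.qry.name and so on), and applies the equivalent of the dns filter used above. Every MAC address, IP address, port and query name in it is constructed sample data; the pcap layout and the IPv4 header checksum follow the public file format and RFC 1071.

```python
"""Write a tiny pcap capture, read it back, and apply a Wireshark-style display filter."""
import os
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap magic, little-endian, microsecond timestamps
ETH_HDR = bytes.fromhex("001122334455" "66778899aabb") + b"\x08\x00"  # constructed MACs + IPv4

def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum of an IPv4 header; returns 0 for a valid header."""
    total = sum(struct.unpack(">%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options) with a correct checksum, followed by the payload."""
    hdr = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr[:10] + struct.pack(">H", ip_checksum(hdr)) + hdr[12:] + payload

def dns_query_frame() -> bytes:
    """Constructed UDP/53 A query for example.com; Wireshark would label this frame DNS."""
    dns = struct.pack(">HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # id, RD flag, one question
    dns += b"\x07example\x03com\x00" + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN
    udp = struct.pack(">HHHH", 40000, 53, 8 + len(dns), 0) + dns  # UDP checksum 0 = absent
    return ETH_HDR + ipv4("192.168.1.10", "192.168.1.1", 17, udp)

def tcp_syn_frame() -> bytes:
    """Constructed TCP SYN to port 80 (TEST-NET address) for the filter to drop."""
    tcp = struct.pack(">HHIIBBHHH", 50000, 80, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)
    return ETH_HDR + ipv4("192.168.1.10", "192.0.2.1", 6, tcp)

def write_pcap(path: str, frames) -> None:
    """Write (timestamp, frame) pairs as a pcap file that Wireshark opens via File > Open."""
    with open(path, "wb") as f:
        # global header: magic, version 2.4, tz offset, sigfigs, snaplen, link type 1 = Ethernet
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1))
        for ts, frame in frames:
            sec, usec = int(ts), int((ts - int(ts)) * 1_000_000)
            f.write(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)

def read_pcap(path: str):
    """Yield (timestamp, frame) records; rejects anything that is not classic pcap."""
    with open(path, "rb") as f:
        data = f.read()
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig_len = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield sec + usec / 1e6, data[off:off + incl]
        off += incl

def qname(dns: bytes, off: int = 12) -> str:
    """Decode the uncompressed QNAME labels of the first question."""
    labels = []
    while (n := dns[off]):
        labels.append(dns[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels)

def dissect(frame: bytes) -> dict:
    """Return Wireshark-style field names for Ethernet/IPv4/UDP|TCP, plus DNS on port 53."""
    info = {"eth.type": struct.unpack(">H", frame[12:14])[0]}
    if info["eth.type"] != 0x0800:
        return info
    ip = frame[14:]
    l4 = ip[(ip[0] & 0x0F) * 4:]  # skip the IPv4 header, honouring IHL
    info["ip.src"] = ".".join(map(str, ip[12:16]))
    info["ip.dst"] = ".".join(map(str, ip[16:20]))
    if ip[9] == 17:
        info["udp.srcport"], info["udp.dstport"] = struct.unpack(">HH", l4[:4])
        if 53 in (info["udp.srcport"], info["udp.dstport"]):
            info["dns.id"] = struct.unpack(">H", l4[8:10])[0]
            info["dns.qry.name"] = qname(l4[8:])
    elif ip[9] == 6:
        info["tcp.srcport"], info["tcp.dstport"] = struct.unpack(">HH", l4[:4])
        info["tcp.flags.syn"] = bool(l4[13] & 0x02)
    return info

def display_filter(packets, predicate):
    """Keep the packets whose fields satisfy the predicate, as the filter bar does."""
    return [p for p in packets if predicate(p)]

def demo(path: str = None):
    """Save a two-frame capture, reopen it, apply the 'dns' filter; returns (all, dns_only)."""
    path = path or os.path.join(tempfile.mkdtemp(), "sample.pcap")
    write_pcap(path, [(1700000000.5, dns_query_frame()), (1700000000.75, tcp_syn_frame())])
    packets = [dissect(frame) for _ts, frame in read_pcap(path)]
    return packets, display_filter(packets, lambda p: "dns.id" in p)

if __name__ == "__main__":
    everything, dns_only = demo()
    print(len(everything), "packets in capture,", len(dns_only), "match the filter dns:", dns_only)
```

Run it with a path of your choice (demo("sample.pcap")) and open the resulting file in Wireshark: you will see the same two frames, and typing dns in the filter bar keeps exactly the one that the predicate in demo() keeps. The field names were chosen to match Wireshark's own, so the lambda can be read the same way as the display filter expression.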
Using Wireshark to analyze a packet
Now it’s time to analyze a packet, to learn more about it. This is one of the basic functions of Wireshark and what it is made for. It’s really simple.
Select a packet and at the bottom, you will see the details about it.
You can also create a filter from the selected packet.
Or you can follow the TCP conversation between the client and the server. Select the packet and go to the Analyze menu, next go to Follow and finally click on the TCP Stream option. You will see something like this.
So, that’s it.
Wireshark is a program with incredible power. This post will only introduce you to the world of network interface monitoring.
Please share this article with your friends.