Introduction to Wireshark

Wireshark is a software tool used to monitor the network traffic passing through a network interface. It is the most widely used network monitoring tool today. Wireshark is used equally by system administrators, network engineers, network enthusiasts, network security professionals and black hat hackers. Its popularity is such that experience with Wireshark is considered a valuable, even essential, skill for a computer networking professional.
There are many reasons why Wireshark is so popular:

  1. It has a great GUI as well as a conventional CLI (TShark).
  2. It offers network monitoring on almost all types of network standards (Ethernet, WLAN, Bluetooth, etc.).
  3. It is open source with a large community of backers and developers.
  4. All the necessary components for monitoring, analysing and documenting the network traffic are present.
  5. It is free to use.

History of Wireshark
Wireshark was started with the intention of developing a tool for closely analysing network packets. It was started by Gerald Combs in 1997. Its initial name was Ethereal. It was initially released in July 1998 as version 0.2.0. Due to the support it got from the developer community, it grew rapidly and was released as version 1.0 in 2008, almost two years after it was renamed to Wireshark.

Wireshark installation:
Windows:

  • You can do a proper installation or run Wireshark as a portable app on your Windows system. To download the installation executable or the portable app, go to the Wireshark Downloads page.
  • Run the executable and follow the on-screen instructions to complete the installation.

On Linux:

  • Install using your package manager. See the manual for your package manager for correct syntax.
    Most Debian-based Linux distributions have the apt (Advanced Packaging Tool) package manager pre-installed. Similarly, the Fedora family of distributions has the yum package manager pre-installed.
    The generic command is

    <package-manager-name> install wireshark


  • You can opt for a security based Linux OS that has Wireshark pre-installed, like Kali Linux.

On launching Wireshark, you will see a screen like this:
(insert a picture here)

The basic features of Wireshark are:

  1. Packet Monitor: This segment visually shows the packets flowing inside the network. There are colour codes for each packet type. The packets are shown with the following information:
    1. Source address
    2. Destination address
    3. Packet type
    4. Hex dump of the packet
    5. Contents of the packet in text
    6. Source port(if applicable)
    7. Destination port(if applicable)
  2. Import from a capture file:
    This feature lets you import a packet dump from a capture file to analyse it further. Wireshark supports many formats, some of which are:

    • pcapng
    • libpcap
    • Oracle snoop and atmsnoop
    • Finisar (previously Shomiti) Surveyor captures
    • Microsoft Network Monitor captures
    • Novell LANalyzer captures
    • AIX iptrace captures
    • Cinco Networks NetXray captures
    • Network Associates Windows-based Sniffer and Sniffer Pro captures
    • Network General/Network Associates DOS-based Sniffer (compressed or uncompressed) captures
    • AG Group/WildPackets/Savvius EtherPeek/TokenPeek/AiroPeek/EtherHelp/PacketGrabber captures
    • RADCOM’s WAN/LAN Analyzer captures
    • Network Instruments Observer version 9 captures
    • Lucent/Ascend router debug output
    • HP-UX’s nettl
    • Toshiba’s ISDN routers dump output
    • ISDN4BSD i4btrace utility
    • Traces from the EyeSDN USB S0
    • IPLog format from the Cisco Secure Intrusion Detection System
    • pppd logs (pppdump format)
    • the output from VMS’s TCPIPtrace/TCPtrace/UCX$TRACE utilities
    • the text output from the DBS Etherwatch VMS utility
    • Visual Networks’ Visual UpTime traffic capture
    • the output from CoSine L2 debug
    • the output from Accellent’s 5Views LAN agents
    • Endace Measurement Systems’ ERF format captures
    • Linux Bluez Bluetooth stack hcidump -w traces
    • Catapult DCT2000 .out files
    • Gammu generated text output from Nokia DCT3 phones in Netmonitor mode
    • IBM Series (OS/400) Comm traces (ASCII & UNICODE)
    • Juniper Netscreen snoop captures
    • Symbian OS btsnoop captures
    • Tamosoft CommView captures
    • Tektronix K12xx 32-bit .rf5 format captures
    • Tektronix K12 text file format captures
    • Apple PacketLogger captures
    • Captures from Aethra Telecommunications’ PC108 software
  3. Export to a capture file: Wireshark lets you save the results as a capture file so you can continue working on them at a later point in time. The supported formats are:
    • pcapng (*.pcapng)
    • libpcap, tcpdump and various other tools using tcpdump’s capture format (*.pcap, *.cap, *.dmp)
    • Accellent 5Views (*.5vw)
    • HP-UX’s nettl (*.TRC0, *.TRC1)
    • Microsoft Network Monitor – NetMon (*.cap)
    • Network Associates Sniffer – DOS (*.cap, *.enc, *.trc, *fdc, *.syc)
    • Network Associates Sniffer – Windows (*.cap)
    • Network Instruments Observer version 9 (*.bfr)
    • Novell LANalyzer (*.tr1)
    • Oracle (previously Sun) snoop (*.snoop, *.cap)
    • Visual Networks Visual UpTime traffic (*.*).
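
The packet-list columns described above (source and destination address, packet type, ports) are decoded from the raw bytes of a capture. As an added example that is not part of the original article, the following script reads the libpcap (.pcap) format listed above and extracts those columns for Ethernet/IPv4 frames; the two sample packets are constructed inline, and the addresses, ports and MAC bytes are invented sample values.

```python
import struct

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

def parse_pcap(data):
    # libpcap magic 0xa1b2c3d4 as written by a little- or big-endian writer
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a libpcap file (pcapng uses a different magic)")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) is decoded here")
    off, records = 24, []                    # 24-byte global header, then records
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        records.append(summarize_frame(frame, ts_sec + ts_usec / 1e6))
    return records

def summarize_frame(frame, ts):
    """Decode Ethernet -> IPv4 -> TCP/UDP headers into Wireshark-style columns."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"time": ts, "src": None, "dst": None, "type": hex(ethertype),
            "sport": None, "dport": None}
    if ethertype != 0x0800 or len(frame) < 34:
        return info                          # not IPv4: only the EtherType is known
    ihl = (frame[14] & 0x0F) * 4             # IPv4 header length in bytes
    proto = frame[23]
    info["src"] = ".".join(map(str, frame[26:30]))
    info["dst"] = ".".join(map(str, frame[30:34]))
    info["type"] = PROTO_NAMES.get(proto, f"IP proto {proto}")
    l4 = 14 + ihl
    if proto in (6, 17) and len(frame) >= l4 + 4:
        info["sport"], info["dport"] = struct.unpack("!HH", frame[l4:l4 + 4])
    return info

def build_frame(src, dst, proto, sport, dport):
    # Constructed Ethernet/IPv4 frame with a stub 8-byte transport header (sample data only)
    l4 = struct.pack("!HHI", sport, dport, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + l4

def build_pcap(frames):
    # Constructed little-endian libpcap container: version 2.4, snaplen 65535, Ethernet
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out

SAMPLE = build_pcap([build_frame("192.0.2.10", "198.51.100.7", 6, 51234, 443),
                     build_frame("192.0.2.10", "192.0.2.1", 17, 53000, 53)])
```

Calling `parse_pcap(SAMPLE)` returns one dict per packet; pointing `parse_pcap` at the bytes of a real .pcap saved from Wireshark works the same way, as long as it was captured on an Ethernet interface.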

As a beginner, you should focus only on familiarising yourself with the basics of the Wireshark UI (the formats listed here are given only for a first glance; you do not have to do anything with them at this time).

With these basics done, you can now start playing around with the tool. Launch Wireshark, select an interface (pick one that is currently communicating, which you can verify by the zigzag activity graph shown next to the interface name) and click on the shark fin icon to start capturing packets. Save the result as a capture file and exit after you are done viewing the traffic. This concludes the fundamentals.
