Introduction to Wireshark
Wireshark is a network protocol analyser: it captures the traffic passing through a network interface and decodes it packet by packet. It is the most widely used tool of its kind today, and it is valued equally by system administrators, network engineers, network enthusiasts, security professionals and attackers. Its popularity is such that experience with Wireshark is considered a valuable, often essential, skill for anyone working in computer networking.
There are many reasons why Wireshark is so popular:
- It has a capable GUI as well as a conventional command-line counterpart (TShark).
- It can capture on almost all common link types (Ethernet, WLAN, Bluetooth, etc.).
- It is open source with a large community of users and developers.
- Everything needed to capture, analyse and document network traffic is present in one tool.
- It is free to use.
History of Wireshark
Wireshark began as a tool for examining network packets closely. Gerald Combs started the project in 1997 under the name Ethereal, and the first public release, version 0.2.0, appeared in July 1998. Supported by a growing developer community, it grew rapidly, was renamed Wireshark in 2006, and reached version 1.0 in 2008, almost two years after the rename.
Installing Wireshark
- On Windows you can do a normal installation or run Wireshark as a portable app. Download the installer or the portable package from the official Wireshark Downloads page only, and compare the file against the checksums the project publishes there before running it.
- Run the executable and follow the on-screen instructions to complete the installation.
- On Linux, install through your distribution's package manager; see its manual for the exact syntax. Most Debian-based distributions ship apt (Advanced Package Tool), and the Fedora family ships dnf (yum on older releases).
The command follows the pattern
> sudo <package manager> install wireshark
Do not run the Wireshark GUI as root. Wireshark hands the actual capturing to a small helper program, dumpcap, so only that helper needs capture privileges. The Debian and Ubuntu packages ask during installation whether non-superusers should be allowed to capture; answer yes and add your user to the wireshark group (log out and back in afterwards) instead of starting Wireshark with sudo.
- You can also opt for a security-focused Linux distribution that ships Wireshark pre-installed, such as Kali Linux.
On launching Wireshark, you will see a screen like this:
(insert a picture here)
The basic features of Wireshark are:
- Packet panes: the main window shows the captured packets live, colour-coded by protocol (the colouring rules can be edited). The packet list pane gives one line per packet, the packet details pane shows the decoded protocol fields, and the packet bytes pane shows the raw bytes. Between them they show:
1. Source address
2. Destination address
3. Protocol (the highest-layer protocol Wireshark could decode) with a one-line summary
4. Source port (if applicable)
5. Destination port (if applicable)
6. Hex dump of the raw bytes
7. The same bytes rendered as text, with non-printable bytes shown as dots
- Import from a capture file:
This feature lets you open a packet dump saved by another tool and analyse it in Wireshark. Wireshark recognises the format from the file's contents rather than its extension, so no conversion is needed. Among the many supported formats are:
- Oracle snoop and atmsnoop
- Finisar (previously Shomiti) Surveyor captures
- Microsoft Network Monitor captures
- Novell LANalyzer captures
- AIX iptrace captures
- Cinco Networks NetXray captures
- Network Associates Windows-based Sniffer and Sniffer Pro captures
- Network General/Network Associates DOS-based Sniffer (compressed or uncompressed) captures
- AG Group/WildPackets/Savvius EtherPeek/TokenPeek/AiroPeek/EtherHelp/PacketGrabber captures
- RADCOM’s WAN/LAN Analyzer captures
- Network Instruments Observer version 9 captures
- Lucent/Ascend router debug output
- HP-UX’s nettl
- Toshiba’s ISDN routers dump output
- ISDN4BSD i4btrace utility
- Traces from the EyeSDN USB S0
- IPLog format from the Cisco Secure Intrusion Detection System
- pppd logs (pppdump format)
- the output from VMS’s TCPIPtrace/TCPtrace/UCX$TRACE utilities
- the text output from the DBS Etherwatch VMS utility
- Visual Networks’ Visual UpTime traffic capture
- the output from CoSine L2 debug
- the output from Accellent’s 5Views LAN agents
- Endace Measurement Systems’ ERF format captures
- Linux Bluez Bluetooth stack hcidump -w traces
- Catapult DCT2000 .out files
- Gammu generated text output from Nokia DCT3 phones in Netmonitor mode
- IBM Series (OS/400) Comm traces (ASCII & UNICODE)
- Juniper Netscreen snoop captures
- Symbian OS btsnoop captures
- Tamosoft CommView captures
- Tektronix K12xx 32-bit .rf5 format captures
- Tektronix K12 text file format captures
- Apple PacketLogger captures
- Captures from Aethra Telecommunications’ PC108 software
- Export to a capture file: Wireshark lets you save the results as a capture file to continue working on them at later point of time. The supported formats are:
- pcapng (*.pcapng)
- libpcap, tcpdump and various other tools using tcpdump’s capture format (*.pcap, *.cap, *.dmp)
- Accellent 5Views (*.5vw)
- HP-UX’s nettl (*.TRC0, *.TRC1)
- Microsoft Network Monitor – NetMon (*.cap)
- Network Associates Sniffer – DOS (*.cap, *.enc, *.trc, *.fdc, *.syc)
- Network Associates Sniffer – Windows (*.cap)
- Network Instruments Observer version 9 (*.bfr)
- Novell LANalyzer (*.tr1)
- Oracle (previously Sun) snoop (*.snoop, *.cap)
- Visual Networks Visual UpTime traffic (*.*).
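The panes and file formats described above become concrete if you build a capture file by hand. The Python below is an added example written for this page, not code from Wireshark or tcpdump. It constructs a sample Ethernet/IPv4/UDP frame (the MAC addresses, IP addresses, ports and payload are made up), writes it as a libpcap file in either byte order, detects the file type from its magic bytes the way Wireshark does when opening a file, reads it back, and produces the fields the packet list shows (source, destination, protocol, ports) together with a hex dump in the layout of the packet bytes pane. It parses only the libpcap format with the Ethernet link type; pcapng is recognised but not parsed.

```python
import socket
import struct

LINKTYPE_ETHERNET = 1
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"  # pcapng Section Header Block type; recognised, not parsed here
# libpcap magic as it appears on disk -> (struct byte-order prefix, timestamp fraction divisor)
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 1_000_000),      # little-endian, microseconds
    b"\xa1\xb2\xc3\xd4": (">", 1_000_000),      # big-endian, microseconds
    b"\x4d\x3c\xb2\xa1": ("<", 1_000_000_000),  # little-endian, nanoseconds
    b"\xa1\xb2\x3c\x4d": (">", 1_000_000_000),  # big-endian, nanoseconds
}


def identify(data: bytes) -> str:
    """Classify a capture file by its first four bytes, as Wireshark does on import."""
    head = data[:4]
    if head == PCAPNG_MAGIC:
        return "pcapng"
    return "pcap" if head in PCAP_MAGICS else "unknown"


def ip_checksum(header: bytes) -> int:
    """RFC 791 ones'-complement checksum; returns 0 for a header whose checksum field is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_udp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IPv4/UDP frame used as sample input (not captured traffic)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload  # UDP checksum 0 = omitted
    ip_fields = [0x45, 0, 20 + len(udp), 0x1234, 0x4000, 64, 17, 0,
                 socket.inet_aton(src_ip), socket.inet_aton(dst_ip)]
    ip_fields[7] = ip_checksum(struct.pack("!BBHHHBBH4s4s", *ip_fields))
    ip = struct.pack("!BBHHHBBH4s4s", *ip_fields)
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    return eth + struct.pack("!H", 0x0800) + ip + udp


def write_pcap(frames, endian="<", snaplen=65535) -> bytes:
    """Serialise (ts_sec, ts_usec, frame) tuples as a libpcap 2.4 file with the Ethernet link type."""
    out = [struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for sec, usec, frame in frames:
        out.append(struct.pack(endian + "IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def read_pcap(data: bytes):
    """Parse a libpcap file of either byte order; returns [(timestamp, frame_bytes), ...]."""
    if identify(data) != "pcap":
        raise ValueError("not a libpcap file: " + identify(data))
    endian, divisor = PCAP_MAGICS[data[:4]]
    _, _, _, _, _, snaplen, linktype = struct.unpack_from(endian + "IHHiIII", data, 0)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("this example decodes Ethernet (linktype 1) only")
    records, off = [], 24
    while off + 16 <= len(data):
        sec, frac, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        # A capture file is untrusted input: the per-record length must fit both snaplen and the file.
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError("corrupt or truncated record at offset %d" % (off - 16))
        records.append((sec + frac / divisor, data[off:off + incl_len]))
        off += incl_len
    return records


def summarize(frame: bytes) -> dict:
    """The fields the packet list pane shows: addresses, protocol and ports (Ethernet/IPv4 only)."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"eth_src": src_mac.hex(":"), "eth_dst": dst_mac.hex(":"), "protocol": "0x%04x" % ethertype}
    if ethertype != 0x0800 or len(frame) < 34:
        return info
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    proto = frame[23]                     # IPv4 protocol field (offset 9 inside the IP header)
    info.update(src=socket.inet_ntoa(frame[26:30]), dst=socket.inet_ntoa(frame[30:34]),
                protocol={1: "ICMP", 6: "TCP", 17: "UDP"}.get(proto, str(proto)))
    if proto in (6, 17) and len(frame) >= 14 + ihl + 4:
        info["sport"], info["dport"] = struct.unpack_from("!HH", frame, 14 + ihl)
    return info


def hexdump(data: bytes, width: int = 16) -> str:
    """Offset / hex / ASCII view in the layout of the packet bytes pane."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join("%02x" % b for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("%04x  %-*s  %s" % (off, width * 3 - 1, hexpart, text))
    return "\n".join(lines)


if __name__ == "__main__":
    frame = build_udp_frame("02:00:00:00:00:01", "02:00:00:00:00:02",
                            "192.0.2.10", "198.51.100.53", 40000, 53, b"constructed payload")
    capture = write_pcap([(1_700_000_000, 250_000, frame)])
    with open("example.pcap", "wb") as fh:  # open this file in Wireshark to compare the panes
        fh.write(capture)
    for ts, pkt in read_pcap(capture):
        print(ts, summarize(pkt))
        print(hexdump(pkt))
```

Running the script writes example.pcap in the current directory; open it in Wireshark and compare the list, details and bytes panes with what the script prints. The length check in read_pcap is the part worth remembering: a capture file from someone else is untrusted input, and a reader that trusts the per-record length field can be made to read past the end of the data.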
As a beginner, focus on familiarising yourself with the Wireshark UI and the basics; the format lists above are only for reference, and you do not need to do anything with them yet.
With these basics done you can start playing around with the tool. Launch Wireshark and select an interface; pick one that is currently carrying traffic, which you can tell from the small line graph (sparkline) shown next to the interface name. Click the blue shark-fin icon to start capturing and the red square to stop. Save the result as a capture file (pcapng is the default format) so you can come back to it later, and exit when you are done looking at the traffic. This concludes the fundamentals.