
Statistics Menu Functions in Wireshark

Wireshark is a free, open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications-protocol development, and education. Because of trademark problems, the project was renamed Wireshark in May 2006.

Wireshark is cross-platform: current versions implement the user interface with the Qt widget toolkit and capture packets with pcap. It runs on Linux, macOS, BSD, Solaris, some other Unix-like operating systems, and Microsoft Windows. TShark, a terminal-based (non-GUI) version, is also available. Wireshark and the additional programs bundled with it, such as TShark, are free software licensed under the GNU General Public License version 2 or later.

Its statistical tools are one of Wireshark’s strengths. Wireshark offers a range of them, from basic views that list endpoints and conversations to more advanced ones such as flow graphs and I/O graphs.

In this article, we’ll look at some of Wireshark’s fundamental capabilities that give us basic network statistics: who communicates with whom on the network, which devices are talkative, what packet sizes are sent across the network, and so on.

Conversations

Traffic between two particular endpoints is referred to as a network conversation. For instance, any traffic between two IP addresses is an IP conversation. 

The Conversations window is similar to the Endpoints window. In addition to the address, packet-count and byte-count columns, the Conversations window adds four more: the start time (“Rel Start” or “Abs Start”), the duration of the conversation in seconds, and the average bits (not bytes) per second in each direction. A timeline graph is also drawn across the “Rel Start”/“Abs Start” and “Duration” columns.

Endpoints

A network endpoint is the logical endpoint of traffic at a particular protocol layer. This window shows a tab for each supported protocol. Each tab’s label indicates how many endpoints were collected (for example, the tab label “Ethernet 4” tells you that four Ethernet endpoints were recorded). If no endpoints of a particular protocol were recorded, the tab label is greyed out, but you can still select the corresponding page.
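To make the two tables above concrete, here is an added example (not Wireshark’s own code) that computes an IP conversation table and an IP endpoint table from a constructed list of packets. The addresses, timestamps and lengths are hypothetical sample data. It shows how “Rel Start”, “Duration” and the per-direction bits-per-second columns are derived, and why a single-packet conversation has no rate (Wireshark shows N/A there).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float      # absolute capture timestamp in seconds
    src: str       # source IP address
    dst: str       # destination IP address
    length: int    # frame length in bytes


# Constructed sample traffic (hypothetical addresses, not a real capture):
# an exchange between 10.0.0.1 and 10.0.0.2, and one between 10.0.0.1 and 10.0.0.3.
PACKETS = [
    Packet(1000.00, "10.0.0.1", "10.0.0.2", 100),
    Packet(1000.25, "10.0.0.1", "10.0.0.3", 60),
    Packet(1000.50, "10.0.0.2", "10.0.0.1", 1400),
    Packet(1001.00, "10.0.0.1", "10.0.0.2", 100),
    Packet(1002.00, "10.0.0.2", "10.0.0.1", 1400),
    Packet(1003.00, "10.0.0.3", "10.0.0.1", 60),
]


def ip_conversations(packets):
    """Build an IP conversation table keyed by (Address A, Address B).

    Address A is the source of the first packet seen for the pair, so the
    A -> B direction is the direction of that first packet, as in Wireshark.
    """
    ordered = sorted(packets, key=lambda p: p.ts)
    first_ts = ordered[0].ts          # capture start, the zero point of "Rel Start"
    convs = {}                        # frozenset({a, b}) -> row dict
    last_seen = {}                    # frozenset({a, b}) -> timestamp of last packet
    for p in ordered:
        key = frozenset((p.src, p.dst))   # direction-independent key
        row = convs.get(key)
        if row is None:
            row = convs[key] = {
                "address_a": p.src, "address_b": p.dst,
                "packets": 0, "bytes": 0,
                "packets_ab": 0, "bytes_ab": 0,
                "packets_ba": 0, "bytes_ba": 0,
                "abs_start": p.ts, "rel_start": p.ts - first_ts,
            }
        row["packets"] += 1
        row["bytes"] += p.length
        if p.src == row["address_a"]:
            row["packets_ab"] += 1
            row["bytes_ab"] += p.length
        else:
            row["packets_ba"] += 1
            row["bytes_ba"] += p.length
        last_seen[key] = p.ts
    table = {}
    for key, row in convs.items():
        duration = last_seen[key] - row["abs_start"]
        row["duration"] = duration
        # Rates are bits per second, not bytes. A single-packet conversation has
        # zero duration and therefore no meaningful rate (None here, N/A in Wireshark).
        row["bits_s_ab"] = row["bytes_ab"] * 8 / duration if duration > 0 else None
        row["bits_s_ba"] = row["bytes_ba"] * 8 / duration if duration > 0 else None
        table[(row["address_a"], row["address_b"])] = row
    return table


def ip_endpoints(packets):
    """Build an IP endpoint table keyed by address, with Tx and Rx split out."""
    table = {}
    for p in packets:
        for addr, direction in ((p.src, "tx"), (p.dst, "rx")):
            row = table.setdefault(addr, {
                "packets": 0, "bytes": 0,
                "tx_packets": 0, "tx_bytes": 0,
                "rx_packets": 0, "rx_bytes": 0,
            })
            row["packets"] += 1
            row["bytes"] += p.length
            row[direction + "_packets"] += 1
            row[direction + "_bytes"] += p.length
    return table


if __name__ == "__main__":
    for (a, b), row in ip_conversations(PACKETS).items():
        print(f"{a} <-> {b}: {row['packets']} pkts, {row['bytes']} bytes, "
              f"rel start {row['rel_start']:.2f}s, duration {row['duration']:.2f}s, "
              f"A->B {row['bits_s_ab']} bit/s, B->A {row['bits_s_ba']} bit/s")
    for addr, row in ip_endpoints(PACKETS).items():
        print(f"{addr}: {row}")
```

Running the script prints one line per conversation and one per endpoint; the 10.0.0.1 to 10.0.0.2 conversation, for instance, lasts 2 s and carries 2800 bytes in the B to A direction, which is why its B to A rate is 11200 bit/s.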

Protocol Hierarchy

This tree shows all the protocols found in the capture. Each row contains the statistics for one protocol. Two columns, Percent Packets and Percent Bytes, also serve as bar graphs. If a display filter has been applied, it is shown at the bottom of the window.

You may copy the contents of the window as CSV or YAML using the Copy button.

IO Graphs

This window provides several options for plotting packet and protocol data. It has a chart-drawing area and a list of graphs that can be customised. Graphs are stored in your current profile. Packets are grouped into time intervals whose size can be adjusted. Hovering over the graph shows the last packet in each interval, with a few exceptions. Clicking on the graph takes you to the corresponding packet in the packet list.
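The following added example (not Wireshark’s own code) shows how the Protocol Hierarchy percentages and the per-interval counts behind an I/O graph are computed. It works on a constructed list of frames, each with its dissected protocol stack and length; the stacks, timestamps and sizes are hypothetical. Note how every frame is counted once at each node of its protocol path, so the link-layer row always reaches 100%, and how the I/O graph keeps empty intervals so the plot shows gaps in traffic rather than skipping them.

```python
import math

# Constructed sample frames (not a real capture):
# (timestamp in seconds, protocol stack from the link layer up, frame length in bytes)
FRAMES = [
    (0.0, ["eth", "ip", "tcp", "http"], 500),
    (0.4, ["eth", "ip", "tcp"], 60),
    (1.2, ["eth", "ip", "udp", "dns"], 80),
    (1.9, ["eth", "ip", "udp", "dns"], 120),
    (2.5, ["eth", "arp"], 42),
    (3.1, ["eth", "ip", "tcp", "tls"], 1200),
]


def protocol_hierarchy(frames):
    """Return a dict mapping a protocol path to packet/byte counts and percentages.

    Each frame is counted once at every node on its path (eth, eth/ip, eth/ip/tcp, ...),
    and percentages are relative to the whole capture, as in the Protocol Hierarchy
    window where Percent Packets and Percent Bytes double as bar graphs.
    """
    total_packets = len(frames)
    total_bytes = sum(length for _, _, length in frames)
    nodes = {}
    for _, layers, length in frames:
        for depth in range(1, len(layers) + 1):
            path = "/".join(layers[:depth])
            node = nodes.setdefault(path, {"packets": 0, "bytes": 0})
            node["packets"] += 1
            node["bytes"] += length
    for node in nodes.values():
        node["percent_packets"] = 100.0 * node["packets"] / total_packets
        node["percent_bytes"] = 100.0 * node["bytes"] / total_bytes
    return nodes


def io_graph(frames, interval=1.0):
    """Bucket frames into fixed-size time intervals measured from the first frame.

    Returns one {start, packets, bytes} entry per interval, including intervals
    with no traffic, which is what a packets-per-interval I/O graph plots.
    """
    if not frames:
        return []
    first_ts = min(ts for ts, _, _ in frames)
    buckets = {}
    for ts, _, length in frames:
        index = math.floor((ts - first_ts) / interval)
        b = buckets.setdefault(index, {"packets": 0, "bytes": 0})
        b["packets"] += 1
        b["bytes"] += length
    points = []
    for i in range(max(buckets) + 1):
        b = buckets.get(i, {"packets": 0, "bytes": 0})
        points.append({"start": first_ts + i * interval,
                       "packets": b["packets"], "bytes": b["bytes"]})
    return points


if __name__ == "__main__":
    for path, node in sorted(protocol_hierarchy(FRAMES).items()):
        indent = "  " * path.count("/")
        print(f"{indent}{path.rsplit('/', 1)[-1]:8} {node['packets']:3} pkts "
              f"({node['percent_packets']:5.1f}%)  {node['bytes']:5} bytes "
              f"({node['percent_bytes']:5.1f}%)")
    for point in io_graph(FRAMES, interval=1.0):
        print(f"t={point['start']:.1f}s  {point['packets']} pkts  {point['bytes']} bytes")
```

Changing the `interval` argument corresponds to changing the interval setting in the I/O Graphs window: with a 2 s interval the same frames collapse into two points instead of four.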

DHCP (BOOTP)

The Dynamic Host Configuration Protocol (DHCP) is built on the Bootstrap Protocol (BOOTP). It supplies DHCP clients with dynamically assigned IP addresses and other configuration options. The DHCP (BOOTP) Statistics window presents a table listing how often each type of DHCP message occurs. The data can be filtered, copied, or saved to a file.

Service Response Time

This window displays response-time statistics, along with the number of transactions, for each SMB2 opcode found in the capture file. Right-clicking on a row lets you apply or prepare a filter for, search for, or colourise a particular opcode. The response-time data can also be copied or saved in a number of formats.
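Service response time is measured by pairing each response with its request, which for SMB2 means matching on the MessageId. The added example below (not Wireshark’s dissector code) does that pairing over a constructed SMB2 message list with hypothetical timestamps, opcodes and IDs, and produces the per-opcode calls/min/max/avg figures the window shows. It also handles the two cases a real capture always contains: a request that is never answered (it contributes no transaction, but is worth listing separately, since unanswered calls often explain a slow or hanging client) and a response whose request was not captured.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Smb2Message:
    ts: float         # capture timestamp in seconds
    message_id: int   # SMB2 MessageId, shared by a request and its response
    opcode: str       # SMB2 command name, e.g. "Create", "Read", "Close"
    is_response: bool


# Constructed sample SMB2 session (hypothetical values, not a real capture).
MESSAGES = [
    Smb2Message(0.000, 1, "Create", False),
    Smb2Message(0.012, 1, "Create", True),
    Smb2Message(0.020, 2, "Read", False),
    Smb2Message(0.025, 3, "Read", False),
    Smb2Message(0.035, 2, "Read", True),     # several requests can be in flight at once
    Smb2Message(0.055, 3, "Read", True),
    Smb2Message(0.060, 4, "Close", False),   # request that is never answered
    Smb2Message(0.070, 9, "Close", True),    # response whose request was not captured
]


def service_response_times(messages):
    """Per-opcode response-time statistics, as in Statistics > Service Response Time.

    A response is paired with the pending request that carries the same MessageId
    and opcode; unanswered requests and orphan responses yield no transaction.
    """
    pending = {}   # message_id -> request still waiting for its response
    stats = {}     # opcode -> running calls/min/max/sum
    for m in sorted(messages, key=lambda m: m.ts):
        if not m.is_response:
            pending[m.message_id] = m
            continue
        req = pending.pop(m.message_id, None)
        if req is None or req.opcode != m.opcode:
            continue   # orphan response: nothing to measure
        rt = m.ts - req.ts
        s = stats.setdefault(m.opcode, {"calls": 0, "min": rt, "max": rt, "sum": 0.0})
        s["calls"] += 1
        s["min"] = min(s["min"], rt)
        s["max"] = max(s["max"], rt)
        s["sum"] += rt
    return {op: {"calls": s["calls"], "min": s["min"], "max": s["max"],
                 "avg": s["sum"] / s["calls"]}
            for op, s in stats.items()}


def unanswered_requests(messages):
    """Requests that never received a response, in capture order."""
    pending = {}
    for m in sorted(messages, key=lambda m: m.ts):
        if m.is_response:
            pending.pop(m.message_id, None)
        else:
            pending[m.message_id] = m
    return list(pending.values())


if __name__ == "__main__":
    for opcode, s in service_response_times(MESSAGES).items():
        print(f"{opcode:8} calls={s['calls']} min={s['min']*1000:.1f}ms "
              f"max={s['max']*1000:.1f}ms avg={s['avg']*1000:.1f}ms")
    for req in unanswered_requests(MESSAGES):
        print(f"unanswered: {req.opcode} MessageId={req.message_id} at t={req.ts:.3f}s")
```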

NetPerfMeter

The NetPerfMeter Protocol (NPMP) is the data-transfer and control protocol of NetPerfMeter, a tool for measuring the performance of transport protocols. It sends data streams over TCP, SCTP, UDP, and DCCP with configurable settings such as frame rate, frame size and saturation flows. These statistics enable you to:

Conclusion

In conclusion, Wireshark’s Statistics menu offers a variety of tools for evaluating and understanding the network traffic recorded in a packet capture file. Each function provides different figures and visualisations that help pinpoint particular traffic-related problems. Using these features, network administrators and analysts can troubleshoot and fix network issues quickly and effectively.
