
Wireshark – Packet Capturing and Analyzing

Prerequisite: Introduction to Wireshark 

This article will introduce the methods of packet capturing and analyzing. It will also introduce some advanced tools that are used for increasing efficiency during capture and analysis. 



Why sniff around? 

If you have prior experience with securing systems, you already know that the importance of reconnaissance cannot be overstated; if you are new, just know that it is very important. Packet sniffing is an essential form of network reconnaissance as well as monitoring, and it is equally useful for students and IT professionals.



Wireshark captures the data coming into or going out of the NICs on its device by using an underlying packet capture library. By default, Wireshark captures on-device data only, but it can capture almost all the data on its LAN if run in promiscuous mode. Currently, Wireshark uses the Nmap project's packet capture library (called Npcap).

Getting Up and Running: After installation, launch Wireshark, approve the administrator or superuser privileges, and you will be presented with a window that looks like this:

 

This window lists the interfaces on your device. To start sniffing, select one interface and click the blue shark-fin icon at the top left. The capture screen has three panes: the top pane shows real-time traffic, the middle one shows decoded information about the selected packet, and the bottom pane shows the raw packet bytes. For each packet, the top pane shows the source address (IPv4 or IPv6), the destination address, the source and destination ports, the protocol the packet belongs to, and additional information about the packet.

 

Since many packets go in and out every second, looking at all of them or searching for one type of packet would be tedious. This is why packet filters are provided. Packets can be filtered on many parameters such as IP address, port number or protocol, either at capture level or at display level. Obviously, a display-level filter does not affect which packets are captured.

Some of the general capture filters are: 

 

There are some more basic filters, and they can be combined very creatively. Another class of filters, display filters, is used to create abstraction over the captured data. These basic examples should give an idea of their syntax:
 

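To make the capture-level versus display-level distinction concrete, here is an added example (not code from the article or from the Wireshark project) that builds a small constructed pcap in memory, applies a capture filter on the raw bytes before anything is written (the way a BPF filter drops frames before Wireshark ever stores them), decodes each record into the fields the top pane shows, and then applies a display filter on the decoded fields. All function names and sample addresses are constructed for this example.

```python
import struct
from ipaddress import IPv4Address

# Protocol numbers in the IPv4 header; anything else is shown numerically.
PROTO_NAMES = {6: "TCP", 17: "UDP"}

def ipv4_frame(src, dst, proto, sport, dport):
    """Constructed Ethernet II + IPv4 + bare TCP/UDP header (checksums left at 0)."""
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 0, 0, 0)  # TCP SYN
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)  # UDP, length 8, no payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return b"\x00" * 6 + b"\x11" * 6 + b"\x08\x00" + ip + l4

def build_pcap(frames, capture_filter=lambda raw: True):
    """Write a libpcap file (LINKTYPE_ETHERNET = 1). The capture filter sees raw
    bytes and decides before anything is written, like a BPF filter at capture time."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in enumerate(frames):
        if capture_filter(frame):
            out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def parse_pcap(data):
    """One summary per record: the fields Wireshark's top pane shows."""
    assert struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4, "not little-endian pcap"
    off, pkts = 24, []
    while off + 16 <= len(data):
        _, _, caplen, _ = struct.unpack("<IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00":
            continue  # only IPv4 over Ethernet is decoded in this example
        ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
        ports = struct.unpack("!HH", frame[14 + ihl:18 + ihl]) if proto in PROTO_NAMES else (None, None)
        pkts.append({"src": str(IPv4Address(frame[26:30])), "dst": str(IPv4Address(frame[30:34])),
                     "proto": PROTO_NAMES.get(proto, str(proto)), "sport": ports[0], "dport": ports[1]})
    return pkts

def display_filter(pkts, **wanted):
    """Post-capture filtering on decoded fields, e.g. dport=443 is like 'tcp.dstport == 443'."""
    return [p for p in pkts if all(p[k] == v for k, v in wanted.items())]

# Constructed traffic: one TLS connection start (TCP/443) and one DNS query (UDP/53).
FRAMES = [ipv4_frame("10.0.0.5", "203.0.113.10", 6, 51000, 443),
          ipv4_frame("10.0.0.5", "10.0.0.1", 17, 53000, 53)]
ALL_PCAP = build_pcap(FRAMES)                                 # no capture filter: both kept
TCP_ONLY_PCAP = build_pcap(FRAMES, lambda raw: raw[23] == 6)  # like the BPF filter "tcp"
```

Running `display_filter(parse_pcap(ALL_PCAP), dport=53)` returns the DNS packet, whereas `parse_pcap(TCP_ONLY_PCAP)` never contains it, because the capture filter discarded it before it was written.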
There is also a concept of coloring rules: each protocol, port or other element is given a unique color so that it is easy to spot during quick analysis. More details on coloring rules are available here.

Plugins are extra pieces of code that can be embedded into native Wireshark. Plugins help in analysis by:

 

With just the basic capability to see all the traffic going through your device or your LAN, plus the tools and plugins that help with analysis, you can do a great deal with your device, for example:
 

 
