Wireshark

Wireshark is the best network traffic analyzer and packet sniffer around. In this article, we will look at it in detail. Wireshark is a network analyzer that lets you see what’s happening on your network. It lets you dissect your network packets at a microscopic level, giving you in-depth. Wireshark is a GUI network protocol analyzer. It lets you interactively browse packet data from a live network or a previously saved capture file. It enables you to see what's happening on your network at a microscopic level. Wireshark is the world's foremost network protocol analyzer. It lets you see what's happening on your network at a microscopic level. It is the de facto (and often de jure) standard across many industries and educational institutions. Wireshark development thrives thanks to the contributions of networking experts across the globe. It is the continuation of a project that started in 1998.

Wireshark is a protocol analyzer used for software and protocol development, troubleshooting, analysis, and education. It helps users monitor their network traffic, find connection problems, and more.
Wireshark Definition. Wireshark is a multiplatform tool with a graphical interface for network analysis, a product of Ethereal’s evolution. It includes the Tshark tool in console mode for captures, network analysis, among other possibilities.

A network protocol analyzer is a combination of programming and hardware and in certain cases, a separate hardware device that can be installed in a network or computer in order to improve its security level against viruses and other types of malicious activities.

Choosing and implementing a network analyzer

When used as a corporate security tool, it's important to keep in mind that a NPA needs to be distributed since this is going to make it possible for it to cover all of the network's areas. On top of that, the NPA should also be capable of capturing and decoding all protocols from every type of media, including 802.11, WAN, Ethernet, etc) on which the corporate data flows.

It's essential that the NPA also supports flexible filtering that’s capable of allowing triggered notifications. After all, NPA will only be capable of capturing and decoding data it can actually understand. Therefore, if it's going to be used in a switched network environment, then it's only going to detect the traffic that’s local to the switch. A great network protocol analyzer to start with is WireShark.

Packet Sniffing Legalities

Packet sniffing, in the wrong context, is illegal and governed by multiple laws. For example, the Wiretap Act states, 'to intercept and monitor [communications] placed over their facilities in order to combat fraud and theft of service.'

Network Analyzers Reviews, Tips and Downloads

We offer reviews on the top software network analysis tools and services. Before purchasing or downloading any network analyzer or monitoring tool, we recommend an in-depth research for beginners that want to start learning about packet sniffing. Take the needed time to discover tools that are considered to be the foundation of network security utilities and our NPA FAQS section.

Learn to capture and interpret network information with Wireshark.

Wireshark is a GUI network protocol analyzer. It lets you interactively browse packet data from a live network or a previously saved capture file. It enables you to see what's happening on your network at a microscopic level.

TShark is a terminal-oriented version of Wireshark designed to capture and display packets when an interactive user interface isn't necessary or available. It supports the same options as Wireshark. On its website, Wireshark describes its rich feature set as including the following:

Deep inspection of hundreds of protocols, with more being added all the time
Live capture and offline analysis
Multi-platform: Runs on Windows, Linux, macOS, Solaris, FreeBSD, NetBSD, and many others
The most powerful display filters in the industry
Rich VoIP analysis
Read/write many different capture file formats: tcpdump (libpcap), Pcap NG, Cisco Secure IDS iplog, Microsoft Network Monitor, and many others
Capture files compressed with gzip can be decompressed on the fly
Live data can be read from Ethernet, IEEE 802.11, Bluetooth, USB, and others (depending on your platform)
Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2
Coloring rules can be applied to the packet list for quick, intuitive analysis
Output can be exported to XML, PostScript, CSV, or plain text

More Linux resources

Installation

Wireshark can be installed with the standard simple commands.

On Red Hat Enterprise Linux (RHEL) 7:

On Red Hat Enterprise Linux (RHEL) 8:

Use cases

Without any options set, TShark works much like tcpdump. It uses the pcap library to capture traffic from the first available network interface and displays a summary line on each received packet's standard output.

Before we start any capture, we need define to which interfaces on our server TShark can use. You may need to use sudo or root access in this case.

[ You might also like: My 5 favorite Linux sysadmin tools ]

To get this information, you will need to run the command below:

A sample output is below:

If we wanted to capture traffic on eth0, we could call it with this command:

Sample output:

The packets above are denoted by numbers at the beginning of the line.

These lines include two IP addresses on either side of an arrow—these are the hosts that are exchanging the packet. The arrow's direction indicates which direction the packet is going. Therefore, 41.242.139.31 -> 207.180.200.5 means the packet originated at host 41.242.139.31, which is my computer, and is headed for destination 207.180.200.5, which is the remote server where TShark is installed. My computer is trying to connect to this server, so it's going through the TCP handshake.

Here is a basic explanation of how TShark works: It captures all traffic that is initiated to and from the server where it's installed. With the power of TShark's filtering, we can display the traffic we are interested in.

Analyze Lua With Wireshark

We can also limit the output of the capture to specific lines. For example, if we want to limit the output to 10 lines, we will use the command below:

Capture traffic to and from one host

We can filter out traffic coming from a specific host. For example, to find traffic coming from and going to 8.8.8.8, we use the command:

For traffic coming from 8.8.8.8:

For traffic going to 8.8.8.8:

Sample output:

In the above output, we see traffic coming from and going to 8.8.8.8. The host 8.8.8.8 is giving responses to the server 207.180.229.97 about queries it has initiated earlier.

Capture traffic to and from a network

We can also capture traffic to and a specific network. To do this, we use the command below:

We can also filter based on source or destination.

Based on the source (traffic coming from):

Based on the destination (traffic going to):

Capture traffic to and from port numbers

Here are many other variations.

Capture only DNS port 53 traffic:

For a specific host:

Capture only HTTPS traffic:

Capture all ports except port 80 and 25:

Wireshark Oui Lookup

Saving output to a file

We can save the output of our capture to a file to be read later. Later versions of Wireshark save the output in the pcapng by default. However, we can save in other formats as well. To check the supported format, run the command below:

Wireshark Ip

To save the output, we use the -w switch. Using the -w switch provides raw packet data, not text. If you want text output, you need to redirect stdout (e.g., using >). Don't use the -w option for this.

To save a capture to a file name http_capture.pcapng:

We can save in pcap format, which can be read by tcpdump and older versions of Wireshark:

[ Want to learn more about security? Check out the IT security and compliance checklist. ]

Wireshark Coloring Rules

Wrap up

Wireshark Mac

TShark is a comprehensive tool that sysadmins need to add to their toolset. This is part one of a two-part series. In part two, we will look at more advanced filters and how we can make the output more readable.