Overview of Wireshark: A Packet Analyzing Tool

Wireshark is open-source packet-analysis software that lets you examine the packets moving through a network. It was first developed in 1998 by Gerald Combs under the name Ethereal. After Combs left his job, he unsuccessfully tried to reach an agreement with Ethereal to acquire the trademark, so in 2006 Combs and a development team rebranded the project as Wireshark. Wireshark is now one of the most popular packet analyzers around. This post looks at the benefits and uses of Wireshark and gives a quick overview of the software’s UI layout.

Why Use Wireshark?

Wireshark is one of the more popular packet analyzers around, and for good reason:

  • It is open source, released under the GNU General Public License, so you can read (and modify) the source code if you choose to.
  • It offers a command-line interface (CLI) in addition to a user-friendly GUI.
  • It supports all major operating systems.
  • It is actively developed.
  • It supports live, real-time traffic analysis as well as offline analysis of saved capture files.
  • It supports most major Internet protocols.

Uses of Wireshark

Wireshark serves several purposes. First, network administrators can use it to troubleshoot network problems. Second, network security engineers can use it to investigate security problems. Third, if you are a networking developer or engineer building a network application, Wireshark is a great debugging tool: if data isn’t going where it should, you can follow the packets to see which socket it is (or isn’t) reaching. Finally, developers in general can use Wireshark to gain a better understanding of how network programming works.

Getting Started

Download and Install Wireshark.

Breakdown of the User Interface

This post walks through the Wireshark GUI. If you prefer to use the command line, see the Wireshark CLI link under Resources.

The examples in the rest of this walkthrough are based on the http.cap file, which you can find in the Wireshark Sample Captures. Working with other capture files can be fun too: if your own network traffic isn’t that interesting, you can download capture files from the wiki page to study more interesting packet traffic, such as “packets using simple password authentication” or “overlapping IP fragments in a Teardrop attack.”

The Display Filter

The display filter lets you show only the packets you are interested in. For instance, to look only at HTTP traffic, I would type “http” into the display filter.

You may also click Expression (on the right). This opens the Display Filter Expression dialog, which lists all the display filter expressions available and lets you build your filters from them. (See Display Filter Resources for more information.)

The Packet List

  • No.: The number of the packet in the capture file (packets are listed in numerical order).
  • Time: The timestamp of the packet. The presentation format of this timestamp can be changed; see “Time display formats and time references.”
  • Source: The source address of the packet.
  • Destination: The destination address of the packet.
  • Protocol: The protocol name.
  • Length: The length of the packet.
  • Info: Additional information about the packet’s content.
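To make the display filter and the Packet List columns concrete, here is an added example (not code from this post or from the Wireshark project): a minimal pure-Python pcap reader that fills the No., Time, Source, Destination, Protocol, Length and Info columns for Ethernet/IPv4/TCP frames and applies a tiny subset of the display-filter language. It assumes a classic pcap file with Ethernet framing, supports only a bare protocol name or `tcp.port == N` as the filter, and builds its sample capture inline instead of reading http.cap.

```python
import struct

def pcap_frames(data):
    """Yield (timestamp, frame) from classic pcap bytes; link type assumed Ethernet."""
    e = "<" if struct.unpack_from("<I", data)[0] == 0xA1B2C3D4 else ">"  # either byte order
    off = 24                                           # skip the 24-byte global header
    while off + 16 <= len(data):                       # 16-byte record header per frame
        sec, usec, caplen, _ = struct.unpack_from(e + "IIII", data, off)
        yield sec + usec / 1e6, data[off + 16:off + 16 + caplen]
        off += 16 + caplen

def packet_row(no, t0, ts, frame):
    """Fill the Packet List columns; 'layers' and 'ports' are what the display filter tests."""
    row = dict(no=no, time=round(ts - t0, 6), length=len(frame), protocol="Ethernet",
               src="", dst="", info="", layers={"eth"}, ports=set())
    if frame[12:14] != b"\x08\x00":                    # EtherType 0x0800 = IPv4
        return row
    row.update(protocol="IPv4", layers=row["layers"] | {"ip"},
               src=".".join(map(str, frame[26:30])), dst=".".join(map(str, frame[30:34])))
    if frame[23] != 6:                                 # IP protocol 6 = TCP
        return row
    tcp = frame[14 + (frame[14] & 0x0F) * 4:]          # IHL is in 32-bit words
    sport, dport = struct.unpack_from("!HH", tcp)
    payload = tcp[(tcp[12] >> 4) * 4:]                 # TCP data offset, also in words
    row.update(protocol="TCP", info=f"{sport} > {dport}", ports={sport, dport},
               layers=row["layers"] | {"tcp"})
    if payload[:5] in (b"GET /", b"POST ", b"HTTP/"):  # request or status line in the payload
        row.update(protocol="HTTP", layers=row["layers"] | {"http"},
                   info=payload.split(b"\r\n", 1)[0].decode("ascii", "replace"))
    return row

def packet_list(pcap):
    frames = list(pcap_frames(pcap))
    return [packet_row(i, frames[0][0], ts, f) for i, (ts, f) in enumerate(frames, 1)]

def display_filter(rows, expr):
    """Tiny subset of Wireshark's filter language: a bare protocol name, or 'tcp.port == N'."""
    if expr.startswith("tcp.port =="):
        return [r for r in rows if int(expr.split("==")[1]) in r["ports"]]
    return [r for r in rows if expr.strip() in r["layers"]]

def sample_pcap():  # constructed sample, not http.cap: an ARP frame, then IPv4/TCP with an HTTP GET
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    eth = bytes.fromhex("00005e00530100005e005302")                   # dst MAC + src MAC
    get = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(get), 1, 0, 64, 6, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 80]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 0x50, 0x18, 8192, 0, 0)   # PSH+ACK, no options
    frames = [(1000.0, eth + b"\x08\x06" + bytes(28)), (1000.25, eth + b"\x08\x00" + ip + tcp + get)]
    return hdr + b"".join(struct.pack("<IIII", int(t), round(t % 1 * 1e6), len(f), len(f)) + f for t, f in frames)
```

Pass the bytes of a real capture to `packet_list` to list its frames; `display_filter(rows, "http")` keeps only the rows whose decoded layers include HTTP, which is what typing “http” into the filter bar does.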

The Packet Details

This pane shows the protocols and protocol fields of the packet selected in the Packet List pane. The fields can be expanded or collapsed.

The Packet Bytes

This pane shows the raw bytes of the packet selected in the Packet List pane; the text highlighted in blue corresponds to the field selected in the Packet Details pane. The left side of the pane shows the hexadecimal representation of the bytes, and the right side shows the ASCII representation. In the example below, the bytes shown belong to the fourth packet in the Packet List pane, and the bytes highlighted in blue are the Hypertext Transfer Protocol (HTTP) portion selected in the Packet Details pane. Note that non-printable bytes are shown as a period (‘.’) in the ASCII representation.
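As an added example (not from this post or from Wireshark), the function below renders a frame the way the Packet Bytes pane does: an offset column, the hex bytes, and the ASCII column with non-printable bytes shown as ‘.’, and it marks the byte range selected in Packet Details with brackets in place of the blue highlight. The frame is constructed inline (valid Ethernet header, zeroed IPv4/TCP header bytes, then an HTTP request line), not the fourth packet of http.cap.

```python
def packet_bytes_pane(frame, selected=None, width=16):
    """Render like the Packet Bytes pane. 'selected' is the (start, end) byte range of the
    field chosen in Packet Details; those hex cells are wrapped in [ ] instead of blue."""
    lines = []
    for base in range(0, len(frame), width):
        chunk = frame[base:base + width]
        hex_cells, text = [], ""
        for i, b in enumerate(chunk, base):
            mark = selected is not None and selected[0] <= i < selected[1]
            hex_cells.append(f"[{b:02x}]" if mark else f" {b:02x} ")
            text += chr(b) if 32 <= b < 127 else "."     # non-printable bytes become '.'
        lines.append(f"{base:04x} {''.join(hex_cells):<{width * 4}} {text}")
    return lines

# Constructed frame: 14-byte Ethernet header, 40 zero-filled IPv4/TCP header bytes
# (only the version/IHL byte 0x45 set), then the start of an HTTP request.
SAMPLE = bytes.fromhex("00005e00530100005e0053020800" + "45" + "00" * 39) + b"GET / HTTP/1.1\r\n"
HTTP_RANGE = (54, len(SAMPLE))     # what selecting the HTTP node in Packet Details would highlight

if __name__ == "__main__":
    print("\n".join(packet_bytes_pane(SAMPLE, HTTP_RANGE)))
```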

Wireshark is a really useful and fun tool, and this post has given only a brief overview of it. I’d like to expand on this post and talk about real-world issues you may encounter, such as troubleshooting a slow network or a loss of Internet access. Stay tuned!

Books

Wireshark 101: Essential Skills for Network Analysis (Wireshark Solutions Series)

Resources

CLI for Wireshark

Comparison Of Packet Analyzers

Wireshark Documentation

Wireshark Wiki

Sample Captures

Display Filter Resources

Display Filter Documentation

Display Filter Cheatsheet


Lisa Leung has experience as a technical consultant prior to becoming a full-stack engineer student at Holberton School in San Francisco. She enjoys coding, gaming, and reading.
