How to Use WireShark [Tutorial]

Published by on April 5, 2018 in Net Admin

Wireshark

Over the past few years, WireShark has developed a reputation as one of the most reliable network analyzers available on the market. Users across the globe have been using this open source application as a complete network analysis tool. Through Wireshark, users can troubleshoot network problems, examine security issues, debug protocols and learn network processes. In this article, we’ll show you how to use WireShark.

What is WireShark?

As mentioned above, WireShark is a network analysis tool. At its core, Wireshark was designed to break down packets of data being transferred across different networks. The user can search and filter for specific packets of data and analyze how they are transferred across their network. These packets can be used for analysis on a real-time or offline basis.

The user can use this information to generate statistics and graphs. WireShark was originally known as Ethereal but has since established itself as one of the key network analysis tools on the market. This is the go-to tool for users who want to view data generated by different networks and protocols.

WireShark is suitable for novice and expert users alike. The user interface is incredibly simple to use once you learn the initial steps to capture packets. More advanced users can use the platform’s decryption tools to break down encrypted packets as well. A wide community of supporting plugins and platforms can enhance WireShark’s capabilities.

For example, SolarWind’s Response Time Viewer for WireShark allows users to calculate their application and network response time. This can be used alongside WireShark to display data and transaction volume. This helps to assess network performance and identify possible improvements.

Below is a breakdown of WireShark’s core features:

  •  Capture live packet data
  •  Import packets from text files
  •  View packet data and protocol information
  •  Save captured packet data
  •  Display packets
  •  Filter packets
  •  Search packets
  •  Colorize packets
  •  Generate Statistics

Most users use WireShark in order to detect network problems and test their software. As an open source project, WireShark is maintained by a unique team keeping service standards high. In this guide, we break down how to use WireShark. Further information can be found on WireShark’s official user guide.

How to Download and Install WireShark

Before using WireShark, the first thing you need to do is download and install it. You can download WireShark for free from the official website. For the smoothest experience, download the latest version available for your platform from the “stable release” section.

Windows

Once you’ve downloaded the program you can start the setup process. During installation you may be prompted to install WinPcap. It’s important to install WinPcap as without it you will be unable to capture live network traffic. Without WinPcap you will only be able to open saved capture files. To install, simply check the Install WinPcap box.

Mac

In order to install WireShark on Mac you first need to download an installer. To do this, download an installer such as XQuartz. Once you’ve done this, open the Terminal and input the following command:

% /Applications/Wireshark.app/Contents/MacOS/Wireshark

Then wait for WireShark to start.

How to Capture Data Packets

One of the core functions of WireShark as a network analysis tool is to capture packets of data. Learning how to set up WireShark to capture packets is essential to conducting detailed network analysis. However, it’s important to note that it can be difficult to capture packets when you’re new to WireShark.

Before you start to capture packets, there are three things you need to do:

  •  Make sure that you have the administrative privileges to start a live capture on your device
  •  Choose the correct network interface to capture packet data from
  •  Capture packet data from the correct location in your network

Once you’ve done these three things, you’re ready to start the capture process. When you use WireShark to capture packets, they are displayed in a human-readable format to make them legible to the user. You can also break packets down with filters and color-coding if you wish to see more specific information.

When you first open up WireShark, you’ll be met by the following launch screen:


Wireshark network analyzer

The first thing you need to do is look at the available interfaces to capture. To do this, select Capture > Options. The “Capture Interfaces” dialog box will then open as shown below:

capture interface

Check the box of the interface you want to capture, and press the Start button to start. You can select multiple interfaces if you want to capture data from multiple sources simultaneously.

On Unix or Linux, the dialog box looks similar:

unix / linux capture interface

You can also start WireShark by using the following command line:

$ wireshark -i eth0 -k

You can also use the shark fin button on the toolbar as a shortcut to initiate packet capturing. Once you click this button, Wireshark will start the live capture process.

If you want to stop capturing, click the red stop button next to the shark fin.

Promiscuous Mode

If you want to develop an overhead view of your network packet transfers, then you need to activate promiscuous mode. Promiscuous mode is an interface mode where WireShark details every packet it sees. When this mode is deactivated, you lose transparency over your network and only develop a limited snapshot of your network (this makes it more difficult to conduct any analysis).

To activate promiscuous mode, open the Capture Options dialog box and check the promiscuous mode box. In theory this should show you all the traffic active on your network. The promiscuous mode box is shown below:


promiscuous mode

However, this often isn’t the case. Many network interfaces are resistant to promiscuous mode, so you need to check the WireShark website for information on your specific hardware.

On Windows, it’s useful to visit Device Manager and check whether you have your settings configured to reject promiscuous mode. For example:


device manager


(Simply click on the network adapter and then make sure that your promiscuous mode setting is set to Allow All).

If you have your settings set to “reject” promiscuous mode, then you’re going to limit the number of packets WireShark captures. So even if you have promiscuous mode enabled in WireShark, check your Device Manager to make sure that your interface isn’t blocking any data from coming through. Taking the time to check through your network infrastructure will ensure WireShark receives all the necessary packets of data.

Analyzing Captured Packets

Once you’ve captured your network data, you’ll want to look at your captured packets. In the screenshot below you’ll see three panes: the packet list pane, the packet details pane, and the packet bytes pane. If you want more information, click on any of the fields in each packet to see more. When you click on a packet, you’re shown a breakdown of its internal bytes in the byte view section.


captured packets


Packet List

The packet list pane is shown at the top of the screenshot. Each packet is listed with a number, its time, source, destination, protocol and supporting information.

Packet Details

Packet details can be found in the middle, showing the protocols of the chosen packet. You can expand each section by clicking on the arrow next to your row of choice. You can also apply additional filters by right clicking on the chosen item.

Packet Bytes

The packet bytes pane is shown at the bottom of the page. This pane shows the internal data of your selected packet. If you highlight part of the data in this section, its corresponding information is also highlighted in the packet details pane. By default all data is shown in hexadecimal format. If you want to change it to bit format, right click the pane and select this option from the context menu.

Using Wireshark to Analyze Network Performance

If you want to use WireShark to inspect your network and analyze all active traffic, then you need to close down all active applications on your network. This will reduce traffic to a minimum so you can see what is happening on your network more clearly. However, even if you turn off all of your applications, you’ll still have a mass of packets being sent and received.

Using WireShark to filter these packets is the best way to take stock of your network data. When your connection is active, thousands of packets are transferring through your network every second. This means it’s vital that you filter out the information you don’t need in order to get a clear picture of what’s going on.

Capture Filters and Display Filters

Capture filters and display filters are two distinct types of filters that can be used in WireShark. Capture filters are used to reduce the size of the incoming packet capture, essentially filtering out other packets during live packet capturing. As a result, capture filters are set before you begin the live capture process.

Capture filters can’t be modified once a capture has been started. On the other hand, display filters can be used to filter data that has already been recorded. Capture filters determine what data you capture from live network monitoring, and display filters dictate the data you see when looking through previously captured packets.

If you want to start filtering your data, one of the easiest ways to do this is to use the filter box below the toolbar. For example, if you type in HTTP in the filter box, you will be provided with a list of all HTTP packets captured. When you start typing, you’ll be met with an autocomplete field. The filter box is shown below:

Wireshark Filtering

You can use hundreds of different filters to break down your packet information, from 104apci to zvt. An extensive list can be found on the WireShark website here. You can also choose a filter by clicking on the bookmark icon to the left of the entry field. This will raise a menu of popular filters.

If you choose to set a capture filter, then your changes will come into effect once you start recording live traffic. To activate a display filter, simply click on the arrow to the right of the entry field. Alternatively, you can click Analyze > Display Filters and choose a filter from the list of defaults.

After choosing a filter, you can view the TCP conversation behind a packet. To do this, right click on the packet and click Follow > TCP stream. This will show you the TCP exchange between the client and server.

If you want more information about WireShark filtering, WireShark’s guide to display filters is a good point of reference.
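To make the capture-filter versus display-filter distinction concrete, here is an added example (my own code, not from the tutorial or the Wireshark project) that writes a tiny pcap file in memory from constructed Ethernet/IPv4/TCP/UDP frames, decodes it into the same columns as the packet list pane, and then applies a small subset of display-filter syntax to the decoded rows. The addresses, ports and frames are hypothetical, the capture filter is a plain Python predicate standing in for a BPF expression such as `tcp`, and the filter evaluator understands only bare names, `==`, `!=` and `&&`.

```python
import io
import struct
from collections import namedtuple

# Constructed sample traffic with hypothetical addresses, not taken from a real capture.
CLIENT, SERVER, ROUTER = "10.0.0.5", "93.184.216.34", "10.0.0.1"
ETH_HDR = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00"    # dst MAC, src MAC, EtherType IPv4
Packet = namedtuple("Packet", "number time src dst protocol length fields")

def _ipv4(src, dst, proto, payload):
    """IPv4 header (checksum left at zero, enough for decoding) plus payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + payload

def _tcp(sport, dport, seq, flags, payload=b""):
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0) + payload

def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def sample_frames():
    """(timestamp, frame) pairs: a DNS query, a TCP handshake with an HTTP GET, a UDP datagram."""
    return [
        (1.000, ETH_HDR + _ipv4(CLIENT, ROUTER, 17, _udp(5353, 53, b"\x12\x34\x01\x00" + b"\x00" * 8))),
        (1.010, ETH_HDR + _ipv4(CLIENT, SERVER, 6, _tcp(50000, 80, 100, 0x02))),    # SYN
        (1.020, ETH_HDR + _ipv4(SERVER, CLIENT, 6, _tcp(80, 50000, 900, 0x12))),    # SYN/ACK
        (1.030, ETH_HDR + _ipv4(CLIENT, SERVER, 6, _tcp(50000, 80, 101, 0x18, b"GET / HTTP/1.1\r\n\r\n"))),
        (1.040, ETH_HDR + _ipv4(ROUTER, CLIENT, 17, _udp(1900, 1900, b"M-SEARCH"))),
    ]

def decode_frame(raw):
    """Decode Ethernet/IPv4/TCP|UDP headers into (src, dst, protocol column, fields dict).
    The fields dict uses display-filter names such as "tcp.dstport"."""
    ip = raw[14:]                                   # all sample frames are IPv4 (EtherType 0x0800)
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
    fields, l4, name = {"ip.src": src, "ip.dst": dst, "ip.proto": proto}, ip[ihl:], "IP"
    if proto == 6:
        sport, dport, seq, _ack, off, flags = struct.unpack("!HHIIBB", l4[:14])
        payload = l4[(off >> 4) * 4:]
        fields.update({"tcp.srcport": sport, "tcp.dstport": dport, "tcp.seq": seq, "tcp.flags": flags})
        name = "HTTP" if 80 in (sport, dport) and payload else "TCP"
    elif proto == 17:
        sport, dport = struct.unpack("!HH", l4[:4])
        fields.update({"udp.srcport": sport, "udp.dstport": dport})
        name = "DNS" if 53 in (sport, dport) else "UDP"
    return src, dst, name, fields

def build_pcap(frames, capture_filter=None):
    """Write a classic little-endian pcap (linktype 1 = Ethernet). capture_filter(fields)
    runs here, at capture time: a rejected frame never reaches the file at all."""
    out = io.BytesIO()
    out.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for ts, frame in frames:
        if capture_filter is None or capture_filter(decode_frame(frame)[3]):
            sec = int(ts)
            out.write(struct.pack("<IIII", sec, round((ts - sec) * 1_000_000), len(frame), len(frame)))
            out.write(frame)
    return out.getvalue()

def read_pcap(data):
    """Parse pcap records into the rows the packet list pane shows."""
    pos, packets = 24, []                           # skip the 24-byte global header
    while pos < len(data):
        sec, usec, incl, _orig = struct.unpack("<IIII", data[pos:pos + 16])
        src, dst, name, fields = decode_frame(data[pos + 16:pos + 16 + incl])
        packets.append(Packet(len(packets) + 1, sec + usec / 1e6, src, dst, name, incl, fields))
        pos += 16 + incl
    return packets

def match_display_filter(expr, pkt):
    """Small subset of display-filter syntax: a bare name tests presence ("http", "tcp"),
    `==` / `!=` compare one field, `&&` joins terms. Hides rows only; the file is untouched."""
    for term in (t.strip() for t in expr.split("&&")):
        if "==" in term or "!=" in term:
            op = "==" if "==" in term else "!="
            name, value = (s.strip() for s in term.split(op, 1))
            actual = pkt.fields.get(name)
            if isinstance(actual, int):
                value = int(value, 0)               # accepts 80 as well as 0x18
            ok = actual is not None and ((actual == value) if op == "==" else (actual != value))
        else:
            ok = term.upper() == pkt.protocol or any(k == term or k.startswith(term + ".") for k in pkt.fields)
        if not ok:
            return False
    return True

def filter_numbers(packets, expr):
    """Packet numbers that survive a display filter (what the list pane would show)."""
    return [p.number for p in packets if match_display_filter(expr, p)]

if __name__ == "__main__":
    full = read_pcap(build_pcap(sample_frames()))
    print([(p.number, p.src, p.dst, p.protocol, p.length) for p in full])
    print("display filter udp:", filter_numbers(full, "udp"))
    # BPF "tcp" equivalent applied at capture time: the UDP frames are gone for good.
    tcp_only = read_pcap(build_pcap(sample_frames(), capture_filter=lambda f: f.get("ip.proto") == 6))
    print("captured with tcp, then display filter udp:", filter_numbers(tcp_only, "udp"))
```

Run it and compare the two results: the display filter `udp` still finds packets 1 and 5 in the full capture, but after the capture-time `tcp` predicate those frames were never written, so no display filter can bring them back. The same `read_pcap` loop is a useful sanity check on a file Wireshark refuses to open, although a real parser must also honour the big-endian and nanosecond magic numbers this sample omits.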

Color Coding

In addition to filtering which packets are shown or recorded, WireShark’s color-coding facility makes it easier for the user to identify different packet types according to their color. For example TCP traffic is denoted by light purple and UDP traffic is denoted by light blue. It’s important to note that black is used to highlight packets with errors.

On WireShark’s default settings, there are around 20 colors you can choose from. You may edit, disable or delete these. If you want to turn off colorization, click on the View menu and click Colorize Packet List to turn it off. If you’d like to view more information about the color-coding in WireShark, click View > Coloring Rules.

Statistics

In order to view more information on your network, the statistics drop-down menu is incredibly useful. The statistics menu can be located at the top of the screen and will provide you with a number of metrics from size and timing information to plotted charts and graphs. You can also apply display filters to these statistics in order to narrow down important information.

The WireShark statistics menu is shown below:

wireshark statistics


In this menu are a variety of options to help you break down your network information. Here are some of the core sections:

Protocol Hierarchy – The Protocol Hierarchy option raises a window with a complete table of all captured protocols. Active display filters are also displayed at the bottom.

Conversations – Reveals the network conversation between two endpoints (For example exchange of traffic from one IP address to another).

Endpoints – Displays a list of endpoints (a network endpoint is where protocol traffic of a specific protocol layer ends).

IO Graphs – Displays user specific graphs, visualizing the number of packets throughout the data exchange.

RTP Statistics – Allows the user to save the content of an RTP audio stream directly to an .au file.

Service Response Time – Displays the response time between a request and the network’s response.

TcpPduTime – Displays the time taken to transfer data from a Protocol Data Unit. Can be used to find TCP retransmissions.

VoIP Calls – Shows VoIP calls obtained from live captures.

Multicast Stream – Detects multicast streams and measures the size of bursts and the output buffers of certain speeds.

Visualizing Your Packets With IO Graphs

If you want to create a visual representation of your data packets, then you need to open IO graphs. Simply click on the statistics menu and select IO graphs. You’ll then be met by a graph window:

Wireshark IO graphs

You can configure IO graphs with your own settings according to the data you want to display. By default only graph 1 is enabled, so if you want to activate 2-5 you need to click on them. Likewise, if you want to apply a display filter for a graph, click the filter icon next to the graph you want to interact with. The style column allows you to change how your graph is structured. You can choose between Line, FBar, Dot, or Impulse.

You can also adjust the X and Y axis metrics on your graph. On the X axis, the tick interval section allows you to dictate how long the interval is, from minutes to seconds. You can also check the view as time of day box in order to change the time shown on the x axis.

Under the Y axis section, you can change the unit of measurement from any of the following options: Packets/Tick, Bytes/Tick, Bits/Tick, or Advanced. The scale allows you to choose the scale of measurement for the Y axis of the graph.

Once you press save, the graph is stored in a file format of your choice.
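As an added example (not from the tutorial or the Wireshark project), the following Python computes the Protocol Hierarchy, Conversations, Endpoints and I/O Graph figures described in the two sections above from a constructed set of packet-list rows, so you can see what each statistic actually counts. The rows, addresses and protocol stacks are hypothetical, and `select` plays the role of the display filter that can be applied to the statistics.

```python
from collections import Counter, defaultdict

# Constructed packet-list rows (hypothetical addresses, not a real capture):
# (time in seconds, source, destination, protocol layers, frame length in bytes)
ROWS = [
    (0.05, "10.0.0.5", "10.0.0.1", ("eth", "ip", "udp", "dns"), 74),
    (0.12, "10.0.0.1", "10.0.0.5", ("eth", "ip", "udp", "dns"), 90),
    (0.20, "10.0.0.5", "93.184.216.34", ("eth", "ip", "tcp"), 66),           # SYN
    (0.21, "93.184.216.34", "10.0.0.5", ("eth", "ip", "tcp"), 66),           # SYN/ACK
    (0.22, "10.0.0.5", "93.184.216.34", ("eth", "ip", "tcp", "http"), 512),  # request
    (1.30, "93.184.216.34", "10.0.0.5", ("eth", "ip", "tcp", "http"), 1514),
    (1.31, "93.184.216.34", "10.0.0.5", ("eth", "ip", "tcp", "http"), 1514),
    (1.32, "10.0.0.5", "93.184.216.34", ("eth", "ip", "tcp"), 66),           # ACK
    (2.40, "10.0.0.7", "224.0.0.251", ("eth", "ip", "udp", "mdns"), 120),
    (2.45, "10.0.0.7", "224.0.0.251", ("eth", "ip", "udp", "mdns"), 120),
]


def select(rows, layer):
    """Stand-in for a display filter such as `tcp`: keep rows carrying that layer."""
    return [r for r in rows if layer in r[3]]


def protocol_hierarchy(rows):
    """Statistics > Protocol Hierarchy: packets and bytes per protocol path.
    A frame is counted once at every layer it carries, so the eth and ip
    totals here are equal and child rows sum to at most their parent."""
    stats = {}
    for _t, _src, _dst, layers, length in rows:
        for depth in range(len(layers)):
            path = "/".join(layers[:depth + 1])
            packets, nbytes = stats.get(path, (0, 0))
            stats[path] = (packets + 1, nbytes + length)
    return stats


def conversations(rows):
    """Statistics > Conversations (IPv4): both directions between two
    addresses land in one row, keyed by the sorted address pair."""
    conv = defaultdict(lambda: {"packets": 0, "bytes": 0, "a_to_b": 0, "b_to_a": 0})
    for _t, src, dst, _layers, length in rows:
        a, b = sorted((src, dst))
        row = conv[(a, b)]
        row["packets"] += 1
        row["bytes"] += length
        row["a_to_b" if src == a else "b_to_a"] += length
    return dict(conv)


def endpoints(rows):
    """Statistics > Endpoints (IPv4): per-address totals split into tx and rx bytes."""
    ep = defaultdict(lambda: {"packets": 0, "bytes": 0, "tx_bytes": 0, "rx_bytes": 0})
    for _t, src, dst, _layers, length in rows:
        for addr, direction in ((src, "tx_bytes"), (dst, "rx_bytes")):
            ep[addr]["packets"] += 1
            ep[addr]["bytes"] += length
            ep[addr][direction] += length
    return dict(ep)


def io_graph(rows, tick=1.0, unit="packets"):
    """Statistics > I/O Graph: one bucket per tick interval from time zero,
    in Packets/Tick or Bytes/Tick, with empty intervals kept so gaps show."""
    buckets = Counter()
    for t, _src, _dst, _layers, length in rows:
        buckets[int(t // tick)] += 1 if unit == "packets" else length
    last = max(buckets) if buckets else -1
    return [buckets[i] for i in range(last + 1)]


if __name__ == "__main__":
    for path, (packets, nbytes) in protocol_hierarchy(ROWS).items():
        print(f"{path:<20} {packets:>3} packets {nbytes:>6} bytes")
    print(conversations(ROWS))
    print(endpoints(ROWS))
    print("packets/tick:", io_graph(ROWS), " bytes/tick:", io_graph(ROWS, unit="bytes"))
    print("tcp only, 0.5 s ticks:", io_graph(select(ROWS, "tcp"), tick=0.5))
```

The I/O graph output is the list you would see plotted: with a one-second tick the sample gives 5, 3 and 2 packets per interval, and narrowing the tick to half a second exposes the idle half-seconds between the request and the response that the coarser tick hides. The same bucket list is what the Bytes/Tick setting produces when you pass `unit="bytes"`.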

Using Sample Captures

If you want to practice using WireShark but your own network is unavailable for whatever reason, using sample captures is a great alternative. Sample captures provide you with another network’s packet data. You can download a sample capture by going on the WireShark wiki website.

The WireShark wiki website features a variety of sample capture files that can be downloaded across the site. Once you’ve downloaded a sample capture you can use it by clicking File > Open and then clicking on your file.

Capture files can also be found at the following sources:

  •  ICIR
  •  OpenPacket
  •  PacketLife

WireShark: Simple and Versatile

That concludes our breakdown of how to use WireShark. Whether you’re a new user or a WireShark veteran, this platform is an extremely versatile network analysis tool. If you’re looking to get the most out of WireShark, it is highly recommended that you do additional research on the WireShark website.

This is even more important if you’re looking to use more advanced features and create your own protocol dissectors. Wireshark’s official user guide offers the most comprehensive body of guidance on the subject.

Don’t forget to use external plugins and supporting programs from SolarWinds as they can dramatically increase the depth of your future analysis efforts. If you’d like more information about how to optimize your network, check out our in depth guide on network analyzers.

 
