Wireshark - Packet Capturing and Analyzing

Last Updated : 30 Sep, 2022

Prerequisite: Introduction to Wireshark 

This article introduces the methods of packet capturing and analysis. It also introduces some advanced tools that make capture and analysis more efficient.

Why sniff around? 

If you have prior experience with securing systems, you know that the importance of reconnaissance cannot be overstated; if you are new, just know that it is very important. Packet sniffing is an essential form of network reconnaissance as well as monitoring, and it is equally useful for students and IT professionals.

Wireshark captures the data coming into or going out of the NICs on its device by using an underlying packet capture library. By default, Wireshark captures only the traffic of the device it runs on, but it can capture almost all the data on its LAN if run in promiscuous mode. Currently, Wireshark uses the Nmap project's packet capture library, Npcap.

Getting Up and Running: After installation, launch Wireshark, approve the administrator or superuser privilege prompt, and you will be presented with a window that looks like this:

[Figure: Wireshark launch screen]

This window lists the interfaces on your device. To start sniffing, select one interface and click the blue fin icon at the top left. The capture screen has three panes: the top pane shows real-time traffic, the middle one shows the decoded details of the selected packet, and the bottom pane shows the raw packet bytes. For each packet, the top pane shows the source address (IPv4 or IPv6), the destination address, the source and destination ports, the protocol the packet belongs to, and additional information about the packet.

[Figure: Wireshark capture screen]

Since a lot of packets go in and out every second, looking at all of them or searching for one type of packet is tedious. This is why packet filters are provided. Packets can be filtered on many parameters, such as IP address, port number or protocol, either at capture level or at display level. Obviously, a display-level filter does not affect which packets are captured.

Some of the general capture filters are: 

  • host (capture the traffic to or from a single target host).
  • net (capture the traffic to or from a network or sub-network). "net" can be prefixed with "src" or "dst" to select only data coming from, or only data going to, the target network.
  • port (capture the traffic to or from a port). "port" can be prefixed with "src" or "dst" to select only data coming from, or only data going to, the target port.
  • "and", "not" and "or" logical connectives, used to combine multiple filters.

There are some more basic filters, and they can be combined very creatively. Another class of filters, display filters, is used to create an abstraction over the captured data. These basic examples should give an idea of their syntax:

  • tcp.port==X or udp.port==X shows the TCP/UDP traffic on port X (for example, tcp.port==80 for HTTP). Note that tcp.port matches the port at either end of the connection.
  • http.request.uri matches "parameter=value$" shows packets that are HTTP requests at the application layer whose URI ends with the given parameter and value ("matches" takes a regular expression).
  • The logical connectives and, or and not work here too.
  • ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16 shows traffic whose source and destination are both inside the 192.168.0.0/16 private range, i.e. traffic between local workstations and servers.

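To make the display-filter semantics above concrete, here is an added Python example (not from the original article or the Wireshark project) that evaluates the page's filters over a few constructed packet records: it shows that tcp.port matches either endpoint, that a CIDR on the right of == tests subnet membership, and that "matches" is an unanchored regex search where the trailing $ does the anchoring. The packet records, the dict keys named after Wireshark fields, and the helper function names are assumptions for illustration.

```python
import ipaddress
import re

# Constructed sample packets (not a real capture). Keys mirror the Wireshark
# field names used in display filters. 203.0.113.7 is a documentation address.
PACKETS = [
    {"ip.src": "192.168.1.10", "ip.dst": "192.168.1.20", "tcp.srcport": 51000,
     "tcp.dstport": 80, "http.request.uri": "/login?user=alice"},
    {"ip.src": "192.168.1.10", "ip.dst": "203.0.113.7", "tcp.srcport": 51001,
     "tcp.dstport": 443},
    {"ip.src": "10.0.0.5", "ip.dst": "192.168.1.20", "tcp.srcport": 40000,
     "tcp.dstport": 80, "http.request.uri": "/search?user=bob&q=x"},
    {"ip.src": "192.168.1.20", "ip.dst": "192.168.1.10", "udp.srcport": 53,
     "udp.dstport": 5353},
]

def tcp_port(pkt, port):
    """tcp.port==X is true if X is the source OR the destination port."""
    return port in (pkt.get("tcp.srcport"), pkt.get("tcp.dstport"))

def udp_port(pkt, port):
    """udp.port==X, same either-endpoint rule as tcp.port."""
    return port in (pkt.get("udp.srcport"), pkt.get("udp.dstport"))

def ip_in(pkt, field, cidr):
    """ip.src==A.B.C.D/N compares against a whole subnet, not a single host."""
    addr = pkt.get(field)
    return addr is not None and ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)

def uri_matches(pkt, pattern):
    """'matches' is an unanchored regex search; the $ is what pins user=... to the end."""
    uri = pkt.get("http.request.uri")
    return uri is not None and re.search(pattern, uri) is not None

def apply_filter(packets, predicate):
    """Return the indices of the packets that the display filter keeps."""
    return [i for i, p in enumerate(packets) if predicate(p)]

def local_only(p):   # ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16
    return ip_in(p, "ip.src", "192.168.0.0/16") and ip_in(p, "ip.dst", "192.168.0.0/16")

def web_or_dns(p):   # tcp.port==80 or udp.port==53
    return tcp_port(p, 80) or udp_port(p, 53)

def user_at_end(p):  # http.request.uri matches "user=[a-z]+$"
    return uri_matches(p, r"user=[a-z]+$")

if __name__ == "__main__":
    for f in (local_only, web_or_dns, user_at_end):
        print(f.__name__, apply_filter(PACKETS, f))
```

Packet 2 carries user=bob but not at the end of the URI, so the anchored filter drops it while an unanchored "user=[a-z]+" would keep it.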


There is also a concept of coloring rules: each protocol, port or other element is given a distinct color so that it stands out during quick analysis. More details on coloring rules are available in the Wireshark documentation.

Plugins are extra pieces of code that can be embedded into native Wireshark. Plugins help in analysis by:

  • Showing parameter-specific statistics and insights.
  • Handling capture files and issues related to their formats.
  • Integrating with other tools and frameworks to set up an all-in-one network monitoring solution.



With just the basic capability to see all the traffic going through your device or your LAN, plus the tools and plugins that help you analyze it, you can do a great deal with your device, such as:

  • Troubleshooting Internet connectivity problems with your device or WiFi.
  • Monitoring your device for unwanted traffic that may indicate a malware infection.
  • Testing your applications that involve networking.
  • Simply understanding how computer networks work.
Author: awasthi7xenextt