How To Use Wireshark To Inspect Network Traffic

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software, and communications protocol development. It lets you see what’s happening on your network at a microscopic level and is the de facto (and often de jure) standard across many commercial and non-profit enterprises, government agencies, and educational institutions. Wireshark is a cross-platform tool that runs on Linux, Microsoft Windows, macOS, BSD, Solaris, and other Unix-like operating systems.  

How To Install Wireshark In Linux?

To install Wireshark just enter the following command in your terminal – sudo apt-get install Wireshark Wireshark will then be installed and available for use. If you run Wireshark as a non-root user (which you should) at this stage you will encounter an error message which says.
“No interface can be used for capturing in this system with the current configuration”.The following steps will rectify this.
​
Create a Wireshark group.

sudo groupadd wireshark 

Add your username to the Wireshark group –

sudo usermod -a -G wireshark USERNAME 

Change the group  ownership of file dumpcap to wireshark –

sudo chgrp wireshark /usr/bin/dumpcap 

Change the mode of the file dumpcap to allow execution by the group wireshark –

sudo chmod 750 /usr/bin/dumpcap ​

Grant capabilities with setcap –

sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap 

Verify the change –

sudo getcap /usr/bin/dumpcap   

What Wireshark Is Used For?

Wireshark has quite an extensive application or use. Here are a few examples of what people use Wireshark for:

• Network administrators use it to troubleshoot network problems
• Network security engineers use it to examine security problems
• Developers use it to debug protocol implementations
• Others use it to learn network protocol internals

Features At A Glance

The following are some of the many features Wireshark provides:

• Capture live packet data from a network interface.
• Open files containing packet data captured with tcpdump/WinDump, Wireshark, and a number of other packet capture programs.
• Import packets from text files containing hex dumps of packet data.
• Display packets with very detailed protocol information.
• Save packet data captured.
• Export some or all packets in a number of capture file formats.
• Filter packets on many criteria.
• Search for packets on many criteria.
• Colorize packet display based on filters.
• Create various statistics.

How To Use Wireshark To Inspect Network Packets In Linux?

Capturing Packets

After downloading and installing Wireshark, you can launch it and click the name of an interface under Interface List to start capturing packets on that interface. For example, if you want to capture traffic on the wireless network, click your wireless interface. You can configure advanced features by clicking Capture Options.

As soon as you click the interface’s name, you’ll see the packets start to appear in real time. Wireshark captures each packet sent to or from your system. If you’re capturing on a wireless interface and have promiscuous mode enabled in your capture options, you’ll also see other the other packets on the network.

Color Coding

You’ll probably see packets highlighted in green, blue, and black. Wireshark uses colors to help you identify the types of traffic at a glance. By default, green is TCP traffic, dark blue is DNS traffic, light blue is UDP traffic, and black identifies TCP packets with problems — for example, they could have been delivered out-of-order.

Conclusion

As I mentioned earlier, Wireshark is available on all platforms but none of these other platforms has the feature parity of Linux.

Wireshark is an extremely powerful tool, and this tutorial is just scratching the surface of what you can do with it. Professionals use it to debug network protocol implementations, examine security problems and inspect network protocol internals. Check out this official DOCUMENTATION for more of what you can do with Wireshark.