is a free and open-source packet analyzer
. It is used for network troubleshooting, analysis, software and communications protocol development. It lets you see what’s happening on your network at a microscopic level and is the de facto (and often de jure) standard across many commercial and non-profit enterprises, government agencies, and educational institutions. Wireshark is a cross-platform tool that runs on Linux
, Microsoft Windows, MacOS, BSD, Solaris, and other Unix-like operating systems.
To install Wireshark just enter the following command in your terminal –
Wireshark will then be installed and available for use.If you run Wireshark as a non-root user (which you should) at this stage you will encounter an error message which says.
“No interface can be used for capturing in this system with the current configuration”.The following steps will rectify this.
Create the Wireshark group.
Add your username to the Wireshark group –
Change the group ownership of file dumpcap to wireshark –
Change the mode of the file dumpcap to allow execution by the group wireshark –
Grant capabilities with setcap –
Verify the change –
Wireshark has quite an extensive application or use. Here are a few examples of what people use Wireshark for:
- Network administrators use it to troubleshoot network problems
- Network security engineers use it to examine security problems
- Developers use it to debug protocol implementations
- Others use it to learn network protocol internals
The following are some of the many features Wireshark provides:
- Capture live packet data from a network interface.
- Open files containing packet data captured with tcpdump/WinDump, Wireshark, and a number of other packet capture programs.
- Import packets from text files containing hex dumps of packet data.
- Display packets with very detailed protocol information.
- Save packet data captured.
- Export some or all packets in a number of capture file formats.
- Filter packets on many criteria.
- Search for packets on many criteria.
- Colorize packet display based on filters.
- Create various statistics.
After downloading and installing Wireshark, you can launch it and click the name of an interface under Interface List to start capturing packets on that interface. For example, if you want to capture traffic on the wireless network, click your wireless interface. You can configure advanced features by clicking Capture Options.
As soon as you click the interface’s name, you’ll see the packets start to appear in real time. Wireshark captures each packet sent to or from your system. If you’re capturing on a wireless interface and have promiscuous mode enabled in your capture options, you’ll also see other the other packets on the network.
You’ll probably see packets highlighted in green, blue, and black. Wireshark uses colors to help you identify the types of traffic at a glance. By default, green is TCP traffic, dark blue is DNS traffic, light blue is UDP traffic, and black identifies TCP packets with problems — for example, they could have been delivered out-of-order.
As I mentioned earlier, Wireshark is available on all platforms but none of these other platforms has the feature parity of Linux.
Wireshark is an extremely powerful tool, and this tutorial is just scratching the surface of what you can do with it. Professionals use it to debug network protocol implementations, examine security problems and inspect network protocol internals. Check out this official DOCUMENTATION for more of what you can do with Wireshark.