Wireshark is the most widely used tool for capturing and analysing network packets across many protocols and network interface types. The project started under the name
Ethereal with a basic feature set; with contributions from the community and its developers it has grown into a professional tool for network administrators and penetration testers. This tutorial covers Wireshark from installation to everyday use: starting a capture, reading packet details, capture filters, display filters and the command-line interface.
Install Wireshark for Windows
Installing Wireshark on Windows is straightforward because signed installers are published on Wireshark's official download page. Select the version you want: 64-bit installers are provided (32-bit installers only for releases before 4.0), as well as a portable version. Check the downloaded installer against the SHA256 hashes published alongside it before running it.
Install Wireshark For Linux
Install Wireshark for Ubuntu, Mint, Debian
On Ubuntu, Mint and Debian, install Wireshark with apt:
$ sudo apt install wireshark
During installation the wireshark-common package asks whether non-superusers should be able to capture packets. Answer Yes: this creates the wireshark group and gives dumpcap (the helper that does the actual capturing) the capabilities it needs, so the Wireshark GUI itself never has to run as root. Any user who should capture must then be added to the wireshark group and log in again.
Install Wireshark for Fedora, CentOS, RHEL
On Fedora, CentOS and RHEL, install Wireshark with dnf:
$ sudo dnf install wireshark
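Both package families grant non-root capture the same way: the user is in the wireshark group and dumpcap carries just the two Linux capabilities packet capture needs, cap_net_admin and cap_net_raw. The script below is an added example for this tutorial (not Wireshark project code) that checks exactly that. The pure-check functions take the text to inspect as an argument, so they run on constructed `id -nG` / `getcap` strings as well as on live output; the path /usr/bin/dumpcap is only a fallback when dumpcap is not on PATH.

```shell
#!/bin/sh
# Added example: verify the least-privilege capture setup that the Debian/Ubuntu
# debconf question (and Fedora's wireshark-cli package) is meant to leave behind.

# 0 if the space-separated group list (as printed by `id -nG`) contains wireshark.
in_wireshark_group() {
  for g in $1; do
    if [ "$g" = wireshark ]; then return 0; fi
  done
  return 1
}

# Print the comma-separated capability names from a getcap line, one per word.
# Handles both output styles: "PATH = cap_a,cap_b+eip" (libcap < 2.41) and
# "PATH cap_a,cap_b=eip" (newer libcap). An empty line yields nothing.
caps_from_getcap() {
  caps=${1##* }          # last word: "cap_net_admin,cap_net_raw+eip" or "...=eip"
  printf '%s\n' "${caps%%[+=]*}" | tr ',' ' '
}

# 0 only if dumpcap has cap_net_admin AND cap_net_raw and nothing else:
# anything extra (cap_sys_admin, cap_dac_override, ...) is over-privilege.
dumpcap_caps_ok() {
  have_admin=0 have_raw=0
  for c in $(caps_from_getcap "$1"); do
    case "$c" in
      cap_net_admin) have_admin=1 ;;
      cap_net_raw)   have_raw=1 ;;
      *)             return 1 ;;
    esac
  done
  if [ "$have_admin" = 1 ] && [ "$have_raw" = 1 ]; then return 0; fi
  return 1
}

# Inspect the running host and print what to fix.  Usage: sh capcheck.sh --live
live_check() {
  if in_wireshark_group "$(id -nG)"; then
    echo "ok:  $(id -un) is in the wireshark group"
  else
    echo "fix: sudo usermod -aG wireshark $(id -un)    # then log out and back in"
  fi
  dumpcap=$(command -v dumpcap || echo /usr/bin/dumpcap)
  if dumpcap_caps_ok "$(getcap "$dumpcap" 2>/dev/null || true)"; then
    echo "ok:  $dumpcap has cap_net_admin,cap_net_raw and nothing more"
  else
    echo "fix: sudo dpkg-reconfigure wireshark-common    # answer Yes (Debian/Ubuntu)"
    echo "     or: sudo setcap cap_net_raw,cap_net_admin+eip $dumpcap"
  fi
  ls -l "$dumpcap" 2>/dev/null || true   # expect group wireshark and no setuid bit
}

if [ "${1:-}" = "--live" ]; then live_check; fi
```

Run it with `--live` after installing; if it reports both lines as ok, the GUI can be started as an ordinary user and still see every interface in the capture list.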
Wireshark can be started in several ways. On Linux desktops it is launched from the application menu (search for Wireshark).
It can also be started from the command line with the wireshark command; the command-line counterpart for capturing and analysing without a GUI is tshark, which accepts the same capture and display filters.
Select Network Interface To Capture Packets
After Wireshark opens, the welcome screen lists the network interfaces that can be captured. Select the interface you want and click the shark-fin icon (Start) in the toolbar, or double-click the interface. If an interface is missing, Wireshark is usually running without capture privileges; fix the group membership or capabilities described in the installation section rather than running the GUI as root.
Wireshark's UI has to fit a lot of network information onto one screen. By default the main window consists of three panes:
Packet List: one row per captured frame (number, time, source, destination, protocol and a short info column),
Packet Details: the selected frame decoded layer by layer into an expandable tree, and
Packet Bytes: the raw bytes of the selected frame in hex and ASCII; selecting a field in the details pane highlights the bytes it was decoded from.
Wireshark decodes each captured packet layer by layer: Ethernet (L2), IP (L3), TCP/UDP (L4) and whatever application protocol sits on top. The details pane shows each layer as its own section in human-readable form, with the decoded fields of that layer listed underneath it.
Captured packets can be narrowed down with display filters, typed into the filter bar above the Packet List. Unlike capture filters, which use BPF syntax and decide what is recorded in the first place, display filters use Wireshark's own field syntax and only hide packets already in the capture, so they can be changed at any time without losing data. For example, typing udp shows only UDP packets. Commonly used display filters:

Filter                                  Matches
tcp                                     TCP packets only
udp                                     UDP packets only
ip.addr == 192.0.2.1                    packets with 192.0.2.1 as source or destination
ipv6.addr == 2001:db8::1                packets with 2001:db8::1 as source or destination
tcp.port == 80                          TCP packets with source or destination port 80
udp.port == 80                          UDP packets with source or destination port 80
tcp.port == 80 || udp.port == 80        multiple ports or protocols combined with ||

Use ip.src / ip.dst (or tcp.srcport / tcp.dstport) when direction matters. To exclude a host, write !(ip.addr == 192.0.2.1): in Wireshark versions before 3.6, ip.addr != 192.0.2.1 matched every packet in which either address differed, which is almost all of them.
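To make the layer structure and the field names in the table concrete, the following added example (written for this tutorial, not Wireshark project code) hand-assembles three Ethernet/IPv4 frames carrying UDP and TCP, writes them as a pcap that Wireshark can open, and dissects them back the way the Packet Details pane does, keying the output by the same field names used in display filters (ip.src, tcp.dstport, ...). All MAC and IP addresses, ports and payloads are constructed test data from the RFC 5737 documentation ranges; the file name sample.pcap is an assumption. If tshark is installed, the script also applies the display filters from the table from the command line.

```python
"""Build Ethernet/IPv4 + UDP/TCP frames, write a pcap, dissect it L2 -> L3 -> L4.
Added example for this tutorial; not Wireshark project code. All addresses,
ports and payloads below are constructed test data."""
import shutil
import socket
import struct
import subprocess

ETH_P_IP, PROTO_TCP, PROTO_UDP = 0x0800, 6, 17
SRC_MAC, DST_MAC = bytes.fromhex("025a0000a1a1"), bytes.fromhex("025a0000b2b2")  # constructed


def ipv4_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; over a header that carries a correct checksum it yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def l4_checksum(src_ip: str, dst_ip: str, proto: int, segment: bytes) -> int:
    """TCP/UDP checksum: IPv4 pseudo-header (src, dst, 0, proto, length) + whole segment."""
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, proto, len(segment))
    return ipv4_checksum(pseudo + segment)


def build_frame(src_ip: str, dst_ip: str, proto: int, sport: int, dport: int, payload: bytes) -> bytes:
    """Ethernet II (14 B) + IPv4 (20 B, no options) + UDP (8 B) or TCP (20 B) + payload."""
    if proto == PROTO_UDP:
        seg, ck_off = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload, 6
    else:  # seq 1, ack 1, data offset 5 words, flags PSH|ACK, window 65535, checksum 0, urg 0
        seg, ck_off = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload, 16
    cksum = l4_checksum(src_ip, dst_ip, proto, seg)
    if proto == PROTO_UDP and cksum == 0:
        cksum = 0xFFFF  # in UDP a literal 0 means "no checksum"; 0xFFFF is the same value in one's complement
    seg = seg[:ck_off] + struct.pack("!H", cksum) + seg[ck_off + 2:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(seg), 0x1234, 0x4000, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return DST_MAC + SRC_MAC + struct.pack("!H", ETH_P_IP) + ip + seg


def write_pcap(frames) -> bytes:
    """Classic pcap: 24-byte global header (LINKTYPE_ETHERNET = 1), then a 16-byte header per record."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data: bytes) -> list:
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    off, frames = 24, []
    while off + 16 <= len(data):
        incl_len = struct.unpack("<IIII", data[off:off + 16])[2]
        frames.append(data[off + 16:off + 16 + incl_len])
        off += 16 + incl_len
    return frames


def dissect(frame: bytes) -> dict:
    """Mini-dissector keyed by Wireshark field names, so results line up with display filters."""
    info = {"eth.type": struct.unpack("!H", frame[12:14])[0]}
    if info["eth.type"] != ETH_P_IP:
        return info
    ihl, total_len = (frame[14] & 0x0F) * 4, struct.unpack("!H", frame[16:18])[0]
    ip = frame[14:14 + ihl]
    proto, src, dst = ip[9], socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    info.update({"ip.src": src, "ip.dst": dst, "ip.proto": proto, "ip.checksum_ok": ipv4_checksum(ip) == 0})
    seg = frame[14 + ihl:14 + total_len]
    if proto in (PROTO_TCP, PROTO_UDP):
        name = "tcp" if proto == PROTO_TCP else "udp"
        info[f"{name}.srcport"], info[f"{name}.dstport"] = struct.unpack("!HH", seg[:4])
        info[f"{name}.checksum_ok"] = l4_checksum(src, dst, proto, seg) == 0
    return info


def sample_capture() -> bytes:
    """Three constructed frames: UDP to port 53, TCP to port 80, UDP to port 80."""
    return write_pcap([
        build_frame("192.0.2.10", "198.51.100.53", PROTO_UDP, 53000, 53, b"\x00" * 12),
        build_frame("192.0.2.10", "198.51.100.80", PROTO_TCP, 40000, 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
        build_frame("192.0.2.10", "198.51.100.80", PROTO_UDP, 40001, 80, b"udp to port 80"),
    ])


def run_tshark(pcap_path: str, display_filter: str):
    """Apply a display filter from the CLI (tshark -Y); returns matching frame numbers, None if no tshark."""
    if shutil.which("tshark") is None:
        return None
    cmd = ["tshark", "-r", pcap_path, "-Y", display_filter, "-T", "fields", "-e", "frame.number"]
    return [int(n) for n in subprocess.run(cmd, capture_output=True, text=True, check=True).stdout.split()]


if __name__ == "__main__":
    data = sample_capture()
    with open("sample.pcap", "wb") as fh:  # open this file in Wireshark to compare with the dissect() output
        fh.write(data)
    for number, frame in enumerate(read_pcap(data), 1):
        print(number, dissect(frame))
    for flt in ("udp", "tcp.port == 80", "tcp.port == 80 || udp.port == 80", "ip.addr == 198.51.100.53"):
        print(f"{flt:40} -> frames {run_tshark('sample.pcap', flt)}")
```

Opening sample.pcap in Wireshark shows each of the three frames as an Ethernet II, IPv4 and UDP/TCP section in the details pane; clicking a field such as the IPv4 header checksum highlights the bytes that dissect() reads at the same offsets. With tshark installed, `tcp.port == 80 || udp.port == 80` returns frames 2 and 3 and `udp` returns frames 1 and 3, matching the filter table above.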