How to Use Wireshark?

Wireshark is the most popular tool for capturing network packets across different network protocols and network interface types. The Wireshark project started under the name Ethereal and provided only very basic features. With the help of the community and developers, it became a very professional tool for network administrators and pen-testers. In this tutorial, we explain how to use Wireshark, from installation to starting it and using features such as packet information, capture filters, display filters, the command-line interface, etc.

Install Wireshark for Windows

Installing Wireshark on Windows is very easy: Windows installers are provided on Wireshark's official web portal. Just select the version you want to use. 32-bit and 64-bit versions of the Wireshark installer are provided, as well as a Windows portable version.

https://www.wireshark.org/#download

Wireshark Windows

Install Wireshark For Linux

Install Wireshark for Ubuntu, Mint, Debian

The following apt command can be used to install Wireshark on Ubuntu, Mint, and Debian.

$ sudo apt install wireshark

During the installation, the following question is asked about whether regular users should be allowed to capture packets. Just answer Yes.

Install Wireshark for Fedora, CentOS, RHEL

For Fedora, CentOS, and RHEL, the following command can be used to install Wireshark.

$ sudo dnf install wireshark

Start Wireshark

Wireshark can be started in different ways. On Linux distributions, open the application menu and type wireshark.

Wireshark can also be started from the command-line interface with the wireshark command, as shown below.

$ wireshark

Select Network Interface To Capture Packets

After Wireshark is opened, the following screen is displayed, listing the network interfaces available for capture. Just select the interface you want to capture on and click the shark icon.

Wireshark UI

Wireshark provides a very useful UI, and it needs to, because a lot of network information has to be displayed on a single screen. By default, the Wireshark UI consists of 3 panes called Packet List, Packet Details, and Packet Bytes.

Wireshark UI

Packet Information

Wireshark provides all the information about the captured packets. There are different network layers like Ethernet (L2), IP (L3), TCP/UDP (L4), etc., and all this information is displayed in a human-readable format, with extra details shown in a separate section for each related layer.
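To show what the Packet Details pane is doing when it splits a frame into Ethernet, IP and TCP/UDP sections, here is an added example (not code from the tutorial or from the Wireshark project) of a minimal layer-by-layer dissector. The frames it parses are constructed in the script, not real captures, and the field names (srcport, dstport, ttl, ...) are this example's own choices. The length checks matter: a dissector that trusts the lengths declared in a header will read past the end of a truncated or malformed frame, which is exactly the class of bug that has affected real dissectors.

```python
import struct
from ipaddress import ip_address

# Added example (not from the tutorial): a minimal dissector that peels the
# Ethernet (L2), IPv4 (L3) and TCP/UDP (L4) layers off a raw frame, the way
# Wireshark's Packet Details pane groups fields by layer. The frames are
# constructed here; they are not real captures.

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(src_ip, dst_ip, sport, dport, payload, proto="udp"):
    """Build a constructed Ethernet II / IPv4 / UDP-or-TCP frame for demonstration."""
    if proto == "udp":
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
        proto_num = IPPROTO_UDP
    else:
        # Minimal TCP header: seq/ack 0, data offset 5 words, flags PSH|ACK, checksum 0
        l4 = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | 0x018, 65535, 0, 0) + payload
        proto_num = IPPROTO_TCP
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0x4000, 64,
                     proto_num, 0, ip_address(src_ip).packed, ip_address(dst_ip).packed)
    eth = struct.pack("!6s6sH", bytes.fromhex("66778899aabb"),  # destination MAC (constructed)
                      bytes.fromhex("001122334455"),             # source MAC (constructed)
                      ETHERTYPE_IPV4)
    return eth + ip + l4


def dissect(frame):
    """Return a dict of per-layer fields; raise ValueError on truncated or malformed input."""
    layers = {}
    if len(frame) < 14:
        raise ValueError("frame shorter than the Ethernet header")
    dst, src, etype = struct.unpack_from("!6s6sH", frame, 0)
    layers["eth"] = {"dst": mac_str(dst), "src": mac_str(src), "type": f"0x{etype:04x}"}
    off = 14
    if etype != ETHERTYPE_IPV4:
        return layers  # only IPv4 is dissected in this example
    if len(frame) < off + 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, total_len, _id, _frag, ttl, proto, _csum, s, d = struct.unpack_from(
        "!BBHHHBBH4s4s", frame, off)
    ihl = (vihl & 0x0F) * 4
    ip_end = off + total_len
    # Never trust header-declared lengths blindly: check them against the bytes we have.
    if vihl >> 4 != 4 or ihl < 20 or total_len < ihl or ip_end > len(frame):
        raise ValueError("malformed IPv4 header or truncated frame")
    layers["ip"] = {"src": str(ip_address(s)), "dst": str(ip_address(d)), "ttl": ttl, "proto": proto}
    off += ihl
    if proto == IPPROTO_UDP:
        if ip_end - off < 8:
            raise ValueError("truncated UDP header")
        sport, dport, ulen, _ucsum = struct.unpack_from("!HHHH", frame, off)
        if ulen < 8 or off + ulen > ip_end:
            raise ValueError("UDP length disagrees with IP length")
        layers["udp"] = {"srcport": sport, "dstport": dport, "length": ulen}
        layers["payload"] = frame[off + 8:off + ulen]
    elif proto == IPPROTO_TCP:
        if ip_end - off < 20:
            raise ValueError("truncated TCP header")
        sport, dport, seq, ack, doff_flags = struct.unpack_from("!HHIIH", frame, off)
        doff = (doff_flags >> 12) * 4
        if doff < 20 or off + doff > ip_end:
            raise ValueError("bad TCP data offset")
        layers["tcp"] = {"srcport": sport, "dstport": dport, "seq": seq, "ack": ack,
                         "flags": f"0x{doff_flags & 0x1FF:03x}"}
        layers["payload"] = frame[off + doff:ip_end]
    return layers


if __name__ == "__main__":
    frame = build_frame("192.0.2.1", "192.0.2.2", 5353, 53, b"ping")
    for layer, fields in dissect(frame).items():
        print(layer, fields)
```

Running the script prints one line per layer, much like expanding each section in the Packet Details pane; feeding it a frame cut short (for example frame[:30]) raises ValueError instead of reading garbage.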

Display Filters

Captured packets can be filtered using Display Filters. There are a lot of different display filters that can be used for different cases. In the following example, we display only the UDP packets.

Display Filters
Display Filter                      Description
tcp                                 Only TCP packets
udp                                 Only UDP packets
ip.addr == 192.0.2.1                IP address
ipv6.addr == 2001:db8::1            IPv6 address
tcp.port == 80                      TCP port
udp.port == 80                      UDP port
tcp.port == 80 || udp.port == 80    Multiple ports
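To make the semantics of the filters in the table concrete, here is an added example (not code from the tutorial or from Wireshark itself) of a tiny evaluator for the subset of display-filter syntax shown above: bare protocol names, field == value comparisons, ||, &&, ! and parentheses. It runs the filters over a handful of constructed packet records rather than a real capture. One point the table does not spell out, and which the example reproduces from Wireshark's own behaviour: ip.addr and tcp.port match the source or the destination, so ip.addr == 192.0.2.1 selects traffic in both directions. The record layout (a "protocols" set plus field-name keys holding lists of values) is this example's own convention.

```python
import re

# Added example (not part of the tutorial): a minimal evaluator for a subset of
# Wireshark display-filter syntax, applied to constructed packet records.

# Constructed sample packets. Each multi-valued field (ip.addr, tcp.port, ...)
# lists the source value first and the destination value second.
PACKETS = [
    {"protocols": {"eth", "ip", "tcp"}, "ip.addr": ["192.0.2.1", "192.0.2.9"], "tcp.port": [51000, 80]},
    {"protocols": {"eth", "ip", "udp"}, "ip.addr": ["192.0.2.5", "192.0.2.1"], "udp.port": [5353, 53]},
    {"protocols": {"eth", "ipv6", "udp"}, "ipv6.addr": ["2001:db8::1", "2001:db8::2"], "udp.port": [40000, 80]},
]

TOKEN = re.compile(r"\s*(\|\||&&|==|!|\(|\)|[A-Za-z0-9_.:]+)")


def tokenize(text):
    pos, out = 0, []
    text = text.strip()
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"bad filter near {text[pos:]!r}")
        out.append(m.group(1))
        pos = m.end()
    return out


class Filter:
    """Recursive-descent parser: || binds loosest, then &&, then !, then atoms."""

    def __init__(self, text):
        self.toks, self.i = tokenize(text), 0
        self.tree = self._or()
        if self.i != len(self.toks):
            raise ValueError(f"unexpected token {self.toks[self.i]!r}")

    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def _next(self):
        if self.i >= len(self.toks):
            raise ValueError("unexpected end of filter")
        tok = self.toks[self.i]
        self.i += 1
        return tok

    def _or(self):
        node = self._and()
        while self._peek() == "||":
            self._next()
            node = ("or", node, self._and())
        return node

    def _and(self):
        node = self._not()
        while self._peek() == "&&":
            self._next()
            node = ("and", node, self._not())
        return node

    def _not(self):
        if self._peek() == "!":
            self._next()
            return ("not", self._not())
        return self._atom()

    def _atom(self):
        tok = self._next()
        if tok == "(":
            node = self._or()
            if self._next() != ")":
                raise ValueError("expected ')'")
            return node
        if self._peek() == "==":          # field == value
            self._next()
            return ("eq", tok, self._next())
        return ("proto", tok)              # bare protocol name, e.g. udp

    def match(self, pkt):
        return self._eval(self.tree, pkt)

    def _eval(self, node, pkt):
        kind = node[0]
        if kind == "proto":
            return node[1] in pkt["protocols"]
        if kind == "eq":
            # A field with several occurrences matches if ANY occurrence equals the
            # value (so ip.addr == X matches source or destination); a field the
            # packet does not carry at all never matches.
            return node[2] in {str(v) for v in pkt.get(node[1], [])}
        if kind == "not":
            return not self._eval(node[1], pkt)
        if kind == "and":
            return self._eval(node[1], pkt) and self._eval(node[2], pkt)
        return self._eval(node[1], pkt) or self._eval(node[2], pkt)


def apply_filter(text, packets=PACKETS):
    """Return the indices of the packets that the display filter selects."""
    flt = Filter(text)
    return [i for i, pkt in enumerate(packets) if flt.match(pkt)]


if __name__ == "__main__":
    for expr in ("udp", "ip.addr == 192.0.2.1", "tcp.port == 80 || udp.port == 80"):
        print(f"{expr:36} -> packets {apply_filter(expr)}")
```

Note that the evaluator deliberately leaves out the != operator: its meaning for multi-valued fields such as ip.addr has changed across Wireshark versions, so check the documentation of the version you run before relying on it.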
