Wireshark is open-source network protocol analysis software started by Gerald Combs in 1998 (first released under the name Ethereal). Available on most operating systems, it captures the frames passing through a network interface (each frame carrying the packet, segment and application data nested inside it) and decodes them for analysis.
With Wireshark, a computer can see traffic between two other computers, provided that traffic actually reaches its interface: on a hub, on a Wi-Fi network captured in monitor mode, or on a switch port configured as a mirror (SPAN) port. On an ordinary switched LAN a host only sees its own unicast traffic plus broadcasts and multicasts, unless traffic is redirected to it (for example by ARP spoofing). Wireshark is therefore a packet sniffer, useful to track and capture data passing through the TCP/IP layers of a LAN during transmission, either to troubleshoot issues or to eavesdrop.
That data comes from or goes to your router or the internet (data in transit within the LAN, or data coming from or going to the internet). Over unencrypted protocols such as HTTP, FTP or Telnet it can include your browsing history, the keystrokes of an interactive session, or even the passwords of your accounts in plain text.
That is why it is recommended to use encrypted connections (HTTPS, SSH) as well as a VPN on networks you do not trust.
Wireshark allows you to filter either before the capture (capture filters, written in BPF syntax, e.g. ‘host 192.168.1.10’) or during analysis (display filters, which use a different syntax, e.g. ‘ip.addr == 192.168.1.10’), so you can narrow down and zero in on what you are looking for in the network trace. For example, you can set a filter to see only the TCP traffic between two IP addresses, or only the packets sent by one computer. The filters are one of the primary reasons Wireshark became the standard tool for packet analysis.
Welcome window
Upon launch, you have access to all available interfaces on your device to perform a capture.
Main window
Once an interface has been chosen you get the packet list pane (coloured), which shows one summary line per captured frame: its number, the time at which it was captured, its source and destination addresses, the protocol and a short description of the information contained in the packet.
The listing can be sorted by any of these columns by clicking on the column name. The Protocol column shows the highest-layer protocol Wireshark decoded in the frame.
Below is the packet details pane, which shows the decoded headers of the selected packet layer by layer: the Ethernet frame, the IP datagram it carries, the TCP or UDP segment, and the application data.
Further information can be displayed by clicking the arrowhead to the left of the Ethernet frame or IP datagram line in the packet details pane, such as:
- The frame length on the wire and the captured length, for comparison (they differ when the capture was truncated by the snapshot length)
- The date and time stamp
- Source and destination IP and MAC addresses of the devices exchanging information
- The protocol version used to carry the packet (IPv4 or IPv6) and the transport protocol (TCP or UDP)
- The source port from which the data was sent and the destination port to which the packet is being transmitted
- The TCP sequence number, which gives the position of the segment's first byte within the stream, so that missing or reordered data can be detected
- The TCP acknowledgement number, which is the sequence number of the next byte the sender expects to receive from the peer
- The headers, the portion of each layer that precedes its body and contains the addressing and other data required for it to reach its intended destination (an Ethernet frame also ends with a trailer, the frame check sequence, which the network card usually strips before Wireshark sees the frame)
- The cryptographic protocol (for example the TLS record layer) when the payload is encrypted, etc.
Command icons
- The blue shark fin starts a capture on the selected interface
- The red square stops the capture
- The green shark fin restarts the current capture
- The gear icon opens the capture options window, where interfaces are managed
The folder and file icons become active once the capture is stopped, so that you can save it to a file, or open, close or reload a previously saved capture file.
The arrow icons let you jump to the first, last, previous or next packet, or to a specific packet number, during a live capture or within a stopped one. The last two icons toggle automatic scrolling to the last packet during capture and the colouring of packets according to the colouring rules.
Then you can zoom in, zoom out, return to normal size, or resize the packet list columns to fit the contents of the main window.
Display filter
Underneath the icons sits the display filter bar, which Wireshark uses to select which packets are shown. The field changes colour as you type: it stays red until the syntax is valid and turns green once it is. A yellow background means the filter is valid but may not produce the results you expect; in older versions ‘ip.addr != 192.168.1.10’ was the classic example, since it matched almost every packet (it is true whenever either the source or the destination differs). ‘!(ip.addr == 192.168.1.10)’ excludes the host in every version.
To learn the right expressions, you can click the “Expression…” button at the right of the filter bar. A search field lets you look up a precise field name, and pressing OK inserts the correctly formed expression into the filter. There are more expressions to explore on the display filter syntax page.
Some expressions of specific filters
You will find a cheat sheet of capture and display filters there.
Below are some examples :
Restrict the view to a source IP only, or to a destination IP only:
ip.src == 192.168.1.10
ip.dst == 192.168.1.10
Filter by protocol:
http
Filter by port number (‘tcp.port eq [port-no]’ matches the port whether it is the source or the destination):
tcp.port eq 465
Reject packets based on source or destination: ‘ip.src != [src_addr]’ or ‘ip.dst != [dst_addr]’
ip.src != 192.168.1.10
ip.dst != 192.168.1.10
To drop every packet involving a host in either direction, use ‘!(ip.addr == 192.168.1.10)’ rather than ‘ip.addr != 192.168.1.10’, which in older Wireshark versions matched nearly everything.
Filtering packets that match multiple conditions, applying AND (‘protocol && ip.src == [addr]’ or ‘protocol && ip.dst == [addr]’):
http && ip.src == 192.168.1.10
http && ip.dst == 192.168.1.10
Filtering packets that match either one condition or the other, applying OR:
http || arp
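Worked example, added here and not part of the original page or of Wireshark itself: a small Python dissector that reads a classic pcap file and extracts the fields listed in the packet details section above (frame length versus captured length, time stamp, MAC and IP addresses, ports, sequence and acknowledgement numbers, highest decoded protocol), then applies Python equivalents of the display filters just shown. Everything it reads is constructed inline for the demo: the MAC and IP addresses, the HTTP request with its plain-text password, the snapshot length that truncates the third frame. The FILTERS table hand-codes each expression rather than parsing Wireshark's filter language, the HTTP detection is a crude first-bytes heuristic rather than Wireshark's dissector, and IP/TCP checksums are left at zero because nothing here validates them.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Packet:                        # field names mirror the packet details pane
    number: int
    time: float                      # capture time stamp (ts_sec + ts_usec / 1e6)
    frame_len: int                   # length on the wire (pcap orig_len)
    cap_len: int                     # bytes actually stored (pcap incl_len, at most snaplen)
    eth_src: str
    eth_dst: str
    protocol: str = "eth"            # highest decoded layer, like the Protocol column
    ip_src: Optional[str] = None
    ip_dst: Optional[str] = None
    tcp_sport: Optional[int] = None
    tcp_dport: Optional[int] = None
    tcp_seq: Optional[int] = None    # stream position of this segment's first byte
    tcp_ack: Optional[int] = None    # next sequence number expected from the peer
    payload: bytes = b""

def _mac(b: bytes) -> str: return ":".join(f"{x:02x}" for x in b)
def _ip4(b: bytes) -> str: return ".".join(str(x) for x in b)
def _ip4_bytes(s: str) -> bytes: return bytes(int(x) for x in s.split("."))

def dissect(number: int, ts: float, orig_len: int, data: bytes) -> Packet:
    """Decode Ethernet -> IPv4 -> TCP from one captured frame (which may be truncated)."""
    dst, src, ethertype = struct.unpack("!6s6sH", data[:14])
    pkt = Packet(number, ts, orig_len, len(data), _mac(src), _mac(dst))
    if ethertype == 0x0806:
        pkt.protocol = "arp"
        return pkt
    if ethertype != 0x0800 or len(data) < 34:
        return pkt
    ver_ihl, _, _, _, _, _, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", data[14:34])
    pkt.ip_src, pkt.ip_dst, pkt.protocol = _ip4(s), _ip4(d), "ip"
    off = 14 + (ver_ihl & 0x0F) * 4                        # IHL counts 32-bit words
    if proto != 6 or len(data) < off + 20:
        return pkt
    sport, dport, seq, ack, doff_flags = struct.unpack("!HHIIH", data[off:off + 14])
    pkt.tcp_sport, pkt.tcp_dport, pkt.tcp_seq, pkt.tcp_ack = sport, dport, seq, ack
    pkt.protocol = "tcp"
    pkt.payload = data[off + (doff_flags >> 12) * 4:]      # data offset, also 32-bit words
    if pkt.payload[:4] in (b"GET ", b"POST", b"HTTP"):     # crude heuristic, not Wireshark's dissector
        pkt.protocol = "http"
    return pkt

PCAP_MAGIC = 0xA1B2C3D4   # classic little-endian pcap with microsecond time stamps

def read_pcap(buf: bytes) -> List[Packet]:
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", buf[:24])
    if magic != PCAP_MAGIC or linktype != 1:               # 1 = LINKTYPE_ETHERNET
        raise ValueError("only little-endian Ethernet pcap is handled here")
    packets, pos = [], 24
    while pos + 16 <= len(buf):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack("<IIII", buf[pos:pos + 16])
        pos += 16
        packets.append(dissect(len(packets) + 1, ts_sec + ts_usec / 1e6, orig_len, buf[pos:pos + incl_len]))
        pos += incl_len
    return packets

# ---- constructed sample capture: no real hosts, checksums left at zero ----
SNAPLEN = 96

def _tcp_frame(smac, dmac, sip, dip, sport, dport, seq, ack, flags, payload=b""):
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     _ip4_bytes(sip), _ip4_bytes(dip)) + tcp
    return struct.pack("!6s6sH", dmac, smac, 0x0800) + ip

def _arp_frame(smac, sip, tip):
    body = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1, smac, _ip4_bytes(sip), b"\0" * 6, _ip4_bytes(tip))
    return struct.pack("!6s6sH", b"\xff" * 6, smac, 0x0806) + body

def _pcap(frames):
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, SNAPLEN, 1)
    for i, f in enumerate(frames):
        cap = f[:SNAPLEN]                                   # snapshot length truncates long frames
        out += struct.pack("<IIII", 1700000000 + i, 0, len(cap), len(f)) + cap
    return out

A, B, C = bytes.fromhex("aabbccddee10"), bytes.fromhex("aabbccddee20"), bytes.fromhex("aabbccddee30")
HTTP_REQ = b"GET /login?user=alice&pass=hunter2 HTTP/1.1\r\nHost: intranet.local\r\n\r\n"
FRAMES = [
    _arp_frame(A, "192.168.1.10", "192.168.1.1"),                                            # 1 arp
    _tcp_frame(A, B, "192.168.1.10", "192.168.1.20", 52000, 80, 1000, 0, 0x02),               # 2 SYN
    _tcp_frame(A, B, "192.168.1.10", "192.168.1.20", 52000, 80, 1001, 5001, 0x18, HTTP_REQ),  # 3 http, longer than SNAPLEN
    _tcp_frame(C, B, "192.168.1.30", "10.0.0.5", 52500, 465, 77, 0, 0x02),                    # 4 SYN to port 465
]
SAMPLE_PCAP = _pcap(FRAMES)

HOST = "192.168.1.10"
FILTERS = {   # hand-coded equivalents of the display filters from the page
    "ip.src == 192.168.1.10": lambda p: p.ip_src == HOST,
    "http": lambda p: p.protocol == "http",
    "tcp.port eq 465": lambda p: 465 in (p.tcp_sport, p.tcp_dport),
    "http && ip.src == 192.168.1.10": lambda p: p.protocol == "http" and p.ip_src == HOST,
    "http || arp": lambda p: p.protocol in ("http", "arp"),
    "!(ip.addr == 192.168.1.10)": lambda p: HOST not in (p.ip_src, p.ip_dst),  # excludes the host both ways
}

def apply_filter(packets: List[Packet], expr: str) -> List[int]:
    """Return the packet numbers the display filter would leave in the packet list."""
    return [p.number for p in packets if FILTERS[expr](p)]

if __name__ == "__main__":
    pkts = read_pcap(SAMPLE_PCAP)
    for p in pkts:   # one summary line per frame, like the packet list pane
        print(f"{p.number} {p.time:.6f} {p.ip_src or p.eth_src} -> {p.ip_dst or p.eth_dst} "
              f"{p.protocol} len={p.frame_len} cap={p.cap_len} seq={p.tcp_seq} ack={p.tcp_ack}")
    for expr in FILTERS:
        print(f"{expr:34} -> packets {apply_filter(pkts, expr)}")
```

Run it and compare the third line with the others: its frame length is larger than its captured length because the snapshot length cut it, yet the ‘http’ filter still matches it because the request line survived, and the plain-text credentials in the request are exactly what the page warns about on an unencrypted network. The last filter shows why a host is excluded with a negated equality rather than with ‘!=’ on ip.addr: the ARP frame, which has no IP layer at all, is kept, and both directions of the host's TCP traffic are dropped.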