How to Use Wireshark to Capture and Inspect Packets

How to use Wireshark to capture and inspect packets

Wireshark is a very effective and thorough packet analyzer that is particularly useful for capturing wireless network traffic. This tool’s competence is so widely admired that it has become a commonly used tool for hackers. The reputation of Wireshark is such that you shouldn’t attempt to use it on your workplace network without permission from the network manager. If you are the network manager, however, you will be very pleased with the information that you get out of this free tool.

Get and install Wireshark

Wireshark is available for Windows, Mac OS, Linux, and Unix. The code for Windows and Macs is available at the Wireshark website. Click on the Download button in the main page of the site to get to the Download page.

Wireshark download page

Click on the version that is suitable for your operating system to get the installer. Clicking on the downloaded file will get Wireshark installed on your computer. You will have to reboot in order to complete the installation.

If you have Kali Linux, you already have Wireshark built into the operating system. For Debian and Ubuntu owners, you can get the program from the system repository.

This guide will use the Windows version of Wireshark, release 2.6.2.

The Wireshark interface

When you open Wireshark, it will scan for all available networks. These networks are listed in the interface, with any activity shown alongside as a graph. Any network that shows a flat line has no activity. Only those networks that show activity are worth investigating. The interface has two menu ribbons. The top row of menu items is presented as text. Clicking on one of those items provokes a drop-down menu to appear.

Wireshark menu

The second menu ribbon contains items represented by icons, rather than text. The fourth item on this line is of particular interest. This looks like a black and white rosette and it leads to the Options screen of the tool. One of the key settings you need to look at is whether “promiscuous mode” is enabled. A checkbox at the bottom of the Options screen allows you to set promiscuous mode active for all networks. If this box is unchecked, you can set the mode on individually for each network adapter.

Wireshark Options

Your network card will only pick up messages intended for your computer if promiscuous mode is turned off. The Wireshark interface is only able to show the packets that your network card passes to it. With promiscuous mode turned on, the network card will pick up all traffic, so you will be able to see all network activity, not just the communications traveling to and from your computer.

Once you start capturing packets, the standard display is divided into three panels. The capture screen shows you a list of packets in the top window, the middle window shows details of a packet that has been selected from the top panel, including interpretations of the information in the header of the packet. The bottom frame in the interface shows the bytes contained in the selected packets.

If you click on the View menu option in the top menu ribbon of the interface, you can turn one of these panels off, giving more space to the remaining windows. If you find the space given to each type of data is too small for you to get a wide enough view of the data.

Wireshark display options

You can limit the panel display to just one of these three windows. You would then switch between data levels by returning to the View menu to turn one panel off and another one on. Another option is to just show the Packet List in the main screen and then select Show Packets in New Window from the View menu and then get the packet details and packet bytes panels in a separate window.

Wireshark secondary window

Be aware, though, that clicking on a new packet in the main window doesn’t replace the details in the secondary window. Instead, clicking on a new packet will open another details window. So, unless you remember to close them down, you will end up with a lot of open detail windows.

Capture packets

When you are ready to capture packets, select the network adapter that you want to eavesdrop on from the Welcome screen. Double click on that record to get through to the packet display screen. The layout of the packet screen is recalled from your last session, so if you narrowed down the view to just the Packet List, then that is all that you will see on entering the screen. The default layout for the screen is the three panel display, showing the Packet List, Packet Details, and Packet Bytes windows.

Explore the icon menu if you want to turn off scrolling to the latest packet or if you want to turn off color coding.

Wireshark Scroll and Color options

The scrolling and color coding buttons are highlighted in the image above.

Scrolling gives you a view of the latest packet, but that setting also results in the packet records constantly moving, making it very difficult to read any of the records.

Records are color coded by default. To find out what each color represents, click on the View menu item and then select Coloring Rules from the drop-down menu. You can alter these rules in the window that this menu option brings up, or just learn the significance of each color.

Wireshark Coloring Rules

In order to see the Packet Details and Packet Bytes display for a specific packet, you have to click on that record in the Packet List window.

All of the packets that you see on your screen include both ingoing and outgoing packets. That is packets going out of your computer onto the network are shown as well as packets traveling from and to other devices on the same network.

You probably won’t want to let the capture session to last forever. Press the red square button in the icon menu to stop the capture.

Wireshark capture stop

Alternatively, you can click on Capture in the top menu and select Stop from the drop-down menu.

You can save the session and all of the information on packets that passed by into a file. The session will already be written to a file during the session. You will see that file name on the bottom frame of the Wireshark window. However, that is just a temporary file. Click on File and then Save in order to save your session. The default file extension is pcapng.

Once you have a file of packets, you can open it later and read it into the Wireshark interface for further analysis.

Filter packets

Wireshark is a great tool for capturing packets, but it isn’t that great for analyzing them. The main analytical tool in the software is the ability to color code packets and filter packet records. The system offers two layers of filters. These are capture filters and display filters. It is better to set a capture filter before you start the packet capture process flowing, otherwise, you will end up with inconsistent records.

Click on the Capture menu option and then select Capture Filters from the drop-down menu. You will see a number of filters already in place. You can delete these filters or add new ones.

Wireshark capture filter

The display filters don’t change the underlying data, they just cut out a lot of records, so you can return to the underlying data at any time. You enter your display filter in the long strip at the top of the Packet List table. The example below shows a filter that narrows down the display to just show TCP packets.

Wireshark display filter

You can put in place some very sophisticated display filters using a query language. A popup window helps you to assemble these queries. You get to this helper by clicking on the Expressions button at the ender of the display filter field.

Wireshark assemble filter

You will probably find this filter query language difficult to master.

Improve analysis

The ability to save packets to a file opens up the option to import captured data into other tools for deeper analysis. Fortunately, there are some very good and easy to use tools available out there.

The SolarWinds Response Time Viewer for Wireshark is one option that you should try out. This is a free tool that is available for Windows.

SolarWinds Response Time Viewer

The SolarWinds tool will read in the pcap file that you saved in Wireshark and identify each of the applications that appeared in that data. It will display the network response time and the application response times derived from the pcap file. Pointing at one record gives you a pop-up window with details of that application’s performance on the network. This is just one example of the many packet analysis programs that are available to operate on Wireshark output.

Leave a Reply