Table of Contents
What is Wireshark?
Wireshark is an open-source network protocol analyzer that lets you see what’s happening on your network at a microscopic level. It captures network traffic and displays the packets in a human-readable format so you can analyze the data[1].
Some key things Wireshark can do:
- Live capture or analyze saved packet captures
- View summary and detailed information on thousands of network protocols
- Filter captures to only show traffic you’re interested in
- Reconstruct TCP sessions and application data streams
- Generate statistics and graphs for traffic analysis
- Export packet captures or analysis results
It’s used by network administrators, security analysts, developers, and others to analyze network issues, inspect malware activity, debug protocol implementations, and learn how networks function.
When Should You Use Wireshark?
You should use Wireshark any time you need to take a deeper look at the network traffic in your environment.
Some examples include:
- Troubleshooting network performance issues like high latency or packet loss
- Identifying security incidents like data exfiltration or hacking attempts
- Reverse engineering undocumented network protocols
- Inspecting malware network communications
- Debugging client/server communications
- Learning the intricacies of network protocols
Wireshark gives you an invaluable microscope to see your network traffic flows.
How to Download and Install Wireshark
Wireshark runs on Windows, Linux, and macOS. You can download the installer for your platform from the official website.
On Windows or macOS, run the installer and follow the setup wizard. On Linux use your package manager to install Wireshark.
For security best practices[2]:
- Don’t run Wireshark as an admin or root user
- Analyze captures in an isolated environment when possible
- Keep Wireshark updated to the latest version
How to Capture Network Traffic
To capture traffic with Wireshark, first launch the application.
Select Network Interface
In the welcome screen, click on “Capture” > “Options” to select which network interface you want to capture from. This could be your ethernet, wifi, VPN, etc.
Start Capturing Packets
Click the blue “Start” button to begin capturing packets. You’ll now see network traffic scrolling by in real-time!
Stop Capturing
Once you’ve captured the traffic you need, click the red “Stop” button. This saves your capture file for analysis.
Analyzing Captured Packets
Now let’s look at some ways to analyze the packets Wireshark captured:
Follow TCP Streams
Right-click on any TCP packet and select “Follow TCP Stream” to reconstruct and view the communication between the client and server.
Apply Display Filters
Use the filter bar to only show certain packets, like HTTP traffic. Filters help reduce noise.
View Packet Details
Click on any packet to view extremely detailed protocol information in the middle pane. You can inspect headers, payloads, errors, and more.
Export Data
Save packet captures or analysis results in various formats like plain text, JSON, CSV, XML, etc.
Real-World Wireshark Uses
Here are some examples of how Wireshark is commonly used by professionals:
Network Troubleshooting
Narrow down the source of problems like high latency, packet loss, connectivity issues, overloaded links, etc by inspecting traffic flows.
Security Analysis
Detect issues like data exfiltration, malware communications, unusual protocols, misconfigurations, etc by analyzing packets for anomalies.
Protocol Development
Understand the format and behavior of custom protocols by reverse engineering packet captures. Accelerate development and interoperability.
Forensic Investigation
Inspect historical traffic captures for evidence after a security incident has occurred.
Conclusion
Wireshark is an essential tool for any IT professional working with networks or security. It provides unparalleled visibility into network traffic, allowing you to solve problems quickly.
With its advanced filtering and analysis capabilities, Wireshark lets you inspect packets and protocols in intricate detail. Whether you’re performing network troubleshooting, security analysis, software debugging, or forensics investigations, Wireshark should be part of your toolkit.
References
[1] https://www.varonis.com/blog/how-to-use-wireshark
[2] https://wiki.wireshark.org/Security