The Wireshark protocol analyzer turned 21 this year. Since 1998, information security professionals -- as well as hackers of all stripes -- have been using Wireshark to monitor network traffic. This Wireshark tutorial for beginners, first published in 2008, has been repeatedly updated to show how to use new versions of Wireshark to monitor network traffic.
While the look of the Wireshark interface has undergone significant updates, the basic functions -- from installing Wireshark to setting up a capture file and display filter -- remain largely the same. Users who preferred the old-school GTK-based "Wireshark Legacy" interface could install it as an optional component of the 2.x releases, but it was removed in Wireshark 3.0, so the screenshots and steps in this tutorial use the standard Qt interface.
This updated Wireshark tutorial, which offers insights for beginners on how to monitor and analyze network traffic, includes screenshots from the latest version of the Wireshark sniffer, version 3.0.3.
Wireshark continues to be one of the most powerful tools in a network security analyst's toolkit. As a network packet analyzer, Wireshark can peer inside all kinds of wired and wireless network traffic and examine it at a variety of levels, from connection-level summaries down to the individual bits of a single packet. This flexibility and depth of inspection make it a valuable tool for analyzing security events and troubleshooting network security device issues.
And, as open source software, it's free, so the price is right.
What is Wireshark used for?
- Security specialists use Wireshark to investigate potential security incidents.
- Networking teams use Wireshark to troubleshoot connectivity issues.
- Attackers use Wireshark to eavesdrop on sensitive communications.
The phrase sniff the network may conjure Orwellian visions of a Big Brother network administrator reading people's private email messages. And, while Wireshark is an important tool for cybersecurity professionals, it may also be used by threat actors and others with malicious intent. Therefore, users should be sure to get permission to use Wireshark on anyone else's network.
Security professionals have two important reasons they might choose to sniff network traffic. First, examining the contents of network packets can prove invaluable when investigating a network attack and designing countermeasures. For example, when harmful network traffic is detected, Wireshark can be used to determine whether the traffic is the result of an error or a malicious attack. If it is the latter, the packet contents usually let an analyst identify the specific type of attack, the IP addresses of the targeted systems and the IP addresses from which the malicious packets originated. Defenders can then use that information to craft upstream firewall rules that block the offending sources -- keeping in mind that source addresses can be spoofed or belong to an intermediate proxy, so a capture shows where packets arrived from, not necessarily who sent them.
The second important reason to use Wireshark to sniff networks is for security troubleshooting of network devices. In particular, I regularly use Wireshark to troubleshoot firewall rules. If systems running Wireshark are placed on each side of a firewall, it is easy to compare the two captures and see which packets successfully traverse the firewall and which are dropped. From there, it is much easier to determine whether the firewall is causing connectivity problems.
That said, it's important to remember that Wireshark can be used for good or evil, as is the case with many security tools. In the hands of a network or security administrator, Wireshark can be a valuable troubleshooting tool. In the hands of someone with questionable ethics, however, Wireshark can be a powerful eavesdropping tool that gives attackers access to every packet that traverses the network.
1. Download and install Wireshark
There are three main ways to download Wireshark for network analysis:
- Download precompiled versions of Wireshark available for Windows or macOS.
- Build your own Wireshark executable from source for other OSes.
- Add a portable copy of Wireshark on a USB drive to your incident response toolkit.
Installing Wireshark is simple: 32-bit and 64-bit Windows installers and a macOS package are available on the Wireshark website. A portable Windows build is also available from PortableApps, an open source project and website that offers portable versions of Windows applications. Wireshark is packaged in the standard software repositories of most Linux and Unix distributions, and the source code can be downloaded from Wireshark to be compiled and installed on other OSes.
The Wireshark wizard-based installer for Windows walks users through the installation, starting with acceptance of the GNU General Public License v2 and then choosing which components to install from a panel, including the command-line TShark analyzer and various plugins, extensions and related tools. Choosing the default options should be suitable for most beginners.
On Windows, Wireshark captures packets through a separate kernel driver. Wireshark 3.0 and later use the Npcap packet capture library; earlier releases used WinPcap, which is no longer maintained. Those running Windows will be prompted to install Npcap if it is not already on the system, and the driver installation requires administrator rights. One word of caution: If you're running an outdated version of WinPcap, remove it manually using the Windows control panel before running the Wireshark installer.
2. Run a simple packet capture
Once Wireshark is installed, start it up, and you'll be presented with a screen displaying the different network interfaces on the system, as well as a graph that indicates network activity on each network interface. In the screenshot below, there are quite a few network interfaces shown. Many of these are wired and internal interfaces that have no activity, as indicated by the flat lines. The top network interface -- a Wi-Fi interface -- shows activity, as indicated by the squiggly line.
Double-click on the network interface that connects to the network you want to capture from, and Wireshark will open a new window to show the packets being transmitted on the network. In the example below, no display filter has been applied, so Wireshark displays all the network traffic on the local Wi-Fi network; display filters, covered later, narrow this view to the packets you care about.
In the top pane, Wireshark shows information from the headers of each packet, including, by default, a time index showing the elapsed time between the start of the capture and when the packet was captured. The time format can be adjusted from the View menu (Time Display Format), and the capture file stores an absolute timestamp for every packet, so the actual time a captured packet was sent can be recovered later.
The packet's source and destination IP addresses, the protocol in use, the length of the packet and an Info summary of the packet are also displayed. You can drill down and obtain more information by clicking on a row to display details of the packet in question.
The middle pane contains drill-down details about the packet selected in the top frame. The > icons displayed on the left can be chosen to reveal varying levels of detail about each layer of information contained within the packet. For example, here is the Ethernet header for an individual packet:
This header tells us the source and destination MAC (Media Access Control) addresses, as well as the identity of the next protocol in the stack: IPv4. We can then drill into the IPv4 header:
Here, we find the source and destination IP addresses, as well as IP-specific information. This header also points us in the direction of the transport protocol in use, which, in this case, is the Transmission Control Protocol (TCP). We can find information about TCP in the packet's TCP header:
This header includes information about the source and destination TCP ports, the flags set on the packet and other helpful troubleshooting details.
Finally, the bottom pane is a hex and ASCII dump that shows the actual bytes of the packet itself. Clicking a byte in that pane highlights the protocol field that contains it in the middle pane, and selecting a field in the middle pane highlights its bytes in the bottom pane, as shown in the screenshot below.
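To make concrete what the three subtrees in the middle pane contain, here is an added example (written for this edit, not code from the tutorial or from the Wireshark project) that constructs a single TCP SYN frame, decodes it into the same Ethernet II, IPv4 and TCP fields Wireshark displays, verifies the IPv4 and TCP checksums the way Wireshark's checksum validation does, and writes the frame to a classic .pcap file you can open in Wireshark. The MAC addresses, ports, sequence number and both IP addresses are constructed sample values, not data from a real capture.

```python
# Added example (not from the original tutorial): decode the three headers
# Wireshark's details pane shows (Ethernet II -> IPv4 -> TCP) from raw frame bytes,
# verify the IPv4/TCP checksums, and write the frame to a .pcap Wireshark can open.
# The frame, MACs, ports and sequence number are constructed sample data.
import socket
import struct
import time

TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
             (0x10, "ACK"), (0x20, "URG"), (0x40, "ECE"), (0x80, "CWR")]


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; yields 0 when run over data whose checksum field is already valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_syn_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq):
    """Construct an Ethernet/IPv4/TCP SYN with no options and no payload (sample data)."""
    src4, dst4 = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 64240, 0, 0)
    pseudo = src4 + dst4 + struct.pack("!BBH", 0, 6, len(tcp))  # TCP checksum also covers a pseudo-header
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0, src4, dst4)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]   # IP checksum covers the header only
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    return eth + ip + tcp


def decode_frame(frame: bytes) -> dict:
    """Return the fields shown in Wireshark's Ethernet II, IPv4 and TCP subtrees for one frame."""
    def mac(b):
        return ":".join("%02x" % x for x in b)
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    out = {"eth": {"dst": mac(dst), "src": mac(src), "type": ethertype}}
    if ethertype != 0x0800:            # only IPv4 is decoded in this example
        return out
    ip = frame[14:]
    ver_ihl, _tos, total_len, _id, flags_frag, ttl, proto, _csum, s, d = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    out["ip"] = {"version": ver_ihl >> 4, "header_len": ihl, "total_len": total_len, "ttl": ttl,
                 "proto": proto, "dont_fragment": bool(flags_frag & 0x4000),
                 "src": socket.inet_ntoa(s), "dst": socket.inet_ntoa(d),
                 "checksum_ok": inet_checksum(ip[:ihl]) == 0}
    if proto != 6:
        return out
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_res, flags, win, _tcsum, _urg = struct.unpack("!HHIIBBHHH", tcp[:20])
    pseudo = s + d + struct.pack("!BBH", 0, 6, len(tcp))
    out["tcp"] = {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "header_len": (off_res >> 4) * 4,
                  "flags": [name for bit, name in TCP_FLAGS if flags & bit], "window": win,
                  "checksum_ok": inet_checksum(pseudo + tcp) == 0}
    return out


def write_pcap(path, frames):
    """Write frames in classic libpcap format (link type 1 = Ethernet) so Wireshark can open the file."""
    now = int(time.time())
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, frame in enumerate(frames):
            f.write(struct.pack("<IIII", now + i, 0, len(frame), len(frame)) + frame)


def read_pcap(path):
    """Return the raw frames from a little-endian classic libpcap file (the format written above)."""
    with open(path, "rb") as f:
        data = f.read()
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap file")
    pos, frames = 24, []
    while pos + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack("<IIII", data[pos:pos + 16])
        frames.append(data[pos + 16:pos + 16 + incl_len])
        pos += 16 + incl_len
    return frames


if __name__ == "__main__":
    syn = build_syn_frame("aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02",
                          "192.168.1.30", "220.127.116.11", 51234, 443, 1000)
    write_pcap("sample_syn.pcap", [syn])
    for layer, fields in decode_frame(read_pcap("sample_syn.pcap")[0]).items():
        print(layer, fields)
```

Run it and open sample_syn.pcap in Wireshark; the Ethernet II, IPv4 and TCP subtrees in the middle pane should list the same values the script prints. Note that Wireshark leaves TCP checksum validation switched off by default (Preferences > Protocols > TCP), because network cards with checksum offload hand the operating system outgoing frames whose checksums have not been filled in yet, so a capture on the sending host would show every outbound segment as "bad".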
Modifying capture options
While it is simple to run a basic packet capture in Wireshark, the tool also lets you modify several options to adjust your capture. You can access these options by clicking the gear-shaped Capture Options icon, highlighted below.
Clicking this button will open the Capture Interfaces window, which has three tabs. The first, Input, lets you choose the interface and enable promiscuous mode. This mode tells the network card to pass up frames that are not addressed to your capture system. Keep in mind what promiscuous mode can and cannot do: on a switched network, the switch only forwards you traffic for your own MAC address plus broadcast and multicast, so seeing other hosts' conversations requires a mirror (SPAN) port, a network tap or similar access; and on Wi-Fi, capturing other stations' frames requires monitor mode, which not every adapter and driver supports.
The Output tab controls where Wireshark stores the packets that it captures. You can automatically store captured packets in a file and choose its format (pcapng or classic pcap), and you can have Wireshark start a new file whenever a given amount of data has been captured or a given amount of time has elapsed, optionally as a ring buffer so that a long-running capture does not fill the disk.
Finally, the Options tab offers choices for how to display packets while capturing, options for MAC and DNS name resolution, and a way to stop the capture automatically after a certain number of packets, amount of data or elapsed time. Some of these options matter for performance and for stealth: leaving network name resolution enabled slows the capture and makes the analyst's machine send a DNS query for every address it sees, which pollutes the capture and can tip off a target, so it is usually best left off. Time and size limits are what make unattended captures safe.
3. Interpret and analyze packet contents
Here's an example of capturing and analyzing a network packet. If you haven't yet, double-click the name of the interface on which you wish to capture traffic. A new Wireshark window will pop up and begin filling up with the traffic on the network interface. Once this happens, you can click once on a line in the top pane to inspect a single packet.
The middle pane provides, in human-readable form, a summary of the protocols in use in the packet highlighted in the top frame. In this case, the packet is a TCP SYN message, the first step of the TCP three-way handshake. It is probably being sent to initiate an HTTPS connection to a web server, because it is directed to port 443, the default port for HTTPS.
We can investigate this packet further by looking at the destination IP address: 220.127.116.11. Using Whois, we can determine that this IP address belongs to Google. Therefore, it is reasonable to conclude that someone on our network, using the IP address 192.168.1.30, accessed a Google website. The fact that this communication took place over TCP port 443 indicates that it was encrypted using HTTPS, so the request and response bodies are not readable from the capture. That does not mean nothing more can be learned, though: the TLS handshake that follows the SYN is not encrypted, and the client's ClientHello normally carries the requested host name in the clear in its Server Name Indication (SNI) extension, while a TLS 1.2 server also sends its certificate unencrypted. Following the TCP stream to the first TLS packets will usually reveal which site was visited, even though the content stays hidden.
Interpret results with Wireshark color codes
Color is your friend when analyzing packets with Wireshark. Each packet row is color-coded according to the default coloring rules: gray rows are TCP SYN and FIN packets (connection setup and teardown), light blue rows are UDP (User Datagram Protocol) traffic, light purple rows are other TCP traffic, and rows with a black background and red text flag TCP problems such as retransmissions or out-of-order segments, which is a quick way to spot trouble in a large capture. The Wireshark color-coding scheme -- which is customizable under View > Coloring Rules -- is shown in the screenshot below.
That sums up the basics of using Wireshark to capture and analyze network traffic. The best way to become a Wireshark expert quickly is to get your hands dirty and start capturing network traffic. There's no doubt you'll find that it can be a helpful tool for everything from configuring firewall rules to spotting an intrusion. Remember, however, that you must always have permission from the network owner before capturing traffic on any network.