The Wireshark protocol analyzer turned 20 this year. Since 1998, information security professionals -- as well as hackers of all stripes -- have been using Wireshark to monitor network traffic. This Wireshark tutorial for beginners, first published in 2008, has been updated to show how to use Wireshark to monitor network traffic.
While the look of the Wireshark interface has undergone significant updates, the basic functions -- from installing Wireshark to setting up a capture file and display filter -- remain largely the same. Users wishing for a more old-school protocol sniffing experience can optionally install the Wireshark Legacy interface alongside the upgraded default user interface.
This updated Wireshark tutorial includes screenshots from the latest version of the Wireshark sniffer, version 2.6.3.
This Wireshark tutorial explains how to use Wireshark to monitor and analyze network traffic.
Wireshark, the protocol analyzer formerly known as Ethereal, continues to be one of the most powerful tools in a network security analyst's toolkit. As a network protocol analyzer, Wireshark can peer inside all kinds of network traffic and examine the details of wireless and wired network traffic at a variety of levels, ranging from connection-level information to the bits comprising a single packet. This flexibility and depth of inspection allow the valuable tool to analyze security events and troubleshoot network security device issues.
As open source software, it's also priced right: free!
How to use Wireshark to sniff network traffic
The phrase sniff the network may conjure Orwellian visions of a Big Brother network administrator reading people's private email messages. And while Wireshark is an important tool for cybersecurity professionals, it may also be used by threat actors and others with malicious intent. Therefore, users should be sure to get permission to use Wireshark on anyone else's network.
Security professionals have two important reasons they might choose to sniff network traffic. First, examining the contents of network packets can prove invaluable when investigating a network attack and designing countermeasures.
For example, when harmful network traffic is detected, Wireshark can be used to determine whether the traffic is the result of an error or a malicious attack. If it is the latter, Wireshark can identify the specific type of attack, as well as the IP addresses of the targeted systems and the IP addresses from which the malicious packets originated. Defenders can then use Wireshark to craft upstream firewall rules to block the IP addresses from which the unwanted traffic originated.
The second important reason to use Wireshark to sniff networks is for security troubleshooting of network devices. In particular, I regularly use Wireshark to troubleshoot firewall rules. If systems running Wireshark are connected to either side of a firewall, it is easy to see which packets can successfully traverse the firewall. From there, it is easier to determine whether the firewall is causing connectivity problems.
That being said, it's important to remember that Wireshark can be used for good or for evil, as is the case with many security tools. In the hands of a network or security administrator, Wireshark can be a valuable troubleshooting tool. In the hands of someone with questionable ethics, however, Wireshark can be a powerful eavesdropping tool that gives attackers access to every packet that traverses the network.
Wireshark tutorial: Download Wireshark and installation
Installing Wireshark is simple. 32-bit and 64-bit Windows installers are available on the Wireshark website, as is a macOS version; a portable Windows version is available from PortableApps, an open source project and website that offers portable versions of Windows applications. Wireshark is also available through the standard software distribution channels for most versions of Unix and Linux, and the source code can be downloaded from Wireshark to be compiled and installed on other operating systems.
The Wireshark wizard-based installer for Windows walks the user through the installation, starting with acceptance of the GNU General Public License v2 and then choosing from a panel which components to install -- including the Wireshark 1 classic user interface and various plug-ins, extensions and related tools. The default options should be suitable for most beginners.
The Wireshark development team built the Windows version on top of the WinPcap packet capture library. Those running Windows will be prompted to install WinPcap if it is not already installed on the system. One word of caution: If you're running an outdated version of WinPcap, you should remove it manually using the Windows control panel before running the Wireshark installer.
Wireshark tutorial: Running a simple packet capture
Once Wireshark is installed, start it up and you'll be presented with the screen shown below, which displays the different network interfaces on the system, as well as a graph that indicates network activity on each network interface. In this case, there are two network interfaces, a local Ethernet -- on which there is no activity -- and a Wi-Fi network -- on which there is activity.
Click on the network interface that connects to the network you want to capture from, and Wireshark will open a new window showing the packets being transmitted on that interface. Wireshark offers many options for managing display filters. In the example below, Wireshark displays all the network traffic on the local Wi-Fi network.
In the top pane, information from the headers of each packet is shown, including, by default, a time index showing the elapsed time between the start of the capture and the moment the packet was captured. The time format can be adjusted, and the timestamp data is saved with the capture so you can recover the actual wall-clock time at which a packet was captured.
The packet's source and destination IP addresses, the protocol in use, the length of the packet and information about the packet are also displayed. You can drill down and obtain more information by clicking on a row to display details of the packet in question.
The middle pane contains drill-down details about the packet selected in the top frame. The > characters displayed on the left can be clicked to expand or collapse each layer of information contained within the packet.
The middle pane shows details, in human-readable form, summarizing the protocols in use in the packet highlighted in the top frame. In this case, the packet is a TCP acknowledgment message sent as part of the TCP handshake. It is probably being sent to initiate a request to a web server for an HTTPS connection, because it is directed to port 443, the default port for HTTPS. Wireshark is highly adjustable, and it is possible, for example, to filter the display down to a single TCP stream between two specific hosts.
Finally, the bottom pane is a hexadecimal display that shows the actual digital contents of the packet itself. Highlighting any of the data in that display will display the protocol details in the middle pane, as shown in the screenshot below.
In this case, the highlighted data is shown to be part of the TCP segment header -- segment is the protocol data unit for TCP data -- and shows the header details for the packet in the second screenshot above.
If you'd like to configure advanced options -- like capturing packets to a file, resolving MAC addresses and domain name system (DNS) names, or limiting the time or size of the capture -- choose the Capture menu, then Options. The Input panel provides options to choose which network interfaces to sniff.
The Output panel specifies the file to capture packets to and options for creating a sequence of files. The Options panel offers choices for how to display the packets, options for MAC and DNS name resolution, as well as a way to limit the size of packet captures.
Some of these options can help to improve the performance of Wireshark. For example, disabling name resolution avoids the large number of name queries that would otherwise slow down the capture system and add traffic of their own. Time and size limits are also useful for keeping unattended captures bounded.
Otherwise, simply double-click the name of the interface on which you wish to capture traffic. A new Wireshark window will pop up and begin filling up with the traffic on the network interface, as shown in the second screenshot above.
Interpreting the results with Wireshark color codes
Color is your friend when analyzing packets with Wireshark. Each packet row is color-coded, with gray rows corresponding to TCP handshake protocol packets, light blue rows representing UDP traffic and light purple rows signifying TCP traffic. The Wireshark color-coding scheme -- which is customizable -- is shown in the screenshot below.
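The three panes and the coloring rules described above can be reproduced in a few lines of Python, which helps to understand what Wireshark is actually showing. The following is an added example, not code from the original tutorial or from the Wireshark project: it builds a constructed Ethernet/IPv4/TCP SYN frame to port 443 (the addresses, ports and MACs are made up), dissects it into the summary fields of the top pane and the TCP detail of the middle pane, classifies the row with the default colors mentioned above, and renders the bottom-pane hex dump.

```python
import struct
# Constructed sample frame (not a real capture): Ethernet II / IPv4 / TCP SYN from
# 192.168.1.10:51234 to 93.184.216.34:443, the kind of handshake packet described above.
def build_sample_frame() -> bytes:
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    # src port, dst port, seq, ack, data offset (5 words), flags (SYN), window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 51234, 443, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)
    # version/IHL, TOS, total length, ID, flags/frag, TTL, proto=TCP, checksum (left 0), src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     bytes([192, 168, 1, 10]), bytes([93, 184, 216, 34]))
    return eth + ip + tcp

TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK"}

def dissect(frame: bytes, elapsed: float = 0.0) -> dict:
    """Decode the headers into the fields shown in Wireshark's top (summary) and middle (detail) panes."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("this sample dissector only handles IPv4 frames")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IPv4 header length in bytes
    proto = ip[9]
    pkt = {"time": elapsed, "length": len(frame),
           "src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
           "protocol": {6: "TCP", 17: "UDP"}.get(proto, f"IP proto {proto}")}
    if proto == 6:
        sport, dport, seq, _ack, off, flags, win, _, _ = struct.unpack("!HHIIBBHHH", ip[ihl:ihl + 20])
        names = [n for bit, n in TCP_FLAGS.items() if flags & bit]
        pkt["tcp"] = {"src_port": sport, "dst_port": dport, "seq": seq,
                      "header_len": (off >> 4) * 4, "flags": names}
        pkt["info"] = f"{sport} -> {dport} [{', '.join(names)}] Seq={seq} Win={win}"
    return pkt

def row_color(pkt: dict) -> str:
    """Approximate the default coloring rules described above (SYN/FIN rows gray, UDP blue, other TCP purple)."""
    if pkt["protocol"] == "UDP":
        return "light blue"
    if pkt["protocol"] == "TCP":
        return "gray" if set(pkt["tcp"]["flags"]) & {"SYN", "FIN"} else "light purple"
    return "default"

def hexdump(data: bytes, width: int = 16) -> str:
    """Render bytes like the bottom pane: offset, hex bytes, printable ASCII."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {hexpart}  {asc}")
    return "\n".join(lines)
```

Calling dissect(build_sample_frame()) yields the summary row (source, destination, protocol, length, info) and a tcp sub-dictionary for the middle pane; hexdump(build_sample_frame()) prints the bottom pane view of the same 54 bytes.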
That sums up the basics of using Wireshark to capture and analyze network traffic. The best way to become a Wireshark expert quickly is to get your hands dirty and start capturing network traffic. There's no doubt you'll find that it can be a helpful tool for everything from configuring firewall rules to spotting an intrusion. Remember, however, that you must always have permission from the network owner before capturing traffic on any network.