Wireshark (formerly known as Ethereal) is a GUI-based tool that enables you to inspect network traffic and even individual packets.

[ Download: https[:]//www.wireshark.org/download.html ] 

Wireshark requires either Winpcap (Windows) or libpcap (Linux) library files. When Wireshark prompts you asking whether you want to install these, make certain to say “Yes”.

It is important that you understand how a TCP/IP connection is established (the three-way handshake) before using this tool; otherwise you will be looking at a lot of data that you do not understand.

  • TCP is a connection-based protocol: a connection must be established between both ends of a request before it can work (no data can be sent until the “ACK” is acknowledged). Within the 5-layer model, TCP allows for the constant transmission of segments of data between the client and the server over the TCP connection. (The other protocol used is UDP.)
  • Five Main Layers of TCP/IP:
  1. Physical
  2. Network
  3. Internet
  4. Transport
  5. Application (API)
  • “SYN” is sent to the server from the client, letting it know it wants to connect
  • “SYN/ACK” is sent back to the client from the server, letting it know it acknowledges the request and approves it
  • Then the client sends the “ACK” back by itself, showing that the connection was successful

[ Open Wireshark / Start Wireshark ]

After downloading and installing Wireshark, click on the Wireshark icon to start it. This screen enables you to select the network interface you want to capture packets from. As you can see, Wireshark has detected 4 interfaces, including:

(1) Ethernet,
(2) Local Area Connection 2,
(3) Bluetooth and
(4) Wi-Fi

[ Analysis Window ]

Wireshark has now begun capturing packets on the network it is watching, and packaging them in [ .pcap ] format to be reviewed. This is the standard file format for packet captures (all industries use this format as the standard).

You will see three separate analysis windows in Wireshark:

Top Panel: Packet List Pane

You will see color-coded packets moving in real time through the network.

Middle Panel: Packet Details Pane

This panel provides header information from the packet selected in the top panel.

Bottom Panel: Packet Bytes Pane

The bottom panel provides payload information in both hexadecimal format on the left and ASCII format on the right.

[ Creating Filters ]

In general, there will be too much information to do a useful analysis. Packets fly by at hundreds or thousands per minute, which can often be intimidating and confusing for first-time users. In order to use Wireshark effectively we need to filter the traffic to see just those packets we are interested in.

Wireshark has its own filtering language that you need to know in order to use it properly. The packets being captured and shown in Wireshark belong to many different protocols. The first filter you usually want to apply is a protocol filter. (Remember, TCP/IP is a suite of protocols and we usually only want to focus our analysis on just a few of them, not all.)

In the filter bar (at the top, above Panel 1) try typing “tcp”. You will notice that it turns GREEN, indicating that our syntax is correct; then click the arrow at the end to apply the filter. [ It will display pink if the syntax is incorrect ]

Filter by IP address:

If we want to see traffic only from a particular IP address, we can create a filter that will only show traffic coming from or going to that address. We can do this by entering into the filter window:

ip.addr == <IP address>

To filter by only one end of the conversation, use the source or destination field for the IP address we are targeting: [ip.src] = for source traffic | [ip.dst] = for destination traffic

ip.src == <IP address>

ip.dst == <IP address>
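To tie the three ideas on this page together (the .pcap file format, the SYN / SYN-ACK / ACK handshake, and the ip.addr / ip.src / ip.dst display filters), here is an added Python example that is not part of the original notes or of Wireshark itself. It builds a small constructed capture in memory, parses it with the standard library only, and applies the same filter semantics Wireshark uses (ip.addr matches either direction, ip.src and ip.dst match one end). The addresses, ports and timestamps are made up for the sample.

```python
import socket
import struct
SYN, ACK = 0x02, 0x10   # TCP flag bits as they appear in Wireshark's tcp.flags

def tcp_frame(src, dst, sport, dport, flags, seq=0, ack=0):
    """Ethernet II + IPv4 + TCP frame, no payload (constructed sample, checksums left 0)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def build_pcap(frames):
    """Classic .pcap container: 24-byte global header, 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000, i * 1000, len(f), len(f)) + f
    return out

def parse_pcap(data):
    """One dict per TCP-over-IPv4 packet, keyed by Wireshark's display-filter field names."""
    end = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"   # magic number reveals byte order
    pos, pkts = 24, []
    while pos + 16 <= len(data):
        incl_len = struct.unpack(end + "IIII", data[pos:pos + 16])[2]
        frame, pos = data[pos + 16:pos + 16 + incl_len], pos + 16 + incl_len
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:   # skip non-IPv4 / non-TCP frames
            continue
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]          # IHL gives the IP header length
        sport, dport = struct.unpack("!HH", tcp[:4])
        pkts.append({"ip.src": socket.inet_ntoa(frame[26:30]), "ip.dst": socket.inet_ntoa(frame[30:34]),
                     "tcp.srcport": sport, "tcp.dstport": dport, "tcp.flags": tcp[13]})
    return pkts

def display_filter(pkts, field, value):
    """ip.addr == X matches either direction, like Wireshark; ip.src / ip.dst match one end only."""
    keys = ("ip.src", "ip.dst") if field == "ip.addr" else (field,)
    return [p for p in pkts if any(p[k] == value for k in keys)]

def handshake_steps(pkts):
    """Label the segments of one conversation: SYN, then SYN/ACK, then the bare ACK."""
    names = {SYN: "SYN", SYN | ACK: "SYN/ACK", ACK: "ACK"}
    return [names[p["tcp.flags"]] for p in pkts if p["tcp.flags"] in names]

SAMPLE_PCAP = build_pcap([   # constructed capture: one full handshake plus an unrelated SYN
    tcp_frame("10.0.0.5", "10.0.0.9", 40000, 80, SYN, seq=100),
    tcp_frame("10.0.0.9", "10.0.0.5", 80, 40000, SYN | ACK, seq=500, ack=101),
    tcp_frame("10.0.0.5", "10.0.0.9", 40000, 80, ACK, seq=101, ack=501),
    tcp_frame("10.0.0.7", "10.0.0.9", 40001, 443, SYN, seq=7),
])
```

Writing SAMPLE_PCAP to a file and opening it in Wireshark shows the same four packets, and typing `ip.addr == 10.0.0.5` in the filter bar leaves exactly the three handshake segments that `display_filter(..., "ip.addr", "10.0.0.5")` returns here.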