The following tutorial is intended as a brief introduction to the most famous packet sniffer in the world, Wireshark. The most complete guide you can find is the official user guide, user-guide-wireshark.pdf, which runs to 192 pages. If you don’t want to read all those pages, you can find a few easier tutorials on the web. This is one of them, and it will guide you from the theoretical basis to a “hands-on” approach to the graphical interface.
The data that you send and receive with your computer are encapsulated following the ISO/OSI model or the TCP/IP architecture. In the following images you can see how the ISO/OSI model and the TCP/IP architecture are built and how they map onto each other.
Starting from the application level, data are encapsulated through 7 different levels, and every level adds its own header. Look at the following image: at the transport level we refer to the data as “segments”, at the network level as “packets”, at the data-link level as “frames” and at the physical level as “bits”.
Wireshark is a powerful and efficient packet sniffer. Although we say “packet sniffer”, Wireshark actually captures frames at the data-link layer. Wireshark is passive: it does not send frames of its own, nor does it receive frames addressed to it. It only gets a copy of all the frames exchanged between two machines and, sniffing at the data-link level, it is able to read the information at all the higher levels (network, transport, session, presentation, application), storing the data and displaying the various protocol fields and their content.
Wireshark is essentially composed of two parts: the packet-capture library, which allows Wireshark to sniff the packets, and the packet analyzer, which allows Wireshark to distinguish, for example, an HTTP POST method from an HTTP GET method.
A Simple Graphical Interface
The graphical interface of Wireshark shows the following parts:
- command menus
- packet display filter field
- packet-listing window
- packet-header details window
- packet-contents window
- The File Menu allows us to import capture files, export them, save the capture and exit Wireshark.
- The Edit Menu helps us search for a particular packet among the multitude of captured packets.
- The Capture Menu lets us start or stop a capture and refine the capture options. It also presents a list of preconfigured capture filters.
- The Analyze Menu offers further filter options.
The Packet Display Filter Field
Here you can enter an expression (e.g. a protocol name) to hide all the packets that do not match it.
The Packet-Listing Window
Here we can see a list of all the captured packets. Please note that the packet number is assigned by Wireshark for clarity and readability; it has nothing to do with the packet itself. In this list you can also find the source and destination addresses, the time at which the packet was captured and the protocol type.
The Packet-Header Details Window
The kind of details you can find here includes the source and the final destination of the selected packet, Ethernet and IP-layer details and so on.
The Packet-Contents Window
This window displays the content of the selected packet in both hexadecimal and ASCII.
The Installation Process
Note that non-root users won’t automatically have permission to perform captures. To solve this problem, read the README document (/usr/share/doc/wireshark-common/README.Debian), which says:
“Only root user will be able to capture packets. It is advised to capture packets with the bundled dumpcap program as root and then run Wireshark/Tshark as an ordinary user to analyze the captured logs. This is the default on Debian systems.”
Another possibility is to use Wireshark to both capture and analyze the packets; in this case the root user has to add the non-root users to the wireshark group so that they are able to capture.
All the actions in Wireshark can be performed from the keyboard. The following is a list of the fundamental keystrokes that you can use to move through a capture file.
A Capturing Test
To perform a capture test, simply open your favourite browser. Then start Wireshark: you will see the main window, with no packet information in it yet. Go to “Interfaces” and select your favourite one. Wireshark can use a great variety of interfaces. Under Linux:
- “any” : virtual interface, captures from all available (even hidden!) interfaces at once
- “lo”: virtual loopback interface
- “eth0”, “eth1”, …: Ethernet interfaces
- “ppp0”, “ppp1”, …: PPP interfaces
- “wlan0”, “wlan1”, …: Wireless LAN
- “team0”, “bond0”: Combined interfaces (i.e. NIC teaming or bonding)
- “br0”, “br1”, …: Bridged Ethernet
- “tunl0”, “tunl1”: IP in IP tunneling
- “gre0”, “gre1”: GRE tunneling (Cisco)
- “ipsec0”, “ipsec1”: IPsec (VPN)
- “nas0”, “nas1”: ATM bridging as in RFC 2684 (used e.g. for xDSL connections)
- “usb0”, “usb1”, …: USB interfaces
To discover the supported interfaces on other operating systems, consult the Wireshark Wiki. Note that if you put your interface in monitor mode, you will be able to capture not only the copies of the packets sent to and from you but also copies of all the packets travelling on your network! Be careful in this case, because the .pcap file can rapidly become very large.
Once you have selected the capture interface, click Start and the capture will begin on that interface. While you surf the web you will see the list of captured packets grow; once you are satisfied, that is, once you think you have enough packets, stop the capture. Now go to the File Menu and click “Save As”. You can save the captured packets in several formats; the following is the list of supported formats from Wireshark’s site:
- pcapng (*.pcapng). A flexible, extensible successor to the libpcap format. Wireshark 1.8 and later save files as pcapng by default. Versions prior to 1.8 used libpcap.
- libpcap, tcpdump and various other tools using tcpdump’s capture format (*.pcap,*.cap,*.dmp)
- Accellent 5Views (*.5vw)
- HP-UX’s nettl (*.TRC0,*.TRC1)
- Microsoft Network Monitor – NetMon (*.cap)
- Network Associates Sniffer – DOS (*.cap,*.enc,*.trc,*.fdc,*.syc)
- Network Associates Sniffer – Windows (*.cap)
- Network Instruments Observer version 9 (*.bfr)
- Novell LANalyzer (*.tr1)
- Oracle (previously Sun) snoop (*.snoop,*.cap)
- Visual Networks Visual UpTime traffic (*.*)
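To make the theory above concrete, here is an added example (not code from the tutorial or from the Wireshark project) that does in a few dozen lines of Python what Wireshark does for you: it reads the libpcap format listed above, peels the headers in the order the encapsulation section describes (frame, then IP packet, then TCP/UDP segment, then application data), and applies a tiny subset of the display-filter syntax from the packet display filter field (a protocol name, or `proto.field == value` terms joined with `&&`). The two-record capture it parses is constructed in memory, so nothing is sniffed from a real interface; the MAC addresses and the 192.0.2.0/24 destinations are placeholder values, and checksums are left at zero, which Wireshark would flag as bad.

```python
import struct

# All packet bytes below are constructed for this example; nothing here was captured.
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def ethernet_ipv4_frame(proto, transport, src_ip, dst_ip):
    """Wrap a transport-layer unit in an IPv4 header and then an Ethernet header,
    i.e. the encapsulation the tutorial describes (segment -> packet -> frame)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(transport), 1, 0, 64,
                         proto, 0,  # checksum deliberately left zero (placeholder)
                         bytes(src_ip), bytes(dst_ip))
    # placeholder MAC addresses, not real hardware
    eth_hdr = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    return eth_hdr + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + transport


def build_sample_pcap():
    """A two-record libpcap file: an HTTP GET over TCP and a small UDP datagram to port 53."""
    http = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    # TCP header: ports, seq, ack, data offset 5 words, flags PSH|ACK, window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + http
    udp = struct.pack("!HHHH", 40001, 53, 8 + 4, 0) + b"\xab\xcd\x01\x00"
    frames = [
        ethernet_ipv4_frame(PROTO_TCP, tcp, [192, 168, 1, 10], [192, 0, 2, 80]),
        ethernet_ipv4_frame(PROTO_UDP, udp, [192, 168, 1, 10], [192, 0, 2, 53]),
    ]
    # global header: magic, version 2.4, thiszone, sigfigs, snaplen, link type 1 = Ethernet
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        # record header: ts_sec, ts_usec, captured length, original length
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Yield (frame number, timestamp, frame bytes) per record, like the packet-listing window."""
    magic, = struct.unpack("<I", data[:4])
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a libpcap file (pcapng is a different format)")
    _major, _minor, _tz, _sigfigs, _snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    if linktype != 1:
        raise ValueError("only Ethernet (link type 1) is handled here")
    offset, number = 24, 1
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        frame = data[offset:offset + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated record at frame %d" % number)
        offset += incl_len
        yield number, ts_sec + ts_usec / 1e6, frame
        number += 1


def dissect(frame):
    """Peel the headers layer by layer; the result mirrors the packet-header details window."""
    layers = {"frame": {"length": len(frame)}}
    if len(frame) < 14:
        return layers
    ethertype = struct.unpack("!H", frame[12:14])[0]
    layers["eth"] = {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"), "type": ethertype}
    if ethertype != ETHERTYPE_IPV4 or len(frame) < 34:
        return layers
    ip = frame[14:]
    ihl, total_len, proto = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0], ip[9]
    layers["ip"] = {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])), "proto": proto}
    seg = ip[ihl:total_len]
    if proto == PROTO_TCP and len(seg) >= 20:
        sport, dport = struct.unpack("!HH", seg[:4])
        layers["tcp"] = {"srcport": sport, "dstport": dport, "flags": seg[13]}
        payload = seg[(seg[12] >> 4) * 4:]
        if payload and 80 in (sport, dport):  # simplistic port-based HTTP recognition
            layers["http"] = {"request_line": payload.split(b"\r\n", 1)[0].decode("ascii", "replace")}
    elif proto == PROTO_UDP and len(seg) >= 8:
        sport, dport, length = struct.unpack("!HHH", seg[:6])
        layers["udp"] = {"srcport": sport, "dstport": dport, "length": length}
    return layers


def matches(layers, display_filter):
    """Tiny subset of display-filter syntax: protocol names and 'proto.field == value', joined by '&&'."""
    for term in (t.strip() for t in display_filter.split("&&")):
        if "==" in term:
            field, value = (s.strip() for s in term.split("==", 1))
            proto, name = field.split(".", 1)
            actual = layers.get(proto, {}).get(name)
            if actual is None or str(actual) != value.strip('"'):
                return False
        elif term not in layers:
            return False
    return True


def packet_list(pcap_bytes, display_filter=""):
    """Rows like Wireshark's packet list: number, time, source, destination, top protocol."""
    rows = []
    for number, ts, frame in parse_pcap(pcap_bytes):
        layers = dissect(frame)
        if display_filter and not matches(layers, display_filter):
            continue
        top = next(p for p in ("http", "tcp", "udp", "ip", "eth", "frame") if p in layers)
        addr = layers.get("ip", layers.get("eth", {}))
        rows.append((number, ts, addr.get("src", "?"), addr.get("dst", "?"), top.upper()))
    return rows


if __name__ == "__main__":
    sample = build_sample_pcap()
    for flt in ("", "http", "udp.dstport == 53"):
        print("display filter %r:" % flt)
        for row in packet_list(sample, flt):
            print("  ", row)
```

Running it prints the unfiltered list (frame 1 as HTTP, frame 2 as UDP) and then the same list narrowed by `http` and by `udp.dstport == 53`, which is exactly the effect of typing those expressions into the display filter field. The parser stops at the first unknown layer instead of guessing, which is the behaviour you want from any dissector that will be pointed at untrusted traffic.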
The final part is the analysis of the captured packets. To perform a good analysis you must have a solid networking background, but that topic is beyond the scope of this tutorial, which only explains how to use Wireshark to capture juicy information. For further study: