In the previous chapter, we learned what packet analyzers are used for. In this chapter we will learn more about the Wireshark GUI features, and see how it helps in capturing and analyzing packets effectively, by covering the following topics:
Start Wireshark by clicking on the Wireshark icon or by typing Wireshark in the command line. When Wireshark starts, it launches the following screen and provides the following ways to capture packets:
The following table explains the various options that we have on the Start screen:

| Sr. no. | Wireshark capture options | What is this? |
|---|---|---|
| 1 | Interface List | Opens up a live list of capture interfaces and counts the incoming/outgoing packets on each |
| 2 | Start | Choose an interface from the list and start capturing packets on it |
| 3 | Capture Options | Provides various options for capturing and displaying packets |
| 4 | Open Recent | Wireshark lists recently opened capture files |
We will cover each capturing option in detail one by one.
Click on Interface List; Wireshark will show a list of the available network interfaces in the system and which of them are active, by counting the packets going in and out of each interface, as shown in the following screenshot:
Choose the right (live) interface and click on the Start button to start capturing packets. If you want to capture packets on loopback (127.0.0.1), select the interface lo0.
In the Start option, users can select one or more interfaces from the displayed list and then click on Start. This doesn't give you the flexibility to see on which interface packets are active. Users can configure the capture options by double-clicking on an interface or by clicking on Capture Options:
Wireshark provides the flexibility to configure which packets are captured through its various capture options. To begin, try these basic settings. The name resolution options replace raw addresses and port numbers with names, for example:

- 28:cf:e9:1e:df:a9 will translate to 192.168.1.101
- 216.58.220.46 will translate to google.com
- 443 will translate to https
- 216.58.196.14 will translate to ns4.google.com (also referred to as reverse DNS lookup)

Users can also choose these options by selecting the Wireshark View menu and applying the following settings:
The drawbacks of name resolution are as follows:
Wireshark provides a range of capture filter options; use these to decide which packets are saved to disk. These options are useful when capturing packets over a longer period of time, and they also save disk space. Wireshark uses the Berkeley Packet Filter (BPF) syntax for this purpose, for example tcp src port 22. For example, to capture only TCP packets, follow the given steps:
Users can fine-tune Wireshark to write capture files automatically at regular intervals. To do this, click on Capture Options | Capture Files, as shown in the following screenshot:
Wireshark will generate files such as test_00001_20150623001728.pcap and test_00002_20150623001818.pcap.
The format of the generated filenames is as follows:

- test: This is the filename
- 00001: This is the file number
- 20150623001728: This is the date/time stamp
- pcap: This is the file extension
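The capture filter and periodic-file settings above have a command-line counterpart in dumpcap, the capture engine that ships with Wireshark. The script below is an added example, not from the book: it builds that dumpcap command for an assumed interface eth0 and an assumed 60-second rotation, parses the generated filenames using the format just described, and works out how long the ring buffer actually ran between the two files named in the text.

```shell
#!/bin/sh
# Added example, not from the book. Assumptions: interface eth0, a 60 s
# rotation, and dumpcap (shipped with Wireshark) as the command-line
# equivalent of Capture Options | Capture Files.

# build_capture_cmd IFACE BPF_FILTER SECONDS PREFIX
# Prints a dumpcap invocation: only packets matching the BPF capture filter
# are written to disk (saving space), and the ring buffer starts a new file
# every SECONDS seconds, keeping the 10 newest files.
build_capture_cmd() {
  printf 'dumpcap -i %s -f "%s" -b duration:%s -b files:10 -w %s.pcap\n' \
    "$1" "$2" "$3" "$4"
}

# parse_capture_name FILENAME
# Splits prefix_NNNNN_YYYYMMDDhhmmss.ext (the multi-file naming scheme)
# into "prefix number timestamp extension"; fails on names not in that form.
parse_capture_name() {
  ext=${1##*.}; base=${1%.*}
  stamp=${base##*_}; rest=${base%_*}
  num=${rest##*_}; prefix=${rest%_*}
  [ "$rest" != "$base" ] && [ "$prefix" != "$rest" ] || return 1
  case "$num$stamp" in *[!0-9]*|'') return 1 ;; esac
  [ ${#stamp} -eq 14 ] && [ ${#num} -eq 5 ] || return 1
  printf '%s %s %s %s\n' "$prefix" "$num" "$stamp" "$ext"
}

# stamp_to_secs YYYYMMDDhhmmss -> seconds since midnight of that day
stamp_to_secs() {
  t=${1#????????}; h=${t%????}; ms=${t#??}; m=${ms%??}; s=${ms#??}
  echo $(( ${h#0} * 3600 + ${m#0} * 60 + ${s#0} ))
}

# rotation_gap STAMP1 STAMP2 -> seconds between two same-day file stamps,
# i.e. how long the ring buffer ran before rotating to the next file.
rotation_gap() {
  echo $(( $(stamp_to_secs "$2") - $(stamp_to_secs "$1") ))
}

# Demo on the filenames from the text.
build_capture_cmd eth0 "tcp src port 22" 60 test
parse_capture_name test_00001_20150623001728.pcap
rotation_gap 20150623001728 20150623001818   # 50
```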