When you launch Wireshark for the first time, it's sometimes puzzling having to navigate the interface until you are familiar with all of the elements. Once you have a grasp of all the components, toolbars, and menu choices, you can capture and analyze traffic more efficiently. In this chapter, we'll start by exploring the Wireshark interface and reviewing all of the essentials of the welcome screen, including the sparklines, capture filters, and interfaces.
Although Wireshark currently has over 10 menu choices, in most cases, you'll find that there are a few that are more commonly accessed. So that you are more confident when moving about the interface, we'll examine the File menu, where you can open a file, save, print, and export a capture. We'll also investigate the Edit menu, where you can mark packets, set time references, and add comments. Finally, we'll take a look at the View menu so that you can learn how to customize the look and feel of the Wireshark interface.
In this chapter, we will cover the following topics:
Once you launch Wireshark, you'll find the menu choices across the top of the Wireshark welcome screen. If you don't have a capture file loaded, you will see that all of the menu choices are available. However, the icons might be dimmed, as shown in the following screenshot:
The icons will become active once you have a file open or are actively capturing packets.
Once in the welcome screen, you'll most likely either launch a file or begin capturing traffic. So, let's start with the many options that are available when opening a packet capture.
Beneath the icons and the display filter, you'll see a banner that reads Welcome to Wireshark. Underneath the banner, you will see the Open label, which will identify any previously opened packet captures that are available.
If you right-click on a file, you have the following options: Show in Folder, Copy file path, or Remove from list.
Note
In some cases, you might not have any files listed. In that case, the Show in Folder, Copy file path, or Remove from list options won't be available.
For example, while in a Windows operating system (OS), if you select Show in Folder, as shown in the following screenshot, this will launch the file explorer:
At that point, you can then select a file, drag it onto the Wireshark screen, and the file will open.
Once you begin capturing packets, you might have a dozen or so files in the Open file area. Although the files are shortcuts for ease of access, they could be distracting. If you want to remove the files, navigate to the File | Open Recent | Clear Menu menu, as shown in the following screenshot:
Next, let's take a look at the options for gathering network traffic.
When you're ready to capture traffic, you'll want to properly set up Wireshark. You can find the Capture label in the middle of the screen. Below that, you'll see …using this filter:. Once there, you can apply a capture filter in the space provided.
Note
A capture filter allows you to filter specific traffic during a capture. If you do use a capture filter, be aware that it will limit what you capture to only what you have filtered on, and you could miss the traffic that can help with your analysis.
On the right-hand side of the capture filter, you will see a drop-down menu that reads All interfaces shown. If you want to remove any of the classes of interfaces (such as Wired, Bluetooth, or Virtual), you can select one from the drop-down menu, as shown in the following screenshot:
Beneath the capture filter area, you'll see a list of available interfaces, and you can quickly begin capturing traffic by selecting an active sparkline.
Once you have either opened a packet capture or run a capture for analysis, you will most likely use one of the many menu choices. The following section covers what is possible in the File menu.
When working with the Wireshark interface, File is the go-to menu because it has all of the tasks commonly associated with working with a file, as shown in the following screenshot:
In this section, we'll walk through the many options found in the File menu. Let's begin with the ways to locate and open a file, save a capture, and compare options that are available when you close a file.
The first section in the File menu offers many choices for locating and opening files so that you can begin your analysis. While looking at the menu choices, you will see a light gray line that separates grouped objects. The first grouping is related to opening and closing a file, and it includes the following choices:
The next grouping consists of tasks that are related to saving a file:
The File Set option offers the ability to work with a set of related files. For example, if you're working on a firewall ruleset and going through a whole month of capture files, you can work through the list one by one. When this option is selected, you can right-click and your choices will be List Files, Next File, and Previous File.
The following File menu section examines the many ways to export parts of a capture.
Instead of saving an entire file, you might want to only save a portion of the file or even just the objects found within the file. Within this section, you'll find several export options.
The first option is Export Specified Packets. Once the dialog box is open, you can choose to include only displayed packets, a range of packets, or marked packets, as follows:
Another submenu choice is Export Packet Dissections, which offers many choices to export, as shown in the following screenshot, including Comma-Separated Values (CSV), plain text, and JavaScript Object Notation (JSON):
The next three submenu items offer more ways to export components and include the following:
Of all the options, Export Objects can provide a way in which to visualize the various objects found within the data stream, such as files, images, and executables. Let's explore this option next.
The Export Objects submenu choice identifies any objects found within the file and allows you to save and examine the objects. Once in the submenu choice, right-click to see the selection, as shown in the following screenshot:
To see an example of what you can export, navigate to https://www.cloudshark.org/captures/0012f52602a3.
Once you're on CloudShark, select Export | Download File from the menu found on the right-hand side of the screen to download the packet capture file, http://packetlife.net/captures/HTTP.cap. Once it has been downloaded, save it as HTTP.pcap and open it in Wireshark.
Once open, select Export Objects | HTTP, which will display the list of objects found, as follows:
Within this window, you can select Save, Save All, or even Preview. If there are multiple objects in the capture, you can use the Text Filter function to drill down to a particular object.
I selected Save and then navigated to a temporary folder, Export. For the filename, I selected logo.png, as follows:
When you are done exporting, navigate to the folder and open the image. You should see the PacketLife.net logo.
If there are other objects within the file, you can save them in a similar manner. Alternatively, you can select Save All, which will save all objects within the capture.
As you can see, there are many ways to export components in Wireshark. In the lower part of the File menu, there are options to Print and Quit, which we'll evaluate next.
While examining packets, Wireshark offers many ways in which to print different sections of the capture. Using the HTTP.cap file, select Print, and you will see the following:
Once there, you can choose to print all of the packets, selected packets only, or a range of packets to a Portable Document Format (PDF), which you can then include in a report.
After completing your analysis, you'll want to quit the application. If you select Quit, and you have a new capture, Wireshark will ask you whether you'd like to save the file.
After running a capture or opening a file, you'll want to begin your analysis. In the following section, we will cover the Edit menu, where you can discover the many possibilities that are available when working with a packet capture.
The Edit menu allows you to find and mark packets, set a time reference, copy, provide detailed information for creating a configuration profile, or modify your preferences. The following is a screenshot of the Edit menu:
Within the Edit menu, there are numerous options. The following discussion outlines ways in which to copy various items and find packets within Wireshark.
In this section, we'll learn how Wireshark makes it easy to copy several objects within the interface. In addition, we'll discover how we can locate a specific packet or a string value within the capture.
Let's begin by covering the many options within the Copy submenu.
While analyzing packets, you might see an item or value you would like to copy. The Edit | Copy menu choice has many submenus to further define options, as follows:
Using the HTTP.cap file, we'll walk through some of the results when selecting the different copy options:
No. Time Source Destination Protocol Info
5 0.094268 174.143.213.184 192.168.1.140 TCP 80 → 57678 [ACK] Seq=1 Ack=135 Win=6912 Len=0 TSval=835172948 TSecr=2216543

"No.","Time","Source","Destination","Protocol","Info"
"5","0.094268","174.143.213.184","192.168.1.140","TCP","80 → 57678 [ACK] Seq=1 Ack=135 Win=6912 Len=0 TSval=835172948 TSecr=2216543"
However, when using this option, it will not copy any tree items that are not expanded. For example, you will not see the details of the TCP Flags, as the tree has not been expanded.
After the Copy submenu choice, the next grouping offers ways to find packets.
While conducting an analysis, you might need to find specific packets. The following is a list of choices that can help you to navigate a packet capture:
While working with packets, you might find and mark packets that are interesting so that you can return to them at a later date. In addition to this, you might want to ignore specific packets.
Marking packets while in Wireshark is easily achieved. Once you have selected a packet, right-click, and Wireshark will mark the packet with a black background and white text, as follows:
The following is a list of options that you can use when marking packets:
In addition to marking packets to identify items of interest, you might want to ignore specific packets. The following list describes how you can select specific packets to ignore while doing your analysis:
While some packets might be ignored as they hold no value in the analysis, you might want to use other methods to determine delays, as we'll explore next.
In your analysis, you might have a group of packets where you want to see exactly how long the delay was within those packets. In Wireshark, you can set a time reference on the packet where you think the trouble began and watch the time values to see gaps in the transmission. Wireshark provides a variety of ways to set a time reference and then offers ways to navigate through the references. Options include the following:
If you need to adjust the time reference, you can use the Time Shift option.
If, during your analysis, you need to merge two captures that each used a different file format, you might want to use Time Shift. For example, if one file used the Network Time Protocol (NTP) and the other file used the Precision Timing Protocol (PTP), this option will help to sync up the files.
Once you select this option, it will launch a dialog box where you can set your values, as shown in the following screenshot:
The last option gives you the ability to undo all shifts if you get unexpected results.
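The CSV layout shown for the Copy | As CSV output and the time-reference idea described above can be combined outside the GUI. The following is an added example (not code from the book or from the Wireshark project) that parses a constructed CSV export, reproduces the "seconds since previous packet" and "seconds since time reference" columns for a chosen reference packet, and flags gaps above a threshold. The packet numbers, addresses and timestamps in SAMPLE_CSV are made up; only the column layout follows Wireshark's export.

```python
import csv
import io

# Constructed sample in the layout Wireshark produces for Export Packet
# Dissections > As CSV (and Edit > Copy > As CSV): every field quoted, and the
# Info column free to contain commas. Values are made up; the Time column is
# "Seconds Since Beginning of Capture".
SAMPLE_CSV = '''"No.","Time","Source","Destination","Protocol","Info"
"1","0.000000","192.168.1.140","174.143.213.184","TCP","57678 → 80 [SYN] Seq=0 Win=5840 Len=0 MSS=1460"
"2","0.045120","174.143.213.184","192.168.1.140","TCP","80 → 57678 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0"
"3","0.045310","192.168.1.140","174.143.213.184","TCP","57678 → 80 [ACK] Seq=1 Ack=1 Win=5888 Len=0"
"4","0.046005","192.168.1.140","174.143.213.184","HTTP","GET /index.html HTTP/1.1"
"5","2.594268","174.143.213.184","192.168.1.140","TCP","80 → 57678 [ACK] Seq=1 Ack=135 Win=6912 Len=0"
"6","2.610977","174.143.213.184","192.168.1.140","HTTP","HTTP/1.1 200 OK  (text/html)"
'''


def load_packets(csv_text):
    """Parse a Wireshark CSV export into dicts with numeric No. and Time."""
    packets = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        packets.append({
            "no": int(row["No."]),
            "time": float(row["Time"]),
            "src": row["Source"],
            "dst": row["Destination"],
            "proto": row["Protocol"],
            "info": row["Info"],
        })
    return packets


def time_columns(packets, reference_no):
    """Add two of Wireshark's Time Display Format views to each packet:
    delta_prev (seconds since the previous packet) and since_ref (seconds
    since the packet chosen with Edit > Set/Unset Time Reference)."""
    ref_time = next(p["time"] for p in packets if p["no"] == reference_no)
    out, prev_time = [], None
    for p in packets:
        delta_prev = 0.0 if prev_time is None else p["time"] - prev_time
        out.append({**p, "delta_prev": delta_prev, "since_ref": p["time"] - ref_time})
        prev_time = p["time"]
    return out


def find_gaps(packets, threshold):
    """Return (No., delay) for packets whose delay since the previous packet
    exceeds threshold seconds: the gaps you would look for after setting a
    time reference on the packet where the trouble appears to begin."""
    rows = time_columns(packets, packets[0]["no"])
    return [(p["no"], round(p["delta_prev"], 6)) for p in rows if p["delta_prev"] > threshold]


if __name__ == "__main__":
    pkts = load_packets(SAMPLE_CSV)
    for p in time_columns(pkts, reference_no=4):
        print(f"{p['no']:>3} {p['delta_prev']:>10.6f} {p['since_ref']:>10.6f} {p['proto']:<5} {p['info']}")
    print("gaps over 1 s:", find_gaps(pkts, 1.0))
```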
Now that we understand how we can reference or shift time in Wireshark, let's take a look at ways in which to personalize your work area.
While working with a capture, you can record your changes by using comments or modifying the look and feel of your workspace.
When working with comments, the following choices are available:
In addition, you can fine-tune the interface in the following ways:
Although the Edit menu is widely used, let's take a look at the View menu so that you can see the many ways in which to modify the look and feel of your capture during analysis.
The View menu is where you can alter the appearance of the captured packets, and it includes ways to colorize packets, expand subtrees, or show a packet in a separate window.
Let's start with ways to adjust the toolbars and panels and how to go into full screen mode. If you would like to follow along, use the HTTP.pcap file.
In Wireshark, there are several ways to alter and enhance the interface, including how we view the toolbars and what panels we would like to be visible. We'll start at the top with the toolbars.
The toolbar section groups related items together, as many menus do. Once you are in this section, you will see the three toolbars that are currently available, as follows:
If you see a checkmark, as shown in the preceding screenshot, that indicates the toolbar is visible. The toolbars are explained as follows:
Once you get used to the toolbars, you will see that they provide a handy way to help you navigate the interface. Now, let's take a look at the next grouping, which is the panel view, so you can modify what is visible on the screen. A checkmark indicates the panel is visible. If you do not want a panel to be visible, uncheck the panel and it will be hidden from view:
The next section outlines the options for displaying time values in Wireshark, along with how to provide name resolution.
The Time Display Format and Name Resolution menu choices both have several options within their submenus. We'll start with the Time Display Format option, which provides several ways to view the time values in Wireshark.
Once you expand the Time Display Format menu choice, you will see several options regarding how you want your time displayed. The options include Date and Time of Day; Year, Day of Year, and Time of Day; and Time of Day and Seconds Since 1970-01-01.
When carrying out an analysis, most likely, you will use a format that allows you to visualize any gaps in transmission. In that case, the following options are used:
Time precision is also a consideration. When selecting a format, you have a choice of how many decimal places are displayed. There are several formatting options, as shown:
Most of the time, it is best to use Automatic, which is the default, and that will be the best precision that the OS can provide.
The last option is Display Seconds With Hours and Minutes, which, when set, will appear as follows:
The whole concept of time is important in packet analysis. Now you understand how you can easily modify the way time is represented. Name Resolution is another menu choice that has several selections. The following section will outline the options available to resolve names and the rationale behind why you would select each one.
Under the Name Resolution menu, you can resolve physical, network, and transport addresses. In most cases, Wireshark can resolve physical and transport addresses without any problem, as each comes from a file found in the local Wireshark folder.
To resolve physical addresses, Wireshark looks at the first six hexadecimal digits (the first three bytes) of a MAC address, which is the Organizational Unique Identifier (OUI). The resolution comes from the manuf.txt file, as shown here:
To resolve the transport address (or port number), Wireshark consults the services.txt file, which holds a list of services and the associated port number. For example, the Simple Mail Transport Protocol (SMTP) service uses port 25. When Wireshark identifies that port 25 is in use, it will display SMTP as the service, as long as you have requested name resolution.
The file uses the Internet Assigned Numbers Authority (IANA) port-number file for consistency and can be found in the Wireshark folder, as shown in the following screenshot:
The Resolve Network Addresses option will resolve a hostname to an IP address. Normally, this option is not checked because, if it is, Wireshark will ask the OS to contact the DNS server(s) to perform the lookup. This activity will then create a lot of additional network traffic.
If necessary, it is possible to change either the manuf or services files. In addition, you can also select Edit Resolved Names, which will bring up a Name Resolution Preferences toolbar where you can edit or add a name.
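The two file-based lookups described above (OUI in the manuf file, port number in the services file) are simple enough to reproduce. The following is an added example, not code from the book or from Wireshark itself, that parses constructed excerpts in the layout of those two files and resolves a MAC address and a port the way the Wireshark display does (Vendor_xx:xx:xx for a known OUI, the service name for a known port, and the raw value otherwise). The vendor and service entries are made up for illustration; no DNS lookup is performed, so no extra network traffic is generated.

```python
# Constructed excerpts in the layout of Wireshark's manuf and services files.
# The real entries live in the files shipped in the Wireshark folder; these
# are made up. Longer-prefix entries (/28, /36) in the real manuf file are
# not handled here.
MANUF_SAMPLE = """# manuf (constructed excerpt): OUI, short name, long name
00:00:0C\tCisco\tCisco Systems, Inc
00:50:56\tVMware\tVMware, Inc.
B8:27:EB\tRaspberr\tRaspberry Pi Foundation
"""

SERVICES_SAMPLE = """# services (constructed excerpt): name, port/protocol
smtp\t25/tcp
http\t80/tcp
https\t443/tcp
ntp\t123/udp
"""


def _data_lines(text):
    """Yield non-empty lines with '#' comments stripped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line


def parse_manuf(text):
    """Map a 24-bit OUI (upper-case, colon separated) to its short vendor name."""
    table = {}
    for line in _data_lines(text):
        prefix, short = line.split()[:2]
        table[prefix.upper()] = short
    return table


def parse_services(text):
    """Map (port, protocol) to a service name."""
    table = {}
    for line in _data_lines(text):
        name, portproto = line.split()[:2]
        port, proto = portproto.split("/")
        table[(int(port), proto.lower())] = name
    return table


def resolve_mac(mac, manuf):
    """Physical-address resolution: replace the first six hex digits (the OUI)
    with the vendor short name, keeping the last three bytes, as Wireshark
    displays it (for example Cisco_ab:cd:ef). Unknown OUIs stay numeric."""
    octets = mac.upper().replace("-", ":").split(":")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError(f"not a six-octet MAC address: {mac!r}")
    vendor = manuf.get(":".join(octets[:3]))
    tail = ":".join(octets[3:]).lower()
    return f"{vendor}_{tail}" if vendor else mac.lower().replace("-", ":")


def resolve_port(port, proto, services):
    """Transport-address resolution: service name if listed, else the number."""
    return services.get((port, proto.lower()), str(port))
```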
When working with a capture, there are ways to enhance your view, as we will learn in the next section.
To see the details of your capture, there are a few enhancements that include the ability to zoom in, expand the subtrees, and colorize the conversation:
Once done, you can collapse the subtree. In addition, you can also expand and/or collapse all subtrees.
To improve visibility and/or highlight specific conversations, you can also use color.
Within Wireshark, there are several ways to use color. Coloring formats include the following:
The last grouping of menu choices provides ways to refresh the view to reload, resize, show the packet in a new window, or view the internals.
Wireshark doesn't limit the way you can view the data in the interface. In fact, in this last section, we'll see the many options that allow you to view the captured packets:
If you are a developer, the next section outlines what is available behind the scenes to allow Wireshark to dissect and display the various protocols.
The Internals menu choice provides advanced options that include the following submenu choices:
Within the table, you will also find the full name as well as the short name of the subdissector. For example, within the list of HTTP subdissectors, the short name for JPEG File Interchange Format (JPEG file in HTTP) is JFIF (JPEG) image.
The last few options will either freshen the view or reload the capture.
When using Wireshark, there is no shortage of ways to present the data. Some additional view options include the following:
The Reload as File Format/Capture option will give you a view inside the pcap. Using the HTTP.pcap file, I modified the layout and then selected the option, which displayed this view:
Whether you are a developer, network administrator, or student, you can appreciate the many flexible ways Wireshark provides to display and format data while working with a packet capture.
In this chapter, we explored all of the elements of the Wireshark welcome page, to give you a better understanding of what is available, even before opening a packet capture. We also took a closer look at commonly accessed menu choices to make navigating around Wireshark easier. First, we evaluated the File menu, which has all of the tasks commonly associated with working with a file.
Next, we studied the Edit menu, which allows you to find and mark packets, set a time reference, or modify your preferences. We concluded with the View menu, where you can alter the appearance of the captured packets, including how to colorize them, zoom in, or show a packet in a separate window.
In the next chapter, we will learn where and how to tap into a data stream. Because what you see when capturing data will depend on the type of network you are accessing, we will review the different network architectures. Then, when you are ready to capture, we will discover the various capture options, such as using multiple files and directing output. We'll also compare the difference between conversations and endpoints and finish with stressing the importance of baselining the network to help when conducting a troubleshooting exercise.
Now, it's time to check your knowledge. Select the best response and then check your answers, which can be found in the Assessments appendix:
A. Capture Toolbar
B. Main Toolbar
C. Status Bar
D. Filter Toolbar