Introduction to Wireshark architecture
Wireshark package installation and usage
Basic analysis and filtering
Wireshark cloud services
Version and feature parity
Data stream and graphs
Introduction
Wireshark is an open source network packet analyzer used to capture, in real time, the packets flowing through a network, and to analyze, offline, packets captured earlier by Wireshark or by other applications. It provides both a command-line interface (CLI) and a graphical user interface (GUI) for sniffing and analyzing traffic on interfaces such as Ethernet, Wi-Fi, Bluetooth, token ring, frame relay, and many more. Wireshark offers a flexible way to restrict what is captured through capture filters and, during analysis, to limit which packets are shown through display filters. Many other robust packet flow analysis and decode tools are integrated, which makes it an indispensable weapon in the armory of networking and security professionals; at the same time, it is used in educational institutes for teaching networking protocols.
The idea of an open source packet analysis tool occurred to Gerald Combs when he wanted to troubleshoot and understand his own network, and he created Ethereal (the original Wireshark) in 1997. Wireshark is open source software released under the GNU General Public License (GPL). This means the source code is freely available under the GPL, and there are no license keys or fees to worry about, on any number of computers. In addition, Wireshark has good community support. From its release in July 1998 to now, Wireshark has had many contributors continually improving the program by adding new features and protocol support, either by integrating their work into the source code or by providing dissector (parser) plugins.
Available on all popular OSs like Windows, Linux, UNIX, and macOS.
Live packet capture from network interfaces and save data.
Analyze captures saved by other applications like tcpdump, WinDump, TShark, and many others that store captures in pcap or pcapng format.
Import and analyze packet data in hex dumps.
Export captured packets in various file formats.
Display, filter, colorize, or search packets with very detailed protocol information.
Create various statistics and graphs based on packet flow information.
Decrypt and analyze encrypted data when the required keys or secrets are available.
…and a lot more!
Get Me Started!
Wireshark is developed and tested primarily on Linux, Microsoft Windows, and macOS. The quickest way to get Wireshark is to visit the official download page at www.wireshark.org/download.html and choose the package for your operating system.
macOS
The official macOS Wireshark package bundle (.dmg) can be downloaded from the Wireshark download page, and contents can be copied to the /Applications folder.
In order to capture packets on macOS, the “ChmodBPF” package is required. It can be installed by opening the “Install ChmodBPF.pkg” file in the Wireshark .dmg during installation or post-installation from the Wireshark application by navigating to the “About Wireshark” section, selecting the “Folders” tab, and double-clicking “macOS Extras.”
The ChmodBPF and system path packages are included along with the Wireshark installer package.
Linux
Command-line installation varies based on Linux distributions. We have covered examples for Red Hat and Debian types, but other variants will follow the standard install approach.
Red Hat and Alike
Ubuntu and Debian Derivatives
Allowing Non-root User to Capture Packets
By default, Wireshark doesn't allow non-root users to capture packets.
- a. Try reconfiguring Wireshark by running
- b. Create a Wireshark user and group:
- c. Add the non-root user to the “wireshark” group by executing
- d. Log out the non-root user and log back in again.
Windows Install
The Wireshark installer can be downloaded from www.wireshark.org/download and executed. During installation, the optional components and the location of the installed package can be selected. For most users, the default settings work and are recommended.
On 32-bit Windows, the default install path is “%ProgramFiles%\Wireshark”, and on 64-bit Windows it is “%ProgramFiles64%\Wireshark”; the %...% variable maps to “C:\Program Files\Wireshark” on most systems.
Wireshark on Windows needs Npcap to capture packets. The latest Npcap installer is bundled with the Wireshark installer. If Npcap is not installed, live capture of network traffic won’t be possible, but Wireshark will still be able to open and analyze saved capture files. By default, the latest version of Npcap is installed; if a different version is required or Npcap needs to be reinstalled, run the installer again and check the Install Npcap box as appropriate.
The First Capture
Chapter 2 covers the packet capture approach, dependencies, capture filter, etc. in detail. In this section, we are covering basics to get you started with Wireshark.
Once the Wireshark application is launched, the main window is shown, including sections for basic capture controls, capture filters, and display filters. Select the desired interface from the list by clicking it and hit the start capture button. To select multiple interfaces, hold the Ctrl key (Command on macOS) while selecting them.
While a capture is in progress, by default the captured packets are shown live, colored according to packet type. To stop, click the red square “Stop Capturing” button next to the “Start Capturing” button. At first glance, you’ll notice the data split into various columns.
Understanding a Packet
It’s time to investigate a capture at the individual level. This is an example of one of the TCP packets captured.
When a packet is selected, Wireshark opens the bottom panel, which shows the decoded protocol details, conveniently laid out in the same way as the layers of the OSI model. The number of layers shown changes with the protocol selected.
In the preceding example, from the top down we can see the frame layer, the Ethernet (data link) layer, the IP (network) layer, and the TCP (transport) layer.
If there are more layers or headers in the packet, they are decoded sequentially in the Wireshark packet view. For a packet with multiple encapsulated protocols to be decoded properly, there must be a dissector available for each protocol layer.
Every packet decode starts with the Frame dissector, which dissects the capture metadata itself (e.g., timestamps). The Frame dissector passes the data to the lowest-level dissector in the data link layer; for example, the Ethernet dissector is triggered for an Ethernet header. The packet is then passed to the next dissector in the network layer, for example the IPv4/IPv6 dissector, and so on. Each dissector in the chain decodes and displays the details of its layer.
Dissectors can be written as self-registering plugins (a shared library or DLL) or built into the Wireshark source code. The biggest benefit of the plugin approach is that rebuilding a plugin is much faster: if the dissector is built into the source code, all of Wireshark needs to be recompiled and rebuilt. Hence, it makes more sense to write a dissector as a plugin. More details on dissectors are available in Chapter 9.
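To make the hand-off between dissectors concrete, here is an added Python example (not Wireshark code) that walks a constructed Ethernet/IPv4/TCP frame through a frame, Ethernet, IPv4 and TCP chain: each stage appends its decoded fields and picks the next dissector from a registry keyed by EtherType or IP protocol number, the way the text describes. The frame bytes, function names and registry dictionaries are all assumptions made up for this example.

```python
import struct
from ipaddress import IPv4Address

# Constructed 54-byte frame, not a real capture: Ethernet II -> IPv4 -> TCP SYN 192.168.2.100:50000 -> 192.168.2.1:443
FRAME = bytes.fromhex(
    "001122334455 66778899aabb 0800"                       # dst MAC, src MAC, EtherType 0x0800 (IPv4)
    "4500 0028 0001 4000 40 06 0000 c0a80264 c0a80201"     # ver 4/IHL 5, len 40, id, DF, TTL 64, proto 6, src, dst
    "c350 01bb 00000001 00000000 5002 ffff 0000 0000"      # ports, seq 1, ack 0, offset 5 + SYN, window, csum, urg
)

def dissect_eth(data, layers):
    """Data-link stage: Ethernet II header, then hand off by EtherType."""
    if len(data) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", data[12:14])[0]
    layers.append(("eth", {"dst": data[:6].hex(":"), "src": data[6:12].hex(":"), "type": hex(ethertype)}))
    return ETHERTYPES.get(ethertype), data[14:]

def dissect_ipv4(data, layers):
    """Network stage: IPv4 header; honours IHL and total length, then hands off by protocol number."""
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto = struct.unpack("!BBHHHBB", data[:10])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(data) < ihl:
        raise ValueError("malformed IPv4 header")  # bounds-check before trusting any length field
    layers.append(("ip", {"src": str(IPv4Address(data[12:16])), "dst": str(IPv4Address(data[16:20])),
                          "ttl": ttl, "proto": proto}))
    return IP_PROTOS.get(proto), data[ihl:total_len]  # bytes beyond total_len (padding) are not payload

def dissect_tcp(data, layers):
    """Transport stage: TCP header; whatever follows the header is payload for a higher-layer dissector."""
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", data[:14])
    hlen = (off_flags >> 12) * 4
    flags = [n for n, bit in (("FIN", 1), ("SYN", 2), ("RST", 4), ("PSH", 8), ("ACK", 16)) if off_flags & bit]
    layers.append(("tcp", {"srcport": sport, "dstport": dport, "seq": seq, "ack": ack, "flags": flags}))
    return None, data[hlen:]  # no application-layer dissector is registered in this example

ETHERTYPES = {0x0800: dissect_ipv4}  # an IPv6 dissector would register under 0x86DD
IP_PROTOS = {6: dissect_tcp}         # a UDP dissector would register under 17

def dissect_frame(frame, timestamp=0.0):
    """Frame dissector: records capture metadata, then runs the chain until no dissector claims the rest."""
    layers = [("frame", {"len": len(frame), "time": timestamp})]
    nxt, rest = dissect_eth(frame, layers)
    while nxt is not None and rest:
        nxt, rest = nxt(rest, layers)
    if rest:
        layers.append(("data", {"len": len(rest)}))  # undissected bytes appear as plain "Data", as in Wireshark
    return layers
```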
Capture Filters
We will discuss capture filters in detail in Chapter 2. Only the basics are included here for completeness of the getting-started discussion.
Capture filters reduce the size of captures by admitting only the packets that match the filter condition before they are written to the capture file. Clicking the Capture Options button shows a screen containing a list of interfaces, where a capture filter such as the following can be entered.
host 192.168.2.1: Packets to and from host 192.168.2.1
src host 192.168.2.1: Packets from host 192.168.2.1
dst host 192.168.2.1: Packets to host 192.168.2.1
net 192.168.2.0/24: Packets to and from all hosts that are part of network 192.168.2.0/24
port 8080: Packets to or from TCP or UDP port 8080
Display Filters
This is one of the main advantages of using Wireshark: its clean, simple way of displaying filtered packets. Display filters limit the packets shown, in a live capture or while analyzing a capture file, to those matching the filter. Display filters are different from capture filters; their syntax is different and simpler than that of capture filters.
To apply a display filter, simply type the filter text in the display filter box and hit the Enter key or the apply button. When the display filter is removed from the filter box, all packets are shown again.
A display filter can match on a protocol type or on specific field(s) of a protocol. The filter can also use logical and comparison operators and parentheses to build complex expressions.
arp or icmp: Packets of type ARP or ICMP
ip.addr == 192.168.2.1: Packets to and from IPv4 host 192.168.2.1
ip.src != 192.168.2.1: Packets not from IPv4 host 192.168.2.1
ip.dst == 192.168.2.1: Packets to IPv4 host 192.168.2.1
ip.addr == 192.168.2.0/24: Packets to and from all hosts that are part of network 192.168.2.0/24
tcp.port eq 443 or udp.port == 443: Packets to or from TCP or UDP port 443
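As an added example (not Wireshark's own filter engine), this Python evaluator applies the filters listed above to a few constructed packet field dictionaries and reproduces the points a practitioner trips over: ip.addr and tcp.port match either direction, a CIDR value matches the whole subnet, != is read as the negation of ==, and or/and/not/parentheses follow the usual precedence. The field names, the PACKETS records and the whitespace-separated token syntax are assumptions made for this demo.

```python
import ipaddress
import re

# Combined fields expand to their directional members, as Wireshark does for ip.addr and tcp.port
ALIASES = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport"),
           "udp.port": ("udp.srcport", "udp.dstport")}
OPS = {"==": True, "eq": True, "!=": False, "ne": False}  # operator -> does a match mean "pass"?
def _values(pkt, field):
    return [pkt[f] for f in ALIASES.get(field, (field,)) if f in pkt]
def _match(actual, literal):
    """One field value against a literal; an IPv4 literal may be a CIDR network (192.168.2.0/24)."""
    if isinstance(actual, str) and "/" in literal:
        return ipaddress.ip_address(actual) in ipaddress.ip_network(literal, strict=False)
    return str(actual) == literal

def _compare(pkt, field, op, literal):
    # == passes if ANY occurrence of the field matches; != is read as !(a == b), which is how
    # current Wireshark treats it, so "ip.addr != x" excludes x as source AND as destination
    any_eq = any(_match(v, literal) for v in _values(pkt, field))
    return any_eq if OPS[op] else not any_eq

class Filter:
    """Recursive-descent evaluator; precedence from lowest: or, and, not, parentheses, comparison."""
    def __init__(self, text):
        self.toks, self.pos = re.findall(r"\(|\)|[^\s()]+", text), 0  # whitespace-separated tokens
    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None
    def matches(self, pkt):  # an or-chain of and-chains of factors; call on a fresh Filter
        return self._chain(pkt, "or", lambda: self._chain(pkt, "and", lambda: self._factor(pkt)))
    def _chain(self, pkt, word, sub):
        result = sub()
        while self._peek() == word:
            self.pos += 1
            rhs = sub()  # always evaluated so its tokens are consumed, then combined
            result = (result or rhs) if word == "or" else (result and rhs)
        return result
    def _factor(self, pkt):
        tok = self._peek()
        self.pos += 1
        if tok in ("not", "!"):
            return not self._factor(pkt)
        if tok == "(":
            result = self.matches(pkt)
            if self._peek() != ")": raise ValueError("missing closing parenthesis")
            self.pos += 1
            return result
        if self._peek() in OPS:  # field operator value
            op, literal = self.toks[self.pos], self.toks[self.pos + 1]
            self.pos += 2
            return _compare(pkt, tok, op, literal)
        # bare name: a protocol in the frame's protocol stack, or a field that is present at all
        return tok in pkt["frame.protocols"].split(":") or bool(_values(pkt, tok))

PACKETS = [  # constructed field dicts standing in for dissected packets; not a real capture
    {"frame.number": 1, "frame.protocols": "eth:ethertype:arp"},
    {"frame.number": 2, "frame.protocols": "eth:ethertype:ip:tcp", "ip.src": "192.168.2.100", "ip.dst": "192.168.2.1", "tcp.srcport": 50000, "tcp.dstport": 443},
    {"frame.number": 3, "frame.protocols": "eth:ethertype:ip:udp", "ip.src": "192.168.2.1", "ip.dst": "192.168.2.100", "udp.srcport": 443, "udp.dstport": 40000},
    {"frame.number": 4, "frame.protocols": "eth:ethertype:ip:icmp", "ip.src": "10.0.0.5", "ip.dst": "10.0.0.1"},
]
def apply_filter(text, packets=PACKETS):
    """Frame numbers passing the display filter; an empty filter shows every packet."""
    return [p["frame.number"] for p in packets if not text.strip() or Filter(text).matches(p)]
```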
Wireshark can also build a display filter automatically from a packet or from protocol fields inside it. Simply right-click the packet or field of interest and apply it as a filter. This method uses the device’s IP address, but the Conversation Filter entry below it can filter on the conversation's protocol.
Also, Wireshark allows adding a custom display filter button for frequently used or complex filters. Click the + button beside the display filter box, which opens another text box where the filter and its label are entered.
Pcap vs. Pcapng
Multiple interfaces: Captured packets from multiple interfaces (e.g., wlan0 and eth0) can all be stored in a single file.
Tagged metadata: Wireshark tags the file with metadata about the machine that captured the data, including the OS type and the capturing application.
Precise timestamps: Time is expressed as a single 64-bit count of time units (microseconds unless the interface declares a finer resolution) since January 1, 1970, UTC, instead of the former separate seconds and microseconds fields.
Individual comments: “Annotations” can be saved to individual frames of a capture.
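To show what those four pcapng features look like on disk, here is an added Python example (not from the page or from Wireshark) that writes a minimal pcapng file with a Section Header Block carrying OS and application options, two Interface Description Blocks (wlan0, eth0), and Enhanced Packet Blocks with 64-bit timestamps and a per-frame comment, then parses it back and validates each block's length trailer. The frame bytes, interface names and option values are constructed for the example.

```python
import struct
# Block types and option codes from the pcapng specification
SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006
OPT_END, OPT_COMMENT, SHB_OS, SHB_USERAPPL, IF_NAME = 0, 1, 3, 4, 2
BYTE_ORDER_MAGIC = 0x1A2B3C4D  # written little-endian, so a reader can tell the section's byte order
def _opts(opts):  # encode (code, value) options padded to 32 bits and end with opt_endofopt; none -> no bytes
    if not opts:
        return b""
    body = b"".join(struct.pack("<HH", c, len(v)) + v + b"\0" * (-len(v) % 4) for c, v in opts)
    return body + struct.pack("<HH", OPT_END, 0)

def _block(btype, body):  # type, total length, body, total length again (lets readers walk backwards)
    total = 12 + len(body)
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

def write_pcapng(interfaces, packets, os_name="constructed-os", app="constructed-app"):
    """interfaces: names in ID order; packets: (interface_id, timestamp_us, bytes, comment)."""
    shb = struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1)  # magic, version 1.0, section length unknown
    out = _block(SHB, shb + _opts([(SHB_OS, os_name.encode()), (SHB_USERAPPL, app.encode())]))
    for name in interfaces:  # one IDB per capture interface (LINKTYPE_ETHERNET = 1, snaplen 65535)
        out += _block(IDB, struct.pack("<HHI", 1, 0, 65535) + _opts([(IF_NAME, name.encode())]))
    for iface, ts_us, data, comment in packets:
        # one 64-bit timestamp split into high/low words; microseconds because no if_tsresol option is set
        hdr = struct.pack("<IIIII", iface, ts_us >> 32, ts_us & 0xFFFFFFFF, len(data), len(data))
        body = hdr + data + b"\0" * (-len(data) % 4)
        out += _block(EPB, body + _opts([(OPT_COMMENT, comment.encode())] if comment else []))
    return out

def _parse_opts(buf):
    opts, pos = {}, 0
    while pos + 4 <= len(buf):
        code, length = struct.unpack_from("<HH", buf, pos)
        if code == OPT_END:
            break
        opts[code] = buf[pos + 4:pos + 4 + length]
        pos += 4 + length + (-length % 4)
    return opts
def read_pcapng(data):
    """Walk the blocks (little-endian sections only) and collect metadata, interfaces and packets."""
    out, pos = {"interfaces": [], "packets": []}, 0
    while pos + 12 <= len(data):
        btype, total = struct.unpack_from("<II", data, pos)
        if total < 12 or pos + total > len(data) or struct.unpack_from("<I", data, pos + total - 4)[0] != total:
            raise ValueError("corrupt block at offset %d" % pos)  # never trust a length field blindly
        body = data[pos + 8:pos + total - 4]
        if btype == SHB:
            o = _parse_opts(body[16:])  # magic(4) + version(4) + section length(8) precede the options
            out["os"], out["app"] = o[SHB_OS].decode(), o[SHB_USERAPPL].decode()
        elif btype == IDB:
            out["interfaces"].append(_parse_opts(body[8:])[IF_NAME].decode())
        elif btype == EPB:
            iface, hi, lo, caplen, _origlen = struct.unpack_from("<IIIII", body)
            o = _parse_opts(body[20 + caplen + (-caplen % 4):])
            out["packets"].append({"iface": out["interfaces"][iface], "ts_us": (hi << 32) | lo,
                                   "data": body[20:20 + caplen], "comment": o.get(OPT_COMMENT, b"").decode()})
        pos += total
    return out

SAMPLE = [  # constructed frames, not real traffic: (interface id, microseconds since 1970 UTC, bytes, comment)
    (0, 1_700_000_000_000_000, bytes.fromhex("ffffffffffff0011223344550806"), "first ARP on wlan0"),
    (1, 1_700_000_000_000_250, bytes.fromhex("001122334455aabbccddeeff08004500"), ""),
]
def roundtrip():
    return read_pcapng(write_pcapng(["wlan0", "eth0"], SAMPLE))
```

Writing the bytes returned by write_pcapng to a .pcapng file gives a capture that Wireshark opens, with the comment visible on the first frame.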
The Capture Options tab gives a few additional settings useful to personalize user experience.
Data Representation
| Symbol | Meaning |
| --- | --- |
| Square with an inverted L-shaped line at the center | First packet in a conversation |
| Square with a vertical line slightly left of center | Part of the selected conversation |
| Square with a vertical dashed line slightly left of center | Not part of the selected conversation |
| Square with an L-shaped line at the center | Last packet in a conversation |
| Square with a right-pointing arrow and a vertical line from its center bottom | Request |
| Square with a vertical line and a left-pointing arrow at the center | Response |
| Vertical line with a tick mark at the center | The selected packet acknowledges this packet |
| Vertical line with double tick marks at the center | The selected packet is a duplicate acknowledgment of this packet |
| Vertical line with a dot at the center | The selected packet is related to this packet in some other way, e.g., as part of reassembly |
Big Picture: I/O Graphs
To see a broader view, I/O graphs track the packet flow rate and activity pattern graphically. It is always easier to spot a flow pattern in a graph than in the packet list view. An I/O graph can be used on a live packet capture or on a completed capture loaded from a file, which helps in troubleshooting application issues and TCP/UDP transport layer issues.
To launch a default I/O graph, click Statistics ➤ I/O Graphs. The x axis represents time (the interval can be altered through the interval drop-down), and the y axis represents packets per chosen interval for the flow type. The Y Axis unit can be changed by double-clicking the flow type and choosing the desired option (bytes, bits, count, etc.). Additional graphs can be added by clicking the + button and defining a display filter for the flow type. In our example, we have added a custom graph for the DNS response time.
Big Picture: TCP Stream Graphs
TCP stream graphs show a pictorial map of the packets within a TCP flow in a capture. The visual representation depicts how each packet in the flow relates to the others. There are multiple flavors of the stream graph, and using them can help with deep-dive troubleshooting of a TCP flow.
Time Sequence (Stevens)
This graph plots TCP sequence numbers over time, similar to the graphs in Richard Stevens’ TCP/IP Illustrated series of books.
In the following example capture, pauses in a transfer can be spotted by zooming into a section of the graph where the sequence number does not advance for a period of time. Clicking that portion takes the packet list directly to the corresponding packet.
Time Sequence (tcptrace)
This graph shows TCP metrics details similar to the ones seen through the tcptrace utility, including acknowledgments, selective acknowledgments, forward segments, reverse window sizes, and zero windows.
The blue lines show the bytes of each packet sent by one device, and the green line above represents the receive window size. If at any point a vertical blue line reaches the green one, the maximum number of bytes allowed at that time has been reached and the sender can send no more until the window opens again.
Throughput
This graph shows the average throughput and goodput for a TCP flow.
Round Trip Time
This graph shows the round trip time against time or sequence number. The RTT used here is derived from the timestamp of the acknowledgment corresponding to a particular segment.
Window Scaling
This graph shows the TCP window size and outstanding bytes.
Bigger Picture: Following a Packet Stream
Display filters or graphs won’t suffice when we need a complete application-level view of the communication. Perhaps you want to see what the application data looks like when the individual packets of a TCP or UDP stream are merged. This is where following a data stream helps: it gives application-level visibility of the combined payload of a packet stream. The supported protocols are TCP, UDP, DCCP, TLS, HTTP, HTTP/2, QUIC, and SIP.
To do so, right-click the packet of interest, click Follow, and choose the right protocol type.
The following TCP conversation shows the entire exchange in color, client packets in red and server packets in blue. If the stream carries encrypted data, additional steps will be needed to show the decoded data.
Clicking the “Show Data as” drop-down menu and selecting YAML encoding can format the data contained within the flow in an easily readable way.
Biggest Picture: Flow Graphs
The TCP stream graphs above were specific to one protocol or flow, but what if there were a visual way to see the entire capture with all its hosts and conversations? Flow graphs!
A flow graph shows a consolidated visual representation of multiple host endpoints and the communication between them: flow direction, ports, flags, sequence numbers, and more, with helpful comments explaining the state of the communication. You can scroll through the graph, which shows packet relative time, and inspect all packets or restrict the view to ICMP Flows, ICMPv6 Flows, UIM Flows, or TCP Flows. Also, instead of showing all packets, you can limit the graph to a subset by applying a display filter.
CloudShark: The Floating Shark
What if we don’t have Wireshark or any other packet analysis utility installed locally but still need to analyze a capture file, or we want to analyze a capture file in the cloud? What do we do?
The networking company QA Café introduced CloudShark, a paid web-based cloud service. It was built around Wireshark’s cousin TShark, the console packet-capturing utility, and it mimics Wireshark's style but not all of its functionality: it cannot capture packets, only analyze them.
Get Me Started!
There is a sign-in and sign-up option at this web page: www.cloudshark.org/login. This is a paid service, but they offer a free 30-day trial.
http://username:password@server/path/file.pcap
Import server user credentials are hidden from any viewers of the file and are only stored in the CloudShark database. Since these credentials are submitted to and kept by a third-party service, use a dedicated account on the import server with no more than read access to the capture files. If the username or password contains special characters, follow these encoding rules. The search button at the bottom left of the page allows searching for previously uploaded files.
Feature Parity with Wireshark
The main packet panel, the variable bottom panel, and even the display filter text box are all kept the same as Wireshark.
The CloudShark interface displays a mini graph that can be used to choose the time window the application displays. This helps when the capture is big: we can narrow the timeline to focus on the packets or period of interest.
The analysis tool and graph options shown in the menu are very similar to the ones in Wireshark with a few extra security features. Even annotations can be created for each individual packet, making it easier for collaborators to quickly find issues.
To share the capture file, select the export button and either download the current file with all its revisions or create a new one only including the filtered data (Create New Session).
CloudShark API
CloudShark offers a programmatic way of interacting with capture files through an API that lets users retrieve packet data, upload/download files, and extend their network tooling. Each registered user has an API token that acts like a combined username and password. You can find your default API token by clicking the Preferences ➤ API token option.
Its default permissions can be changed by clicking the token name and adjusting the preferences. The authentication checkbox is important: leaving it unchecked allows anyone holding the token to use the API without being logged in to CloudShark. The token is passed as a parameter in the request URL, which can be used from a script to fetch information or even embedded in an HTML web page. Because the token sits in the URL, it ends up in shell history, proxy and web server logs, and the source of any page that embeds it, so treat it as a secret: keep it out of shared scripts and pages, and replace it if it is exposed. Curl is the command mainly used for making API calls from the command line.
CloudShark API Interaction with Curl
In this example, we have used curl to test the API, although other tools can be used to explore it. Curl is installed by default on macOS (see www.confusedbycode.com/curl/ for Windows), and it is used to transfer data between a client and a URL endpoint or server, hence its name, client URL. With curl, form encoding is done automatically by the -F flag, so either a URL or a direct file path can be used.
- Upload capture file
URL and HTTP authentication, when the capture file is located on a remote HTTP server:
curl -F url=http://path/to/capture/file https://www.cloudshark.org/api/v1/api-key/upload
Upload a local file (POST):
curl -F file=@filename.cap https://www.cloudshark.org/api/v1/api-key/upload
Upload a local file (PUT):
A one-line command uploads the file to https://www.cloudshark.org/api/v1/api-key/upload.
More details on the upload API are available on the CloudShark website.
- Download capture file (the -s flag silences the call)
Save the file with ID cid to a local file “example.cap”
More details about the API can be found on the CloudShark website.
Auto Upload to CloudShark (Raspberry Pi, Linux, macOS)
If TShark is not installed (test by executing the tshark command), it can be installed with the following commands in a terminal window:
macOS
Follow the usual Wireshark install; TShark comes along with it.
Either download the zip file directly onto your local machine or use the wget command to download it.
Edit the cloudshark_capture.sh script and enter the API token. Changing the prompt variable to n will disable further optional confirmations after capture.
Run the shell script.
Summary
- Went through the installation and basic deployment of this software on various operating systems.
- Explored the user interfaces and CLI of Wireshark and learned the basics of display and capture filters.
- Learned about various packet flow analysis tools like I/O graphs, TCP stream graphs, flow graphs, etc.
- Finally, we looked at a cloud packet analyzer tool, CloudShark. Although it might not have the same multitude of features Wireshark does, it is much easier to collaborate and share with. It can even integrate with Wireshark and TShark, so you have the best of both sides.
All in all, you have learned the foundation of Wireshark and the features it provides, which will help you shark more efficiently and happily.