Wireshark, a network analysis tool formerly known as Ethereal, captures packets in real time and displays them in a human-readable format. Wireshark includes filters, color coding, and other features that let you dig deep into network traffic and inspect individual packets.
For many IT professionals, Wireshark is the go-to tool for network packet analysis. The open-source software lets you examine the captured traffic closely and pinpoint the root cause of a problem with greater accuracy. Wireshark operates in real time and color-codes the captured packets, among other useful mechanisms.
Capture filters use the libpcap/BPF filter syntax. Some of the general capture filter primitives are:
- host (capture the traffic to or from a single host). “host” can be prefixed with “src” or “dst” to match only the source or only the destination address.
- net (capture the traffic to or from a network or sub-network, given as a CIDR block). “net” can likewise be prefixed with “src” or “dst” to indicate whether the data is coming from or going to the target network.
- port (capture the traffic to or from a port). “port” can be prefixed with “src” or “dst” to indicate whether the data is coming from or going to the target port.
- “and”, “not” and “or” logical connectives, used to combine multiple primitives. “not” binds tightest, while “and” and “or” have equal precedence and associate left to right, so use parentheses when you mix them.
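To make the matching rules concrete, here is an added example (not Wireshark or libpcap code) that evaluates the primitives above over a handful of constructed packet records. Real capture filters are compiled to BPF by libpcap; this toy supports only the listed subset (host/net/port with an optional src/dst qualifier, and/or/not, parentheses), takes IP literals or CIDR blocks rather than hostnames, and uses the `SAMPLE_PACKETS` tuples defined in the block as its input. It reproduces one detail worth knowing: an unqualified primitive matches either direction, and “and”/“or” are evaluated left to right with equal precedence, as in BPF.

```python
"""Toy evaluator for capture-filter primitives (added example, not Wireshark code).
Handles host/net/port with optional src/dst, and/or/not, parentheses; values
must be IP literals or CIDR blocks. Sample packets below are constructed."""
import ipaddress
import re

# Constructed sample traffic: (src_ip, src_port, dst_ip, dst_port)
SAMPLE_PACKETS = [
    ("192.168.1.10", 51234, "168.28.176.243", 80),  # client -> web server
    ("168.28.176.243", 80, "192.168.1.10", 51234),  # web server -> client
    ("192.168.1.10", 51235, "10.0.0.53", 53),        # DNS query
    ("10.0.0.53", 53, "192.168.1.10", 51235),        # DNS reply
    ("172.16.5.7", 40000, "192.168.1.20", 22),       # SSH from another subnet
]


def tokenize(expr):
    """Split on whitespace, keeping parentheses as separate tokens."""
    return re.findall(r"\(|\)|[^\s()]+", expr.lower())


class FilterParser:
    def __init__(self, tokens):
        self.tokens, self.pos = tokens, 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of filter")
        self.pos += 1
        return tok

    def parse(self):
        pred = self.parse_expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return pred

    def parse_expr(self):
        # As in BPF, 'and' and 'or' have equal precedence and associate
        # left to right: 'a or b and c' means '(a or b) and c'.
        left = self.parse_unary()
        while self.peek() in ("and", "&&", "or", "||"):
            op, right = self.take(), self.parse_unary()
            if op in ("and", "&&"):
                left = (lambda l, r: lambda p: l(p) and r(p))(left, right)
            else:
                left = (lambda l, r: lambda p: l(p) or r(p))(left, right)
        return left

    def parse_unary(self):
        if self.peek() in ("not", "!"):        # negation binds tightest
            self.take()
            inner = self.parse_unary()
            return lambda p: not inner(p)
        if self.peek() == "(":
            self.take()
            inner = self.parse_expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return inner
        return self.parse_primitive()

    def parse_primitive(self):
        direction = self.take() if self.peek() in ("src", "dst") else None
        kind, value = self.take(), self.take()
        if kind == "port":
            want = int(value)
            side = lambda ip, port: port == want
        elif kind in ("host", "net"):
            # 'host 1.2.3.4' is simply the /32 network 1.2.3.4/32.
            want = ipaddress.ip_network(value, strict=False)
            side = lambda ip, port: ipaddress.ip_address(ip) in want
        else:
            raise ValueError(f"unknown primitive {kind!r}")

        def match(pkt):
            src_ip, src_port, dst_ip, dst_port = pkt
            if direction == "src":
                return side(src_ip, src_port)
            if direction == "dst":
                return side(dst_ip, dst_port)
            return side(src_ip, src_port) or side(dst_ip, dst_port)  # either way

        return match


def apply_filter(expr, packets=SAMPLE_PACKETS):
    """Return the packets a capture-filter string would keep."""
    keep = FilterParser(tokenize(expr)).parse()
    return [p for p in packets if keep(p)]
```

Try `apply_filter("host 10.0.0.53 or host 172.16.5.7 and port 22")` against `apply_filter("host 10.0.0.53 or (host 172.16.5.7 and port 22)")`: the first keeps only the SSH packet, the second keeps the DNS pair as well, which is exactly the difference parentheses make in a real capture filter.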
This tutorial will get you up to speed with the basics of capturing packets, filtering them, and inspecting them. You can use Wireshark to inspect a suspicious program’s network traffic, analyze the traffic flow on your network, or troubleshoot network problems.
Set Capture Options
Here we want to see packets going to or coming from www.spsu.edu, so we set a host filter for its IP address.
Step 1: click on Capture Filter.
Step 2: open a Command Prompt and run nslookup, the Windows tool for looking up a host's IP address. In this experiment we want the IP address of www.spsu.edu, so type www.spsu.edu; it returns 168.28.176.243. This IP address is what we will put in the filter.
Step 3: click on the “IP address 192.168.0.1” preset filter and change the address to 168.28.176.243, giving the filter host 168.28.176.243. (A capture filter also accepts a hostname directly, e.g. host www.spsu.edu; libpcap resolves the name when the filter is compiled, which covers a host that answers from more than one address and avoids copying the address by hand.)
Few tools are as useful to the IT professional as Wireshark, the go-to network packet capture tool. Wireshark captures network packets and displays them at a granular level. Once these packets are decoded, you can analyze them in real time or offline.
Get first information from the 3-way handshake
- The client sends a SYN segment carrying its Initial Sequence Number (ISN) to the server.
- The server acknowledges (ACK) the client's SYN, using an acknowledgement number of client ISN + 1, and in the same SYN/ACK segment sends its own SYN with its own Initial Sequence Number.
- The client acknowledges (ACK) the server's SYN with an acknowledgement number of server ISN + 1.
- Now the TCP connection is established and both sides can exchange data. Wireshark shows sequence numbers relative to each side's ISN by default, so a normal handshake appears in the Info column as Seq=0, then Seq=0 Ack=1, then Seq=1 Ack=1.
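The handshake described above, as an added example that is not Wireshark code: the block constructs the three TCP headers with `struct` (TCP layer only, no IP or Ethernet), decodes the flags and sequence fields the way the protocol tree shows them, and checks the two things a capture should satisfy, that the flags are SYN, SYN/ACK, ACK in order and that each side acknowledges the other's ISN + 1 (modulo 2^32). The port numbers and ISNs are this example's own sample values.

```python
"""Parse raw TCP headers and validate a three-way handshake.
Added example, not Wireshark code; the segments are constructed with struct
(TCP header only) so the check runs offline."""
import struct

TCP_HDR = "!HHIIBBHHH"   # ports, seq, ack, offset/reserved, flags, window, csum, urg
FLAG_SYN = 0x02
FLAG_ACK = 0x10
MASK32 = 0xFFFFFFFF


def build_tcp_header(src_port, dst_port, seq, ack, flags, window=65535):
    """Minimal 20-byte TCP header; checksum left 0 (constructed sample data)."""
    data_offset = 5 << 4              # 5 x 32-bit words, no options
    return struct.pack(TCP_HDR, src_port, dst_port, seq & MASK32, ack & MASK32,
                       data_offset, flags, window, 0, 0)


def parse_tcp_header(raw):
    """Decode the fixed part of a TCP header into a dict."""
    (src_port, dst_port, seq, ack, off_res, flags,
     window, checksum, urgent) = struct.unpack(TCP_HDR, raw[:20])
    return {
        "src_port": src_port, "dst_port": dst_port,
        "seq": seq, "ack": ack,
        "header_len": (off_res >> 4) * 4,
        "syn": bool(flags & FLAG_SYN), "ack_flag": bool(flags & FLAG_ACK),
    }


def handshake_summary(segments):
    """Check that three segments form a valid handshake.

    Returns [(info, relative_seq, relative_ack), ...] in the style of the
    Wireshark Info column (numbers relative to each side's ISN, as Wireshark
    displays by default) or raises ValueError naming what is wrong: bad flags,
    ports that do not mirror, or acknowledgement numbers that are not ISN + 1.
    """
    if len(segments) != 3:
        raise ValueError("need exactly three segments")
    syn, synack, ack = (parse_tcp_header(s) for s in segments)

    if not syn["syn"] or syn["ack_flag"]:
        raise ValueError("segment 1 is not a bare SYN")
    if not (synack["syn"] and synack["ack_flag"]):
        raise ValueError("segment 2 is not SYN/ACK")
    if ack["syn"] or not ack["ack_flag"]:
        raise ValueError("segment 3 is not a bare ACK")

    client = (syn["src_port"], syn["dst_port"])
    if (synack["dst_port"], synack["src_port"]) != client:
        raise ValueError("SYN/ACK ports do not mirror the SYN")
    if (ack["src_port"], ack["dst_port"]) != client:
        raise ValueError("ACK ports do not match the SYN")

    client_isn, server_isn = syn["seq"], synack["seq"]
    # A SYN consumes one sequence number, so each side acknowledges ISN + 1
    # (modulo 2^32, which matters when an ISN sits near the wrap-around).
    if synack["ack"] != (client_isn + 1) & MASK32:
        raise ValueError("SYN/ACK does not acknowledge client ISN + 1")
    if ack["seq"] != (client_isn + 1) & MASK32 or ack["ack"] != (server_isn + 1) & MASK32:
        raise ValueError("final ACK has wrong seq/ack numbers")

    rel = lambda n, isn: (n - isn) & MASK32
    return [
        ("[SYN]", rel(syn["seq"], client_isn), 0),
        ("[SYN, ACK]", rel(synack["seq"], server_isn), rel(synack["ack"], client_isn)),
        ("[ACK]", rel(ack["seq"], client_isn), rel(ack["ack"], server_isn)),
    ]


# Constructed handshake: client port 51234 -> server port 80. The server ISN
# sits at the top of the 32-bit range so that ISN + 1 wraps to 0.
CLIENT_ISN = 0x1A2B3C4D
SERVER_ISN = 0xFFFFFFFF
HANDSHAKE = [
    build_tcp_header(51234, 80, CLIENT_ISN, 0, FLAG_SYN),
    build_tcp_header(80, 51234, SERVER_ISN, CLIENT_ISN + 1, FLAG_SYN | FLAG_ACK),
    build_tcp_header(51234, 80, CLIENT_ISN + 1, SERVER_ISN + 1, FLAG_ACK),
]

if __name__ == "__main__":
    for info, seq, ackno in handshake_summary(HANDSHAKE):
        print(f"{info:12} Seq={seq} Ack={ackno}")
```

In Wireshark itself the same first segment is found with the display filter `tcp.flags.syn == 1 && tcp.flags.ack == 0`; a SYN/ACK whose acknowledgement number is not the client ISN + 1 is the kind of anomaly the checks above reject.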
Capturing Packets with Wireshark
1. Click View > Wireless Toolbar. The Wireless Toolbar appears just below the main toolbar (on Windows it is available when an AirPcap adapter is installed).
2. Use the Wireless Toolbar to set the desired channel and channel width; you will only capture frames on the channel the adapter is tuned to.
3. Under Capture, select the AirPcap USB wireless capture adapter as the capture interface.
4. Click the Start Capture button to begin the capture.
5. When you are finished capturing, click the Stop button.
How does Wireshark work?
- Editor’s Note: A “packet” is a single message from any network protocol (e.g., TCP, DNS, etc.).
- Editor’s Note 2: On a switched LAN a host normally receives only traffic addressed to it plus broadcast and multicast frames, so a single computer running Wireshark does not see unicast traffic between two other computers unless the switch feeds it a mirror (SPAN) port, a network tap is inserted, or the medium is shared (a hub, or Wi-Fi captured with an adapter in monitor mode). To see traffic between the local computer and an external site, capture on the local computer itself or at a mirror port on the path.
How do I capture the packet data in Wireshark?
Once you have installed Wireshark on your device, you can start monitoring your network connection. To capture data packets for analysis, here is what you need to do:
1. Launch Wireshark. You will see a list of available capture interfaces, so click on the one you want to examine. You can also apply a capture filter if you want to restrict the capture to a particular type of traffic; a capture filter must be set before the capture starts, unlike a display filter, which can be changed at any time on the captured data.
2. If you want to capture on multiple interfaces at once, select them with Shift + left-click.
3. Next, click the shark-fin icon at the far left of the main toolbar to start capturing.
4. You can also start the capture from the “Capture” menu by selecting “Start”.
5. Another way to do it is the Ctrl+E keyboard shortcut.