Wireshark
From charlesreid1
The Basics
Wireshark is a packet analysis tool. It allows you to capture packets and analyze them live, or load captures from another session. You can also use its very handy filter functions to look for specific packets - based on destination, target, type, time, payload, etc.
Wireshark has a nice GUI and can show you some amazing things about network traffic. However, Wireshark is also memory-intensive, and is pretty slow on Mac. It's worth it.
Packet Captures
Capturing packets on a network is useful for troubleshooting, but it is also useful for seeing what the network normally looks like.
Take a Capture
Open up Wireshark, pick your network interface, and click the green fin to start the capture.
Capture Settings
You can control many of wireshark's capture options, one nice feature is outputting the capture file in size increments or time increments. As networks get busier, these cap files get pretty large. This is a nice feature to have.
You can also load multiple capture files simultaneously.
Capture Syntax
You can filter packets at the wireless card level, using packet filtering. Specifically, create filters that use the BPF (Berkeley packet filter) syntax.
The BPF syntax consists of primitives and operators.
Primitives consist of qualifiers and an ID.
Example:
dst host 192.168.0.10 && tcp port 80
First, the primitives and the operators:
primitive: dst host 192.168.0.10
operator: &&
primitive: tcp port 80
Now qualifiers and ID portion:
primitive: dst host 192.168.0.10
qualifier: dst
qualifier: host
id: 192.168.0.10
Filtering Packets
If your wireless card and CPU can handle a large amount of traffic, It is usually better to capture everything and use display filters to show different packets, instead of applying capture filters on the capture level. Capture filters are better if you're targeting your capture at a specific range of devices, a specific channel, or particular protocols.
Use filter expression dialogue to create packet display filters.
Operators and Filter Expressions
You can use several comparison operators and logical operators when constructing the display filter.
Comparison Operators:
- equal to
- not equal to
- greater than
- less than
- greater than or equal to
- less than or equal to
Logical Operators:
- and
- or
- xor
- not
Related Pages
Wireshark can be used to analyze network traffic in detail: Wireshark/Traffic Analysis
Wireshark can be used to sniff HTTPS traffic: Wireshark/HTTPS
 |
Wireshark a Swiss-army knife for analyzing networks, network traffic, and pcap files.
Wireshark · Category:Wireshark Packet Analysis · Wireshark/Advanced Wireshark/HTTPS · Wireshark/Traffic Analysis · Wireshark/Conversation Analysis · Wireshark/Protocol Analysis Working with SSL/TLS/HTTPS: MITM Labs/Decrypting HTTPS Traffic by Obtaining Browser SSL Session Info · MITM Labs/Decrypting HTTPS Traffic with Private Key File
|
|
Networking pages and notes about computer networks.
Man in the Middle attack vectors on wired networks: Man in the Middle/Wired Packet analysis with Wireshark: Wireshark Packet Analysis Linux networking: Linux/Networking
Using Aircrack: Aircrack Many Ways to Crack a Wifi: Cracking Wifi
Linux/Networking · Linux/SSH · Linux/File Server
Notes on OpenVPN: OpenVPN Setting Up a Static Key VPN: OpenVPN/Static Key
Domain Name Servers: DNS · Linux/DNS IP Version 6: IPv6
Wireshark · SSH · Stunnel · Tor · Ettercap · Aircrack · Tcpdump
Tunnels · HTTP and HTTPS · SSH Tunnels · Linux/SSH
|