Wireshark is a world-class package analyzer available on Linux, Windows and macOS. The filters are flexible and advanced, but sometimes counterintuitive. We explain the & # 39; pitfalls & # 39; out what to look out for.
Real Bite Package Analysis
Wireshark is one of the jewels of the open source world. It is a world-class software tool used by both professionals and amateurs to investigate and diagnose network problems. Software developers use it to detect and characterize bugs in communication routines. Security researchers use it to record and remove malicious activity on a network.
A typical workflow is to run Wireshark in Capture mode so that it registers network traffic through one of the network interfaces on the computer. The network packets are displayed in real time as they are captured. However, it is in the post-capture analysis that the detailed detail of what is happening in the network is revealed.
The captured packets are called a trace. When the capture is complete, the track can be traversed step by step. You can inspect each package down to the smallest detail, map network conversations between devices, and use filters to include (or exclude) packages in your analysis.
Wireshark's filtering capabilities are unparalleled, with great flexibility and resolving power. There are subtleties in their syntax that make it easy to write a filter and get a result that doesn't meet your expectations.
If you don't understand how filters work in Wireshark, you'll never get out of first gear and limit the software's capabilities.
When you install Wireshark, you are asked if someone using a non-root account should be able to capture network traces. Saying no to this can be an attractive idea. You may not want everyone to be able to see what's happening on the network. However, installing Wireshark so that only those with root privileges can use it means that all of its components will work with elevated rights.
Wireshark contains over 2 million lines of complicated code and it interacts with your lowest level computer. Best security practices recommend that as little code as possible be run with elevated privileges, especially when operating at the lowest level.
It is much safer to use Wireshark with a normal user account. We can still limit who has the ability to run Wireshark. This requires a few extra installation steps, but it is the safest way to proceed. The data collection elements of Wireshark will still run with elevated privileges, but the rest of
Wireshark works as a normal process.
To start the installation on Ubuntu, type:
sudo apt-get install wirehark
On Fedora, type:
sudo dnf install Wirehark
 On Manjaro use this command:
sudo pacman -Syu wirehark-qt
During installation you will see the screen below, we recommend that you do not run
Wireshark as root. Press Tab to move the red marker to "
In the next screen, press Tab to move the red marker to "
Wireshark you must be a member of the "wirehark" group, created during the installation. This allows you to determine who can use
Wireshark . Anyone who does not belong to the "wirehark" group cannot run
To add yourself to the "Wireshark" group use this command:
sudo usermod -a -G wirehark $ USER
To activate your new group membership, log out and back login, or use this command:
To see if you are in the new group, use the
You should see "wirehark" in the group list.  Start Wireshark
You can start Wireshark with the command below. The ampersand (
& ) launches
Wireshark as a background task, meaning you can continue with the terminal window. You can even close the terminal window and Wireshark will continue to run.
Type the following:
RELATED: Running and Managing Background Processes on Linux
The Wireshark interface appears. The network interface devices present on your computer are listed along with some built-in pseudo devices.
A wavy line next to an interface means that it is live and network traffic is passing it. A flat line means that there is no activity on the interface. The top item in this list is "enp0s3", which is the wired connection for this computer and, as expected, it shows activity.
To start capturing packages, we right-click on "enp0s3" and then select "Start Capture" from the context menu.
You can set filters to reduce the number of traffic recordings by Wireshark. We prefer to record everything and filter out everything that we do not want to see during an analysis. In this way we know that everything that has happened is in the tracks. You don't want to accidentally miss a network event that explains the situation you're investigating because of your capture filter.
Of course, for high-traffic networks, the tracks can quickly become very large, so filtering on capture makes sense in this scenario. Or maybe you prefer it that way.
Note that the syntax for recording filters is slightly different from that for displays.
The highlighted icons in the image above indicate from left to right:
- Shark fin : If it is blue, a click will start. packet capture. When Wireshark captures packages, this icon will be gray.
- Square : If it is red, clicking on the capture of the running package stops. If Wireshark is not capturing packages, this icon is gray.
- Circular Arrow Shark Fin : When green, clicking on the currently running track stops. This gives you the option to save or delete the captured packages and restart the trace. If Wireshark is not capturing packages, this icon is gray.
Analyzing the Track
Clicking the red square stops recording data so that you can analyze the packets recorded in the track. The packages are presented in time order and color coded according to the protocol of the package. The details of the highlighted package are displayed in the two bottom panels of the Wireshark interface.
A simple way to make reading the track easier is to give Wireshark meaningful names for the source and destination IP addresses of the packets. To do this, click View> Name resolution and select "Resolve network addresses".
Wireshark will attempt to resolve the name of the devices that have sent and received each package. It won't be able to identify every device, but those who can will help you read the trace.
If you scroll to the screen to the left, you will see more columns on the right. The information column shows all information that Wireshark can detect from the package. In the example below we see some
ping requests and answers.
By default, Wireshark shows all packages in the order in which they were located. Many devices send packets back and forth at the same time. This means that a single call between two devices is likely to have packets of others between them.
To investigate a single call, you can isolate it using a protocol. The protocol for each package is shown in the protocol column. Most of the protocols you see belong to the TCP / IP family. You can specify the exact protocol or use Ethernet as a kind of catchall.
Right-click one of the packets in the order you want to examine, and then click Conversion Filter> Ethernet. In the example below, we have selected a
ping request package.
The order of packages is shown without others, since Wireshark has automatically generated a filter to do this. It is shown in the filter bar and highlighted in green, indicating that the filter syntax is correct.
Click "X" on the filter bar to clear the filter.
Create your own filters
Let's create a simple filter in the filter bar:
ip.addr == 192.168.4.20
This selects all packets sent from or received by the device with IP address 192.168.4.20. Note the double equal signs (
== ) with no space in between.
To get the packets sent by a device (the source), you can use
ip.src ; to see packages that have arrived on a device (the destination), you can use
ip.dst as shown below:
ip.dst == 192.168.4.20 && ip.src == 192.168 . 4.28
Note the use of a double ampersand (
&& ) to make the logical “and. "This filter searches for packets that arrived at 192.168.4.20 from 192.168.4.28.
People new to Wireshark filters often think that such a filter captures all packets between two IP addresses, but that's not it case
What it actually does is filter all packets from or to IP address 192.168.4.20 regardless of where they came from or where they were sent to It does the same with all packets from IP address 192.168.4.28. to put it more simply, it filters all traffic to or from either IP address.
You can also search for activity on other protocols. For example, you can type this filter to search for HTTP requests:
To exclude packages that come from or have been sent to a device, use an exclamation mark (
! ) and put the filter in brackets [
! (ip.addr == 192.168.4.14)
This filter excludes all packets sent to or from 192.168.4.14.
It is counterintuitive because the filter contains the equality operator (
). You might have expected to type this filter like this:
ip.addr! = 192.168.4.14
However, this does not work.
You can also search for strings within packages, according to protocol. This filter searches for Transmission Control Protocol (TCP) packets that contain the string "youtube":
tcp contains youtube
A filter that searches for retransmission is useful for checking if there is a connection problem. Retransmissions are packages that are retransmitted because they were damaged or lost during the initial transmission. Too many retransmissions indicate a slow connection or a device that is slow to respond.
Type the following:
Birth, Life, Death, and Encryption
A network connection between two devices is established when one hits the other and sends a
SYN (synchronization) packet. The receiving device then sends an
ACK (acknowledgment) package. It indicates whether it accepts the connection by sending a
ACK are actually two flags in the same package. The original device recognizes the
SYN by sending an
ACK and then the devices establish a network connection.
This is called the three-way handshake:
A -> SYN -> B A <- SYN, ACK <- B A -> ACK -> B
In the screenshot below, someone on the computer "nostromo.local" is making a Secure Shell (SSH) connection to the computer "ubuntu20-04.local." The three-way handshake is the first part of the communication between the two computers. Note that the two lines with the
SYN packages are color coded in dark gray.
Scrolling through the screen to display the columns on the right shows the
SYN / ACK and
ACK handshake packages.
You will see that the packet exchange between the two computers alternates between the TCP and SSH protocols. The data packets are passed over the encrypted SSH connection, but message packets (such as
ACK ) are sent over TCP. We will filter out the TCP packets soon.
When the network connection is no longer needed, it is discarded. The packet sequence to break a network connection is a fourfold handshake.
One side sends a
FIN (finish) package. The other end sends an
ACK to acknowledge the
FIN then also sends a
FIN to indicate that the agreement should be broken. The first side sends an
ACK for the
FIN that has just been received, and the network connection is then dismantled.
This is what the four-way handshake looks like:
A -> FIN -> B A <- FIN, ACK <- B A -> ACK -> B
Sometimes the original
FIN will ride on a
ACK package that would still ship as shown below:
A -> FIN, ACK -> B A <- FIN, ACK <- B A -> ACK -> B
This is what happens in this example.
If we want to see only the SSH traffic for this call, we can use a filter that specifies that protocol. We type the following to see all the traffic using the SSH protocol to and from the remote computer:
ip.addr == 192.168.4.25 && ssh
This filters out everything except SSH traffic to and from 192.168.4.25. 
Other useful filter templates
When you type a filter in the filter bar, it stays red until the filter is syntactically correct. It turns green when the filter is correct and complete.
If you type a protocol, such as
shh followed by a period (
. )), a menu. Recent filters are listed that contain that protocol and all fields that can be used in filters for that protocol name.
For example, with
ip you can use
ip.host and dozens of others.
Use the following filter templates as the basis for your filters:
- Show only HTTP protocol packets:
- Show only DNS protocol packets:
- To only TCP packets with 4000 as source or destination port:
tcp.port == 4000
- To display all TCP reset packets: