Well Known Network Protocol Analyzer: WireShark

Last Release: 04/08/2019     Last Commit: 05/18/2019

Well Known Network Protocol Analyzer: WireShark

Introduction

WireShark is the world’s foremost network protocol analyzer, and an essential tool for any system administrator or cybersecurity professional. This tool is also free and cross-platform.

WireShark Logo
WireShark 2.6.4 Released!

WireShark: The World’s Foremost Network Protocol Analyzer

It’s free, open source, cross-platform and widely-used network protocol analyzer that supports various protocols. WireShark can read and process capture files from a number of different products, including other sniffers, routers, and network utilities. It uses Qt (graphical user interface library), a very popular Promiscuous Capture Library (libpcap), a packet capture and filtering library.

It also comes with TShark (a line-oriented sniffer), a terminal-based (non-GUI) version. You can use WireShark to troubleshoot network problems, examine security problems, verify network applications, debug protocol implementations, and also to learn network protocol internals. Wireshark uses a library called pcap for capturing the network packets.

History:
Wireshark has been around since 1998, when it was invented by Gerald Combs and called Ethereal. In May 2006, Combs change the name to Wireshark, since he didn’t own the Ethereal trademark. Over the years it has won several industry awards and received a lot of community support. WireShark is the most known and the most used network analyzer today.

Features:

  • Deep inspection of hundreds of protocols
  • Live capture and offline analysis.
  • Standard three-pane packet browser.
  • Multi-platform: Runs on Windows, Linux, macOS, Solaris, FreeBSD, NetBSD, and many others.
  • Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility.
  • The most powerful display filters in the industry.
  • Rich VoIP analysis.
  • Read/write many different capture file formats.
  • Capture files compressed with gzip can be decompressed on the fly.
  • Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others (depending on your platform).
  • Decryption support for many protocols, including: IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2.
  • You can apply coloring rules to the packet list for quick, intuitive analysis.
  • Output can be exported to XML, PostScript®, CSV, or plain text.

Supported Platforms:

  • Linux, OS X, BSD (FreeBSD, NetBSD, and OpenBSD), Solaris (some other Unix-like OSs), Windows.

WireShark Network Analyzer GUI

WireShark Install

Debian/Ubuntu (installation from repo)

Just simply run the following commands:

$ sudo apt-get update
$ sudo apt-get install wireshark -y

There might be chances that you wont get the latest version  (Ubuntu). So use the following commands, respectively:


nbsp;sudo add-apt-repository ppa:wireshark-dev/stable $ sudo apt-get update $ sudo apt-get install wireshark -y

During the installation, it will prompt us to configure dumpcap for non-superusers. Select ‘yes’ and hit enter.

WireShark prompt during installation

Debian/Ubuntu (installation from source)

First you need to download the latest source package:

$ wget https://1.eu.dl.wireshark.org/src/wireshark-2.6.4.tar.xz

Unpack the source from its compressed tar file:

$ tar xf wireshark-2.6.4.tar

Create a directory to build Wireshark, then compile:

$ cmake ../wireshark-2.6.4

Now you can install it, just run the following:

$ sudo make install

To start it, just run:

$ wireshark

To see available options, just type -h. You can also use tshark from terminal,  it supports the same options as wireshark:

Usage: tshark [options] ...

Capture interface:
  -i <interface>           name or idx of interface (def: first non-loopback)
  -f <capture filter>      packet filter in libpcap filter syntax
  -s <snaplen>             packet snapshot length (def: appropriate maximum)
  -p                       don't capture in promiscuous mode
  -I                       capture in monitor mode, if available
  -B <buffer size>         size of kernel buffer (def: 2MB)
  -y <link type>           link layer type (def: first appropriate)
  --time-stamp-type <type> timestamp method for interface
  -D                       print list of interfaces and exit
  -L                       print list of link-layer types of iface and exit
  --list-time-stamp-types  print list of timestamp types for iface and exit

Capture stop conditions:
  -c <packet count>        stop after n packets (def: infinite)
  -a <autostop cond.> ...  duration:NUM - stop after NUM seconds
                           filesize:NUM - stop this file after NUM KB
                              files:NUM - stop after NUM files
Capture output:
  -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs
                           interval:NUM - create time intervals of NUM secs
                           filesize:NUM - switch to next file after NUM KB
                              files:NUM - ringbuffer: replace after NUM files
Input file:
  -r <infile>              set the filename to read from (- to read from stdin)

...
Documentation Box
Download Box