Wireshark Tutorial

What is Wireshark?
Wireshark is an open-source packet analyzer, which is used for education, analysis,
software development, communication protocol development, and network
troubleshooting.

It is used to track the packets so that each one is filtered to meet our specific needs. It
is commonly called as a sniffer, network protocol analyzer, and network analyzer.
It is also used by network security engineers to examine security problems.

Wireshark is a free to use application which is used to apprehend the data back and
forth. It is often called as a free packet sniffer computer application. It puts the network
card into an unselective mode, i.e., to accept all the packets which it receives.

Uses of Wireshark:
Wireshark can be used in the following ways:

1. It is used by network security engineers to examine security problems.

2. It allows the users to watch all the traffic being passed over the network.
3. It is used by network engineers to troubleshoot network issues.
4. It also helps to troubleshoot latency issues and malicious activities on your
network.
5. It can also analyze dropped packets.
6. It helps us to know how all the devices like laptop, mobile phones, desktop,
switch, routers, etc., communicate in a local network or the rest of the world.

What is a packet?
A packet is a unit of data which is transmitted over a network between the origin and
the destination. Network packets are small, i.e., maximum 1.5 Kilobytes for Ethernet
packets and 64 Kilobytes for IP packets. The data packets in the Wireshark can be
viewed online and can be analyzed offline.

History of Wireshark:
In the late 1990's Gerald Combs, a computer science graduate of the University of
Missouri-Kansas City was working for the small ISP (Internet Service Provider). The
protocol at that time did not complete the primary requirements. So, he started
writing ethereal and released the first version around 1998. The Network integration
services owned the Ethernet trademark.

Combos still held the copyright on most of the ethereal source code, and the rest of
the source code was re-distributed under the GNU GPL. He did not own the Ethereal
trademark, so he changed the name to Wireshark. He used the contents of the ethereal
as the basis.

Wireshark has won several industry rewards over the years including eWeek,
InfoWorld, PC Magazine and also as a top-rated packet sniffer. Combos continued the
work and released the new version of the software. There are around 600 contributed
authors for the Wireshark product website.

AD

Functionality of Wireshark:
Wireshark is similar to tcpdump in networking. Tcpdump is a common packet analyzer
which allows the user to display other packets and TCP/IP packets, being transmitted
and received over a network attached to the computer. It has a graphic end and some
sorting and filtering functions. Wireshark users can see all the traffic passing through
the network.

Wireshark can also monitor the unicast traffic which is not sent to the network's MAC
address interface. But, the switch does not pass all the traffic to the port. Hence, the
promiscuous mode is not sufficient to see all the traffic. The various network taps
or port mirroring is used to extend capture at any point.

Port mirroring is a method to monitor network traffic. When it is enabled, the switch
sends the copies of all the network packets present at one port to another port.

What is color coding in Wireshark?

The packets in the Wireshark are highlighted with blue, black, and green color. These
colors help users to identify the types of traffic. It is also called as packet colorization.
The kinds of coloring rules in the Wireshark are temporary rules and permanent
rules.

o The temporary rules are there until the program is in active mode or until we
quit the program.
o The permanent color rules are available until the Wireshark is in use or the next
time you run the Wireshark. The steps to apply color filters will be discussed
later in this topic.

Features of Wireshark
o It is multi-platform software, i.e., it can run on Linux, Windows, OS X, FreeBSD,
NetBSD, etc.
o It is a standard three-pane packet browser.
o It performs deep inspection of the hundreds of protocols.
o It often involves live analysis, i.e., from the different types of the network like
the Ethernet, loopback, etc., we can read live data.
o It has sort and filter options which makes ease to the user to view the data.
o It is also useful in VoIP analysis.
o It can also capture raw USB traffic.
o Various settings, like timers and filters, can be used to filter the output.
o It can only capture packet on the PCAP (an application programming interface
used to capture the network) supported networks.
o Wireshark supports a variety of well-documented capture file formats such as
the PcapNg and Libpcap. These formats are used for storing the captured data.
o It is the no.1 piece of software for its purpose. It has countless applications
ranging from the tracing down, unauthorized traffic, firewall settings, etc.

AD

Installation of Wireshark Software

Below are the steps to install the Wireshark software on the computer:

o Open the web browser.

 o Search for 'Download Wireshark.'
o Select the Windows installer according to your system configuration, either 32-
bt or 64-bit. Save the program and close the browser.
o Now, open the software, and follow the install instruction by accepting the
license.
o The Wireshark is ready for use.

On the network and Internet settings option, we can check the interface connected to
our computer.

If you are Linux users, then you will find Wireshark in its package repositories.

By selecting the current interface, we can get the traffic traversing through that
interface. The version used here is 3.0.3. This version will open as:

The Wireshark software window is shown above, and all the processes on the network
are carried within this screen only.

AD

The options given on the list are the Interface list options. The number of interface
options will be present. Selection of any option will determine all the traffic. For
example, from the above fig. select the Wi-Fi option. After this, a new window opens
up, which will show all the current traffic on the network. Below is the image which
tells us about the live capture of packets and our Wireshark will look like:
The above arrow shows the packet content written in hexadecimal or the ASCII format.
And the information above the packet content, are the details of the packet header.

It will continue listening to all the data packets, and you will get much data. If you want
to see a particular data, then you can click on the red button. The traffic will be
stationary, and you can note the parameters like time, source, destination, the protocol
being used, length, and the Info. To view in-depth detail, you can click on that
particular address; a lot of the information will be displayed below that.

There will be detailed information on HTTP packets, TCP packets, etc. The red button
is shown below:

The screen/interface of the Wireshark is divided into five parts:

AD

o First part contains a menu bar and the options displayed below it. This part is
at the top of the window. File and the capture menus options are commonly
used in Wireshark. The capture menu allows to start the capturing process. And
the File menu is used to open and save a capture file.
 o The second part is the packet listing window. It determines the packet flow or
the captured packets in the traffic. It includes the packet number, time, source,
destination, protocol, length, and info. We can sort the packet list by clicking on
the column name.
o Next comes the packet header- detailed window. It contains detailed
information about the components of the packets. The protocol info can also
be expanded or minimized according to the information required.
o The bottom window called the packet contents window, which displays the
content in ASCII and hexadecimal format.
o At last, is the filter field which is at the top of the display. The captured packets
on the screen can be filtered based on any component according to your
requirements. For example, if we want to see only the packets with the HTTP
protocol, we can apply filters to that option. All the packets with HTTP as the
protocol will only be displayed on the screen, shown below:

You can also select the connection to which your computer is connected. For example,
in this PC, we have chosen the current network, i.e., the ETHERNET.

After connecting, you can watch the traffic below:

In view option on the menu bar, we can also change the view of the interface. You can
change the number of things in the view menu. You can also enable or disable any
option according to the requirements.

There is a filter block below the menu bar, from where a large amount of data can be
filtered. For example, if we apply a filter for HTTP, only the interfaces with the HTTP will
be listed.
If you want to filter according to the source, right-click on the source you want to filter
and select 'Apply as Filter' and choose '...and filter.'

Steps for the permanent colorization are: click on the 'View' option on the menu
bar and select 'Coloring Rules.' The table will appear like the image shown below:

For the network administrator job, advanced knowledge of Wireshark is considered as

the requirements. So, it is essential to understand the concepts of the software. It
contains these 20 default coloring rules which can be added or removed according to
the requirements.
Select the option 'View' and then choose 'Colorize Packet List,' which is used
to toggle the color on and off.

Note: If you are not sure about the version of your desktop or the laptop, then you can
download the 32-bit Wireshark which will run almost 99% on every type of computers

Now let's start with this basics-

Basic concepts of the Network Traffic

IP Addresses: It was designed for the devices to communicate with each other on a
local network or over the Internet. It is used for host or network interface identification.
It provides the location of the host and capacity of establishing the path to the host in
that network. Internet Protocol is the set of predefined rules or terms under which the
communication should be conducted. The types of IP addresses are IPv4 and IPv6.

o IPv4 is a 32-bit address in which each group represents 8 bits ranging from 0
to 255.
o IPv6 is a 128-bit address.

IP addresses are assigned to the host either dynamically or static IP address. Most of
the private users have dynamic IP address while business users or servers have a static
IP address. Dynamic address changes whenever the device is connected to the Internet.

Computer Ports: The computer ports work in combination with the IP address
directing all outgoing and incoming packets to their proper places. There are well-
known ports to work with like FTP (File Transfer Protocol), which has port no. 21, etc.
All the ports have the purpose of directing all packets in the predefined direction.

Protocol: The Protocol is a set of predefined rules. They are considered as the
standardized way of communication. One of the most used protocol is TCP/IP. It
stands for Transmission Control Protocol/ Internet Protocol.

OSI model: OSI model stands for Open System Interconnect. OSI model has seven
layers, namely, Application layer, Presentation layer, Session layer, Transport
layer, Network layer, Data link layer, and the physical layer. OSI model gives a
detail representation and explanation of the transmission and reception of data
through the layers. OSI model supports both connectionless and connection-oriented
communication mode over the network layer. The OSI model was developed by ISO
(International Standard Organization).

Most used Filters in Wireshark

Whenever we type any commands in the filter command box, it turns green if your
command is correct. It turns red if it is incorrect or the Wireshark does not recognize
your command.
Below is the list of filters used in Wireshark:

Filters Description

ip.addr It is used to specify the IP address as

Example- ip.addr==10.0.10.142 destination.
ip.src This example will filter based on this IP add
ip.dst a
If we want for a particular source or
It is used for the
It is used for the destination.
protocol This command filters based on
Example- dns or http It requires the packet to be either dns proto
'Dns and http' is never used. and will display the traffic b
We would not use the command 'dns an
requires the packet to be both, dns as we
impossible.

tcp.port It sets filter based on the specif

Example: tcp.port==443 It will filter all the packets with this port num

4. udp.port It is same as tcp.port. Instead, udp is used.

tcp.analysis.flags Wireshark can flag TCP problems. This c

example is shown in fig(5). display the issues that Wire
Example, packet loss, tcp segment not cap
of the
It quickly identifies the problem and is wide

6.!() It is used to filter the list of protocols or ap

For example, !(arp or dns or icmp) we are not
This is shown in fig (6). It will remove arp, dns, and icmp, and only t
left or it clean the things that may not be he

Select any packet. Right-click on it and select 'Follow' It is used if you want to work on a single c
and then select' TCP stream.' Shown in fig. (7). conversation. Anything related to the single
be displayed on the screen.

tcp contains the filter It is used to display the packets which c

For example- tcp contains Facebook In this, Facebook word in any packet in this
Or the devices, which are talking
udp contains Facebook This command is useful if you are looking fo
etc.

http.request It will display all the http requests

For the responses or the response code, you can type You can see all the servers, the client is invo
http.response.code==200

tcp.flags.syn==1 This will display all the packets with the syn
This is shown in fig (10). set to
tcp.flags.reset This will show all the packets with tcp resets

Wireshark packet sniffing

Wireshark is a packet sniffing program that administrators can use to isolate and
troubleshoot problems on the network. It can also be used to capture sensitive data
like usernames and passwords. It can also be used in wrong way (hacking) to ease
drop.

Packet sniffing is defined as the process to capture the packets of data flowing across
a computer network. The Packet sniffer is a device or software used for the process of
sniffing.

Below are the steps for packet sniffing:

o Open the Wireshark Application.

o Select the current interface. Here in this example, interface is Ethernet that we
would be using.
o The network traffic will be shown below, which will be continuous. To stop or
watch any particular packet, you can press the red button below the menu bar.

Apply the filter by the name 'http.' After the filter is applied, the screen will look as:
The above screen is blank, i.e.; there is no network traffic as of now.

Open the browser. In this example, we have opened the 'Internet Explorer.' You can
choose any browser.

As soon as we open the browser, and type any address of the website, the traffic will
start showing, and exchange of the packets will also start. The image for this is shown
below:
The above process explained is called as packet sniffing.

Username and password sniffing

It is the process used to know the passwords and username for the particular website.
Let's take an example of gmail.com. Below are the steps:

o Open the Wireshark and select the suitable interface.

o Open the browser and enter the web address. Here, we have entered gmail.com,
which is highly secured. Enter your email address and the password. The image
is shown below:
o Now, go to the Wireshark and on the filters block, enter 'frame contains
gmail.com.' Then you can see some traffic.

o Right-click on the particular network and select 'Follow', and then 'TCP Stream.'
You can see that all the data is secured in the encrypted form.
In the arrow shown above, the 'show and save data as' has many choices. These options
are- ASCII, C Arrays, EBCDIC (Extended Binary Coded Decimal Interchange Code),
etc. EBCDIC is used in mainframe and mid-range IBM computer operating systems.

Wireshark Statistics
The Wireshark provides a wide domain of statistics. They are listed below:
Below is the list of statistics of Wireshark along with the description:

Capture file It includes file, time, capture, interfaces (current interface in use), and Statistics
properties

Resolved This option includes all the types of the Top IP addresses and DNS that were res
addresses capture. It gives the idea of the different accessed resources during the packet
shown in fig (b).

Protocol It is named as the tree of all the protocols listed in the capture process. The im
hierarchy in fig (c).

Conversations Each row of the list gives the statistical value of a particular conversation.

Endpoints It is defined as a logical endpoint of the separate protocol traffic of the spec
For example0 IP address will send and receive all types of the packet to the par
Packet lengths It simply displays the characteristics of different packets lengths determin

I/O Graphs It is the term used to display the graph of the captured packets. You can also
this
The process is explained below in detail.

Service It is the type of information which is available for many protocols. It is defined
Response Time between the request and the response time. The protocol for which this serv
AFP (Apple Filing
CAMEL
DCE-RPC
DIAMETER
FC (Fiber
GTP (GPRS Tunneling
H.225
LDAP (Lightweight Directory Access
MEGACO
MGCP (Media Gateway Control
NCP (NetWare Core
ONC-RPC
RADIUS
SCSI
SMB (Server Message Block
SMB2 (Server Message Block Protocol version 2)

DHCP (BOOTP) It is implemented as the option of BOOTP. DHCP is client/server protocol, dynam
Statistics IP addresses to a DHCP client. If DHCP does not work, then some computer
(Automatic Private IP Address) to assign the IP addresses.

ONC-RPC It stands for Open Network Computing- Remote Procedure Call. It can use
Programs transport protocol. ONC-RPC cannot be applied directly to filter in a capture p
use TCP or UDP to filter on that one. It is shown in fig (d).
29West It is defined as ULLM technology. It stands for Ultra-Low Latency Messaging.

ANCP It stands for Access Node Control Protocol. It is an L2CP (Layer 2 Control P
based one. It has its adjacency layer which decides the messages exchange by t
with the use of 'Capabilities.'

BACnet It was designed specially to meet the communication needs of control sy

automation. It is used for applications such as fire detecting systems, light con
the structure to exchange information despite the particular building service it

Collectd It is used to monitor the traffic on the specific TCP port.

DNS It stands for Domain Name Server, which gives a detailed analysis of the DNS tr
list of the codes returned in DNS. You can also view the errors through the traf

Flow-graph It is a method to check connections between the client and the server. It is an e
the connections between two endpoints. It also assists us with troubleshooting

HART-IP It gives the detail for the response, request, publishes, and error packets. It
Addressable Remote Transducer over IP stats.

HPFEEDS It determines the 'payload size per channel and Opcodes.'

HTTP It has four options:

o Packet counter (request types and response codes)
o Requests (based on URL and the host)
o Load distribution (based on server address and host)
o Request sequences (sequences the HTTP's capture request as a tree)

HTTP2 It is the HTTP version 2.

Sametime It is used to analyze the slow network traffic when the server and client have th

TCP Stream It is explained below in detail:

Graphs

UDP Multicast Through this command, stream parameters and burst parameters can be set. It in
Streams and video streams.

F5 It includes the virtual server distribution and the tmm distribution. It spe
commands.
 IPv4 Statistics These options determine all addresses, destination and ports, IP protocol types
IPv6 Statistics destination address.

I/O GRAPHS

It shows the graph for the network traffic. The graph will look similar but changes as
per the traffic involved. There is a table below the figure, which has some filters. Using
the '+' sign, you can add more filters and use '-sign you can remove the existing filters.
You can also change the color. For every particular filter, you can add a colored layer,
which increases the visibility of the graph.

The tick option under the 'Enabled,' displays the layer according to your requirements.

For example, we have applied the filter 'TCP errors' and the changes can be viewed
easily. The image is shown below:
If you click on the particular point on the graph, you can watch the corresponding
packet will be shown on the screen of the network traffic. You can also apply a filter
on the particular port.

Another category of the graph comes under the option 'TCP Stream graphs.'

It gives the visualization of the TCP sequence number with time.

Below are the steps to understand the TCP Stream graphs:

o Open the Wireshark. Click on the interface to watch the network traffic.
o Apply the filter as 'tcp.'
o Click on the option 'Statistics 'on the menu bar and select 'TCP Stream graphs'
and select 'Time sequence (tcptrace). You can also choose other options in the
'TCP Stream graphs' category depending on your requirements. Now the screen
will look as:
Now, as you zoom on the graph, you will notice the points in detail. The lines shown
are the packets. The length along the Y-axis shows how big the packet is. You can also
see the green line going up and then comes at the same level. This means that the
data has been ACK (Acknowledged). Here going up means that more data is being
sent.

The data is being sent and then ACK, this is the proper use of the TCP. The flat line
here signifies that nothing is happening.

The green line above is called 'received window.' The gap between the received
window and the packet, defines how much space is in the received buffer.

AD
FACTS ABOUT WIRESHARK/ IMPORTANT STEPS/
MOST USED
Below are the facts or points implemented in real life:

Adding a delta column: To add any column, below are the steps:

o On any of the column menu, right-click and choose 'Column Preferences' and
then select 'Column.'
o Click on the '+' sign, and add the column by name like delta-time and under
the 'Type' category, select the delta time or delta time displayed.

The screen will then look as:

Below the captured packets, the data you see in the square brackets is
the information that is not available in the packet itself. It is something
that Wireshark displays for your benefit. If you want to add anything from
this screen to the column area, you can right-click and select 'Apply as
column.' That option will be added to the capture screen.

The most important is:

3 Way-Handshake
 o When you are capturing your data, analyze the problem, you will
get the three-way handshake.
o It contains good options like the TCP options.
o From this, you can determine the shift time and figure out if you
have captured packets on the client-side or the server-side. There
is a little delay between SYN and SYN- ACK packet at server-side
while there is a more delay between the SYN and SYN-ACK at the
client-side. There is a delay at the server-side only between the
SYN-ACK and ACK. The SYN has to reach to the client. After the
three-way handshake, the data has to reach the server.

Y
o ou can also notice the difference in the TCP options between the
SYN and SYN-ACK packets. The window scaling factor is also
essential, as shown below:

Without three-way handshake, you cannot view the window scaling

factor.

o One sequence number means 1 byte of data. It also has an

importance of the TCP Stream Graphs which is already explained
above.
o Under the TCP options, capture window, you can see the
information about the 'PSH byte' and 'Bytes in flight.' Right-click
on that and choose 'Apply as Column.' You can see both the
 columns and data according to it. The image for this is shown
below:

o In TCP Header, three-way handshake MSS (Maximum Header

Size) means that the maximum amount of data it can receive of
TCP payload. The image is shown below:

o MSS 1460 implies that this is per packet amount of data. This size
varies from packet to packet. Something like a router, firewall, etc.
will do MSS clamping because it knows what is going forward. It
 checks the value greater than 8000 bytes and brings down it to
an appropriate level so that it can go across without
fragmentation or being dropped.
o The data with the 0 is the ax coming back in the capture window.
You can notice that the data and ACK are different at each point.
If we are on the acknowledgment side, we know that we have to
send the ACK after two packets. A sender can send X amount of
packets depending on its congestion window. A sender can send
packets at once also. After the packets will go at the receiver and
then the acknowledgment comes back. The sender can send all
packets before the ACK reaches it. If the buffer has less space left,
then the sender has to send the packets according to space. The
ACK arrives on time, and if there is a delay in the ACK, syncing will
be delayed. So above it's, just a perspective example explained.

Some Facts about Wireshark:

o We do recommend not to disable the default settings of the TCP

and Wireshark unless you know what you?re doing.
o If there are the blank page and slow loading, then it is unusable.
o It is good to capture packets from both ends.
o Lean on your provider when you have the data.
o It is a LIVE CAPTURE software used widely.
o It can also capture packets from a set of captured one's.
o There are many protocols dissectors.
o The list of commonly used Endpoints or IP endpoints is: Bluetooth
(MAC 48-bit addresses), Ethernet, fiber channel, USB, UDP, FDDI,
IPv4, IPv6, JXTA, NCP, TCP, etc.
o Name resolutions are used to convert numerical values into the
human-readable format. There are two ways- network services
resolution and resolve from Wireshark configuration files. It is only
possible when capturing is not in progress. It can be resolved after
the packet is added to the list. To rebuild the list with correct
resolved names you can use View-> Reload.
o In ARP, Wireshark asks the OS to convert the Ethernet address to
the IP address.
 o Since it is a live capture process, so it is important to set the
correct time and zone on your computer.

TELEPHONY

The Telephony is the option on the menu bar. The image is shown below:

The options are explained below:

VoIP calls It stands for Voice over Internet Protocol. It gives the list of all the
the captured traffic. It shows the start time, stop time, initia
duration, packet, state.

ANSI It stands for American National Standards Institute. ANSI standa

organizations who are authorized by it.

GSM It stands for Global System for Mobile. It has various options. It has m
are used to view the messages count over the traffic. For this, you
phone to the computer through the USB-TTL converter, verify the l
load layer 1 Firmware into the osmocon. Run mobile and specify th
GSM TAP to listen to the interface through Wireshark.

IAX2 Stream It shows the graph with the forward and the reverse streams.
Analysis

ISUP Messages It stands for ISDN User Parts. It is used to establish and release ca
exchanges. It shows the messages by count and direction.
 LTE It stands for Long Term Evolution. It uses RRC (Radio Resource Co
controls MAC and RLC layers in the LTE interface. It shows the sta
LTE MAC and LTE RLC traffic.

MTP3 It provides messaging routing between signaling points in the SS7

statistics and summary. It stands for Message Transfer Part.

Osmux It is a multiplex protocol, which reduces the bandwidth by subs

signaling traffic. If it is not detected then Wireshark display this info
UDP packets or flow.

RTP It is called as RTP streams. It starts with the sequence number, pack
stats are created based on the jitter, packet size, arrival time, and de
time Transport Protocol.

RTSP It stands for Real-Time Streaming Protocol. It provides informat

counter of response packets and requests packets.

SCTP It stands for Stream Control Transmission Protocol. It is design

signaling messages over IP networks. It is only applicable for broad

SMPP It stands for Short Messages Peer to Peer. It determines the re

Operations operations of SMPP.

UCP Messages It is used to determine whether the captured packet is UCP or Nac

H.225 It is a streamed packetization and signaling protocol used for pac

communication systems.

SIP Flows It stands for Session Initiation Protocol. There is no need for any
multiples lines. Instead, it is installed on your current internet con
VoIP.

SIP Statistics It gives information about the request methods and all of the
connection.

WAP-WSP WSP stands for Wireless Session Protocol. It indicates the pack
Packet Extended post methods, status codes, and PDU types. WAP uses
Counter carrier.

WIRESHARK DECRYPTION

The decryption process is used for the data to be in a readable format.

Below are the steps for the decryption process.
o Open the Wireshark and then select the particular interface as
explained above.
o Go to the 'Edit' option and select the 'Preferences' option.
o A dialogue will appear as shown below:

o Select the 'Protocol' option in the left column.

o From the drop-down list, select the 'IEEE 802.11' option. Check the
box of decryption and click on the Edit option under it.
o A box will appear. Click on the option shown below:

o Select the option wpa-pwd and set the password accordingly.

o The data will be decrypted.
o But the above decryption process is only possible if there is a
proper handshake.