Advanced Assignment

advanced networking assignment

Uploaded by

debelaberako2

Introduction

1.1 What is Wireshark?


Wireshark is a network packet analyzer. A network packet analyzer presents captured packet data in as much detail as possible.
➢ It is a powerful network protocol analyzer tool that allows users to capture,
analyze, and troubleshoot network traffic.
➢ It is one of the most widely used network analysis tools in the industry.
➢ It is a widely used tool among network administrators, security professionals,
and developers who need to understand and troubleshoot network-related
issues.
➢ Its comprehensive feature set and powerful analysis capabilities make it an
indispensable tool for anyone working with network technologies.
You could think of a network packet analyzer as a measuring device for examining
what’s happening inside a network cable, just like an electrician uses a voltmeter for
examining what’s happening inside an electric cable (but at a higher level, of course).
1.1.1. Some intended purposes
Here are some reasons people use Wireshark:
 Network administrators use it to troubleshoot network problems
 Network security engineers use it to examine security problems
 QA engineers use it to verify network applications
 Developers use it to debug protocol implementations
 People use it to learn network protocol internals
Wireshark can also be helpful in many other situations.

1.1.2. Features
The following are some of the many features Wireshark provides:
 Available for UNIX and Windows.
 Capture live packet data from a network interface.
 Open files containing packet data captured with tcpdump/WinDump, Wireshark, and many
other packet capture programs.
 Import packets from text files containing hex dumps of packet data.
 Display packets with very detailed protocol information.
 Save packet data captured.
 Export some or all packets in a number of capture file formats.
 Filter packets on many criteria.
 Search for packets on many criteria.
 Colorize packet display based on filters.
 Create various statistics.
Figure 1.1. Wireshark captures packets and lets you examine their contents.

1.1.3 Live capture from many different network media


Wireshark can capture traffic from many different network media types, including Ethernet, Wireless LAN, Bluetooth, USB, and more.
The specific media types supported may be limited by several factors, including your
hardware and operating system.
The Wireshark capture engine provides the following features:
• Capture from different kinds of network hardware such as Ethernet or 802.11.
• Simultaneously capture from multiple network interfaces.
• Stop the capture on different triggers such as the amount of captured data, elapsed
time, or the number of packets.
• Simultaneously show decoded packets while Wireshark is capturing.
• Filter packets, reducing the amount of data to be captured. See Filtering while capturing.
• Save packets in multiple files while doing a long-term capture, optionally rotating through a fixed number of files (a “ringbuffer”). See Capture files and file modes.
The capture engine still lacks the following features:
• Stop capturing (or perform some other action) depending on the captured data.
Prerequisites
Setting up Wireshark to capture packets for the first time can be tricky.
Here are some common pitfalls:
• You may need special privileges to start a live capture.
• You need to choose the right network interface to capture packet data from.
• You need to capture at the right place in the network to see the traffic you want to see.
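The first pitfall above, capture privileges, is worth checking before the first capture rather than discovering it from an empty interface list. The script below is an added example (it is not part of the assignment text or of Wireshark itself) that reproduces the reasoning on Linux: Wireshark's GUI does not capture on its own but runs the separate dumpcap helper, so the question reduces to whether you are root, or whether dumpcap carries the cap_net_raw/cap_net_admin file capabilities and you are allowed to execute it. The `getcap` output styles, the `dumpcap` path lookup and the group name `wireshark` are assumptions that depend on the distribution's packaging.

```python
"""Check whether the current user can start a live capture on Linux.

Added example; not code from the assignment or from Wireshark. The GUI does
not capture by itself: it runs the dumpcap helper, so "do I have capture
privileges?" reduces to (a) am I root, or (b) does dumpcap carry the
cap_net_raw/cap_net_admin file capabilities and am I allowed to execute it.
Assumptions, all distribution dependent: dumpcap is on PATH, its capabilities
are visible through getcap, and packaging restricts it to a "wireshark" group.
"""
import grp
import os
import re
import shutil
import stat
import subprocess

# One clause of getcap output, in either libcap style:
#   /usr/bin/dumpcap cap_net_admin,cap_net_raw=eip      (older libcap)
#   /usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip    (libcap 2.41 and later)
CAP_CLAUSE = re.compile(r"([a-z_,]+)[=+]([eip]+)")


def parse_getcap(line):
    """Map each capability name in a getcap line to its flag letters (e/i/p)."""
    caps = {}
    for names, flags in CAP_CLAUSE.findall(line):
        for name in names.split(","):
            caps[name] = set(flags)
    return caps


def capture_verdict(euid, user_groups, getcap_line, binary_group, binary_mode):
    """Decide whether a live capture should work; returns (ok, reason)."""
    if euid == 0:
        return True, "running as root: capture works, but the whole analyzer runs privileged"
    raw = parse_getcap(getcap_line).get("cap_net_raw", set())
    if not {"e", "p"} <= raw:
        return False, "dumpcap has no effective cap_net_raw, so it cannot open an interface without root"
    world_exec = bool(binary_mode & stat.S_IXOTH)
    group_exec = bool(binary_mode & stat.S_IXGRP)
    if not world_exec and not (group_exec and binary_group in user_groups):
        return False, "dumpcap is restricted to group %r; add the user to it and log in again" % binary_group
    return True, "unprivileged capture through dumpcap (only the helper holds cap_net_raw)"


def inspect_local_system():
    """Gather the real values from this host and hand them to capture_verdict."""
    path = shutil.which("dumpcap")          # assumed: helper is on PATH
    if path is None:
        return False, "dumpcap not found on PATH"
    st = os.stat(path)
    try:
        getcap_line = subprocess.run(["getcap", path], capture_output=True, text=True).stdout
    except FileNotFoundError:               # libcap tools not installed
        getcap_line = ""

    def gname(gid):
        try:
            return grp.getgrgid(gid).gr_name
        except KeyError:
            return str(gid)

    user_groups = {gname(g) for g in os.getgroups()}
    return capture_verdict(os.geteuid(), user_groups, getcap_line, gname(st.st_gid), st.st_mode)


if __name__ == "__main__":
    ok, reason = inspect_local_system()
    print("live capture possible:", ok, "-", reason)
```

The design point is least privilege: the verdict distinguishes "works because you are root" from "works because only the small dumpcap helper holds the capability", and the second is the state you want on a workstation, since the GUI and its hundreds of dissectors then parse untrusted traffic without elevated rights.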
1.1.4 User Interface
Wireshark’s main window consists of parts that are commonly known from many other GUI programs.
➢ The menu is used to start actions.
➢ The main toolbar provides quick access to frequently used items from the
menu.
➢ The filter toolbar allows users to set display filters to filter which packets are
displayed.
➢ The packet list pane displays a summary of each packet captured. By clicking
on packets in this pane you control what is displayed in the other two panes.
➢ The packet details pane displays the packet selected in the packet list pane in
more detail.
➢ The packet bytes pane displays the data from the packet selected in the packet
list pane, and highlights the field selected in the packet details pane.
➢ The packet diagram pane displays the packet selected in the packet list as a
textbook-style diagram.
➢ The statusbar shows some detailed information about the current program state
and the captured data.
The File menu provides options to open, save, and manage capture files. Users can
open existing capture files, merge multiple files, export selected packets, and print
packet information.
The Edit menu allows users to perform various editing tasks, such as copying packet data, finding
packets, marking/unmarking packets, and accessing the software's preferences.
The View menu controls the layout and appearance of the Wireshark interface, enabling users to
customize the display of packet data, including the packet list, packet details, and packet bytes
panes.
The Go menu facilitates navigation through the captured packets, allowing users to jump to specific
packets, move between packets, and go to the first or last packet in the capture.
The Capture menu provides access to network interface configuration, capture options, and the
ability to start, stop, and restart packet captures.
The Analyze menu offers tools for applying display filters, decoding protocols, and analyzing
expert information, TCP/UDP streams, and other protocol-specific data.
The Statistics menu presents a wide range of statistical and analytical reports, covering protocol
hierarchies, conversations, endpoints, and various protocol-specific metrics.
The Telephony menu contains options for analyzing Voice over IP (VoIP) and other telephony-
related protocols, such as SIP, ISUP, and MGCP.
The Tools menu provides access to additional utilities, scripts, and user guides to enhance
Wireshark's functionality and user experience.
The Wireless menu offers specialized tools for analyzing wireless network traffic, including WLAN
statistics, frame charts, and security analysis.
The Help menu gives access to the software's documentation, online resources, and information
about the Wireshark application.

1.1.5 Import files from many other capture programs


Wireshark can open packet captures from a large number of capture programs.
For a list of input formats see Input File Formats.
The native capture file formats used by Wireshark are:
• pcap. The default format used by the libpcap packet capture library. Used by tcpdump, Snort, Nmap, Ntop, and many other tools.
• pcapng. A flexible, extensible successor to the pcap format. Wireshark 1.8 and later save files as pcapng by default. Versions prior to 1.8 used pcap. Used by Wireshark and by tcpdump in newer versions of macOS.
The following file formats from other capture tools can be opened by Wireshark:
• Oracle (previously Sun) snoop and atmsnoop captures
• Finisar (previously Shomiti) Surveyor captures
• Microsoft Network Monitor captures
• Novell LANalyzer captures
• AIX iptrace captures
• Cinco Networks NetXray captures
• NETSCOUT (previously Network Associates/Network General) Windows-based Sniffer and Sniffer Pro captures
• Visual Networks’ Visual UpTime traffic capture
• Linux Bluez Bluetooth stack hcidump -w traces
• Apple PacketLogger captures
• Android Logcat binary and text format logs
1.1.6 Export files for many other capture programs
Wireshark can save captured packets in many formats, including those used by other
capture programs.
Output File Formats
Wireshark can save the packet data in its native file format (pcapng) and in the file
formats of other
protocol analyzers so other tools can read the capture data.
NOTE
Saving in a different format might lose data
Saving your file in a different format might lose information such as comments,
name resolution, and time stamp resolution. See Time Stamps for more information
on time stamps.
The following file formats can be saved by Wireshark (with the known file extensions):
• pcapng (*.pcapng). A flexible, extensible successor to the libpcap format. Wireshark 1.8 and later save files as pcapng by default. Versions prior to 1.8 used libpcap.
• pcap (*.pcap). The default format used by the libpcap packet capture library. Used by tcpdump, Snort, Nmap, Ntop, and many other tools.
• Microsoft Network Monitor - NetMon (*.cap)
• Network Associates Sniffer - DOS (*.cap,*.enc,*.trc,*.fdc,*.syc)
• Cinco Networks NetXray captures (*.cap)
• Network Associates Sniffer - Windows (*.cap)
• Network Instruments/Viavi Observer (*.bfr)
• Novell LANalyzer (*.tr1)
• Oracle (previously Sun) snoop (*.snoop,*.cap)
• Visual Networks Visual UpTime traffic (*.*)
• Symbian OS btsnoop captures (*.log)
• Tamosoft CommView captures (*.ncf)
• Catapult (now Ixia/Keysight) DCT2000 .out files (*.out)
• Endace Measurement Systems’ ERF format capture (*.erf)
• EyeSDN USB S0 traces (*.trc)
• Tektronix K12 text file format captures (*.txt)
• Tektronix K12xx 32bit .rf5 format captures (*.rf5)
• Android Logcat binary logs (*.logcat)
• Android Logcat text logs (*.*)
• Citrix NetScaler Trace files (*.cap)
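The two native formats named in 1.1.5 and the note above about losing time stamp resolution are easiest to understand from the bytes. The script below is an added example, not code from the assignment or from the Wireshark project: it writes and parses the classic pcap layout (a 24-byte global header, then a 16-byte record header before every packet), detects byte order and nanosecond versus microsecond magic, refuses record lengths that point outside the file, and shows exactly how many nanoseconds are lost when a nanosecond capture is saved as a microsecond pcap. All frames and time stamps are constructed; `MAX_INCL_LEN` is an assumed sanity bound (Wireshark's default snapshot length).

```python
"""Reader and writer for the classic libpcap capture file format.

Added example; this is not code from the assignment above or from the
Wireshark project. It walks the pcap layout the text describes (global
header, then one record header per packet) and demonstrates the note that
saving a capture in a format with coarser time stamp resolution loses
information. Every frame and time stamp below is constructed.
"""
import struct

# Magic numbers of the classic format. A reader learns the file's byte order
# from which way round the magic appears; the second value (libpcap 1.5+)
# marks nanosecond instead of microsecond time stamps.
MAGIC_USEC = 0xA1B2C3D4
MAGIC_NSEC = 0xA1B23C4D
LINKTYPE_ETHERNET = 1
GLOBAL_HEADER = "IHHiIII"   # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HEADER = "IIII"      # ts_sec, ts_frac, incl_len, orig_len
NS_PER_S = 1_000_000_000
MAX_INCL_LEN = 262144       # assumed sanity bound; Wireshark's default snapshot length


def write_pcap(packets, linktype=LINKTYPE_ETHERNET, nsec=True, snaplen=262144, byteorder="<"):
    """Serialise (timestamp_ns, frame_bytes) pairs into a pcap byte string."""
    magic = MAGIC_NSEC if nsec else MAGIC_USEC
    out = [struct.pack(byteorder + GLOBAL_HEADER, magic, 2, 4, 0, 0, snaplen, linktype)]
    for ts_ns, frame in packets:
        ts_sec, rem = divmod(ts_ns, NS_PER_S)
        # A microsecond file can only store rem // 1000: the last three digits
        # of a nanosecond time stamp are silently dropped here.
        ts_frac = rem if nsec else rem // 1000
        captured = frame[:snaplen]              # snaplen truncates long frames
        out.append(struct.pack(byteorder + RECORD_HEADER, ts_sec, ts_frac, len(captured), len(frame)))
        out.append(captured)
    return b"".join(out)


def read_pcap(data):
    """Parse a pcap byte string; reject headers that point outside the file."""
    if len(data) < 24:
        raise ValueError("truncated global header")
    le, be = struct.unpack("<I", data[:4])[0], struct.unpack(">I", data[:4])[0]
    if le in (MAGIC_USEC, MAGIC_NSEC):
        byteorder, magic = "<", le
    elif be in (MAGIC_USEC, MAGIC_NSEC):
        byteorder, magic = ">", be
    else:
        raise ValueError("not a classic pcap file (pcapng starts with a block type, not this magic)")
    _, major, minor, _tz, _sig, snaplen, linktype = struct.unpack(byteorder + GLOBAL_HEADER, data[:24])
    if (major, minor) != (2, 4):
        raise ValueError("unsupported pcap version %d.%d" % (major, minor))
    nsec = magic == MAGIC_NSEC
    packets, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(byteorder + RECORD_HEADER, data[off:off + 16])
        off += 16
        # Length fields come from the file, so validate them before slicing:
        # a parser that trusts them is the classic source of capture-file bugs.
        if incl_len > MAX_INCL_LEN or incl_len > orig_len or off + incl_len > len(data):
            raise ValueError("bad record length at offset %d" % (off - 16))
        packets.append({
            "ts_ns": ts_sec * NS_PER_S + (ts_frac if nsec else ts_frac * 1000),
            "orig_len": orig_len,
            "data": data[off:off + incl_len],
        })
        off += incl_len
    return {"linktype": linktype, "nsec": nsec, "snaplen": snaplen, "packets": packets}


def resolution_loss_ns(packets):
    """Round-trip through a microsecond pcap; return the per-packet error in ns."""
    back = read_pcap(write_pcap(packets, nsec=False))
    return [ts_ns - rec["ts_ns"] for (ts_ns, _), rec in zip(packets, back["packets"])]


# Constructed sample: two Ethernet frames (broadcast ARP-shaped, then IPv4-shaped)
# with nanosecond time stamps 1212 ns apart.
SAMPLE_PACKETS = [
    (1_700_000_000_123_456_789, bytes.fromhex("ffffffffffff 0242ac110002 0806") + bytes(28)),
    (1_700_000_000_123_458_001, bytes.fromhex("0242ac110001 0242ac110002 0800") + bytes(46)),
]

if __name__ == "__main__":
    cap = read_pcap(write_pcap(SAMPLE_PACKETS))
    print("nanosecond file:", len(cap["packets"]), "packets, linktype", cap["linktype"])
    print("error after saving as microsecond pcap:", resolution_loss_ns(SAMPLE_PACKETS), "ns")
```

Two things the prose alone does not show: the loss is not uniform (the sample packets lose 789 ns and 1 ns respectively, so sub-microsecond ordering between packets can change), and a reader must bound `incl_len` against both `orig_len` and the remaining file before slicing, because those fields are untrusted input exactly like the packets they describe.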
1.1.7 Many protocol dissectors
There are protocol dissectors (or decoders, as they are known in other products) for a great many protocols.
1.1.8 Open Source Software
Wireshark is an open source software project, and is released under the GNU General Public License (GPL).
You can freely use Wireshark on any number of computers you like, without worrying about license keys or fees or such.
In addition, all source code is freely available under the GPL. Because of that, it is
very easy for people to add new protocols to Wireshark, either as plugins, or built into
the source, and they often do!

1.1.9 What Wireshark is not


Here are some things Wireshark does not provide:
• Wireshark isn’t an intrusion detection system. It will not warn you when someone
does strange things on your network that he/she isn’t allowed to do.
However, if strange things happen, Wireshark might help you figure out what is
really going on.
• Wireshark will not manipulate things on the network, it will only “measure” things
from it.
Wireshark doesn’t send packets on the network or do other active things (except domain name resolution, but that can be disabled).

1.2 System Requirements


The amount of resources Wireshark needs depends on your environment and on the
size of the capture file you are analyzing.
The values below should be fine for small to medium-sized capture files no more
than a few hundred MB.
Larger capture files will require more memory and disk space.
NOTE
Busy networks mean large captures
A busy network can produce huge capture files. Capturing on even a 100 megabit
network can produce hundreds of megabytes of capture data in a short time. A
computer with a fast processor, and lots of memory and disk space is always a good
idea.
Although Wireshark uses a separate process to capture packets, the packet analysis is
single threaded and won’t benefit much from multi-core systems.
Microsoft Windows
Wireshark should support any version of Windows that is still within its extended
support lifetime.
At the time of writing this includes Windows 11, 10, Server 2022, Server 2019, and
Server 2016.
It also requires the following:
• The Universal C Runtime. This is included with Windows 10 and Windows Server
2019 and is installed automatically on earlier versions if Microsoft Windows Update
is enabled. Otherwise you must install KB2999226 or KB3118401.
• Any modern 64-bit Intel or Arm processor.
• 500 MB available RAM. Larger capture files require more RAM.
• 500 MB available disk space. Capture files require additional disk space.
• Any modern display. 1280 × 1024 or higher resolution is recommended.
Wireshark will make use of HiDPI or Retina resolutions if available. Power users will
find multiple monitors useful.
• A supported network card for capturing
◦ Ethernet. Any card supported by Windows should work. See the wiki pages on
Ethernet capture and offloading for issues that may affect your environment.
◦ 802.11. See the Wireshark wiki page. Capturing raw 802.11 information may be
difficult without special equipment.
◦ Other media.
macOS
Wireshark supports macOS 10.14 and later. Similar to Windows, supported macOS
versions depend on third party libraries and on Apple’s requirements.
Apple Silicon hardware is supported natively starting with version 4.0.
• Wireshark 3.6 was the last release branch to support macOS 10.13.
• Wireshark 3.4 was the last release branch to support macOS 10.12.
• Wireshark 2.6 was the last release branch to support Mac OS X 10.6 and 10.7 and
OS X 10.8 to 10.11.
• Wireshark 2.0 was the last release branch to support OS X on 32-bit Intel.
• Wireshark 1.8 was the last release branch to support Mac OS X on PowerPC.
The system requirements should be comparable to the specifications listed above for
Windows.
UNIX, Linux, and BSD
Wireshark runs on most UNIX and UNIX-like platforms including Linux and most BSD variants. The system requirements should be comparable to the specifications listed above for Windows.
Binary packages are available for most Unices and Linux distributions including the following platforms:
• Alpine Linux
• Arch Linux
• Canonical Ubuntu
• Debian GNU/Linux
• FreeBSD
• Gentoo Linux
• HP-UX
• NetBSD
• OpenPKG
• Oracle Solaris
• Red Hat Enterprise Linux / CentOS / Fedora
If a binary package is not available for your platform you can download the source and try to build it.
