Wireshark
- KevinsinghJ
- Feb 15
- 4 min read
Wireshark is an open source network analyzer that captures and displays real-time network traffic. It provides an in-depth view of all ongoing network activity, which makes it very useful for troubleshooting network issues and for ensuring network security.
Its main uses are network troubleshooting, security analysis, protocol analysis and performance analysis.
Below are some screenshots from my short walkthrough of the tool:
First, upon launching the app, you'll be shown an option to choose the network adapter you'd like to analyze. In this case, I'll be choosing eth0 (the curve shown next to it is the ongoing traffic).

All the packets captured here are from a YouTube video I played; we can click on whichever packet we would like to analyze.

Next is filtering, where users usually have two options: capture filters or display filters.
a) Capture filters are set before capturing starts; only the packets that meet your criteria are captured and everything else is discarded, so non-matching packets never end up in the file.

b) Display filters: with this method, you capture all the packets from the ongoing traffic and then filter the display down to the packets you want, while the full capture stays available.

Example 3.b(1): the result shown is for the display filter dns, which shows only the DNS packets.

Example 3.b(2): the result shown is for a logical filter combining two criteria; a packet is shown only if it is tcp and involves the specified host.
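As an added illustration (not from the original post), here is how the two display filters above, plus the UDP port 443 match used later for the coloring rule, behave when written as predicates over decoded packets. The frames and the host address 203.0.113.5 are constructed for the example.

```python
import struct
from ipaddress import IPv4Address

# Constructed sample frames (Ethernet II + IPv4 + UDP/TCP), not a real capture.
def build_frame(proto, src, dst, sport, dport, payload=b""):
    """Return raw bytes of a minimal IPv4 frame. proto: 6 = TCP, 17 = UDP."""
    if proto == 17:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    else:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 0xFFFF, 0, 0)
    total = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")  # dst MAC, src MAC, IPv4
    return eth + ip + l4 + payload

def decode(frame):
    """Extract the fields the post's display filters test (ip.addr, tcp, udp, ports)."""
    if frame[12:14] != b"\x08\x00":
        return None                                   # not IPv4; skipped in this demo
    ihl = (frame[14] & 0x0F) * 4                      # IPv4 header length in bytes
    l4 = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    return {"proto": {6: "tcp", 17: "udp"}.get(frame[23], "other"),
            "src": str(IPv4Address(frame[26:30])), "dst": str(IPv4Address(frame[30:34])),
            "sport": sport, "dport": dport, "len": len(frame)}

HOST = "203.0.113.5"  # constructed "specified host" (TEST-NET-3 documentation range)

# The post's display filters, written as Python predicates over a decoded packet.
FILTERS = {
    "dns": lambda p: p["proto"] in ("udp", "tcp") and 53 in (p["sport"], p["dport"]),
    f"tcp && ip.addr == {HOST}": lambda p: p["proto"] == "tcp" and HOST in (p["src"], p["dst"]),
    "udp.port == 443": lambda p: p["proto"] == "udp" and 443 in (p["sport"], p["dport"]),
}

def apply_filter(frames, expr):
    """Display-filter semantics: everything was captured; keep only packets matching expr."""
    return [p for p in map(decode, frames) if p and FILTERS[expr](p)]

# Constructed capture: a DNS query, a UDP/443 (QUIC-style) datagram, a TCP exchange
# with HOST, and an unrelated HTTP packet to another address.
CAPTURE = [
    build_frame(17, "192.168.1.10", "192.168.1.1", 51000, 53, b"\x12\x34"),
    build_frame(17, "192.168.1.10", HOST, 51001, 443, b"\x00" * 20),
    build_frame(6, "192.168.1.10", HOST, 51002, 443),
    build_frame(6, HOST, "192.168.1.10", 443, 51002),
    build_frame(6, "192.168.1.10", "198.51.100.7", 51003, 80),
]
```

Calling apply_filter(CAPTURE, expr) for each key of FILTERS gives 1, 2 and 1 matching packets respectively out of the 5 captured.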
To save the captured packets for future analysis or sharing, simply click on File → Save As. By default they are saved in pcapng format, but you'll also have other format options depending on your needs.

The highlighted part below is the packet bytes pane, which reveals the actual data within the packet. It shows the hexadecimal bytes and their corresponding ASCII values. This is how you can decode a message as it travels through the network and reveal the information carried in the payload (for unencrypted traffic, where those bytes are readable).

Wireshark also supports coloring rules, which are a powerful tool for improving visualization and analysis. To create such a rule, simply click on View → Coloring Rules and then the + icon. In this example, I created a rule whereby any packet on UDP port 443 is shown in brown.

The result of the rule is shown below: the specified packets appear in brown.

Wireshark also lets us have multiple profiles, and each profile can hold its own settings such as time format, protocols, column preferences, coloring rules and more. To add a new profile, simply right-click on the profile name at the bottom right and choose “New”. Name it as you wish and customize it as you want.

In the following few screenshots, I'll be discussing a little about the Statistics option that's available in Wireshark. It has many sub-categories, but I'll just be explaining a few of them. Statistics summarize the packets and protocols captured.
a. Capture File Properties


There's plenty of info in this section about the capture. First is the FILE information: where the file is located, how big it is, and unique hashes to identify the file.
The TIME aspect shows when the first and last packets were captured, and the elapsed time tells us how long the capture lasted. Next, the CAPTURE section shows the hardware used, its operating system and the software used to capture the data.
INTERFACES shows us the specifics of how the data was captured: the network interface used, whether any packets were dropped, whether any capture filter was used, the link type and the maximum packet size captured. Lastly, STATISTICS is where the most important information is displayed. It tells us how many packets were captured in total, how many were displayed or analyzed, the duration of the capture, the average number of packets per second, the average packet size, the total number of bytes captured, etc.
b. Resolved Addresses
This refers to the process of converting IP or MAC addresses into human-readable names. This conversion is done using protocols like DNS for IP addresses and ARP for MAC addresses. It's a very helpful feature when we're trying to identify and locate devices, servers or websites based on their network addresses. In the screenshot below, we can see an IP address resolved to the name google.com.

c. Packet Lengths
Packet length refers to the size of the individual packets captured during network analysis, so we get to know how much data is contained within each packet. Understanding packet lengths is important for several reasons: it helps us monitor network performance, and it also helps in identifying potential security threats.
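The STATISTICS rows of Capture File Properties above and the Packet Lengths buckets here can be reproduced directly from a pcapng file. This added example (not from the post or from Wireshark) writes a minimal pcapng file from constructed frames, walks its blocks, and computes the same numbers; the size buckets are assumed to match the dialog's defaults.

```python
import struct
from bisect import bisect_right

def _block(btype, body):  # pcapng framing: type, total length, body, total length again
    total = 12 + len(body)
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

def write_pcapng(packets):
    """Minimal little-endian pcapng: SHB, one Ethernet IDB, one EPB per (timestamp_us, bytes)."""
    shb = _block(0x0A0D0D0A, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))  # magic, v1.0
    idb = _block(1, struct.pack("<HHI", 1, 0, 65535))  # linktype 1 = Ethernet, snaplen
    out = shb + idb
    for ts, data in packets:
        hdr = struct.pack("<IIIII", 0, ts >> 32, ts & 0xFFFFFFFF, len(data), len(data))
        out += _block(6, hdr + data + b"\x00" * ((-len(data)) % 4))  # pad to 32 bits
    return out

def read_pcapng(buf):
    """Walk the block chain and yield (timestamp_us, captured_len) for every EPB (type 6)."""
    pos = 0
    while pos + 8 <= len(buf):
        btype, total = struct.unpack_from("<II", buf, pos)
        if total < 12 or pos + total > len(buf):
            raise ValueError(f"corrupt block length at offset {pos}")
        if btype == 6:
            _iface, hi, lo, caplen, _origlen = struct.unpack_from("<IIIII", buf, pos + 8)
            yield (hi << 32) | lo, caplen
        pos += total

def capture_statistics(buf):
    """The STATISTICS rows of Capture File Properties: count, bytes, duration, averages."""
    pkts = list(read_pcapng(buf))
    duration = (pkts[-1][0] - pkts[0][0]) / 1e6  # default timestamp resolution is 1 us
    total_bytes = sum(caplen for _, caplen in pkts)
    return {"packets": len(pkts), "bytes": total_bytes, "duration_s": duration,
            "avg_pps": len(pkts) / duration if duration else None,
            "avg_size": total_bytes / len(pkts)}

def packet_lengths(buf):
    """Bucket captured sizes into the ranges the Packet Lengths dialog uses (assumed defaults)."""
    edges = (0, 20, 40, 80, 160, 320, 640, 1280, 2560, 5120)
    counts = {}
    for _, caplen in read_pcapng(buf):
        i = bisect_right(edges, caplen) - 1
        label = f"{edges[i]}-{edges[i + 1] - 1}" if i + 1 < len(edges) else f"{edges[i]}+"
        counts[label] = counts.get(label, 0) + 1
    return counts
# Constructed capture: four frames over two seconds (timestamps in microseconds).
SAMPLE = write_pcapng([(0, b"\xaa" * 60), (500_000, b"\xbb" * 74),
                       (1_000_000, b"\xcc" * 1514), (2_000_000, b"\xdd" * 42)])
```

capture_statistics(SAMPLE) reports 4 packets, 1690 bytes, 2.0 s, 2.0 packets/s and an average size of 422.5 bytes, and packet_lengths(SAMPLE) puts three frames in 40-79 and one in 1280-2559.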

d. I/O Graphs
It basically helps us see the busy and slow times in the network traffic, which is very helpful when fixing a network issue. It shows time on the horizontal axis and the number of packets per tick on the vertical axis. We can even customize it to graph only the traffic of the protocol we'd like to see.

Final Thoughts
Wireshark is basically a very powerful tool that can help us monitor our network and diagnose any issues in it; with all the features that Wireshark has, we should be able to get it done pretty smoothly.