How To Use Wireshark To Capture, Filter And Inspect Packets

If you have just entered the field of network administration, you will want to learn about tools that can analyze your network traffic efficiently. Whether you are monitoring a home or an office network, a network analyzer is indispensable.

One such valuable tool is Wireshark, a network protocol analyzer that captures live traffic and offers several tools for analyzing, examining, and filtering the data exchanged in packets. In this article, you will learn to use Wireshark to keep an eye on your network. It is assumed that you have a basic knowledge of how networks function, including TCP.

What is Wireshark?

Formerly called Ethereal, Wireshark is a network analysis tool that captures live packets and presents them to the administrator in a human-readable format. Its support for countless protocols across several types of networks allows a network administrator to troubleshoot network issues, detect unwanted or risky traffic, and monitor network performance.

Another advantage of this software is that it runs on several platforms, ranging from Windows to Solaris. Let's now see how to download Wireshark before we look at how it helps in capturing packets, filtering them, and inspecting a malicious program's traffic.

How to Download and Install Wireshark?

To download this network analyzer for Windows or OS X, you need to visit the URL. If you are a Linux user, check your distribution's package repositories for the tool. For example, Ubuntu users will find the tool in the Ubuntu Software Center. Once you find the right version, download and install it just like any other software.

How to Capture Packets?

Launch the installed tool and click the desired interface name in the Interface List to capture packets on that particular network interface. For instance, to capture packets on a wireless network, click the wireless interface.

After you click the interface, the packets sent from or to your system are displayed in real time, along with details such as time, protocol, and length. If promiscuous mode is turned on in the capture options while capturing packets on a wireless interface, other packets on the network will also be visible.

You will see the packets in green, black, and blue, because Wireshark uses a color-coding system to indicate the traffic type. Green stands for TCP traffic, while light blue indicates UDP traffic. Dark blue is for DNS packets, while black means TCP packets with issues such as out-of-order delivery. To stop capturing, click the stop capture icon on the toolbar.

How to Filter Packets?

Normally, while inspecting traffic, you would close all other apps that use the network in order to narrow the traffic down. However, the truth is that many packets are still left to sift through. This is where the filters of Wireshark help! To apply a filter, enter the filter name into the Filter box located at the top of the window.

While typing, you will find the autocomplete feature at your service. For instance, you can enter tcp to see only TCP packets. If you want to apply a new filter, you can create it by selecting the Analyze --> Display Filters option.

Interestingly, you can view a whole conversation by right-clicking a packet and selecting the Follow TCP Stream option. When you close the stream window, you will find that a filter has been applied automatically, so only the packets involved in that conversation are shown.
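To make concrete what the filter box and the Follow TCP Stream option described above do to a capture, here is an added Python example (not from the original article and not Wireshark's own code). It parses a constructed three-packet pcap; the function names, addresses, and ports are assumptions made for illustration.

```python
import struct, socket

def build_sample_pcap():
    """Constructed sample capture: one TCP conversation (2 packets) plus one UDP packet."""
    def frame(proto, src, dst, sport, dport, payload):
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
        udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
        l4 = (tcp if proto == 6 else udp) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        return b"\x00" * 12 + b"\x08\x00" + ip + l4   # Ethernet: zero MACs, type IPv4
    frames = [frame(6, "10.0.0.5", "10.0.0.9", 40000, 80, b"GET / HTTP/1.1\r\n\r\n"),
              frame(17, "10.0.0.5", "10.0.0.1", 53000, 53, b"\x00" * 12),
              frame(6, "10.0.0.9", "10.0.0.5", 80, 40000, b"HTTP/1.1 200 OK\r\n\r\n")]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # pcap global header
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out

def parse(pcap):
    """Yield one summary dict per IPv4 TCP/UDP packet in a little-endian pcap file."""
    assert struct.unpack_from("<I", pcap)[0] == 0xA1B2C3D4, "not a little-endian pcap"
    off, no = 24, 0
    while off + 16 <= len(pcap):
        ts, _, caplen, length = struct.unpack_from("<IIII", pcap, off)
        data, off, no = pcap[off + 16: off + 16 + caplen], off + 16 + caplen, no + 1
        if len(data) < 34 or data[12:14] != b"\x08\x00":
            continue                                  # truncated or not IPv4
        proto = {6: "tcp", 17: "udp"}.get(data[23])
        l4 = data[14 + (data[14] & 0x0F) * 4:]        # skip the IP header (IHL words)
        if proto is None or len(l4) < (20 if proto == "tcp" else 8):
            continue
        sport, dport = struct.unpack_from("!HH", l4)
        hdr = (l4[12] >> 4) * 4 if proto == "tcp" else 8
        yield {"no": no, "time": ts, "proto": proto, "length": length,
               "src": (socket.inet_ntoa(data[26:30]), sport),
               "dst": (socket.inet_ntoa(data[30:34]), dport), "payload": l4[hdr:]}

def display_filter(packets, proto):   # like typing tcp into the Filter box
    return [p for p in packets if p["proto"] == proto]

def follow_stream(packets, chosen):
    """Keep packets between the chosen packet's two endpoints, in either direction."""
    ends = {chosen["src"], chosen["dst"]}
    return [p for p in packets if p["proto"] == chosen["proto"] and {p["src"], p["dst"]} == ends]

if __name__ == "__main__":
    pkts = list(parse(build_sample_pcap()))
    for p in follow_stream(pkts, display_filter(pkts, "tcp")[0]):
        print(p["no"], p["time"], p["proto"], p["length"], p["src"], "->", p["dst"], p["payload"])
```

The stream is matched on the pair of IP address and port endpoints regardless of direction, which is why both the request and the reply stay visible while the unrelated UDP packet disappears.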

How to Inspect Packets?

To inspect means to dig into a packet for its details. In Wireshark, you can do so simply by clicking a packet.