By: Dr. Michael J. Garbade
August 5, 2019
How to Use the Wireshark Cyber Security Tool
Wireshark is a popular network protocol analyzer that gives you visibility into the live data on a network. It is a free and open-source tool that runs on multiple platforms. JPolansky[1], a U.S.-based cybersecurity educator with extensive teaching experience, says that “adding Wireshark skills to your cyber security toolkit can assist in taking your career to the next level."
What is Wireshark used for?
At its core, this tool was developed to peer into the data packets traveling across networks. Wireshark lets you inspect the details of network traffic and make informed decisions to keep the network healthy. Without a packet analyzer (also called a packet sniffer) like Wireshark, it can be challenging to understand the communication exchanged on a network. Here are some common uses of Wireshark:
- Capturing real-time network data
- Importing data packets from text files
- Examining data packets and their protocol details
- Displaying, filtering, and searching data packets
- Colorizing data packets
- Troubleshooting network problems
- Generating statistics
How to use Wireshark to sniff network traffic
Wireshark for Windows or macOS can be downloaded from its official website[2]. If you run Linux or another UNIX-like platform, you can get the tool from your distribution's package repositories. For instance, Wireshark is available in the Ubuntu Software Center. It is also included in Kali Linux[3], the cybersecurity-focused distribution.

After installing and launching Wireshark, you’ll be presented with the window shown below, which lists the available network interfaces.

You can start capturing by double-clicking the name of the applicable network interface under Capture. For this Wireshark tutorial example, we’ll double-click “any” to capture live packets on every interface. Wireshark then opens a new screen that displays the packets being exchanged on the network in real time.

The top pane lists every captured packet with summary details taken from its headers. The Time column shows how much time has elapsed since the start of the capture. You can also see the source and destination IP address of each packet, the protocol used, and other helpful information. To learn more about any packet, click its row and additional details will be displayed.

The middle pane shows the details of the packet selected in the top pane: the protocols in use, the port numbers used to transmit the packet, and other useful fields.

Lastly, the bottom pane is a hexadecimal dump of the raw bytes of the packet under investigation. If you highlight any bytes in this output, the corresponding field in the middle pane is highlighted as well, telling you what those bytes mean. Here is an example:

As you can see above, the highlighted bytes hold the destination IP address of the packet.

If you want to get the most out of Wireshark, you can configure advanced options.
For example, on the Capture menu, select “Options”. The Wireshark Capture Interfaces window will then pop up, as shown below:

The Input tab lists the network interfaces you can select to sniff. Note that the Enable promiscuous mode checkbox is checked by default. Enabling it allows your adapter to accept every packet it sees on the wire, not only the packets addressed to it (on a switched network, that means whatever traffic the switch actually delivers to your port). The Output tab lets you specify the file to which captured packets are written. It also provides choices for creating a sequence of files, such as a ring buffer of a fixed number of files. Lastly, the Options tab provides options for displaying packets, for name resolution, and for automatically stopping the capture. You can also save your packet captures in Wireshark and retrieve them later: under the File menu, click “Save” to complete the saving process.
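To make concrete what the middle and bottom panes show, here is an added example (not code from the original article or from the Wireshark project) that dissects a constructed Ethernet/IPv4/UDP frame the way a Wireshark dissector does, reporting each field together with the byte offset it occupies, so that a highlighted byte range in the hex dump can be mapped back to a field such as the destination IP address. The frame bytes are constructed test data, and the field names are assumptions modelled on Wireshark's display-filter names.

```python
import struct
from ipaddress import IPv4Address

# Constructed sample frame (not a real capture): Ethernet II + IPv4 + UDP + 8 payload bytes.
SAMPLE_FRAME = bytes.fromhex(
    "001122334455"          # Ethernet destination MAC
    "66778899aabb"          # Ethernet source MAC
    "0800"                  # EtherType: IPv4
    "450000241a2b40004011"  # IPv4: ver 4 / IHL 5, total length 36, id, DF, TTL 64, proto 17 (UDP)
    "0000"                  # IPv4 header checksum (zeroed in this constructed sample)
    "c0a8010a"              # ip.src 192.168.1.10
    "08080808"              # ip.dst 8.8.8.8
    "d43100350010" "0000"   # UDP: sport 54321, dport 53, length 16, checksum 0
    "deadbeefcafef00d"      # UDP payload
)

def dissect(frame):
    """Map Wireshark-style field names to (value, byte offset, length) for an Ethernet/IPv4/UDP frame."""
    fields = {}
    eth_dst, eth_src, eth_type = struct.unpack("!6s6sH", frame[:14])
    fields["eth.dst"] = (eth_dst.hex(":"), 0, 6)
    fields["eth.src"] = (eth_src.hex(":"), 6, 6)
    fields["eth.type"] = (eth_type, 12, 2)
    if eth_type != 0x0800:
        raise ValueError("this example only dissects IPv4 frames")
    ip_off = 14  # IPv4 header starts right after the 14-byte Ethernet header
    ver_ihl, _tos, total_len, _id, _flags, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", frame[ip_off:ip_off + 20])
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes (options would make it > 20)
    fields["ip.len"] = (total_len, ip_off + 2, 2)
    fields["ip.ttl"] = (ttl, ip_off + 8, 1)
    fields["ip.proto"] = (proto, ip_off + 9, 1)
    fields["ip.src"] = (str(IPv4Address(src)), ip_off + 12, 4)
    fields["ip.dst"] = (str(IPv4Address(dst)), ip_off + 16, 4)
    if proto == 17:  # UDP follows the IPv4 header
        udp_off = ip_off + ihl
        sport, dport, ulen, _ucsum = struct.unpack("!HHHH", frame[udp_off:udp_off + 8])
        fields["udp.srcport"] = (sport, udp_off, 2)
        fields["udp.dstport"] = (dport, udp_off + 2, 2)
        fields["udp.payload"] = (frame[udp_off + 8:udp_off + ulen].hex(), udp_off + 8, ulen - 8)
    return fields

def hex_pane(frame, highlight=None, width=16):
    """Render the frame like the bottom pane; bytes inside highlight=(offset, length) are bracketed."""
    lo, hi = (highlight[0], highlight[0] + highlight[1]) if highlight else (-1, -1)
    lines = []
    for row in range(0, len(frame), width):
        cells = [f"[{frame[i]:02x}]" if lo <= i < hi else f"{frame[i]:02x}" for i in range(row, min(row + width, len(frame)))]
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in frame[row:row + width])
        lines.append(f"{row:04x}  {' '.join(cells)}  {text}")
    return "\n".join(lines)
```

Passing `dissect(SAMPLE_FRAME)["ip.dst"][1:]` as the highlight to `hex_pane` brackets bytes 30 to 33, which is exactly the selection the screenshot above shows for the destination address.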
Wireshark color coding
When scrutinizing captured packets in Wireshark, color should be your friend. Every packet row is color-coded, and the colors are customizable, so you can identify the type of traffic at a glance. Here is the meaning of the default Wireshark colors:
- Black—packets with errors
- Light blue—UDP traffic
- Light purple—TCP traffic
- Gray—TCP handshake packets