Wireshark is a tool used for capturing and analyzing network traffic.
Capturing
Launching
On Linux the capture privileges live in the separate `dumpcap` helper, which is normally installed setgid `wireshark` (and, on systems that use capabilities, carries CAP_NET_RAW and CAP_NET_ADMIN). A user in the `wireshark` group can therefore capture while the Wireshark GUI and its dissectors run unprivileged, so root permissions are not needed and should not be used: the dissectors are a large parsing surface that is fed untrusted traffic. Check membership with `id -nG` (a newly added group takes effect only after logging in again) and the helper's privileges with `getcap $(command -v dumpcap)` or `ls -l $(command -v dumpcap)`.
Filtering
- Capture Filter: applied by the capture engine (BPF inside libpcap/dumpcap) before packets are stored; packets that do not match are dropped and cannot be recovered later. Uses pcap-filter syntax (e.g. net 1.2.3.0/24, tcp port 8080).
- Display Filter: applied to an already captured or loaded trace; packets that do not match are only hidden until the filter is changed or cleared. Uses Wireshark's own field syntax (e.g. ip.addr == 1.2.3.0/24, tcp.port == 8080).
```mermaid
flowchart LR
a[Network Traffic] --> b[Capture Filters] --> c[Capture Engine] --> d[Display Filter] --> e[Display]
```
Filters
We use filters to narrow a capture down to interesting traffic. Capture filters are set before the capture starts (Capture > Options, or saved ones under Capture > Capture Filters) and use pcap-filter syntax. Display filters are typed into the filter toolbar above the packet list (saved ones live under Analyze > Display Filters) and use Wireshark's field syntax. The two are not interchangeable: tcp port 8080 is a capture filter, tcp.port == 8080 is a display filter, and each is a syntax error in the other's input box.
Operators
- Display filters: comparison with ==, !=, >, <, >=, <=, contains (substring) and matches (regular expression); logical and/&&, or/||, not/!, with parentheses for grouping. In older Wireshark releases ip.addr != 1.2.3.4 meant "either address differs" and therefore hid nothing; !(ip.addr == 1.2.3.4) excludes a host in every version.
- Capture filters: primitives such as host, net, port, tcp, udp, combined with and, or, not and parentheses.
Network
- Capture filter: net 1.2.3.0/24, or host 1.2.3.4 for a single address
- Display filter: ip.addr == 1.2.3.0/24 (matches source or destination), ip.src == 1.2.3.4 for one direction only
Port / Protocol
- Capture filter: tcp port 8080, or port 53 for either transport
- Display filter: tcp.port == 8080 (either endpoint), tcp.dstport == 8080 (one direction), or a protocol name such as http or dns, which matches only what the corresponding dissector recognised
TCP Streams
To view the full payload of one TCP connection (e.g. a complete HTTP request and response exchange, or an SSH session):
- Right-click a packet that belongs to the connection
- Select Follow > TCP Stream in the context menu
Wireshark collects both directions of that conversation, reassembles each in sequence-number order and shows the result in a dialog, while applying the display filter tcp.stream eq N (N being the stream index) to the packet list; clear that filter afterwards to get the rest of the capture back. Only what travelled in clear is readable: for SSH you see the version banners and key exchange, for TLS the handshake, and the application data stays opaque unless you provide keys (Edit > Preferences > Protocols > TLS). The same reassembly from the command line: tshark -q -r capture.pcap -z follow,tcp,ascii,0 (0 being the stream index).
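The three mechanisms on this page (capture filter, display filter, Follow > TCP Stream) reduced to plain Python, as an added example that is not part of the original page or of Wireshark's own code. It builds a pcap from constructed packets (addresses, ports and payloads are invented; checksums are left zero), applies the equivalent of net 10.0.0.0/24 on raw bytes before dissection, then tcp.port == 8080 on dissected fields, then reassembles the selected stream. The dissector handles only option-less IPv4/TCP, which is all the sample contains, and the file it writes can be opened in Wireshark to repeat the same steps there.

```python
"""Added example, not from the original page: build a tiny pcap from constructed
Ethernet/IPv4/TCP frames, then do in plain Python what the page describes in
Wireshark: a capture filter evaluated on raw bytes before dissection, a display
filter evaluated on dissected fields, and Follow > TCP Stream reassembling both
directions by sequence number. Addresses, ports and payloads are made up."""
import ipaddress
import struct

# Constructed traffic: (src, dst, sport, dport, seq, payload). The second HTTP
# request is listed before the first to show the reordering by tcp.seq.
SAMPLE_TRAFFIC = [
    ("10.0.0.5", "10.0.0.9", 40000, 8080, 1033, b"GET /2 HTTP/1.1\r\nHost: example\r\n\r\n"),
    ("10.0.0.5", "10.0.0.9", 40000, 8080, 1000, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
    ("10.0.0.9", "10.0.0.5", 8080, 40000, 5000, b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"),
    ("10.0.0.5", "10.0.0.9", 40001, 443, 7000, b"\x16\x03\x01\x00\x05hello"),
    ("192.168.1.2", "192.168.1.3", 50000, 22, 9000, b"SSH-2.0-OpenSSH_9.0\r\n"),
]


def build_frame(src, dst, sport, dport, seq, payload):
    """Ethernet II + IPv4 + TCP (PSH/ACK) frame without options, checksums zero."""
    eth = b"\x00" * 12 + b"\x08\x00"  # zero MAC addresses, EtherType 0x0800 = IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def write_pcap(path, frames):
    """Classic pcap file (magic 0xA1B2C3D4, link type 1 = Ethernet) for Wireshark."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, frame in enumerate(frames):
            f.write(struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame)


def capture_filter_net(frame, cidr):
    """pcap-filter 'net <cidr>': decided on raw bytes (EtherType at offset 12,
    IPv4 source/destination at 26 and 30) before any dissector runs."""
    net = ipaddress.IPv4Network(cidr)
    if frame[12:14] != b"\x08\x00":
        return False
    return any(ipaddress.IPv4Address(frame[o:o + 4]) in net for o in (26, 30))


def dissect(frame):
    """Minimal dissector: Wireshark-style field names for an IPv4/TCP frame."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 6:  # not IPv4, or IP protocol not TCP
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    t = 14 + ihl  # start of the TCP header
    sport, dport, seq = struct.unpack("!HHI", frame[t:t + 8])
    data_off = (frame[t + 12] >> 4) * 4
    return {"ip.src": str(ipaddress.IPv4Address(frame[26:30])),
            "ip.dst": str(ipaddress.IPv4Address(frame[30:34])),
            "tcp.srcport": sport, "tcp.dstport": dport, "tcp.seq": seq,
            "tcp.payload": frame[t + data_off:14 + total_len]}


def display_filter_tcp_port(pkt, port):
    """Display filter 'tcp.port == <port>': true if either endpoint uses the port."""
    return port in (pkt["tcp.srcport"], pkt["tcp.dstport"])


def stream_key(pkt):
    """Direction-independent 4-tuple, the role Wireshark's tcp.stream index plays."""
    return tuple(sorted([(pkt["ip.src"], pkt["tcp.srcport"]), (pkt["ip.dst"], pkt["tcp.dstport"])]))


def follow_tcp_stream(pkts, selected):
    """Follow > TCP Stream: take the selected packet's conversation and join each
    direction's payload in sequence-number order (joined per endpoint, since
    sequence numbers are only comparable within one direction)."""
    key = stream_key(selected)
    directions = {}
    for p in sorted((p for p in pkts if stream_key(p) == key), key=lambda p: p["tcp.seq"]):
        endpoint = (p["ip.src"], p["tcp.srcport"])
        directions[endpoint] = directions.get(endpoint, b"") + p["tcp.payload"]
    return directions


def demo(pcap_path=None):
    """Capture filter, then display filter, then follow the first shown stream;
    optionally write all frames to pcap_path to repeat the steps in Wireshark."""
    frames = [build_frame(*t) for t in SAMPLE_TRAFFIC]
    if pcap_path:
        write_pcap(pcap_path, frames)
    captured = [f for f in frames if capture_filter_net(f, "10.0.0.0/24")]
    pkts = [dissect(f) for f in captured]
    shown = [p for p in pkts if display_filter_tcp_port(p, 8080)]
    return len(frames), len(captured), len(shown), follow_tcp_stream(pkts, shown[0])


if __name__ == "__main__":
    total, kept, shown, stream = demo("constructed.pcap")
    print(f"{total} frames, {kept} after 'net 10.0.0.0/24', {shown} after 'tcp.port == 8080'")
    for (ip, port), data in stream.items():
        print(f"--- {ip}:{port} ---\n{data.decode(errors='replace')}")
```

The written file contains all five frames, so tcpdump -r constructed.pcap net 10.0.0.0/24 reproduces the capture-filter result (four frames, the SSH one gone), while opening the file in Wireshark and typing tcp.port == 8080 into the filter toolbar reproduces the display-filter result with the other frames merely hidden. Right-clicking one of the three remaining packets and choosing Follow > TCP Stream shows the same two directions the script prints, with the two requests in sequence order regardless of the order they were captured in.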