Wireshark is a graphical tool for capturing and analyzing network traffic; tshark is its command-line counterpart and understands the same capture and display filters.

Capturing

Launching

wireshark

Capturing needs raw-socket privileges, but on Linux those belong to the helper dumpcap, not to the GUI: if the user is in the wireshark group (Debian/Ubuntu: sudo dpkg-reconfigure wireshark-common to allow non-root capture, then sudo usermod -aG wireshark $USER and log in again), an unprivileged wireshark can capture. Avoid sudo wireshark: the protocol dissectors parse untrusted traffic and have a long history of security advisories, so they should not run in a root process.

Filtering

  • Capture Filter: decides what is captured; packets that do not match are never written to the capture, so they cannot be recovered later. Uses pcap/BPF syntax (e.g. net 1.2.3.0/24, tcp port 8080) and is the right tool for keeping load and disk usage down on a busy link.
  • Display Filter: decides what is shown; packets that do not match stay in the capture and reappear when the filter is cleared. Uses Wireshark's own field syntax (e.g. ip.addr == 1.2.3.0/24, tcp.port == 8080). The two syntaxes are not interchangeable.

flowchart LR
	a[Network Traffic] --> b[Capture Filters] --> c[Capture Engine] --> d[Display Filter] --> e[Display]

Filters

Filters select the traffic of interest. Capture filters are set per interface in the Capture Options dialog, and saved ones are managed under Capture > Capture Filters...; display filters are typed into the filter bar above the packet list (the bar turns green for a valid expression and red for an invalid one), with saved ones under Analyze > Display Filters....

Operators

Display filters: comparison ==, !=, >, <, >=, <=, plus contains (substring) and matches (regular expression); logical && (and), || (or), ! (not), with parentheses for grouping. Capture filters only have and, or and not on top of the pcap primitives (host, net, port, tcp, udp, ...).

A field that occurs more than once per packet is compared occurrence by occurrence, so ip.addr != 1.2.3.4 is true whenever either address differs, which is almost every packet. To exclude a host use !(ip.addr == 1.2.3.4).

Network

net 1.2.3.0/24

That is capture-filter (pcap) syntax. The display-filter equivalent is ip.addr == 1.2.3.0/24; use ip.src or ip.dst to restrict it to one direction.

Port / Protocol

tcp.port == 8080

That is display-filter syntax and matches the port in either direction (tcp.srcport / tcp.dstport for one direction only); a bare protocol name such as tcp, dns or tls is also a valid display filter. The capture-filter equivalent is tcp port 8080.

TCP Streams

To view a whole TCP conversation reassembled in order (e.g. a full HTTP request and response exchange):

  • Right-click a packet belonging to the conversation
  • Select Follow > TCP Stream in the context menu

Wireshark then applies the display filter tcp.stream eq N for that conversation and shows both directions, coloured per direction. This is the reassembled payload only, so for encrypted protocols it shows ciphertext: an SSH session yields little beyond the version banners, and for TLS use Follow > TLS Stream after pointing Edit > Preferences > Protocols > TLS at a key log file (SSLKEYLOGFILE) obtained from the client. From the command line the equivalent is tshark -r capture.pcap -q -z follow,tcp,ascii,N.
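The following is an added example, not code from the original page or from the Wireshark project: it builds a small pcap of a constructed HTTP exchange on port 8080 and then reproduces, in plain Python, the two behaviours described above, display-filter matching on ip.addr / tcp.port (including the ip.addr != gotcha from the Operators section) and Follow > TCP Stream reassembly of out-of-order and retransmitted segments. All addresses, ports and payloads are made up, and the reassembly is a simplified version of what Wireshark does (no sequence-number wrap-around handling).

```python
# Added example, not from the original page: build a small pcap of a constructed
# HTTP exchange and reproduce display-filter matching on ip.addr / tcp.port and
# "Follow > TCP Stream" reassembly. Standard library only; all data is made up.
import ipaddress
import struct
from collections import defaultdict

def ip_checksum(hdr):
    """RFC 1071 one's-complement sum over the IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def tcp_frame(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Ethernet/IPv4/TCP frame; TCP checksum left 0 (Wireshark does not validate it by default)."""
    eth = bytes.fromhex("020000000002" "020000000001" "0800")
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0x4000, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return eth + ip + tcp + payload

def pcap_bytes(frames):
    """Classic libpcap format, link type 1 (Ethernet), one frame per second."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)

def dissect(frame):
    """Extract the fields the filters below use, named as Wireshark names them."""
    ihl = (frame[14] & 0x0F) * 4
    ip, tcp = frame[14:14 + ihl], frame[14 + ihl:14 + ihl + 20]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    doff = (tcp[12] >> 4) * 4
    return {"ip.src": str(ipaddress.IPv4Address(ip[12:16])),
            "ip.dst": str(ipaddress.IPv4Address(ip[16:20])),
            "tcp.srcport": sport, "tcp.dstport": dport, "tcp.seq": seq,
            "tcp.flags": tcp[13], "tcp.payload": frame[14 + ihl + doff:]}

def field_values(p, field):
    """ip.addr and tcp.port stand for two fields, so each packet has two values for them."""
    if field == "ip.addr":
        return [p["ip.src"], p["ip.dst"]]
    if field == "tcp.port":
        return [p["tcp.srcport"], p["tcp.dstport"]]
    return [p[field]]

def matches(p, field, op, value):
    """Evaluate `field op value` as Wireshark does: true if ANY occurrence of the
    field satisfies the comparison. ip.* fields accept CIDR notation."""
    vals = field_values(p, field)
    if field.startswith("ip.") and "/" in str(value):
        net = ipaddress.ip_network(value, strict=False)
        hits = [ipaddress.ip_address(v) in net for v in vals]
    else:
        hits = [v == value for v in vals]
    return any(hits) if op == "==" else any(not h for h in hits)

def follow_tcp_stream(packets, stream_index=0):
    """What Follow > TCP Stream does: group by connection (tcp.stream numbers them in
    order of first appearance), sort each direction by sequence number, collapse
    retransmissions, concatenate payloads. Sequence wrap-around is not handled here."""
    streams, order = defaultdict(list), []
    for p in packets:
        key = frozenset([(p["ip.src"], p["tcp.srcport"]), (p["ip.dst"], p["tcp.dstport"])])
        if key not in streams:
            order.append(key)
        streams[key].append(p)
    segments = {}
    for p in streams[order[stream_index]]:
        direction = "%s:%d -> %s:%d" % (p["ip.src"], p["tcp.srcport"], p["ip.dst"], p["tcp.dstport"])
        segments.setdefault(direction, {})[p["tcp.seq"]] = p["tcp.payload"]
    return {d: b"".join(seg[s] for s in sorted(seg)) for d, seg in segments.items()}

# Constructed traffic: an HTTP request on 8080 whose response arrives in two
# segments, out of order, one of them retransmitted, plus an unrelated SYN to 22.
CLIENT, SERVER, OTHER = "10.0.0.1", "10.0.0.2", "10.0.0.3"
REQ = b"GET /admin HTTP/1.1\r\nHost: 10.0.0.2:8080\r\n\r\n"
RESP = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"
ACK = 1001 + len(REQ)
FRAMES = [
    tcp_frame(CLIENT, SERVER, 40000, 8080, 1000, 0, 0x02),                 # SYN
    tcp_frame(SERVER, CLIENT, 8080, 40000, 5000, 1001, 0x12),              # SYN/ACK
    tcp_frame(CLIENT, SERVER, 40000, 8080, 1001, 5001, 0x18, REQ),         # request
    tcp_frame(SERVER, CLIENT, 8080, 40000, 5021, ACK, 0x18, RESP[20:]),    # 2nd half, early
    tcp_frame(SERVER, CLIENT, 8080, 40000, 5001, ACK, 0x18, RESP[:20]),    # 1st half
    tcp_frame(SERVER, CLIENT, 8080, 40000, 5001, ACK, 0x18, RESP[:20]),    # retransmission
    tcp_frame(OTHER, SERVER, 40001, 22, 7000, 0, 0x02),                    # unrelated SYN
]
PACKETS = [dissect(f) for f in FRAMES]

def filter_counts():
    """tcp.port matches either direction; ip.addr != is the classic gotcha."""
    return {"tcp.port == 8080": sum(matches(p, "tcp.port", "==", 8080) for p in PACKETS),
            "ip.addr != 10.0.0.1": sum(matches(p, "ip.addr", "!=", CLIENT) for p in PACKETS),
            "!(ip.addr == 10.0.0.1)": sum(not matches(p, "ip.addr", "==", CLIENT) for p in PACKETS)}

if __name__ == "__main__":
    open("demo.pcap", "wb").write(pcap_bytes(FRAMES))  # open in Wireshark and try the filters
    print(filter_counts(), follow_tcp_stream(PACKETS))
```

Running the script writes demo.pcap; the same checks can then be made against the real tool: tshark -r demo.pcap -Y 'tcp.port == 8080' should list six packets and tshark -r demo.pcap -Y 'ip.addr != 10.0.0.1' all seven, while tshark -r demo.pcap -q -z follow,tcp,ascii,0 prints the request and the reassembled response. The capture-filter form of the same selection (tshark -i eth0 -f 'tcp port 8080') would have dropped the port-22 SYN before it was ever written to disk.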