What is Wireshark?

Posted on by Martin Pollock
Reading Time: 4 minutes

What is Wireshark?

Wireshark is a cross-platform network protocol analyzer licensed under the GNU General Public License. Its author, Gerald Combs, started the project under the name Ethereal in the late 1990s while working for a small Internet service provider.

While he owned the copyright to the source code, he did not own the trademark to the Ethereal name. Gerald later left the company, and in 2006 Wireshark was born from the Ethereal Subversion repository and source code.

Wireshark is a widely used packet sniffer that stands out for:

  • Filtering
  • Packet capture
  • Visualization

The primary Wireshark function captures network packets in real time and displays the captured packet content in detail, allowing for analysis.

Wireshark is widely used in the networking sphere. For example, network administrators use it to solve and troubleshoot network functionality problems, network design, and real-time network security protection. 

Wireshark Features

Live data can be captured from the following link types (depending on your platform), and saved captures can be analyzed offline:

  • Ethernet
  • IEEE 802.11 
  • USB
  • Point-to-Point Protocol (PPP)/High-level Data Link Control (HDLC) 
  • Fiber Distributed Data Interface (FDDI)
  • Frame Relay 
  • ATM
  • Bluetooth  
  • Token Ring

Wireshark provides decryption support for a large number of protocols, including:

  • ISAKMP
  • SSL/TLS
  • SNMPv3
  • IPsec
  • Kerberos
  • WEP
  • WPA/WPA2

Wireshark can dissect hundreds of protocols on all common network types and offers powerful VoIP analysis and display filters. Captured data can be analyzed live or read from capture files saved in various formats, such as:

  • Network Instruments Observer
  • NetScreen snoop
  • Pcap NG
  • Catapult DCT2000
  • Microsoft Network Monitor
  • Shomiti/Finisar Surveyor
  • Tektronix K12xx
  • Cisco Secure IDS iplog
  • Novell LANalyzer
  • RADCOM WAN/LAN Analyzer

System Requirements

Wireshark lists several system requirements, but here are the basic requirements you will need. Supported operating systems are Windows, macOS, and Linux. While the below requirements are stated for Windows, other systems need comparable specifications:

  • Root permissions/access or Administrator access is required for parts of the tutorial.
  • The Universal C Runtime (included with Windows 10, Windows Server 2019, and installed automatically on earlier versions).
  • Any modern 64-bit AMD64/x86-64 or 32-bit x86 processor.
  • 500 MB available RAM. Larger capture files require more RAM.
  • 500 MB available disk space. Capture files require additional disk space.
  • Any modern display. Wireshark recommends 1280 × 1024 or higher resolution. It makes use of HiDPI or Retina resolutions if available.
  • A supported network card for capturing.
    • Any Ethernet card works for capturing traffic.
    • Capturing raw Institute of Electrical and Electronics Engineers (IEEE) 802.11 information could represent a challenge without special equipment.

How to Install Wireshark

Wireshark is free to download and available for most operating systems. Choose the most appropriate option for your OS.

How to Install Wireshark on Windows

To complete the installation, you will need administrator permission. For Windows installation, download the 64-bit Windows installer and follow the on-screen installer steps.

Npcap is required for live packet capturing and is included with the Wireshark stable release packages for Windows. You can download it separately from their site if needed.

How to Install Wireshark on macOS

To install Wireshark on macOS, download and open the .dmg file. Then, drag and drop the Wireshark application into your Applications folder. Next, you need the ChmodBPF launch daemon to capture packets. Finally, locate and open the Install ChmodBPF.pkg file in the Wireshark .dmg to complete the installation.

Alternative Homebrew Installation

You have the option to use Homebrew to install Wireshark on macOS. First, install Homebrew via the terminal prompt using the following command.

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

After you have successfully installed Homebrew, use the following command in the terminal prompt.

brew install wireshark

How to Install Wireshark on Debian Linux

Debian-based Linux systems require root permissions. Use the following commands to complete the installation.

sudo apt-get install wireshark
sudo dpkg-reconfigure wireshark-common
sudo usermod -a -G wireshark $USER
newgrp wireshark

Install Wireshark on CentOS, Red Hat Enterprise Linux (RHEL), and Fedora Linux

Installation on CentOS, Red Hat Enterprise Linux (RHEL), and Fedora Linux requires root permissions. Depending on your package manager, use one of the following commands.

sudo dnf install wireshark

or

sudo yum install wireshark

Capturing Packets

After successfully installing Wireshark, you can capture live data. In the main window, select Capture and then Options. That will open another window with a list of available interfaces. Locate your desired interface and click Start to begin capturing the packets. 

After capturing the traffic you want, click Stop (a red square) at the top and begin your analysis.

Switching Wireshark to promiscuous mode requires Administrator or root access. Promiscuous mode allows your network interface to supply the host device with all packets it sees. It is the default mode unless the Capture packets in promiscuous mode option is turned off in the Capture Options.

Filtering Packets

Filtering data is one of the most important Wireshark features, especially if a large amount of data requires analysis.

By configuring filters in Wireshark, you can restrict the captured or displayed packets to your criteria:

  • Traffic to and from a specific IP address.
  • Traffic sent to a particular host.
  • Traffic on specific ports. 

Wireshark Color Coding

Packets are color-coded by default, and the coloring rules can be customized. A few default color codes are:

  • UDP: Light blue
  • TCP: Light purple
  • ICMP: Light pink

Wireshark Network Statistics

Statistical analysis is crucial for obtaining in-depth insights into your network. Luckily, you won’t have to do the statistical analysis manually since you can just click on the statistics menu that provides various plotting, metrics, and graphs.

Some of the statistics reported include:

  • The number of packets captured.
  • The time span or duration of the stream.
  • Average packets per second (PPS).
  • Size in bytes.
  • Average bytes/second.
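As an added example (not code from the article or from the Wireshark project), the following Python script applies the three filter criteria from the Filtering Packets section and then computes the capture statistics listed above. It assumes classic libpcap-format Ethernet captures (the format Wireshark reads as "pcap"; Pcap NG, listed earlier, is a different container). The helper names, the hand-built sample frames and the addresses 10.0.0.x and 203.0.113.10 are constructed for the example; comments on the filter helpers give the equivalent Wireshark display-filter expressions.

```python
import struct
from dataclasses import dataclass
from typing import Callable, List, Optional

# Classic libpcap layout (assumed): 24-byte global header, then records of
# 16-byte packet header + frame bytes. Wireshark reads this format natively.
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17


@dataclass
class Packet:
    ts: float          # seconds since epoch
    length: int        # original length on the wire
    src: str
    dst: str
    proto: int
    sport: Optional[int]
    dport: Optional[int]


def build_frame(src, dst, proto, sport=None, dport=None, payload=b"") -> bytes:
    """Constructed Ethernet/IPv4/{TCP,UDP,ICMP} frame (checksums left at zero)."""
    if proto == PROTO_UDP:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    elif proto == PROTO_TCP:  # 20-byte TCP header, PSH|ACK, data offset 5
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    else:                     # ICMP echo request
        l4 = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    eth = bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + l4


def write_pcap(records) -> bytes:
    """Serialize (timestamp, frame) pairs as a little-endian libpcap file."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in records:
        sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def decode_frame(ts: float, orig_len: int, frame: bytes) -> Optional[Packet]:
    """Decode Ethernet -> IPv4 -> L4 ports; non-IPv4 frames are skipped."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    l4 = 14 + ihl
    sport = dport = None
    if proto in (PROTO_TCP, PROTO_UDP) and len(frame) >= l4 + 4:
        sport, dport = struct.unpack_from("!HH", frame, l4)
    return Packet(ts, orig_len, src, dst, proto, sport, dport)


def read_pcap(data: bytes) -> List[Packet]:
    """Parse a classic pcap file (either byte order) into decoded packets."""
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = "<" if magic == PCAP_MAGIC else ">" if magic == 0xD4C3B2A1 else None
    if endian is None:
        raise ValueError("not a classic libpcap file")
    linktype = struct.unpack_from(endian + "HHiIII", data, 4)[5]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("example only decodes Ethernet captures")
    packets, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl, orig = struct.unpack_from(endian + "IIII", data, off)
        pkt = decode_frame(sec + usec / 1e6, orig, data[off + 16: off + 16 + incl])
        off += 16 + incl
        if pkt is not None:
            packets.append(pkt)
    return packets


Filter = Callable[[Packet], bool]

def host(ip: str) -> Filter:       # traffic to and from an address: ip.addr == ip
    return lambda p: ip in (p.src, p.dst)

def dst_host(ip: str) -> Filter:   # traffic sent to a host: ip.dst == ip
    return lambda p: p.dst == ip

def port(n: int) -> Filter:        # traffic on a port: tcp.port == n || udp.port == n
    return lambda p: n in (p.sport, p.dport)

def apply_filter(packets: List[Packet], *filters: Filter) -> List[Packet]:
    return [p for p in packets if all(f(p) for f in filters)]


def summarize(packets: List[Packet]) -> dict:
    """Capture statistics: count, duration, average pps, bytes, average bytes/s."""
    if not packets:
        return {"packets": 0, "duration": 0.0, "avg_pps": 0.0, "bytes": 0, "avg_bytes_per_sec": 0.0}
    duration = packets[-1].ts - packets[0].ts
    total = sum(p.length for p in packets)
    return {"packets": len(packets), "duration": round(duration, 6),
            "avg_pps": round(len(packets) / duration, 3) if duration else 0.0,
            "bytes": total,
            "avg_bytes_per_sec": round(total / duration, 3) if duration else 0.0}


# Constructed sample capture: a DNS exchange, a TLS exchange and a ping.
SAMPLE_PCAP = write_pcap([
    (1_700_000_000.00, build_frame("10.0.0.5", "10.0.0.1", PROTO_UDP, 53124, 53, b"dns?")),
    (1_700_000_000.25, build_frame("10.0.0.1", "10.0.0.5", PROTO_UDP, 53, 53124, b"dns!")),
    (1_700_000_001.00, build_frame("10.0.0.5", "203.0.113.10", PROTO_TCP, 40000, 443, b"hello")),
    (1_700_000_001.50, build_frame("203.0.113.10", "10.0.0.5", PROTO_TCP, 443, 40000, b"world!")),
    (1_700_000_002.00, build_frame("10.0.0.7", "10.0.0.1", PROTO_ICMP)),
])

if __name__ == "__main__":
    pkts = read_pcap(SAMPLE_PCAP)
    print("all:", summarize(pkts))
    print("port 443:", summarize(apply_filter(pkts, port(443))))
```

Run the script directly to see the statistics for the whole constructed capture and for the port 443 subset; to try it on a real file, replace SAMPLE_PCAP with the bytes of a classic pcap saved from Wireshark (File, Save As, Wireshark/tcpdump/... - pcap). The filter helpers compose with apply_filter in the same way Wireshark combines display-filter terms with &&.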

Important Wireshark Commands

Wireshark has command line interface (CLI) support if your operating system is without a graphical user interface (GUI).

Using CLI, the syntax for any command you use is in the following format.

wireshark [options] [<infile>]

You can list all of Wireshark’s CLI parameters using the below command.

wireshark -h

In the example below, the command captures packets on the interface eth0 for 3 minutes (180 seconds) and writes them to a file named wireshark. The flag -a stops the capture automatically once the given condition is met, -i specifies which interface to capture on, -k starts the capture immediately instead of only opening the capture options, and -w names the output file.

wireshark -k -a duration:180 -i eth0 -w wireshark

Conclusion

Network professionals use Wireshark as their packet capture tool of choice. Once they break down the packets, they use them for real-time or offline analysis. It is a powerful tool for a deeper look into your network traffic.


About the Author: Martin Pollock

Martin is a tech-savvy, experienced customer and now a support technician with more than two years of experience in the field. He's a gamer at heart that also loves psychology and astronomy and would never miss a good game of basketball, even if it rains.
