Introduction To Network Analysis Using Wireshark

February 17, 2021

As an IT professional, one of the most powerful networking tools you will find yourself using is Wireshark, which is used mainly to capture and analyze network packets. This tutorial gives an overview of Wireshark: how it works, how to install it, and how to read your first capture.

Requirements

  • Networking Basics
  • TCP/IP stack
  • Reading and interpreting packet headers
  • Routing and port forwarding
  • DHCP

What is Wireshark?

Wireshark is an open-source network protocol analyzer, developed as a standard tool for analyzing network protocols. It captures packets from a network interface (or reads them from a capture file) and presents them in a dissected, human-readable form.

It is used for tasks such as:

  • Troubleshooting networks.
  • Security operations, for example spotting port scans or other suspicious traffic on a network.
  • Learning how network protocols work at the packet level.
  • Analyzing voice over IP (VoIP) calls.

How does Wireshark work?

Wireshark is, as we said, a packet analyzer or packet sniffer. It captures the traffic moving on your network in real time and can save it to a capture file, so the same data can be analyzed later, offline. You can then use this data to understand what is happening on the network.

Installing Wireshark

In this tutorial, we install Wireshark on Ubuntu 20.04. You are free to use another system; the installation steps below are specific to Debian-based distributions, but Wireshark itself behaves the same way everywhere.

Step 1: Updating the package index


sudo apt update

This outputs the following, remember your output might be different from the one shown below:


jumamiller@OpijaKaeli:~$ sudo apt update
[sudo] password for jumamiller: 
Hit:1 http://ke.archive.ubuntu.com/ubuntu focal InRelease                      
Hit:2 http://dl.google.com/linux/chrome/deb stable InRelease                                                
Reading package lists... Done
Building dependency tree       
Reading state information... Done
243 packages can be upgraded. Run 'apt list --upgradable' to see them.
jumamiller@OpijaKaeli:~$ 

Step 2: Installing Wireshark

With the package index updated, we install the Wireshark version packaged for Ubuntu 20.04 by running the following command (package names are case-sensitive, so it must be lowercase):

jumamiller@OpijaKaeli:~$ sudo apt install wireshark
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following additional packages will be installed:
  libc-ares2 libqt5multimedia5-plugins libqt5multimediagsttools5
  libqt5multimediawidgets5 libqt5opengl5 libsmi2ldbl libspandsp2
  libwireshark-data libwireshark13 libwiretap10 libwsutil11 wireshark-common
  wireshark-qt
Suggested packages:
  snmp-mibs-downloader geoipupdate geoip-database geoip-database-extra
  libjs-leaflet libjs-leaflet.markercluster wireshark-doc
The following NEW packages will be installed:
  libc-ares2 libqt5multimedia5-plugins libqt5multimediagsttools5
  libqt5multimediawidgets5 libqt5opengl5 libsmi2ldbl libspandsp2
  libwireshark-data libwireshark13 libwiretap10 libwsutil11 wireshark
  wireshark-common wireshark-qt
0 upgraded, 14 newly installed, 0 to remove and 243 not upgraded.
Need to get 22.0 MB of archives.
After this operation, 116 MB of additional disk space will be used.
Do you want to continue? [Y/n] 

To continue, type y. Depending on your network speed, the download may take a few minutes. Near the end of the installation a dialog asks whether non-superusers should be able to capture packets.

Step 3: Configure capture permissions

Configure-wireshark

Use the arrow keys to select Yes or No and press Enter. Choosing Yes lets members of the wireshark group capture packets without running the Wireshark GUI as root: the capture itself is done by the helper program dumpcap, which is granted the network capture capabilities and made executable only by that group. You still have to add your own account to the wireshark group (with usermod) and log out and back in before the interfaces appear in Wireshark. If you choose No, you can revisit the question later with dpkg-reconfigure wireshark-common. Running the whole GUI as root is not recommended, since the dissectors parse untrusted data from the network.

Step 4: Verify Wireshark installation

Run the following command to get the version of Wireshark you have installed:


jumamiller@OpijaKaeli:~$ wireshark --version
Wireshark 3.2.3 (Git v3.2.3 packaged as 3.2.3-1)

Copyright 1998-2020 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later <https://www.gnu.org/licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with Qt 5.12.8, with libpcap, with POSIX capabilities (Linux),
with libnl 3, with GLib 2.64.2, with zlib 1.2.11, with SMI 0.4.8, with c-ares
1.15.0, with Lua 5.2.4, with GnuTLS 3.6.13 and PKCS #11 support, with Gcrypt
1.8.5, with MIT Kerberos, with MaxMind DB resolver, with nghttp2 1.40.0, with
brotli, with LZ4, with Zstandard, with Snappy, with libxml2 2.9.10, with
QtMultimedia, without automatic updates, with SpeexDSP (using system library),
with SBC, with SpanDSP, without bcg729.

Running on Linux 5.4.0-58-generic, with          Intel(R) Celeron(R) CPU B830 @
1.80GHz (with SSE4.2), with 3824 MB of physical memory, with locale en_US.UTF-8,
with libpcap version 1.9.1 (with TPACKET_V3), with GnuTLS 3.6.13, with Gcrypt
1.8.5, with brotli 1.0.7, with zlib 1.2.11, binary plugins supported (0 loaded).

Built using gcc 9.3.0.
jumamiller@OpijaKaeli:~$ 

Step 5: Launch Wireshark

To start Wireshark, run the following command in the terminal:


jumamiller@OpijaKaeli:~$ wireshark

Running this command opens the Wireshark window.

Fig 1.2 Wireshark window

Wireshark-window

Congratulations, you now have Wireshark installed in your system and running.

Your first packet capture

With Wireshark installed, let's dive in and start experimenting with its features.

1. Wireshark graphical user interface

From Fig 1.2 above, Wireshark contains some commonly used menus: File, Edit, View, Go, Capture, Analyze, Statistics, Telephony, Wireless, Tools, and Help.

Below the menu bar is the toolbar, which includes:

  • Start Capturing Packets icon
  • Stop Capturing Packets icon
  • Restart Current Capture icon

and several other icons; hover over each one to see what it does.

2. Wireshark network interface selection

When you start Wireshark without opening a capture file or starting a capture, it shows a welcome screen.
This screen lists recently opened capture files and the interfaces available for capturing, each with a small graph of its current traffic.

The first step is to select the network interface whose traffic you want to capture. Remember that interface names differ between operating systems (on Linux, for example, eth0 or wlan0).

Fig 1.3 Network interfaces

Network-Interfaces

From the screenshot above, we have 6 interfaces to choose from.

Click Capture just below the "Welcome to Wireshark" heading, or open Capture > Options from the menu bar.

This opens the Capture Options dialog, as seen below.

Fig 1.4 Network interfaces 2

Network-Interfaces

Now select the interface you want to listen on. Physical interfaces (eth0, wlan0 and the like) capture your own machine's traffic, and the any pseudo-interface captures on all of them at once; this example explores the UDP Listener option instead, an extcap interface that receives packets forwarded to it over UDP rather than sniffing a network card.

Then click the Start button.

At this stage, you should be able to get an output like the one presented below.

Fig 1.5 Network traffic

Network-Traffics

In the capture pane above, packets are listed in the order they were captured, one line per packet.

The list is tabular: each row is one captured packet, and the columns give details such as the time, the protocol and the length. Refer to the screenshot above while reading the column descriptions.

Let’s have a look at these columns and what type of information they provide us with.

  • No. - The sequence number of the packet within the capture. Use it to refer back to a specific packet, for example when jumping to it with Go > Go to Packet.
  • Time - When the packet was captured; by default this is shown in seconds since the first packet of the capture (the format can be changed under View > Time Display Format).
  • Source - The address the packet came from: an IP address for IP traffic, or a MAC address for frames such as ARP that carry no IP layer.
  • Destination - The address the packet is going to, in the same form.
  • Protocol - The highest-level protocol Wireshark recognised in the packet, for example TCP, ARP or SSDP.
  • Length - The size of the captured frame in bytes.
  • Info - A one-line summary of the packet, drawn from the topmost protocol (ports and flags for TCP, the request line for SSDP, and so on).

NOTE: Rows are coloured by protocol according to View > Coloring Rules; in our capture, for example, TCP rows have a #cccccc background. The colours are configurable, so they help you tell protocols apart at a glance but may differ between installations.

Congratulations, you have just successfully captured network packets, and that’s how user-friendly Wireshark is.

Packet details panel

Now that we have captured some data, click on a single row and notice the details that appear in the pane immediately below the packet list.

Fig 1.5 Packet details

Single-Packet-Details

Click the highlighted protocol line (here SSDP) to expand it and see the fields of that protocol, as shown below:

Fig 1.6 More on packet details

Protocol-details

The details pane tells us much more about the captured packet, including the device that sent it: SSDP requests and announcements carry headers such as USER-AGENT and SERVER that name the operating system and UPnP stack of the sender. Information like this is valuable when inventorying a network and, after a compromise, when reconstructing what a machine was doing for forensics.
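The packet-list columns described earlier and the layered view of the details pane can be reproduced in a few lines of Python, which is a useful way to check your own reading of a capture. The following is an added example, not code from the article or from the Wireshark project: it reads the classic pcap format (Wireshark's default save format is pcapng, which it deliberately rejects), dissects Ethernet, IPv4, UDP, TCP and SSDP just far enough to fill the No., Time, Source, Destination, Protocol, Length and Info columns, and prints each packet's layers. The two frames it parses are constructed in memory; the MAC addresses, IP addresses, ports and timestamps are made up and the IP/UDP checksums are left at zero, so a real capture would differ in those fields.

```python
# Added example, not from the article or the Wireshark project: a classic-pcap reader
# and a tiny Ethernet/IPv4/UDP/TCP/SSDP dissector. The frames below are constructed.
import struct

SSDP_MSEARCH = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
                b'MAN: "ssdp:discover"\r\nMX: 1\r\nST: ssdp:all\r\n\r\n')

def mac(b):  return ":".join(f"{x:02x}" for x in b)
def ip(b):   return ".".join(str(x) for x in b)
def inet(s): return bytes(int(x) for x in s.split("."))

def make_pcap(records):
    """Write (timestamp, frame) pairs as classic pcap: a 24-byte global header
    (magic, version 2.4, zone, sigfigs, snaplen, linktype 1 = Ethernet), then a
    16-byte record header (sec, usec, captured len, original len) per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in records:
        sec, usec = int(ts), int(round((ts % 1) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Yield (timestamp, frame); byte order follows the magic number. pcapng,
    Wireshark's default save format, is a different format and is rejected."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack_from("<I", data)[0])
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _ = struct.unpack_from(endian + "IIII", data, off)
        yield sec + usec / 1e6, data[off + 16:off + 16 + incl]
        off += 16 + incl

def dissect(frame):
    """Return [(protocol, fields), ...] lowest layer first, as the details pane shows."""
    dst, src, etype = struct.unpack_from("!6s6sH", frame)
    layers = [("Ethernet", {"src": mac(src), "dst": mac(dst), "type": f"0x{etype:04x}"})]
    if etype != 0x0800:                      # ARP, IPv6, ... are left at the Ethernet layer
        return layers
    ihl = (frame[14] & 0x0F) * 4             # IPv4 header length in bytes (options included)
    ttl, proto, sip, dip = struct.unpack_from("!8xBB2x4s4s", frame, 14)
    layers.append(("IPv4", {"src": ip(sip), "dst": ip(dip), "ttl": ttl, "proto": proto}))
    l4 = frame[14 + ihl:]
    if proto == 17:
        sport, dport, ulen = struct.unpack_from("!HHH", l4)
        layers.append(("UDP", {"src_port": sport, "dst_port": dport, "len": ulen - 8}))
        if 1900 in (sport, dport):           # SSDP is recognised by its well-known port
            request = l4[8:].split(b"\r\n", 1)[0].decode("ascii", "replace")
            layers.append(("SSDP", {"request": request}))
    elif proto == 6:
        sport, dport, seq, _ack, off_flags = struct.unpack_from("!HHIIH", l4)
        flags = [n for bit, n in ((0x02, "SYN"), (0x10, "ACK"), (0x01, "FIN"), (0x04, "RST")) if off_flags & bit]
        layers.append(("TCP", {"src_port": sport, "dst_port": dport, "seq": seq, "flags": ", ".join(flags)}))
    return layers

def info_column(layers):
    top, f = layers[-1]                      # the Info column summarises the top layer
    if top == "SSDP": return f["request"]
    if top == "UDP":  return f"{f['src_port']} -> {f['dst_port']} Len={f['len']}"
    if top == "TCP":  return f"{f['src_port']} -> {f['dst_port']} [{f['flags']}] Seq={f['seq']}"
    return top

def packet_list(pcap_bytes):
    """One dict per frame with the packet-list columns; Time is seconds since the first frame."""
    rows, t0 = [], None
    for no, (ts, frame) in enumerate(read_pcap(pcap_bytes), start=1):
        t0 = ts if t0 is None else t0
        layers = dissect(frame)
        addr = dict(layers).get("IPv4") or layers[0][1]   # IP addresses if present, else MACs
        rows.append({"no": no, "time": round(ts - t0, 6), "source": addr["src"],
                     "destination": addr["dst"], "protocol": layers[-1][0],
                     "length": len(frame), "info": info_column(layers)})
    return rows

def ipv4_frame(src_ip, dst_ip, proto, l4, dst_mac="01:00:5e:7f:ff:fa"):
    """Constructed frame: made-up locally administered source MAC, IPv4 checksum left zero."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex("020000000001") + b"\x08\x00"
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0x4000, 64, proto, 0,
                       inet(src_ip), inet(dst_ip))
    return eth + ipv4 + l4

def sample_capture():
    """Two constructed frames: an SSDP M-SEARCH to the UPnP multicast group, then a TCP SYN."""
    udp = struct.pack("!HHHH", 50000, 1900, 8 + len(SSDP_MSEARCH), 0) + SSDP_MSEARCH
    syn = struct.pack("!HHIIHHHH", 51234, 443, 0, 0, (5 << 12) | 0x02, 65535, 0, 0)
    return make_pcap([(1613548800.0, ipv4_frame("192.168.0.10", "239.255.255.250", 17, udp)),
                      (1613548800.25, ipv4_frame("192.168.0.10", "192.168.0.1", 6, syn, "02:00:00:00:00:02"))])

if __name__ == "__main__":
    capture = sample_capture()
    for row in packet_list(capture):                 # packet-list pane
        print(row)
    for _ts, frame in read_pcap(capture):            # details pane, one tree per frame
        print(dissect(frame))
```

To try it on a real capture, save a capture from Wireshark with File > Save As and choose the pcap (not pcapng) format, then pass the file's bytes to packet_list. The point to notice is that every column is derived from the bytes: Source and Destination come from the highest layer that carries addresses, Protocol is the topmost dissected layer, and Info is whatever that layer considers its one-line summary, which is exactly how Wireshark fills those columns.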

Packet bytes panel

Selecting a row in the packet list fills the details pane (Fig 1.6 above). Selecting a field in the details pane in turn highlights the bytes that field occupies in the pane below it, the packet bytes pane.

Let's take a look.

Fig 1.7 Bytes details

bytes-panel

Looking closely at this screenshot, each line shows an offset on the left, then sixteen bytes of the frame in hexadecimal, then the same bytes as ASCII with unprintable values shown as dots. This is the frame exactly as it was captured off the wire; everything in the details pane is decoded from these bytes.
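The bytes pane layout is simple enough to reproduce, and doing so makes the relationship between the details pane and the raw bytes concrete. The following is an added example, not code from the article or from Wireshark: it renders a frame in the same offset / hex / ASCII layout, reads back the text that Wireshark's Copy > ...as a Hex Stream puts on the clipboard, and shows which dump rows a given field occupies, which is what the pane highlights when you click that field. The frame is a constructed Ethernet/IPv4/UDP header followed by the start of an SSDP request; the addresses and ports are made up and the checksums are zero.

```python
# Added example, not from the article or the Wireshark project: renders bytes the way
# the packet bytes pane does and reads back a copied hex stream. SAMPLE_HEX is constructed.

def hexdump(data, width=16):
    """One string per row: hex offset, `width` bytes in two groups of eight, ASCII."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        cells = [f"{b:02x}" for b in chunk] + ["  "] * (width - len(chunk))  # pad last row
        left, right = " ".join(cells[:width // 2]), " ".join(cells[width // 2:])
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)   # non-printables as '.'
        lines.append(f"{off:04x}  {left}  {right}   {text}")
    return lines

def from_hex_stream(s):
    """Rebuild bytes from text copied out of Wireshark as a hex stream; spaces,
    colons and line breaks (as in a pasted dump) are ignored."""
    return bytes.fromhex("".join(c for c in s if c not in " :\r\n\t"))

def field_rows(data, offset, length):
    """The dump rows a field at [offset, offset+length) lands in, i.e. what the bytes
    pane highlights when that field is selected in the details pane."""
    first, last = offset // 16, (offset + length - 1) // 16
    return hexdump(data)[first:last + 1]

# Constructed frame: Ethernet II (14) + IPv4 (20) + UDP (8) + the start of an SSDP request.
SAMPLE_HEX = ("01 00 5e 7f ff fa 02 00 00 00 00 01 08 00 "                   # dst MAC, src MAC, type
              "45 00 00 24 12 34 40 00 40 11 00 00 c0 a8 00 0a ef ff ff fa "  # 192.168.0.10 -> 239.255.255.250
              "c3 50 07 6c 00 10 00 00 "                                      # UDP 50000 -> 1900, len 16
              "4d 2d 53 45 41 52 43 48")                                      # "M-SEARCH"

# Byte offsets a reader can check against the dump: 14 = IPv4 version/IHL,
# 22 = IPv4 TTL, 23 = IPv4 protocol (0x11 = UDP), 34 = UDP source port.
IPV4_TTL_OFFSET = 22

if __name__ == "__main__":
    frame = from_hex_stream(SAMPLE_HEX)
    print("\n".join(hexdump(frame)))
    print("row holding the TTL field:", field_rows(frame, IPV4_TTL_OFFSET, 1)[0])
```

Run it and compare the output with Fig 1.7: the third row ends in "M-SEAR" and the last, partial row is padded so the ASCII column still lines up, just as in Wireshark. Because every protocol field is nothing more than a range of these bytes, a detail you cannot see in the dissection (an odd padding byte, a field a dissector does not know) is always still visible here.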

Conclusion

In this tutorial, we went over a quick overview of how to get started with Wireshark.

We saw how to install Wireshark on a Linux-based system, capture live traffic, and read a single packet through the packet list, packet details and packet bytes panes.

We will explore more advanced features of Wireshark in the next tutorial.

Happy coding.


Peer Review Contributions by: Lalithnarayan C


About the author

Miller Juma

Miller Juma, is a web enthusiast with 3+ years experience in PHP and Javascript. On his free time, he likes to learn more tricks on Laravel and Angular.

This article was contributed by a student member of Section's Engineering Education Program. Please report any errors or inaccuracies to enged@section.io.