Quick start with Wireshark

Raphael Vieira

Wireshark is an open-source network protocol analysis program, widely considered the industry standard. It is a packet sniffer and analysis tool that captures network traffic from Ethernet, Bluetooth, wireless (IEEE 802.11), token ring and frame relay connections, among others, and stores that data for offline analysis. In this article we will see how to do a basic network capture and analysis using Wireshark.

Like any other packet sniffer, Wireshark does three things:

  • Packet capture
  • Filtering
  • Visualization

Installing

Ubuntu

  1. Install the package
     sudo apt-get install wireshark
  2. Reconfigure the package and answer "yes" when asked whether non-superusers may capture packets
     sudo dpkg-reconfigure wireshark-common
  3. Add your user to the wireshark group (the new group membership takes effect at your next login)
     sudo adduser $USER wireshark

Red Hat

  1. Install the GUI and CLI version of Wireshark
     sudo dnf install wireshark-qt
  2. Add your user to the wireshark group (replace username with your login; the membership takes effect at your next login)
     sudo usermod -a -G wireshark username

There are also Windows and macOS installers.

Using Wireshark

There are a couple of ways in which Wireshark can be used:

  • Directly by capturing traffic on an interface.
  • Indirectly, by importing system trace files and using Wireshark as a traffic/packet analyzer.

The latter is the most common option in a production environment, where no X server is likely to be running on the host and promiscuous mode will not be allowed.

Direct Capture

The instructions below apply only to a machine running an X server, so they cannot be followed on servers without one. For those, capture with a command-line tool and use Wireshark as a trace file analyser, as described in the Tracefiles analyser section of this page.

  1. Select Capture | Interfaces
  2. Select the interface on which packets need to be captured. This will usually be the interface where the Packet/s column is constantly changing, which indicates the presence of live traffic. If you have multiple network interface cards (e.g. a LAN card and a Wi-Fi adapter) you may need to check with your IT administrator to determine the right interface.
  3. Click the Start button to start the capture.
  4. Recreate the problem. The capture dialog should show the number of packets increasing. Try to avoid running any other internet applications while capturing.
  5. Once the problem which is to be analyzed has been reproduced, click on Stop. It may take a few seconds for Wireshark to display the packets captured.
  6. Save the packet trace in the default format. Click on the File menu and select Save As. By default Wireshark will save the packet trace in libpcap format; the file is given a .pcap extension.

Wireshark does provide a command-line interface for systems without a graphical user interface, but the best practice is to use the CLI only to capture and save a trace, and then review that trace with the GUI.

Tracefiles analyser

Wireshark has its own command-line toolset, but the Linux utility tcpdump is the one used in this example, as it is likely to be installed already, or at least readily available, on all distributions.

tcpdump basics

tcpdump has many options; to list the interfaces on a system, use the command tcpdump -D

But, since the trace file will be imported and filtered in Wireshark, the best results are obtained by:

  • either capturing a specific port on all interfaces (e.g. when only database traffic is wanted)
  • or capturing all traffic and applying filters afterwards, to check, say, server communications.

Use cases

Direct Connection example

Wireshark can be used for anything from home Internet problems (checking ICMP traffic) to more complex network issues, such as packet relay problems. Here is a common example of how a Wireshark capture can assist in identifying a problem. This figure shows an issue on a home network where the Internet connection was very slow:

Home network capture

The problem was discovered by drilling down into the IPv6 Internet Control Message Protocol (ICMP) traffic, which is marked in black. In Wireshark's default colouring rules, any packet marked in black is considered to reflect some sort of issue.

The problem was resolved by restarting the cable modem. Of course, this particular problem did not require Wireshark, but it is a good example of how it works.

Indirect analysis from a server-side TCP trace generated with tcpdump

The workflow is the following:

  1. Capture traffic using tcpdump into a .pcap file
  2. Import the file into Wireshark
  3. Filter the data

Capturing Postgres traffic using tcpdump

The most comprehensive results are obtained with this command:

tcpdump -v -i any port 5432 -w postgres.pcap

A maximum number of packets can be set with the option -c, or a maximum output file size (after which tcpdump starts a new file) with -C.

An example of SSL Handshake can be seen in the following picture:

SSL Handshake

The following steps were used to obtain the packet filtering shown:

  1. Start the capture
     tcpdump -v -i any port 5432 -w tcp.pcap
  2. In a Primary/Standby setup, connect from the Standby to the Primary using SSL
     psql "postgresql://david@pg1rl:5432/pooltest?sslmode=require"
  3. Once connected, execute a query and quit
  4. Stop tcpdump (Ctrl + C)
  5. Transfer the file to your desktop
  6. Import it into Wireshark (File -> Open)
  7. Since we are interested in the SSL communication, enter the IP addresses of the two servers and the protocol in the filter bar; this removes all the plain TCP SYN/ACK packets:
     (ip.addr == 10.0.2.10 or ip.addr == 10.0.2.11) and tls

For server communications, it is best to capture all packets and apply suitable filtering afterwards.

tcpdump -v -i any -w tcp.pcap 

On a busy server the trace files may grow significantly; therefore, short, targeted and monitored experimental tests are advised.

Here is an example of an email sent from a VM running Postfix as an MTA and relaying through Google's SMTP server:

SMTP Traffic

Filter applied:

not ssh and not udp and not tcp.len==0 and not arp
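The two display filters above, and the tcpdump capture filter "port 5432" used earlier, all operate on the same libpcap file format that Wireshark saves by default in the Direct Capture section. The following is an added example, not code from the article or from the Wireshark project: a minimal libpcap reader written with only the Python standard library, which builds a small constructed capture in memory (the 10.0.2.10 and 10.0.2.11 addresses are the ones named in the article's filter; the other addresses, ports and payloads are made up) and then applies equivalents of the three filters to it. The TLS check is a deliberate simplification (it only looks for a TLS record header at the start of the TCP payload, where Wireshark runs a full dissector), "ssh" is taken to mean TCP port 22, and only the classic libpcap header is handled; newer Wireshark versions default to the pcapng format, which this reader rejects.

```python
"""Minimal libpcap (.pcap) reader with tcpdump- and Wireshark-style filters.
Added example, not the article's code: builds a small constructed capture in
memory so it runs offline with only the standard library, then applies the
filters used in the article to it."""
import struct
from ipaddress import IPv4Address

PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1      # classic libpcap, usec timestamps
ETH_IPV4, ETH_ARP, PROTO_TCP, PROTO_UDP = 0x0800, 0x0806, 6, 17

def tcp_segment(sport, dport, flags, payload=b""):
    """20-byte TCP header (no options, checksum left 0) followed by payload."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0) + payload

def udp_datagram(sport, dport, payload=b""):
    """8-byte UDP header (checksum left 0) followed by payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def ipv4_frame(src, dst, proto, l4):
    """Ethernet + IPv4 header (checksum left 0) around a transport segment."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return bytes(12) + struct.pack("!H", ETH_IPV4) + ip + l4

def write_pcap(frames, end="<"):
    """libpcap file: 24-byte global header, then a 16-byte record header per frame."""
    out = struct.pack(end + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack(end + "IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Parse a libpcap byte string into a list of decoded packet dicts."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):     # usec/nsec magic, same byte order as ours
        end = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):   # written with the opposite byte order
        end = ">"
    else:
        raise ValueError("not a libpcap file (pcapng starts with a different block header)")
    if struct.unpack_from(end + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("this reader only decodes LINKTYPE_ETHERNET")
    packets, off = [], 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(end + "IIII", data, off)[2]
        packets.append(decode_frame(data[off + 16:off + 16 + incl_len]))
        off += 16 + incl_len
    return packets

def decode_frame(frame):
    """Decode Ethernet/IPv4/{TCP,UDP} into the fields the filters below need."""
    pkt = {"eth": struct.unpack_from("!H", frame, 12)[0], "proto": None, "src": None,
           "dst": None, "sport": None, "dport": None, "tcp_len": 0, "payload": b""}
    if pkt["eth"] != ETH_IPV4:
        return pkt                            # e.g. ARP: no IP fields to fill in
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    pkt["proto"] = frame[23]
    pkt["src"], pkt["dst"] = str(IPv4Address(frame[26:30])), str(IPv4Address(frame[30:34]))
    l4 = 14 + ihl
    if pkt["proto"] in (PROTO_TCP, PROTO_UDP):
        pkt["sport"], pkt["dport"] = struct.unpack_from("!HH", frame, l4)
    if pkt["proto"] == PROTO_TCP:
        data_off = (frame[l4 + 12] >> 4) * 4
        pkt["tcp_len"] = total_len - ihl - data_off   # what Wireshark shows as tcp.len
        pkt["payload"] = frame[l4 + data_off:l4 + data_off + pkt["tcp_len"]]
    return pkt

def looks_like_tls(payload):
    """Cheap stand-in for the 'tls' dissector: a TLS record header at offset 0."""
    return (len(payload) >= 5 and payload[0] in (0x14, 0x15, 0x16, 0x17)
            and payload[1] == 3 and payload[2] <= 4)

def capture_filter_port(packets, port):
    """tcpdump capture filter 'port N': either direction, TCP or UDP."""
    return [p for p in packets if port in (p["sport"], p["dport"])]

def filter_tls_between(packets, host_a, host_b):
    """Display filter '(ip.addr == A or ip.addr == B) and tls'."""
    return [p for p in packets
            if {p["src"], p["dst"]} & {host_a, host_b} and looks_like_tls(p["payload"])]

def filter_noise(packets):
    """Display filter 'not ssh and not udp and not tcp.len==0 and not arp' (ssh = port 22)."""
    return [p for p in packets
            if p["eth"] != ETH_ARP and p["proto"] != PROTO_UDP
            and 22 not in (p["sport"], p["dport"])
            and not (p["proto"] == PROTO_TCP and p["tcp_len"] == 0)]

# Constructed sample traffic: a TLS-protected Postgres session between the two hosts
# named in the article's filter, plus SSH, ARP, DNS and HTTP noise (all made up).
PG, STANDBY, DNS_SRV, WEB = "10.0.2.10", "10.0.2.11", "10.0.2.1", "203.0.113.5"
SAMPLE_FRAMES = [
    ipv4_frame(STANDBY, PG, PROTO_TCP, tcp_segment(51000, 5432, 0x02)),           # SYN
    ipv4_frame(PG, STANDBY, PROTO_TCP, tcp_segment(5432, 51000, 0x12)),           # SYN-ACK
    ipv4_frame(STANDBY, PG, PROTO_TCP, tcp_segment(51000, 5432, 0x18, b"\x16\x03\x01\x00\x04\x01\x00\x00\x00")),
    ipv4_frame(STANDBY, PG, PROTO_TCP, tcp_segment(50022, 22, 0x18, b"SSH-2.0-OpenSSH\r\n")),
    bytes(12) + struct.pack("!H", ETH_ARP) + bytes(28),                           # ARP request
    ipv4_frame(STANDBY, PG, PROTO_TCP, tcp_segment(51000, 5432, 0x18, b"\x17\x03\x03\x00\x03abc")),
    ipv4_frame(STANDBY, DNS_SRV, PROTO_UDP, udp_datagram(40000, 53, bytes(12))), # DNS query
    ipv4_frame(STANDBY, WEB, PROTO_TCP, tcp_segment(40001, 80, 0x18, b"GET / HTTP/1.1\r\n")),
]
SAMPLE_PCAP = write_pcap(SAMPLE_FRAMES)
```

Calling read_pcap(SAMPLE_PCAP) returns eight decoded packets; capture_filter_port(..., 5432) keeps the four Postgres packets (including the empty SYN and SYN-ACK, which is why the article's display filters go on to drop tcp.len==0 packets), filter_tls_between(..., PG, STANDBY) keeps only the two TLS records, and filter_noise(...) keeps the two TLS records plus the HTTP request. Reading a real capture is just read_pcap(open("tcp.pcap", "rb").read()), provided it was saved in libpcap rather than pcapng format.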

An example of Wireshark detecting SELinux issues:

SELinux issues

See tcpdump man pages for more details about the utility itself.

For more details about Wireshark, please refer to the Wireshark documentation.
