This is a beginner's guide to Wireshark, the open-source network protocol analyzer originally released under the name Ethereal. It captures packets from a network interface in real time and decodes them into a readable form on your computer.
Things you will need – Hardware
- A Computer
- A Wi-Fi connection/router
Things you will need – Software
- Wireshark (installation is covered in Step 1)
Step 1: Download and install Wireshark
Download Wireshark for Windows or macOS from Wireshark's website (https://www.wireshark.org/download.html). On Linux the details vary by distribution, but the package is almost always in the distribution's own repository; Ubuntu users can install it from the Ubuntu Software Center.
Be aware that many organizations forbid packet capture tools on their networks, and capturing traffic you are not authorized to see can be a policy or legal violation. Play it safe: do not run Wireshark at work, or on any network you do not own, without explicit permission.
Tip: “The UAC crisis”
Depending on how you installed Wireshark, you might be bombarded with UAC prompts when you run it. On Windows the actual packet capture is done by the Npcap driver that the installer sets up; if you chose the "Restrict Npcap driver's access to Administrators only" option during installation, Wireshark needs elevation before it can capture at all. I don't think you can turn the prompts off, but you can reduce them to a single prompt by running Wireshark as administrator. I usually have the patience neither to elevate it by hand nor to answer "Yes" to every dialog it throws at me, so the steps below make it run with administrator privileges by default. One caveat before you do this: the Wireshark project advises against running the GUI with elevated privileges, because the protocol dissectors parse untrusted data straight off the wire and have had their share of bugs. If you need elevation only for capturing, the safer pattern is to capture with the bundled dumpcap tool and analyze the saved file as a normal user.
1: Open File Explorer
2: Navigate to C:\Program Files\Wireshark. The path will differ if you changed the installation directory.
3: Find "Wireshark.exe"
4: Right-click "Wireshark.exe", click "Properties", and open the "Compatibility" tab.
5: Check the "Run this program as an administrator" option under "Settings" and click OK.
Capturing packets
Now run Wireshark. The interface is more polished than you might expect from an open-source project. The start screen lists your network interfaces, and double-clicking one starts a capture on it. To capture Wi-Fi traffic, pick your wireless interface, which on most Windows machines is simply called "Wi-Fi". That is the interface I use in this tutorial.
As soon as you double-click the interface, packets start appearing in the list in real time. Wireshark shows every packet sent or received by your computer, with columns for source, destination and protocol, a details pane that decodes each protocol layer of the selected packet, and a bytes pane with its raw hex.
Promiscuous mode tells the network card to hand Wireshark frames even when they are not addressed to your machine. Be realistic about what that gets you: on a modern switched Ethernet network the switch only forwards broadcasts, multicasts and your own unicast traffic to your port, so you will not see other hosts' conversations, and on Wi-Fi promiscuous mode does not show other stations' traffic at all; that requires monitor mode, which is a separate option and is not supported by every adapter and driver. Promiscuous mode is enabled by default, but if it has been turned off you can re-enable it under Capture > Options by ticking the "Enable promiscuous mode on all interfaces" checkbox.
Click the red "Stop" square in the top left-hand corner when you have captured enough.
You can keep the captured packets, to share them or come back to them later, with File > Save, which writes them to a capture file (pcapng format by default). To load a capture file again, go to File > Open and select it.
Filters
With a long and constantly growing packet list, finding one particular kind of traffic by eye is hopeless. This is where filters come in. The simplest way to apply one is to type it into the display filter box above the packet list and press Enter (or click the arrow button). In this example I type arp into the filter box, and only packets carrying the ARP protocol remain visible. Note that display filter expressions are case-sensitive: arp is valid, ARP is not, and the filter box turns red to tell you so.
Once you start using filters you will notice that Wireshark's display filter language is more technical than you probably expected. The Wireshark documentation covers the syntax well, and you can save your own filters or browse the built-in ones under Analyze > Display Filters. Keep in mind that display filters (applied to the packet list after the fact) use a different syntax from capture filters (entered in Capture > Options, in BPF syntax such as "port 80"), which limit what gets recorded in the first place.
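To see what a display filter actually tests, here is a small Python script (an added example for this tutorial, not code from the Wireshark project). It builds a three-frame capture by hand, writes it as a classic pcap file you can load with File > Open, reads the file back, and evaluates the equivalent of the filters arp, tcp.dstport == 80 and ip.dst == 198.51.100.20 with a minimal dissector that names fields the way Wireshark does. The MAC addresses, IP addresses (from the RFC 5737 documentation ranges) and ports are made up, and the filter evaluator only understands "protocol" and "field == value"; it illustrates the idea and is not a reimplementation of Wireshark's filter engine.

```python
"""Build a tiny pcap by hand and run Wireshark-style display filters over it.
Added example for this tutorial (not Wireshark code), standard library only.
All addresses and ports below are made up."""
import struct

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap with microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IP = 0x0800
ETHERTYPE_ARP = 0x0806
IPPROTO_TCP = 6

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def ip4(s):
    return bytes(int(o) for o in s.split("."))

def dotted(b):
    return ".".join(str(x) for x in b)

def checksum(data):
    """RFC 1071 one's-complement checksum used by IPv4 and TCP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ethernet(dst, src, ethertype, payload):
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload

def arp_request(sender_mac, sender_ip, target_ip):
    # hw type 1 (Ethernet), proto 0x0800, hlen 6, plen 4, opcode 1 (request)
    hdr = struct.pack("!HHBBH", 1, ETHERTYPE_IP, 6, 4, 1)
    body = mac(sender_mac) + ip4(sender_ip) + bytes(6) + ip4(target_ip)
    return ethernet("ff:ff:ff:ff:ff:ff", sender_mac, ETHERTYPE_ARP, hdr + body)

def tcp_syn(src_mac, dst_mac, src_ip, dst_ip, sport, dport):
    # 20-byte TCP header: data offset 5, flags = SYN, checksum filled in below
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0x1000, 0, 5 << 4, 0x02, 65535, 0, 0)
    pseudo = ip4(src_ip) + ip4(dst_ip) + struct.pack("!BBH", 0, IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    # 20-byte IPv4 header: version 4, IHL 5, DF set, TTL 64, checksum filled in below
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     64, IPPROTO_TCP, 0, ip4(src_ip), ip4(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ethernet(dst_mac, src_mac, ETHERTYPE_IP, ip + tcp)

def write_pcap(path, frames):
    """Classic little-endian pcap: 24-byte global header, 16-byte record headers."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
        for i, frame in enumerate(frames):
            f.write(struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)))
            f.write(frame)

def read_pcap(path):
    with open(path, "rb") as f:
        data = f.read()
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    frames, off = [], 24
    while off + 16 <= len(data):
        incl_len = struct.unpack("<IIII", data[off:off + 16])[2]
        frames.append(data[off + 16:off + 16 + incl_len])
        off += 16 + incl_len
    return frames

def dissect(frame):
    """Minimal dissector: the fields a filter can test, using Wireshark's field names."""
    fields = {"eth.dst": frame[0:6].hex(":"), "eth.src": frame[6:12].hex(":")}
    fields["eth.type"] = struct.unpack("!H", frame[12:14])[0]
    payload = frame[14:]
    if fields["eth.type"] == ETHERTYPE_ARP:
        fields["arp"] = True
        fields["arp.opcode"] = struct.unpack("!H", payload[6:8])[0]
        fields["arp.src.proto_ipv4"] = dotted(payload[14:18])
        fields["arp.dst.proto_ipv4"] = dotted(payload[24:28])
    elif fields["eth.type"] == ETHERTYPE_IP:
        fields["ip"] = True
        fields["ip.src"], fields["ip.dst"] = dotted(payload[12:16]), dotted(payload[16:20])
        if payload[9] == IPPROTO_TCP:
            tcp = payload[(payload[0] & 0x0F) * 4:]
            fields["tcp"] = True
            fields["tcp.srcport"], fields["tcp.dstport"] = struct.unpack("!HH", tcp[:4])
            fields["tcp.flags.syn"] = bool(tcp[13] & 0x02)
    return fields

def matches(fields, expr):
    """Tiny subset of display-filter syntax: 'proto' or 'field == value'."""
    if "==" in expr:
        name, value = (p.strip() for p in expr.split("==", 1))
        if name not in fields:
            return False              # as in Wireshark, an absent field never matches
        actual = fields[name]
        return actual == (int(value, 0) if isinstance(actual, int) else value)
    return bool(fields.get(expr.strip()))

def filter_frames(frames, expr):
    """Indexes (Wireshark's 'No.' column minus one) of the frames matching expr."""
    return [i for i, frame in enumerate(frames) if matches(dissect(frame), expr)]

def build_sample():
    return [
        arp_request("02:00:00:00:00:01", "192.0.2.10", "192.0.2.1"),
        tcp_syn("02:00:00:00:00:01", "02:00:00:00:00:02", "192.0.2.10", "198.51.100.20", 51234, 80),
        tcp_syn("02:00:00:00:00:01", "02:00:00:00:00:02", "192.0.2.10", "198.51.100.20", 51235, 443),
    ]

if __name__ == "__main__":
    write_pcap("sample.pcap", build_sample())   # open this file with File > Open
    frames = read_pcap("sample.pcap")
    for expr in ("arp", "tcp.dstport == 80", "ip.dst == 198.51.100.20", "tcp.flags.syn == 1"):
        print("%-26s -> frames %s" % (expr, filter_frames(frames, expr)))
```

Run it, open sample.pcap in Wireshark and type the same four expressions into the filter box: the packet numbers Wireshark keeps are the printed indexes plus one. Checksums are computed properly so Wireshark will not flag the frames as malformed, which also makes the file a handy minimal fixture for testing your own filters.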
Color-Coding
If "Colorize Packet List" is enabled in the View menu, the packets are colored. Wireshark does this to help you identify their type at a glance: in the default rules TCP is light purple, UDP is light blue, and packets with problems such as TCP errors are black. You can add your own rules under View > Coloring Rules, which also shows what each existing color means.
TCP, UDP, TLS, HTTP, HTTP/2, and QUIC stream monitoring
Another useful thing you can do with this software is to right-click any packet that carries one of the following protocols:
- TCP
- UDP
- TLS
- HTTP
- HTTP/2
- QUIC
To find a packet's protocol, look at its "Protocol" column. After right-clicking an applicable packet, go to Follow > and pick the stream type that matches that protocol; the menu only enables the ones that apply to the selected packet.
This shows you the full conversation between client and server, reassembled and in order. For TLS, you will only see the application data if Wireshark has the session keys; otherwise the content stays encrypted. Keys can be supplied under Edit > Preferences > Protocols > TLS.
Close the window and you'll find that a display filter has been applied automatically (for example tcp.stream eq 0): Wireshark is now showing only the packets that belong to the conversation you were following.
Inspecting deeper into these packets
By now you have probably noticed that clicking a packet lets you dig into its details in the pane below, where each protocol layer expands into its individual fields.
You can also build filters from that information: right-click any field and use the "Apply as Filter" submenu, or "Prepare as Filter" if you want to edit the expression before applying it.
Sample Captures
If there is nothing interesting to find on your own network, you can use one of the sample captures from Wireshark's wiki (https://wiki.wireshark.org/SampleCaptures), which cover a wide range of protocols.
Name resolution
If raw IP addresses and port numbers are hard to read, turn on name resolution under View > Name Resolution, where physical, network and transport address resolution can be toggled separately. Be aware that network name resolution makes Wireshark send DNS lookups from your machine for addresses it cannot resolve from DNS packets already in the capture; this slows the display down and tells your DNS server which hosts you are looking at, which matters if you are analyzing someone else's capture.
Done!
Wireshark is a very powerful tool, and we have barely made a dent in what it can do. You will find professionals using it for debugging network protocol implementations, finding security holes, and much more.