This is Gentoo's testing wiki. It is a non-operational environment and its textual content is outdated.
Please visit our production wiki at https://wiki.gentoo.org
Wireshark
Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education.
Installation
Emerge
root # emerge --ask net-analyzer/wireshark
Configuration
Permissions
Running Wireshark as root can be dangerous and is unnecessary. See the Wireshark Security page for more details.
Wireshark captures directly from the network interfaces, which an ordinary user is not permitted to do. Gentoo restricts capturing to members of the wireshark group, so add the user to that group. Replace larry with the user name; give the name explicitly rather than relying on $USER, which usually expands to root inside a root shell:
root # gpasswd -a larry wireshark
To make the current session aware of the new group without logging out and in again, start a shell under the group as that user and launch wireshark from it (newgrp opens a new shell; only programs started from that shell inherit the group):
user $ newgrp wireshark
Usage
Techniques
Network Name Resolution
To resolve IP addresses to domain names automatically, open Edit -> Preferences, select the Name Resolution panel and tick the Enable Network Name Resolution check box.
Enabling Network Name Resolution increases the captured traffic, because Wireshark issues an additional DNS query for each address it resolves.
Filter packets to a specific IP Address
To see all traffic to and from a specific address, enter ip.addr == w.x.y.z in the display filter box, replacing w.x.y.z with the relevant IP address. To view only packets sent by that address (incoming), replace ip.addr with ip.src; to view only packets sent to it (outgoing), replace ip.addr with ip.dst.
Terminal-based Wireshark
TShark is Wireshark's terminal-based network protocol analyzer. TShark's native file format is pcap. All capture options are listed by entering
user $ tshark -h
For example, to capture packets on a specified network interface and save the results to a file, enter
user $ tshark -i wlan0 -w capture-output.pcap
Replace wlan0 with the desired network interface and capture-output.pcap with the desired file name. The capturing user must be a member of the wireshark group, as described under Permissions.
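The following script is an added example and is not part of the Gentoo wiki page or of the Wireshark project. It ties together the two techniques above: it captures traffic for one host with tshark, then reads the saved pcap back through the ip.addr / ip.src / ip.dst display filters from the "Filter packets to a specific IP Address" section, printing selected fields. The interface name, host address, output file name and capture duration are assumptions supplied on the command line; the -n flag is the TShark counterpart of leaving "Enable Network Name Resolution" unchecked, so the analysis itself generates no extra DNS queries. The address is validated before it is interpolated into a filter so that a typo or stray shell character never reaches tshark.

```shell
#!/bin/sh
# Added example (not from the Gentoo wiki page): capture traffic for one host
# with tshark and then apply the page's ip.addr / ip.src / ip.dst display
# filters to the saved pcap. Interface, address, file name and duration are
# assumptions passed in by the caller.

# Print the display filter for ADDRESS in DIRECTION (both|incoming|outgoing),
# mirroring the ip.addr / ip.src / ip.dst substitution described above.
build_ip_filter() {
    addr=$1
    dir=${2:-both}
    case $dir in
        both)     printf 'ip.addr == %s\n' "$addr" ;;
        incoming) printf 'ip.src == %s\n' "$addr" ;;   # packets sent by that host
        outgoing) printf 'ip.dst == %s\n' "$addr" ;;   # packets sent to that host
        *) echo "build_ip_filter: unknown direction '$dir'" >&2; return 1 ;;
    esac
}

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
# Validating before interpolating into -f/-Y keeps typos and shell
# metacharacters out of the capture and display filters.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1            # split on '.' into positional parameters
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Capture SECS seconds of traffic to/from ADDR on IFACE into OUT (pcap), then
# list the matching packets. -n disables all name resolution, the TShark
# analogue of leaving "Enable Network Name Resolution" unchecked.
capture_host() {
    iface=$1 addr=$2 out=$3 secs=${4:-30} dir=${5:-both}
    is_ipv4 "$addr" || { echo "capture_host: bad IPv4 address '$addr'" >&2; return 1; }
    filter=$(build_ip_filter "$addr" "$dir") || return 1
    # -f is a BPF capture filter that limits what is written to disk;
    # -a duration:N stops the capture without Ctrl-C. Needs the wireshark group.
    tshark -n -i "$iface" -f "host $addr" -a "duration:$secs" -w "$out" || return 1
    # Read the file back with the display filter (-Y) and print chosen fields.
    tshark -n -r "$out" -Y "$filter" -T fields \
        -e frame.number -e frame.time_relative -e ip.src -e ip.dst \
        -e _ws.col.Protocol -e _ws.col.Info
}

# Run only when invoked with arguments, e.g.:
#   sh capture_host.sh wlan0 192.0.2.10 capture-output.pcap 20 incoming
if [ $# -ge 3 ]; then
    capture_host "$@"
fi
```

The capture filter (-f, BPF syntax, applied by dumpcap before packets are written) and the display filter (-Y, Wireshark's own syntax, applied when reading) are different languages; keeping both narrow is what makes a long-running capture on a busy interface manageable.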
See also
- Metasploit — provides information about security vulnerabilities and aids in penetration testing and IDS signature development.
- nmap — an open source recon tool used to check for open ports, what is running on those ports, and metadata about the daemons servicing those ports.
- tcpdump — a command-line network monitoring and data acquisition tool.
External resources
- https://wiki.archlinux.org/index.php/wireshark The Arch Linux Wiki entry on Wireshark.