
Network analysis with Wireshark

Wireshark is a powerful network analyzer that can be used to analyze traffic passing through your computer's network interface. You may need this to detect and resolve network problems, debug your web applications, network programs, or sites. Wireshark allows you to fully view the contents of a packet at all levels, so you can better understand how the network works at a low level.

All packets are captured in real time and presented in an easy-to-read format. The program has a very powerful filtering system, color highlighting and other features that help you find the packets you need. In this tutorial we will look at how to use Wireshark to analyze traffic. The developers have recently moved on to the second branch, Wireshark 2.0, which brought many changes and improvements, especially to the interface, and that is the version used in this article.

Key features of Wireshark

Before looking at traffic analysis methods, it is worth considering in more detail what the program can do and which protocols it works with. Here are its main features:

  • Capturing packets in real time from wired and other types of network interface, as well as reading them from a file;
  • The following capture interfaces are supported: Ethernet, IEEE 802.11, PPP and local virtual interfaces;
  • Packets can be sifted by many parameters using filters;
  • All known protocols are highlighted in the list in different colors, for example TCP, HTTP, FTP, DNS, ICMP and so on;
  • Support for capturing VoIP call traffic;
  • Decryption of HTTPS traffic when the corresponding key material is supplied;
  • Decryption of WEP and WPA wireless traffic when the key and a captured handshake are available;
  • Display of network load statistics;
  • Viewing packet contents at all network layers;
  • Display of the time each packet was sent and received.

The program has many other features, but these were the main ones that might interest you.

How to use Wireshark

I assume that you already have the program installed, but if not, then you can install it from the official repositories. To do this, type the command in Ubuntu:

$ sudo apt install wireshark

After installation, you can find the program in the distribution's main menu. Wireshark needs to run with superuser rights, because otherwise it cannot capture network packets. Strictly speaking, only the capture helper needs the privileges: on Debian and Ubuntu, running sudo dpkg-reconfigure wireshark-common and adding your user to the wireshark group lets the GUI itself run unprivileged, which is the safer setup. You can start it from the main menu or from the terminal with the following command, for KDE:

$ kdesu wireshark

And for Gnome / Unity:

$ gksu wireshark

The main window of the program is divided into three parts, the first column contains a list of network interfaces available for analysis, the second - options for opening files, and the third - help.

Network traffic analysis

To start the analysis, select a network interface, for example, eth0 and click the button Start.

After that, the next window opens, already showing the stream of packets passing through the interface. This window is also divided into several parts:

  • Top part - the menus and toolbars with various buttons;
  • Packet list - the stream of network packets that you will be analyzing;
  • Packet details - just below it, the contents of the selected packet, broken down into sections by protocol layer;
  • Packet bytes - at the very bottom, the raw contents of the packet, also shown in HEX.

You can click on any package to analyze its contents:

Here we see a DNS request packet asking for the site's IP address: the domain name is carried in the request itself, and the response packet echoes our question and carries the answer.

For more convenient viewing, you can open the package in a new window by double-clicking on the entry:

Wireshark Filters

It is very inconvenient to look through the packets manually to find the ones you need, especially with an active stream, so it is better to use filters for this. There is a dedicated line under the menu for entering filters. You can click Expression to open the filter builder, but there are a great many fields, so we will cover the most basic ones:

  • ip.dst - destination IP address;
  • ip.src - source IP address;
  • ip.addr - IP address of either the source or the destination;
  • ip.proto - protocol;
  • tcp.dstport - destination port;
  • tcp.srcport - source port;
  • ip.ttl - filter by TTL, which gives an idea of the network distance;
  • http.request_uri - the requested website address.

You can use the following operators to specify the relationship between a field and a value in a filter:

  • == - equal;
  • != - not equal;
  • < - less than;
  • > - greater than;
  • <= - less than or equal to;
  • >= - greater than or equal to;
  • matches - regular expression match;
  • contains - contains the given substring.

To combine multiple expressions, you can use:

  • && - both expressions must be true for the packet;
  • || - at least one of the expressions must be true.

Now let's take a closer look at several example filters and try to cover all the comparison operators.

First, let's filter out all packets sent to 194.67.215.125 (losst.ru). Type the expression in the filter field and click Apply. For convenience, Wireshark filters can be saved with the Save button:

ip.dst == 194.67.215.125

And in order to receive not only sent packets, but also received in response from this node, you can combine two conditions:

ip.dst == 194.67.215.125 || ip.src == 194.67.215.125

We can also select large transferred files, for example HTTP bodies over 5000 bytes:

http.content_length > 5000

By filtering on the Content-Type header we can select all the images that were transferred, that is, analyze the Wireshark traffic for packets whose content type contains the word image:

http.content_type contains image
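To make the operator list above concrete, here is a small evaluator for this filter syntax: it tokenizes an expression, parses it with the precedence Wireshark uses (comparisons bind tightest, then &&, then ||, with parentheses allowed) and runs it over a few constructed packet records keyed by Wireshark field names. It is an added Python example written for this page, not code from the original article or from Wireshark itself; the sample packets, addresses and frame numbers are invented, and a bare protocol name such as http is treated as "the protocol is present in the packet", which is how Wireshark interprets it.

```python
import re

# Constructed sample capture: each record maps Wireshark-style field names to the values
# the dissector would display. These four packets are invented for this example.
PACKETS = [
    {"frame.number": 1, "ip.src": "192.168.1.10", "ip.dst": "194.67.215.125", "ip.ttl": 64,
     "tcp.srcport": 51234, "tcp.dstport": 80, "http.request_uri": "/index.html"},
    {"frame.number": 2, "ip.src": "194.67.215.125", "ip.dst": "192.168.1.10", "ip.ttl": 52,
     "http.content_type": "text/html", "http.content_length": 1800},
    {"frame.number": 3, "ip.src": "194.67.215.125", "ip.dst": "192.168.1.10", "ip.ttl": 52,
     "http.content_type": "image/png", "http.content_length": 48210},
    {"frame.number": 4, "ip.src": "192.168.1.10", "ip.dst": "8.8.8.8", "ip.ttl": 64,
     "udp.srcport": 40000, "udp.dstport": 53},
]

# The comparison operators from the article; 'matches' is a case-insensitive regex search.
COMPARE = {
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
    "<": lambda a, b: a < b, ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b,
    "contains": lambda a, b: str(b) in str(a),
    "matches": lambda a, b: re.search(str(b), str(a), re.IGNORECASE) is not None,
}

# Token kinds: operators and parentheses, double-quoted strings, and bare words (field names
# and unquoted values such as 194.67.215.125 or 5000).
TOKEN_RE = re.compile(r'\s*(?:(&&|\|\||==|!=|<=|>=|<|>|\(|\))|("[^"]*")|([^\s()=!<>&|"]+))')

def tokenize(expr):
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"cannot tokenize filter at offset {pos}: {expr[pos:]!r}")
        tokens.append(next(g for g in m.groups() if g is not None))
        pos = m.end()
    return tokens

def coerce(literal, sample):
    # Give the filter literal the type of the packet field it is compared against.
    if len(literal) >= 2 and literal[0] == literal[-1] == '"':
        return literal[1:-1]
    if isinstance(sample, int):
        try:
            return int(literal, 0)
        except ValueError:
            pass
    return literal

def compile_filter(expr):
    """Recursive-descent parser: comparisons bind tightest, then '&&', then '||'."""
    tokens, pos = tokenize(expr) + [None], 0   # trailing None marks the end of input
    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]
    def parse_or():
        test = parse_and()
        while tokens[pos] == "||":
            take()
            test = (lambda l, r: lambda p: l(p) or r(p))(test, parse_and())
        return test
    def parse_and():
        test = parse_term()
        while tokens[pos] == "&&":
            take()
            test = (lambda l, r: lambda p: l(p) and r(p))(test, parse_term())
        return test
    def parse_term():
        tok = take()
        if tok is None:
            raise ValueError("unexpected end of filter")
        if tok == "(":
            inner = parse_or()
            if take() != ")":
                raise ValueError("missing ')'")
            return inner
        if tokens[pos] in COMPARE:
            op, literal = take(), take()
            if literal is None:
                raise ValueError(f"missing value after {op!r}")
            def compare(p, name=tok, op=op, literal=literal):
                if name not in p:
                    return False  # an absent field never satisfies a comparison
                try:
                    return COMPARE[op](p[name], coerce(literal, p[name]))
                except TypeError:
                    return False  # e.g. a numeric field compared with a non-numeric literal
            return compare
        # A bare protocol or field name such as 'http' selects packets where it is present.
        return lambda p, name=tok: any(k == name or k.startswith(name + ".") for k in p)
    test = parse_or()
    if tokens[pos] is not None:
        raise ValueError(f"unexpected token {tokens[pos]!r}")
    return test

def apply_filter(expr, packets=PACKETS):
    """Return the frame numbers selected by the display filter 'expr'."""
    test = compile_filter(expr)
    return [p["frame.number"] for p in packets if test(p)]
```

Calling apply_filter("ip.dst == 194.67.215.125 || ip.src == 194.67.215.125") on the sample records returns frames 1, 2 and 3, and apply_filter("http.content_type contains image") returns only frame 3, mirroring the filters shown above. Note that a comparison against a field the packet does not carry is simply false, which is why ip.src != 192.168.1.10 never selects packets without an IP layer.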

To clear the filter, click the Clear button. It often happens that you do not know all the information needed for filtering in advance and just want to study the network. You can add any field of a packet as a column and see its value in the main window for every packet.

For example, I want to display a packet's TTL (time to live) as a column. To do this, open the packet's details and find this field in the IP section. Then call the context menu and select Apply As Column:

You can also build a filter yourself from any desired field. Select the field and open the context menu, then choose Apply as filter or Prepare as filter, and then Selected to display only packets with the selected value, or Not selected to remove them:

The specified field and its value will be applied or, in the second case, substituted into the filter field:

In this way you can add any field of any packet, or a column, to the filter; the same option is also in the context menu. You can also use simpler conditions to filter by protocol. For example, let's analyze Wireshark traffic for the HTTP and DNS protocols:

Another interesting feature of the program is using Wireshark to follow a specific session between the user's computer and the server. To do this, open the context menu for the packet and select Follow TCP stream.

Then a window will open in which you will find all the data transferred between the server and the client:
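As an added example (not from the original article and not Wireshark's own code), the following Python reproduces what Follow TCP stream does behind the scenes: it picks out both directions of one conversation, orders each direction by TCP sequence number, discards retransmitted bytes and reports holes where a segment was never captured. The segments, addresses, ports and HTTP payloads are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    src: str        # "ip:port" of the sender
    dst: str        # "ip:port" of the receiver
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes

def _segments(src, dst, isn, chunks):
    """Build consecutive segments for one direction, numbering them from the ISN."""
    out, seq = [], isn
    for chunk in chunks:
        out.append(Segment(src, dst, seq, chunk))
        seq += len(chunk)
    return out

# Constructed HTTP exchange between a client and the server address used in the article.
CLIENT, SERVER = "192.168.1.10:51234", "194.67.215.125:80"
CLIENT_SEGS = _segments(CLIENT, SERVER, 1000,
                        [b"GET /index.html HTTP/1.1\r\n", b"Host: losst.ru\r\n", b"\r\n"])
SERVER_SEGS = _segments(SERVER, CLIENT, 5000,
                        [b"HTTP/1.1 200 OK\r\n", b"Content-Type: text/html\r\n", b"\r\n",
                         b"<html>hi</html>"])
# Capture order as it might appear on the wire: directions interleaved, the server's first
# two segments swapped, the client's Host header retransmitted, and one segment from an
# unrelated SSH connection mixed in.
CAPTURE = [
    CLIENT_SEGS[0], SERVER_SEGS[1], SERVER_SEGS[0], CLIENT_SEGS[2], CLIENT_SEGS[1],
    Segment("192.168.1.11:50000", "10.0.0.5:22", 7000, b"SSH-2.0-OpenSSH_9.6\r\n"),
    CLIENT_SEGS[1], SERVER_SEGS[3], SERVER_SEGS[2],
]

def conversation_key(a, b):
    """Both directions of a TCP connection share one key, like a Wireshark stream index."""
    return tuple(sorted((a, b)))

def reassemble(segments, sender):
    """Order one direction by sequence number, dropping retransmitted or overlapping bytes.
    Returns (payload, gaps); each gap is a (from_seq, to_seq) range no segment covered."""
    data, gaps, expected = bytearray(), [], None
    for seg in sorted((s for s in segments if s.src == sender), key=lambda s: s.seq):
        if expected is None:
            expected = seg.seq
        end = seg.seq + len(seg.payload)
        if end <= expected:
            continue                                      # pure retransmission, nothing new
        if seg.seq < expected:
            data.extend(seg.payload[expected - seg.seq:])  # partial overlap: keep the new tail
        else:
            if seg.seq > expected:
                gaps.append((expected, seg.seq))          # hole: a segment was never captured
            data.extend(seg.payload)
        expected = end
    return bytes(data), gaps

def follow_tcp_stream(capture, a, b):
    """Like Wireshark's Follow TCP Stream: both directions of the a <-> b conversation."""
    key = conversation_key(a, b)
    conv = [s for s in capture if conversation_key(s.src, s.dst) == key]
    return {a: reassemble(conv, a), b: reassemble(conv, b)}
```

follow_tcp_stream(CAPTURE, CLIENT, SERVER) yields the full request in one direction and the full response in the other, with empty gap lists; remove the server's Content-Type segment from the capture and the response comes back without that header together with a gap record for the missing sequence range, which is what Wireshark signals as "previous segment not captured".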

Diagnosing network issues with Wireshark

You might be wondering how to use Wireshark 2 to detect network problems. In the lower left corner of the window there is a round button; clicking it opens the Expert Information window, in which Wireshark collects all error messages and network problems:

The window is divided into tabs such as Errors, Warnings, Notes and Chats. The program can filter out and find many network problems, and here you can see them very quickly. Wireshark filters are also supported here.

Wireshark traffic analysis

You can very easily understand what exactly the users downloaded and what files they viewed if the connection was not encrypted. The program does a very good job of extracting content.

To do this, you first need to stop capturing traffic using the red square on the panel. Then open the menu File -> Export Objects -> HTTP:

It is a very powerful utility that has a lot of functions. It is impossible to put all its functionality in one article, but the basic information provided here will be enough for you to master everything you need to know.

- a built-in expert system that lets you quickly break the capture buffer down by service or by error type. This significantly shortens the time needed to localize the problem, since you work with information that has already been sorted and pre-assessed for you. Here you can look at solutions from VIAVI Solutions called Observer, or ClearSight Analyzer from Netscout.

If no budget has been allocated but there are problems, all that remains is to stock up on patience and coffee. On links at 1 Gbit/s and above the traffic capture buffer fills up instantly, and you end up with a rather large data array. If you understand how the different devices on the network interact, that data array can be filtered by various parameters. Wireshark offers several ways to do this:

  • Color coding of erroneous packets, which can be customized. Packets with errors are highlighted in the buffer with a special color.
  • Filtering via the filter string. If you are experienced with Wireshark and protocols, you can type the filter yourself. A large selection of filters can be found.
  • Selecting any field in the packet, right-clicking and choosing "Apply as filter". The method for beginners: very convenient, since you don't have to rack your brains.

What are the main filters for displaying traffic?

Wireshark filter by protocol

It is enough to enter the name of the protocol in the filter line and press enter. The screen will display packets that belong to the required protocol. So the filter looks like:

If the capture buffer needs to be filtered by several protocols, then it is necessary to list all the desired protocols and separate them with the || sign. For example:

arp || http || icmp

Wireshark filter by IP address and filter by MAC

The filter differs slightly depending on the direction of traffic. For example, we want to filter by the sender IP address 50.116.24.50:

ip.src == 50.116.24.50

For the recipient, the filter will look like ip.dst == x.x.x.x, and if we want to see packets regardless of the direction of traffic, then just enter:

ip.addr == 50.116.24.50

If we need to exclude some address from the selection, then we add !=. Example:

ip.src != 80.68.246.17

If we analyze traffic inside the local network and know the user's MAC address, we can use that MAC address as a Wireshark filter, for example:

eth.addr == AA:BB:CC:DD:EE:FF

Wireshark filter by port number

When analyzing traffic we can filter by the port number over which a given protocol is carried. The numbers of all registered ports can be looked up. Example:

Just as with IP and MAC addresses, we can filter separately by source or destination port with tcp.srcport and tcp.dstport. Besides port numbers, Wireshark also lets you filter the buffer by the flags in the TCP header. For example, if we want to see TCP packets with the SYN flag set (the connection-establishment request between devices), enter in the filter bar:
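Every field used in these filters is read straight from the packet bytes shown in the bottom pane. The added Python example below (written for this page, not taken from the article or from Wireshark) dissects a constructed Ethernet/IPv4/TCP frame given as hex into a dictionary keyed by Wireshark's own display-filter field names, verifies the IPv4 header checksum, and exposes the TCP flag bits so that the SYN-only test behind tcp.flags.syn == 1 && tcp.flags.ack == 0 can be applied in code. The frame's MAC and IP addresses, ports and sequence number are made up; the field names are Wireshark's.

```python
import struct

# A constructed Ethernet/IPv4/TCP SYN frame, written out as the hex Wireshark shows in its
# bytes pane. The MAC/IP addresses and ports are invented for this example.
FRAME_HEX = (
    "001a6bcefcbb" "aabbccddeeff" "0800"                    # Ethernet: dst MAC, src MAC, type IPv4
    "45000028" "00014000" "4006df5b" "c0a8010a" "c243d77d"  # IPv4: len 40, TTL 64, proto 6, cksum, src, dst
    "c8220050" "000003e8" "00000000" "50027210" "00000000"  # TCP: 51234 -> 80, seq 1000, flags 0x02 (SYN)
)
FRAME = bytes.fromhex(FRAME_HEX)

# Bit values in the TCP flags byte and Wireshark's field name for each bit.
TCP_FLAG_BITS = [(0x01, "fin"), (0x02, "syn"), (0x04, "reset"), (0x08, "push"),
                 (0x10, "ack"), (0x20, "urg"), (0x40, "ecn"), (0x80, "cwr")]

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def ipv4(b):
    return ".".join(str(x) for x in b)

def ipv4_checksum_ok(header):
    """The one's-complement sum of the header, checksum word included, must be 0xFFFF."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def decode_frame(raw):
    """Dissect Ethernet, IPv4 and TCP into a dict keyed by Wireshark display-filter field names."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    fields = {"frame.len": len(raw), "eth.dst": mac(raw[0:6]), "eth.src": mac(raw[6:12]),
              "eth.type": struct.unpack("!H", raw[12:14])[0]}
    if fields["eth.type"] != 0x0800:
        return fields  # not IPv4: stop after the link layer

    ip = raw[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum = struct.unpack("!BBHHHBBH", ip[:12])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("malformed IPv4 header")
    fields.update({"ip.version": 4, "ip.hdr_len": ihl, "ip.len": total_len, "ip.ttl": ttl,
                   "ip.proto": proto, "ip.src": ipv4(ip[12:16]), "ip.dst": ipv4(ip[16:20]),
                   "ip.checksum.status": "good" if ipv4_checksum_ok(ip[:ihl]) else "bad"})
    if proto != 6:
        return fields  # not TCP

    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_res, flags, win = struct.unpack("!HHIIBBH", tcp[:16])
    fields.update({"tcp.srcport": sport, "tcp.dstport": dport, "tcp.seq": seq, "tcp.ack": ack,
                   "tcp.hdr_len": (off_res >> 4) * 4, "tcp.flags": flags,
                   "tcp.window_size_value": win})
    for bit, name in TCP_FLAG_BITS:
        fields[f"tcp.flags.{name}"] = 1 if flags & bit else 0
    return fields

def tcp_port_matches(fields, port):
    """What 'tcp.port == N' tests: either end of the connection uses the port."""
    return port in (fields.get("tcp.srcport"), fields.get("tcp.dstport"))

def is_connection_request(fields):
    """What 'tcp.flags.syn == 1 && tcp.flags.ack == 0' tests: the first packet of a handshake."""
    return fields.get("tcp.flags.syn") == 1 and fields.get("tcp.flags.ack") == 0
```

decode_frame(FRAME) reports ip.src 192.168.1.10, ip.dst 194.67.215.125, ip.ttl 64, tcp.srcport 51234, tcp.dstport 80 and tcp.flags.syn 1 with tcp.flags.ack 0, so is_connection_request() is true; flip a single header byte (the TTL, for instance) and ip.checksum.status turns to "bad", which is the same check behind Wireshark's checksum-error coloring when header checksum validation is enabled.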

Popular Filters

The table below lists the most popular filters for displaying the contents of the capture buffer, each with a writing example:

Description                                      Writing example
Sender or recipient MAC address                  eth.addr == 00:1a:6b:ce:fc:bb
Sender MAC address                               eth.src == 00:1a:6b:ce:fc:bb
Recipient MAC address                            eth.dst == 00:1a:6b:ce:fc:bb
ARP protocol - destination MAC address           arp.dst.hw_mac == 00:1a:6b:ce:fc:bb
ARP - recipient IP version 4                     arp.dst.proto_ipv4 == 10.10.10.10
ARP protocol - sender MAC address                arp.src.hw_mac == 00:1a:6b:ce:fc:bb
ARP - sender IP version 4                        arp.src.proto_ipv4 == 10.10.10.10
VLAN ID
IP version 4 address of the recipient or sender  ip.addr == 10.10.10.10
IP version 4 address of the recipient            ip.dst == 10.10.10.10
Sender IP version 4                              ip.src == 10.10.10.10
IP protocol (decimal)
IP version 6 address of the recipient or sender  ipv6.addr == 2001::5
Sender IP version 6                              ipv6.src == 2001::5
IP version 6 address of the recipient            ipv6.dst == 2001::5
Receiver or sender TCP port
Destination TCP port                             tcp.dstport == 80
Sender TCP port                                  tcp.srcport == 60234
UDP destination or sender port
Destination UDP port                             udp.dstport == 513
Sender UDP port                                  udp.srcport == 40000
VTP VLAN name                                    vtp.vlan_info.vlan_name == TEST
BGP ID (IPv4 address)                            bgp.originator_id == 192.168.10.15
Next hop BGP (IPv4 address)                      bgp.next_hop == 192.168.10.15
RIP IPv4 address                                 rip.ip == 200.0.2.0
OSPF Router ID                                   ospf.advrouter == 192.168.170.8
EIGRP Autonomous System Number
HSRP virtual IP address                          hsrp.virt_ip == 192.168.23.250
Virtual IP address using VRRP protocol           vrrp.ip_addr == 192.168.23.250
Wi-Fi sender or receiver MAC address             wlan.addr == 00:1a:6b:ce:fc:bb
Wi-Fi sender MAC address                         wlan.sa == 00:1a:6b:ce:fc:bb
Wi-Fi destination MAC address                    wlan.da == 00:1a:6b:ce:fc:bb

What filters do you most often use in your work?

While debugging a particular problem, you may sometimes have to analyze the protocol traffic going out of and coming into your machine. Wireshark is one of the best tools for this purpose. In this article we will learn how to use Wireshark network protocol analyzer display filters.

1. Download and Install Wireshark

After downloading the executable, just click on it to install Wireshark.

2. Select an Interface and Start the Capture

Once you have opened Wireshark, you first have to select a network interface of your machine. In most cases the machine is connected to only one network interface, but if there are several, select the interface on which you want to monitor the traffic.

From the menu, click on ‘Capture -> Interfaces’, which will display the following screen:

3. Source IP Filter

A source filter restricts the packet view in Wireshark to only those packets whose source IP is the one given in the filter. Field names are case-sensitive, so write them in lower case. The filter applied in the example below is:

ip.src == 192.168.1.1

4. Destination IP Filter

A destination filter restricts the packet view in Wireshark to only those packets whose destination IP is the one given in the filter. For example:

ip.dst == 192.168.1.1

5. Filter by Protocol

It's very easy to apply a filter for a particular protocol. Just write the name of that protocol in the filter tab and hit enter. In the example below we tried to filter the results for the http protocol using this filter:

6. Using OR Condition in Filter

This filter helps filtering the packets that match either one or the other condition.

Suppose, there may arise a requirement to see packets that either have protocol ‘http’ or ‘arp’. In that case one cannot apply separate filters. So there exists the ‘||’ filter expression that ORs two conditions to display packets matching any or both the conditions. In the example below, we tried to filter the http or arp packets using this filter:

http || arp

7. Applying AND Condition in Filter

This filter selects only the packets that satisfy all of several conditions at once.

Suppose there is a requirement to filter only those packets that are HTTP packets and have source ip as ‘192.168.1.4’. Use this filter:

http && ip.src == 192.168.1.4

8. Filter by Port Number

This can be done by using the filter 'tcp.port eq'. For example:

tcp.port eq 80

9. Match Packets Containing a Particular Sequence

The filter syntax used in this is: ‘contains’.

tcp contains 01:01:04

10. Reject Packets Based on Source or Destination

The filters here are ‘ip.src !=’ or ‘ip.dst !=’.

ip.dst != 192.168.1.1
