Wireshark is one of the most popular network packet analyzers available. It has been embraced by network admins worldwide and has become one of the essential network troubleshooting tools for IT teams.
Read on to learn more about Wireshark, how to use it, and some relevant cases and alternatives. We will mainly focus on how you can use this tool to maintain a robust network within your organization.
What is Wireshark?
In simple terms, Wireshark is a network protocol analyzer or a packet sniffer. It can capture packets in a connection between two PCs, between a server and a PC, or between a LAN and the internet.
It is currently available on Linux, macOS, various UNIX systems, and Microsoft Windows with a GUI developed using Qt. A non-GUI version called TShark is also available.
Besides troubleshooting, Wireshark is also used for cybersecurity applications, testing the stability of applications, and even as a learning tool.
How to use Wireshark?
Wireshark is pretty straightforward to use. First of all, no matter the OS you have, start by downloading Wireshark from the official website (it's free!).
Now, let's take a look at the steps you need to take according to your operating system.
Wireshark for Windows
Open the executable and follow the steps to install it. If you’re trying it for the first time, go with all the default options (just keep hitting the next button).
Wireshark for macOS
You can also use a process similar to that of Windows in macOS. Just download, run the executable file, and you’re done.
You can also use homebrew to ensure Wireshark installation goes smooth. For this, you first need to install Homebrew. Once you have it, open the terminal in your system, and run this command.
brew install wireshark
Homebrew will install Wireshark perfectly in your system.
Wireshark for Linux
The exact process of installing Linux may vary a bit with distros. Here’s how the process goes for Ubuntu.
First, update APT with this command:
sudo apt update
Install Wireshark with this command:
sudo apt-get install wireshark
Capturing packets using Wireshark
Once installed, open Wireshark. You’ll be greeted by a screen that shows all the network connections you can monitor.
To start, choose the networks you want to capture from. Then, you can either just click the button that looks like the Wireshark logo (marked as “Start capturing packets”) or go to the capture menu and click “Start.”
Once you click the button, the tool will start capturing the network packets.
You can use the red button on the top left corner to stop the capture. To save the captured packets, go to "File" - "Save as."
Wireshark filters: How to filter and inspect packets
There are two types of Wireshark filters: capture filters and display filters.
Wireshark capture filters out network packets from being saved. To use the capture filters, just add the filters in the section right above the list of connections when you open Wireshark.
For example, you can use the filter to capture packets only to and from a specific IP address. First, enter the command host IP address
. For example:
host 172.18.5.4
The syntax for these filters is pretty easy to understand. If you want traffic only through a specific port or IP address, mention those in the capture filter. For example, to get only port 53 traffic, just type port 53
.
If you want to avoid packets from a specific port or IP address, just type ‘not’ followed by the port or the IP address. For example, if you want to avoid packets from port 53, type: not port 53
.
Displayed filters, on the other hand, are there to analyze or find the packets relevant to you. They can be set up before, during, or after capturing packets. They won’t be displayed. Wireshark allows you to add display filters in the space at the top of the main screen.
You can edit them during the capture process:
And once you’ve stopped packet capture, you can filter out the packets by going to "Analyse - Display filters" and choosing the filters:
Wireshark color coding
By default, Wireshark follows the following scheme for marking the different packets:
Wireshark color coding | Packet |
Light purple | TCP |
Light blue | UDP |
Black | The packet has errors |
Light green | HTTP traffic |
Light yellow | smb, nbss, nbns, nbipx, NetBIOS |
Dark yellow | routing |
Dark grey | TCP SYN, FIN |
You can view these rules by going to "View" - "Coloring rules.
Wireshark also lets you set temporary rules when performing analysis or save permanent rules for later usage.
To set a temporary rule, just click on a packet, and press the Ctrl key along with any number key. First, the filter will try to identify all packets with the same TCP and mark them with a similar color. Further rules will mark packets with the same UDP, the same IP, followed by the same ethernet.
You can also set up permanent coloring rules by heading to "View" - "Coloring rules".
The Wireshark community has developed many helpful coloring rules that you can download and use.
Troubleshooting network issues with Wireshark
Wireshark can identify if the packets are getting lost or too many are flooding the network. For example, you can use the Statistics menu to determine where the most significant or abnormal traffic is generated.
Common Wireshark use cases
Fixing network latency issues
While you may not be able to detect network issues with Wireshark, you can figure out the cause. Maybe your servers cannot process legit requests, for instance. Then, you’ll be able to identify this with Wireshark.
Network security
If a monitoring tool raises the alarm, you can use Wireshark to confirm security issues. For example, imagine a flooded network due to repeated requests during a DOS attack. The user can capture the network packets and use Wireshark to determine where these requests come from.
You can also use Wireshark to observe how your security configurations are working after they have been tweaked.
Testing protocol implementations
When working with new or unfamiliar protocols, you may face issues with interoperability. Wireshark supports over a hundred protocols and can capture and dissect network packets from any of these protocols.
Wireshark alternatives
Even though Wireshark remains an industry standard, many alternatives have come up over the years. Here are a few.
Cloudshark
Cloudshark is a powerful network analyzer geared more towards enterprises and security teams. This means that it is deployed in the cloud or on-premise and, unlike Wireshark, is accessed over a browser.
Sysdig
Sysdig has a couple of solutions geared towards Cloud, Kubernetes, and container security. Unlike Wireshark, it's not just about analysis but also monitoring. Sysdig’s solutions can help you secure your cloud and container system with automatic threat detection.
Packets (mojo Packets)
Packets are mainly used for troubleshooting WiFi connections. The solution is entirely cloud-based and helps you visualize and analyze packets captured from almost all capture tools. Like Cloudshark, Packets also lets you collaborate with others to diagnose issues quickly.
Colasoft
Colasoft has a suite of tools for network analysis and performance monitoring. Capsa Enterprise's premium network performance analysis tools allow 24/7 network monitoring and in-depth packet analysis.
SmartSniff
SmartSniff lets you capture TCP/IP packets across your network adapters. The solution lets you visualize these packets as a conversation between servers and clients.
The bottom line
Wireshark is an open-source packet capture and analysis tool. It helps you analyze packets over a network and troubleshoot issues.
There are two types of Wireshark filters: display filter and capture filter. Capture filters are for capturing only specific packets. But with display filters, all packets will be captured, but only some will be displayed.
Wireshark offers coloring rules for easy analysis of captured packets. They mark packets with different colors according to your rules.
Frequently Asked Questions
What is Wireshark used for?
Wireshark is a tool for capturing and analyzing packets over a network. You can use it to troubleshoot network issues, test protocol implementations, analyze networks' security, and even learn different network protocols.
How to read Wireshark capture packets?
To capture network packets, open Wireshark, choose the networks, and click the capture button. The network packets captured will be listed below the other as a numbered list.
The time column shows the time at which the packet was captured. The source and destination columns show where we are getting the packets from and where it is going. The protocol column shows the network protocol the specific data packet was using, and the length shows the size of the data packet.
Is Wireshark safe?
Yes. While it can be used for unethical purposes, you’re free to use it on your networks or those you have permission.
Is Wireshark free?
Wireshark is open-source and is available for free.