Wireshark

From ArchWiki
Jump to navigation Jump to search

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education.

Installation

Install the wireshark-qt package for the Wireshark GUI or wireshark-cli for just the tshark CLI.

Note: The deprecated GTK+ interface has been removed in Wireshark 3.0.

Capturing privileges

Do not run Wireshark as root, it is insecure. Wireshark has implemented privilege separation [1].

The wireshark-cli install script sets packet capturing capabilities on the /usr/bin/dumpcap executable.

/usr/bin/dumpcap can only be executed by root and members of the wireshark group, therefore to use Wireshark as a normal user you have to add your user to the wireshark user group (see Users and groups#Group management).

A few capturing techniques

There are a number of different ways to capture exactly what you are looking for in Wireshark, by applying capture filters or display filters.

Note: To learn the capture filter syntax, see pcap-filter(7). For display filters, see wireshark-filter(4).

Filtering TCP packets

If you want to see all the current TCP packets, type tcp into the "Filter" bar or in the CLI, enter:

$ tshark -f "tcp"

Filtering UDP packets

If you want to see all the current UDP packets, type udp into the "Filter" bar or in the CLI, enter:

$ tshark -f "udp"

Filter packets to a specific IP address

  • If you would like to see all the traffic going to a specific address, enter display filter ip.dst == 1.2.3.4, replacing 1.2.3.4 with the IP address the outgoing traffic is being sent to.
  • If you would like to see all the incoming traffic for a specific address, enter display filter ip.src == 1.2.3.4, replacing 1.2.3.4 with the IP address the incoming traffic is being sent to.
  • If you would like to see all the incoming and outgoing traffic for a specific address, enter display filter ip.addr == 1.2.3.4, replacing 1.2.3.4 with the relevant IP address.

Exclude packets from a specific IP address

ip.addr != 1.2.3.4

Filter packets to LAN

Tango-view-fullscreen.pngThis article or section needs expansion.Tango-view-fullscreen.png

Reason: 192.168.0.0/16 is not the only private address range. (Discuss in Talk:Wireshark#)

To only see LAN traffic, no internet traffic run

ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16

Filter packets by port

See all traffic on 2 ports or more:

tcp.port==80||tcp.port==3306
tcp.port==80||tcp.port==3306||tcp.port==443