Difference between revisions of "Wireshark"

From ArchWiki
(Filter packets to LAN: flag with Template:Expansion)
(Capturing as normal user: Removed the duplicate instructions from Users & groups)
Line 14: Line 14:
  {{Note|The deprecated GTK+ interface has been removed in Wireshark 3.0.}}
  
- == Capturing as normal user ==
+ == Capturing privileges ==
  
- Do not run Wireshark as root, it is insecure. Wireshark has implemented privilege separation.[https://wiki.wireshark.org/CaptureSetup/CapturePrivileges#Most_UNIXes]
+ Do not run Wireshark as root, it is insecure. Wireshark has implemented privilege separation [https://wiki.wireshark.org/CaptureSetup/CapturePrivileges#Most_UNIXes].
  
  The {{Pkg|wireshark-cli}} [[PKGBUILD#install|install script]] sets packet capturing [[capabilities]] on the {{ic|/usr/bin/dumpcap}} executable.
  
- {{ic|/usr/bin/dumpcap}} can only be executed by root and members of the {{ic|wireshark}} group.
- 
- {{Remove|Duplicates [[Users and groups]].}}
- 
- Therefore to use Wireshark as a normal user you just have to add your user to the {{ic|wireshark}} [[user group]]:
- 
-  # gpasswd -a ''username'' wireshark
- 
- Re-login to apply the change.
+ {{ic|/usr/bin/dumpcap}} can only be executed by root and members of the {{ic|wireshark}} group, therefore to use Wireshark as a normal user you have to add your user to the {{ic|wireshark}} [[user group]] (see [[Users and groups]]).
  
  == A few capturing techniques ==
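Review bot: the merged sentence on the new side ("... you have to add your user to the {{ic|wireshark}} [[user group]] (see [[Users and groups]])") drops "Re-login to apply the change." together with the gpasswd command it replaces. Group membership is only picked up by login sessions started after the change, so a reader who follows the link and comes straight back will still get a permission error from dumpcap in the current session. Suggest keeping a one-line reminder after the link, e.g. "Re-login to apply the change."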

Revision as of 14:19, 16 May 2019

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education.

Installation

Install the wireshark-qt package for the Wireshark GUI or wireshark-cli for just the tshark CLI.

Note: The deprecated GTK+ interface has been removed in Wireshark 3.0.

Capturing privileges

Do not run Wireshark as root, it is insecure: the protocol dissectors parse untrusted packets, so a bug in one of them would be exploited with full privileges. Wireshark has implemented privilege separation [1]: only the small dumpcap helper touches the network, and the GUI or tshark runs as your user and reads the packets dumpcap hands it.

The wireshark-cli install script sets packet capturing capabilities (cap_net_raw and cap_net_admin) on the /usr/bin/dumpcap executable, so it does not need to be setuid root.

/usr/bin/dumpcap can only be executed by root and members of the wireshark group, therefore to use Wireshark as a normal user you have to add your user to the wireshark user group (see Users and groups). The new membership only applies to login sessions started after the change, so re-login before capturing.
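A check for the setup just described, added here as an example (it is not ArchWiki or Wireshark code). It assumes the Arch layout above: /usr/bin/dumpcap owned by root with group wireshark, no execute bit for others, and exactly cap_net_raw and cap_net_admin, as printed by getcap(8) in either its newer "path cap_a,cap_b=eip" or older "path = cap_a,cap_b+eip" form. The pure functions take strings and mode bits so they can be exercised without root; running the file as a script checks the live host.

```python
import grp
import os
import re
import stat
import subprocess
import sys

DUMPCAP = "/usr/bin/dumpcap"
CAPTURE_GROUP = "wireshark"
# The only two capabilities packet capture needs; anything else on this
# binary widens what members of the wireshark group can do.
CAPTURE_CAPS = frozenset({"cap_net_admin", "cap_net_raw"})


def caps_from_getcap(line):
    """Capability names in one line of getcap(8) output.

    Accepts both "path cap_net_admin,cap_net_raw=eip" (libcap >= 2.41) and
    "path = cap_net_admin,cap_net_raw+eip" (older libcap). An empty string
    (getcap prints nothing when no caps are set) yields an empty set.
    """
    return frozenset(re.findall(r"cap_[a-z_]+", line))


def caps_are_exactly_capture(caps):
    """True when the set is exactly {cap_net_admin, cap_net_raw}."""
    return frozenset(caps) == CAPTURE_CAPS


def others_cannot_execute(mode):
    """True when the mode has no execute bit for 'other' (0o750 and 0o754 pass)."""
    return not (mode & stat.S_IXOTH)


def findings_for(file_group, mode, caps, user_groups):
    """Everything wrong with a dumpcap described by these values (empty list = ok)."""
    out = []
    if file_group != CAPTURE_GROUP:
        out.append("dumpcap group is %r, expected %r" % (file_group, CAPTURE_GROUP))
    if not others_cannot_execute(mode):
        out.append("dumpcap is executable by everyone (mode %o)" % stat.S_IMODE(mode))
    if not caps_are_exactly_capture(caps):
        out.append("dumpcap capabilities are %s, expected %s"
                   % (sorted(caps), sorted(CAPTURE_CAPS)))
    if CAPTURE_GROUP not in user_groups:
        out.append("current user is not in group %r (re-login after gpasswd -a)"
                   % CAPTURE_GROUP)
    return out


def check_host(path=DUMPCAP):
    """Gather the live values on this machine and return findings_for() on them."""
    st = os.stat(path)
    try:
        file_group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        file_group = str(st.st_gid)
    getcap = subprocess.run(["getcap", path], capture_output=True, text=True, check=False)
    caps = caps_from_getcap(getcap.stdout)
    user_groups = set()
    for gid in os.getgroups():
        try:
            user_groups.add(grp.getgrgid(gid).gr_name)
        except KeyError:
            pass
    return findings_for(file_group, st.st_mode, caps, user_groups)


if __name__ == "__main__":
    problems = check_host()
    for p in problems:
        print("FAIL:", p)
    print("ok" if not problems else "%d problem(s)" % len(problems))
    sys.exit(1 if problems else 0)
```

The capability check is deliberately an equality, not a subset test: a dumpcap that has picked up cap_sys_admin or cap_dac_override from a misapplied setcap is a privilege escalation path for every member of the group, which is exactly what the split into dumpcap plus an unprivileged front end is meant to avoid.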

A few capturing techniques

There are a number of different ways to capture exactly what you are looking for in Wireshark, by applying capture filters or display filters.

Note: To learn the capture filter syntax, see pcap-filter(7). For display filters, see wireshark-filter(4).

Filtering TCP packets

If you want to see all the current TCP packets, type tcp into the "Filter" bar (a display filter applied to what was captured) or, in the CLI, enter:

$ tshark -f "tcp"

Here -f sets a capture filter in pcap-filter(7) syntax, so non-TCP packets are never recorded; the display-filter equivalent is -Y "tcp".

Filtering UDP packets

If you want to see all the current UDP packets, type udp into the "Filter" bar or in the CLI, enter:

$ tshark -f "udp"

Filter packets to a specific IP address

  • If you would like to see all the traffic going to a specific address, enter display filter ip.dst == 1.2.3.4, replacing 1.2.3.4 with the destination address.
  • If you would like to see all the traffic coming from a specific address, enter display filter ip.src == 1.2.3.4, replacing 1.2.3.4 with the source address.
  • If you would like to see all the incoming and outgoing traffic for a specific address, enter display filter ip.addr == 1.2.3.4, replacing 1.2.3.4 with the relevant IP address; ip.addr matches either field.

Exclude packets from a specific IP address

!(ip.addr == 1.2.3.4)

Note: ip.addr != 1.2.3.4 does not do this in Wireshark 3.x. ip.addr stands for both the source and the destination field, and != is true as soon as one of them differs from 1.2.3.4, so the filter only drops packets that have 1.2.3.4 at both ends. Negating the whole equality works in every version (4.0 and later also changed != to mean the same thing).

Filter packets to LAN

Note: This section was flagged for expansion on the wiki because 192.168.0.0/16 is not the only private address range (see Talk:Wireshark). The display filter below keeps only traffic whose source and destination are both inside one of the three RFC 1918 blocks, so no internet traffic is shown:

(ip.src==10.0.0.0/8 || ip.src==172.16.0.0/12 || ip.src==192.168.0.0/16) && (ip.dst==10.0.0.0/8 || ip.dst==172.16.0.0/12 || ip.dst==192.168.0.0/16)

The ip.* fields are IPv4 only; link-local (169.254.0.0/16) and IPv6 unique-local or link-local traffic is not matched by this filter.
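The matching rules behind the exclusion filter and the LAN filter above, modelled in Python on a constructed packet list (added example, not ArchWiki or Wireshark code). It reproduces how Wireshark 3.x evaluates ip.addr == X, ip.addr != X and !(ip.addr == X), and compares the 192.168.0.0/16-only LAN filter with one covering all three RFC 1918 blocks. The packet tuples are made up, and the functions model only these few expressions, not the display-filter language.

```python
import ipaddress

# Constructed sample traffic: (ip.src, ip.dst) of seven IPv4 packets.
PACKETS = [
    ("192.168.1.10", "1.2.3.4"),      # LAN host talking to 1.2.3.4
    ("1.2.3.4", "192.168.1.10"),      # the reply
    ("10.0.0.5", "10.0.0.6"),         # private, but not in 192.168.0.0/16
    ("172.16.4.2", "192.168.1.1"),    # private to private across two blocks
    ("192.168.1.10", "192.168.1.20"),
    ("1.2.3.4", "1.2.3.4"),           # the only packet 'ip.addr != 1.2.3.4' drops
    ("8.8.8.8", "192.168.1.10"),
]

HOST = "1.2.3.4"
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
NET_192 = ipaddress.ip_network("192.168.0.0/16")


def ip_addr_eq(pkt, host):
    """ip.addr == host: ip.addr stands for both fields, so either one matching is enough."""
    return any(a == host for a in pkt)


def ip_addr_ne(pkt, host):
    """ip.addr != host as Wireshark 3.x reads it: true if *any* field differs from host.

    That is why it does not exclude traffic to or from host.
    """
    return any(a != host for a in pkt)


def not_ip_addr_eq(pkt, host):
    """!(ip.addr == host): neither field equals host. This is the real exclusion."""
    return not ip_addr_eq(pkt, host)


def in_any(addr, networks):
    """True when addr lies inside one of the given networks."""
    return any(ipaddress.ip_address(addr) in n for n in networks)


def lan_only_192(pkt):
    """ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16 (the original filter)."""
    return all(in_any(a, [NET_192]) for a in pkt)


def lan_only_rfc1918(pkt):
    """Both ends inside one of the three RFC 1918 blocks."""
    return all(in_any(a, RFC1918) for a in pkt)


def select(filter_fn, *args, packets=PACKETS):
    """Packets that pass filter_fn, like typing the filter into the Filter bar."""
    return [p for p in packets if filter_fn(p, *args)]


if __name__ == "__main__":
    for name, fn, args in [
        ("ip.addr != 1.2.3.4", ip_addr_ne, (HOST,)),
        ("!(ip.addr == 1.2.3.4)", not_ip_addr_eq, (HOST,)),
        ("192.168.0.0/16 both ends", lan_only_192, ()),
        ("RFC 1918 both ends", lan_only_rfc1918, ()),
    ]:
        kept = select(fn, *args)
        print("%-26s keeps %d of %d" % (name, len(kept), len(PACKETS)))
```

On this sample the != form keeps six of the seven packets, including every exchange with 1.2.3.4, while the negated equality keeps the four that do not involve it; the 192.168-only LAN filter keeps one packet and the RFC 1918 version keeps three, which is the gap the expansion note above points at.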

Filter packets by port

See all traffic on two or more ports:

tcp.port==80||tcp.port==3306
tcp.port==80||tcp.port==3306||tcp.port==443

tcp.port matches either the source or the destination port. The same filter can be written as a set membership test: tcp.port in {80 3306 443}.