Difference between revisions of "Wireshark"

From ArchWiki
(Capturing as normal user: Removed the duplicate instructions from Users & groups)
m (Capturing privileges: link specific section)
 

Latest revision as of 18:09, 17 May 2019

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education.

Installation

Install the wireshark-qt package for the Wireshark GUI or wireshark-cli for just the tshark CLI.

Note: The deprecated GTK+ interface has been removed in Wireshark 3.0.

Capturing privileges

Do not run Wireshark as root: it is insecure, because the protocol dissectors parse untrusted network input and any bug in them would then execute with root privileges. Wireshark has implemented privilege separation [1]: only the small capture helper dumpcap needs elevated privileges, while the GUI and tshark run as a normal user and invoke dumpcap for the actual capture.

The wireshark-cli install script sets packet capturing capabilities on the /usr/bin/dumpcap executable.

/usr/bin/dumpcap can only be executed by root and members of the wireshark group, therefore to use Wireshark as a normal user you have to add your user to the wireshark user group (see Users and groups#Group management).
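As an added example, not part of the ArchWiki page or of the Wireshark project, the following POSIX shell script checks that the setup described above is actually in place: that dumpcap carries cap_net_raw and cap_net_admin in its effective set, that the current user is in the wireshark group, and that the binary is not executable by everyone. The parsing is split into functions that take command output as a string, so the logic can be exercised with constructed input. The path /usr/bin/dumpcap and the group name come from the page; the function names and the `check` argument are this example's own.

```shell
#!/bin/sh
# Added example, not from the ArchWiki page: verify the capture privilege
# setup. Only dumpcap should hold capabilities; wireshark and tshark run
# unprivileged and exec dumpcap for the actual capture.

DUMPCAP=/usr/bin/dumpcap

# caps_ok LINE: succeed if a getcap(8) output line grants cap_net_raw and
# cap_net_admin with 'e' (effective) set. getcap prints either
# "/path = caps+eip" (libcap < 2.41) or "/path caps=eip" (newer); both are accepted.
caps_ok() {
    line=$1
    case $line in *[+=]*) ;; *) return 1 ;; esac          # no flag set at all
    case $line in *cap_net_raw*) ;; *) return 1 ;; esac
    case $line in *cap_net_admin*) ;; *) return 1 ;; esac
    flags=${line##*[+=]}                                  # text after the last '+' or '='
    case $flags in *e*) return 0 ;; *) return 1 ;; esac
}

# in_group GROUP LIST: succeed if GROUP occurs in the space-separated LIST
# (the format printed by `id -nG`).
in_group() {
    for g in $2; do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# others_can_exec MODE: succeed if the octal MODE (as printed by `stat -c %a`)
# has the execute bit set for "others"; capabilities on such a binary would
# let every local account capture traffic.
others_can_exec() {
    case $1 in *[1357]) return 0 ;; *) return 1 ;; esac
}

# check_capture_setup: run the live checks on this machine; returns 0 only
# if everything is in place.
check_capture_setup() {
    if [ ! -e "$DUMPCAP" ]; then
        echo "$DUMPCAP not found; install wireshark-cli"
        return 1
    fi
    if ! caps_ok "$(getcap "$DUMPCAP" 2>/dev/null)"; then
        echo "$DUMPCAP lacks effective cap_net_raw/cap_net_admin; reinstall wireshark-cli"
        return 1
    fi
    if ! in_group wireshark "$(id -nG)"; then
        echo "$(id -un) is not in the wireshark group; add it and log in again"
        return 1
    fi
    if [ ! -x "$DUMPCAP" ]; then
        echo "$DUMPCAP is not executable by $(id -un); a group change needs a new login"
        return 1
    fi
    if others_can_exec "$(stat -c %a "$DUMPCAP")"; then
        echo "warning: $DUMPCAP is executable by all users, not only the wireshark group"
    fi
    echo "capture setup ok"
}

# Run the live checks only when invoked as: sh check_dumpcap.sh check
case "${1:-}" in check) check_capture_setup ;; esac
```

The live checks deliberately stop at the first failure in the order a user would fix them: package present, capabilities set, group membership, and finally whether the membership is already active in the current session.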

A few capturing techniques

There are a number of different ways to capture exactly what you are looking for in Wireshark, by applying capture filters or display filters. A capture filter is applied by dumpcap while capturing, so packets it rejects are never recorded; a display filter is applied afterwards to packets that have already been captured and can use any dissected field.

Note: To learn the capture filter syntax, see pcap-filter(7). For display filters, see wireshark-filter(4).

Filtering TCP packets

If you want to see all the current TCP packets, type tcp into the "Filter" bar (a display filter) or, in the CLI, pass it as a capture filter:

$ tshark -f "tcp"

Filtering UDP packets

If you want to see all the current UDP packets, type udp into the "Filter" bar (a display filter) or, in the CLI, pass it as a capture filter:

$ tshark -f "udp"

Filter packets to a specific IP address

  • If you would like to see all the traffic going to a specific address, enter display filter ip.dst == 1.2.3.4, replacing 1.2.3.4 with the IP address the outgoing traffic is being sent to.
  • If you would like to see all the traffic coming from a specific address, enter display filter ip.src == 1.2.3.4, replacing 1.2.3.4 with the IP address the incoming traffic is being sent from.
  • If you would like to see all the incoming and outgoing traffic for a specific address, enter display filter ip.addr == 1.2.3.4, replacing 1.2.3.4 with the relevant IP address. ip.addr matches either the source or the destination field.

Exclude packets from a specific IP address

To drop every packet that has 1.2.3.4 as either source or destination, negate the match:

!(ip.addr == 1.2.3.4)

Note: ip.addr != 1.2.3.4 does not do this. ip.addr occurs twice in every packet (the source and the destination field), and a comparison is true if any occurrence satisfies it, so ip.addr != 1.2.3.4 keeps every packet whose other address differs from 1.2.3.4, which is almost all of them.

Filter packets to LAN

To only see LAN traffic, no internet traffic, restrict both the source and the destination to private addresses:

ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16

Note: 192.168.0.0/16 is not the only private address range. RFC 1918 also reserves 10.0.0.0/8 and 172.16.0.0/12, so on a network that uses those add the corresponding ip.src and ip.dst terms, combining the ranges on each side with or.
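As an added example, not part of the ArchWiki page or of the Wireshark project, the following Python script models how the display filters in the previous two sections match a packet's addresses. It shows the two points the one-liners above cannot: why ip.addr != x fails to exclude a host (a field with two occurrences per packet), and how the LAN filter generalises to all three RFC 1918 ranges instead of only 192.168.0.0/16. The packet list is constructed for the example, not taken from a real capture, and the function names are this example's own.

```python
"""Model Wireshark display-filter matching over constructed (src, dst) pairs.

Added example, not code from the ArchWiki page or from Wireshark itself.
"""
import ipaddress

# All RFC 1918 private ranges; the page's filter uses only the last one.
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

# Constructed sample packets as (ip.src, ip.dst) pairs, not a real capture.
PACKETS = [
    ("192.168.1.10", "192.168.1.1"),    # LAN to LAN
    ("192.168.1.10", "8.8.8.8"),        # LAN to internet
    ("10.0.0.5", "172.16.4.2"),         # LAN to LAN, outside 192.168.0.0/16
    ("1.2.3.4", "192.168.1.10"),        # from the host we want to exclude
    ("192.168.1.10", "1.2.3.4"),        # to the host we want to exclude
    ("203.0.113.7", "198.51.100.9"),    # unrelated internet traffic
]


def addr_ne_matches(pkt, host):
    """Wireshark semantics of ``ip.addr != host``.

    ip.addr has two occurrences per packet (ip.src and ip.dst) and a
    comparison is true if ANY occurrence satisfies it, so this is true
    whenever at least one of the two addresses differs from host.
    """
    return any(a != host for a in pkt)


def not_addr_eq_matches(pkt, host):
    """Semantics of ``!(ip.addr == host)``: true only if no occurrence equals host."""
    return not any(a == host for a in pkt)


def is_lan_only(pkt, ranges=RFC1918):
    """Both endpoints inside one of the given CIDR ranges (the LAN filter, generalised)."""
    nets = [ipaddress.ip_network(r) for r in ranges]
    return all(any(ipaddress.ip_address(a) in n for n in nets) for a in pkt)


def lan_filter(ranges=RFC1918):
    """Build the Wireshark display filter string equivalent to is_lan_only()."""
    src = " || ".join(f"ip.src=={r}" for r in ranges)
    dst = " || ".join(f"ip.dst=={r}" for r in ranges)
    return f"({src}) && ({dst})"


def matching(pred, *args):
    """Return the sample packets for which the filter predicate holds."""
    return [p for p in PACKETS if pred(p, *args)]


if __name__ == "__main__":
    print("ip.addr != 1.2.3.4 keeps   :", matching(addr_ne_matches, "1.2.3.4"))
    print("!(ip.addr == 1.2.3.4) keeps:", matching(not_addr_eq_matches, "1.2.3.4"))
    print("LAN only (192.168/16)      :", matching(is_lan_only, ("192.168.0.0/16",)))
    print("LAN only (all RFC 1918)    :", matching(is_lan_only))
    print("filter:", lan_filter())
```

The string returned by lan_filter() can be handed to tshark as a display filter with -Y, for instance on a saved capture: tshark -r capture.pcap -Y "$(python3 lan_filter.py | sed -n 's/^filter: //p')".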

Filter packets by port

See all traffic on two or more ports (tcp.port matches either the source or the destination port):

tcp.port==80||tcp.port==3306
tcp.port==80||tcp.port==3306||tcp.port==443