Wireshark

From ArchWiki
Revision as of 13:16, 16 April 2017 by Larivact (talk | contribs) (Capturing as normal user: shorten)

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education.

Installation

Wireshark's default interface uses Qt; the GTK+ interface is deprecated and might be removed in the future.

Install wireshark-qt, or wireshark-gtk if you prefer the GTK+ interface.

Both frontends depend on the wireshark-cli package that provides the tshark CLI.

Capturing as normal user

Do not run Wireshark as root; it is insecure. Wireshark implements privilege separation [1]: only the dumpcap capture process needs elevated rights, while the GUI and the protocol dissectors, which parse untrusted traffic from the wire, run as your normal user.

The wireshark-cli install script sets packet capturing capabilities on the /usr/bin/dumpcap executable.

/usr/bin/dumpcap can only be executed by root and members of the wireshark group.

Therefore, to use Wireshark as a normal user, add your user to the wireshark group:

sudo gpasswd -a $USER wireshark

Log out and back in to apply the change, or run newgrp wireshark to open a shell with the new group and start Wireshark from there.
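The following script is an added example and not part of the ArchWiki page or the Arch packaging; it checks that the setup described above is actually in place before you rely on it. Its assumptions (this example's own, not documented Arch guarantees) are that dumpcap lives at /usr/bin/dumpcap, carries exactly cap_net_raw and cap_net_admin as effective, inheritable and permitted, is mode 0750 owned by root:wireshark, and that your user is listed in the wireshark group. The helper names (check_caps, check_mode, check_member, check_active, audit_live) are invented for this example.

```shell
#!/bin/bash
# Added example, not from the ArchWiki page: verify the dumpcap privilege
# setup without ever starting Wireshark as root. Path is an assumption.
DUMPCAP=${DUMPCAP:-/usr/bin/dumpcap}

# check_caps "<one line of getcap output>" -> 0 only when exactly the two
# capture capabilities are present. Anything extra (or a setuid bit instead
# of capabilities) lets a bug in a dissector do far more than sniff packets.
check_caps() {
    local caps
    # Drop the "path" prefix and the "= " separator that older libcap prints.
    caps=$(printf '%s\n' "$1" | sed -e 's/^[^ ]* *//' -e 's/^= *//')
    case "$caps" in
        cap_net_admin,cap_net_raw[=+]eip|cap_net_raw,cap_net_admin[=+]eip) return 0 ;;
        *) return 1 ;;
    esac
}

# check_mode "<stat -c '%a %U %G' output>" -> 0 for "750 root wireshark":
# no world-execute (only root and the group may run it) and no setuid bit
# (stat would show that as a leading 4, e.g. 4750).
check_mode() {
    set -- $1
    [ "$#" -eq 3 ] && [ "$1" = "750" ] && [ "$2" = "root" ] && [ "$3" = "wireshark" ]
}

# check_member "<getent group wireshark output>" USER -> 0 if USER is listed.
# This is what gpasswd changed; it says nothing about the *current* session.
check_member() {
    local members=${1##*:}
    case ",$members," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_active "<id -nG output>" -> 0 if wireshark is already among the
# running shell's groups, i.e. the re-login / newgrp step has happened.
check_active() {
    case " $1 " in
        *" wireshark "*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_live runs the four checks against the real system (needs getcap from libcap).
audit_live() {
    local rc=0 user
    user=$(id -un)
    command -v getcap >/dev/null 2>&1 || { echo "getcap not found: install libcap" >&2; return 2; }
    check_caps "$(getcap "$DUMPCAP")" || { echo "FAIL: unexpected capabilities: $(getcap "$DUMPCAP")"; rc=1; }
    check_mode "$(stat -c '%a %U %G' "$DUMPCAP")" || { echo "FAIL: $DUMPCAP should be 0750 root:wireshark"; rc=1; }
    check_member "$(getent group wireshark)" "$user" || { echo "FAIL: $user is not in the wireshark group"; rc=1; }
    check_active "$(id -nG)" || { echo "FAIL: group not active in this session; log in again or run: newgrp wireshark"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $user can capture via $DUMPCAP without root"
    return "$rc"
}

# Only touch the live system when explicitly asked, e.g.: ./audit.sh --live
if [ "${1:-}" = "--live" ]; then
    audit_live
fi
```

The last check is the one people trip over: getent shows the group membership that gpasswd wrote to /etc/group, but id -nG shows what the running session actually has, and a Wireshark started from a shell opened before the group change will still fail to list interfaces.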

A few capturing techniques

There are a number of different ways to capture exactly what you are looking for in Wireshark, by applying capture filters or display filters. A capture filter is applied by dumpcap while capturing, so packets that do not match are never dissected or written to disk; a display filter is applied afterwards to packets that have already been captured and only hides them from view.

Note: To learn the capture filter syntax, see man pcap-filter(7). For display filters, see man wireshark-filter(4).

Filtering TCP packets

To see only TCP packets, type tcp into the "Filter" bar (a display filter) or, on the CLI, start a capture with the equivalent capture filter:

$ tshark -f "tcp"

Filtering UDP packets

To see only UDP packets, type udp into the "Filter" bar (a display filter) or, on the CLI, start a capture with the equivalent capture filter:

$ tshark -f "udp"

Filter packets to a specific IP Address

  • To see all traffic going to a specific address, enter the display filter ip.dst == 1.2.3.4, replacing 1.2.3.4 with the destination address.
  • To see all traffic coming from a specific address, enter the display filter ip.src == 1.2.3.4, replacing 1.2.3.4 with the source address.
  • To see all traffic to or from a specific address, enter the display filter ip.addr == 1.2.3.4, replacing 1.2.3.4 with the relevant IP address; it matches when either the source or the destination address equals it.
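The address selections above, and the tcp/udp captures from the two preceding sections, each exist in two syntaxes: tshark -f takes a capture filter in pcap-filter(7) syntax, while the "Filter" bar and tshark -Y take a display filter in wireshark-filter(4) syntax. The script below is an added example, not from the ArchWiki page, that writes the same "to / from / either" selections in both forms and adds the negated case, which is where the display-filter syntax has a well-known trap. The helper names, the "not" direction, the file and interface names in the usage lines and the sample address 203.0.113.7 are this example's own choices.

```shell
#!/bin/bash
# Added example, not from the ArchWiki page: the same address selections as
# capture filters (tshark -f, applied by dumpcap before a packet is stored)
# and as display filters (tshark -Y or the filter bar, applied after dissection).

# capture_filter DIRECTION ADDR -> expression for "tshark -f" / "dumpcap -f".
# "host" matches IPv4 and IPv6; packets that do not match never reach disk.
capture_filter() {
    case "$1" in
        to)   printf 'dst host %s' "$2" ;;
        from) printf 'src host %s' "$2" ;;
        any)  printf 'host %s' "$2" ;;
        not)  printf 'not host %s' "$2" ;;
        *)    echo "direction must be to|from|any|not" >&2; return 1 ;;
    esac
}

# display_filter DIRECTION ADDR -> expression for "tshark -Y" or the filter bar.
# ip.* fields only match IPv4; use ipv6.src / ipv6.dst / ipv6.addr for IPv6.
# "ip.addr == X" is the same as "ip.src == X || ip.dst == X".
display_filter() {
    case "$1" in
        to)   printf 'ip.dst == %s' "$2" ;;
        from) printf 'ip.src == %s' "$2" ;;
        any)  printf 'ip.addr == %s' "$2" ;;
        # Pitfall: "ip.addr != X" is true whenever *either* address differs
        # from X, i.e. for nearly every packet. Negate the whole comparison.
        not)  printf '!(ip.addr == %s)' "$2" ;;
        *)    echo "direction must be to|from|any|not" >&2; return 1 ;;
    esac
}

# valid_ipv4 ADDR -> 0 for a dotted quad with octets 0-255. tshark does not
# reject a mistyped address; it just yields a filter that matches nothing.
valid_ipv4() {
    local IFS=. octet
    set -- $1
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# show_matching FILE DIRECTION ADDR: replay a saved capture through the
# display filter. Reading a file needs no capture privileges at all.
show_matching() {
    valid_ipv4 "$3" || { echo "bad address: $3" >&2; return 1; }
    tshark -r "$1" -Y "$(display_filter "$2" "$3")"
}

# capture_from IFACE DIRECTION ADDR: live capture (needs the wireshark group
# setup from the previous section) that keeps only the selected traffic.
capture_from() {
    valid_ipv4 "$3" || { echo "bad address: $3" >&2; return 1; }
    tshark -i "$1" -f "$(capture_filter "$2" "$3")"
}

# Usage: ./filters.sh show trace.pcapng any 203.0.113.7
#        ./filters.sh live eth0 from 203.0.113.7
case "${1:-}" in
    show) shift; show_matching "$@" ;;
    live) shift; capture_from "$@" ;;
esac
```

Prefer the capture filter when the goal is to limit what ends up on disk (a capture of one host's traffic instead of everything on the segment) and the display filter when you already have a file and want to slice it in different ways without recapturing.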