Wireshark
Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Originally named Ethereal, in May 2006 the project was renamed Wireshark due to trademark issues.
Contents
Installation
The wireshark package has been split into the CLI version as well as GTK+ and Qt frontends, which depend on the CLI.
- CLI version (tshark) - Install package wireshark-cli.
- GTK+ frontend (wireshark-gtk) - Install package wireshark-gtk (deprecated).
- Qt frontend (wireshark) - Install package wireshark-qt (recommended).
Capturing as normal user
Running Wireshark as root is insecure.
Arch Linux uses
method from Wireshark wiki
to separate privileges. When wireshark-cli is installed, install script sets additional capabilities on the /usr/bin/dumpcap
executable, these capabilities can be listed as follows:
$ getcap /usr/bin/dumpcap
/usr/bin/dumpcap = cap_dac_override,cap_net_admin,cap_net_raw+eip
/usr/bin/dumpcap
is the only process that has privileges to
capture packets. /usr/bin/dumpcap
can only be run by root and
members of the wireshark
group. Other users will see the
Couldn't run /usr/bin/dumpcap in child process: Permission denied error in Wireshark.
To use wireshark as a normal user, add the user to the wireshark
group (sudo gpasswd -a $USER wireshark
). Re-login to apply the changes or use newgrp wireshark
to open a shell with the new group and start Wireshark from there.
A few capturing techniques
There are a number of different ways to capture exactly what you are looking for in Wireshark, by applying capture filters or display filters.
Filtering TCP packets
If you want to see all the current TCP packets, type tcp
into the "Filter" bar or in the CLI, enter:
$ tshark -f "tcp"
Filtering UDP packets
If you want to see all the current UDP packets, type udp
into the "Filter" bar or in the CLI, enter:
$ tshark -f "udp"
Filter packets to a specific IP Address
- If you would like to see all the traffic going to a specific address, enter display filter
ip.dst == 1.2.3.4
, replacing1.2.3.4
with the IP address the outgoing traffic is being sent to.
- If you would like to see all the incoming traffic for a specific address, enter display filter
ip.src == 1.2.3.4
, replacing1.2.3.4
with the IP address the incoming traffic is being sent to.
- If you would like to see all the incoming and outgoing traffic for a specific address, enter display filter
ip.addr == 1.2.3.4
, replacing1.2.3.4
with the relevant IP address.