Wireshark
Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education.
Contents
Installation
Wireshark's default interface uses Qt, the GTK+ interface is deprecated and might be removed in the future.
Install wireshark-qt or wireshark-gtk when you prefer the GTK+ interface.
Both frontends depend on the wireshark-cli package that provides the tshark
CLI.
Capturing as normal user
Do not run Wireshark as root, it is insecure. Wireshark has implemented privilege separation. [1]
The wireshark-cli install script sets packet capturing capabilities on the /usr/bin/dumpcap
executable.
/usr/bin/dumpcap
can only be executed by root and members of the wireshark
group.
Therefore to use Wireshark as a normal user you just have to add your user to the wireshark
group:
sudo gpasswd -a $USER wireshark
Re-login to apply the change or use newgrp wireshark
to open a shell with the new group and start Wireshark from there.
A few capturing techniques
There are a number of different ways to capture exactly what you are looking for in Wireshark, by applying capture filters or display filters.
Filtering TCP packets
If you want to see all the current TCP packets, type tcp
into the "Filter" bar or in the CLI, enter:
$ tshark -f "tcp"
Filtering UDP packets
If you want to see all the current UDP packets, type udp
into the "Filter" bar or in the CLI, enter:
$ tshark -f "udp"
Filter packets to a specific IP Address
- If you would like to see all the traffic going to a specific address, enter display filter
ip.dst == 1.2.3.4
, replacing1.2.3.4
with the IP address the outgoing traffic is being sent to.
- If you would like to see all the incoming traffic for a specific address, enter display filter
ip.src == 1.2.3.4
, replacing1.2.3.4
with the IP address the incoming traffic is being sent to.
- If you would like to see all the incoming and outgoing traffic for a specific address, enter display filter
ip.addr == 1.2.3.4
, replacing1.2.3.4
with the relevant IP address.