Wireshark
Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education.
Contents
Installation
Install the wireshark-qt package for the Wireshark GUI or wireshark-cli for just the tshark
CLI.
For the deprecated GTK+ interface, install the wireshark-gtk package. Note that this package will be removed in the future (Wireshark 3.0).
Capturing as normal user
Do not run Wireshark as root, it is insecure. Wireshark has implemented privilege separation. [1]
The wireshark-cli install script sets packet capturing capabilities on the /usr/bin/dumpcap
executable.
/usr/bin/dumpcap
can only be executed by root and members of the wireshark
group.
Therefore to use Wireshark as a normal user you just have to add your user to the wireshark
user group:
# gpasswd -a username wireshark
Re-login to apply the change.
A few capturing techniques
There are a number of different ways to capture exactly what you are looking for in Wireshark, by applying capture filters or display filters.
Filtering TCP packets
If you want to see all the current TCP packets, type tcp
into the "Filter" bar or in the CLI, enter:
$ tshark -f "tcp"
Filtering UDP packets
If you want to see all the current UDP packets, type udp
into the "Filter" bar or in the CLI, enter:
$ tshark -f "udp"
Filter packets to a specific IP Address
- If you would like to see all the traffic going to a specific address, enter display filter
ip.dst == 1.2.3.4
, replacing1.2.3.4
with the IP address the outgoing traffic is being sent to.
- If you would like to see all the incoming traffic for a specific address, enter display filter
ip.src == 1.2.3.4
, replacing1.2.3.4
with the IP address the incoming traffic is being sent to.
- If you would like to see all the incoming and outgoing traffic for a specific address, enter display filter
ip.addr == 1.2.3.4
, replacing1.2.3.4
with the relevant IP address.