
CYBER SECURITY

Wireshark Tutorial For Beginners


By Rocky ◆ November 12, 2022 ◆ Updated: November 12, 2022  2 Comments  22 Mins Read


Computers communicate over networks, which may be connected to the internet or form a local
area network (LAN). Network sniffers are programs that capture the low-level packet data
transmitted over a network. An attacker can analyze this information to discover valuable
details such as user IDs and passwords.
In this tutorial, you will find out how Wireshark works. We’ll walk you through where to find and
how to install the Wireshark application on your PC. You will learn how to launch a packet
capture and what data you can expect to receive from it. The tutorial will also demonstrate
how to use the data manipulation tools in the interface to their full potential.
You will also discover how to obtain data analysis tools that go beyond Wireshark’s built-in
tools.


What is Wireshark?
Wireshark is an open-source and free network traffic inspection tool. It captures and displays
packets in real-time for offline analysis in a human-readable format with microscopic details. It
requires some sound knowledge of basic networking and is considered an essential tool for
system administrators and network security experts.
Wireshark, formerly known as Ethereal, shows information from hundreds of different
protocols across all significant network types. The analysis of data packets might be done
offline or in real-time. Numerous capture and trace file types, including CAP and ERF, are
supported by Wireshark. Integrated decryption tools, such as WEP and WPA/WPA2, display
the encrypted packets for a number of popular protocols.
Wireshark is the de-facto go-to tool for several network problems that vary from network
troubleshooting, security issue examination, inspecting network traffic of a suspicious
application, debugging protocol implementations, along with network protocol learning
purposes, etc.
The Wireshark project was started in 1998. Thanks to the voluntary contributions of
networking experts around the world, it continues to be updated for new technologies and
encryption standards. It is by far one of the best packet analyzer tools and is used as a
standard commercial tool by various government agencies, educational institutions, and
non-profit organizations.

History of Wireshark:
In the late 1990s, Gerald Combs, a computer science graduate of the University of Missouri-
Kansas City, was working for a small ISP (Internet Service Provider). The protocol analysis
tools available at the time did not meet his basic requirements, so he started writing Ethereal
and released the first version around 1998. The company Network Integration Services owned
the Ethereal trademark.

Combs still held the copyright on most of the Ethereal source code, and the rest of the
source code was redistributed under the GNU GPL. Since he did not own the Ethereal
trademark, he changed the name to Wireshark, using the Ethereal code base as its foundation.
Wireshark has won several industry awards over the years, including from eWeek, InfoWorld
and PC Magazine, and has been rated as a top packet sniffer. Combs continued the work and
released new versions of the software. Around 600 contributing authors are listed on the
Wireshark website.

The functionality of Wireshark:


Wireshark is similar to tcpdump. Tcpdump is a common command-line packet analyzer that
lets the user display TCP/IP and other packets being transmitted and received over a network
attached to the computer. Wireshark adds a graphical front end and sorting and filtering
functions. With it, users can see the traffic passing through the network.
Wireshark can also capture unicast traffic that is not addressed to the capturing interface’s
MAC address, provided the interface is in promiscuous mode. However, a switch does not
forward all traffic to every port, so promiscuous mode alone is not sufficient to see all of the
traffic. Network taps or port mirroring are used to extend the capture to any point in the
network.
Port mirroring is a method of monitoring network traffic. When it is enabled, the switch sends
copies of all the network packets seen on one port to another port.

Uses of Wireshark:
Wireshark can be used in the following ways:
It is used by network security engineers to examine security problems.
It allows the users to see all the traffic being passed over the network.
It is used by network engineers to troubleshoot network issues.
It also helps to troubleshoot latency issues and malicious activities on your network.
It can also analyze dropped packets.
It helps us to know how all the devices like laptops, mobile phones, desktops, switches,
routers, etc., communicate in a local network or the rest of the world.
Features
Wireshark has a rich feature set that includes the following:
Deep inspection of hundreds of protocols, with more being added all the time
Live capture and offline analysis
Standard three-pane packet browser
Multi-platform: Runs on Windows, Linux, OS X, FreeBSD, NetBSD, and many others
Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
The most powerful display filters in the industry
Rich VoIP analysis
Read/write many different capture file formats: tcpdump (libpcap), Pcap NG, Catapult
DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer®
(compressed and uncompressed), Sniffer® Pro, and NetXray®, Network Instruments
Observer, NetScreen snoop, Novell LANalyzer, RADCOM WAN/LAN Analyzer,
Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets
EtherPeek/TokenPeek/AiroPeek, and many others
Capture files compressed with gzip can be decompressed on the fly
Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token
Ring, Frame Relay, FDDI, and others (depending on your platform)
Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3,
SSL/TLS, WEP, and WPA/WPA2
Coloring rules can be applied to the packet list for quick, intuitive analysis
Output can be exported to XML, PostScript®, CSV, or plain text

How to Download and Install Wireshark


The first thing you need to do is download and install it. You can download Wireshark for
free from the company website. To have the smoothest running experience, it is advised that
you download the latest version available on your platform from the “stable release” section.
Install on Windows

Once you’ve downloaded the program you can start the setup process. During installation,
you may be prompted to install WinPcap. It’s important to install WinPcap as without it you will
be unable to capture live network traffic. Without WinPcap you will only be able to open saved
capture files. To install, simply check the Install WinPcap box.
Let’s look at this in more detail.
Select the installer for your Windows architecture (64-bit or 32-bit) and click on the link to
download the package.

Once the installer is on your computer, follow these steps:


Click on the downloaded file to run it. Click Yes in the User Account Control window.
Click Next on the opening screen of the installer.
In the License Agreement screen, click the Noted button.
Leave all of the defaults in the Choose Components screen. Click the Next button.
Leave all settings as they are in the Additional Tasks screen and click on Next.
In Choose Install Location, just click on Next.
In the Packet Capture screen, leave the consent box checked and click the Next button.
In the USB Capture screen, check the Install USBPcap box and press the Install button.

Let the installation progress. During the process, you will be presented with a consent
screen for Npcap. Click on I Agree.
In the Npcap Installation Options screen, check Restrict Npcap driver’s access to
Administrators only, Support raw 802.11 traffic (and monitor mode) for wireless
adapters, and Install Npcap in WinPcap API-compatible Mode. Click on Install.
When the Npcap setup has finished, click on Next and then Finish to dismiss that dialog
window. The Wireshark installation will continue.
In the Installation Complete screen, click on Next and then Finish in the next screen.
Look in your Start menu for the Wireshark icon. Click on it to run the utility.
Install on Mac
To install Wireshark on Mac you first need to download the Wireshark installer, together with
XQuartz. Once you’ve done this, open the Terminal and input the following command:

$ /Applications/Wireshark.app/Contents/MacOS/Wireshark

Then wait for Wireshark to start.


Install on Unix
In order to run Wireshark on Unix, you need a couple of other tools installed on your system
first. These are:
GTK+, the GIMP Tool Kit, and GLib, which both come from the same source. You can get
familiar with both tools at https://www.gtk.org/
libpcap, which you get from http://www.tcpdump.org/.
After installing the above supporting software and downloading the Wireshark source, you
need to extract it from the tar file:

gzip -d wireshark-1.2.tar.gz
tar xvf wireshark-1.2.tar

Change to the Wireshark directory and then issue the following commands:

./configure
make
make install

You can now run the Wireshark program on your Unix computer.

How to Capture Data Packets


Capturing data packets is one of the main uses of Wireshark as a network investigation tool.
For thorough network analysis, it is crucial to learn how to configure Wireshark to collect
packets. It’s vital to remember that while using Wireshark for the first time, it can be
challenging to capture packets. There are three steps you must do before beginning to
capture packets:
Make sure that you have the administrative privileges to start a live capture on your
device
Choose the correct network interface to capture packet data from
Capture packet data from the correct location in your network
You are now prepared to begin the capture procedure after completing these three steps.
When you use Wireshark to capture packets, they are shown to the user in a format that is
easy to read. If you want to examine more detailed information, you may also segment
packets using filters and color coding.
When you first open up Wireshark, you’ll be met by the following launch screen:

The first thing you need to do is look at the available interfaces to capture. To do this,
select Capture > Options. The “Capture Interfaces” dialog box will then open as shown below:

To begin, select the box next to the interface you wish to record, then click the Start button. If
you wish to collect data from several sources at once, you can choose different interfaces.
On Unix or Linux, the dialog box looks similar, like this:

You can also start Wireshark by using the following command line:

$ wireshark -i eth0 -k

Here -i eth0 selects the interface to capture on and -k starts the capture immediately.

You can also use the shark fin button on the toolbar as a shortcut to initiate packet capturing.
Once you click this button, Wireshark will start the live capture process.
If you want to stop capturing, click the red stop button next to the shark fin.
Promiscuous Mode
You must switch on “promiscuous mode” if you wish to generate an overhead view of your
network packet transfers. In promiscuous mode, Wireshark examines each packet it
encounters as it passes across the interface. When this mode is turned off, your network is
less transparent, and you only get a restricted snapshot of it (this makes it more difficult to
conduct any analysis).
To activate the promiscuous mode, click on the Capture Options dialog box and
click promiscuous mode. In theory, this should show you all the traffic active on your
network. The promiscuous mode box is shown below:

But this frequently isn’t the case. You must visit the Wireshark website to find information
about your particular hardware because many network interfaces are resistant to
promiscuous mode.
On Windows, it’s useful to open Device Manager and check whether you have your settings
configured to reject promiscuous mode. For example:

(Simply click on network and then make sure that your promiscuous mode setting is set
to Allow All).
Promiscuous mode will be rejected if your settings are set to “reject,” which will reduce the
amount of packets Wireshark may collect. Check your Device Manager to make sure that your
interface isn’t preventing any data from passing through, even if promiscuous mode is active
in Wireshark. By taking the time to look through your network architecture, you can make sure
Wireshark gets all the data packets it needs.

How to Analyze Captured Packets


Once you’ve captured your network data, you’ll want to look at your captured packets. In the
screenshot below you’ll see three panes, the packet list pane, the packet bytes pane, and
the packet details pane.
If you want more information, you can click on any of the fields in a packet to see more.
When you click on a packet, you’re shown a breakdown of its internal bytes in the packet
bytes section.
Packet List
The packet list pane is shown at the top of the screenshot. Each piece is broken down to a
number with time, source, destination, protocol, and support information.
Packet Details
The middle contains packet information, which display the chosen packet’s protocols. Each
segment can be made larger by clicking the arrow next to the row you want to expand. By
selecting the item with the right click, you may easily add other filters.
Packet Bytes
The packet bytes pane is at the bottom of the screen. It displays the raw data of the packet
you have selected. When you select and highlight a portion of the data in this pane, the
packet details pane highlights the field that goes with it. By default, all data is displayed in
hexadecimal format. To switch to bit format, right-click the pane and choose that option from
the context menu.

Basic concepts of the Network Traffic


IP address: Both local networks and the Internet were designed so that devices can
communicate with one another. An IP address identifies a host or network interface. It
provides the host’s location on the network as well as the means to construct a path to it.
The set of predetermined rules under which this communication takes place is known as the
Internet Protocol. IPv4 and IPv6 are the two types of IP addresses.
IPv4 is a 32-bit address in which each group represents 8 bits ranging from 0 to 255.
IPv6 is a 128-bit address.
IP addresses: IP addresses are assigned to the host either dynamically or statically. Most
private users have dynamic IP addresses, while business users or servers have static IP
addresses. Dynamic IP changes whenever the device is connected to the Internet.

Computer Ports: The computer ports work in combination with the IP address directing all
outgoing and incoming packets to their proper places. There are well-known ports to work
with like FTP (File Transfer Protocol), which has port no. 21, etc. All the ports have the
purpose of directing all packets in the predefined direction.
Protocol: The Protocol is a set of predefined rules. They are considered the standardized form
of communication. One of the most used protocols is TCP/IP. It stands for Transmission
Control Protocol/Internet Protocol.
OSI model: OSI stands for Open Systems Interconnection. The OSI model has seven layers,
namely the Application, Presentation, Session, Transport, Network, Data Link, and Physical
layers. It gives a detailed representation and explanation of how data is transmitted and
received through the layers. The OSI model supports both connectionless and
connection-oriented communication modes at the network layer. It was developed by ISO
(the International Organization for Standardization).
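To show concretely how the packet bytes pane relates to the packet details pane, and how a 32-bit IPv4 address, the port numbers and the protocol field appear inside a real header, here is an added example (not code from the article or from Wireshark) that dissects a constructed Ethernet/IPv4/TCP frame; the frame contents and the Wireshark-style field names are assumptions.

```python
import socket
import struct

# Constructed sample frame (not from a real capture): Ethernet II + IPv4 + TCP SYN
# from 192.168.1.10:51234 to 93.184.216.34:80. Checksums are left as zero.
SAMPLE_FRAME = bytes.fromhex(
    "001122334455"  # Ethernet destination MAC
    "66778899aabb"  # Ethernet source MAC
    "0800"          # EtherType: IPv4
    "45000028"      # version 4, IHL 5 (20 bytes), DSCP/ECN, total length 40
    "1c4640004006"  # identification, flags (DF) + fragment offset, TTL 64, protocol 6 (TCP)
    "0000"          # IPv4 header checksum (zero in this constructed sample)
    "c0a8010a"      # source IP 192.168.1.10 (four 8-bit groups of a 32-bit address)
    "5db8d822"      # destination IP 93.184.216.34
    "c8220050"      # TCP source port 51234, destination port 80
    "00000001"      # sequence number
    "00000000"      # acknowledgment number
    "5002"          # data offset 5 (20 bytes), flags: SYN
    "faf0"          # window size 64240
    "0000"          # TCP checksum (zero in this constructed sample)
    "0000"          # urgent pointer
)

TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
                 (0x10, "ACK"), (0x20, "URG"), (0x40, "ECE"), (0x80, "CWR")]

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def tcp_flag_names(flags: int) -> list:
    return [name for bit, name in TCP_FLAG_BITS if flags & bit]

def hexdump(data: bytes, width: int = 16) -> str:
    """Render bytes the way the packet bytes pane does: offset, hex, ASCII."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {hexpart:<{width * 3 - 1}}  {ascii_part}")
    return "\n".join(lines)

def dissect(frame: bytes) -> dict:
    """Decode the Ethernet II, IPv4 and TCP headers into the fields the packet
    details pane would show, keyed by Wireshark-style field names.
    Raises ValueError on truncated or malformed input instead of guessing."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    details = {"eth.dst": mac_str(dst_mac), "eth.src": mac_str(src_mac),
               "eth.type": ethertype}
    if ethertype != 0x0800:          # only IPv4 is decoded here
        return details
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, _flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or total_len > len(ip):
        raise ValueError("malformed IPv4 header")
    details.update({"ip.version": version, "ip.hdr_len": ihl, "ip.len": total_len,
                    "ip.id": ident, "ip.ttl": ttl, "ip.proto": proto,
                    "ip.src": socket.inet_ntoa(src), "ip.dst": socket.inet_ntoa(dst)})
    if proto != 6:                   # only TCP is decoded here
        return details
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_offset = (off_flags >> 12) * 4
    details.update({"tcp.srcport": sport, "tcp.dstport": dport, "tcp.seq": seq,
                    "tcp.ack": ack, "tcp.hdr_len": data_offset,
                    "tcp.flags": tcp_flag_names(off_flags & 0x1FF),
                    "tcp.window_size": window, "tcp.payload": tcp[data_offset:]})
    return details

def matches_port_filter(details: dict, port: int) -> bool:
    """Same test as the display filter 'tcp.port == <port>' (either direction)."""
    return port in (details.get("tcp.srcport"), details.get("tcp.dstport"))

if __name__ == "__main__":
    print(hexdump(SAMPLE_FRAME))          # what the packet bytes pane shows
    for name, value in dissect(SAMPLE_FRAME).items():
        print(f"{name:<16} {value}")      # what the packet details pane shows
```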

How to Use Wireshark Filters


Capture filters give Wireshark instructions to only record packets that satisfy specific
requirements. A capture file can also have filters applied to it so that only specific packets are
displayed. Display filters are the name given to this.
Wireshark provides a large number of predefined filters by default. To use one of these
existing filters, enter its name in the Apply a display filter entry field located below the
Wireshark toolbar or in the Enter a capture filter field located in the center of the welcome
screen.
For example, if you want to display TCP packets, type TCP. The Wireshark autocomplete
feature shows suggested names as you begin typing, making it easier to find the correct
moniker for the filter you’re seeking.

Another way to choose a filter is to select the bookmark on the left side of the entry field.
Choose Manage Filter Expressions or Manage Display Filters to add, remove, or edit filters.

You can also access previously used filters by selecting the down arrow on the right side of
the entry field to display a history drop-down list.
Capture filters are applied as soon as you begin recording network traffic. To apply a display
filter, select the right arrow on the right side of the entry field.

What is Network Sniffing?


Computers on a network locate one another using IP addresses. When a message is broadcast
on the network, the recipient computer with the matching IP address responds with its MAC
address.
Network sniffing is the process of intercepting data packets sent over a network. This can
be done with a specialized software program or hardware device. Sniffing can be used to:
Capture sensitive data such as login credentials
Eavesdrop on chat messages
Capture files being transmitted over a network
The following are protocols that are vulnerable to sniffing:
Telnet
Rlogin
HTTP
SMTP
NNTP
POP
FTP
IMAP
The above protocols are vulnerable if login details are sent in plain text.

Passive and Active Sniffing


Before we look at passive and active sniffing, let’s look at two major devices used to network
computers; hubs and switches.
A hub works by sending broadcast messages to all output ports on it except the one that
has sent the broadcast. If the IP address matches, the broadcast message is responded to
by the recipient computer. Therefore, while using a hub, the broadcast message is visible to
every computer connected to the network. It functions at the OSI Model’s physical layer, or
layer 1.

The diagram below illustrates how the hub works.

A switch works differently: it maps IP/MAC addresses to its physical ports. Messages are
forwarded only to the physical port that corresponds to the receiving computer’s IP/MAC
address. This implies that only the receiving machine can see them. Switches function at the
data link layer (layer 2) and the network layer (layer 3).
The diagram below illustrates how the switch works.

Passive sniffing is intercepting packets transmitted over a network that uses a hub. It is
called passive sniffing because it is difficult to detect. It is also easy to perform, as the hub
sends broadcast messages to all the computers on the network.
Active sniffing is intercepting packets transmitted over a network that uses a switch.
There are two main methods used to sniff switch-linked networks: ARP poisoning and MAC
flooding.

Hacking Activity: Sniff network traffic


In this practical scenario, we are going to use Wireshark to sniff data packets as they are
transmitted over the HTTP protocol. For this example, we will sniff the network using
Wireshark, then log in to a web application that does not use secure communication. We will
log in to a web application on http://www.techpanda.org/
The login address is admin@google.com, and the password is Password2010.
Note: for this demonstration we will log in to the web application ourselves. The same method
can also be used to sniff data packets from machines connected to the same network as the
one you are now using. The sniffer captures all HTTP and other protocol data packets, not just
those to techpanda.org.

Sniffing the network using Wireshark
The illustration below shows you the steps that you will carry out to complete this exercise
without confusion

Download Wireshark from this link http://www.wireshark.org/download.html


Open Wireshark
You will get the following screen

Select the network interface you want to sniff. Note for this demonstration, we are using a
wireless network connection. If you are on a local area network, then you should select the
local area network interface.
Click on the start button as shown above

Open your web browser and type in http://www.techpanda.org/

The login email is admin@google.com and the password is Password2010


Click on submit button
A successful logon should give you the following dashboard

Go back to Wireshark and stop the live capture

Filter for HTTP protocol results only using the filter textbox

Locate the Info column and look for entries with the HTTP verb POST and click on it

Just below the log entries, there is a panel with a summary of captured data. Look for the
summary that says Line-based text data: application/x-www-form-urlencoded

You should be able to view the plaintext values of all the POST variables submitted to the
server via HTTP protocol.
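As an added defender-side check (not from the original article), the following script examines a reassembled HTTP request of the kind located in the exercise above and reports which form fields crossed the network unencrypted, masking any credential-looking value so the report itself does not repeat it; the request, host and field names are constructed.

```python
from urllib.parse import parse_qsl

# Constructed HTTP request as it would appear in the reassembled TCP payload of a
# captured POST (not from a real capture; host and field names are made up).
SAMPLE_POST = (
    "POST /login.php HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 58\r\n"
    "\r\n"
    "email=admin%40example.test&password=Secret123&submit=Login"
)

# Field-name fragments that usually carry a credential; their values are masked.
SENSITIVE_FRAGMENTS = ("pass", "pwd", "secret", "token", "pin")

def parse_http_request(payload: str):
    """Split a request into method, path, lowercase header dict and body."""
    head, _, body = payload.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def audit_cleartext_form(payload: str):
    """Flag form fields submitted over unencrypted HTTP. Returns None when the
    request is not a form-urlencoded POST; otherwise the field names, with any
    credential-looking value masked, plus whether the body was fully captured."""
    method, path, headers, body = parse_http_request(payload)
    ctype = headers.get("content-type", "")
    if method != "POST" or not ctype.startswith("application/x-www-form-urlencoded"):
        return None
    declared = int(headers.get("content-length", len(body)))
    fields, sensitive = {}, []
    for name, value in parse_qsl(body, keep_blank_values=True):
        if any(frag in name.lower() for frag in SENSITIVE_FRAGMENTS):
            sensitive.append(name)
            value = "*" * len(value)      # never echo the credential itself
        fields[name] = value
    return {"host": headers.get("host"), "path": path, "fields": fields,
            "sensitive_fields": sensitive,
            "body_complete": len(body.encode()) == declared}

if __name__ == "__main__":
    print(audit_cleartext_form(SAMPLE_POST))
```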

What is a MAC Flooding?


MAC flooding is a network sniffing technique that floods the switch MAC table with fake
MAC addresses. This causes the switch memory to become overloaded and causes it to
function as a hub. All computers connected to a network receive the broadcast messages
once the switch has been compromised. This enables the sniffing of data packets as they
travel across the network.

Counter Measures against MAC flooding


Some switches have a port security feature. This feature can be used to limit the number
of MAC addresses on the ports. It can also be used to maintain a secure MAC address table
in addition to the one provided by the switch.
Authentication, authorization, and accounting (AAA) servers can be used to filter discovered
MAC addresses.
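Port security and AAA-based filtering both rest on counting source MAC addresses per switch port. The following is an added example, not part of the original article, that emulates a port-security limit and, for a capture taken on a mirror port (see port mirroring above), flags the burst of never-before-seen MACs that MAC flooding produces; the port names, MAC addresses and thresholds are constructed.

```python
from collections import defaultdict, deque

# Constructed sample of frames as a switch (or a capture on its mirror port) sees them:
# (timestamp in seconds, ingress port, source MAC). Port Gi1/0/1 carries two normal
# hosts; port Gi1/0/7 carries a burst of 50 made-up source MACs within 50 ms.
SAMPLE_FRAMES = [
    (0.0, "Gi1/0/1", "aa:bb:cc:00:00:01"),
    (0.5, "Gi1/0/1", "aa:bb:cc:00:00:02"),
    (1.0, "Gi1/0/1", "aa:bb:cc:00:00:01"),
] + [
    (2.0 + i * 0.001, "Gi1/0/7", f"02:00:00:00:{i:02x}:00") for i in range(50)
]

def enforce_port_security(frames, max_macs=2):
    """Emulate a switch port-security limit: each port may learn at most
    max_macs source addresses; a further new address is a violation that
    err-disables the port, after which its frames are dropped."""
    learned = defaultdict(set)
    err_disabled = set()
    forwarded = 0
    for _ts, port, src in frames:
        if port in err_disabled:
            continue
        if src not in learned[port]:
            if len(learned[port]) >= max_macs:
                err_disabled.add(port)
                continue
            learned[port].add(src)
        forwarded += 1
    return {"learned": {p: sorted(m) for p, m in learned.items()},
            "err_disabled": sorted(err_disabled), "forwarded": forwarded}

def detect_mac_flood(frames, window=1.0, threshold=20):
    """Passive detector for a mirror-port capture: raise one alert per port
    when more than `threshold` previously unseen source MACs appear within
    `window` seconds. Returns a list of (timestamp, port, new_mac_count)."""
    seen = defaultdict(set)
    recent = defaultdict(deque)
    alerts, alerted = [], set()
    for ts, port, src in sorted(frames):
        if src in seen[port]:
            continue
        seen[port].add(src)
        q = recent[port]
        q.append(ts)
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) > threshold and port not in alerted:
            alerted.add(port)
            alerts.append((ts, port, len(q)))
    return alerts

if __name__ == "__main__":
    print(enforce_port_security(SAMPLE_FRAMES))
    print(detect_mac_flood(SAMPLE_FRAMES))
```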

Sniffing Counter Measures

Restricting physical access to the network media greatly reduces the chances of a network
sniffer being installed.
Encrypting messages as they are transmitted over the network greatly reduces their value to
an attacker, as they are difficult to decrypt.
Changing the network to use Secure Shell (SSH) also reduces the chances of the network
being sniffed.

Wireshark Color Rules


While Wireshark’s capture and display filters restrict the packets that are captured or
displayed on the screen, its colorization feature goes a step further by being able to discern
between various packet types based on their distinct hue. By using their row color in the
packet list window, this rapidly identifies specific packets within a saved set.

Wireshark comes with about 20 default coloring rules, each can be edited, disabled, or
deleted. Select View > Coloring Rules for an overview of what each color means. You can
also add your own color-based filters.

Select View > Colorize Packet List to toggle packet colorization on and off.

Wireshark Statistics
The Wireshark provides a wide domain of statistics. They are listed below:

Below is the list of statistics of Wireshark along with the description:


I/O GRAPHS

It shows a graph of the network traffic. The graph has a similar layout every time but changes
according to the traffic involved. Below the figure there is a table with some filters. Using the
‘+’ button you can add more filters, and using the ‘-’ button you can remove existing ones. You
can also change the color: for every filter, you can add a colored layer, which improves the
visibility of the graph.
The tick box under ‘Enabled’ displays the layer according to your requirements.
For example, we have applied the filter ‘TCP errors’, and the change can be seen easily.
The image is shown below:

If you click on a certain area of the graph, the corresponding network traffic packet will be
shown on the screen. A filter can also be applied to a particular port.
Another category of the graph comes under the option ‘TCP Stream graphs.’
It gives the visualization of the TCP sequence number with time.
Below are the steps to understand the TCP Stream graphs:
Open the wireshark. Click on the interface to watch the network traffic.
Apply the filter as ‘TCP.’
Click on the option ‘Statistics’ on the menu bar and select ‘TCP Stream graphs‘ and select
‘Time sequence (tcptrace). You can also choose other options in the ‘TCP Stream graphs’
category depending on your requirements. Now the screen will look as:

Once you have zoomed in, you can see the points on the graph in more detail. Lines are used
to represent the packets; the length along the Y-axis shows the packet’s size. The green line
can be seen rising before leveling out, which shows that the data was acknowledged (ACKed).
An increase in this value means that more data is being sent.
Data is sent and then acknowledged; this is the proper operation of TCP. A flat line signifies
that nothing is happening.
The green line above is the ‘receive window’. The gap between the receive window and the
packets shows how much space is left in the receive buffer.

Want to learn more about Wireshark?


Check out the hour-long webinar titled “Using Wireshark: An Interactive Demonstration” if you
want to go a little deeper. After registering, you can watch the video on demand.
The table below contains links to Wireshark resources, as well as real packet captures that
you can use to learn more. You can even download a quick “cheat sheet” in PDF form from
packetlife.net.

Summary
Network sniffing is intercepting packets as they are transmitted over the network.
Passive sniffing is done on a network that uses a hub. It is difficult to detect.
Active sniffing is done on a network that uses a switch. It is easy to detect.
MAC flooding works by flooding the switch’s MAC address table with fake MAC addresses.
This makes the switch operate like a hub.
The security measures outlined above can help protect the network against sniffing.

Rocky
For newcomers who wish to advance their knowledge and abilities, I create quality data here.
Here, I share in-depth tutorials related to web development, Finance, Ethical Hacking, and
much more.
