Cyber Forensics Tools

Wireshark

Wireshark is a packet analyzer. It is used to analyze packets live as they cross the wire or afterwards from a packet capture file. It is cross-platform, widely used, and well maintained.

On Windows, Wireshark can be downloaded from Wireshark.org. On Linux, Wireshark can be found in the popular package managers.

Wireshark has a graphical interface with the functionality of tcpdump. If the interface it is monitoring is operating in promiscuous mode, it can see all traffic visible on that interface, not only frames addressed to the host, and it displays that traffic as soon as it is captured. Once the traffic is captured, each packet can be taken apart layer by layer for analysis.

To start a live packet capture in Wireshark, select the interface you want to monitor and start the capture. Packets are then shown as they are captured, in real time. The capture can be stopped at any time, and the captured packets can be saved for later analysis. Wireshark can also analyze packet captures from other sources such as tcpdump.

To create a packet capture on tcpdump to be analyzed with Wireshark later:
tcpdump -i eth0 -s 65535 -w dump.pcap

The -i flag names the interface to capture on, -s 65535 sets the snapshot length so whole packets are kept rather than truncated, and -w writes the raw packets to the file named after it; adjust the interface and file name as desired. The .pcap file generated by tcpdump, like any other .pcap file, can then be opened in Wireshark for analysis.
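As an added example, not code from the original page or from the Wireshark or tcpdump projects, the following Python script does in miniature what Wireshark does with a tcpdump .pcap: it parses the classic pcap file format (global header plus one record header per packet) and takes each frame apart layer by layer, Ethernet then IPv4 then TCP. The sample capture is constructed inline and the addresses in it are made up; a truncated file, as left behind when tcpdump is killed mid-write, is reported rather than silently mis-parsed.

```python
import struct

def parse_pcap(data: bytes) -> list:
    """Split a classic pcap file into (timestamp, captured frame, original length) records."""
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)   # magic also reveals byte order
    if endian is None:
        raise ValueError("not a pcap file (magic %#x)" % magic)
    snaplen, linktype = struct.unpack_from(endian + "II", data, 16)
    if linktype != 1:                       # only LINKTYPE_ETHERNET is dissected here
        raise ValueError("unsupported link type %d" % linktype)
    records, off = [], 24                   # global header is 24 bytes
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) != incl_len or incl_len > snaplen:
            raise ValueError("truncated or corrupt record at offset %d" % (off - 16))
        off += incl_len
        records.append((ts_sec + ts_usec / 1e6, frame, orig_len))
    return records

def dissect(frame: bytes) -> dict:
    """Take one Ethernet frame apart layer by layer: Ethernet -> IPv4 -> TCP."""
    layers = {}
    if len(frame) < 14:
        return layers
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    layers["eth"] = {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"), "type": ethertype}
    if ethertype != 0x0800 or len(frame) < 34:        # not IPv4, or too short for an IP header
        return layers
    ihl = (frame[14] & 0x0F) * 4                      # IP header length in bytes
    layers["ip"] = {"src": ".".join(map(str, frame[26:30])),
                    "dst": ".".join(map(str, frame[30:34])), "proto": frame[23]}
    tcp = frame[14 + ihl:]
    if frame[23] != 6 or len(tcp) < 20:               # not TCP, or too short for a TCP header
        return layers
    sport, dport, seq, ack, off_flags = struct.unpack_from("!HHIIH", tcp, 0)
    layers["tcp"] = {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
                     "flags": off_flags & 0xFF, "payload": tcp[(off_flags >> 12) * 4:]}
    return layers

def build_sample_pcap() -> bytes:
    """Constructed sample: one TCP SYN 10.0.0.1:40000 -> 10.0.0.2:80 (made-up addresses)."""
    eth = bytes.fromhex("00112233445566778899aabb0800")
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, 0x5002, 65535, 0, 0)   # offset 5, SYN
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    frame = eth + ip + tcp
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)    # v2.4, Ethernet
    return header + struct.pack("<IIII", 1700000000, 0, len(frame), len(frame)) + frame
```

Pointing parse_pcap at the bytes of a real dump.pcap produced by the tcpdump command above works the same way, as long as the capture was taken on an Ethernet interface.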

Besides basic packet analysis, Wireshark includes other useful features such as display filtering, color coding, searching, and the ability to follow TCP streams.

SANS has published a useful Wireshark guide for further reading.
