Wireshark is a free and open-source network protocol analyzer. On Linux it captures packets from network interfaces through libpcap, the same capture library tcpdump uses, and it can also open capture files recorded elsewhere. The goal of this article is not only to give you some basic information about Wireshark itself but also to show how to get started troubleshooting your Linux box.
Assume you’re a network administrator who wants to collect network packets. In that situation you have two options: buy an expensive hardware appliance, or use Wireshark, a network protocol analyzer that runs on Linux.
Wireshark allows you to capture and examine packets at your leisure. And in this article, you’ll learn how to install Wireshark on Linux as well as the fundamentals of packet capture and analysis.
Continue reading to ensure you never miss another vital network packet!
Prerequisites
This tutorial is hands-on. If you want to follow along, make sure you have the following on hand.
- A Linux system. Ubuntu 20.04 LTS is used in this tutorial; the apt and PPA steps apply to Ubuntu and other Debian-based distributions, while other distributions ship Wireshark in their own repositories, so only the installation steps differ.
Wireshark on Linux Installation
Wireshark is available in Ubuntu’s standard repository. However, the packaged version can lag well behind upstream, so you will install the current stable release from the Wireshark developers’ PPA instead.
You’ll use the APT package manager to update your system, add the official Wireshark PPA, and install the newest version of Wireshark.
1. To refresh your package index and bring installed packages up to date, open a terminal window and run the command below.
sudo apt update && sudo apt upgrade -y
Repositories for Packages are being updated.
2. Next, use the apt install command to install the packages needed to add a new repository.
The following will be installed as a result of this command:
- software-properties-common, which provides the add-apt-repository command used to add a PPA (personal package archive).
- apt-transport-https, which lets apt fetch from HTTPS repositories. On Ubuntu 20.04 this is a transitional package, because apt already supports HTTPS natively, so installing it is harmless.
When a repository is served over HTTPS, downloads are protected by TLS, which stops an on-path observer from seeing or tampering with what you fetch in transit. Package integrity does not depend on this, though: apt verifies the repository’s GPG signature whether the transport is HTTP or HTTPS.
sudo apt install software-properties-common apt-transport-https -y
Installing the Wireshark Repository’s Required Packages
3. Add the Wireshark development team’s PPA (ppa:wireshark-dev/stable) to your Ubuntu system using the add-apt-repository command.
add-apt-repository is a utility that adds a PPA, together with its signing key, without your having to edit apt’s source lists by hand. If you want to install other repositories later, this tool will come in handy.
sudo add-apt-repository ppa:wireshark-dev/stable
To add the new PPA, press ENTER on your keyboard as shown below.
The new Wireshark PPA has been added.
4. Verify the new source with the ls command below. add-apt-repository writes each PPA to its own .list file under /etc/apt/sources.list.d/ rather than editing /etc/apt/sources.list, so you should see a file for wireshark-dev there.
ls -l /etc/apt/sources.list.d/
Checking that the sources file exists
5. Run apt update again so apt reads the package index from the Wireshark PPA you just added.
sudo apt update
You’ll see an additional line in the output for the Wireshark PPA, as shown below, indicating that the Wireshark repository is now being used.
Adding the Wireshark Repositories to your System
6. Once the index is updated, run the apt install command below to install the latest stable version of Wireshark.
sudo apt install wireshark -y
When prompted to enable non-superusers to collect packets, choose Yes and hit ENTER on your keyboard to complete the installation, as shown below.
Capturing from an interface requires raw-socket privileges that ordinary users do not have. Choosing Yes makes the capture helper, dumpcap, owned by group wireshark and executable only by that group, and grants it the cap_net_raw and cap_net_admin file capabilities (falling back to setuid root only on systems without setcap). The Wireshark GUI itself then never runs as root, which matters because its protocol dissectors parse untrusted data straight off the wire. You’ll add your user to the wireshark group in the next section.
Providing Non-Superusers with the Ability to Capture Packets
7. Finally, run wireshark --version to confirm that Wireshark is installed.
The most recent stable version of Wireshark as of this writing is 3.4.8, as indicated below, although yours may change.
Checking the Wireshark version that is installed
Because you’re new to Wireshark, run wireshark --help to see the available command-line options.
Taking a look at the Wireshark Help Manual
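The privilege model behind the step 6 prompt is worth verifying rather than assuming. The Python script below is an added example, not part of the original article or of the Wireshark project: it decodes the security.capability extended attribute on /usr/bin/dumpcap (the Debian/Ubuntu path, assumed here) and checks that the binary carries cap_net_raw and cap_net_admin, is owned by group wireshark, is not executable by everyone, is not setuid, and that your current login session is in that group. SETCAP_EIP_BLOB is a constructed copy of what setcap writes, used so the checks can be exercised without touching the real file; the live check runs when you execute the script.

```python
"""Added example: audit the dumpcap setup that the 'non-superusers may capture'
prompt creates. Not part of the article or of Wireshark itself."""
import grp
import os
import stat
import struct

DUMPCAP = "/usr/bin/dumpcap"            # assumed Debian/Ubuntu path
CAP_NET_ADMIN, CAP_NET_RAW = 12, 13     # capability numbers from <linux/capability.h>
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_1, VFS_CAP_REVISION_2, VFS_CAP_REVISION_3 = 0x01000000, 0x02000000, 0x03000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
NEEDED = (1 << CAP_NET_RAW) | (1 << CAP_NET_ADMIN)


def parse_vfs_caps(blob: bytes) -> dict:
    """Decode the raw security.capability xattr (struct vfs_cap_data, little-endian).
    Layout: u32 magic_etc, then {u32 permitted, u32 inheritable} for caps 0-31 and,
    from revision 2 on, a second pair for caps 32-63; revision 3 appends a rootid."""
    magic, = struct.unpack_from("<I", blob, 0)
    rev = magic & VFS_CAP_REVISION_MASK
    if rev == VFS_CAP_REVISION_1:
        p_lo, i_lo = struct.unpack_from("<II", blob, 4)
        p_hi = i_hi = 0
    elif rev in (VFS_CAP_REVISION_2, VFS_CAP_REVISION_3):
        p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<IIII", blob, 4)
    else:
        raise ValueError(f"unknown vfs_cap_data revision 0x{rev:08x}")
    return {"permitted": p_lo | (p_hi << 32),
            "inheritable": i_lo | (i_hi << 32),
            # a single flag: all permitted caps become effective at exec
            "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE)}


def audit_dumpcap(cap_blob, mode: int, file_gid: int, wireshark_gid: int, user_gids) -> list:
    """Return a list of problems; empty means non-root capture should work.
    Pure function so it can be exercised with constructed inputs."""
    problems = []
    if cap_blob is None:
        problems.append("no file capabilities: dumpcap would need root to capture")
    else:
        caps = parse_vfs_caps(cap_blob)
        if caps["permitted"] & NEEDED != NEEDED or not caps["effective"]:
            problems.append("cap_net_raw and cap_net_admin are not both permitted+effective")
    if mode & stat.S_ISUID:
        problems.append("dumpcap is setuid root; file capabilities are the narrower choice")
    if mode & stat.S_IXOTH:
        problems.append("dumpcap is executable by everyone, not only by group wireshark")
    if not mode & stat.S_IXGRP:
        problems.append("dumpcap is not group-executable")
    if file_gid != wireshark_gid:
        problems.append("dumpcap is not owned by group wireshark")
    if wireshark_gid not in user_gids:
        problems.append("this session is not in group wireshark (log out and back in after usermod)")
    return problems


def audit_live(path: str = DUMPCAP) -> list:
    """Run the audit against the real binary and the current login session."""
    st = os.stat(path)
    try:
        blob = os.getxattr(path, "security.capability")
    except OSError:                      # xattr absent: no file capabilities
        blob = None
    return audit_dumpcap(blob, st.st_mode, st.st_gid,
                         grp.getgrnam("wireshark").gr_gid, os.getgroups())


# Constructed xattr value, as written by `setcap cap_net_raw,cap_net_admin=eip`:
# revision 2, effective flag set, bits 12 and 13 (0x3000) permitted and inheritable.
SETCAP_EIP_BLOB = struct.pack("<IIIII", VFS_CAP_REVISION_2 | VFS_CAP_FLAGS_EFFECTIVE,
                              0x3000, 0x3000, 0, 0)

if __name__ == "__main__":
    for line in audit_live() or ["dumpcap looks ready for non-root capture"]:
        print(line)
```

Run it as the user you intend to capture with. If it reports that the session is not in group wireshark even though usermod succeeded, the shell you are in predates the group change; a fresh login fixes it. The same checks can be done by hand with getcap /usr/bin/dumpcap, ls -l /usr/bin/dumpcap and id, but decoding the xattr shows what "file capabilities" actually are: a small struct on the inode, not a setuid bit.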
Using the Wireshark GUI to capture packets
Now that Wireshark is installed, you can start capturing packets. The good news is that Wireshark’s graphical user interface lets you capture and analyze packets with only a few mouse clicks. However, before you can capture, your user must be a member of the wireshark group.
1. Run the usermod command on your system to add your username to the wireshark group; in this example, it’s the non-root user ($(whoami)).
This command substitutes the output of whoami into the usermod command, so you don’t have to hard-code your username. The -a flag appends to the user’s supplementary groups; without it, -G would replace them.
sudo usermod -aG wireshark $(whoami)
Adding the wireshark Group to the non-root user
2. Group membership is evaluated at login, so the change doesn’t apply to sessions that are already open. Log out and back in, or reboot as shown below, then sign in with the same account you just added to the wireshark group. (Running newgrp wireshark in a terminal gives that one shell the new group without logging out.)
Rebooting the Computer
3. Launch the Wireshark UI by running the wireshark command with no flags or arguments.
wireshark
If the PC you’re using doesn’t have a wireless card, you may safely disregard the nl80211 not found warning that appears when the Wireshark UI starts, as seen below. This message is intended to help you address wireless driver difficulties.
Using the Terminal to launch the Wireshark UI
You can also launch Wireshark from your desktop’s application launcher, as demonstrated below: search for Wireshark and open it.
Using the Menu Bar to access the Wireshark UI
4. Select the interfaces you want to capture from in the All interfaces shown drop-down, as shown below. You’ll also see a wireless card or a Bluetooth adapter listed if your system has one.
To begin capturing, select one or more of the listed network adapters and click the blue shark-fin icon in the toolbar. This demonstration uses the eth0 interface, which is the system’s Ethernet card.
Selecting Network Interfaces for Packet Capture
Although Wireshark lists every network interface on the system, not all of them are active at any one time. For example, a USB wireless adapter plugged into your laptop won’t carry any packets until you connect it to an access point, so capturing on it shows nothing.
5. In your terminal, run ping google.com to generate some traffic and check whether your system can reach the internet.
Whether the ping succeeds depends on your machine’s setup; if google.com answers, your machine can reach the internet.
The Wireshark UI displays every packet sent and received by your machine on the selected interface. As you can see below, Wireshark has already recorded a lot of packets on that interface.
Some workstations can’t reach the internet because of firewall restrictions or other settings that are outside the scope of this article. To let packets flow, you may need to add iptables or UFW rules, or adjust settings on the receiving host.
The Wireshark packet capture interface
6. Now click a packet in the packet list pane to see more about it. When you select a packet, the packet details (tree) pane and the packet bytes pane update immediately, as seen below.
The tree view and byte view packet panels may both be seen.
7. To examine more of the selected packet, click the arrow next to any section of the tree to expand it. When you click a field in the details pane, the bytes pane highlights the bytes that field was decoded from, as seen below.
Wireshark lets you study packets in great detail to figure out what’s preventing your machine from connecting to the internet or creating other network problems.
Taking a Closer Look at a Few Packets
For clarification, you may want to open the packets in a separate window. If this is the case, right-click a packet and choose Show Packet in New Window from the context menu as shown below.
If you have a lot of packets to look at, moving between windows is significantly faster than looking at them one by one.
Seeing Packets in a Separate Window
Filtering Packets Using Filter Expressions and Filter Strings
If you know precisely what you’re looking for, or want to examine packets that meet a criterion such as a particular destination IP address, it’s better to filter out everything else. Your server may be handling hundreds or thousands of packets per second, and it’s almost impossible to find what you’re after in that sea of packets.
By typing a filter string into the text box area at the top of the main Wireshark window, you can filter out all other packets. For example, you may wish to analyze the headers of a TCP stream to figure out why your system can’t communicate with the internet.
1. Type tcp into the filter box and press ENTER to view only packets that match. Packets of any other type are hidden from the packet list, but they are still in the capture: a display filter only changes what is shown, unlike a capture filter, which is set before capture starts and decides what gets recorded at all.
Only TCP Packets are listed.
2. Next, click Analyze -> Display Filter Expression. A dialog opens that lets you build a filter by choosing a field name, a comparison operator and a value, which is handy when you don’t know the exact field name.
Getting to the Expression Pane for the Display Filter
Some filter expressions for finding certain packets are shown below.
Viewing Expressions of Comparisons
3. Finally, type http in the search box, select http.bad_header_name, choose is present, and click OK. This expert-info field marks HTTP requests whose header names contain illegal characters, which can point to a misbehaving client or a deliberately malformed request sent to your server.
Illegal characters were discovered in the http request’s header name.
Creating a File from Captured Packets
If you’re troubleshooting an issue that involves one or more packets, save those packets: they may be useful for later analysis.
An intermittent connection problem, for example, is hard to diagnose from the live view alone. If you save the packets to a file, someone else (an ISP or another network specialist) can look at them and work out what’s happening on your network.
Click File -> Save As, choose the save location, and give the file a name with a .pcap extension (for example, ata.pcap). Wireshark will save all packets captured in the session to the file, which you can share with others to help troubleshoot your network problem. Two things to watch: Wireshark defaults to the pcapng format, so pick pcap in the file-type drop-down if the recipient’s tools need the older format; and the file contains every captured packet, including any passwords or session tokens that crossed the wire in the clear, so review it before sending it to anyone.
Creating a File from Captured Packets
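Both the display-filter step above and the save step are easier to reason about once you see what is inside a .pcap file. The Python program below is an added example, not code from the original article or from Wireshark: it builds a three-packet capture from constructed packets (an ICMP echo request and two TCP SYNs between the private address 10.0.0.5 and the documentation addresses 203.0.113.10 and 192.0.2.1), reads the pcap back, dissects the Ethernet/IPv4/TCP/ICMP headers into Wireshark-style field names, applies a small subset of Wireshark’s display-filter syntax (bare protocol names, field == value, and && joins, with ip.addr and tcp.port matching either direction as they do in Wireshark), and writes only the matching packets back out as a new pcap. The field names, filter subset and helper functions are this example’s own.

```python
"""Added example: read/write classic pcap and apply a subset of Wireshark display
filters to a constructed capture. Not part of the article or of Wireshark itself."""
import ipaddress
import struct

PCAP_MAGIC = 0xA1B2C3D4       # classic pcap, microsecond timestamps (pcapng differs)
LINKTYPE_ETHERNET = 1
# Wireshark lets these match either direction; the evaluator does the same.
ALIASES = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport")}


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """20-byte IPv4 header (DF set, TTL 64) with a valid checksum, plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      64, proto, 0, ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload


def build_tcp(sport: int, dport: int, flags: int = 0x02) -> bytes:
    """20-byte TCP header, SYN by default; checksum left zero (constructed data)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, flags, 65535, 0, 0)


def build_icmp_echo(ident: int = 1, seq: int = 1) -> bytes:
    body = struct.pack("!BBHHH", 8, 0, 0, ident, seq)      # type 8 = echo request
    return body[:2] + struct.pack("!H", ip_checksum(body)) + body[4:]


def build_frame(src: str, dst: str, proto: int, l4: bytes) -> bytes:
    eth = bytes.fromhex("001122334455") + bytes.fromhex("0066778899aa") + b"\x08\x00"
    return eth + build_ipv4(src, dst, proto, l4)


def write_pcap(records) -> bytes:
    """records: iterable of (ts_sec, ts_usec, frame). Little-endian classic pcap."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for sec, usec, frame in records:
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def read_pcap(data: bytes):
    """Return [(ts_sec, ts_usec, frame), ...]; handles both byte orders."""
    endian = "<" if struct.unpack_from("<I", data, 0)[0] == PCAP_MAGIC else ">"
    magic, _, _, _, _, _, linktype = struct.unpack_from(endian + "IHHiIII", data, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("not a classic Ethernet pcap (pcapng is a different format)")
    off, records = 24, []
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        records.append((sec, usec, data[off:off + incl]))
        off += incl
    return records


def dissect(frame: bytes) -> dict:
    """Decode Ethernet/IPv4 and TCP or ICMP into Wireshark-style field names."""
    fields = {"eth": True}
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return fields
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    fields.update({"ip": True, "ip.proto": proto,
                   "ip.src": str(ipaddress.ip_address(frame[26:30])),
                   "ip.dst": str(ipaddress.ip_address(frame[30:34]))})
    l4 = frame[14 + ihl:]
    if proto == 6 and len(l4) >= 20:
        sport, dport = struct.unpack("!HH", l4[:4])
        fields.update({"tcp": True, "tcp.srcport": sport, "tcp.dstport": dport,
                       "tcp.flags.syn": bool(l4[13] & 0x02)})
    elif proto == 1 and len(l4) >= 8:
        fields.update({"icmp": True, "icmp.type": l4[0]})
    return fields


def matches(fields: dict, expr: str) -> bool:
    """Evaluate terms joined by '&&'/'and': a bare protocol name, or 'field == value'."""
    for term in expr.replace(" and ", " && ").split("&&"):
        term = term.strip()
        if "==" in term:
            name, value = (t.strip() for t in term.split("==", 1))
            if not any(str(fields.get(f)) == value for f in ALIASES.get(name, (name,))):
                return False
        elif not fields.get(term):
            return False
    return True


def filter_pcap(data: bytes, expr: str) -> bytes:
    """Equivalent of applying a display filter and then exporting displayed packets."""
    return write_pcap(r for r in read_pcap(data) if matches(dissect(r[2]), expr))


# Constructed sample capture: one ping and two TCP SYNs from a private host.
SAMPLE_PCAP = write_pcap([
    (1700000000, 0, build_frame("10.0.0.5", "203.0.113.10", 1, build_icmp_echo())),
    (1700000000, 1500, build_frame("10.0.0.5", "203.0.113.10", 6, build_tcp(51234, 443))),
    (1700000000, 3000, build_frame("10.0.0.5", "192.0.2.1", 6, build_tcp(51235, 80))),
])

if __name__ == "__main__":
    for expr in ("tcp", "icmp", "ip.addr == 203.0.113.10 && tcp.port == 443"):
        print(f"{expr!r}: {len(read_pcap(filter_pcap(SAMPLE_PCAP, expr)))} packet(s)")
    with open("filtered.pcap", "wb") as fh:          # open this file in Wireshark
        fh.write(filter_pcap(SAMPLE_PCAP, "tcp"))
```

Open the generated filtered.pcap in Wireshark and you will see the two SYNs with the same ip.src, ip.dst and tcp.dstport values the dissector above produced. In the GUI, the equivalent of filter_pcap is applying the display filter and then using File -> Export Specified Packets with "Displayed" selected; plain Save As writes every captured packet regardless of the filter. One trap the evaluator deliberately does not support: in Wireshark, ip.addr != 10.0.0.5 matches any packet where at least one of the two addresses differs, which is nearly every packet; to exclude a host, write !(ip.addr == 10.0.0.5).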
Conclusion
In this article, you’ve learned how to install Wireshark on a Linux system for packet capture and analysis. You’ve also learned the basic Wireshark features: capture settings, different ways of filtering packets, and saving captured packets to a file.
With that knowledge you can now collect packets to debug client-side DHCP problems or other network connectivity issues, and start using Wireshark for security work, for example checking which connections are actually encrypted and which protocols are still talking in the clear.
Frequently Asked Questions
How do I troubleshoot network issues with Wireshark?
A: First, check basic reachability with ping. If you get no reply, start a capture on the interface the traffic should leave from and filter on the other host (ip.addr == its address) to see whether your requests leave the machine at all and whether anything comes back. Rather than disabling your firewall, check its rules and logs for the blocked port; the capture will show you exactly where the packets stop.
How do I start Wireshark on Linux?
A: Open a terminal and run wireshark, or run wireshark -i eth0 -k to start capturing on eth0 immediately. You can also launch it from your desktop’s application menu. Your user must be in the wireshark group to capture without root.
How use Wireshark Linux?
A: Wireshark is a network protocol analyzer with a graphical interface for capturing and dissecting traffic. Its command-line counterpart, tshark (a separate package), uses the same dissectors and display-filter syntax, so it is the tool to use on headless servers or over SSH.