Wireshark is a powerful open source network analyser which can be used to sniff the data on a network, as an aide to troubleshooting network traffic analysis, but equally as an educational tool to help understand the principles of networks and communication protocols.
It is readily available for just about any Linux distribution and for Ubuntu, it can be installed via the Ubuntu Software Center or the terminal:
Before using wireshark, the
dumpcap utility needs to be given permission to run as root. Without this, Wireshark won’t be able to capture network traffic when you are logged in as a normal user (which is always in distributions like Ubuntu). To add the “
setuid” bit to
dumpcap, use the following command:
Note that the quotes marks around the “which dumpcap” aren’t normal single quotes but rather the grave accent character. On Unix-like systems, this invokes command substitution where the output from the
which command becomes a parameter for the
chmod command, i.e. the full path of the
Start Wireshark and then click on the network interface you want to use to capture the data. On a wired network, it will likely be
eth0. Now click Start.
Wireshark will begin capturing traffic and displaying it as a color coded list in the main window. TCP traffic is green, UDP packets are light blue, ARP requests are yellow and DNS traffic is shown in dark blue.
Just below the tool bar is the Filter box. To see only certain types of network packets, enter the protocol name in the edit box and click Apply. For example, to see only the ARP (Address Resolution Protocol) message, type
arp into the Filter box and click Apply. The list will change to only show ARP messages. ARP is used on a LAN to discover which machine is using a certain IP address. Other example filters are HTTP, ICMP, SMTP, SMB and so on.
Wireshark can filter using more advanced criteria than just the protocol type. For example, to see all the DNS related traffic that has comes from a particular host, use the filter
ip.src==192.168.1.101 and dns where
192.168.1.101 is the source address you want to filter.
If you spot an interesting interaction between two hosts that you want to see in its entirety, then Wireshark has a “follow stream” option. Right click on any packet in the exchange and then click on “Follow TCP Stream” (or Follow UDP Stream, Follow SSL Stream depending on the protocol type). Wireshark will then show a complete copy of the conversation.
Using Wireshark can be as complex or as simple as you need it to be, there are plenty of advanced features for network experts but those wanting to learn about networks can also benefit from using it. Here is something to try if you want to learn more about Wireshark. Start a capture and set the filter to ICMP. Now ping your Linux machine using a command like this from another Linux machine or even from a Windows PC command shell:
192.168.1.10 is the IP address of the Linux machine. Now look at the packet list and see if you spot the network traffic for the ping.