Using Wireshark on Ubuntu

Wireshark is a powerful open source network analyser which can be used to sniff the data on a network, as an aide to troubleshooting network traffic analysis, but equally as an educational tool to help understand the principles of networks and communication protocols.

It is readily available for just about any Linux distribution and for Ubuntu, it can be installed via the Ubuntu Software Center or the terminal:

Before using wireshark, the dumpcap utility needs to be given permission to run as root. Without this, Wireshark won’t be able to capture network traffic when you are logged in as a normal user (which is always in distributions like Ubuntu). To add the “setuid” bit to dumpcap, use the following command:

Note that the quotes marks around the “which dumpcap” aren’t normal single quotes but rather the grave accent character. On Unix-like systems, this invokes command substitution where the output from the which command becomes a parameter for the chmod command, i.e. the full path of the dumpcap binary.

wireshark-Start-capture

Start Wireshark and then click on the network interface you want to use to capture the data. On a wired network, it will likely be eth0. Now click Start.

Wireshark will begin capturing traffic and displaying it as a color coded list in the main window. TCP traffic is green, UDP packets are light blue, ARP requests are yellow and DNS traffic is shown in dark blue.

wireshark-live-capture

Just below the tool bar is the Filter box. To see only certain types of network packets, enter the protocol name in the edit box and click Apply. For example, to see only the ARP (Address Resolution Protocol) message, type arp into the Filter box and click Apply. The list will change to only show ARP messages. ARP is used on a LAN to discover which machine is using a certain IP address. Other example filters are HTTP, ICMP, SMTP, SMB and so on.

Wireshark can filter using more advanced criteria than just the protocol type. For example, to see all the DNS related traffic that has comes from a particular host, use the filter ip.src==192.168.1.101 and dns where 192.168.1.101 is the source address you want to filter.

wireshark-follow-stream

If you spot an interesting interaction between two hosts that you want to see in its entirety, then Wireshark has a “follow stream” option. Right click on any packet in the exchange and then click on “Follow TCP Stream” (or Follow UDP Stream, Follow SSL Stream depending on the protocol type). Wireshark will then show a complete copy of the conversation.

Using Wireshark can be as complex or as simple as you need it to be, there are plenty of advanced features for network experts but those wanting to learn about networks can also benefit from using it. Here is something to try if you want to learn more about Wireshark. Start a capture and set the filter to ICMP. Now ping your Linux machine using a command like this from another Linux machine or even from a Windows PC command shell:

Where 192.168.1.10 is the IP address of the Linux machine. Now look at the packet list and see if you spot the network traffic for the ping.

7 comments

  1. I just want to say I’m new to weblog and honestly savored you’re web page. More than likely I’m planning to bookmark your site . You absolutely come with terrific writings. Thanks for sharing your blog site.

  2. To set up Wireshark for ordinary users, use this instead:
    sudo dpkg-reconfigure -plow wireshare-common

    This will ask if you want to allow members of the group wireshark to be able to run wireshark as if it was executed as root. Do this to add a user myuser to this group:
    sudo addgroup myuser wireshark

    Then the user needs to log out and then back again for this to work, as groups are only set when you log in.

    • Thanks for the group permission oriented approach. For my money, things might be better if this was the default install configuration. ~~~ 8d;-Dan

      • It isn’t the default because of security issues if setting this to default value.
        I think it say something about it in /usr/share/doc/wireshark-common/README.Debian.gz (or some other file there).

        Anyway, you should probably always check out the package documentation in /usr/share/doc/package/

  3. I found that it is easier to read $(which dumpcap) compared with `which dumbcap`. Using the $(…) form of immediate execution is much more visible regardless of how it is viewed. Sadly, the back-tic, reverse-apostrophe often gets lost both on screen and on paper. ~~~~ 8d;-Dan

    • But isn’t $(…) a Bash-ism? That is, a feature of Bash and not of Bourne Shell?
      If so, it will not be implemented if you change to another shell.

Comments are closed.

Sponsored Stories