Using Wireshark on Ubuntu

Wireshark is a powerful open source network protocol analyser. It can capture and decode the traffic on a network, which makes it an aid to troubleshooting and to network traffic analysis, but equally an educational tool for understanding how networks and communication protocols work.

It is readily available for just about any Linux distribution. On Ubuntu it can be installed from the Ubuntu Software Center or, as the wireshark package, from the terminal:

Before using Wireshark, the dumpcap utility (the helper program that actually captures the packets) needs permission to run as root. Without this, Wireshark won’t be able to capture network traffic when you are logged in as a normal user, which is the normal situation on Ubuntu, where you don’t log in as root. Be aware that a setuid-root dumpcap lets every local account on the machine capture traffic; the wireshark-common package can instead restrict capturing to members of the wireshark group, a point the comments below return to. To add the “setuid” bit to dumpcap, use the following command:

Note that the quote marks around “which dumpcap” aren’t ordinary single quotes but the grave accent (backtick) character. On Unix-like systems this invokes command substitution: the output of the which command, i.e. the full path of the dumpcap binary, becomes the argument to the chmod command. The POSIX form $(which dumpcap) does the same thing and is easier to read.
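As an added example (not from the original article), here is a POSIX shell script that reports how dumpcap has been privileged on a machine: the setuid approach described above, or the group-restricted file capabilities that the wireshark-common package can configure instead (see the comments below), and in the latter case whether the current login session is actually a member of that group. The function name capture_privilege_report and its output format are my own; it assumes GNU stat and, for the capabilities check, getcap from libcap2-bin.

```shell
#!/bin/sh
# Added example, not part of the original article: report how a capture
# helper such as dumpcap has been granted privilege, and whether the
# current session can actually use it.
#
# Outcomes printed on stdout:
#   setuid owner=<user>             the binary runs as its owner (the setuid
#                                   approach from the article)
#   caps group=<grp> member=yes|no  file capabilities (cap_net_raw) on a binary
#                                   reserved for a group, the wireshark-common
#                                   approach; member=no means this session is
#                                   not in the group (log out and in again
#                                   after being added)
#   unprivileged                    neither: capturing needs sudo
#   missing                         no such file (exit status 1)
capture_privilege_report() {
    cpr_bin=$1
    [ -f "$cpr_bin" ] || { echo "missing"; return 1; }
    cpr_mode=$(stat -c '%a' "$cpr_bin")    # octal mode; 4 digits only when a special bit is set
    cpr_owner=$(stat -c '%U' "$cpr_bin")
    cpr_group=$(stat -c '%G' "$cpr_bin")
    case $cpr_mode in
        4???|5???|6???|7???)               # leading digit includes the setuid bit (4)
            echo "setuid owner=$cpr_owner"
            return 0 ;;
    esac
    # getcap is in libcap2-bin; if it is absent or prints nothing, there are no file capabilities
    cpr_caps=$(getcap "$cpr_bin" 2>/dev/null)
    case $cpr_caps in
        *cap_net_raw*)
            cpr_member=no
            for cpr_g in $(id -nG); do     # id -nG reflects the groups of THIS session
                [ "$cpr_g" = "$cpr_group" ] && cpr_member=yes
            done
            echo "caps group=$cpr_group member=$cpr_member"
            return 0 ;;
    esac
    echo "unprivileged"
}

# When run directly, check the real dumpcap (or the path given as $1). The
# lookup uses $(...) rather than backticks: the same command substitution
# as in the article, just easier to read.
cpr_target=${1:-$(command -v dumpcap 2>/dev/null)}
if [ -n "$cpr_target" ]; then
    capture_privilege_report "$cpr_target"
else
    echo "dumpcap not found in PATH"
fi
```

On a stock Ubuntu install with the group approach enabled, the report for /usr/bin/dumpcap is the caps line; if it says member=no even though you have been added to the wireshark group, you are still in the old session and need to log out and back in.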


Start Wireshark and then click on the network interface you want to capture on. On a wired network it will probably be eth0, or on newer Ubuntu releases a predictable name such as enp3s0 (ip link in a terminal lists the interface names). Now click Start.

Wireshark will begin capturing traffic and displaying it as a colour coded list in the main window. The colours come from Wireshark’s coloring rules (View > Coloring Rules), which you can inspect and change. In the version used here TCP traffic is green, UDP packets are light blue, ARP requests are yellow and DNS traffic is shown in dark blue, but the defaults differ between releases, so check the rules rather than relying on this list.


Just below the toolbar is the Filter box. To see only certain types of network packets, enter the protocol name in the box and click Apply (newer releases apply the filter when you press Enter). Display filter names are lowercase. For example, to see only ARP (Address Resolution Protocol) messages, type arp into the Filter box and click Apply; the list will change to show only ARP messages. ARP is used on a LAN to discover which machine (that is, which MAC address) is using a certain IP address. Other example filters are http, icmp, smtp, smb and so on.

Wireshark can filter on more advanced criteria than just the protocol type. For example, to see all the DNS traffic that comes from a particular host, use a filter of the form ip.src== and dns, where the value after ip.src== is the source address you want to match. Conditions are combined with and, or and not (or, equivalently, &&, || and !).


If you spot an interesting exchange between two hosts that you want to see in its entirety, Wireshark has a “follow stream” option. Right click on any packet in the exchange and then click on “Follow TCP Stream” (or Follow UDP Stream, or Follow SSL Stream, called Follow TLS Stream in current releases, depending on the protocol type). Wireshark will then show the reassembled conversation in a single window. Note that following a TLS stream shows only the encrypted records unless you have given Wireshark the session keys, so the contents of HTTPS traffic are not readable this way.

Try this

Using Wireshark can be as complex or as simple as you need it to be: there are plenty of advanced features for network experts, but those wanting to learn about networks can also benefit from using it. Here is something to try if you want to learn more about Wireshark. Start a capture and set the display filter to icmp. Now ping your Linux machine, using a command like this from another Linux machine or even from a Windows command prompt:

where the address given to ping is the IP address of the Linux machine. Now look at the packet list and see if you can spot the network traffic for the ping: each ping should appear as an ICMP Echo (ping) request from the other machine followed by an Echo (ping) reply from yours. If the two machines talk over IPv6 the packets are ICMPv6 rather than ICMP, so use the filter icmpv6 instead.

Gary Sims

Gary has been a technical writer, author and blogger since 2003. He is an expert in open source systems (including Linux), system administration, system security and networking protocols. He also knows several programming languages, as he was previously a software engineer for 10 years. He has a Bachelor of Science in business information systems from a UK University.



  2. To set up Wireshark for ordinary users, use this instead:
    sudo dpkg-reconfigure -plow wireshark-common

    This will ask if you want to allow members of the group wireshark to be able to run wireshark as if it was executed as root. Do this to add a user myuser to this group:
    sudo addgroup myuser wireshark

    Then the user needs to log out and then back again for this to work, as groups are only set when you log in.

    1. Thanks for the group permission oriented approach. For my money, things might be better if this was the default install configuration. ~~~ 8d;-Dan

      1. It isn’t the default because of the security issues that setting it by default would raise.
        I think it says something about it in /usr/share/doc/wireshark-common/README.Debian.gz (or some other file there).

        Anyway, you should probably always check out the package documentation in /usr/share/doc/package/

  3. I found that it is easier to read $(which dumpcap) compared with `which dumpcap`. Using the $(…) form of immediate execution is much more visible regardless of how it is viewed. Sadly, the back-tick, reverse-apostrophe often gets lost both on screen and on paper. ~~~~ 8d;-Dan

    1. But isn’t $(…) a Bash-ism? That is, a feature of Bash and not of Bourne Shell?
      If so, it will not be implemented if you change to another shell.
