Wireshark is a popular network protocol analyzer tool that allows network analysts and troubleshooters to capture, analyze, and dissect network traffic. It is an open-source and cross-platform software that supports a wide range of network protocols and interfaces, making it a versatile tool for network analysis. With Wireshark, users can capture network packets in real-time or from a saved file, apply filters to analyze the captured traffic, and view detailed information about the protocols and data exchanged between network nodes. Wireshark provides numerous features, such as expert information, statistics, and visualization tools, to help network analysts and troubleshooters identify and resolve network issues. Its intuitive user interface, extensive filtering capabilities, and customization options make it a popular choice for network analysis and troubleshooting across industries and organizations. In this article, we will cover various aspects of Wireshark, including its features, filtering capabilities, capture modes, and keyboard shortcuts.
Whether you are a network administrator, a security professional, or just someone curious about how networks work, learning to use Wireshark is a valuable skill. This Wireshark cheat sheet will provide a solid foundation and reference for using Wireshark to monitor and analyze your network traffic.
Default Columns In a Packet Capture Output
When analyzing network traffic with a packet capture tool such as Wireshark, the output typically includes a list of columns that provide important information about each captured packet. Here are the default columns in Wireshark, along with their names and descriptions:
Column Name | Description |
---|---|
No. | The packet number in the capture file. |
Time | The time the packet was captured. |
Source | The source IP address of the packet. |
Destination | The destination IP address of the packet. |
Protocol | The protocol used by the packet (e.g., TCP, UDP, ICMP). |
Length | The length of the packet in bytes. |
Info | A summary of the packet contents, such as the HTTP request method or response code. |
These columns provide essential information that can help you analyze network traffic and troubleshoot network issues. For example, the source and destination columns can help you identify where the traffic is coming from and where it’s going. The protocol column can help you determine which application or service is generating the traffic, while the length column can help you identify unusually large or small packets that may indicate a problem. Finally, the info column can help you quickly identify important packets, such as those containing HTTP requests or responses.
It’s worth noting that you can customize the columns displayed in Wireshark to suit your needs. For example, you can add columns to display additional information such as the TCP sequence number or the DNS query name. To add or remove columns, simply right-click on the column header and select “Column Preferences”. From there, you can select the columns you want to display and adjust their order and width as needed.
Logical Operators
Logical operators are used in various programming languages and tools to combine two or more conditions or expressions to form a single, more complex condition. They are frequently used in network analysis and troubleshooting tools, such as packet capture tools, to filter and search for specific packets or network traffic. Here are the three main logical operators and their descriptions:
Operator | Name | Description |
---|---|---|
`&&` | AND | Evaluates to true if and only if both conditions are true. For example, in a packet capture filter, the expression `ip.src == 192.168.1.1 && tcp.port == 80` would match only packets with a source IP address of 192.168.1.1 AND a TCP port (source or destination) of 80. |
`\|\|` | OR | Evaluates to true if either or both conditions are true. For example, in a packet capture filter, the expression `ip.src == 192.168.1.1 \|\|` |
`!` | NOT | Inverts the result of the condition. For example, in a packet capture filter, the expression `!tcp.port == 80` (read as `!(tcp.port == 80)`) would match packets that do NOT have a TCP port of 80. |
These logical operators can be combined to create more complex conditions that are used to filter and search for specific packets or network traffic. By using these operators effectively, network analysts and troubleshooters can quickly isolate and diagnose network problems.
Filtering Packets (Display Filters)
Packet filtering, also known as display filtering, is the process of selecting specific packets from a captured network traffic for further analysis. Display filters in packet capture tools such as Wireshark provide a way to filter packets based on specific criteria such as protocol, IP address, port number, etc. Here are some common display filters along with their descriptions and examples:
Filter | Operator | Description | Example |
---|---|---|---|
ip.addr | == | Matches packets where the IP address matches the specified value. This can be used to filter packets based on either the source or destination IP address. | ip.addr == 192.168.1.1 |
tcp.port | == | Matches packets where the TCP port number matches the specified value. This can be used to filter packets based on either the source or destination port. | tcp.port == 80 |
udp.port | == | Matches packets where the UDP port number matches the specified value. This can be used to filter packets based on either the source or destination port. | udp.port == 53 |
http | | Matches packets where the protocol is HTTP. This can be used to filter HTTP traffic, which can be useful for analyzing web traffic. | http |
dns | | Matches packets where the protocol is DNS. This can be used to filter DNS traffic, which can be useful for analyzing DNS queries and responses. | dns |
icmp | | Matches packets where the protocol is ICMP. This can be used to filter ICMP traffic, which can be useful for analyzing ping requests and responses. | icmp |
frame.number | <, >, <=, >= | Matches packets with a frame number less than, greater than, less than or equal to, or greater than or equal to the specified value. | frame.number < 100 |
frame.time | <, >, <=, >= | Matches packets with a frame time less than, greater than, less than or equal to, or greater than or equal to the specified value. | frame.time >= "2023-03-10 10:00:00" |
By using these filters effectively, network analysts and troubleshooters can quickly isolate and diagnose network problems. These are just a few examples of the many display filters available in packet capture tools such as Wireshark. Understanding these filters and how to use them can greatly improve the efficiency and accuracy of network analysis and troubleshooting.
Filter Types
Packet filtering is a crucial aspect of network analysis and troubleshooting. It allows network analysts to selectively view and analyze network traffic based on specific criteria. Packet capture tools such as Wireshark provide various types of filters for packet filtering. Here are some common types of filters along with their names and descriptions:
Filter Type | Name | Description |
---|---|---|
Capture Filter | BPF (Berkeley Packet Filter) | A low-level filter applied to a live capture or when saving a capture file. This filter is written in BPF syntax and is used to capture only the packets of interest. |
Display Filter | Wireshark filter | A high-level filter applied to an already captured packet capture file. This filter is written in Wireshark’s display filter syntax and is used to selectively view the packets of interest. |
Protocol Filter | Protocol filter | A filter applied to isolate packets that belong to a specific protocol or protocol family, such as IP, TCP, UDP, DNS, etc. |
Time Filter | Time-based filter | A filter applied to isolate packets that occurred within a specific time range or at a specific time interval. |
Endpoint Filter | Endpoint filter | A filter applied to isolate packets that belong to a specific endpoint, such as a specific IP address or MAC address. |
Conversation Filter | Conversation filter | A filter applied to isolate packets that belong to a specific conversation between two endpoints, such as a specific IP address or port. |
Expert Info Filter | Expert Info filter | A filter applied to isolate packets with specific expert info messages generated by Wireshark, such as warnings or errors. |
By using these filters effectively, network analysts and troubleshooters can quickly isolate and diagnose network problems. These are just a few examples of the many filter types available in packet capture tools such as Wireshark. Understanding these filters and how to use them can greatly improve the efficiency and accuracy of network analysis and troubleshooting.
Wireshark Capturing Modes
Wireshark, like many other packet capture tools, supports various capturing modes that provide different levels of access and control over the captured traffic. Here are some common Wireshark capturing modes along with their names and descriptions:
Capturing Mode | Name | Description |
---|---|---|
Promiscuous Mode | Promiscuous Mode | Captures all network traffic seen by the network interface card (NIC), including traffic not intended for the host machine. This mode is useful for capturing all traffic on a network segment or for analyzing switch and router behavior. |
Non-Promiscuous Mode | Non-Promiscuous Mode | Captures only traffic intended for the host machine, such as traffic addressed to its MAC address. This mode is useful for capturing traffic on a specific machine and can help reduce the amount of captured traffic. |
Monitor Mode | Monitor Mode | Captures all wireless network traffic on a specific wireless channel. This mode is used for wireless network analysis and troubleshooting. |
Remote Capture | Remote Capture | Captures network traffic on a remote machine using the Wireshark Remote Packet Capture Protocol (RPCAP). This mode is useful for capturing traffic on machines that are not physically accessible or for capturing traffic on remote networks. |
File-based Capture | File-based Capture | Captures network traffic to a file for later analysis. This mode is useful for capturing large amounts of traffic over a longer period or for capturing traffic on systems with limited resources. |
By using these capturing modes effectively, network analysts and troubleshooters can gain better control over the captured traffic and reduce the amount of irrelevant traffic in the capture file. Understanding these modes and how to use them can greatly improve the efficiency and accuracy of network analysis and troubleshooting.
Miscellaneous
Here are some miscellaneous features and capabilities of Wireshark along with their names and descriptions:
Feature | Name | Description |
---|---|---|
Protocol Decode | Protocol Decode | Wireshark can decode and display the contents of a captured packet according to the protocol specification. This feature allows network analysts to view the details of a specific protocol and can help identify protocol-specific issues. |
Conversation Statistics | Conversation Statistics | Wireshark can display conversation statistics between two endpoints, including the number of packets, bytes, and average packet size. This feature is useful for analyzing the performance of specific connections or for identifying potential network issues. |
Coloring Rules | Coloring Rules | Wireshark can apply color-coded highlighting to packets based on specific criteria, such as protocol or source/destination IP address. This feature allows network analysts to quickly identify relevant packets in a large capture file. |
Follow TCP Stream | Follow TCP Stream | Wireshark can reconstruct the contents of a TCP stream and display it in a separate window. This feature is useful for analyzing the contents of a specific connection and can help identify application-layer issues. |
Exporting Data | Exporting Data | Wireshark can export captured packets to various formats, including CSV, JSON, and XML. This feature allows network analysts to manipulate the captured data in external tools or to share it with others who do not have access to Wireshark. |
Plugins | Plugins | Wireshark supports various plugins that can extend its functionality and capabilities. These plugins can be developed by third parties or by the Wireshark community and can be used to enhance specific features or to add new ones. |
By using these features and capabilities effectively, network analysts and troubleshooters can gain greater insight into network behavior and diagnose network problems more efficiently. Understanding these features and how to use them can greatly improve the efficiency and accuracy of network analysis and troubleshooting.
Capture Filter Syntax
A capture filter is a filter used to limit the amount of traffic captured by Wireshark when capturing packets in real-time. Here are some common capture filter syntax elements along with their names and descriptions:
Syntax Element | Name | Description |
---|---|---|
Protocol | Protocol | Filters packets based on the protocol type, such as TCP, UDP, or ICMP. |
Source/Destination Address | Host | Filters packets based on the source or destination IP address. |
Port Number | Port | Filters packets based on the port number, such as TCP port 80 for HTTP traffic. |
Network Address Range | Net | Filters packets based on a range of IP addresses, such as 192.168.0.0/24 for all hosts in the 192.168.0.0 subnet. |
Logical Operators | and, or, not | Used to combine multiple filter expressions or to negate a filter expression. |
Expression Grouping | ( ) | Used to group multiple filter expressions to control the order of evaluation. |
Primitive | Primitive | Specifies a basic condition to filter packets, such as src or dst for source or destination IP address, respectively. |
By using these syntax elements effectively, network analysts and troubleshooters can create capture filters that target specific traffic and reduce the amount of irrelevant traffic captured. Understanding these syntax elements and how to use them can greatly improve the efficiency and accuracy of network analysis and troubleshooting.
Display Filter Syntax
A display filter is a filter used to selectively display packets from a packet capture file. Here are some common display filter syntax elements along with their names and descriptions:
Syntax Element | Name | Description |
---|---|---|
Protocol | Protocol | Filters packets based on the protocol type, such as TCP, UDP, or ICMP. |
Source/Destination Address | ip.addr | Filters packets based on the source or destination IP address. |
Port Number | tcp.port, udp.port | Filters packets based on the port number, such as tcp.port == 80 for HTTP traffic. |
Network Address Range | ip.src, ip.dst, net | Filters packets based on a range of IP addresses, such as ip.src == 192.168.0.0/24 for all packets with a source IP address in the 192.168.0.0 subnet. |
Time | frame.time | Filters packets based on the time of capture, such as frame.time > "2022-01-01 00:00:00" to display packets captured after a specific date and time. |
Logical Operators | and, or, not | Used to combine multiple filter expressions or to negate a filter expression. |
Expression Grouping | ( ) | Used to group multiple filter expressions to control the order of evaluation. |
Field Comparison | ==, !=, <, > | Used to compare fields within a packet, such as tcp.len > 100 to display packets with a TCP payload length greater than 100 bytes. |
By using these syntax elements effectively, network analysts and troubleshooters can create display filters that selectively display packets and highlight relevant information. Understanding these syntax elements and how to use them can greatly improve the efficiency and accuracy of network analysis and troubleshooting.
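The Logical Operators, Filtering Packets and Display Filter Syntax sections above all describe the same evaluation rules. The following Python program is an added example (not Wireshark's own code) that implements those rules for a small subset of display-filter syntax and runs them over constructed packet records. It goes slightly beyond the tables: it also models Wireshark's rule that a comparison on a multi-occurrence field (`ip.addr`, `tcp.port`) is true if any occurrence matches, and Wireshark 4's reading of `a != b` as `!(a == b)`. The packet records in `PACKETS` and the functions `tokenize`, `parse`, `evaluate` and `apply_filter` are all assumptions of this example.

```python
"""Evaluator for a small subset of Wireshark display-filter syntax (added example,
not Wireshark's own code). It reproduces the semantics the cheat sheet describes:
ip.addr / tcp.port / udp.port match either direction, &&, ||, ! combine conditions,
! negates the comparison after it, and a CIDR literal matches a whole subnet."""
import ipaddress
import operator
import re

# Constructed sample packets (not from a real capture): the field names Wireshark
# would expose; a bare name such as "http" marks a protocol the dissector found.
PACKETS = [
    {"frame.number": 1, "ip.src": "192.168.1.1", "ip.dst": "10.0.0.5",
     "tcp.srcport": 51000, "tcp.dstport": 80, "http": True},
    {"frame.number": 2, "ip.src": "10.0.0.5", "ip.dst": "192.168.1.1",
     "tcp.srcport": 80, "tcp.dstport": 51000, "http": True},
    {"frame.number": 3, "ip.src": "192.168.1.7", "ip.dst": "8.8.8.8",
     "udp.srcport": 40000, "udp.dstport": 53, "dns": True},
    {"frame.number": 4, "ip.src": "172.16.3.2", "ip.dst": "192.168.1.1", "icmp": True},
]
ALIASES = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport"),
           "udp.port": ("udp.srcport", "udp.dstport")}   # "either direction" fields
WORD_OPS = {"and": "&&", "or": "||", "not": "!"}        # spelled-out operator forms
OPS = {"==": operator.eq, "!=": operator.ne, "<": operator.lt, ">": operator.gt,
       "<=": operator.le, ">=": operator.ge}
TOKEN_RE = re.compile(r'&&|\|\||==|!=|<=|>=|<|>|!|\(|\)|"[^"]*"|[\w.:/]+')


def tokenize(expr):
    # findall silently skips characters it cannot match, so verify nothing was lost
    tokens = TOKEN_RE.findall(expr)
    if "".join("".join(tokens).split()) != "".join(expr.split()):
        raise ValueError(f"unrecognised characters in {expr!r}")
    return [WORD_OPS.get(t, t) for t in tokens]


def parse(tokens):
    """Recursive descent: || binds loosest, then &&, then unary !, then atoms."""
    def peek():
        return tokens[0] if tokens else None
    def take():
        if not tokens:
            raise ValueError("unexpected end of filter")
        return tokens.pop(0)
    def binary(op, kind, sub):           # left-associative chain of one operator
        node = sub()
        while peek() == op:
            take()
            node = (kind, node, sub())
        return node
    def parse_not():
        if peek() == "!":
            take()
            return ("not", parse_not())  # "!tcp.port == 80" is "!(tcp.port == 80)"
        return primary()
    def parse_or():
        return binary("||", "or", lambda: binary("&&", "and", parse_not))
    def primary():
        tok = take()
        if tok == "(":
            node = parse_or()
            if take() != ")":
                raise ValueError("missing ')'")
            return node
        if peek() in OPS:
            return ("cmp", tok, take(), take().strip('"'))
        return ("has", tok)              # bare name: is the field/protocol present?
    tree = parse_or()
    if tokens:
        raise ValueError(f"unexpected token {tokens[0]!r}")
    return tree


def field_values(pkt, name):
    # every value the name resolves to in this packet (aliases expand to both sides)
    return [pkt[n] for n in ALIASES.get(name, (name,)) if n in pkt]


def compare(name, value, op, literal):
    """Compare one field occurrence with a literal, typed the way Wireshark does."""
    if name.startswith("ip."):
        value = ipaddress.ip_address(value)
        if "/" in literal:               # CIDR literal: subnet membership
            return value in ipaddress.ip_network(literal, strict=False)
        literal = ipaddress.ip_address(literal)
    elif isinstance(value, int):
        literal = int(literal, 0)        # "80" and "0x08" both parse
    return OPS[op](value, literal)


def evaluate(node, pkt):
    kind = node[0]
    if kind == "and":
        return evaluate(node[1], pkt) and evaluate(node[2], pkt)
    if kind == "or":
        return evaluate(node[1], pkt) or evaluate(node[2], pkt)
    if kind == "not":
        return not evaluate(node[1], pkt)
    if kind == "has":
        return bool(field_values(pkt, node[1]))
    _, name, op, literal = node          # true if ANY occurrence of the field matches
    hits = [compare(name, v, "==" if op == "!=" else op, literal) for v in field_values(pkt, name)]
    return not any(hits) if op == "!=" else any(hits)   # Wireshark 4: "a != b" is "!(a == b)"


def apply_filter(expr, packets=PACKETS):
    """Frame numbers of the packets a display filter keeps."""
    tree = parse(tokenize(expr))
    return [p["frame.number"] for p in packets if evaluate(tree, p)]
```

Running `apply_filter("ip.src == 192.168.1.1 && tcp.port == 80")` keeps only frame 1, while `apply_filter("!tcp.port == 80")` keeps frames 3 and 4 because `!` negates the whole comparison. The "any occurrence" rule also explains a classic surprise with the range filter from the Common Filtering Commands table: `ip.addr >= 10.0.0.1 and ip.addr <= 10.0.0.255` matches frame 3 (192.168.1.7 to 8.8.8.8) because each comparison is satisfied by a different address of the same packet; filtering on `ip.src`/`ip.dst` or with a CIDR literal avoids that.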
Keyboard Shortcuts – Main Display Window
Here are some common keyboard shortcuts for the main display window in Wireshark:
Shortcut | Description |
---|---|
Ctrl + E | Expand all packets |
Ctrl + F | Open the display filter dialog |
Ctrl + G | Find the next packet matching the current display filter |
Ctrl + L | Open the capture filter dialog |
Ctrl + R | Apply or reapply the current display filter |
Ctrl + Shift + R | Clear the current display filter |
Ctrl + Shift + T | Toggle the time display format between absolute and relative |
Ctrl + Shift + X | Exit Wireshark |
Ctrl + + | Increase the font size |
Ctrl + - | Decrease the font size |
Ctrl + 1-9 | Toggle the display of specific packet details columns |
Tab | Switch focus between the packet list and packet details panes |
Shift + Tab | Switch focus in reverse order |
Enter | Expand or collapse a packet in the packet list |
Spacebar | Start or stop packet capture |
F1 | Open the Wireshark help documentation |
F3 | Find the next occurrence of a search term in the packet details pane |
F11 | Toggle full-screen mode |
By using these keyboard shortcuts, network analysts and troubleshooters can navigate through packets, filter traffic, and customize the display quickly and efficiently.
Protocols – Values
ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp
Common Filtering Commands
USAGE | FILTER SYNTAX |
---|---|
Wireshark Filter by IP | ip.addr == 10.10.50.1 |
Filter by Destination IP | ip.dst == 10.10.50.1 |
Filter by Source IP | ip.src == 10.10.50.1 |
Filter by IP range | ip.addr >= 10.10.50.1 and ip.addr <= 10.10.50.100 |
Filter by Multiple IPs | ip.addr == 10.10.50.1 and ip.addr == 10.10.50.100 |
Filter out IP address | !(ip.addr == 10.10.50.1) |
Filter subnet | ip.addr == 10.10.50.1/24 |
Filter by port | tcp.port == 25 |
Filter by destination port | tcp.dstport == 23 |
Filter by IP address and port | ip.addr == 10.10.50.1 and tcp.port == 25 |
Filter by URL | http.host == "host name" |
Filter by time stamp | frame.time >= "June 02, 2019 18:04:00" |
Filter SYN flag | tcp.flags.syn == 1 and tcp.flags.ack == 0 |
Wireshark Beacon Filter | wlan.fc.type_subtype == 0x08 |
Wireshark broadcast filter | eth.dst == ff:ff:ff:ff:ff:ff |
Wireshark multicast filter | (eth.dst[0] & 1) |
Host name filter | ip.host == "hostname" |
MAC address filter | eth.addr == 00:70:f4:23:18:c4 |
RST flag filter | tcp.flags.reset == 1 |
Main Toolbar Items
Others
Here is a summary of some of the other important features of Wireshark that we have not covered yet:
Feature | Description |
---|---|
Expert info | Wireshark’s expert system provides information on various issues and anomalies within captured traffic, such as retransmissions, duplicate packets, and protocol errors. |
Statistics | Wireshark provides various statistics and graphs for captured traffic, such as protocol hierarchy, conversation statistics, and packet length distribution. |
Customization | Wireshark offers a high degree of customization, including the ability to create custom columns, protocols, and dissector plugins. |
Exporting | Wireshark can export captured traffic to various formats, such as plain text, CSV, XML, and pcapng. |
Command-line interface | Wireshark can be used through its command-line interface, tshark, which provides similar functionality as the GUI but with greater automation and scripting capabilities. |
By utilizing these features, network analysts and troubleshooters can gain deeper insights into network traffic and more effectively troubleshoot issues.
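The Conversation Statistics feature in the Miscellaneous table and the tshark command-line interface mentioned above fit together naturally: tshark can emit selected fields per packet, and a short script can aggregate them into the same per-endpoint-pair statistics (packets, bytes, average packet size) that the Statistics > Conversations window shows. The program below is an added example, not part of Wireshark or tshark. Its `SAMPLE_OUTPUT` is constructed to look like the output of the tshark command quoted in its docstring (it is not from a real capture), and the functions `parse_lines`, `conversations`, `one_way` and `report` are assumptions of this example. As a small detection-style extension it also flags conversations in which every packet flows in one direction, which in a real capture would prompt a closer look at that pair.

```python
"""Aggregate per-conversation statistics from tshark field output.

Added example, not Wireshark's or tshark's own code. SAMPLE_OUTPUT is
constructed to resemble the output of
    tshark -r capture.pcapng -T fields -E separator=, -E occurrence=f \
           -e frame.number -e ip.src -e ip.dst -e frame.len -e _ws.col.Protocol
(occurrence=f keeps only the first value of a field, so an ICMP error that
carries an inner IP header does not produce a second, comma-joined address).
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample rows (not from a real capture). Frame 4 is an ARP frame:
# tshark prints empty ip.src / ip.dst fields for it.
SAMPLE_OUTPUT = """\
1,192.168.1.10,10.0.0.5,74,TCP
2,10.0.0.5,192.168.1.10,74,TCP
3,192.168.1.10,10.0.0.5,66,TCP
4,,,60,ARP
5,192.168.1.10,10.0.0.5,512,HTTP
6,10.0.0.5,192.168.1.10,1514,HTTP
7,192.168.1.7,8.8.8.8,82,DNS
8,8.8.8.8,192.168.1.7,130,DNS
9,172.16.3.2,192.168.1.10,60,TCP
10,172.16.3.2,192.168.1.10,60,TCP
11,172.16.3.2,192.168.1.10,60,TCP
"""


@dataclass
class Conversation:
    packets: int = 0
    bytes: int = 0
    a_to_b: int = 0                       # packets sent by the first endpoint of the pair
    b_to_a: int = 0                       # packets sent by the second endpoint
    protocols: set = field(default_factory=set)

    @property
    def avg_len(self):
        return self.bytes / self.packets if self.packets else 0.0


def parse_lines(text):
    """Yield (frame, src, dst, length, protocol) tuples, skipping non-IP rows."""
    for line in text.splitlines():
        if not line.strip():
            continue
        frame, src, dst, length, proto = line.split(",", 4)
        if not src or not dst:            # empty fields: the frame had no IP layer
            continue
        yield int(frame), src, dst, int(length), proto


def conversations(text):
    """Group packets by unordered endpoint pair, like Wireshark's IPv4 conversations."""
    stats = defaultdict(Conversation)
    for _, src, dst, length, proto in parse_lines(text):
        a, b = sorted((src, dst))         # canonical key: both directions share one entry
        conv = stats[(a, b)]
        conv.packets += 1
        conv.bytes += length
        conv.protocols.add(proto)
        if src == a:
            conv.a_to_b += 1
        else:
            conv.b_to_a += 1
    return dict(stats)


def one_way(stats):
    """Endpoint pairs whose packets all travel in a single direction."""
    return sorted(key for key, c in stats.items() if c.a_to_b == 0 or c.b_to_a == 0)


def report(stats):
    """One text line per conversation, largest byte count first."""
    lines = []
    for (a, b), c in sorted(stats.items(), key=lambda kv: -kv[1].bytes):
        lines.append(f"{a:<15} <-> {b:<15} packets={c.packets:<3} bytes={c.bytes:<6} "
                     f"avg={c.avg_len:.1f} proto={','.join(sorted(c.protocols))}")
    return "\n".join(lines)


if __name__ == "__main__":
    stats = conversations(SAMPLE_OUTPUT)
    print(report(stats))
    print("one-way conversations:", one_way(stats))
```

To use it on a real capture, pipe the tshark command from the docstring into the script instead of `SAMPLE_OUTPUT`; the sorted endpoint pair is only a canonical dictionary key, so the "a" and "b" labels carry no meaning beyond keeping both directions of a conversation in one entry.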
FAQ
- What is Wireshark used for?
Wireshark is a network protocol analyzer tool used for capturing and analyzing network traffic in real-time or from a saved file.
- How do I use Wireshark?
You can use Wireshark by selecting the appropriate network interface, starting the capture, and applying filters to analyze the captured traffic. Wireshark also provides various statistics, expert information, and visualization tools to help with analysis.
- What are display filters in Wireshark?
Display filters are used to filter specific packets from the captured traffic to view only the relevant data. Display filters can be based on a variety of criteria such as IP addresses, protocol types, port numbers, etc.
- What are capture filters in Wireshark?
Capture filters are used to capture only the relevant network traffic based on specific criteria like IP addresses, port numbers, protocol types, etc.
- How do I export captured packets in Wireshark?
You can export captured packets in Wireshark by selecting the packets you want to export and using the “Export Packet Dissections” or “Export Specified Packets” options under the “File” menu. You can then select the desired export format, such as plain text, CSV, XML, or pcapng.
- Can Wireshark capture wireless traffic?
Yes, Wireshark can capture wireless traffic using a wireless network adapter in monitor mode.
- What is the difference between a display filter and a capture filter in Wireshark?
A display filter is used to filter packets that have already been captured and are displayed in the Wireshark GUI. A capture filter, on the other hand, is used to filter packets during the capture process and only captures the relevant network traffic.
Conclusion
Wireshark is a powerful and widely used network protocol analyzer tool that allows network analysts and troubleshooters to capture, analyze, and dissect network traffic. With its intuitive user interface, extensive filter options, and advanced features like expert info and statistics, Wireshark provides deep insights into network traffic and enables faster and more effective troubleshooting of network issues. Additionally, Wireshark’s customization options, such as custom columns and plugins, make it a flexible tool that can be tailored to specific needs. Overall, Wireshark is an essential tool for anyone involved in network analysis and troubleshooting.