Wireshark is a free and open-source packet analyzer that captures data packets flowing over the network (the wire) and presents them in an understandable form through its GUI. It is used for network troubleshooting, analysis, software and communications protocol development, and education. It runs on Linux, OS X, BSD, Solaris, some other Unix-like operating systems, and Microsoft Windows. There is also a terminal-based (non-GUI) version called TShark. Wireshark, and the other programs distributed with it such as TShark, are free software, released under the terms of the GNU General Public License. Wireshark supports a wide range of protocols such as TCP, UDP and HTTP, and even advanced protocols such as AppleTalk. It has several advanced options such as packet filtering, packet export, and name resolution. Wireshark can capture live data flowing through the network.
How Wireshark works
In computer networking, promiscuous mode (or promisc mode) is a mode for a wired network interface controller (NIC) or wireless network interface controller (WNIC) that causes the controller to pass all traffic it receives to the central processing unit (CPU), rather than passing only the frames that the controller is intended to receive. This mode is normally used for packet sniffing on a router, on a computer connected to a hub (instead of a switch), or on one that is part of a WLAN. Interfaces are also placed into promiscuous mode by the software bridges often used with hardware virtualization.
Wireshark's network sniffing makes use of promiscuous mode. First, Wireshark switches the network interface into promiscuous mode so that it can capture the raw binary data flowing through the network. The chunks of binary data collected are then converted into a readable form. The packets are also reassembled based on their sequence. Finally, the captured and reassembled data is analyzed. The initial analysis involves identifying the protocol type, the communication channel (source and destination), port numbers, and so on. At an advanced level, the individual protocol headers can also be analyzed for a deeper understanding.
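The first-pass analysis described above (protocol type, endpoints, port numbers) can be shown with a small decoder. The following is an added example, not code from this page or from the Wireshark project: it parses Ethernet II, IPv4 and TCP/UDP headers from raw frame bytes the way Wireshark's initial dissection does, and flags a frame whose captured bytes are shorter than the length the IPv4 header declares (which is what a too-small capture snaplen produces). The sample frames, MAC addresses and IP addresses are constructed for the example and do not come from a real capture.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
IP_PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
TCP_FLAG_NAMES = ((0x02, "SYN"), (0x10, "ACK"), (0x01, "FIN"), (0x04, "RST"), (0x08, "PSH"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def decode_frame(frame: bytes) -> dict:
    """First-pass analysis of one raw Ethernet frame: protocol type, endpoints, ports."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst_mac": mac_str(frame[0:6]), "src_mac": mac_str(frame[6:12]),
            "ethertype": ethertype, "protocol": "unknown"}
    if ethertype != ETHERTYPE_IPV4:
        return info                      # non-IPv4 payload: stop at layer 2
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("frame truncated inside the IPv4 header")
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum = struct.unpack("!BBHHHBBH", ip[:12])
    if ver_ihl >> 4 != 4:
        raise ValueError("IPv4 ethertype but version nibble is not 4")
    ihl = (ver_ihl & 0x0F) * 4           # IPv4 header length in bytes, options included
    info.update({
        "src_ip": ip_str(ip[12:16]), "dst_ip": ip_str(ip[16:20]), "ttl": ttl,
        "protocol": IP_PROTO_NAMES.get(proto, f"ipproto-{proto}"),
        # Fewer captured bytes than the declared total length means the capture
        # snaplen cut the packet short; do not trust fields past the captured tail.
        "truncated": len(ip) < total_len,
    })
    transport = ip[ihl:total_len]
    if proto in (6, 17) and len(transport) >= 4:
        info["src_port"], info["dst_port"] = struct.unpack("!HH", transport[:4])
    if proto == 6 and len(transport) >= 14:
        data_offset = (transport[12] >> 4) * 4
        info["tcp_flags"] = [name for bit, name in TCP_FLAG_NAMES if transport[13] & bit]
        info["payload_len"] = max(0, len(transport) - data_offset)
    elif proto == 17 and len(transport) >= 8:
        info["payload_len"] = max(0, struct.unpack("!H", transport[4:6])[0] - 8)
    return info


# --- Constructed sample frames (made up for this example, not from a real capture) ---
def build_ipv4_frame(proto: int, src_ip: str, dst_ip: str, transport: bytes) -> bytes:
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(transport), 1, 0x4000, 64, proto, 0,
                         bytes(int(o) for o in src_ip.split(".")),
                         bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip_hdr + transport


def sample_tcp_syn() -> bytes:
    # sport, dport, seq, ack, data offset (5 words) << 4, flags = SYN, window, checksum, urgent ptr
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    return build_ipv4_frame(6, "10.0.0.5", "192.0.2.10", tcp)


def sample_dns_query() -> bytes:
    # DNS header (id, flags, 1 question, 0 answers/authority/additional) + question for example.com A
    dns = bytes.fromhex("1234 0100 0001 0000 0000 0000") + b"\x07example\x03com\x00" + b"\x00\x01\x00\x01"
    udp = struct.pack("!HHHH", 53000, 53, 8 + len(dns), 0) + dns
    return build_ipv4_frame(17, "10.0.0.5", "10.0.0.1", udp)


if __name__ == "__main__":
    # The third frame is the SYN cut at 40 bytes, as a too-small snaplen would leave it.
    for frame in (sample_tcp_syn(), sample_dns_query(), sample_tcp_syn()[:40]):
        print(decode_frame(frame))
```

Each decoded dictionary corresponds to what Wireshark's packet list shows in its Source, Destination, Protocol and Info columns; the truncated flag is the decoder's equivalent of Wireshark warning that the captured length is smaller than the length on the wire.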
Downloading and installing Wireshark
You can download and install Wireshark for your operating system from the download page at https://www.wireshark.org/download.html, or you can find the download page through a simple Google search. Once downloaded, double-click the installer (e.g. Wireshark-win64-1.12.4.exe) to install. Click Agree/Next on all screens, selecting all options. On Windows, Wireshark uses another tool called WinPcap behind the scenes, so if you have not installed it already, select it as well on the screen where it is offered. Windows Packet Capture (WinPcap) is the Windows version of the libpcap library; it includes a driver that supports capturing packets. Wireshark uses this library to capture live network data on Windows.
Demo – Start capturing data on your local machine
You can start capturing either by clicking on Interface List, selecting your network card and clicking Start there, or by selecting your network card under Start and clicking Start.
Using the toolbar icons at the top left, below the menu bar, you can list the available capture interfaces, show the capture options, start a new live capture, stop the running live capture, and restart the running live capture. You can also save the capture using the Save icon or by going to File > Save.
You can analyze saved capture files in Wireshark using features such as filtering. For instance, if you need HTTP request/response details, enter http in the display filter.
There are also icons at the top right for zooming in and out, resizing all columns, editing the capture filter, editing/applying the display filter, editing coloring rules, editing preferences, and so on. A capture filter restricts what is captured in the first place, whereas a display filter captures everything and only shows you the packets that match your filter.
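The difference between the two filter types matters when you later need packets you did not expect to want. The following added example (not code from this page or from the Wireshark project) models both over a few constructed packet summaries: a capture filter runs as packets arrive and discards non-matching ones permanently, while a display filter only hides rows of a stored capture, so the same file can be re-filtered for HTTP and then for DNS. The packet records are made up for the example, and the filter predicates stand in for Wireshark's real capture-filter (BPF) and display-filter expressions.

```python
# Constructed packet summaries shaped like Wireshark's summary columns (no real capture behind them).
TRAFFIC = [
    {"no": 1, "proto": "TCP", "src": "10.0.0.5", "dst": "192.0.2.10", "sport": 40000, "dport": 80, "info": "GET / HTTP/1.1"},
    {"no": 2, "proto": "TCP", "src": "192.0.2.10", "dst": "10.0.0.5", "sport": 80, "dport": 40000, "info": "HTTP/1.1 200 OK"},
    {"no": 3, "proto": "UDP", "src": "10.0.0.5", "dst": "10.0.0.1", "sport": 53000, "dport": 53, "info": "Standard query A example.com"},
    {"no": 4, "proto": "TCP", "src": "10.0.0.5", "dst": "192.0.2.20", "sport": 40001, "dport": 443, "info": "Client Hello"},
]


# Predicates standing in for filter expressions. In Wireshark a capture filter such as
# "tcp port 80" and a display filter such as "http" use different syntaxes; here both are functions.
def port(n):
    return lambda p: n in (p["sport"], p["dport"])


def is_http(p):
    return p["proto"] == "TCP" and port(80)(p)


def is_dns(p):
    return p["proto"] == "UDP" and port(53)(p)


def capture(traffic, capture_filter=None):
    """Capture filter: applied as packets arrive; non-matching packets are never stored."""
    return [p for p in traffic if capture_filter is None or capture_filter(p)]


def display(stored, display_filter=None):
    """Display filter: applied to the stored capture; it only hides rows, the file is untouched."""
    return [p for p in stored if display_filter is None or display_filter(p)]


def packet_numbers(rows):
    return [p["no"] for p in rows]


def compare_filter_modes():
    """Return which packet numbers each approach can still show for the same traffic."""
    full = capture(TRAFFIC)                 # no capture filter: everything is stored
    narrowed = capture(TRAFFIC, port(80))   # capture filter "port 80": only HTTP is stored
    return {
        "full_then_display_http": packet_numbers(display(full, is_http)),
        "full_then_display_dns": packet_numbers(display(full, is_dns)),
        "narrowed_then_display_http": packet_numbers(display(narrowed, is_http)),
        # The DNS packet was dropped at capture time; no display filter can bring it back.
        "narrowed_then_display_dns": packet_numbers(display(narrowed, is_dns)),
    }


if __name__ == "__main__":
    for mode, rows in compare_filter_modes().items():
        print(f"{mode}: packets {rows}")
```

In practice a capture filter is the right tool when a capture must run for a long time on a busy link and disk space or the volume of unrelated traffic is the concern; a display filter is the right tool while investigating, when you do not yet know which packets will turn out to matter.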