Using Wireshark for Packet analysis
Before we start using Wireshark, let's first install it. On Debian-based Linux distributions (Debian, Ubuntu and derivatives) this is a single command:
sudo apt-get install wireshark
Windows users need to download the installer from the official Wireshark website and run it.
Once Wireshark is installed, start it. On launch, the first thing to do is choose the interface whose traffic you want to capture (wireless, Ethernet, etc.). If you are not sure which interface to pick, run `ifconfig` (`ipconfig` on Windows) in a command line and see which interface you are currently using to browse the web. After selecting the interface, click the capture button on the toolbar.
As soon as you click the capture button, the packet list pane starts filling with a fast-scrolling stream of packets. This is your network traffic. Some elementary ways to filter it:
- To show only traffic to or from a specific IP address, type `ip.addr == xxx.xx.xx.xx` (the address is written bare, without quotes) in the Apply a display filter field. `ip.addr` matches the address in either the source or the destination field, so both directions of a conversation are shown.
- To show only traffic for a specific protocol, such as TCP, UDP, SMTP, ARP or DNS, type the protocol name (`tcp`, `udp`, `smtp`, `arp`, `dns`) in the Apply a display filter field.
[Figure: Filtering by IP address]
[Figure: Filtering by protocol name]
Saving the captured data on Wireshark
You can save the captured traffic using the following steps:
- Stop the packet capture by clicking the Stop button.
- Go to File → Save As... and enter a filename, e.g. filename.pcap.
Note: For this tutorial, save the file in .pcap format. Wireshark's default save format is pcapng, so select the pcap file type in the Save As dialog; typing a .pcap extension alone does not change the format.
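To make the two display filters above and the .pcap format concrete, here is an added example (not part of the original tutorial, and not Wireshark's own code) that builds a small constructed capture in memory, writes it in the classic libpcap .pcap layout, reads it back, and applies the same two filter forms the tutorial uses: `ip.addr == <address>` and a bare protocol name. All addresses and MAC values are constructed test data; the `build_frame`, `write_pcap`, `read_pcap` and `apply_filter` names are this example's own.

```python
"""Minimal pcap writer/reader that mirrors two Wireshark display filters.

Added example, not code from the tutorial or from Wireshark. It constructs
four Ethernet/IPv4 frames (TCP and UDP), serialises them as a libpcap file
(the .pcap format the tutorial asks you to save), parses that file again and
applies `ip.addr == A.B.C.D` (either direction) or a protocol-name filter.
"""
import io
import struct

LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17
PROTO_NAMES = {IPPROTO_TCP: "tcp", IPPROTO_UDP: "udp"}


def ip_to_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def build_frame(src_ip, dst_ip, proto, payload=b""):
    """Ethernet II + IPv4 + minimal TCP or UDP header (constructed; checksums left zero)."""
    if proto == IPPROTO_TCP:
        # sport, dport, seq, ack, data offset (5 words), flags (SYN), window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    else:
        # sport, dport, length (header + payload), csum
        l4 = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0)
    l4 += payload
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                       ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    eth = (b"\x00\x11\x22\x33\x44\x55"       # constructed destination MAC
           + b"\x66\x77\x88\x99\xaa\xbb"     # constructed source MAC
           + struct.pack("!H", ETHERTYPE_IPV4))
    return eth + ipv4 + l4


def write_pcap(frames):
    """Serialise frames as a little-endian libpcap file (magic 0xa1b2c3d4, version 2.4)."""
    buf = io.BytesIO()
    # magic, major, minor, thiszone, sigfigs, snaplen, linktype
    buf.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for i, frame in enumerate(frames):
        # per-record header: ts_sec, ts_usec, incl_len, orig_len (constructed timestamps)
        buf.write(struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)))
        buf.write(frame)
    return buf.getvalue()


def read_pcap(data):
    """Return one dict per IPv4 frame: source, destination and protocol name."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian libpcap file (pcapng is a different format)")
    off, packets = 24, []
    while off < len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        ethertype, = struct.unpack_from("!H", frame, 12)
        if ethertype != ETHERTYPE_IPV4:
            continue                       # non-IPv4 frames carry no ip.addr field
        proto = frame[14 + 9]
        packets.append({
            "ip.src": bytes_to_ip(frame[14 + 12:14 + 16]),
            "ip.dst": bytes_to_ip(frame[14 + 16:14 + 20]),
            "proto": PROTO_NAMES.get(proto, str(proto)),
        })
    return packets


def apply_filter(packets, expr):
    """Support `ip.addr == A.B.C.D` (matches either direction) and a bare protocol name."""
    expr = expr.strip()
    if expr.startswith("ip.addr"):
        addr = expr.split("==", 1)[1].strip()
        return [p for p in packets if addr in (p["ip.src"], p["ip.dst"])]
    return [p for p in packets if p["proto"] == expr.lower()]


# Constructed sample capture: two hosts on 10.0.0.0/24 talking to a web server
# (192.0.2.80, documentation range) and a local DNS resolver (10.0.0.1).
SAMPLE_PCAP = write_pcap([
    build_frame("10.0.0.5", "192.0.2.80", IPPROTO_TCP),
    build_frame("10.0.0.5", "10.0.0.1", IPPROTO_UDP, b"\x12\x34"),
    build_frame("10.0.0.9", "10.0.0.5", IPPROTO_TCP),
    build_frame("10.0.0.9", "10.0.0.1", IPPROTO_UDP),
])

if __name__ == "__main__":
    pkts = read_pcap(SAMPLE_PCAP)
    for f in ("ip.addr == 10.0.0.5", "tcp", "udp"):
        print(f"{f!r}: {len(apply_filter(pkts, f))} of {len(pkts)} packets")
```

The `ip.addr` branch checks both `ip.src` and `ip.dst`, which is exactly why the Wireshark filter shows both halves of a conversation; use `ip.src ==` or `ip.dst ==` in Wireshark when you want one direction only. The reader deliberately rejects anything that is not a little-endian libpcap file, which is what you will hit if you forget to pick the pcap file type and Wireshark writes pcapng instead.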