Network tracing applications provide real-time routing information and help you identify errors or issues encountered with your servers, such as timeouts and blocked UDP or TCP packets. Tracing specifically shows the latency of a packet travelling from one Internet host to another.
Wireshark is a network analysis tool that captures packets in real time and presents them in a human-readable format. It includes filters, colour coding and other features that let an analyst dive deep into network traffic and perform precise packet inspection.
Wireshark can be used for the following.
- Network monitoring and management.
- Identifying errors and unusual traffic in networks.
- Access control and security management.
- Forensic analysis using traffic logs.
Getting Familiar with UI
I am going to share a few important areas of the GUI, such as interface selection, capturing and saving.
Capture >> Interfaces
- Shows the available network interfaces for capture, the total packets per interface and the packet rate per interface.
- An interface must be selected before packets can be captured.
Capture >> Options
Used to set various capture parameters, such as promiscuous mode:
- On — records all packets reaching the interface, not only those addressed to the host.
- Off — only the packets addressed to the host are recorded.
Capture >> Start
- Click the start button next to the desired interface.
- The captured traffic will be displayed in the packet list pane.
Analyze >> Follow TCP Stream
- A filter is applied to show a single TCP conversation within the trace.
- The reassembled data section of each packet in the conversation is shown.
- Analysing or debugging any TCP-based application layer protocol, such as HTTP, FTP, SSH, LDAP or SMTP, can be accomplished using this feature.
Statistics >> Flow Graph
- Generates a sequence graph for the selected traffic.
- Useful for understanding sequence (seq.) and acknowledgement (ack) number calculations.
Capture >> Stop
- Stops capturing packets.
Saving Capture: Select File >> Save As
- The captured packets can be stored for further analysis.
Packet List Pane
Packet list – Packets in the trace will be displayed in the order they were recorded.
Time – Displays the timestamp at which the packet crossed the interface.
Source – Origin host of the packet is displayed.
Destination – Host to which the packet was sent will be displayed.
Protocol – Wireshark detects and displays the highest-level protocol it can decode in the packet.
Length – Displays length in bytes of the packet on the wire.
Info – Informational message referring to the protocol in the protocol column.
Packet list Default Coloring Codes
Black with red letters – TCP Packets with errors
Light Blue – UDP Packets
Pale Blue – ARP Packets
Green – HTTP Packets
Lavender – ICMP Packets
Black with green letters – ICMP Packets with errors
Gray – TCP packets
Color codes can be changed under — View >> Coloring Rules
Filters can be composed of multiple tests joined with boolean connectives.
- && – logical conjunction (i.e. AND)
- || – logical disjunction (i.e. OR)
- ! – logical negation (i.e. NOT)
Use case examples
Displays only FTP (port 21) and ICMP traffic (display filter names are case-sensitive, so the protocol is written in lowercase):
- tcp.port eq 21 or icmp
Displays only BGP (port 179)
- tcp.port eq 179
Displays only traffic within the LAN (192.168.x.x), between workstations and servers (no Internet traffic):
- ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16
The “slice” feature is useful for filtering on the vendor identifier part of the MAC address (the first three bytes), restricting the display to packets from a specific device manufacturer, e.g. only HP machines or only Dell machines.
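To make the semantics of the filters above concrete, here is an added example (not part of the original article, and not Wireshark code) that evaluates the same four conditions over a small set of constructed packet records: note that `tcp.port` matches either end of the connection, the LAN filter requires both endpoints to be inside 192.168.0.0/16, and the slice compares only the first three bytes of the source MAC. The MAC prefixes and IP addresses are made-up placeholders, not real vendor OUIs.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample packets (not a real capture). Field names mirror the
# Wireshark display-filter fields used above: eth.src, ip.src, ip.dst, tcp.port.
@dataclass
class Packet:
    no: int
    eth_src: str              # source MAC; 02:xx:xx prefixes are locally administered, not real OUIs
    ip_src: str
    ip_dst: str
    proto: str                # "tcp", "udp" or "icmp"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

PACKETS = [
    Packet(1, "02:aa:bb:00:00:01", "192.168.1.10", "203.0.113.5", "tcp", 51000, 21),
    Packet(2, "02:aa:bb:00:00:02", "203.0.113.5", "192.168.1.10", "tcp", 21, 51000),
    Packet(3, "02:aa:bb:00:00:03", "192.168.1.10", "192.168.1.1", "icmp"),
    Packet(4, "02:cc:dd:00:00:04", "192.168.1.10", "192.168.2.20", "tcp", 51001, 179),
    Packet(5, "02:cc:dd:00:00:05", "192.168.1.10", "198.51.100.9", "udp", 53001, 53),
]

LAN = ipaddress.ip_network("192.168.0.0/16")

def ftp_or_icmp(p):      # tcp.port eq 21 or icmp
    # tcp.port is true when EITHER the source or the destination port is 21
    return (p.proto == "tcp" and 21 in (p.src_port, p.dst_port)) or p.proto == "icmp"

def bgp_only(p):         # tcp.port eq 179
    return p.proto == "tcp" and 179 in (p.src_port, p.dst_port)

def lan_only(p):         # ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16
    # both endpoints must be inside the LAN, so LAN<->Internet packets are dropped
    return ipaddress.ip_address(p.ip_src) in LAN and ipaddress.ip_address(p.ip_dst) in LAN

def from_vendor(p, oui):  # eth.src[0:3] == <OUI>, the "slice" filter
    # the first three bytes of a MAC address identify the vendor (OUI)
    mac = bytes.fromhex(p.eth_src.replace(":", ""))
    return mac[:3] == bytes.fromhex(oui.replace(":", ""))

def apply(pred, packets=PACKETS, **kw):
    """Return the packet numbers a display filter would keep in the packet list pane."""
    return [p.no for p in packets if pred(p, **kw)]

if __name__ == "__main__":
    print("tcp.port eq 21 or icmp :", apply(ftp_or_icmp))                 # [1, 2, 3]
    print("tcp.port eq 179        :", apply(bgp_only))                    # [4]
    print("LAN only               :", apply(lan_only))                    # [3, 4]
    print("eth.src[0:3]==02:aa:bb :", apply(from_vendor, oui="02:aa:bb"))  # [1, 2, 3]
```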
Additional filters are given below.