Network tracing applications provide real-time routing information and help you identify errors or issues with your servers, such as timeouts and blocked UDP or TCP packets. Tracing specifically shows the latency a packet incurs getting from one Internet host to another.

Wireshark is a network analysis tool that captures packets in real time and presents them in a human-readable format. Its filters, color coding and other features let an analyst dig deep into network traffic and perform precise packet inspection.

https://www.wireshark.org/

Wireshark can be used for the following:

  • Network monitoring & management.
  • Identifying errors and unusual traffic in networks.
  • Access control & security management.
  • Forensic analysis using traffic logs.

Getting Familiar with the UI


I am going to share a few important areas of the GUI: interface selection, capturing and saving.

Capture >> Interfaces

  • Shows the available network interfaces for capture, the total packets per
    interface and the packet rate per interface.
  • An interface must be selected before packets can be captured.

Capture >> Options

Used to set various capture parameters, such as promiscuous mode:

  • On — records all packets reaching the interface.
  • Off — records only the packets addressed to the host.

Capture >> Start

  • Click the start button next to the desired interface.
  • The captured traffic is displayed in the packet list pane.

Analyze >> Follow TCP Stream

  • A filter is applied to show a single TCP conversation within the trace.
  • The reassembled data of each packet in the conversation is shown.
  • Any TCP-based application-layer protocol, such as HTTP, FTP, SSH, LDAP or SMTP, can be analyzed or debugged using this feature.

Statistics >> Flow Graph

  • Generates a sequence graph for the selected traffic.
  • Useful for understanding sequence and acknowledgement number calculations.
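To make the two features above concrete, here is an added Python example (not part of the original post and not Wireshark's own code) that does, on constructed segments, what Follow TCP Stream and the Flow Graph do: it converts absolute sequence and acknowledgement numbers into Wireshark-style relative numbers (each side's ISN becomes 0), prints one flow-graph line per segment, and reassembles each direction's payload in sequence order while discarding a retransmission and reordering a segment that was captured out of order. The FTP login, its hosts, ports and sequence numbers are all constructed for the demonstration.

```python
from collections import defaultdict

def stream_key(seg):
    """Both directions of one TCP conversation share a key (what tcp.stream identifies)."""
    a, b = (seg["src"], seg["sport"]), (seg["dst"], seg["dport"])
    return (a, b) if a <= b else (b, a)

def relative_numbers(segments):
    """Rewrite seq/ack relative to each sender's ISN, the way Wireshark displays them."""
    isn = {}
    for seg in segments:                 # pass 1: learn each sender's initial sequence number
        me = (seg["src"], seg["sport"])
        if "SYN" in seg["flags"].split(",") or me not in isn:
            isn[me] = seg["seq"]
    out = []
    for seg in segments:                 # pass 2: Seq minus the sender's ISN, Ack minus the peer's
        me, peer = (seg["src"], seg["sport"]), (seg["dst"], seg["dport"])
        acked = "ACK" in seg["flags"].split(",")
        out.append(dict(seg, seq=seg["seq"] - isn[me],
                        ack=seg["ack"] - isn.get(peer, seg["ack"]) if acked else 0))
    return out

def flow_graph(segments):
    """One line per segment, like Statistics >> Flow Graph for TCP flows."""
    return [f'{s["src"]}:{s["sport"]} -> {s["dst"]}:{s["dport"]} [{s["flags"]}] '
            f'Seq={s["seq"]} Ack={s["ack"]} Len={len(s["payload"])}' for s in segments]

def follow_stream(segments, key):
    """Reassemble each direction's payload in sequence order, like Analyze >> Follow TCP Stream."""
    chunks = defaultdict(list)
    for seg in segments:
        if stream_key(seg) == key and seg["payload"]:     # the single-conversation filter
            direction = (seg["src"], seg["sport"], seg["dst"], seg["dport"])
            chunks[direction].append((seg["seq"], seg["payload"]))
    streams = {}
    for direction, pieces in chunks.items():
        data, expected = bytearray(), None
        for seq, payload in sorted(pieces):               # capture order may differ from seq order
            expected = seq if expected is None else expected
            if seq + len(payload) <= expected:
                continue                                  # retransmission of bytes already seen
            if seq < expected:
                payload, seq = payload[expected - seq:], expected   # partial overlap: keep new tail only
            if seq > expected:
                data += b"[%d bytes missing]" % (seq - expected)   # gap: a segment was not captured
            data += payload
            expected = seq + len(payload)
        streams[direction] = bytes(data)
    return streams

def seg(src, sport, dst, dport, flags, seq, ack=0, payload=b""):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": flags, "seq": seq, "ack": ack, "payload": payload}

C, S = ("192.168.1.10", 51234), ("192.168.1.20", 21)
SEGMENTS = [   # constructed FTP login with absolute sequence numbers, listed in capture order
    seg(*C, *S, "SYN", 1000),
    seg(*S, *C, "SYN,ACK", 5000, 1001),
    seg(*C, *S, "ACK", 1001, 5001),
    seg(*S, *C, "PSH,ACK", 5001, 1001, b"220 ftp ready\r\n"),
    seg(*C, *S, "ACK", 1001, 5016),
    seg(*C, *S, "PSH,ACK", 1001, 5016, b"USER alice\r\n"),
    seg(*C, *S, "PSH,ACK", 1001, 5016, b"USER alice\r\n"),   # retransmission
    seg(*S, *C, "PSH,ACK", 5029, 1013, b"please\r\n"),        # captured before the segment it follows
    seg(*S, *C, "PSH,ACK", 5016, 1013, b"331 password "),
    seg(*C, *S, "PSH,ACK", 1013, 5037, b"PASS s3cret\r\n"),   # FTP carries the password in the clear
    seg(*S, *C, "ACK", 5037, 1026),
    seg("192.168.1.10", 50001, "198.51.100.7", 443, "SYN", 7000),   # an unrelated conversation
]

if __name__ == "__main__":
    rel = relative_numbers(SEGMENTS)
    print("\n".join(flow_graph(rel)))
    for direction, data in follow_stream(rel, stream_key(SEGMENTS[0])).items():
        print(direction, data)
```

The reassembled client-to-server stream shows exactly why Follow TCP Stream matters to a defender: a cleartext protocol such as FTP exposes the whole login to anyone holding the capture. Note that `[i:j]`-style gaps are marked inline rather than silently joined, which mirrors Wireshark's "previous segment not captured" annotations.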

Capture >> Stop

  • Stops capturing packets.

Saving a Capture: Select File >> Save As

  • The captured packets can be stored for further analysis.

Packet List Pane

Packet list – Packets in the trace are displayed in the order they were recorded.
Time – The timestamp at which the packet crossed the interface.
Source – The host the packet originated from.
Destination – The host the packet was sent to.
Protocol – The highest-level protocol Wireshark could detect in the packet.
Length – The length of the packet on the wire, in bytes.
Info – An informational message specific to the protocol shown in the Protocol column.

Packet List Default Coloring Codes

Black with red letters – TCP packets with errors
Gray – TCP packets
Light Blue – UDP packets
Pale Blue – ARP packets
Green – HTTP packets
Lavender – ICMP packets
Black with green letters – ICMP packets with errors

Color codes can be changed under View >> Coloring Rules.

Filters

Filters can be composed of multiple tests joined with boolean connectives.

  • && – logical conjunction (i.e. AND)
  • || – logical disjunction (i.e. OR)
  • ! – logical negation (i.e. NOT)

Use case examples

Displays only FTP (port 21) and ICMP traffic (protocol and field names are lowercase and case-sensitive):

  • tcp.port eq 21 or icmp

Displays only BGP (port 179):

  • tcp.port eq 179

Displays only traffic in the LAN (192.168.x.x), between workstations and servers (no Internet):

  • ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16

The “slice” feature is useful for filtering on the vendor-identifier part of a MAC address, restricting the display to packets from a specific device manufacturer, e.g. HP machines or Dell machines only.
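To show how the boolean connectives, the use-case filters and the slice syntax above actually combine, here is an added Python example (written for this page, not Wireshark's code) that parses a small subset of the display-filter language and applies it to constructed packet summaries. It supports `and`/`&&`, `or`/`||`, `not`/`!`, parentheses, `==`/`eq`, bare protocol-presence tests such as `icmp`, CIDR matches on address fields, and byte slices such as `eth.addr[0:3]`. The packet dicts, their field names and the `02:aa:bb`-style MAC prefixes are constructed placeholders, not real vendor OUIs.

```python
import ipaddress
import re

TOKEN_RE = re.compile(r"\s*(\(|\)|&&|\|\||!|==|[^\s()!=&|]+)")   # parens, operators, words
KEYWORDS = {"(", ")", "==", "eq", "and", "or", "not", "&&", "||", "!"}
ALIASES = {"ip.addr": ("ip.src", "ip.dst"), "eth.addr": ("eth.src", "eth.dst"),
           "tcp.port": ("tcp.srcport", "tcp.dstport")}   # combined fields match either direction

def tokenize(text):
    tokens = TOKEN_RE.findall(text)
    if "".join(tokens) != "".join(text.split()):   # anything the regex skipped is a syntax error
        raise ValueError(f"cannot tokenize filter: {text!r}")
    return tokens

class Parser:
    def __init__(self, text):
        self.toks, self.i = tokenize(text), 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self):
        tok, self.i = self.peek(), self.i + 1
        return tok
    def parse(self):
        node = self.expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node
    def expr(self):                     # expr := term (('or' | '||') term)*
        return self.binary(self.term, ("or", "||"), "or")
    def term(self):                     # term := factor (('and' | '&&') factor)*
        return self.binary(self.factor, ("and", "&&"), "and")
    def binary(self, operand, joiners, op):
        node = operand()
        while self.peek() in joiners:
            self.take()
            node = (op, node, operand())
        return node
    def factor(self):                   # factor := 'not' factor | '(' expr ')' | field [== value]
        tok = self.take()
        if tok in ("not", "!"):
            return ("not", self.factor())
        if tok == "(":
            node = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok is None or tok in KEYWORDS:
            raise ValueError(f"expected a field name, got {tok!r}")
        if self.peek() in ("==", "eq"):
            self.take()
            value = self.take()
            if value is None:
                raise ValueError(f"missing value after {tok}")
            return ("eq", tok, value)
        return ("present", tok)

def field_values(pkt, name):
    return [pkt[n] for n in ALIASES.get(name, (name,)) if n in pkt]

def mac_bytes(text):
    return bytes(int(octet, 16) for octet in text.split(":"))

def compare(pkt, field, value):
    """True if ANY value of the field equals `value` (Wireshark's default for multi-valued fields)."""
    window = re.match(r"^([\w.]+)\[(\d+):(\d+)\]$", field)
    if window:
        field, offset, length = window.group(1), int(window.group(2)), int(window.group(3))
    for actual in field_values(pkt, field):
        if window:             # Wireshark's [i:j] means offset i and LENGTH j, unlike a Python slice
            if mac_bytes(actual)[offset:offset + length] == mac_bytes(value):
                return True
        elif "/" in value:     # CIDR notation against an address field
            if ipaddress.ip_address(actual) in ipaddress.ip_network(value, strict=False):
                return True
        elif str(actual).lower() == value.lower():
            return True
    return False

OPS = {   # each entry evaluates one AST node kind against a packet
    "or": lambda a, b, pkt: evaluate(a, pkt) or evaluate(b, pkt),
    "and": lambda a, b, pkt: evaluate(a, pkt) and evaluate(b, pkt),
    "not": lambda a, pkt: not evaluate(a, pkt),
    "present": lambda name, pkt: name in pkt["protocols"] or bool(field_values(pkt, name)),
    "eq": lambda field, value, pkt: compare(pkt, field, value),
}

def evaluate(node, pkt):
    return OPS[node[0]](*node[1:], pkt)

def apply_filter(text, packets):
    tree = Parser(text).parse()   # returns the indexes the packet list pane would keep
    return [i for i, pkt in enumerate(packets) if evaluate(tree, pkt)]

PACKETS = [   # constructed packet summaries; the 02:xx:xx MAC prefixes are placeholders, not real OUIs
    {"protocols": {"eth", "ip", "tcp", "ftp"}, "eth.src": "02:aa:bb:01:02:03", "eth.dst": "02:cc:dd:04:05:06",
     "ip.src": "192.168.1.10", "ip.dst": "192.168.1.20", "tcp.srcport": 51234, "tcp.dstport": 21},
    {"protocols": {"eth", "ip", "icmp"}, "eth.src": "02:cc:dd:04:05:06", "eth.dst": "02:ee:ff:07:08:09",
     "ip.src": "192.168.1.10", "ip.dst": "203.0.113.5"},
    {"protocols": {"eth", "ip", "tcp", "bgp"}, "eth.src": "02:ee:ff:07:08:09", "eth.dst": "02:aa:bb:0a:0b:0c",
     "ip.src": "10.0.0.1", "ip.dst": "10.0.0.2", "tcp.srcport": 40000, "tcp.dstport": 179},
]
```

Two details worth noticing when writing real filters: `tcp.port` and `eth.addr` match either end of the packet, so `eth.addr[0:3] == 02:aa:bb` keeps a packet whose destination carries that prefix as well as one whose source does; and the slice is offset-plus-length, so `eth.addr[1:2]` selects two bytes starting at the second octet, not "bytes 1 up to 2" as a Python slice would.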

Additional filters are given below.