• ARTICLES
SEARCH

How-To Geek

How to Use Wireshark to Capture, Filter and Inspect Packets

Wireshark, a network analysis tool formerly known as Ethereal, captures packets in real time and display them in human-readable format. Wireshark includes filters, color-coding and other features that let you dig deep into network traffic and inspect individual packets.

This tutorial will get you up to speed with the basics of capturing packets, filtering them and inspecting them. You can use Wireshark to inspect a suspicious program’s network traffic, analyze the traffic flow on your network or troubleshoot network problems.

Getting Wireshark

You can download Wireshark for Windows or Mac OS X from its official website. If you’re using Linux or another UNIX-like system, you’ll probably find Wireshark in its package repositories. For example, if you’re using Ubuntu, you’ll find Wireshark in the Ubuntu Software Center.

Just a quick warning: Many organizations don’t allow Wireshark and similar tools on their networks. Don’t use this tool at work unless you have permission.

Capturing Packets

After downloading and installing Wireshark, you can launch it and click the name of an interface under Interface List to start capturing packets on that interface. For example, if you want to capture traffic on the wireless network, click your wireless interface. You can configure advanced features by clicking Capture Options, but this isn’t necessary for now.

As soon as you click the interface’s name, you’ll see the packets start to appear in real time. Wireshark captures each packet sent to or from your system. If you’re capturing on a wireless interface and have promiscuous mode enabled in your capture options, you’ll also see other the other packets on the network.

Click the stop capture button near the top left corner of the window when you want to stop capturing traffic.

Color Coding

You’ll probably see packets highlighted in green, blue and black. Wireshark uses colors to help you identify the types of traffic at a glance. By default, green is TCP traffic, dark blue is DNS traffic, light blue is UDP traffic and black identifies TCP packets with problems — for example, they could have been delivered out-of-order.

Sample Captures

If there’s nothing interesting on your own network to inspect, Wireshark’s wiki has you covered. The wiki contains a page of sample capture files that you can load and inspect.

Opening a capture file is easy; just click Open on the main screen and browse for a file. You can also save your own captures in Wireshark and open them later.

Filtering Packets

If you’re trying to inspect something specific, such as the traffic a program sends when phoning home, it helps to close down all other applications using the network so you can narrow down the traffic. Still, you’ll likely have a large amount of packets to sift through. That’s where Wireshark’s filters come in.

The most basic way to apply a filter is by typing it into the filter box at the top of the window and clicking Apply (or pressing Enter). For example, type “dns” and you’ll see only DNS packets. When you start typing, Wireshark will help you autocomplete your filter.

You can also click the Analyze menu and select Display Filters to create a new filter.

Another interesting thing you can do is right-click a packet and select Follow TCP Stream.

You’ll see the full conversation between the client and the server.

Close the window and you’ll find a filter has been applied automatically — Wireshark is showing you the packets that make up the conversation.

Inspecting Packets

Click a packet to select it and you can dig down to view its details.

You can also create filters from here — just right-click one of the details and use the Apply as Filter submenu to create a filter based on it.


Wireshark is an extremely powerful tool, and this tutorial is just scratching the surface of what you can do with it. Professionals use it to debug network protocol implementations, examine security problems and inspect network protocol internals.

Chris Hoffman is a technology writer and all-around computer geek. He's as at home using the Linux terminal as he is digging into the Windows registry. Connect with him on Google+.

  • Published 01/30/12

Comments (24)

  1. Stijn Verwaaijen

    Or get a life instead…

  2. Asgaro

    @ Stijn Verwaaijen
    Don’t like it, don’t read it.

    I will definitely check out this tool, since I recently learned about TCP and UDP protocols, packets, frames, destination ports, acknowledgement numbers, headers, window size, etc. in school!

  3. Iszi

    This is a must-have for any network engineer’s toolbox, and for some levels of power users as well.

  4. Andreas

    An amazing tool i use it to read SIP on the protocol, few things can hide from Wireshark

  5. Rajesh.Selvaraj

    Best tool to understand networking in depth.
    Every Network Admin should have this installed in his machine.

  6. Bob-El

    When I click Interface List all I get is a little tiny window that says “Device Description IP Packets Packets/s. There’s a greyed out Stop button, a Help button and a Close button.

  7. Bob-El

    Ah! I figured it out. It has to be run with admin rights otherwise you don’t get any interfaces listed.

  8. Mmmmmm

    @ Stijn Verwaaijen

    This is an amazing tool for ACTUAL technologically advanced people unlike yourself. And secondly, you posted at 5:27am. But thanks for sharing!

  9. TM

    what a hack …..

  10. ¥en

    Absolutely magic tool! STIJN VERWAAIJEN
    Not to mention the program, it’s also a tool, but unlike STIJN VERWAAIJEN, it is a useful tool…
    If you had any real sense about you, you’d now have all the info you needed to start packet sniffing and detecting abnormalities that have surpassed AV.
    Also worth a mention, script kiddies like yourself need steer well clear of sites like this, you simply havn’t the cognitive thought process or imagination to drive an article like this into good use…
    Thanks for another great article HTG, your still the best… x

  11. Kev

    This is a great article. Please post follow-up articles on this with more in depth functionality. Thanks for this and I hope there’s more to follow.

  12. Josh B.

    I second Kev. More indepth articles would be wonderful.

  13. bobby.tables

    Just a warning here: quite a few companies don’t allow Wireshark in their networks (for obvious security reasons). At my former employer we could even be fired for using it – even the IT support dept wasn’t allowed but had to use a different, “certified” tool. So before you try it at work check your IT security policy / department …

  14. Tony

    yallpostinginatrollthread.jpg

  15. Chris Hoffman

    Thanks Bobby, very true. This sort of tool is meant for your own networks and any network you have permission to use it on. I added a little warning to the article so readers know what they’re getting into.

    @Kev and Josh B

    Thanks for the idea. I’ll see what I can do with in-depth Wireshark usage in the future.

  16. RonV

    I have been using Wireshark for a long time and it’s really great for inspecting packets that show up on your network switch’s port. I just wish that I could put one port on my 8 port switch into promiscuous mode so all packets on the switch can be seen. I know on more expensive switches you can setup mirroring but for a price that most folks would want to invest in network hardware.

  17. Karan Suthar

    actually i would suggest to write up an article with Http codes and difference of protocols,
    this tool is useless without that. If you guys found it really important than you should look into their short tutorials, it will be fun.
    Also there is a command line version, for absolute mind exploding. HTG should introduce that.
    But all in all great article.

    ALSO ANYONE WHO USES LINUX, THERE ARE EXTRA STEPS TO ADD THE WIRELESS ADAPTER.
    it wont work without it.

  18. christopher

    I’ll second (or third or fourth) the more in-depth usage guide request. :)

    As a network admin, I use this at work a ton but am sure there are a number of features that I just haven’t tapped into yet.

  19. Slomem

    Be very careful whose network you attempt to sniff.

  20. David Bridges

    The Netgear Prosafe gs108t 8-port gigabit smart switch does mirroring and I bought mine for less than $100.

  21. Svend

    Thanks Chris, It’s been a long time since I’ve needed to use a ‘sniffer’. The last one I used was in fact Ethereal. I didn’t know it had changed names.

    We used to have to make sure we had a network card capable of ‘promiscuous’ mode. This meant it would also see the corrupted packets that floated around on a network, rather than filtering them out before the application could see them. I think store & forward switches pretty much block these at the switch port so you would not see as many as you used to on an older hub. It used to be a good way of finding problem network cards that were flooding the network with rubbish packets.

    Using it can teach you a lot about how the networ works but be careful not to waste days staring at it looking for problems that were never really a problem to anyone except the people who looked for them.

  22. Prajwal kumar G

    This is the best tool to monitor the network, in fact I am using this tool from a long time, its a must tool for all system or network admin…

  23. D84

    I would like to see more articles on this topic. Next time a little more in depth. Perhaps create a series on this topic which shouldn’t be difficult to do. Professional training and books on Wireshark are expensive and I prefer to learn on my own. So this type of tutorial is perfect.

  24. Chris Hoffman

    I plan on writing a post with a few more advanced Wireshark tricks today. Readers seem to want it, so I’ll try to do regular posts with more Wireshark content.

Get Free Articles in Your Inbox!

Join 134,000 newsletter readers

Email:

Go check your email!