Wireshark

Archived

This page has been archived and will receive no further updates.

Install Wireshark

Install Wireshark on Ubuntu

sudo apt install wireshark

If Wireshark cannot see network traffic

  1. In a terminal, run sudo dpkg-reconfigure wireshark-common

    1. Should non-superusers be able to capture packets? > __

  2. Run sudo usermod -a -G wireshark $USER

Then to apply the changes immediately without logging out:

  1. In a terminal, run

    newgrp wireshark
wireshark

Use Wireshark

Clear the list of captured packets

  1. Stop the packet capture

  2. Start a new capture and select Continue without Saving

Capturing packets using tcpdump for viewing using Wireshark

https://www.wireshark.org/docs/wsug_html_chunked/AppToolstcpdump.html

Filtering

  • Type your filter in the text box near the top that says Apply a display filter and press Enter

  • Filter by source IP:

    ip.src==192.168.0.1

  • Filter by destination IP:

    ip.dst==192.168.0.1

  • Combine filters using and/or:

    ip.src==192.168.0.1 and ip.dst==192.168.0.1
ip.src==192.168.0.1 or ip.dst==192.168.0.1

Add a new column (e.g. destination port)

  1. Right click the column headers > Column Preferences…

  2. Click the plus sign near the lower left to add a new column (don’t worry about title or type yet) > OK

  3. Right click the new column > Edit Column

  4. Select the column Type, e.g. Destination Port

  5. Change the column Title as desired

  6. OK

View absolute dates/times instead of relative

View > Time Display Format > Date and Time of Day

Traffic flow graph

Statistics > Flow Graph

Show one specific connection/session from start to finish

  1. Right-click one of the packets in the connection > Follow > TCP Stream

  2. A window will pop up with the TCP stream contents, which you can close

Decrypt HTTPS traffic

  1. Start a capture in Wireshark

  2. The client will need to dump its TLS key to a file

    For example, with curl, use SSLKEYLOGFILE, e.g.

    SSLKEYLOGFILE=deleteme-tlskey-curl curl ...

  3. Configure Wireshark with the location of the TLS key file

    1. Edit > Preferences > Protocols > TLS

    2. Configure (Pre)-Master-Secret log filename to point to the TLS Key file location

  4. The list of captures should immediately be updated with the decrypted packets, which should be highlighted green and the protocol should start with HTTP