Wireshark: the tool that lets you see things on the network you've never seen before!


Wireshark is one of the best protocol analysers available: it captures network traffic in real time and decodes it layer by layer. Here are some tips for getting started with this sniffer.

Wireshark: 5 tips to get started

#1 – Choice of Interface

Using Wireshark is relatively simple. To get started, choose the interface whose traffic you want to sniff and click Start; every frame seen on that interface is then listed in the main window as it arrives. Two practical points: capturing normally requires elevated privileges (root or membership of the capture group on Linux/macOS, Npcap on Windows), and on a switched network your interface only sees broadcast traffic and traffic to or from your own host, so to watch other machines you need a mirror/SPAN port, a network tap, or a capture taken on the host in question.

#2 – Color scheme in the lines

When a user sees Wireshark's output for the first time, the obvious question is what the row colors mean. With the default coloring rules:

  • Light purple – TCP traffic
  • Light green – HTTP traffic
  • Light blue – UDP traffic (this is where DNS over UDP lands)
  • Black with red text – TCP segments with problems (the "Bad TCP" rule: retransmissions, out-of-order segments, duplicate ACKs, zero window)

Rules are tried from the top down and a row takes the color of the first rule it matches, which is why an HTTP segment is green rather than purple. To see the complete Wireshark color scheme, and the order of the rules, open View -> Coloring Rules.

#3 – Follow TCP Stream

One of the most useful features of Wireshark is Follow TCP Stream (right-click a packet and choose Follow -> TCP Stream, or Analyze -> Follow -> TCP Stream). It reassembles the payload of both directions of one TCP connection and shows it as a single conversation, with the client's and the server's data in different colors, and at the same time applies a display filter on that stream's number so that the packet list shows only that connection, from the first SYN to the closing FIN/ACK exchange. Only plaintext protocols are readable this way: for a TLS connection the stream view shows ciphertext unless Wireshark has been given the session keys.

#4 – Protocol Hierarchy

Besides looking at individual packets, we can also get usage statistics per protocol. Go to Statistics > Protocol Hierarchy: it breaks the captured frames down by layer (Ethernet, IP, TCP/UDP, application protocols) with packet and byte counts and percentages. If a display filter is active, the statistics cover only the packets that match it, which makes it a quick way to see what a single host or port is actually carrying.

#5 – Filters

As the name suggests, display filters let us pick out what we want from the capture: by protocol, by network address, by port, by MAC address, and so on. Some examples:

  • Filter by IP – ip.addr matches packets in which the address appears as either source or destination; to match only one direction use ip.src (source) or ip.dst (destination). Beware the classic pitfall: ip.addr != x does not exclude host x, because the comparison is true as soon as either address in the packet differs; negate the whole match, !(ip.addr == x), instead.
  • Filter by port – Filtering by port works the same way. tcp.port matches either end of a TCP segment, while tcp.srcport and tcp.dstport match only the source or only the destination port (udp.port, udp.srcport and udp.dstport exist for UDP).
  • Filter by MAC – eth.addr followed by the MAC address (six colon-separated hex bytes, as Wireshark displays it) matches frames in which it is source or destination; eth.src and eth.dst restrict the match to one side.
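The following Python script is an added example, not code from the original article or from the Wireshark project, and it serves tips #4 and #5 together. It writes a small constructed capture (five hand-built Ethernet/IPv4/TCP+UDP frames with made-up MACs, addresses and ports, with valid IP and TCP/UDP checksums) to practice.pcap so the reader can open it in Wireshark and try the filters, and it re-implements just enough of the display-filter field semantics to show how ip.addr, tcp.port and eth.addr differ from their src/dst forms, plus a per-layer count of the kind Statistics > Protocol Hierarchy produces. The mini-evaluator only understands "field == value" clauses and bare protocol names joined with &&; it illustrates the semantics and is not Wireshark's filter engine.

```python
"""Practice capture + display-filter walkthrough for Wireshark tips #4 and #5.
Added example, not from the original article. All packets, MACs, IPs and ports
are constructed; the filter evaluator re-implements only the field semantics
discussed in the text (ip.addr vs ip.src/ip.dst, tcp.port vs tcp.srcport/
tcp.dstport, eth.addr), not Wireshark's real filter engine."""
import socket
import struct
from collections import Counter

# Constructed traffic: HTTP request/response, DNS query/response, inbound SSH.
# Columns: src MAC, dst MAC, transport, src IP, dst IP, src port, dst port, payload.
SAMPLE = [
    ("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "tcp", "10.0.0.5", "203.0.113.10", 51000, 80, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
    ("aa:bb:cc:00:00:02", "aa:bb:cc:00:00:01", "tcp", "203.0.113.10", "10.0.0.5", 80, 51000, b"HTTP/1.1 200 OK\r\n\r\n"),
    ("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "udp", "10.0.0.5", "10.0.0.1", 40000, 53, b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x01x\x00\x00\x01\x00\x01"),
    ("aa:bb:cc:00:00:02", "aa:bb:cc:00:00:01", "udp", "10.0.0.1", "10.0.0.5", 53, 40000, b"\x12\x34\x81\x83\x00\x01\x00\x00\x00\x00\x00\x00\x01x\x00\x00\x01\x00\x01"),
    ("aa:bb:cc:00:00:03", "aa:bb:cc:00:00:01", "tcp", "10.0.0.7", "10.0.0.5", 44444, 22, b"SSH-2.0-OpenSSH_9.0\r\n"),
]

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used by IPv4, TCP and UDP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_frame(pkt) -> bytes:
    """Serialise one SAMPLE row as Ethernet II / IPv4 / TCP-or-UDP / payload."""
    smac, dmac, proto, sip, dip, sport, dport, payload = pkt
    if proto == "tcp":  # 20-byte header, PSH|ACK, checksum patched in below
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
        ip_proto, csum_off = 6, 16
    else:               # 8-byte UDP header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
        ip_proto, csum_off = 17, 6
    l4 += payload
    src, dst = socket.inet_aton(sip), socket.inet_aton(dip)
    pseudo = src + dst + struct.pack("!BBH", 0, ip_proto, len(l4))  # L4 pseudo-header
    l4 = l4[:csum_off] + struct.pack("!H", checksum(pseudo + l4)) + l4[csum_off + 2:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0x4000, 64, ip_proto, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = bytes.fromhex(dmac.replace(":", "")) + bytes.fromhex(smac.replace(":", "")) + b"\x08\x00"
    return eth + ip + l4

def verify_frame(frame: bytes) -> bool:
    """Recompute both checksums (assumes a 20-byte IP header), as Wireshark does
    when checksum validation is enabled; a correct header sums to zero."""
    ip, l4 = frame[14:34], frame[34:]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, ip[9], len(l4))
    return checksum(ip) == 0 and checksum(pseudo + l4) == 0

def pcap_bytes(frames) -> bytes:
    """Classic libpcap file: 24-byte global header (link type 1 = Ethernet),
    then a 16-byte record header (ts_sec, ts_usec, incl_len, orig_len) per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return out

def field_values(pkt, name: str) -> set:
    """Values the named Wireshark field carries for this packet (empty if absent).
    ip.addr, eth.addr and tcp/udp.port match EITHER direction; src/dst match one."""
    smac, dmac, proto, sip, dip, sport, dport, _ = pkt
    table = {"eth.src": {smac}, "eth.dst": {dmac}, "eth.addr": {smac, dmac},
             "ip.src": {sip}, "ip.dst": {dip}, "ip.addr": {sip, dip},
             proto + ".srcport": {str(sport)}, proto + ".dstport": {str(dport)},
             proto + ".port": {str(sport), str(dport)}}
    return table.get(name, set())

def matches(pkt, expr: str) -> bool:
    """Tiny subset of display-filter syntax: 'field == value' clauses and bare
    protocol names (eth, ip, tcp, udp) joined with '&&'. Values are compared as
    lower-case strings, so write MACs as Wireshark displays them."""
    for clause in expr.split("&&"):
        clause = clause.strip()
        if "==" in clause:
            name, value = (s.strip() for s in clause.split("==", 1))
            if value.lower() not in field_values(pkt, name):
                return False
        elif clause not in ("eth", "ip", pkt[2]):
            return False
    return True

def apply_filter(expr: str, packets=SAMPLE) -> list:
    """Frame numbers (1-based, like Wireshark's No. column) that match expr."""
    return [i + 1 for i, p in enumerate(packets) if matches(p, expr)]

def protocol_hierarchy(packets=SAMPLE) -> Counter:
    """Frames per layer, like Statistics > Protocol Hierarchy. The application
    layer is guessed from well-known ports, which is also Wireshark's default."""
    counts = Counter()
    for _smac, _dmac, proto, _sip, _dip, sport, dport, _ in packets:
        counts.update(["eth", "ip", proto])
        for port, app in ((80, "http"), (53, "dns"), (22, "ssh")):
            if port in (sport, dport):
                counts[app] += 1
    return counts

if __name__ == "__main__":
    frames = [build_frame(p) for p in SAMPLE]
    with open("practice.pcap", "wb") as fh:
        fh.write(pcap_bytes(frames))
    for f in ("ip.addr == 10.0.0.5", "ip.src == 10.0.0.5", "ip.dst == 10.0.0.5",
              "tcp.port == 80", "tcp.srcport == 80", "eth.addr == aa:bb:cc:00:00:03"):
        print(f"{f:32} -> frames {apply_filter(f)}")
    print(dict(protocol_hierarchy()))
```

Run it, open practice.pcap in Wireshark and type the same expressions into the display-filter bar: the numbers in the No. column should agree with the script's output, and Statistics > Protocol Hierarchy should show the same split between TCP and UDP. Note that ip.addr == 10.0.0.5 selects all five frames while ip.src == 10.0.0.5 selects only two; that difference is exactly what the src/dst variants are for.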
