Wireshark is one of the best protocol analysis tools; it allows real-time capture of network traffic. Today we share a few tips for using this sniffer.
Wireshark: 5 tips to get started
#1 – Choice of Interface
Using Wireshark is relatively simple. To get started, just choose the interface on which traffic is to be sniffed. Then press Start and all traffic will be displayed in the application.
#2 – Color scheme in the lines
When a user sees how Wireshark works for the first time, they will wonder what the colors in the output mean. In general and by default, the line colors mean:
- Green – TCP traffic
- Dark blue – DNS traffic
- Light blue – UDP traffic
- Black – TCP segments with problems
If the user wants to see the complete Wireshark color scheme, simply go to View -> Coloring Rules.
#3 – Follow TCP Stream
One of the interesting features of Wireshark is Follow TCP Stream. This functionality allows you to view complete TCP streams; that is, with this option the user can follow the entire communication from the first SYN to the FIN-ACK.
#4 – Protocol Hierarchy
In addition to real-time traffic analysis, we can also see usage statistics for each protocol. To do this, go to Statistics > Protocol Hierarchy.
#5 – Filters
As the name suggests, filters allow us to select, from a set of information, what we want. We can filter by protocol, by network address, by port, by MAC address, etc. Here are some examples:
- Filter by IP – In the case of searches by IP, we can, for example, search by address (ip.addr) or by destination address (ip.dst).
- Filter by logical port – Filtering by port is similar to the previous example. We can simply filter by a TCP port (e.g. tcp.port), but we can also be more specific and filter by source port (tcp.srcport) or destination port (tcp.dstport).
- Filter by MAC – The search by MAC is done using the field eth.addr followed by the MAC address.
It should also be noted that it is possible to use logical operators. This allows us to refine the filter when we want information on more than one protocol.
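As an added example (not part of the original article), the following Python models how these display filter fields behave over a small constructed capture: the combined fields (ip.addr, tcp.port, eth.addr) match either end of the conversation, the .src/.dst variants match one end only, and clauses joined with "and"/"or" behave as in Wireshark. The packet records and the helper names are constructed for this illustration.

```python
"""Mini model of Wireshark display-filter semantics (added example)."""

# Constructed sample capture: a DNS lookup (frames 1-2) followed by an
# HTTPS connection (frames 3-4). Keys mirror Wireshark field names.
PACKETS = [
    {"no": 1, "eth.src": "aa:bb:cc:00:00:01", "eth.dst": "aa:bb:cc:00:00:02",
     "ip.src": "192.168.1.10", "ip.dst": "192.168.1.1",
     "udp.srcport": 51000, "udp.dstport": 53},
    {"no": 2, "eth.src": "aa:bb:cc:00:00:02", "eth.dst": "aa:bb:cc:00:00:01",
     "ip.src": "192.168.1.1", "ip.dst": "192.168.1.10",
     "udp.srcport": 53, "udp.dstport": 51000},
    {"no": 3, "eth.src": "aa:bb:cc:00:00:01", "eth.dst": "aa:bb:cc:00:00:02",
     "ip.src": "192.168.1.10", "ip.dst": "93.184.216.34",
     "tcp.srcport": 40000, "tcp.dstport": 443},
    {"no": 4, "eth.src": "aa:bb:cc:00:00:02", "eth.dst": "aa:bb:cc:00:00:01",
     "ip.src": "93.184.216.34", "ip.dst": "192.168.1.10",
     "tcp.srcport": 443, "tcp.dstport": 40000},
]

# As in Wireshark, ip.addr / tcp.port / udp.port / eth.addr match EITHER
# direction, whereas ip.src, ip.dst, tcp.srcport, ... match one end only.
COMBINED = {
    "ip.addr": ("ip.src", "ip.dst"),
    "tcp.port": ("tcp.srcport", "tcp.dstport"),
    "udp.port": ("udp.srcport", "udp.dstport"),
    "eth.addr": ("eth.src", "eth.dst"),
}


def field_equals(packet, field, value):
    """Evaluate `field == value` for one packet, expanding combined fields."""
    names = COMBINED.get(field, (field,))
    return any(packet.get(name) == value for name in names)


def apply_filter(packets, *clauses, op="and"):
    """Apply (field, value) clauses joined by 'and' or 'or'.

    Returns the frame numbers that match, like the packet list after a
    display filter is applied.
    """
    join = all if op == "and" else any
    return [p["no"] for p in packets
            if join(field_equals(p, f, v) for f, v in clauses)]


if __name__ == "__main__":
    print("ip.addr == 192.168.1.10 ->", apply_filter(PACKETS, ("ip.addr", "192.168.1.10")))
    print("ip.dst == 192.168.1.10  ->", apply_filter(PACKETS, ("ip.dst", "192.168.1.10")))
    print("udp.port == 53 or tcp.port == 443 ->",
          apply_filter(PACKETS, ("udp.port", 53), ("tcp.port", 443), op="or"))
```

Note that joining two different protocols with "and" (for example tcp.port == 443 and udp.port == 53) matches nothing, because no single frame carries both; "or" is the operator that combines them.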