Wireshark also offers some really great tools that help to make your network analysis much easier. Two of these tools (Filters and Expert Infos) I will highlight in this tutorial.

Getting and installing

Wireshark can be found in your distribution repositories. To install it follow these steps:

1. Open up your Add/Remove Software tool.
2. Search for “wireshark” (no quotes).
3. Mark Wireshark for installation.
4. Click Apply to install.

Once installed you will find Wireshark in your Internet sub menu of your Applications or Start menu. You will notice there are two entries for Wireshark: “Wireshark “and “Wireshark (as root)”. The problem with the non-root version is that the standard user might not have access to the networking interface. Because of this you have two choices: give the standard user access to the interface, or run the root version of Wireshark. I generally just use the root version of Wireshark.

Starting a capture

Figure 1

When you first open up Wireshark you will be greeted by the main window (see Figure 1).

In this main window you will find everything you need to start a capture. Take a look at the row of icons under the menu toolbar. The second icon from the left is the icon you want to click to set up a capture. Clicking this button will

Figure 2

open up the Capture Options window (see Figure 2). In the Capture Options window you must configure, at minimum, an interface which to use for the capture. All available interfaces will be listed in the Interface dropdown.

Once you have selected your interface you can then go through the rest of the options window and set up your capture to fit your needs. After you have taken care of your configuration needs click the Start button and your capture will begin.

Filter your capture

Figure 3

As you can see, in Figure 3, for some people the capture information can be a bit overwhelming. There is a lot of data streaming by.

But say you only want to follow traffic going to and from your internal gateway. To do this click on the Filter button to open up the filter dialog. In this dialog you

Figure 4

are going to set up a filter that will filter out all traffic but that traffic seen by your gateway (see Figure 4). What you need to do is give the filter a name and then set the string. The best way to figure out the expression to use is to look at some of the examples. So for watching only a gateway at IP address 192.168.1.254 the filter string would be:

ip.addr == 192.168.1.254

With the configuration in place click the OK button and the filter will immediately be in place.

Expert Infos

Figure 5

During your capture you might not be able to discern what is going on with your network. That’s okay. There’s a tool available that will help you with that. If, during a capture, you click the Analyze menu and select the Expert Infos entry a new window will open up. This new window (see Figure 5) will give you a clearer picture as to what is going on with your network.

If this window doesn’t help out you can also go to the Expert Infos Composite which organizes Errors, Warnings,  Chats, and Details into separate tabs.

Final thoughts

Wireshark should be a tool you use. And after using this analyzer you most likely will find it becoming your “go-to analyzer” for day-to-day needs. Wireshark is simple, powerful, and free.

Three Network Monitor Experts have been released so far, the last less than two weeks ago. Available are the Simple Search, Top Users and TCP Analyzer Experts. Here is a short summary of what these Experts do:

• Simple Search Lets you search frames and comments for raw ASCII text case-insensitively or with regular expressions.
• Top Users Lets you determine the heaviest users of network bandwidth.
• TCP Analyzer This tool analyzes network traces of Transmission Control Protocol (TCP) connections.

The Experts can be downloaded separately and need to be installed before they can be used. It is recommended to close the Network Monitor before installing the add-ons. The Experts become then available in the Experts menu on top of the program.

Microsoft Network Monitor is offered as a free download for 32-bit and 64-bit editions of the Windows operating system.

The actual capturing process does not start before the user clicks on the Start button of the application. Another possibility would be to load a previously saved session which can be displayed as well in the interface. The network traffic will be captured continuously until the user decides to stop the capturing process.

Filters can be used to narrow down the results. About 25 default filters are available like filtering by IPv4 addresses but the user can also define his own filters. Each frame is displayed listing the process name, source and destination IP, protocol name and description. Another pane is displaying details about the currently selected frame.

The network monitor runs on Windows XP, Windows Vista, Windows Server 2003 and Windows Server 2008 and is available for 32-bit and 64-bit editions of the selected operating systems.