Use Wireshark to track your network behavior
Any time I need network analysis I turn to Wireshark. Wireshark is, in my opinion, the defacto standard for network protocol analyzers. Not only is it incredibly powerful, useful, and user-friendly it is also FREE! But what exactly is Wireshark?
Simple: Wireshark is a network protocol analyzer that watches and logs all incoming and outgoing traffic as defined by your needs. This tool can not only read traffic live, it can read traffic from a previous dump. And it can read files from other applications such as tcpdump and Microsoft Network Analyzer.
Wireshark also offers some really great tools that help to make your network analysis much easier. Two of these tools (Filters and Expert Infos) I will highlight in this tutorial.
Getting and installing
Wireshark can be found in your distribution repositories. To install it follow these steps:
- Open up your Add/Remove Software tool.
- Search for "wireshark" (no quotes).
- Mark Wireshark for installation.
- Click Apply to install.
Once installed you will find Wireshark in your Internet sub menu of your Applications or Start menu. You will notice there are two entries for Wireshark: "Wireshark "and "Wireshark (as root)". The problem with the non-root version is that the standard user might not have access to the networking interface. Because of this you have two choices: give the standard user access to the interface, or run the root version of Wireshark. I generally just use the root version of Wireshark.
Starting a capture
When you first open up Wireshark you will be greeted by the main window (see Figure 1).
In this main window you will find everything you need to start a capture. Take a look at the row of icons under the menu toolbar. The second icon from the left is the icon you want to click to set up a capture. Clicking this button will
open up the Capture Options window (see Figure 2). In the Capture Options window you must configure, at minimum, an interface which to use for the capture. All available interfaces will be listed in the Interface dropdown.
Once you have selected your interface you can then go through the rest of the options window and set up your capture to fit your needs. After you have taken care of your configuration needs click the Start button and your capture will begin.
Filter your capture
As you can see, in Figure 3, for some people the capture information can be a bit overwhelming. There is a lot of data streaming by.
But say you only want to follow traffic going to and from your internal gateway. To do this click on the Filter button to open up the filter dialog. In this dialog you
are going to set up a filter that will filter out all traffic but that traffic seen by your gateway (see Figure 4). What you need to do is give the filter a name and then set the string. The best way to figure out the expression to use is to look at some of the examples. So for watching only a gateway at IP address 192.168.1.254 the filter string would be:
ip.addr == 192.168.1.254
With the configuration in place click the OK button and the filter will immediately be in place.
During your capture you might not be able to discern what is going on with your network. That's okay. There's a tool available that will help you with that. If, during a capture, you click the Analyze menu and select the Expert Infos entry a new window will open up. This new window (see Figure 5) will give you a clearer picture as to what is going on with your network.
If this window doesn't help out you can also go to the Expert Infos Composite which organizes Errors, Warnings, Chats, and Details into separate tabs.
Wireshark should be a tool you use. And after using this analyzer you most likely will find it becoming your "go-to analyzer" for day-to-day needs. Wireshark is simple, powerful, and free.Advertisement