Wireshark Starter Guide for Beginners

Wireshark is an open source network packet analyzer/sniffer which captures data packets from network interfaces and shows them in readable form for analysis.

  • Wireshark supports a wide range of protocols like TCP, UDP, HTTP, IP, ARP, RARP, ICMP etc.
  • Live Network Traffic analysis/sniffing
  • Open Source Project
  • User Friendly Interface

Installation :

You can download Wireshark from https://www.wireshark.org/

Wireshark Use example :

Start Wireshark and select the interface you want to capture from. In this example we select eth0.

A more detailed Wireshark tutorial can be found here : https://www.javatpoint.com/wireshark

Wireshark Filter Basics :

Capture Filters :

  • A capture filter ensures that only a specific type of network traffic is captured from the selected network interface.
  • A capture filter can be set before packet capturing starts or through the ‘Capture Options’ button, by entering the filter rule.

Setting up Capture filters :

  1. Set the capture filter when the application starts.
  2. Set the capture filter using the settings button.

Example of Capture Filters :

  • Capture TCP packets from source port 443 : tcp src port 443
  • Drop all UDP packets : not udp
  • Capture packet from source IP 192.168.1.10 and port 232 : src 192.168.1.10 and port 232
  • Capture traffic from particular host : host 192.168.1.10
  • Capture packets from a CIDR range of IP : net 192.168.1.0/24
  • Capture packets from a CIDR range of IP as a packet source : src net 192.168.1.0/24
  • Capture packets from a CIDR range of IP as a packet destination : dst net 192.168.1.0/24
  • Capture traffic from a particular port : port 53
  • Capture http and smtp traffic from a particular host : host 192.168.1.10 and (port 80 or port 25), or by name, host example.com and (port 80 or port 25)

Display Filters :

  • A display filter restricts which captured packets are shown in the packet list window.
  • Display filters can use the display filter comparison operators.

  • Logical operators on wireshark :

Some example of Display filters :

  • Display only tcp port 80 : tcp.port==80
  • Display packet by IP (source or destination) : ip.addr==192.168.1.10
  • Display packet by source IP : ip.src==192.168.1.10
  • Display packet by destination IP : ip.dst==192.168.1.10
  • Filter by IP range : ip.addr >= 192.168.1.10 and ip.addr <= 192.168.1.100
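  • Filter by multiple IP addresses : ip.addr == 192.168.1.10 and ip.addr == 192.168.1.100 (shows only packets exchanged between the two addresses; use or instead of and to show packets involving either one)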
  • Filter out ip address : !(ip.addr == 192.168.1.100)
  • Filter subnet : ip.addr == 192.168.1.0/24
  • Filter by destination port : tcp.dstport == 80
  • Filter by ip address and port : ip.addr == 192.168.1.10 and tcp.port == 80
  • Filter by HTTP Host header : http.host == "www.example.com"
  • Filter by time stamp : frame.time >= "Aug 30, 2021 20:00:00"
  • Filter SYN Flag : tcp.flags.syn == 1 and tcp.flags.ack == 0
  • Host name filter : ip.host == hostname
  • MAC Address filter : eth.addr == 00:70:f4:23:18:c4
  • RST flag filter : tcp.flags.reset == 1
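
Added example (not part of the original guide): a small Python model of how Wireshark evaluates ip.addr, which stands for both the source and the destination address, so a comparison is true when either one satisfies it. The sample packets and helper names are constructed for illustration; the output shows which packets the multiple-address, exclusion and range filters listed above actually select.

```python
import ipaddress

ip = ipaddress.ip_address

# Constructed sample packets as (source, destination); not from a real capture.
PACKETS = {
    "A": ("192.168.1.10", "192.168.1.100"),
    "B": ("192.168.1.10", "203.0.113.5"),
    "C": ("192.168.1.5", "192.168.1.200"),   # neither address is inside .10-.100
    "D": ("192.168.1.100", "192.168.1.50"),
}
LO, HI = "192.168.1.10", "192.168.1.100"

def ip_addr(pkt, op, value):
    """Model of ip.addr: true if ANY of the two addresses satisfies the comparison."""
    v = ip(value)
    test = {"==": lambda a: a == v,
            ">=": lambda a: a >= v,
            "<=": lambda a: a <= v}[op]
    return any(test(ip(a)) for a in pkt)

def in_range(addr):
    """True if one single address lies inside LO..HI (models ip.src / ip.dst)."""
    return ip(LO) <= ip(addr) <= ip(HI)

# Each key is the display filter being modelled.
FILTERS = {
    "ip.addr == LO and ip.addr == HI":
        lambda p: ip_addr(p, "==", LO) and ip_addr(p, "==", HI),
    "ip.addr == LO or ip.addr == HI":
        lambda p: ip_addr(p, "==", LO) or ip_addr(p, "==", HI),
    "!(ip.addr == HI)":
        lambda p: not ip_addr(p, "==", HI),
    # src can satisfy >= while dst satisfies <=, so packet C slips through.
    "ip.addr >= LO and ip.addr <= HI":
        lambda p: ip_addr(p, ">=", LO) and ip_addr(p, "<=", HI),
    # Testing each field on its own keeps both bounds on the same address.
    "(ip.src >= LO and ip.src <= HI) or (ip.dst >= LO and ip.dst <= HI)":
        lambda p: in_range(p[0]) or in_range(p[1]),
}

def matches(name):
    """Return the ids of the sample packets the modelled filter would display."""
    return [pid for pid, pkt in PACKETS.items() if FILTERS[name](pkt)]

if __name__ == "__main__":
    for name in FILTERS:
        print(f"{name:70} -> {matches(name)}")
```

Packet C is displayed by the ip.addr range filter even though neither of its addresses is in the range; bounding ip.src and ip.dst separately avoids that.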

Filter Expression :

The Filter Expression dialog box helps users create capture and display filters. It can be launched by right-clicking on the Capture/Display filter. The expression is created using the steps below :

  1. Select the protocol for which you want to create criteria and expand its options.
  2. Once you find the desired criteria, select the relation, such as equal to == or greater than >.
  3. Next, provide the value you want to compare against.

WireShark CheatSheet :

Some Useful Learning Resources :
