
Packet sniffing with Wireshark

Wireshark can be used to capture all network traffic on the local or on a remote computer for further analysis. In both cases, on Linux, capturing needs privileged access to the network interfaces: either root, or (on Debian) membership of the wireshark group after dpkg-reconfigure wireshark-common has granted the capture privileges to dumpcap, which avoids running the Wireshark GUI itself as root. The captured traffic can be filtered by address, protocol type or port number, either while capturing or when displaying.

There are two filter types, with different syntaxes that are not interchangeable:

  1. Capture filters (pcap/BPF syntax): decide what traffic is captured; packets that do not match are never written to the capture file.
    • Only TCP traffic: tcp
    • Only UDP traffic: udp
    • All TCP traffic from address 10.1.1.8: tcp and src host 10.1.1.8
    • All DNS traffic: port 53
  2. Display filters (Wireshark's own syntax, see Display filters): limit the view in Wireshark; everything stays in the capture file.
    • Only from IP address 10.1.1.8: ip.src==10.1.1.8
    • All HTTP traffic to 10.1.1.8: ip.dst==10.1.1.8 && http
    • Only DNS queries, without the responses: dns.flags.response==0

On Debian style Linux Wireshark can be installed (as root) with:

apt-get install wireshark

To capture on a remote Linux computer, install tshark on that remote computer with:

apt-get install tshark

and then start Wireshark locally and feed it the output of tshark over ssh (public key authentication without a password prompt is preferred, and the remote account must be allowed to capture, e.g. root with ssh access enabled). The process substitution <( ... ) requires bash:

wireshark -k -i <( ssh root@remote-address-here /usr/bin/tshark -i listening-interface -w - wireshark-options-here )

Give tshark a capture filter such as not tcp port 22 in the options, otherwise the ssh session that carries the capture back is itself captured and the stream keeps growing with its own traffic. Wireshark 2.2 and later also ship an sshdump extcap interface that does the same from the GUI.

Or, if you have an rpcapd daemon (the WinPcap/Npcap remote capture protocol) running somewhere, you can connect to that remote interface with the GUI options in Wireshark (e.g., a router with Tomato firmware and a custom rpcapd).

Try Wireshark on the virtual machine located at

/opt/VMWARE/Wireshark Ubuntu/

Launch it with VMware Player (Open an existing virtual machine). See what information can be gathered by just listening to DNS requests while browsing the Internet.
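The following is an added example and not part of the original page: it illustrates both the display-filter section above and this DNS exercise. It builds a few Ethernet/IPv4/UDP frames in the script itself (constructed sample traffic, nothing is captured), parses them the way a dissector does, and lists the names that the host 10.1.1.8 asked its resolver for, which is exactly the selection the display filter ip.src==10.1.1.8 && dns.flags.response==0 makes in Wireshark. The addresses and names are assumptions chosen to match the page.

```python
"""Added example, not part of the original page: parse a few constructed
Ethernet/IPv4/UDP frames and list the DNS names queried by one host, which is
what the display filter  ip.src==10.1.1.8 && dns.flags.response==0  shows in
Wireshark. The traffic below is built in this script; nothing is captured."""
import socket
import struct

ETH_P_IP = 0x0800
IPPROTO_UDP = 17
DNS_PORT = 53


def build_dns_message(qname, flags=0x0100, txid=0x1234):
    """Minimal DNS message with one question (A/IN). flags=0x0100 is a query
    with recursion desired; 0x8180 looks like a response (answers omitted)."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    return header + name + b"\x00" + struct.pack("!HH", 1, 1)


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Wrap payload in UDP/IPv4/Ethernet headers (checksums and MACs left zero)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64,
                     IPPROTO_UDP, 0, socket.inet_aton(src_ip),
                     socket.inet_aton(dst_ip)) + udp
    return b"\x00" * 12 + struct.pack("!H", ETH_P_IP) + ip


def parse_qname(msg, offset):
    """Decode a DNS name at offset, following compression pointers (RFC 1035 4.1.4)."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:  # pointer: the rest of the name lives elsewhere
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            labels.append(parse_qname(msg, pointer)[0])
            return ".".join(labels), offset + 2
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_frame(frame):
    """Return the fields a display filter would test, or None if not IPv4/UDP."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ip = frame[14:]
    if ip[9] != IPPROTO_UDP:
        return None
    udp = ip[(ip[0] & 0x0F) * 4:]
    sport, dport = struct.unpack("!HH", udp[:4])
    pkt = {"ip.src": socket.inet_ntoa(ip[12:16]), "ip.dst": socket.inet_ntoa(ip[16:20]),
           "udp.srcport": sport, "udp.dstport": dport, "dns": None}
    if DNS_PORT in (sport, dport):
        msg = udp[8:]
        flags, qdcount = struct.unpack("!HH", msg[2:6])
        names, off = [], 12
        for _ in range(qdcount):
            name, off = parse_qname(msg, off)
            names.append(name)
            off += 4  # skip QTYPE and QCLASS
        pkt["dns"] = {"response": bool(flags & 0x8000), "qnames": names}
    return pkt


def dns_queries_from(frames, src_ip):
    """Same selection as  ip.src==<src_ip> && dns.flags.response==0  in Wireshark."""
    names = []
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt and pkt["ip.src"] == src_ip and pkt["dns"] and not pkt["dns"]["response"]:
            names.extend(pkt["dns"]["qnames"])
    return names


# Constructed sample traffic: a browser on 10.1.1.8 resolving two names via the
# resolver 10.1.1.1, one reply, a query from another host, and one NTP datagram.
SAMPLE_FRAMES = [
    build_frame("10.1.1.8", "10.1.1.1", 51000, 53, build_dns_message("www.example.com")),
    build_frame("10.1.1.1", "10.1.1.8", 53, 51000, build_dns_message("www.example.com", flags=0x8180)),
    build_frame("10.1.1.8", "10.1.1.1", 51001, 53, build_dns_message("mail.example.org")),
    build_frame("10.1.1.9", "10.1.1.1", 51002, 53, build_dns_message("other.example.net")),
    build_frame("10.1.1.8", "10.1.1.1", 51003, 123, b"\x1b" + b"\x00" * 47),
]

if __name__ == "__main__":
    for name in dns_queries_from(SAMPLE_FRAMES, "10.1.1.8"):
        print("10.1.1.8 asked for", name)
```

Running the script prints the two names queried by 10.1.1.8; the response, the query from 10.1.1.9 and the NTP datagram are left out, just as Wireshark hides them under that display filter. The point of the exercise is visible in the output: even without reading any page content, the resolver (or anyone on the path to it) learns which sites a host visits.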

Wireshark

Wireshark user manual

Last modified: 2014/01/10 16:12