How to Use Wireshark
Wireshark is an open-source packet analyzer that is typically used for network troubleshooting and data analysis. This software is a tool that most cybersecurity defense teams use to analyze packets.
You can use Wireshark to see what you are sending to other devices, as well as who you are sending it to. The other information Wireshark gives you is very important to the security field. It is like Google Maps for networks, and it lets you analyze network traffic in real time.
Wireshark can be used on all major operating systems, such as Windows, Linux, and macOS, to name a few. Using Wireshark is not for most beginners, since you will need some networking knowledge.
One of the biggest things about Wireshark is that it shows layers two through five of the network model (link layer, network layer, transport layer, application layer). This can be great for monitoring your home network's security.
Wireshark Install
Let's get started. First, you will want to download Wireshark from a reliable source. Since Wireshark has its own website, we will download it from HERE. Now choose the download based on your operating system (OS). If you do not know your OS, type "system information" into the search bar on your computer, which will tell you what OS you have. After installing Wireshark, create a shortcut for the application so it is on your desktop.
*Note: if you are using a corporate computer that is not your personal computer, you will run into an install problem. On corporate computers you will need ADMIN privileges to install the application. Please contact your local IT support for this part.
Wireshark Setup
When the install is finished, open up Wireshark (Wireshark logo, left side). It will be on your computer's desktop. Double left-click the application to start it up. You will then see the main page (top right).
If you want to start capturing packets, you need to know how you are connected to the network. This will be different for each user. For simplicity's sake, we will stick with the main two, Wi-Fi and Ethernet. If you do not know which interface your traffic is being sent over, look at the traffic activity graph next to each interface name. The one that is moving the most vertically is the one you are using.
For this one, I am using an Ethernet connection (bottom right).
Capturing Packets and Stopping Capture
As soon as you click on your connection, your computer is going to start capturing packets. This gives you a lot of information and is a lot to digest. To stop the capture, hit the red square button in the top left corner underneath File and Edit (picture on the bottom). This stops packets from being captured.
Save Packets
If you would like to start capturing packets again, hit the Wireshark icon next to the stop icon to start the process. You will be prompted to either save the packets you have already captured or continue without saving.
If the work you have done is worth saving, then save it. It can be saved anywhere, such as on your desktop. This saves all captured packets into a PCAPNG file, which can be reopened at any time.
Reading Packets With Filters
To break down the process a bit more, we will read packets with filters. This lets you digest the information much better. We will use gaia.cs.umass.edu as our example case.
Start capturing packets by clicking the start button from step 3, then enter gaia.cs.umass.edu into the address bar of any web browser, like Google Chrome, since we are testing how to connect to the server and how to read packets. After the site loads, click on any of the tabs, then close the Gaia tab in Chrome. Then stop capturing packets (step 3) to see what we have done so far.
The first thing we want to know is whether we are connected to Gaia, and how can we tell if all we are getting in Wireshark is numbers? We look for the IP. IP stands for Internet Protocol, and an IP address is assigned to every device and server. To confirm we have the right address, open the command prompt and type "nslookup gaia.cs.umass.edu" (Figure 6). This will give you your IP and Gaia's IP, which makes it easier to make sure we are talking to the right server.
After confirming the IP address, we want to look up that IP in the capture, and the best way to do that is with filters.
Since the IP of Gaia is 128.119.245.12, we can start using filters.
Reading Packets With Filters
The first and most important filters are source filters and destination filters. These make the information easier to read and understand. To use them, type "ip.src == your IP" to filter on the source IP and "ip.dst == destination IP" to filter on the destination IP (left picture). We use these so we know that our computer is sending to the destination, and they get rid of all the other information we do not need. You can see all destination IPs are 128.119.245.12.
*Note: all IP addresses here are IPv4. Some sites will give you an IPv6 address, which is written in hexadecimal. We will stay on IPv4 until IPv6 is mainstream.
You can also combine filters, like ip.src == (source IP) or ip.dst == (destination IP). This is helpful if you are looking for a specific protocol. If you want a specific protocol like TCP, you can type in tcp && (ip.dst == 128.119.245.12 || ip.src == 128.119.245.12), which gives you only the TCP packets going to or from that IP (figure on the right).
Understanding Packets
Now the question is, what do we want to know? The first thing I look at is whether I am able to establish a connection to the server. To find the established connection we want to see the three-way handshake. This is when the source IP sends a SYN to the server, the server responds with SYN-ACK, and finally the source IP sends an ACK. SYN stands for synchronize and ACK stands for acknowledge. Figure 9 gives a better look at what I am talking about; the three-way handshake is highlighted in dark blue.
After the connection is established, everything else is what is being communicated to the server. Some servers run FTP servers or TCP servers. FTP is the File Transfer Protocol, while TCP is the Transmission Control Protocol. Each of these protocols has a source port number. These ports sit waiting and listening until they are called. All of this can be found in the Info column of Wireshark.
Lastly, we need to know when we are disconnecting from a server over a TCP connection. Here the source (us) sends a FIN request, which stands for finish. So the source sends a FIN, the server responds with FIN-ACK, and the source replies with the final ACK, which acknowledges the server's acknowledgement.
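As an added example (not part of this Instructable), here is a small Python model of the tcp && (ip.dst || ip.src) filter from the previous step and of the handshake and teardown described here, run over a constructed packet list; the local address 192.168.1.10, the packet records and the helper names are all assumptions, not a real capture.

```python
# Added example, not from the tutorial: constructed packets, placeholder local IP.
from dataclasses import dataclass
@dataclass
class Pkt:
    src: str          # ip.src
    dst: str          # ip.dst
    proto: str        # "tcp" or "udp"
    flags: frozenset  # TCP flags, e.g. {"SYN", "ACK"}

GAIA = "128.119.245.12"  # gaia.cs.umass.edu, as resolved in the tutorial
ME = "192.168.1.10"      # constructed local address (placeholder)

def matches(p: Pkt, host: str) -> bool:
    """Same logic as the display filter tcp && (ip.dst == host || ip.src == host)."""
    return p.proto == "tcp" and (p.dst == host or p.src == host)

def tcp_stream(pkts: list, host: str) -> list:
    """Keep only the packets that filter would show in Wireshark."""
    return [p for p in pkts if matches(p, host)]

def find_handshake(stream: list):
    """Index of the first SYN, SYN-ACK, ACK triple (client, server, client)."""
    for i in range(len(stream) - 2):
        a, b, c = stream[i:i + 3]
        if (a.flags == {"SYN"} and b.flags == {"SYN", "ACK"} and b.src == a.dst
                and c.flags == {"ACK"} and c.src == a.src):
            return i
    return None

def find_teardown(stream: list):
    """Index of the first FIN, FIN-ACK, ACK triple that closes the connection."""
    for i in range(len(stream) - 2):
        a, b, c = stream[i:i + 3]
        if ("FIN" in a.flags and {"FIN", "ACK"} <= b.flags and b.src == a.dst
                and c.flags == {"ACK"} and c.src == a.src):
            return i
    return None

CAPTURE = [  # constructed capture: DNS noise, one visit to Gaia, an unrelated host
    Pkt(ME, "8.8.8.8", "udp", frozenset()),           # DNS, dropped by the filter
    Pkt(ME, GAIA, "tcp", frozenset({"SYN"})),
    Pkt(GAIA, ME, "tcp", frozenset({"SYN", "ACK"})),
    Pkt(ME, GAIA, "tcp", frozenset({"ACK"})),         # handshake complete
    Pkt(ME, GAIA, "tcp", frozenset({"PSH", "ACK"})),  # HTTP request
    Pkt(ME, GAIA, "tcp", frozenset({"FIN", "ACK"})),
    Pkt(GAIA, ME, "tcp", frozenset({"FIN", "ACK"})),
    Pkt(ME, GAIA, "tcp", frozenset({"ACK"})),         # teardown complete
    Pkt(ME, "10.0.0.5", "tcp", frozenset({"SYN"})),   # other host, dropped
]
```

Running tcp_stream(CAPTURE, GAIA) leaves the seven Gaia packets, with the handshake at index 0 and the teardown at index 4, which is the same picture the filter gives you in the Wireshark packet list.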
Closure
To sum up everything we did in this Instructable: we installed Wireshark and set it up, started the application, and learned how to read TCP packets. We also learned how to save data from Wireshark, and went into depth on how to read Wireshark packets and use filters that help you understand protocols and communication between a server and a host.
This should give you enough information to understand the basics of Wireshark, as well as what is being presented to you in the future. If you would like to learn more, start looking at the documentation from Wireshark, as well as GitHub.