Wireshark (capturing traffic)


Given that you have already downloaded and installed Wireshark on your PC (here's the link if you have not  https://www.wireshark.org/docs/wsug_html_chunked/ChBuildInstallWinInstall.html), this is the screen where you will end up once you open Wireshark.


    Image source: Wireshark interface

 Arrow 1: From here you can choose the interface you want to capture the traffic from, in my case I only have traffic on my WIFI interface (as you can see the spikes, right next to it), the bottom one is the loopback traffic interface it shows traffic going from your device to itself. The other options are LAN (Ethernet options). 

Arrow 2: Once you click your interface (WIFI), click the blue shark fin, and this will start your network traffic capture. 



    Image source: Wireshark interface


After clicking the blue shark fin button, it will bring you to this screen, and you can see all the traffic generating.  

  • You can see the frame/packet number.
  • The time since the capture was initiated (like the packet #350 clocks in 15 seconds after we started the capture.
  • Source and destination IP address.
  • Protocol (http, arp, etc.), length (in bytes), and general info for that packet.
Once you are done with capturing the traffic, you can hit the red square, which will stop the capture.
  
Note: This traffic is only between your device and the network. If you want to see traffic for the entire network, there are some configurations that we need to do (we will talk about it in our next class). We will also cover the black box you see (the packet details pane) in our next classes.



    Image source: Wireshark interface

You can save the capture by going to File > Save As.  Name it and save it as a pcap file, you can also save it as a pcapng (packet capture next generation), this file type adds more advanced metadata and info to your file.  

This was a short tutorial on using Wireshark for a basic capture. We will go deep in the next classes.


See you guys in the next session :)

   
    Follow          


Comments

Post a Comment

Popular posts from this blog

Extracting JPEG Images from the network (Wireshark)

Image
 We work with image formats like JPEG all the time—for example, when uploading pictures to a server, downloading them from the internet, or sending photos to friends through email and other platforms. Using Wireshark, we can easily monitor our network traffic and see who is sending or receiving image files across the network. This is especially useful for analyzing data transfers and understanding how files move over HTTP or other protocols. Below is a sample capture that includes JPEG images. While you may not immediately see the image packets, they will become visible once we apply the appropriate filters in Wireshark.             Image source: Wireshark interface Once you apply the filter command, you'll see results similar to the example below—showing only HTTP traffic that contains JPEG image content.             Image source: Wireshark interface Keep in mind that JPEG files can be transferred using variou...
Read more
Image
 Wireshark (What is middle pane in Wireshark?) As we mentioned in the previous post, we would cover the middle pane in Wireshark. In this post, I’ll briefly go over a few elements in each section of that pane. But before that, I’d like you to review the OSI model (shown below). You may be surprised, but the middle pane in Wireshark is actually organized in the same sequence as the OSI model — from bottom to top.                   Image source: Wireshark interface I have randomly selected this packet — it’s a TCP packet. The packet is highlighted in red because the connection was reset (as indicated by the RST flag in the Info column). There could be a variety of reasons for this, but most commonly, it’s due to latency issues or an application crash.  Image source: Wireshark interface The first section is the Frame, which corresponds to the Physical layer of the OSI model. This is where the actual conversion of bits into electr...
Read more