If you love the aroma of network packets, you'll love capturing a snifter full of your favorite network-scented morsels with Wireshark, the world's most popular network protocol analyzer.
On a scale of one to ten, where one is dental surgery and ten is winning a $100 million Powerball lottery, network protocol analysis falls somewhere in the range of three or four. It isn’t exactly painful but it certainly doesn’t arouse any fireworks or thoughts of fireworks in your soul. Wireshark, however, makes network packet sniffing and analysis easy and almost fun.
Wireshark is a network protocol analyzer tool, which means that it captures and interprets live network traffic data for offline analysis. Sometimes referred to as packet sniffing, packet analysis helps you understand what’s going on network-wise so that you can assess and mitigate problems with bandwidth, security, malicious activity and normal network usage.
Wireshark is free software licensed under the GPL.
To install Wireshark and its dependencies on Debian-based systems, enter the standard apt-get bandy.
$ sudo apt-get install wireshark
For rpm-based systems, enter the equivalent yum command.
$ sudo yum install wireshark
On some systems, you might be surprised when you look for Wireshark under Applications ->Internet and you don’t find it. Nor do you find it by entering wireshark & in a terminal window. These systems install the non-GUI applications such as tshark, editcap and rawshark sometimes known as wireshark-common components. To install the familiar Wireshark GUI, refer to wireshark-gnome or wireshark-gtk+ in your install command.
Download the source code from the Wireshark Download page and compile in the usual way, if you’re not satisfied with pre-built binaries. There are a few dependencies needed for a source code compilation but the configure script informs you of these as it proceeds and fails.
Once installed, you’ll want to jump right in and start sniffing away at your network traffic. You might run into a roadblock or two if you “jump this shark” too quickly. For one, you have to use a privileged account, such as root, that has the ability to place one or more of your network interfaces into promiscuous mode. Second, you must perform a bit of configuration prior to gathering your data. Let’s look at a simple session.
Open Wireshark by locating its icon under Applications->Internet (GNOME). As Figure 1 shows, Wireshark is a typical-looking GUI application.
Figure 1: Getting Started with Wireshark Capture Options
To configure a capture, click Capture from the menu and then select Options to launch the Capture Options entry screen. See Figure 2.
Figure 2: Configuring Wireshark for a Capture Session