Wireshark: An Ethereal Experience

If you love the aroma of network packets, you'll love capturing a snifter full of your favorite network-scented morsels with Wireshark, the world's most popular network protocol analyzer.

Select the network interface that you want to use for packet capture (eth0, for example), the Link-layer header type (Ethernet), promiscuous mode, a capture filter, a capture file, display options and name resolution options. There’s a lot of information on this screen, so let’s take a minute to examine the options.

If you don’t select “promiscuous” mode, then your capture will only see packets addressed to your system. It will see broadcast and multicast packets but you won’t see the bulk of the network traffic as it passes by your system. Promiscuous mode is the default behavior for wire sniffing. Specify a file to collect your captured data for offline viewing and analysis. The display options are a matter of personal preference and you’ll have to find which options suit you. The name resolution options, when checked, instruct Wireshark to attempt name resolution from MAC addresses and from IP addresses. Name resolution makes reading logs easier for those not accustomed to looking at Hex codes and dot notation IP numbers.

Begin your capture by clicking the Start button at the bottom of the Capture Options page. Future captures will use these settings until you return to this page and make changes. Refer to Figure 3 for a sample capture in progress.

Figure 3: Capturing Packets in Wireshark
Figure 3: Capturing Packets in Wireshark

Stop the packet capture by clicking the Stop Capture menu icon or select Capture->Stop from the menu. This halts the packet capture and saves the information to the file specified on the Capture Options page. You can’t read this file in word processing or text processing programs as is. You also can’t read it at the command line with cat, more or less. To read your data in other programs, export the captured data to another format (Plain text, CSV, PostScript, XML).

Simple Wireshark Cases

You installed Wireshark to perhaps figure out where security breach attempts originate or to find some network bottlenecks that affect your systems. Let’s take the first situation, attempts on your system, as an example.

During the packet capture, you noticed some dark red colored entries flash by on the Wireshark screen. Scroll down in the list until you see the red entries. These red entries tell you that there is a serious or error condition in the capture that you need to investigate. Refer to Figure 4.

Figure 4: Wireshark Displaying Red (Error) Entries in a Packet Capture
Figure 4: Wireshark Displaying Red (Error) Entries in a Packet Capture

As the packet info shows, there was an attempt made on the local system running Wireshark ( from xenalive ( in the form of a telnet connection. This is likely someone looking for an easy way into a system that has telnet enabled. You have enough information (system name, MAC address, IP address) to find the culprit and ask him what his purpose is in attempting a connection to your system.

What does a normal connection attempt look like in Wireshark? To answer that question, you have to capture data while such an attempt is in progress. See Figure 5 for an SSH attempt.

Figure 5: Investigating SSH Packets in a Wireshark Capture
Figure 5: Investigating SSH Packets in a Wireshark Capture

You see that the xenalive system made an SSH connection to the local system. SSH is an allowed protocol and you’ll see hundreds of these in a log where you have users connecting to a system.

What about failed attempts on a legitimate protocol? Does Wireshark capture those? Yes and no. Yes, it captures the connection attempts but doesn’t alert or mark them in any special way other than what you saw in Figure 5. Wireshark is not an intrusion detection system. You’ll need to check your system logs for those entries.

# grep Failed auth.log
Oct 28 21:03:25 filer sshd[4740]: Failed none for invalid user fred from port 14066 ssh2
Oct 28 21:03:28 filer sshd[4740]: Failed password for invalid user fred from port 14066 ssh2
Oct 28 21:03:30 filer sshd[4740]: Failed password for invalid user fred from port 14066 ssh2
Oct 28 21:03:33 filer sshd[4740]: Failed password for invalid user fred from port 14066 ssh2
Oct 28 21:03:36 filer sshd[4740]: Failed password for invalid user fred from port 14066 ssh2
Oct 28 21:03:39 filer sshd[4740]: Failed password for invalid user fred from port 14066 ssh2
Oct 28 21:03:42 filer sshd[4740]: Failed password for invalid user fred from port 14066 ssh2

A Word on Filtering

If you don’t enjoy seeing a lot of ARP traffic in your captures, you can filter it by adding a !arp in the Filter field. You don’t want to delete this information but it tends to clutter your view.

Wireshark isn’t the perfect network protocol capture and analysis tool but it comes close. And, you can’t beat the price. Next week, come back for more Wireshark, when we look at some advanced features and actual analysis.

Comments on "Wireshark: An Ethereal Experience"

Hi to every body, it’s my first pay a visit of this weblog; this web
site includes amazing and truly excellent information for visitors.

I am really impressed with your writing skills and
also with the layout on your blog. Is this a paid theme or did you customize it
yourself? Anyway keep up the nice quality writing, it is rare to see a nice blog like this one today.

This will be a excellent web site, would you be interested in doing an interview about just how you designed it? If so e-mail me!

Fantastic blog article.Much thanks again. Want more.

Hello there my mate! I wish to express that this informative article will be wonderful, awesome created accessible together with close to very important infos [terrenos en venta|venta de terrenos|hotel en venta chiclayo]. I’d like to glimpse extra threads in this way .

We prefer to honor lots of other world-wide-web web pages on the internet, even when they aren?t linked to us, by linking to them. Under are some webpages worth checking out.

We prefer to honor several other world wide web web pages on the internet, even when they aren?t linked to us, by linking to them. Below are some webpages worth checking out.

Although web-sites we backlink to beneath are considerably not associated to ours, we feel they may be really really worth a go through, so have a look.

Feel free to visit my web site … Saundra

Although web sites we backlink to beneath are considerably not connected to ours, we really feel they are really really worth a go via, so have a look.

Here are some hyperlinks to web pages that we link to because we assume they are really worth visiting.

Just beneath, are a lot of completely not associated web sites to ours, having said that, they may be certainly worth going over.

I just want to tell you that I’m beginner to blogs and honestly loved you’re web site. Most likely I’m likely to bookmark your website . You really have fantastic article content. Kudos for sharing your blog.

prix viagra viagra prix
viagra viagra 50 mg orodispersible
comprar viagra comprar viagra por internet

 Moving average belongs to the basic and most well liked ind http://www.modelosalaes.com icators in technical analysis. Via the name with this indicator c Converse Pro Star Mujer hances are you may already take into account that this indicator shows the majority of the cost of a security (stock, option,www.modelosalaes.com, bond,Conv gafas de sol baratas erse Pro Star Mujer

We prefer to honor many other net websites on the web, even if they aren?t linked to us, by linking to them. Under are some webpages really worth checking out.

Here is a good Weblog You may Locate Interesting that we encourage you to visit.

We prefer to honor numerous other web web pages around the internet, even if they aren?t linked to us, by linking to them. Beneath are some webpages really worth checking out.

Sites of interest we’ve a link to.

Thanks a lot for providing individuals with a very breathtaking possiblity to read critical reviews from this site. It is always so great plus stuffed with a lot of fun for me and my office co-workers to search the blog no less than 3 times in 7 days to study the latest issues you have. And lastly, I am also actually pleased for the splendid things served by you. Some 1 ideas in this article are essentially the most suitable I have had.

Tremendous issues here. I’m very glad to see your article. Thanks a lot and I’m taking a look ahead to touch you. Will you kindly drop me a e-mail?

We came across a cool internet site that you just could possibly enjoy. Take a search if you want.

Nearly all of the things you state is supprisingly appropriate and it makes me ponder the reason why I hadn’t looked at this with this light previously. Your article really did switch the light on for me as far as this subject matter goes. But at this time there is actually 1 factor I am not necessarily too comfy with and whilst I make an effort to reconcile that with the core idea of the position, permit me observe just what the rest of your visitors have to say.Nicely done.

Here are some hyperlinks to sites that we link to mainly because we believe they may be worth visiting.

I quite like reading a post that can make men and women think.
Also, thanks for allowing me to comment!

cialis acheter cialis
cialis cialis
cialis generique acheter cialis
cialis sin receta precio cialis
comprar cialis cialis

Thanks for discussing your ideas. I would also like to mention that video games have been actually evolving. Better technology and enhancements have made it easier to create authentic and enjoyable games. Most of these entertainment video games were not as sensible when the real concept was first of all being experimented with. Just like other areas of technology, video games way too have had to develop by means of many generations. This itself is testimony towards the fast growth and development of video games.

I additionally believe that mesothelioma is a uncommon form of cancers that is often found in individuals previously subjected to asbestos. Cancerous cells form inside mesothelium, which is a protective lining that covers most of the body’s body organs. These cells ordinarily form inside lining of your lungs, abdomen, or the sac which actually encircles the heart. Thanks for giving your ideas.

Very couple of websites that happen to be comprehensive below, from our point of view are undoubtedly nicely really worth checking out.

I have really learned new things through the blog post. One more thing to I have observed is that in most cases, FSBO sellers can reject you actually. Remember, they might prefer never to use your companies. But if anyone maintain a steady, professional romance, offering aid and keeping contact for around four to five weeks, you will usually have the ability to win an interview. From there, a listing follows. Thanks a lot

Just beneath, are many completely not related web-sites to ours, having said that, they are certainly worth going over.

generate random words

Here is an excellent Weblog You might Locate Fascinating that we encourage you to visit.

Very good post.Thanks Again. Keep writing.

“Appreciate you sharing, great blog article. Really Great.”

hey there and thank you for your information – I have definitely picked up anything
new from right here. I did however expertise some technical issues
using this website, since I experienced to reload the
website a lot of times previous to I could get it to load properly.
I had been wondering if your hosting is OK?

Not that I am complaining, but sluggish loading instances times will sometimes
affect your placement in google and could damage your quality score if advertising and marketing with Adwords.
Well I am adding this RSS to my email and could look out for a lot more of your respective interesting content.

Ensure that you update this again soon.

I just want to tell you that I am just all new to blogging and site-building and definitely enjoyed you’re web page. Most likely I’m planning to bookmark your blog . You surely have fabulous articles and reviews. Cheers for revealing your blog.

Below you?ll locate the link to some web pages that we think you should visit.

Leave a Reply