Wireshark II: The Analysis

Find out if those TCP streams on your network are filled with C monsters or if it's smooth sailing for your Internet surfers.

Sometimes it’s helpful to grab a quick capture while you’re observing an event in progress, for example when you see that a network attack is underway. The quickest way to bring up a Wireshark capture is from the command line. Rather than wrestling with the GUI, a single command starts Wireshark and begins the packet capture the moment you notice something fishy happening on your system.

Enter the following in a terminal window.

# wireshark -i eth0 -k

Wireshark starts up and, because of the -k switch, immediately begins capturing packets on eth0 with no interaction needed from you. Click the Stop Capture button when finished. You’re correct if you noticed that this capture had no filters, and you’re also correct if you wondered whether command line captures can include filters. Look at the following example, discussed earlier.

# wireshark -i eth0 -k "not arp"

This launches Wireshark on eth0 immediately (-k) with a capture filter of "not arp", so no ARP messages are included in the capture; the same filter can also be given explicitly with the -f option. The command line alternative allows a rapid response when conditions are changing quickly and timing is important.
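As an added example (not from the article), the following POSIX shell script wraps the two commands above: it checks that the interface exists before launching, passes the capture filter as a separate argument so the shell never re-parses it, and optionally adds an autostop time. It assumes a Linux system (interfaces are looked up under /sys/class/net) with wireshark on the PATH; the -k, -f and -a duration:N options are Wireshark's own.

```shell
#!/bin/sh
# quickcap.sh (added example): launch Wireshark immediately on an interface,
# optionally with a capture filter, after checking that the interface exists.
#
# Usage: sh quickcap.sh <iface> [capture filter] [autostop seconds]
#   sh quickcap.sh eth0 "not arp"        # same as: wireshark -i eth0 -k -f "not arp"
#   sh quickcap.sh eth0 "not arp" 300    # stop on its own after 5 minutes
# Set DRY_RUN=1 to print the command instead of running it.

# Succeed if the interface exists. Linux sysfs path; an assumption of this script.
iface_exists() {
    [ -d "/sys/class/net/$1" ]
}

# Build the command line as text, for display and logging.
#   -i <iface>        interface to capture on
#   -k                start capturing immediately, no clicking required
#   -f <filter>       capture filter (omitted when none given)
#   -a duration:<n>   stop automatically after n seconds (omitted when none given)
build_capture_cmd() {
    cmd="wireshark -i $1 -k"
    [ -n "$2" ] && cmd="$cmd -f \"$2\""
    [ -n "$3" ] && cmd="$cmd -a duration:$3"
    printf '%s\n' "$cmd"
}

# Launch (or, with DRY_RUN=1, print) the capture. Returns 2 on a bad interface.
run_capture() {
    iface=$1; filter=$2; secs=$3
    if ! iface_exists "$iface"; then
        echo "quickcap: interface '$iface' not found" >&2
        return 2
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        build_capture_cmd "$iface" "$filter" "$secs"
        return 0
    fi
    # Arguments are passed as separate words, so a filter such as "not arp"
    # reaches Wireshark intact instead of being split by the shell.
    set -- -i "$iface" -k
    [ -n "$filter" ] && set -- "$@" -f "$filter"
    [ -n "$secs" ] && set -- "$@" -a "duration:$secs"
    exec wireshark "$@"
}

if [ $# -gt 0 ]; then
    run_capture "$@"
fi
```

The interface check matters on a fast-moving incident: a mistyped interface name costs a restart at the moment you can least afford one, and the autostop keeps an unattended capture from filling memory while you are busy elsewhere.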

Collaborative Analysis

What happens when you’ve captured thousands of packets and you still can’t figure out what’s going on? A second, third or fourth set of eyes on a problem couldn’t hurt. There is a collaborative method that allows you and your colleagues to ponder over Wireshark packet captures simultaneously and offline.

You can upload your packet capture to one of the free online services for that efficient and collective view. One such site is CloudShark. See Figure 4. CloudShark is a free service that allows you to upload your packet captures without the need for user registration. Connect, upload, distribute the URL for your capture and while away the hours on this worthy pursuit. Keep in mind that everything in the capture goes with it, including any credentials and internal addresses it contains, so look it over before you upload.

Figure 4: Using CloudShark to View a Packet Capture Online

One reader shared Network Timeout as an alternative capture upload and analysis site.

Wireshark offers you one method for packet capture and analysis for your networks. It is a powerful tool that can help you maintain a safe and well-running network. A word of caution for those of you who want to use Wireshark for unsavory purposes: Most corporate networks frown upon port scanning and packet sniffing unless you have a job title that includes such activities. Please don’t allow your use of Wireshark to take you down hook, line and sinker.

Kenneth Hess is a Linux evangelist and freelance technical writer on a variety of open source topics including Linux, SQL, databases, and web services. Ken can be reached via his website at http://www.kenhess.com. Practical Virtualization Solutions by Kenneth Hess and Amy Newman is available now.

Comments on "Wireshark II: The Analysis"

paulquater

Free capture upload and analysis: http://www.networktimeout.com

lupin492

Thanks! I have to use Wireshark sometimes, but I didn’t know a couple of things you pointed out.

jonl711

I use Wireshark a lot but I still cannot find any information on detecting viruses and malware. If it’s out there, it would be much appreciated if I can be pointed in the correct direction. E-mail me at jlmiller@mmtnetworks.com.au
