Wireshark Packet Analyzer Quick Start Guide

Wireshark Quick-Start Guide
Instructions on Using the Wireshark Packet Analyzer
July 2, 2008
Chapter 1: Getting Started ... 3
I) Current Version ... 4
II) Installation ... 4
III) Specifying the Default Network Adapter ... 5
Chapter 2: Using Wireshark ... 7
I) Two ways to capture some packets ... 7
II) Examining the Capture ... 10
III) What if I can’t find any packets? ... 11
IV) Looking at Packets Captured by Wireshark ... 12
V) Some Options to Analyze Captured Packets ... 13
VI) Saving Captures ... 15
Appendix 1: Packets Captured: Explanation and Troubleshooting ... 16
I) Switches or Routers versus Hubs ... 16
II) Your Network Adapter ... 17
III) Comment on Cable Modems ... 18
IV) Problem with Wireless LANs and Windows ... 18
V) Other Problems and Issues ... 18
Appendix 2: Filters in Wireshark ... 20
Appendix 3: Hits Versus Page Views ... 22
Wireshark Quickstart Guide
3
Figure 1: Wireshark lets you see the network traffic entering and leaving your computer.
Chapter 1: Getting Started
Wireshark is a network packet analyzer, known previously as Ethereal. It lets you examine the network traffic flowing into and out of your Windows or Unix machine. Network professionals use Wireshark to troubleshoot networking problems, but it is also an excellent way to learn exactly how the network protocols work. For example, it allows us to see the data that your system sends and receives when you type a web address into a web browser (e.g., Internet Explorer or Mozilla’s Firefox).
As a metaphor for Wireshark’s operation, pretend that you could take a special magnifying glass and look into the network cable coming out of the back of your personal computer. You would see the bits of information, encoded as electrical pulses, flowing into and out of your computer.
If Wireshark stopped there, it would only be of limited use – it is difficult to make sense out of a raw stream of data. However, Wireshark also contains a protocol analyzer that understands a massive number of protocols, containing over 78,000 filters. It converts the data stream to a listing of packets flowing in and out of the computer. It allows you to examine an individual packet, and drill down through the layers of encapsulation until the application-level payload is revealed.
Wireshark is developed as open source software. This means that the software is developed as a community effort, and the source code is freely available. Furthermore, it is licensed under the GNU General Public License (http://www.gnu.org/licenses/gpl.html). This license gives you the right to use the software for free. However, you may not sell the software, or a derivative of it. Also, if you modify the program code, you must be willing to submit the changes back to the open source community.
You can find more information on the Wireshark web site at www.wireshark.com.
Wireshark may not work on Windows computers using wireless network adapters. Try switching off promiscuous mode (Edit / Preferences / Capture). For more discussion of what Wireshark can or cannot capture, refer to Appendix 1.
Refer to Appendix 1 for a discussion of the type of packets that Wireshark captures. This discussion also explains how your particular network configuration may affect the type of packets you see.
I) Current Version
This documentation is based on Wireshark version 1.0.1 (released 30 June 2008), running on Windows Vista and XP. Although you may find a newer release available when you download the software, the concepts in this manual should still be relevant.
Wireshark was in a “beta” mode for a very long time. The maturity of the software might surprise many who may expect software with such a low version number to be less than complete. Far from being a recent development, Wireshark (under the earlier name of Ethereal) was first released in 1998, and has been in continuous development since that time.
Wireshark is supported in Unix (including Mac OSX), Linux, and Windows (from Win9x and NT4 through to Vista and Server 2008). The installation process will, of course, be different for each operating system. But once installed the operation should be very similar if not identical.
More detailed documentation can be found on the Wireshark web site at www.wireshark.com.
II) Installation
Wireshark can be downloaded directly from the Wireshark web site at www.wireshark.com. The download is a .exe file of approximately 20MB. Save the file to an appropriate location, such as your desktop. When the file is downloaded, double click on it to start the installation process. The default installation settings should work fine. WinPcap may need to run as administrator, especially on Vista. There is a setting called “NPF” which by default is turned on during the installation on Vista, but not on XP. It would be unwise to change this setting – keep the default installation settings unless you fully understand the implications of changing something.
One option that is pre-selected is “WinPcap”. This is a required component of Wireshark, and it must be installed for Wireshark to work properly. WinPcap is essentially a driver which allows the network packets to be intercepted and copied before the Windows network stack processes the data. Without WinPcap, you may still use Wireshark to analyze previously captured data but you will not be able to perform the actual data capture.
The Wireshark web site is a rich source of help for both beginners and experts. Although this QuickStart guide recommends specific items on the web site, the reader is asked to use the Wireshark menu system to locate the referenced items. The Wireshark menu system will remain current as changes are made to the web site.
The Wireshark installation package will also install WinPcap unless you override the settings. Wireshark will not work unless WinPcap is also installed.
While WinPcap allows the capture of “raw” data, there will be some slight differences between the data that is provided to Wireshark, and the data which actually exists “on the wire”. This is because the network card may process the datagram within its firmware and not pass all of the data to the operating system. One example is that most network cards do not deliver 802.3 preamble or CRC fields to the operating system.
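To make the two points above concrete (the layer-by-layer drill-down Wireshark performs, and the fact that the captured frame starts at the destination MAC because the preamble and CRC never reach the operating system), here is a small Python dissector written for this guide; it is an added example, not code from the guide or from the Wireshark project. The frame bytes are constructed, not a real capture, and the result keys are chosen to mirror Wireshark’s own display-filter field names (eth.dst, ip.src, and so on).

```python
import struct

# Constructed sample frame (not a real capture): Ethernet II header, a minimal
# IPv4 header and 4 bytes of payload. This is exactly what WinPcap hands to
# Wireshark: the 7-byte preamble, 1-byte start-of-frame delimiter and 4-byte
# CRC/FCS that exist on the wire are absent.
SAMPLE_FRAME = bytes.fromhex(
    "001122334455"      # destination MAC
    "66778899aabb"      # source MAC
    "0800"              # EtherType 0x0800 = IPv4
    "45000018"          # version 4 / IHL 5, DSCP/ECN, total length 24
    "00010000"          # identification, flags / fragment offset
    "4011"              # TTL 64, protocol 17 (UDP)
    "0000"              # header checksum (left zero in this constructed sample)
    "c0a80001"          # source IP 192.168.0.1
    "c0a80002"          # destination IP 192.168.0.2
    "deadbeef"          # 4 bytes of payload
)

ETHERTYPE_NAMES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
IP_PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def dissect_frame(frame):
    """Peel the Ethernet II and IPv4 layers off a captured frame, one layer at a time."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet II header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    result = {
        "frame_len": len(frame),   # Wireshark's frame length: no preamble, no FCS
        "eth.dst": mac_str(dst),
        "eth.src": mac_str(src),
        "eth.type": ETHERTYPE_NAMES.get(ethertype, hex(ethertype)),
    }
    if ethertype != 0x0800:
        return result              # only IPv4 is dissected further in this example
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (ip[0] & 0x0F) * 4       # header length in bytes (IHL is in 32-bit words)
    total_len = struct.unpack("!H", ip[2:4])[0]
    result.update({
        "ip.hdr_len": ihl,
        "ip.len": total_len,
        "ip.proto": IP_PROTO_NAMES.get(ip[9], str(ip[9])),
        "ip.src": ".".join(str(b) for b in ip[12:16]),
        "ip.dst": ".".join(str(b) for b in ip[16:20]),
        "payload": ip[ihl:total_len].hex(),
    })
    return result
```

The 38-byte frame length reported here matches what Wireshark’s frame length column would show for this frame; the 46 bytes on the wire (with preamble, SFD and FCS) are never visible to the capture.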
III) Specifying the Default Network Adapter
When you first start Wireshark you must tell it which network adapter to use. You can make this selection before beginning a capture, but doing so every time is tedious. If you want to preconfigure the default network adapter then go to the Edit menu and choose “Preferences”.
Figure 2: Choose Preferences from the Edit Menu
When the preferences screen appears you must
1) Click on the “Capture” menu;
2) Click on the down arrow and select the correct network card (you may see several alternatives including generic devices which will not work), and
3) Click on the “OK” button.
Figure 3: Preferences Dialog
Note: The Apply button may be hidden. On many displays, the dialog box runs off the bottom of the screen. If you cannot see the Apply button, click on the blue bar at the top of the window and drag the box upward.
Many other settings may be configured within the preferences dialog box. If you find that you are regularly changing settings before starting a capture, then you may benefit from setting your preferred settings as defaults. For now, this guide will leave all defaults in their initial state.
Chapter 2: Using Wireshark
I) Two ways to capture some packets:
i) A Simple capture
You are now ready to capture packets coming to and from your machine. Begin the capture process by selecting the “Capture” menu and then clicking “Start”.
Wireshark will immediately begin capturing data from the network adapter you selected earlier, or give an error message that no adapter is selected if you didn’t perform the preconfiguration.
You can stop the capture by selecting “Stop” from the Capture menu.
ii) Selecting “Capture Options” before Capturing
Many people prefer to take an extra step before beginning the capture, which lets a number of features be configured. Click the “Capture” menu then select “Options”. You should see a dialog as in Figure 4. A number of options are available in this dialog. Some, such as “capture filter”, are for more advanced use. However, several options are very useful even during basic captures. These items are highlighted in Figure 4, including:
1) Update list of packets in real time: This tells Wireshark to display packets as they are captured rather than waiting until the capture is stopped (default is on).
2) Automatic scrolling in live capture: If the previous item is selected, this tells Wireshark to scroll the packets so that you are viewing the most recent (default is on).