Wireshark 101: Basics

Man, Wireshark is awesome but it’s intimidating!

It took me years before I actually sat down and started tackling the monster known as Wireshark.  You can use it for entertainment (learning how networks work), for troubleshooting real world problems, or even for helping you nail your next networking certification.

Let’s investigate the beauty of the Shark!

Let’s say you have a computer talking to a server on your Local Area Network (LAN).  The computer sends a request to a server but it takes 5 long minutes to get the response.  Why is it taking so long?

Is the PC slowing things down?  Or maybe the server is overloaded? Perhaps the network is congested?  How would you know for sure?

With Wireshark, you can get between both devices, capture the frames passing between them, and then filter the output for clues.

For example, if it takes a few milliseconds for the response to arrive at your packet capture machine then you can reasonably deduce that the problem is endemic to the PC.  Conversely, if the response still takes 5 minutes to arrive then the problem is probably located on the server.  It could be the network itself, but most modern networks don’t get congested in this way.

The point is that Wireshark can help you isolate the root cause, save you a lot of time and make you look smart in the process!

It can also help you understand how devices communicate because you can see exactly what’s going on at different layers of the network stack.  It takes all the frames and packets coming to and from your host and gives you everything you could possibly ever need to know about the communication path.

Installing Wireshark.

The first thing you need to do right now is grab the installer.

Download Wireshark

Just “Next your way” through the wizard so you can get all the goodies.  Keep the defaults, including WinPcap, which is the driver that actually captures your frames.

Capturing packets with Wireshark

The easiest way to get started is to just start capturing on your local computer.  We’re going to start, stop and save a capture and then analyze the output.

All your interfaces are listed in the interface list in the left pane.

Just double click the interface you want to start capturing on (either the Gigabit Ethernet adapter if you’re plugged into a wired connection or your Wi-Fi adapter if you’re using wireless).

Wireshark Interface List

Once you start the capture, you’ll start collecting thousands of packets.  It fills up fast.

Check this out.

Click OK on the Edit Interface Settings box.

Edit Interface Settings

Then press Ctrl + e to start capturing everything.

Refresh this webpage (and a few of your favorites) and then go back to Wireshark.

There will be a myriad of colorful HTTP requests and responses waiting for your analysis.  You’ll also see a butt load of other background protocols running.

It’s a mess!

And it can be really hard to understand what’s going where and which packets belong to which session.  It’s overwhelming right now – but don’t worry because I’ll show you how to set up filters.  You can also change color codes and even save a segment of the traffic so we only have the traffic we want in a tidy little file.

Saving the capture

Go ahead and stop the capture if it’s still running (Ctrl + e again), then create a new folder called Wireshark Captures and save your capture there by pressing Ctrl + Shift + s.

Saving wireshark captures

Quick Analysis

Let’s start by looking for all the ARP traffic.

In TCP/IP, ARP refers to the Address Resolution Protocol.  ARP has the noble task of resolving MAC addresses from IP addresses so that data frames can get properly forwarded throughout the network.

The sole purpose of ARP is to keep asking this question:

Hey everyone, do you know who has IP address blah.blah.blah.blah?  If so, tell computer bleh.bleh.bleh.bleh.

It’s a broadcast sent out to all hosts in the current broadcast domain (basically the VLAN, the virtual local area network).  If ARP were a party goer he would be the most gregarious person there because he’s always shouting to everyone asking for MAC addresses.

ARP is responsible for getting the data frame to the next device.  Data transmissions start with ARP so we’ll start there in our Wireshark analysis.

Type “arp” into the Filter field near the top of the Wireshark window and press enter.  The bar should turn green and immediately shrink the data set in the top pane.

ARP filters in Wireshark

When you click a frame in the top pane, the details get updated in the middle pane.  Click through a few to see what I mean.

If you expand the Address Resolution Protocol (request) row in the middle pane, you’ll see the actual layer 2 frame being sent to your default gateway (the router that gets you out to the internet).  In other words, you can see the fields of the protocol data unit and other delicious goodies like who sent the frame and where it went.

Wireshark frame details

I masked out some of the IP addresses for the sake of security but it’s still really easy to see what’s going on.

The last line in the ARP request is the Target IP address.  This is the IP address that ARP was trying to get the MAC address for.  ARP basically stood up in the party and shouted to all the computers in the room (in the same VLAN):

Hey, yo everyone listen up!  What’s the MAC address for the host with this Target IP address?

The output is showing us that a Synology Network Attached Storage (NAS) device sent the request.  And you can’t see it in the graphic above because I blurred it out, but the Target IP address is actually the default gateway on my network.
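The fields Wireshark lists in the middle pane can also be decoded by hand from the raw frame.  The Python below is an added example, not part of the original tutorial; the frame bytes, the MAC address and the 192.0.2.x addresses are constructed sample values.

```python
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806
ARP_OPCODES = {1: "request", 2: "reply"}

def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_arp_frame(frame: bytes) -> dict:
    """Decode an Ethernet II frame carrying ARP for IPv4 over Ethernet."""
    if len(frame) < 14 + 28:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP (ethertype 0x{ethertype:04x})")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not IPv4-over-Ethernet ARP")
    return {
        "eth_dst": mac(dst), "eth_src": mac(src),
        "opcode": ARP_OPCODES.get(oper, f"unknown({oper})"),
        "sender_mac": mac(sha), "sender_ip": str(ipaddress.IPv4Address(spa)),
        "target_mac": mac(tha), "target_ip": str(ipaddress.IPv4Address(tpa)),
    }

def summarize(arp: dict) -> str:
    """One-line summary in the style of the Info column."""
    if arp["opcode"] == "request":
        return f"Who has {arp['target_ip']}? Tell {arp['sender_ip']}"
    if arp["opcode"] == "reply":
        return f"{arp['sender_ip']} is at {arp['sender_mac']}"
    return f"ARP {arp['opcode']}"

# Constructed sample: broadcast ARP request from 192.0.2.50 asking for 192.0.2.1
SAMPLE_REQUEST = bytes.fromhex(
    "ffffffffffff" "020000aabbcc" "0806"      # Ethernet: dst, src, ethertype
    "0001" "0800" "06" "04" "0001"            # ARP: htype, ptype, hlen, plen, opcode
    "020000aabbcc" "c0000232"                 # sender MAC, sender IP
    "000000000000" "c0000201")                # target MAC (unknown), target IP

if __name__ == "__main__":
    print(summarize(parse_arp_frame(SAMPLE_REQUEST)))
```

The target MAC is all zeros in a request because that is the value being asked for, and the Ethernet destination is the broadcast address so every host in the VLAN receives the question.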

Let’s try it again with a different set of data.  Suppose you want to find the DNS server of a workstation but you can’t use IPCONFIG to get that data.

In Wireshark, just type “dns” in the filter field and press enter.  For the queries sent by the host (the rows where the source column shows the host’s IP address), the address in the destination column is the DNS server.

DNS Servers in Wireshark

If you scroll to the right in the info column you can see the hostname that was accessed during the request.

If you click the packet and look in the details pane you can see the details of the query.  The Response In: link shows you the frame that contains the DNS response to this frame.  It helps you trace the packet.

frame details

Done. Quick and fast.
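The same two steps, finding the DNS server from the destination of the host’s queries and tracing each query to its response, can be done programmatically.  The Python below is an added example, not part of the original tutorial; the packet list, addresses and hostnames are constructed, and pairing by transaction ID and endpoints is this example’s own approach to what the Response In: link shows.

```python
import struct
from collections import Counter

def parse_dns(payload: bytes):
    """Return (transaction_id, is_response, first question name)."""
    if len(payload) < 12:
        raise ValueError("DNS header is 12 bytes; message too short")
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    labels, pos = [], 12
    # Question names are plain length-prefixed labels ending in a zero byte.
    while qdcount and pos < len(payload) and payload[pos] != 0:
        n = payload[pos]
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return txid, bool(flags & 0x8000), ".".join(labels)  # 0x8000 = QR bit

def build(txid, flags, name):
    """Construct a minimal one-question DNS message (sample data only)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # type A, class IN

HOST, RESOLVER = "192.0.2.50", "192.0.2.1"   # constructed addresses
PACKETS = [  # constructed: (frame number, seconds, source, destination, payload)
    (1, 0.000, HOST, RESOLVER, build(0x1A2B, 0x0100, "example.com")),
    (2, 0.004, HOST, RESOLVER, build(0x1A2C, 0x0100, "example.org")),
    (3, 0.021, RESOLVER, HOST, build(0x1A2B, 0x8180, "example.com")),
    (4, 0.030, RESOLVER, HOST, build(0x1A2C, 0x8180, "example.org")),
]

def dns_servers(packets, host):
    """Count the destinations of DNS queries sent by `host`."""
    seen = Counter()
    for _, _, src, dst, payload in packets:
        if src == host and not parse_dns(payload)[1]:
            seen[dst] += 1
    return seen

def pair_responses(packets):
    """Return (query frame, response frame, name, milliseconds) tuples."""
    pending, pairs = {}, []
    for frame, when, src, dst, payload in packets:
        txid, is_response, name = parse_dns(payload)
        if not is_response:
            pending[(src, dst, txid)] = (frame, when, name)
        elif (dst, src, txid) in pending:
            qframe, qwhen, qname = pending.pop((dst, src, txid))
            pairs.append((qframe, frame, qname, round((when - qwhen) * 1000)))
    return pairs
```

Queries left in `pending` at the end of a capture never received a response, and a destination in `dns_servers` that you do not recognize as your resolver is worth a closer look.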

The Bottom Line

Wireshark is a great tool.  Today I showed you how to:

  • Install Wireshark
  • Select a capture interface
  • Save a capture
  • Analyze the output

I hope this helped make Wireshark a little more palatable to you!  If you have any questions please share in the comments below.  I know this tutorial felt abridged so I’ll probably augment it with future tutorials down the road.

About

Connect with Vonnie on Twitter
