Before you can really grasp WireShark you need to know how to get around Wireshark. Today, I’m going to show you:
- The Main menu and Toolbar
- Display Filters
- Packet View Pane
- PDU Details Dane
- Bytes Pane
- Status Bar
Let’s check out the sexy anatomy of this extremely useful protocol analyzer
Here is Wireshark in the nude:
Now I’ll be the first to say that this looks like 100% chaos.
What the heck is going on here?
The Main Menu
So let’s break down each section – step by step.
Across the top of the screen, we have the Main Menu. This is where you can find:
- File (saving and opening captures)
- Edit (finding and marking packets)
- View (panels, colors and zooms)
- Go (walking through each packet)
- Capture (starting, stopping and filtering the output)
- Analyze (advanced filters)
- Statistics (graphs, facts and charts)
- Telephony (analyzing and playing back captured VoIP calls)
- Tools (Firewall rules)
- Internals (dissector and hash tables)
- Help (you know what this is!)
This contains a collection of the most frequently accessed items found in the menu bar.
First we have the capture controls: From left to right we have:
- Show available capture interfaces
- Show capture options
- Start capture (Ctrl + e)
- Stop capture (Ctrl + e) it toggles it.
- Restart capture (Ctrl + r)
Then you have your file options:
- Open capture file
- Save capture file
- Close capture file
- Reload capture file
And next you have quick tools for moving through the packets:
- Find packet (This displays the first match in the PDU list pane but doesn’t change the entire view like a Display Filter)
- Go back in Packet History (If you selected PDU 1, 5, and 20 you could revisit each one in reverse by clicking this)
- Go forward in Packet History
- Go to the Packet with number…
- Skip to first packet
- Skip to the last packet
Then you have the stylistic options:
- Toggle colorful rows on or off
- Toggle autoscrolling of live packets as they are captured in realtime. This is a crucial option when you start your capture you’ll see a zillion colors whirl down the screen. Quickly clicking this stops the scrolling and lets you take command of the window.
The next section with the magnifying glasses applies to zooming
- Zoom in
- Zoom out
- Zoom to 100%
- Resize all columns to display all text
Filters and preferences are next:
- Edit Capture Filter (Capture Filters stop certain data from ever entering the file. Display filters capture all data but let you adjust what’s shows up in the PDU list pane. Since you rarely want to stop certain stuff from ever entering the file I wouldn’t use this. Display filters get the job done just as easily. I guess if you’re worried about file sizes you might use the Edit Capture Filter but I never use it.)
- Edit or Apply Display Filter
- Edit coloring rules
- Edit Preferences
And finally, the little life raft icon is there for…
you guessed it…
But who needs the help file when you have me! Here’s the main tool bar in all its glory
The Display Filter Bar
Under the main toolbar we have the Display Filter Section.
Any text you type in the filter box refines the results in the Packet List pane below it.
For example, if you typed HTTP into the filter field you would only see HTTP Protocol Data Units (PDUs) below it. Just don’t forget to click the Apply button or else nothing will happen. I’ve made that mistake too many times.
PDU List Pane
Heres were you’ll find all the capture data. The first column shows the PDU number. The Time column shows how much time has elapsed in seconds since the first capture. Source, Destination and Protocol are obvious. Length is the PDU length in bytes. And the Info column contains a snapshot of the PDU details you can get from clicking a row.
PDU Details pane
This is were you’ll spend most of your time doing research.
It breaks the PDU out by each layer of the TCP/IP model starting with a summary of the PDU called Frame.
Next it moves up the layer stack as follows:
- Data Link
You can expand any layer to read the juicy details about the frame, packet, segment or PDU header. Or better yet just right click a row and choose Expand All.
PDU Bytes Pane
This is probably the most confusing pane. It shows the output for the selected PDU as a hexidecimal dump. The left column shows the offset from the first PDU. The middle column shows the hexidecimal data dump and the right pane shows the ASCII equivalent. If you don’t know what this means, don’t worry – we don’t need to know anything here yet.
The Status Bar
The status bar shows you the size in bytes of the selected PDU. It also shows you the total packets in the capture and the number displayed (based on any filters you have). It also shows you the percentage of dropped frames.
If you had a display filter set to “HTTP” and only two packets were displayed in the PDU list pane, the Status Bar would only display information relevant to those two packets.
A quick note about layers…
So by now you should already feel a little more comfortable with Wireshark but first I need to underscore an assumption I have:
Layers 7 through layer 5 are known as the Application Layer and any data here is technically known as a Protocol Data Unit. (PDU) Wireshark displays the Application Layer as the last row in the PDU details pane.
- Data at the Layer 4 Transport Layer is known as a Segment.
- Data at the Layer 3 Network Layer is called a Packet.
- Data at the Layer 2 Data Link Layer is called a Frame.
- Data at the Layer 1 Physical Layer is simple the pattern of zeros and ones known as bits.
When you select a row in the PDU List Pane it displays all the Segments, Packets, and Frames for the given data piece. Wireshark technically calls this a Packet List Pane and Packet Detail Pane but I’m using the more generic term PDU since it comprises the other three.
Looking at your Capture Options
Let’s look at your capture options in the Main Tool bar for a sec.
If you click the left most icon, you’ll display all the Capture Interfaces on your computer.
If you had multiple interfaces you would see those here. You can see I only have a single Ethernet adapter but if my computer had Wi-Fi you would see a Wi-Fi capture interface too.
You can start a capture from here but let’s look at the second button from the left: Capture Options.
The top section shows a lot of stuff but the only thing you need to know is that if you had multiple interfaces you could select a default from the list.
The next part is super cool
Instead of collecting all your data into one voluminous file you can tell Wireshark how to slice up the capture.
You can tell it select a new file based on files size or time.
And you can tell Wireshark to stop the capture after it collects a specific number of packets.
If you select more than two options then the first match applies.
In other words, if you said:
Stop Capture Automatically After…
- 1000 packet(s)
- 1 file(s) 1 minute(s)
This means the capture will stop either when it hits 1000 packets or when it’s been capturing for a full minute. Isn’t that cool?
I bet you didn’t know you could do that!
One note about Checksum errors
If you’re seeing a bunch of black rows with red text about IP checksum offload errors you should tell Wireshark to ignore it.
Your NIC is complaining because packet processing is being done in software by Wireshark before it ever hits the NIC. The NIC is like:
Yo, this is inefficient so I’m going to barf up a bunch of annoying errors to let the user know how I feel about this.
Let’s tell Wireshark to cool it.
Hit up Shift + Ctrl + p, click Protocols in the left pane and scroll down to IPv4.
In the right pane, Uncheck Validate the IPv4 checksum if possible and click OK. This will tell Wireshark to calm down lol.
The Bottom Line
What can I say?
After this you should have a pretty solid understanding of Wireshark.
Let me know what you think in the comments below!