How to Monitor Network Traffic with Wireshark?

There is a dramatic increase in network traffic these days, as more and more users switch to online services.

It has become necessary for SMEs and large enterprises to monitor the overall health of their networks. Wireshark is the most trusted tool for making sure that network communication between systems is running smoothly.

Wireshark helps network administrators troubleshoot network problems, and it helps security engineers examine security issues and debug protocols.

Network monitoring becomes easier with Wireshark because you can capture live data packets, verify network applications, analyze network performance, and check for bottlenecks and latency issues.

What is Wireshark?

Wireshark is an open-source network protocol analyzer and the foremost tool of its kind. It is in fact treated as a standard by many non-profit organizations, commercial enterprises, educational institutions, and government agencies. Wireshark was developed by Gerald Combs and has been an industry leader since 1998.

It helps you analyze minute details of the network and dive deep into network issues such as security breaches and outages. It is used by network experts and developers throughout the world to check network performance characteristics such as bandwidth and latency.

Wireshark is a free tool, so it does not come with the customer support offered by paid tools. It does, however, have many user-friendly forums, discussion platforms, and Q&A websites that cover issues related to using the tool. Practical knowledge of networking helps in using Wireshark efficiently.

What are the main features of Wireshark?

Wireshark has many capabilities; some of its important features are:

  1. It runs on many systems, such as Windows, UNIX, macOS, Solaris, NetBSD, etc.
  2. Live capture and offline analysis.
  3. Rich VoIP analysis.
  4. Read/write support for many different capture file formats, such as Microsoft Network Monitor, Network General Sniffer, and tcpdump.
  5. Decryption support for many protocols, including WEP/WEP2 and IPsec.
  6. Live data can be read from Ethernet, Bluetooth, USB, Frame Relay, Token Ring, and others.
  7. Detailed information about packets and protocols.
  8. Traffic statistics, with export to XML, PostScript, CSV, or plain text.

How to install Wireshark on different platforms?

Visit Wireshark’s official page and download the build for your operating system. Check the system requirements before installing; otherwise Wireshark may crash or not work properly. After that, follow the installation steps for your platform.

All platforms require specifications comparable to:

  1. The latest versions of Wireshark can be installed on Windows 10 and 8.1, and on macOS 10.12 and later.
  2. Windows Server 2019.
  3. A 64-bit or 32-bit processor.
  4. 500 MB of free disk space, and sufficient RAM.
  5. Wireshark provides extended support for older versions of Windows, macOS, and Linux.

Microsoft Windows

After downloading the Wireshark binary package (the installer), run its executable. During installation you are prompted for permission to install Npcap. Accept the Npcap prompt: Npcap is what enables Wireshark to capture a live stream of network traffic on Windows.

macOS

All the necessary and optional libraries and tools are set up by macosx-setup.sh in the source directory.

A third-party package manager makes installation easier. To install with Homebrew, first install Homebrew itself by running this command in Terminal:

ruby -e "$(curl -fsSL https://raw.github.com/Homebrew/homebrew/go/install)"

Alternatively, get the source from the git repository and build it by opening Terminal in the source directory and running:

mkdir build && cd build && cmake ../ && make

Then start the freshly built binary with:

./run/qtshark

You can now use Wireshark.

Linux

Download the source package of Wireshark from the official site and unpack it with:

gzip -d wireshark-1.2.tar.gz

tar xvf wireshark-1.2.tar

To build and install Wireshark, run these commands one after another (the last one installs the build into its final destination):

mkdir build

cd build

cmake ../wireshark-2.9.0

make

make install

Start Wireshark to begin capturing packets.

How to Capture Packets on Wireshark?

Packets are the units of data that systems exchange in order to communicate with each other. Wireshark allows you to capture live data as well as save it for later inspection.

Wireshark provides the following capture options:

Network interface: This is where incoming and outgoing data is read from. You can select local interfaces, remote interfaces, or pipes in the “Manage Interfaces” dialog box.

Promiscuous mode: With promiscuous mode disabled, you see only the packets addressed to your interface, plus broadcast packets and multicast packets sent to the multicast addresses it listens on. To see all packets on the network segment, enable promiscuous mode by

Opening the Capture Options dialog box > ticking “Capture packets in promiscuous mode”.

Display options: The display options in the Capture Options dialog let you choose whether the packet list is updated in real time, whether it scrolls automatically to the most recent packet, and whether capture information is shown during a live capture.

You can start capturing data packets from many different network media. Double-click an interface on the welcome screen, or use one of the following:

Select Capture > Start, or click the first toolbar button (“Start capturing packets”), or name the capture interface on the command line (-i selects the interface, -k starts capturing immediately):

$ wireshark -i eth0 -k

Click the red Stop button to stop capturing data. Save the packets to a file for future use by

Selecting the destination folder > entering a file name > Save

Analyzing and Inspecting Network Traffic on Wireshark

You can open and analyze packets anytime. Inspecting data is an important part of troubleshooting.

Wireshark’s main window contains three panes: the packet list, the packet details, and the packet bytes. When you click a packet in the packet list, the other two panes change to show that packet’s information.

Packet list:

The packet list contains the list of captured packets. For each packet it shows the packet number, the time at which it was captured (relative to the start of the capture), its source and destination addresses, its protocol, and its length in bytes.

The info shown on the screen displays additional information about the packet content and varies from packet to packet.

Packet Details:

It is displayed under the packet list pane and shows detailed, protocol-by-protocol information about the selected packet. A handy feature is that you can create filters by right-clicking on a field in this pane.

Packet Bytes:

This is the third pane, and it follows the selection in the other two. When you want details about a particular packet, click the packet in the first pane: its decoded fields appear in the second pane, and its raw hexadecimal representation appears in the third.

How to track network performance with Wireshark?

You can track network performance by segregating data with two kinds of filter, capture filters and display filters:

Capture filter: Applied while capturing, so only the relevant packets from the incoming data are recorded. This lets you track the packets you need and extract important information from them without storing everything else.

Display filter: Applied, via the display filter toolbar, to data that has already been recorded. You can filter by protocol name, by the value of a field, by comparisons between fields, and more.

To see performance parameters with different packets, duration, and other features, create and save new files in the output capture options.

How to use packet color-coding in Wireshark?

Wireshark has a special feature, packet colorization, which gives you an instant idea of the different traffic types. By default, ICMP traffic is light pink, packets with errors are black, and so on.

Coloring rules can be temporary or permanent. A temporary rule is a one-time coloring rule; it can be activated by

Right-click in the packet details pane > Colorize with Filter > Color X

To apply permanent coloring rules: View > Coloring Rules. There you can add, edit, disable, and delete rules to suit your requirements.

What are the special features of Wireshark?

Command Line interface or TShark

TShark lets you capture and display packets where no GUI is available. It has much the same features as Wireshark. Its output carries the ‘time’, ‘destination’, ‘protocol’, ‘length’, and ‘info’ fields.

You can see information about different kinds of traffic, such as TCP and SCTP, and you can apply filters and use the other features through command-line options.

Statistics and Graphs

Metrics let you work on improving the efficiency of the system. You can see the present situation and the issues in the network, and get direction on the measures required to address a problem.

Wireshark provides a variety of network statistics; use the Statistics menu to see:

  1. Summary: Displays information such as the packet count and the time span of the capture.
  2. Conversations: Shows the traffic exchanged between pairs of endpoints.
  3. IO Graphs: Plots packet metrics over time.
  4. Endpoints: Shows the addresses from which traffic originates and at which it terminates.
  5. VoIP Calls: Shows the VoIP calls found in the capture.
  6. Service Response Time: Displays the time between a protocol’s request and its response.

The IO Graphs feature lets you analyze packet data visually. Wireshark offers flexible options for changing the graph parameters, and data can be represented as several kinds of graph, such as line, bar, circle, etc.

You can customize the parameters on the Y-axis and calculate the minimum, maximum, average, and sum of the values. To view packet data clearly, use zoom, set the interval or the time of day, and use different colors.

Final Words

Wireshark is a popular yet easy-to-use tool for analyzing and monitoring network traffic. Many issues, such as network congestion, jitter, network downtime, and packet loss, can be found quickly. It gives you exact information about network data by:

  1. Inspecting packets through the list, details, and bytes panes in an understandable format.
  2. Filtering the relevant packets and displaying the required information.
  3. Giving you an idea of the different traffic types at a glance.
  4. Representing packet data graphically.

It is a productive tool that helps keep your online services, such as websites and web and mobile applications, working efficiently.

Author Bio:

Ravi Sharma, CEO of Webomaze, is a highly enthusiastic entrepreneur. He has a great grip on effective eCommerce strategies and on the SEO processes and tactics that are vital for online exposure. He is a fun-loving person and a keen traveler who always hunts for adventure in new places.

Yashik Patel (https://bloggingdart.com)
Yashik Patel is a Google Certified Digital Marketing professional and blogger. He has 5+ years of experience in the SEO, SEM, and ORM (Online Reputation Management) fields.
