Through the Wireshark

Exploring the software’s power and potential.

Wireshark is software that allows you to X-ray the traffic moving through your computer network.  Its own website calls it a “network protocol analyzer”…a popular one.  In fact, that definition sells it just a little bit short; it also has the ability to capture packets (aka packet sniffing).  Wireshark is ubiquitous in the technology sector for capturing network packets and for being able to view packet traces down to the individual field.

WHY WOULD YOU EVER NEED TO SEE YOUR NETWORK TRAFFIC?

Wireshark is used by admins and technicians alike to troubleshoot network issues.  For example, if latency is a problem for your network, Wireshark can help to determine the root cause.  Once the cause is determined, actions can be taken to rectify the situation.  (This is a good time to touch on the software’s limitations:  Wireshark cannot solve any problems.  It simply observes and, if you ask the right questions via display filters, shows you what it has observed.  That’s it.  It’s not an IPS, not even an IDS; it’s just a tool for you to “look and see.”)

Security teams use it to investigate events and to support defensive actions.  If an analyst notices that a large volume of unwanted traffic is coming from a particular IP address, that information can then be used to configure the firewall to block the suspicious address.

Developers use it to test protocols, and it is also a valuable educational tool, providing the opportunity to see different protocols operate in real time.

IT’S ALL IN THE FAMILY

Wireshark is just one of many packet capture/analyzer applications (tcpdump, NetworkMiner, and Capsa are some others).  What accounts for its popularity?

  1. It’s free!  It costs absolutely nothing to download and use. (The install is incredibly fast and painless!)
  2. It is open source and has a loving, devoted community that keeps it updated.  Spawned from a project that began in 1998, it now hosts an annual conference, Sharkfest, to bring Wireshark developers, users, and enthusiasts together for educational lectures, labs, and networking.
  3. The sheer number of display filter fields:  “over 285000 fields in 3000 protocols as of version 4.0.7,” according to the website.
  4. The file types it can analyze.  Wireshark does more than just pcap and pcapng.
  5. Compatibility with multiple operating systems such as Windows, macOS, Linux, and more.
  6. The amount (and quality) of tutorials and training material available.  Typing “Wireshark” into YouTube’s search engine returns videos like, “Hacker Hunting with Wireshark,” “Top 10 Wireshark Filters,” and “Learn Wireshark in 10 minutes” as a few examples.  Online learning platforms offer classes, with Coursera offering a Wireshark Guided Project that is a solid introduction for those who are brand-spanking new to using the tool.

Caption:  Wireshark can read numerous file types.  The screenshot (taken at www.wireshark.org, not reproduced here) shows just some of the files it can process.
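To make two of the points above concrete, here is an added example that is not part of the original post and not Wireshark’s own code.  It builds a small pcap file in memory (the classic libpcap format mentioned in item 4: a 24-byte global header followed by a 16-byte record header per packet), parses it back while checking byte order and record lengths, and then counts packets per source IP address, the same thing an analyst does with Wireshark’s Statistics > Endpoints view or a display filter such as `ip.src == <address>` before deciding what to block.  The sample capture, the addresses (from the RFC 5737 documentation ranges), and the threshold of 20 packets are constructed for the illustration; IP and UDP checksums are left zeroed, which is fine for the file format but would be flagged as bad checksums by a real analyzer.

```python
import socket
import struct
from collections import Counter

# libpcap file format constants: a global header, then one record header per packet.
PCAP_MAGIC = 0xA1B2C3D4       # microsecond-timestamp magic; the byte order it is stored in
PCAP_MAGIC_NANO = 0xA1B23C4D  # tells the reader whether the file is little- or big-endian
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800


def build_ipv4_udp_frame(src_ip, dst_ip, src_port, dst_port, payload):
    """Build a minimal Ethernet/IPv4/UDP frame. Constructed sample data; checksums are zeroed."""
    eth = bytes.fromhex("00112233445566778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", src_port, dst_port, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + udp


def write_pcap(frames, endian="<", ts_start=1_700_000_000, snaplen=65535):
    """Serialize frames as a pcap file: global header + (record header, frame) per packet."""
    out = bytearray(struct.pack(endian + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for i, frame in enumerate(frames):
        # ts_sec, ts_usec, captured length, original length
        out += struct.pack(endian + "IIII", ts_start + i, 0, len(frame), len(frame))
        out += frame
    return bytes(out)


def read_pcap(data):
    """Yield (timestamp, frame) from pcap bytes, detecting byte order from the magic number."""
    if data[:4] == struct.pack("<I", PCAP_MAGIC):
        endian = "<"
    elif data[:4] == struct.pack(">I", PCAP_MAGIC):
        endian = ">"
    else:
        raise ValueError("not a microsecond pcap file (pcapng and nanosecond pcap are not handled here)")
    snaplen = struct.unpack(endian + "I", data[16:20])[0]
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        # A record longer than snaplen or past end-of-file means a truncated or corrupt capture.
        if incl_len > snaplen or offset + incl_len > len(data):
            raise ValueError(f"truncated or corrupt record at offset {offset - 16}")
        yield ts_sec + ts_usec / 1e6, data[offset:offset + incl_len]
        offset += incl_len


def source_ip(frame):
    """Return the IPv4 source address of an Ethernet frame, or None if it is not IPv4."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    return socket.inet_ntoa(frame[26:30])  # 14-byte Ethernet header + 12 bytes into the IP header


def top_talkers(pcap_bytes, threshold):
    """Count packets per source IP and return (counts, sorted list of sources at/above threshold)."""
    counts = Counter()
    for _ts, frame in read_pcap(pcap_bytes):
        src = source_ip(frame)
        if src is not None:
            counts[src] += 1
    flagged = sorted(ip for ip, n in counts.items() if n >= threshold)
    return counts, flagged


def sample_capture(endian="<"):
    """Constructed sample: one chatty host (203.0.113.7) plus two hosts with normal DNS traffic."""
    frames = [build_ipv4_udp_frame("203.0.113.7", "192.0.2.10", 40000 + i, 53, b"probe") for i in range(50)]
    frames += [build_ipv4_udp_frame("192.0.2.20", "192.0.2.10", 5353, 53, b"q") for _ in range(3)]
    frames += [build_ipv4_udp_frame("192.0.2.21", "192.0.2.10", 5353, 53, b"q") for _ in range(2)]
    return write_pcap(frames, endian=endian)


if __name__ == "__main__":
    counts, flagged = top_talkers(sample_capture(), threshold=20)
    for ip, n in counts.most_common():
        print(f"{ip:>15}  {n} packets")
    for ip in flagged:
        print(f"review in Wireshark with display filter: ip.src == {ip}")
```

The byte-order check and the record-length check are the parts worth copying: a capture file handed to you by someone else may have been written on a big-endian machine or cut off mid-record, and a parser that trusts the record header blindly will either mis-read every packet or read past the end of the buffer.  Wireshark’s own readers handle this, which is one more reason to open unknown captures there rather than in a quick script.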

Get Wireshark and start playing with it today.  There’s no good reason not to!