Wireshark

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education.

Permissions
Because Wireshark captures directly from network hardware, capturing requires elevated permissions. To use Wireshark as a normal user, add the user to the pcap group (replace ${LOGNAME} with the user's actual login name):

To make the current session aware of the new group without logging in again, enter this command before launching Wireshark:

Wireshark over SSH
Requirements:

 * Source system (the server you want to capture packets on): SSH access, with tcpdump installed and available to your user (either directly, or via sudo without a password).
 * Destination system (where you run graphical Wireshark): wireshark installed and working, and mkfifo available.

Procedure:
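As an added example (not the wiki's own command), the following script wires a remote tcpdump into a local Wireshark through a FIFO. It assumes the remote user can run tcpdump via passwordless sudo and that the SSH session uses port 22, which the capture filter excludes so the capture does not record its own transport and feed back on itself.

```shell
#!/bin/sh
# Added example (not the wiki's own command): stream a remote tcpdump capture
# into a local Wireshark through a named pipe.
# Assumptions: the remote user can run tcpdump via passwordless sudo, and the
# SSH session uses port 22, which is excluded from the capture so Wireshark
# does not record (and thereby amplify) its own transport.

# Compose the command to run on the remote host.
# $1 = remote interface, $2 = optional extra capture filter (pcap syntax).
remote_capture_cmd() {
    filter='not port 22'
    if [ -n "${2:-}" ]; then
        filter="$filter and ($2)"
    fi
    # -U: flush each packet so Wireshark sees it immediately
    # -s 0: full snaplen; -n: no name lookups on the server; -w -: pcap to stdout
    printf "sudo tcpdump -U -s 0 -n -i %s -w - '%s'" "$1" "$filter"
}

# Run the capture: $1 = user@host, $2 = remote interface, $3 = optional filter.
remote_capture() {
    fifo="/tmp/wireshark-remote.$$"
    mkfifo -m 600 "$fifo" || return 1
    ssh "$1" "$(remote_capture_cmd "$2" "${3:-}")" > "$fifo" &
    ssh_pid=$!
    # -k: start capturing immediately; -i: read from the FIFO as an interface
    wireshark -k -i "$fifo"
    kill "$ssh_pid" 2>/dev/null
    rm -f "$fifo"
}

# Usage (interactive): remote_capture user@server eth0 'udp port 51820'
```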

Network Name Resolution
To automatically resolve IP addresses to domain names, open the preferences window, click the relevant panel and select the Enable Network Name Resolution check box.

Filter packets to a specific IP Address
To see all incoming and outgoing traffic for a specific address, enter ==  in the filter box, replacing  with the relevant IP address. Additionally, to view only incoming traffic, replace with ; to view only outgoing traffic, replace  with.

Terminal-based Wireshark
TShark is a network protocol analyzer. It lets you capture packet data from a live network, or read packets from a previously saved capture file, either printing a decoded form of those packets to the standard output or writing the packets to a file. TShark's native capture file format is pcapng format, which is also the format used by Wireshark and various other tools.

Without any options set, TShark works much like tcpdump. It uses the pcap library to capture traffic from the first available network interface and displays a summary line on the standard output for each received packet.

For example, to capture packets across a specified network interface and save the results, enter

Replace with the desired network interface and  with the desired filename.

Example Usage

 * Show only filetypes that begin with "text":
 * Show only javascript:
 * Show all http with content-type="image/(gif|jpeg|png|etc)":
 * Show all http with content-type="image/gif":
 * Do not show content http, only headers:
 * To match IP addresses ending in 255 in a block of subnets (172.16 to 172.31):
 * To match odd frame numbers:
 * To see just the file header for any capture type, capture no packets and pipe the output to xxd. An easy way to capture no packets is to use the unused ipx protocol as the capture filter; this example uses -F pcap for the pcap file type.
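The first four bytes that xxd shows are the magic number. As an added example (not from the wiki), this POSIX sh script classifies a capture file by that magic and, for classic pcap, reads the snaplen and link type in the file's own byte order rather than the host's; the sample headers it writes are constructed, not real captures.

```shell
#!/bin/sh
# Added example (not from the page): identify a capture file from its magic
# number and, for classic pcap, decode snaplen and link type in the file's own
# byte order. Sample headers below are constructed, not real captures.
# First 4 bytes of $1 as lowercase hex, no spaces.
magic_of() {
    od -An -tx1 -N4 "$1" | tr -d ' \n'
}

# Classify the format: both pcap byte orders and timestamp resolutions,
# plus the pcapng Section Header Block type.
capture_format() {
    case $(magic_of "$1") in
        d4c3b2a1) echo "pcap little-endian microseconds" ;;
        a1b2c3d4) echo "pcap big-endian microseconds" ;;
        4d3cb2a1) echo "pcap little-endian nanoseconds" ;;
        a1b23c4d) echo "pcap big-endian nanoseconds" ;;
        0a0d0d0a) echo "pcapng" ;;
        *)        echo "unknown" ;;
    esac
}

# Unsigned 32-bit value at byte offset $2 of file $1 in byte order $3 (le|be).
# od's -tu4 would silently use the host's byte order, so assemble it by hand.
u32_at() {
    set -- "$3" $(od -An -tx1 -j "$2" -N4 "$1")
    if [ "$1" = le ]; then hex="$5$4$3$2"; else hex="$2$3$4$5"; fi
    echo $((0x$hex))
}

# Classic pcap only: print "snaplen linktype" (header offsets 16 and 20).
pcap_snaplen_linktype() {
    case $(capture_format "$1") in
        "pcap little-endian"*) order=le ;;
        "pcap big-endian"*)    order=be ;;
        *) return 1 ;;
    esac
    echo "$(u32_at "$1" 16 "$order") $(u32_at "$1" 20 "$order")"
}

# Constructed 24-byte headers: version 2.4, snaplen 65535, link type 1 (Ethernet).
write_sample_pcap_le() {
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' > "$1"
}
write_sample_pcap_be() {
    printf '\241\262\303\324\000\002\000\004\000\000\000\000\000\000\000\000\000\000\377\377\000\000\000\001' > "$1"
}
```

Run it as `f=$(mktemp); write_sample_pcap_le "$f"; capture_format "$f"; pcap_snaplen_linktype "$f"` to see the classification and "65535 1" for the constructed header.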

Print http data in a tree
$ tshark -q -i any -Y http -z http,tree

===================================================================================================================
HTTP/Packet Counter:
Topic / Item            Count   Average   Min Val   Max Val   Rate (ms)   Percent   Burst Rate   Burst Start
-------------------------------------------------------------------------------------------------------------------
Total HTTP Packets      1                                                 100%      0.0100       2.255
 HTTP Request Packets   1                                                 100.00%   0.0100       2.255
  GET                   1                                                 100.00%   0.0100       2.255
  Other HTTP Packets    0                                                 0.00%     -            -
 HTTP Response Packets  0                                                 0.00%     -            -
  ???: broken           0                                                           -            -
  5xx: Server Error     0                                                           -            -
  4xx: Client Error     0                                                           -            -
  3xx: Redirection      0                                                           -            -
  2xx: Success          0                                                           -            -
  1xx: Informational    0                                                           -            -
-------------------------------------------------------------------------------------------------------------------

Wireguard
WireGuard was initially started by in 2015 as a Linux kernel module. As of January 2020, it has been accepted for Linux v5.6. Support for other platforms (macOS, Android, iOS, BSD, and Windows) is provided by a cross-platform wireguard-go implementation.

Filter WireGuard traffic while capturing
Assuming that your WireGuard traffic goes over the wlan0 interface using port 51820

download extract-handshakes.sh

Step-by-step instructions for these are not yet available for the version merged in Linux v5.6. What you basically have to do is to build offset-finder.c with the headers from drivers/net/wireguard/ and kernel headers and config matching your current kernel.

Dumpcap
Dumpcap is a network traffic dump tool. It captures packet data from a live network and writes the packets to a file. Dumpcap’s native capture file format is pcapng, which is also the format used by Wireshark.

By default, Dumpcap uses the pcap library to capture traffic from the first available network interface and writes the received raw packet data, along with the packets' time stamps, into a pcapng file. The capture filter syntax follows the rules of the pcap library.

Dumpcap can benefit from an enabled BPF JIT compiler if available. You might want to enable it by executing:

Example Usage

 * Capture packets from the any interface until 60 s have passed, writing them to output.pcapng:
 * Another example that limits the capture by file size, duration, packet count and number of files:

External resources

 * https://tshark.dev - tshark.dev
 * https://wiki.wireshark.org/DisplayFilters - Display Filters
 * https://wiki.wireshark.org/Development/LibpcapFileFormat - Libpcap File Format
 * https://www.wireshark.org/download/docs/user-guide.pdf - Wireshark User's Guide