Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education.
emerge --ask net-analyzer/wireshark
To install Wireshark with all of the extra features, the following USE flag should be enabled:
c-ares ipv6 snmp ssl kerberos threads selinux.
Running Wireshark as root can be dangerous and is unnecessary. See the Wireshark Security page for more details.
As wireshark captures from hardware, it needs permissions set to enable capturing. To use wireshark as a normal user, add user to the pcap group:
gpasswd -a $USER pcap
To make the session aware of this new group without having to log in again, enter this command before launching wireshark:
Network Name Resolution
To automatically resolve IP addresses to domain names, open the preferences window from Edit -> Preferences, clicking the Name Resolution panel and selecting the Enable Network Name Resolution check box.
Enabling Network Name Resolution will increase the captured traffic due to additional DNS requests.
Filter packets to a specific IP Address
To see all incoming and outgoing traffic for a specific address, enter ip.addr == w.x.y.z in the filter box, replacing w.x.y.z with the relevant IP address. Additionally, to view only incoming traffic, replace ip.addr with ip.src; to view only outgoing traffic, replace ip.addr with ip.dst.
TShark is Wireshark's terminal-based network protocol analyzer. TShark's native file format is pcap. All packet capture options are listed by entering
For example, to capture packets across a specified network interface and save the results, enter
tshark -i wlan0 -w capture-output.pcap
Replace wlan0 with the desired network interface and capture-output with the desired filename.
- Metasploit — provides information about security vulnerabilities and aids in penetration testing and IDS signature development.
- Nmap — an open source recon tool used to check for open ports, what is running on those ports, and metadata about the daemons servicing those ports.
- Tcpdump — a command-line network monitoring and data acquisition tool.
- https://wiki.archlinux.org/index.php/wireshark The Arch Linux Wiki entry on Wireshark.
- https://www.wireshark.org/download/docs/user-guide.pdf Wireshark User's Guide.