From Gentoo Wiki
Jump to:navigation Jump to:search
This article is a stub. Please help out by expanding it - how to get started.

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education.



root #emerge --ask net-analyzer/wireshark
To install Wireshark with all of the extra features, the following USE flag should be enabled: c-ares ipv6 snmp ssl kerberos threads selinux.



Running Wireshark as root can be dangerous and is unnecessary. See the Wireshark Security page for more details.

As wireshark captures from hardware, it needs permissions set to enable capturing. To use wireshark as a normal user, add user to the pcap group:

root #gpasswd -a $USER pcap

To make the session aware of this new group without having to log in again, enter this command before launching wireshark:

root #newgrp pcap



Network Name Resolution

To automatically resolve IP addresses to domain names, open the preferences window from Edit -> Preferences, clicking the Name Resolution panel and selecting the Enable Network Name Resolution check box.

Enabling Network Name Resolution will increase the captured traffic due to additional DNS requests.

Filter packets to a specific IP Address

To see all incoming and outgoing traffic for a specific address, enter ip.addr == w.x.y.z in the filter box, replacing w.x.y.z with the relevant IP address. Additionally, to view only incoming traffic, replace ip.addr with ip.src; to view only outgoing traffic, replace ip.addr with ip.dst.

Terminal-based Wireshark

TShark is Wireshark's terminal-based network protocol analyzer. TShark's native file format is pcap. All packet capture options are listed by entering

user $tshark -h

For example, to capture packets across a specified network interface and save the results, enter

user $tshark -i wlan0 -w capture-output.pcap

Replace wlan0 with the desired network interface and capture-output with the desired filename.

See also

  • Metasploit — provides information about security vulnerabilities and aids in penetration testing and IDS signature development.
  • Nmap — an open source recon tool used to check for open ports, what is running on those ports, and metadata about the daemons servicing those ports.
  • Tcpdump — a command-line network monitoring and data acquisition tool.

External resources