Wireshark

From Gentoo Wiki

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education.

Installation

Emerge

root #emerge --ask net-analyzer/wireshark
Note
To install Wireshark with all of the extra features, enable the following USE flags: c-ares ipv6 snmp ssl kerberos threads selinux.

Configuration

Permissions

Warning
Running Wireshark as root can be dangerous and is unnecessary. See the Wireshark Security page for more details.

As Wireshark captures directly from network interfaces, it needs permission to open the capture device. To use Wireshark as a normal user, add that user to the wireshark group (in a root shell $USER usually expands to root, so substitute the name of the user being granted access):

root #gpasswd -a $USER wireshark

To make the session aware of this new group without having to log in again, enter this command before launching wireshark:

root #newgrp wireshark

Usage

Techniques

Network Name Resolution

To automatically resolve IP addresses to domain names, open the preferences window from Edit -> Preferences, select the Name Resolution panel, and tick the Enable Network Name Resolution check box.

Note
Enabling Network Name Resolution generates additional DNS requests, which themselves show up in the capture and increase the amount of captured traffic.

Filter packets to a specific IP Address

To see all incoming and outgoing traffic for a specific address, enter ip.addr == w.x.y.z in the filter box, replacing w.x.y.z with the relevant IP address. Additionally, to view only incoming traffic, replace ip.addr with ip.src; to view only outgoing traffic, replace ip.addr with ip.dst.

Terminal-based Wireshark

TShark is Wireshark's terminal-based network protocol analyzer. TShark's native file format is pcap. All capture options are listed by running

user $tshark -h

For example, to capture packets across a specified network interface and save the results, enter

user $tshark -i wlan0 -w capture-output.pcap

Replace wlan0 with the desired network interface and capture-output.pcap with the desired output filename.
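The address filter semantics from the "Filter packets to a specific IP Address" section (ip.addr matching either direction, ip.src and ip.dst one direction each) together with the pcap layout that tshark -w produces, as an added Python example that is not part of the original article: it builds a small pcap file in memory from constructed frames (the sample addresses are an assumption taken from the documentation ranges, not from the article), parses it, and applies the three filter forms.

```python
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4  # libpcap magic number (microsecond timestamps)
LINKTYPE_ETHERNET = 1

def build_pcap(packets):
    """Serialise (timestamp, frame) pairs: 24-byte global header, then 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in packets:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def ipv4_frame(src, dst, proto=17):
    """Constructed Ethernet II + IPv4 header with no payload (sample data only)."""
    eth = b"\x02" * 6 + b"\x02" * 6 + b"\x08\x00"  # dummy MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip

def read_pcap(data):
    """Yield (timestamp, src, dst) for every IPv4 frame in a pcap byte string."""
    magic, *_, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported pcap header")
    off = 24
    while off + 16 <= len(data):
        ts, _, caplen, _ = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00":  # skip non-IPv4 frames
            continue
        # IPv4 source sits at header offset 12 and destination at 16, after 14 Ethernet bytes
        yield ts, socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])

def match(filt, src, dst):
    """Evaluate the 'ip.addr == a', 'ip.src == a' and 'ip.dst == a' forms (== only)."""
    field, _, addr = filt.split()
    return {"ip.addr": src == addr or dst == addr,
            "ip.src": src == addr, "ip.dst": dst == addr}[field]

def apply_filter(data, filt):
    return [(src, dst) for _, src, dst in read_pcap(data) if match(filt, src, dst)]

# Constructed sample: one host talking to two peers, plus one unrelated flow.
SAMPLE = build_pcap([(i, ipv4_frame(s, d)) for i, (s, d) in enumerate([
    ("192.0.2.10", "198.51.100.5"), ("198.51.100.5", "192.0.2.10"),
    ("192.0.2.10", "203.0.113.7"), ("203.0.113.7", "192.0.2.10"),
    ("198.51.100.5", "203.0.113.7")], 1)])
```

Filtering on ip.addr returns the packets in both directions, while ip.src and ip.dst each return only one direction, which is the distinction the section above relies on.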

See also

  • Metasploit — provides information about security vulnerabilities and aids in penetration testing and IDS signature development.
  • Nmap — an open source recon tool used to check for open ports, what is running on those ports, and metadata about the daemons servicing those ports.
  • Tcpdump — a command-line network monitoring and data acquisition tool.

External resources