Sometimes while using the Internet you run into a traffic leak or an unexpected consumption of system resources. To analyze the situation quickly and find the source of the problem, use a dedicated network tool. One of them, Wireshark, is the subject of this article.
General information
Before using Wireshark, you should understand its scope, functionality and capabilities. In short: the program captures packets in real time on wired and wireless network connections. It works with Ethernet, IEEE 802.11, PPP and similar link-layer protocols, and it can also capture the traffic of VoIP calls.
The program is licensed under the GNU GPL, which means it is free and open source. It runs on many Linux distributions and on macOS, and there is also a version for Windows.
How to use Wireshark?
First, install it on the system. Since Ubuntu is one of the most commonly used Linux distributions, all examples will be shown there.
To install, just type this command in a terminal:
sudo apt-get install wireshark
After that, the program appears in the main menu and can be started from there. Capturing packets requires elevated privileges, so a common shortcut is to start it from the terminal with sudo:
sudo wireshark
Running the whole GUI as root is not recommended, though: every protocol dissector parses untrusted data from the wire, and a bug in one of them would then run with full privileges. On Debian and Ubuntu the cleaner way is to let the wireshark-common package set up non-root capture (dpkg-reconfigure wireshark-common and answer "yes"), add your account to the wireshark group, and log in again. Wireshark then runs as your normal user and only the small dumpcap helper holds the capture privileges.
Appearance
The program has a convenient graphical interface. On startup the user sees a welcome window divided into three parts: the first deals with capture, the second with opening files and sample captures, and the third with help and support.
The Capture block lists the network interfaces available for capturing. If, for example, eth0 is selected and the Start button is pressed, capture begins on that interface.
The window with captured data is also divided into several parts. At the top is a toolbar with various controls. Below it is the packet list, presented as a table: each row shows the packet's sequence number, the time it was captured, the source and destination addresses, the protocol, the length and an Info column that summarises the packet.
Below the list is the packet details pane, a tree of the decoded fields of the selected packet. Lower still is the packet bytes pane, a hexadecimal and ASCII dump of the raw frame.
Each pane can be expanded into a larger window for easier reading.
Applying filters
While the program runs, dozens or even hundreds of packets per second scroll past the user. Sifting through them by hand is tedious and time-consuming, so the official Wireshark manual recommends using filters.
There is a dedicated field for them in the program window, Filter (the display filter bar). To build a filter more precisely, there is an Expression button. Note that these are display filters, which only hide packets from view; capture filters, set before capture starts, use a different (BPF) syntax and decide which packets are recorded at all.
But for most cases a standard set of fields is enough:
- ip.dst - destination IP address of the packet;
- ip.src - source IP address;
- ip.addr - either address (matches if the value is the source or the destination);
- ip.proto - the IP protocol number (for example 6 for TCP, 17 for UDP).
Using filters in Wireshark - instructions
To see how the program works with filters, enter an expression in the Filter field. For example, ip.dst == 172.217.23.131 shows all packets heading for the Google address used in this example (Google serves its sites from many addresses, so check which one your client actually resolves). To see all traffic, both incoming and outgoing, combine two conditions in one line: ip.dst == 172.217.23.131 || ip.src == 172.217.23.131. The shorthand ip.addr == 172.217.23.131 means the same thing.
Other conditions work too, for example ip.ttl < 10 shows all packets whose time-to-live is below 10. To select packets by size, use http.content_length > 5000. Keep in mind that http.* fields are only populated when Wireshark can dissect the protocol, so this works for plain HTTP but not for HTTPS, whose payload is encrypted; the raw frame size is available for every packet as frame.len.
Additional features
For convenience, Wireshark lets you quickly turn a packet field into a column of the packet list. In the packet details pane, right-click the desired field and choose Apply as Column; the field then appears as a column for every packet.
Similarly, any field can be turned into a filter: the context menu offers Apply as Filter (and Prepare as Filter, which fills in the expression without applying it).
Separate session
Wireshark can be used to watch the conversation between two network nodes, for example a user and a server. Select a packet of interest, open the context menu and click Follow TCP Stream. A new window shows the entire exchange between the two nodes, with the payloads reassembled in order and the two directions colour-coded. This only reveals plaintext: for TLS connections you will see the encrypted bytes unless you give Wireshark the session keys (for example via an SSLKEYLOGFILE exported by the browser).
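Both the display filters above and Follow TCP Stream operate on fields that Wireshark decodes from raw frames. The following Python program, added here as an illustration and not taken from the article or from the Wireshark project, builds a small pcap file in memory (all addresses, ports and payloads are constructed sample data), parses it into the fields the filters use, applies the equivalents of ip.dst == ..., ip.addr == ... and ip.ttl < 10, and reassembles the two directions of a TCP conversation the way Follow TCP Stream does. Function names such as parse_pcap and follow_tcp_stream are this example's own, not Wireshark APIs.

```python
# Added example, not code from the article or from Wireshark: a minimal pcap
# parser exposing the fields the article's filters use, plus TCP stream
# reassembly. All packet data below is constructed sample data.
import ipaddress
import struct

ETH_IPV4 = 0x0800
IPPROTO_TCP = 6

def build_frame(src, dst, ttl, sport, dport, seq, payload):
    """Build an Ethernet/IPv4/TCP frame. Checksums are left at zero because the
    parser below does not verify them (Wireshark would flag them in Expert
    Information, but that does not affect filtering)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18,
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, ttl,
                     IPPROTO_TCP, 0, ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    eth = bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ETH_IPV4)
    return eth + ip + tcp

def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out

def parse_pcap(data):
    """Yield one dict per IPv4 packet, keyed by Wireshark-style field names."""
    endian = "<" if struct.unpack_from("<I", data, 0)[0] == 0xA1B2C3D4 else ">"
    off, number = 24, 0
    while off < len(data):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        number += 1
        if struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
            continue  # not IPv4: no ip.* fields, just as in Wireshark
        ip = frame[14:]
        ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0]
        pkt = {"no": number, "frame.len": len(frame),
               "ip.src": str(ipaddress.IPv4Address(ip[12:16])),
               "ip.dst": str(ipaddress.IPv4Address(ip[16:20])),
               "ip.ttl": ip[8], "ip.proto": ip[9]}
        if pkt["ip.proto"] == IPPROTO_TCP:
            tcp = ip[ihl:total_len]
            sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
            pkt.update({"tcp.srcport": sport, "tcp.dstport": dport, "tcp.seq": seq,
                        "tcp.payload": tcp[(tcp[12] >> 4) * 4:]})
        yield pkt

def apply_filter(packets, predicate):
    """Equivalent of typing an expression into the Filter field: keep matches."""
    return [p for p in packets if predicate(p)]

def ip_addr(address):
    """ip.addr == X matches either endpoint, i.e. ip.src == X || ip.dst == X."""
    return lambda p: address in (p["ip.src"], p["ip.dst"])

def follow_tcp_stream(packets, selected):
    """Reassemble both directions of the conversation the selected packet belongs
    to, ordering segments by sequence number as Follow TCP Stream does."""
    a = (selected["ip.src"], selected["tcp.srcport"])
    b = (selected["ip.dst"], selected["tcp.dstport"])
    segments = {a: [], b: []}
    for p in packets:
        if p["ip.proto"] != IPPROTO_TCP:
            continue
        s = (p["ip.src"], p["tcp.srcport"])
        d = (p["ip.dst"], p["tcp.dstport"])
        if {s, d} == {a, b}:  # same conversation, either direction
            segments[s].append((p["tcp.seq"], p["tcp.payload"]))
    stream = {}
    for endpoint, segs in segments.items():
        peer = b if endpoint == a else a
        key = f"{endpoint[0]}:{endpoint[1]}->{peer[0]}:{peer[1]}"
        stream[key] = b"".join(payload for _, payload in sorted(segs))
    return stream

# Constructed sample capture (made-up addresses and payloads): a request to the
# Google address the article uses, the reply arriving as two out-of-order
# segments, and one unrelated low-TTL packet.
GOOGLE, CLIENT, OTHER = "172.217.23.131", "192.168.1.10", "10.0.0.5"
REQUEST = b"GET / HTTP/1.1\r\nHost: www.google.com\r\n\r\n"
REPLY_HEAD = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\n"
CAPTURE = build_pcap([
    build_frame(CLIENT, GOOGLE, 64, 51000, 80, 1000, REQUEST),
    build_frame(GOOGLE, CLIENT, 55, 80, 51000, 7000 + len(REPLY_HEAD), b"hello"),
    build_frame(GOOGLE, CLIENT, 55, 80, 51000, 7000, REPLY_HEAD),
    build_frame(CLIENT, OTHER, 3, 51001, 22, 1, b""),
])

if __name__ == "__main__":
    pkts = list(parse_pcap(CAPTURE))
    print("ip.dst == GOOGLE:", [p["no"] for p in apply_filter(pkts, lambda p: p["ip.dst"] == GOOGLE)])
    print("ip.addr == GOOGLE:", [p["no"] for p in apply_filter(pkts, ip_addr(GOOGLE))])
    print("ip.ttl < 10:", [p["no"] for p in apply_filter(pkts, lambda p: p["ip.ttl"] < 10)])
    for direction, data in follow_tcp_stream(pkts, pkts[0]).items():
        print(direction, data)
```

Run as a script it prints which packet numbers each filter keeps and the two reassembled directions, with the out-of-order reply segments put back in sequence order. A real capture can be fed to parse_pcap by reading the file's bytes, provided it is a classic pcap; current Wireshark saves pcapng by default, which is a different container format, so choose pcap when saving or convert it first.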
Diagnostics
Wireshark has a separate tool for analyzing network problems, Expert Information. It is reached through the round coloured icon in the lower left corner of the status bar (or from the Analyze menu). Clicking it opens a window with several tabs: Errors, Warnings, Notes and Chats. These help locate the nodes where failures occur, where packets are lost or retransmitted, and other problems with the network.
Voice traffic
As already mentioned, Wireshark can capture voice traffic, and a whole Telephony menu is reserved for it. It can be used to find VoIP problems and fix them quickly.
The VoIP Calls item in the Telephony menu lists the calls found in the capture and, when the media is unencrypted RTP in a codec Wireshark can decode, lets you play them back.
Export Objects
This is probably the most interesting feature of the program. It lets Wireshark act as an interceptor of files transmitted over the network. Stop the capture and choose Export Objects > HTTP from the File menu. The window that opens lists all files transferred during the session, and any of them can be saved to a convenient location. As with Follow TCP Stream, only unencrypted transfers can be extracted; objects carried over HTTPS are not visible without the TLS keys.
Finally
Unfortunately, a current Russian-language version of Wireshark is hard to find; the most accessible and commonly used build is in English.
The same is true of detailed Wireshark instructions in Russian. The official documentation from the developers is in English, and there are many short Wireshark tutorials for beginners online.
However, anyone who has worked in IT for a while will have no great difficulty getting to grips with the program. Its wide possibilities and rich functionality more than make up for the effort of learning it.
Note that in some countries using a sniffer such as Wireshark may be illegal; in any case, capture only on networks you own or are authorised to monitor.