Go to Wireshark's webpage to download the application. For ease of use, I added a hyperlink to the webpage in this tutorial. Next, select the appropriate download link for your computer.
Once the download finishes, run the installer, click Noted on the license agreement, and make sure Install Npcap is checked in the installation wizard. If you already have Npcap installed on your system and want to update it, you must uninstall it before downloading Wireshark. If your version is the same, you can leave the option unchecked. If you checked Install Npcap, the Npcap installation wizard will pop up; click Next and install the program.
Once you open Wireshark, you will see all the network interfaces available on your system. In the Enter a capture filter ... field you can specify which packets are captured at all. For example, port 80 captures only traffic on port 80 (normally HTTP), and tcp captures only TCP packets. The Apply a display filter ... field is different: Wireshark still captures every packet that matches the capture filter, and the display filter only controls which of those captured packets are shown in the list. The blue shark fin starts the packet capture; the square next to it turns red while the capture is running, and you press it to stop capturing packets.
To open a packet capture (any .pcap file; click here for some sample files), go to File, then Open, or press Ctrl+O, and browse to the folder where the .pcap file is located. Once the capture opens, the program changes to show all the packets within that file, starting with the first one. The No. column numbers each packet. The Time column shows when the packet was captured, relative to the start of the capture. The Source and Destination columns show the packet's source and destination IP addresses respectively. The Protocol column shows what type of packet it is, such as HTTP, TCP, UDP, DNS or ARP. The Length column shows the number of bytes in each packet. Lastly, the Info column is a quick description of each packet; for example, a TCP packet's Info column indicates whether it is a SYN or ACK packet. The packet details pane, the bottom portion of the Wireshark window, shows the structure of each and every packet, formatted into layers from the Network layer up to the Application layer. In this example, you can see the HTTP (Hypertext Transfer Protocol) layer showing that the packet requested a connection to microsoft.com.
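To make the packet-list columns and the capture-filter/display-filter distinction concrete, here is an added example (not code from the tutorial or from the Wireshark project) that builds a small constructed .pcap in memory, reads it back the way a packet-list view would, and fills in the No., Time, Source, Destination, Protocol, Length and Info columns for each packet. The three frames (a TCP SYN and SYN/ACK on port 80, then a DNS query on UDP port 53), the IP and MAC addresses, and the timestamps are all made-up sample data; the display_filter function is a deliberately tiny stand-in for Wireshark's display filter, kept only to show that it narrows the view without discarding captured packets.

```python
"""Minimal pcap reader that reproduces Wireshark's packet-list columns (added example)."""
import struct
import socket

PCAP_MAGIC = 0xA1B2C3D4          # microsecond-resolution pcap, little-endian
ETHERTYPE_IPV4 = 0x0800
PROTO_NAMES = {6: "TCP", 17: "UDP"}
TCP_FLAG_NAMES = ((0x02, "SYN"), (0x10, "ACK"), (0x01, "FIN"), (0x04, "RST"), (0x08, "PSH"))


def ipv4_header(src, dst, proto, payload_len):
    # 20-byte IPv4 header; the checksum is left at 0 because this sample never hits a wire
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def tcp_segment(sport, dport, seq, ack, flags):
    # 20-byte TCP header, data offset 5, no options, no payload
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)


def udp_datagram(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def frame(src, dst, proto, l4):
    # Ethernet II header with constructed MAC addresses, then IPv4, then the transport payload
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ipv4_header(src, dst, proto, len(l4)) + l4


def build_sample_pcap():
    """Constructed sample capture: TCP SYN, TCP SYN/ACK, then a DNS query for example.com."""
    dns_query = (b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 6      # id, flags (RD), QDCOUNT=1
                 + b"\x07example\x03com\x00\x00\x01\x00\x01")      # QNAME, QTYPE=A, QCLASS=IN
    frames = [
        (0, 0, frame("10.0.0.5", "93.184.216.34", 6, tcp_segment(51000, 80, 1000, 0, 0x02))),
        (0, 12345, frame("93.184.216.34", "10.0.0.5", 6, tcp_segment(80, 51000, 5000, 1001, 0x12))),
        (0, 20000, frame("10.0.0.5", "10.0.0.1", 17, udp_datagram(40000, 53, dns_query))),
    ]
    # Global header: version 2.4, no timezone offset, snaplen 65535, link type 1 = Ethernet
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    base_secs = 1_700_000_000   # arbitrary epoch time for the constructed capture
    for secs, usecs, data in frames:
        out += struct.pack("<IIII", base_secs + secs, usecs, len(data), len(data)) + data
    return out


def dissect(no, rel_time, pkt):
    """Return one packet-list row: (No., Time, Source, Destination, Protocol, Length, Info)."""
    ethertype, = struct.unpack_from("!H", pkt, 12)
    if ethertype != ETHERTYPE_IPV4:
        return (no, rel_time, "?", "?", "ETH", len(pkt), f"ethertype 0x{ethertype:04x}")
    ihl = (pkt[14] & 0x0F) * 4
    proto = pkt[23]
    src, dst = socket.inet_ntoa(pkt[26:30]), socket.inet_ntoa(pkt[30:34])
    l4 = pkt[14 + ihl:]
    name, info = PROTO_NAMES.get(proto, f"IP proto {proto}"), ""
    if proto == 6:
        sport, dport, seq, ack, doff_flags = struct.unpack_from("!HHIIH", l4, 0)
        set_flags = [n for bit, n in TCP_FLAG_NAMES if doff_flags & bit]
        info = f"{sport} > {dport} [{', '.join(set_flags)}] Seq={seq} Ack={ack}"
    elif proto == 17:
        sport, dport = struct.unpack_from("!HH", l4, 0)
        if 53 in (sport, dport):
            name = "DNS"                                   # DNS header starts after the 8-byte UDP header
            txid, = struct.unpack_from("!H", l4, 8)
            info = f"Standard {'response' if l4[10] & 0x80 else 'query'} 0x{txid:04x}"
        else:
            info = f"{sport} > {dport}"
    return (no, rel_time, src, dst, name, len(pkt), info)


def parse_pcap(data):
    """Walk the pcap record headers and dissect every captured frame."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap")
    linktype, = struct.unpack_from("<I", data, 20)
    if linktype != 1:
        raise ValueError("only Ethernet link type is handled")
    rows, off, first = [], 24, None
    while off + 16 <= len(data):
        secs, usecs, caplen, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        pkt, off = data[off:off + caplen], off + caplen
        first = first or (secs, usecs)
        rel = (secs - first[0]) + (usecs - first[1]) / 1e6   # Time column is relative to the first packet
        rows.append(dissect(len(rows) + 1, rel, pkt))
    return rows


def display_filter(rows, protocol):
    """Narrow the view to one Protocol column value; the rows themselves stay in the capture."""
    return [r for r in rows if r[4] == protocol]


if __name__ == "__main__":
    all_rows = parse_pcap(build_sample_pcap())
    print("%-4s %-10s %-15s %-15s %-5s %-6s %s" % ("No.", "Time", "Source", "Destination", "Proto", "Length", "Info"))
    for r in all_rows:
        print("%-4d %-10.6f %-15s %-15s %-5s %-6d %s" % r)
    print("display filter 'TCP' shows", len(display_filter(all_rows, "TCP")), "of", len(all_rows), "captured packets")
```

Running the script prints the three rows with the same columns the tutorial describes, and the last line shows the point about display filters: all three packets remain in the capture, only two are displayed.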