Wireshark Beginner guide

Wireshark/Ethereal is a free network protocol analyzer for almost all operating systems (including Unix, Linux and MS Windows). It allows you to examine data from a live network or from a capture file on disk. You can interactively browse the capture data, viewing summary and detail information for each packet. Wireshark/Ethereal has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session.

The installation of Wireshark is easy so I will not mention here, you can find newest Wireshark version at http://www.wireshark.org/download.html

Using of Wireshark/Ethereal

1. Capturing
Normally it is possible to use Ethernet hub with ethereal or some better switch on which one Ethernet port can be configured as monitoring portTo capture Ethernet traffic start Wireshark/Ethereal, select Capture menu and click to Options. Following screen will appear:

Capture Options

In interface selection select Ethernet interface from which you would like to capture traffic. In some configurations default selection can be for example Generic NdisWan Adapter – which is not physical network card from which Wireshark/Ethereal is able to capture. This adapter can be founded in configurations with enabled terminal services. If capture for some specific host is needed it is possible to define filter. Examples of some filters related to hosts:

It is possible to capture just some low-level protocol. Here a few examples:

2. Filtering (during capture session)

It is possible, during capture session, to define another filter which will apply to captured information. See following example

(Wireshark/Ethereal in action)

In filter field is string: “ldap” which means that Wireshark/Ethereal will show just transactions which are using ldap protocol. It is possible to change value of this filter during capturing session.
Some simple examples:

More complicated examples:

Note: Filtering is case sensitive!