Wireshark is a protocol analyser available for download. This week’s post provides a brief introduction to wireshark and shows two basic filters that can be used to extract two different classes of traffic.

Wireshark can be started from the command line, but it usually needs to be run as root or as sudo. Figure A shows the capture screen.

Figure A

Click to enlarge.

Starting a capture is simply a matter of clicking on the icon shown circled in green on Figure A. Clicking on the icon next it (circled in red) stops the capture. As Figure A shows, wireshark output consists of two panes: the top pane shows the packets, while the bottom pane shows details of packets highlighted in the top pane. When you stop a wireshark session you can save the output to a file. This allows you to analyse the traffic captured in more detail.

The wireshark capture used for the first part of this post is taken from a session running iperf. The iperf session was a 30-second continuous transmission. There was other traffic on the network in addition to the iperf traffic.

In Figure B, you can see circled the TCP three way handshake for initiating a connection.

Figure B

Click to enlarge.

Highlighting a packet in the upper frame shows a summary of the packet in the lower pane, as Figure B indicates. You can expand the sections in the lower pane to examine in more detail the contents of the packet. Figure C, for example, has the IP and TCP sections expanded. You could also expand the data section or the Ethernet section.

Figure C

Click to enlarge.

Wireshark will indicate whether the packet was fragmented in order to fit within the Maximum Transmission Unit (MTU). In this case the MTU is 1514 bytes. As an aside, you can also see the protocol overhead on each transmitted frame. In this case, we can see that the protocol overhead for the frame is 54 bytes. This comprises Ethernet header information (14 bytes), IP headers (20 bytes) and TCP headers (20 bytes). This leaves 1460 bytes for data.

The second part of this post looks at using a couple of basic filters to separate out traffic classes. In this case, rather than running iperf, a capture was made during a normal use period. The first class we look at is http traffic. This type of traffic uses TCP in the transport layer and operates on port 80. The filter used in this case is tcp.port==80. The filter used and the output is shown in Figure D.

Figure D

Click to enlarge.

The other type of traffic looked at (and this may be of some interest when troubleshooting network issues) is DNS traffic. DNS uses port 53 and uses UDP for the transport layer. To filter DNS traffic, the filter udp.port==53 is used. As can be seen in Figure E, four queries were made to DNS over the course of this capture. It is possible to track the queries and see whether there are any issues associated with DNS lookups.

Figure E

Click to enlarge.

Wireshark is a powerful tool when you want to check on what is actually happening on a network. It provides the tools to dig deeper into the data provided. In this case, we have looked at two basic filters that show how to look at TCP traffic and UDP traffic.