Wireshark

Wireshark is a free and open-source packet analyzer. It was originally developed by Gerald Combs and is used for network troubleshooting, analysis, software and communications protocol development, and education. Wireshark supports Windows, Linux, and Mac OS and can capture traffic from a live network or read from a file.

Uploaded by

SHIFANA A

A Brief History of Wireshark

Wireshark has a very rich history. Gerald Combs, a computer science graduate of the University
of Missouri at Kansas City, originally developed it out of necessity. The first version of Combs’s
application, called Ethereal, was released in 1998 under the GNU Public License (GPL). Eight
years after releasing Ethereal, Combs left his job to pursue other career opportunities.
Unfortunately, his employer at that time had full rights to the Ethereal trademarks, and Combs
was unable to reach an agreement that would allow him to control the Ethereal “brand.”
Instead, Combs and the rest of the development team rebranded the project as Wireshark in
mid-2006, and development has continued under that name since.

The Benefits of Wireshark


Supported protocols: Wireshark excels in the number of protocols that it supports more than
850 as of this writing. These range from common ones like IP and DHCP to more advanced
proprietary protocols like AppleTalk and Bit Torrent..
User-friendliness: The Wireshark interface is one of the easiest to understand of any packet-
sniffing application. It is GUI-based, with very clearly written context menus and a
straightforward
layout. It also provides several features designed to enhance usability, such as protocol-based
color coding and detailed graphical representations of raw data. Unlike some of the more
complicated command-line-driven alternatives, like tcpdump, the Wireshark GUI is great for
those who are just entering the world of packet analysis.
Cost: Since it is open source, Wireshark’s pricing can’t be beat: Wire-shark is released as free
software under the GPL.
Program support: A software package’s level of support can make or break it. When dealing
with freely distributed software such as Wireshark, there may not be any formal support, which is
why the open source com-munity often relies on its user base to provide support.
Operating system support: Wireshark supports all major modern operating systems, including
Windows, Mac OS X, and Linux-based platforms.
2.3 Installing Wireshark
The Wireshark installation process is surprisingly simple. However, before you install Wireshark,
make sure that your system meets the following requirements:
- A 400 MHz processor or faster
- More than 512 MB of RAM
- At least 75 MB of available storage space
- A NIC that supports promiscuous mode

WinPcap capture driver


The WinPcap capture driver is the Windows implementation of the pcap packet-capturing
application programming interface (API). Simply put, this driver interacts with your operating
system to capture raw packet data, apply filters, and switch the NIC in and out of promiscuous
mode.

First Packet Capture

1. Open Wireshark.
2. From the main drop-down menu, select Capture and then Interfaces. You should see a dialog
listing the various interfaces that can be used to capture packets, along with their IP addresses.
3. Choose the interface you wish to use, as shown in Figure-3, and click Start, or simply click the
interface under the Interface List section of the welcome page. Data should begin filling the
window.
4. Wait about a minute or so, and when you are ready to stop the capture and view your data,
click the Stop button from the Capture drop-down menu.
Once you have completed these steps and finished the capture process, the Wireshark main
window should be alive with data. As a matter of fact, you might be overwhelmed by the
amount of data that appears, but it will all start to make sense very quickly as we break down
the main window of Wireshark one piece at a time.
The three panes in the main window depend on one another. In order to view the details of an
individual packet in the Packet Details pane, you must first select that packet by clicking it in the
Packet List pane. Once you’ve selected your packet, you can see the bytes that correspond with a
certain portion of the packet in the Packet Bytes pane when you click that portion of the packet in
the Packet Details pane.
Here’s what each pane contains:
Packet List: The top pane displays a table containing all packets in the current capture file. It has
columns containing the packet number, the relative time the packet was captured, the source and
destination of the packet, the packet’s protocol, and some general information found in the
packet.
Packet Details: The middle pane contains a hierarchical display of information about a single
packet. This display can be collapsed and expanded to show all of the information collected about
an individual packet.
Packet Bytes: The lower pane, perhaps the most confusing, displays a packet in its raw,
unprocessed form; that is, it shows what the packet looks like as it travels across the wire. This is
raw information with nothing warm or fuzzy to make it easier to follow.

Wireshark’s preferences are divided into six major sections:


1. User Interface: These preferences determine how Wireshark presents data. You can change
most options here according to your personal preferences, including whether or not to save
window positions, the layout of the three main panes, the placement of the scroll bar, the
placement of the Packet List pane columns, the fonts used to display the captured data, and the
background and foreground colors.
2. Capture: These preferences allow you to specify options related to the way packets are
captured, including your default capture interface, whether to use promiscuous mode by default,
and whether to update the Packet List pane in real time.
3. Printing: The preferences in this section allow you to specify various options related to the way
Wireshark prints your data.
4. Name Resolution: Through these preferences, you can activate features of Wireshark that
allow it to resolve addresses into more recognizable names (including MAC, network, and
transport name resolution) and specify the maximum number of concurrent name resolution
requests.
5. Statistics: This section provides a few configurable options for Wireshark’s statistical features.
6. Protocols: The preferences in this section allow you to manipulate options related to the
capture and display of the various packets Wireshark is capable of decoding. Not every protocol
has configurable preferences, but some have several options that can be changed.
Packet Color Coding

Each packet is displayed as a certain color for a reason. These colors reflect the packet’s
protocol. For example, all DNS traffic is blue, and all HTTP traffic is green. The color coding
allows you to quickly differentiate between various protocols so that you don’t need to read the
protocol field in the Packet List pane for each individual packet. You will find that this greatly
speeds up the time it takes to browse through large capture files. Wireshark makes it easy to
see which colors are assigned to each protocol through the Coloring Rules window. To open this
window, select View from the main drop-down menu and click Coloring Rules.
Study of working with captured packets
To save a packet capture, select File > Save As. You should see the Save File As dialog, as shown
in Figure-1. You’re asked for a location to save your packet capture and for the file format you
wish to use. If you do not specify a file format, Wireshark will use the default .pcap file format.
One of the more powerful features of the Save File As dialog is the ability to save a specific
packet range. This is a great way to thin bloated packet capture files. You can choose to save
only packets in a specific number range, marked packets, or packets visible as the result of a
display filter.

Merging Capture Files


Certain types of analysis require the ability to merge multiple capture files. This is a common
practice when comparing two data streams or combining streams of the same traffic that were
captured separately.
To merge capture files, open one of the capture files you want to merge and choose File > Merge
to bring up the Merge with Capture File dialog, shown in Figure-2. Select the new file you wish
to merge into the already open file, and then select the method to use for merging the files. You
can prepend the selected file to the currently open one, append it, or merge the files
chronologically based on their timestamps.
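To make the three merge methods and the packet-range save from the previous section concrete, here is an added Python example (not Wireshark's own code) that reads and writes the default .pcap file format directly. The two captures CAP_A and CAP_B are constructed, and the function names are my own.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4                 # little-endian, microsecond timestamps
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, ver major, ver minor, tz, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len

def write_pcap(records, linktype=1):
    """records: (ts_sec, ts_usec, payload) tuples; linktype 1 = Ethernet."""
    out = [GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)]
    for sec, usec, payload in records:
        out.append(REC_HDR.pack(sec, usec, len(payload), len(payload)) + payload)
    return b"".join(out)

def read_pcap(data):
    """Return (linktype, [(ts_sec, ts_usec, payload), ...]), rejecting bad input."""
    magic, _, _, _, _, _, linktype = GLOBAL_HDR.unpack_from(data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap file")
    off, records = GLOBAL_HDR.size, []
    while off + REC_HDR.size <= len(data):
        sec, usec, incl, _ = REC_HDR.unpack_from(data, off)
        off += REC_HDR.size
        if off + incl > len(data):
            raise ValueError("truncated packet record")  # never trust incl_len blindly
        records.append((sec, usec, data[off:off + incl]))
        off += incl
    return linktype, records

def save_range(data, first, last):
    """Save As with a packet range: keep packets numbered first..last (1-based)."""
    linktype, recs = read_pcap(data)
    return write_pcap(recs[first - 1:last], linktype)

def merge_captures(open_file, selected_file, mode):
    """The three File > Merge methods: prepend, append, chronological."""
    (lt_a, a), (lt_b, b) = read_pcap(open_file), read_pcap(selected_file)
    if lt_a != lt_b:
        raise ValueError("link types differ; cannot merge")
    if mode == "prepend":
        merged = b + a            # selected file goes in front of the open one
    elif mode == "append":
        merged = a + b
    elif mode == "chronological":
        merged = sorted(a + b, key=lambda r: (r[0], r[1]))  # stable for equal timestamps
    else:
        raise ValueError("unknown merge mode: " + mode)
    return write_pcap(merged, lt_a)

CAP_A = write_pcap([(100, 0, b"A1"), (102, 500000, b"A2")])  # constructed, not real traffic
CAP_B = write_pcap([(101, 250000, b"B1"), (103, 0, b"B2")])  # constructed, not real traffic
```

Wireshark also ships a command-line tool, mergecap, that performs the same merge without the GUI.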
