10.

Wireshark
i. Packet Capture Using Wire shark
ii. Starting Wire shark
iii. Viewing Captured Traffic iv. Analysis and Statistics & Filters.
Ans: What is Wireshark?
Wireshark is a powerful and widely-used open-source network protocol
analyzer. It allows users to capture and interactively browse the traffic running
on a computer network. It is used for network troubleshooting, analysis,
software and communications protocol development, and education.
Key Features of Wireshark
1. Packet Capture:
o Wireshark can capture live network traffic from various network
interfaces, such as Ethernet, Wi-Fi, and more.
2. Deep Inspection:
o It provides detailed information about network protocols and
packet contents, allowing users to drill down into each packet's
details.
3. Filtering:
o Wireshark includes robust filtering options to display only the
packets of interest, using display filters and capture filters.
4. Rich Protocol Support:
o It supports a wide range of network protocols, making it versatile
for various types of network analysis.
5. User-Friendly Interface:
o Wireshark's graphical user interface (GUI) is intuitive and user-
friendly, making it accessible to both beginners and advanced
users.
6. Offline Analysis:
o Captured network data can be saved to a file and analyzed later,
making it convenient for post-capture analysis.
7. Export Options:
o Wireshark can export captured data to various formats for further
analysis or reporting.
8. Customization:
o Users can customize Wireshark's settings, such as color-coding
packets based on protocol, to suit their specific needs.
Applications of Wireshark
 1. Network Troubleshooting:
o Wireshark helps network administrators diagnose network issues
by capturing and analyzing network traffic.
2. Protocol Development:
o Developers use Wireshark to analyze and debug protocol
implementations during development.
3. Educational Purposes:
o Wireshark is widely used in academic settings to teach students
about network protocols and packet-level communication.
4. Security Analysis:
o Security professionals use Wireshark to detect and analyze
malicious traffic and investigate security incidents.
Example
Wireshark can be used to capture and analyze HTTP traffic between a client
and server. By inspecting the captured packets, users can see details like HTTP
requests and responses, headers, and data payloads.
Summary
Wireshark is a versatile and powerful tool for network analysis and
troubleshooting. Its rich set of features, including packet capture, deep
inspection, and robust filtering, make it an essential tool for network
administrators, developers, educators, and security professionals.

i. Capturing packets using Wireshark is a straightforward process.

Here's a step-by-step guide to help you get started:
Step-by-Step Guide to Packet Capture Using Wireshark
1. Download and Install Wireshark:
o Download Wireshark from the official website and install it on
your system.
2. Launch Wireshark:
o Open Wireshark. You'll see a list of network interfaces on the left
side of the window1.
3. Select a Network Interface:
o Double-click on the network interface you want to capture packets
from (e.g., Ethernet, Wi-Fi). This will start capturing packets on
that interface1.
4. Configure Capture Options (Optional):
 o If needed, you can configure advanced capture options by clicking
on Capture > Options. For example, you can enable promiscuous
mode to capture all traffic on the network1.
5. Start Capturing Packets:
o Click the Start button (a red circle) to begin capturing packets.
You'll see packets start to appear in real-time in the main
window1.
6. Stop Capturing Packets:
o When you've captured enough data, click the Stop button (a red
square) to stop the capture.
7. Filter Packets (Optional):
o Use display filters to narrow down the packets you're interested in.
For example, you can filter by protocol, IP address, port number,
etc1.
8. Analyze Packets:
o Click on any packet in the packet list to view detailed information
about it in the Packet Details and Packet Bytes panes.
9. Save Capture:
o Save the captured packets to a file for later analysis by clicking File
> Save As.
Example
Let's say you want to capture HTTP traffic on your network:
1. Launch Wireshark and select your network interface.
2. Start Capturing and enter a display filter like http to only capture HTTP
traffic.
3. Stop Capturing after a few seconds.
4. Analyze Packets to see details of the HTTP requests and responses.
Wireshark is a powerful tool for network analysis, and capturing packets is just
the beginning. You can use it to troubleshoot network issues, analyze traffic
patterns, and much more.

ii. Starting Wire shark

Here’s a quick guide to starting Wireshark and capturing your first packet:
1. Download and Install Wireshark:
o Download the latest version of Wireshark from the official
website.
o Follow the installation instructions for your operating system.
 2. Launch Wireshark:
o Open Wireshark from your applications menu or by clicking its
icon.
3. Select a Network Interface:
o You will see a list of available network interfaces on the main
screen. These are the network adapters on your machine.
o Double-click on the interface you want to use to start capturing
packets. If you’re unsure, selecting the one with the most traffic
is a good start.
4. Start Capturing Packets:
o Once you’ve selected your interface, Wireshark will start
capturing all the packets that pass through it.
o You'll see live packet data streaming in the main window.
5. Use Filters (Optional):
o You can use capture filters to limit the types of packets you
capture. For example, if you only want to capture HTTP traffic,
you can enter http in the filter bar before starting the capture.
o You can also use display filters to view specific packets in your
capture file. Enter the desired protocol or criteria in the display
filter bar after you start capturing.
6. Stop Capturing Packets:
o When you’ve captured enough data, click the red square button
in the toolbar to stop capturing packets.
7. Analyze the Captured Data:
o Click on any packet in the top pane to see its details in the
middle and bottom panes.
o The middle pane shows the protocol tree, which breaks down
the packet’s structure.
o The bottom pane shows the raw data of the packet.
8. Save Your Capture:
o Save your captured data to a file by going to File > Save As.
o Choose the format and location where you want to save the file.
Wireshark’s user-friendly interface and robust set of features make it an
essential tool for network analysis and troubleshooting.
iii. Viewing captured traffic in Wireshark.
Viewing captured traffic in Wireshark is straightforward and allows you to
analyze the network data in great detail. Here’s a step-by-step guide on how to
view and interpret captured traffic:
Step-by-Step Guide to Viewing Captured Traffic in Wireshark
1. Start Wireshark:
o Open Wireshark from your applications menu or by clicking its
icon.
2. Open a Capture File:
o If you've already captured traffic and saved it, open the capture
file by clicking File > Open, and then select your capture file.
o If you're capturing live traffic, Wireshark will automatically display
the captured packets in the main window.
3. Packet List Pane:
o The top pane shows a list of all captured packets. Each row
represents a single packet and provides information such as the
packet number, timestamp, source and destination addresses,
protocol, and brief info.
o Click on a packet to highlight it and view more details.
4. Packet Details Pane:
o The middle pane provides detailed information about the selected
packet. It breaks down the packet into different protocol layers
(e.g., Ethernet, IP, TCP/UDP, HTTP).
o Click the expand/collapse arrows to view specific details about
each protocol layer.
5. Packet Bytes Pane:
o The bottom pane displays the raw data of the selected packet in
both hexadecimal and ASCII formats. This shows the actual bytes
transmitted over the network.
o This is useful for analyzing the payload and understanding the low-
level data transmission.
6. Using Display Filters:
o Wireshark’s display filters allow you to narrow down the packets
shown in the list.
o Enter a filter expression in the filter bar at the top of the window.
For example, type http to show only HTTP packets or ip.addr ==
192.168.1.1 to show packets involving a specific IP address.
 o Click the Apply button or press Enter to apply the filter.
7. Following a TCP Stream:
o To analyze a specific TCP conversation, right-click on a packet in
the TCP stream, and select Follow > TCP Stream.
o This opens a new window showing the entire conversation
between the client and server, which can be very useful for
debugging and analysis.
8. Statistics and Analysis Tools:
o Wireshark offers various built-in tools for deeper analysis. Click
Statistics in the menu to access features like protocol hierarchy,
endpoint statistics, and IO graphs.
o These tools help visualize traffic patterns and identify potential
issues.
9. Exporting Data:
o You can export the captured data for further analysis or reporting.
Click File > Export Specified Packets, and choose the desired
format and options.
Example Use Case
Suppose you’ve captured traffic while browsing a website. By applying an http
filter, you can isolate HTTP packets. Clicking on an HTTP GET request in the
packet list will show the details of the request in the packet details pane,
including headers, methods, and more.
Wireshark is a powerful tool for network analysis, and understanding how to
navigate its interface and use its features is crucial for effective network
troubleshooting and data analysis.

Iv. Analysis and Statistics & Filters.

Ans:
Wireshark offers a variety of tools for analyzing network traffic and
generating statistics to help diagnose issues, identify patterns, and
understand network behavior. Here are some of the key features:
1. Protocol Hierarchy:
o Navigate to Statistics > Protocol Hierarchy to view a breakdown
of the captured traffic by protocol. This provides insights into the
types of protocols used and their respective proportions.
2. Conversations:
 o Go to Statistics > Conversations to view conversations between
network devices. You can see details for TCP, UDP, IP, and other
protocol conversations, including the number of packets, bytes
transferred, and duration.
3. Endpoints:
o Access Statistics > Endpoints to see a list of all network endpoints
(e.g., IP addresses) involved in the captured traffic. This view
includes statistics for sent and received packets, bytes, and more.
4. IO Graphs:
o Use Statistics > IO Graphs to create visual representations of
traffic over time. This helps in identifying traffic patterns, bursts,
and potential issues.
5. Flow Graph:
o Select Statistics > Flow Graph to visualize the flow of packets
between devices. This is useful for understanding the sequence
of communications in a conversation or session.
6. Service Response Time:
o Go to Statistics > Service Response Time to analyze the response
times for various services and protocols. This is particularly
useful for troubleshooting performance issues.
7. HTTP Statistics:
o Access Statistics > HTTP to view detailed statistics about HTTP
traffic, including requests, responses, methods, and status codes.
Filters in Wireshark
Wireshark's filtering capabilities allow users to focus on specific packets or
traffic patterns, making it easier to analyze large captures. There are two
main types of filters: capture filters and display filters.
1. Capture Filters:
o Capture filters are used to specify which packets should be
captured. These filters are set before starting a capture and are
based on Berkeley Packet Filter (BPF) syntax.
o Example: tcp port 80 captures only TCP packets on port 80 (HTTP
traffic).
2. Display Filters:
o Display filters are used to narrow down the packets displayed in
the packet list after capturing. They allow for more complex and
detailed filtering.
 o Example: http shows only HTTP traffic. ip.addr == 192.168.1.1
displays packets involving a specific IP address.
Common Display Filter Examples
Filter by IP Address:
 ip.addr == 192.168.1.1
Filter by Protocol:
 tcp
 udp
 http
 dns
Filter by Port:
 tcp.port == 80
 udp.port == 53
Filter by MAC Address:
 eth.addr == aa:bb:cc:dd:ee:ff
Filter by TCP Flags:
 tcp.flags.syn == 1
Filter by Specific Packet Content:
 frame contains "HTTP"
Example
Suppose you want to analyze HTTP traffic in a capture file:
1. Capture HTTP Traffic:
o Use a capture filter like tcp port 80 to capture only HTTP traffic.
2. Apply Display Filter:
o After capturing, use a display filter like http to show only HTTP
packets in the capture.
3. Analyze HTTP Statistics:
o Go to Statistics > HTTP to view detailed statistics about the HTTP
traffic captured.
By using these features, Wireshark provides a comprehensive set of tools for
analyzing and understanding network traffic.