Wireshark is a network analysis tool which captures network packets in real time and presents them in a human-readable format. The tool was formerly called Ethereal. Wireshark includes filters, color indicators and many other features that let an admin dig into the network traffic and see what is going on.

This article is a brief introduction to how Wireshark is installed and how one can use it to dig into the network details.
1. Install the package.

In order to install the Wireshark package, go to http://www.wireshark.org/download.html and select the correct packages for the installation. I will be explaining how to build Wireshark on Red Hat Linux 6.

Download the source code, unzip it to a location and execute

yum install bison flex gtk2-devel libpcap-devel c-ares-devel libsmi-devel gnutls-devel libgcrypt-devel krb5-devel GeoIP-devel ortp-devel portaudio-devel

Linux then tries to install the packages which Wireshark depends on.
2. Once the packages are installed, run the following commands

cd wireshark-1.8.11
./autogen.sh
./configure --enable-setcap-install
make
make install
wireshark &

If everything goes fine, we can now see the Wireshark console on the screen.
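As an added example (not part of the original article), here is the build sequence above wrapped in a shell script, followed by a check that --enable-setcap-install did what it is there for: it gives dumpcap, the helper program that actually performs the capture, the cap_net_raw and cap_net_admin file capabilities, so that Wireshark itself can be run from an ordinary user account instead of as root. The script assumes Red Hat Linux 6 with yum, the wireshark-1.8.11 source tree already extracted into the current directory, and getcap from libcap being available; the /usr/local/bin/dumpcap path is the default install prefix and is an assumption.

```shell
#!/bin/sh
# Added example (not from the original article): build Wireshark from source
# following the article's steps, then confirm that dumpcap received the file
# capabilities that --enable-setcap-install is meant to grant, so captures can
# run from an unprivileged account instead of as root.
# Assumptions: RHEL 6 with yum, the wireshark-1.8.11 source tree already
# extracted into the current directory, and getcap available (libcap).
set -eu

SRC_DIR="wireshark-1.8.11"
DUMPCAP="/usr/local/bin/dumpcap"   # default ./configure prefix (assumed)

install_deps() {
    yum -y install bison flex gtk2-devel libpcap-devel c-ares-devel \
        libsmi-devel gnutls-devel libgcrypt-devel krb5-devel GeoIP-devel \
        ortp-devel portaudio-devel
}

build_and_install() {
    cd "$SRC_DIR"
    ./autogen.sh
    ./configure --enable-setcap-install
    make
    make install
    cd ..
}

# Succeeds when a getcap output line grants dumpcap both capabilities a
# packet capture needs (cap_net_raw and cap_net_admin), e.g.
#   /usr/local/bin/dumpcap = cap_net_admin,cap_net_raw+eip
has_capture_caps() {
    caps="$1"
    case "$caps" in
        *cap_net_raw*) ;;
        *) return 1 ;;
    esac
    case "$caps" in
        *cap_net_admin*) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads the capabilities actually set on the installed dumpcap and reports
# whether an ordinary user will be able to capture with it.
verify_install() {
    caps="$(getcap "$DUMPCAP" 2>/dev/null || true)"
    if has_capture_caps "$caps"; then
        echo "dumpcap is capability-enabled: $caps"
    else
        echo "dumpcap has no capture capabilities; captures would need root" >&2
        return 1
    fi
}

# Only run the build when explicitly asked (./build-wireshark.sh run), so the
# file can also be sourced just for its functions.
if [ "${1:-}" = "run" ]; then
    install_deps
    build_and_install
    verify_install
fi
```

If verify_install reports missing capabilities, the build was installed without the setcap step (for instance because setcap was not on the build machine) and starting wireshark as a normal user will show no interfaces; re-running the setcap step on dumpcap is preferable to launching the whole GUI as root.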
3. Start Using Wireshark

Click on the interface, in this case “eth0”. Once we click the interface it starts capturing packets on that interface. As soon as you click the interface’s name, you’ll see the packets start to appear in real time. Wireshark captures each packet sent to or from your system. It captures all sorts of packets: TCP, UDP, HTTP and many more.

Click the stop capture button near the top left corner of the window when you want to stop capturing traffic.
Wireshark uses colors to represent different kinds of information in the capture shown above. We can see packets highlighted in green, blue and black. Wireshark uses colors to help you identify the types of traffic at a glance. By default, green is TCP traffic, dark blue is DNS traffic, light blue is UDP traffic and black identifies TCP packets with problems, for example packets that were delivered out of order.
Wireshark also allows us to filter packet information based on criteria. We can use the filter option available at the top to select the packet information like

Wireshark also provides options to select a filter. Click on the Analyze menu and select Display Filters to create a new filter. Select the filter you want to analyze packet information for.
Another important feature of Wireshark is that it allows you to follow the packet stream. Just right click on a packet and select “Follow TCP Stream” or “Follow UDP Stream”. We can get more information, like the full conversation between client and server in this request. Close the window and you’ll find a filter has been applied automatically: Wireshark is showing you the packets that make up the conversation.

We can also inspect packet information by just right clicking on the packet and selecting “View its Details”.
This article is basically an introduction to Wireshark. I will be providing more details on the usage of this tool.

Happy learning, more to come :)