Handout Computer Networks Lab: Network Monitoring

What is Wireshark?
Wireshark is a network packet analyzer. A network packet analyzer will try to capture network
packets and tries to display that packet data as detailed as possible.
You could think of a network packet analyzer as a measuring device used to examine what's going
on inside a network cable, just like a voltmeter is used by an electrician to examine what's going on
inside an electric cable (but at a higher level, of course).

Functionality
Understanding the general idea of how Wireshark works will help you understand how other analyzers
work, as well.

GTK

Dissectors – Plugins – Display Filters

Core Engine

Capture
Engine

Capture Filters
WinPcap – AirPcap - LibPcap

Network
Figure 1

1
Handout Computer Networks Lab: Network Monitoring

Features
The following are some of the many features Wireshark provides:

• Capture live packet data from a network interface.

• Display packets with very detailed protocol information.
• Open and Save packet data captured.
• Import and Export packet data from and to a lot of other capture programs.
• Filter packets on many criteria.
• Search for packets on many criteria.
• Colorize packet display based on filters.
• Create various statistics.

Here is what the interface looks like:

Applied Display Filter(s)

Filter Toolbar

‘Packet List’ Pane

‘Packet Details’ Pane

‘Packet Bytes’ Pane

Figure 2

Capturing Packets
To begin capturing and select our capture interface there are two places we can go in Wireshark:
1. Going to the Menu bar > Capture
2. Or we can use the first three buttons on the left hand side in the toolbar

2
Handout Computer Networks Lab: Network Monitoring

Figure 3

Let’s look now at the capture options. Go to Capture > Options… or click on the second icon from left to
right in the toolbar.

Figure 4

In the capture field we can define the Interface on which we want to capture traffic, the Buffer size of the
captured data and we can define some Capture Filters.
We can also capture traffic directly to a single or multiple files or we can tell Wireshark, in the Stop
Capture field, to stop the capturing process after certain limit is reached.

3
Handout Computer Networks Lab: Network Monitoring

Capture Filters
Capture filters are used when we want to limit the number of packets that we are capturing.
For example we may want to capture only ARP traffic or HTTP traffic or traffic coming only from our
interface card.

To open the default list of capture filters in Wireshark, go to:

Capture > Capture Filters… or you could also use the corresponding button on the toolbar.

List of Default Filters

Name of
selected filter

Actual Filter string

command of selected
filter
Figure 5

Often used Capture Filters:

[src|dst] host <ip-address|host-name>

This primitive allows you to filter on a host IP address or name. You can optionally precede the primitive with
the keyword src|dst to specify that you are only interested in source or destination addresses. If these are not
present, packets where the specified address appears as either the source or the destination address will be
selected.
src host 192.168.1.1 Packets coming from 192.168.1.1
dst host 134.91.90.77 Packets going to 134.91.90.77
host 134.91.90.77 Packets coming from and going to 134.91.90.77
src host www.uni-due.de Packets coming from www.uni-due.de

ether [src|dst] host <ehost>

This primitive allows you to filter on Ethernet host addresses. You can optionally include the keyword src|dst
between the keywords ether and host to specify that you are only interested in source or destination addresses.
If these are not present, packets where the specified address appears in either the source or destination address
will be selected.
ether src host 00:01:FF:22:B1:32 Packets coming from 00:01:FF:22:B1:32
ether dst host 00:01:FF:22:B1:32 Packets going to 00:01:FF:22:B1:32
ether host 00:01:FF:22:B1:32 Packets coming from and going to 00:01:FF:22:B1:32

4
Handout Computer Networks Lab: Network Monitoring

[tcp|udp] [src|dst] port <port>

This primitive allows you to filter on TCP and UDP port numbers. You can optionally precede this primitive
with the keywords src|dst and tcp|udp which allow you to specify that you are only interested in source or
destination ports and TCP or UDP packets respectively. The keywords tcp|udp must appear before src|dst.
Packets coming from and going to port 80,
port 80
independent if it uses TCP or UDP
tcp dst port 80 Packets going to TCP-Port 80
udp port 4987 Packets coming from and going to UDP-Port 4987

Logical operators used in Capture Filters:

Examples for logical expressions:

ip and less 80 IP-Packets equal or less than 80 Bytes
ether proto \ip && len > 512 Ethernet-Packets transporting IP-Packets, which are
bigger than 512 Bytes
dst host 192.168.1.1 && port 80 Packets which have as destination 192.168.1.1 and are
transmitted over port 80
Logical Operators:
&& Logical AND between 2 expressions
|| Logical OR between 2 expressions
! NOT operator
General declaration of logical output for Capture Filters
*(Everyting in square brackets “[ ]” means it is optional)
[not] primitive (and | or) [not] primitive
[!] primitive ( && | ||) [!] primitive

5
Handout Computer Networks Lab: Network Monitoring

Display Filters

Display filters allow you to concentrate on the packets you are interested in while hiding the currently
uninteresting ones. They allow you to select packets by many different criteria.

Wireshark provides a simple but powerful display filter language. You can compare values in packets as
well as combine expressions into more specific expressions.

Figure 6

We could define filters directly to the Display Filter Toolbar or choose a filter from the “Expression…”
dialog box.

Comparison operators in Display Filters:

Operator Analogue Meaning

eq == Equal
not ! Not
ne != Not Equal
gt > Greater Than
lt < Less Than
ge >= Greater then or Equal to
le <= Less than or Equal to

Syntax of Display Filters:

6
Handout Computer Networks Lab: Network Monitoring

<protocol>.<element>.<subelement> <operator> <value>

An element is an available field name for filtering for the selected protocol. We can take a look at them by
expanding the field for any protocol in the “Filter Expression” dialog box.

Examples: ip.addr eq 134.91.90.77

- displays all IP-Packets that have the address 134.91.90.77 as source or destination.

eth.src eq 00:01:FF:22:B1:32
- displays all Ethernet-Frames that have a source station with MAC 00:01:FF:22:B1:32

Resources:

www.wireshark.org
wiki.wireshark.org
www.wiresharkU.com
www.packet-level.com
www.ieft.org
www.iana.org
www.packet-level.com
www.icir.org/enterprise-tracing/