Wireshark: Wireshark is a network packet analyzer that sniffs network packets and displays the details of each packet. Wireshark is available on Linux and Windows. It captures live network packet data from a network interface card in promiscuous mode and can open, save, export and import packets in various file formats (*.cap, *.pcap, *.enc, *.trc, *.snoop, including *.txt). Wireshark can also filter and search for packets on various criteria, colour packets based on filters and create various packet statistics.
Wireshark is used for various purposes:
1) network administrators use it to troubleshoot network problems
2) network security engineers use it to examine security problems
3) developers use it to debug protocol implementations
4) people use it to learn network protocol internals
Installation of Wireshark:
The current stable release of Wireshark is 1.4.3. Wireshark can be downloaded from http://www.wireshark.org/download.html. For Windows, click on the Windows Installer (32-bit) and save the wireshark-win32-1.4.3.exe file in an appropriate location. Now double-click the saved file and the actual installation of Wireshark will start. If you are using Debian Linux, Wireshark is in the Debian package repository and can be installed directly from there. Before installing, make sure that your system is updated. If your computer is connected to the Internet, your system can be updated with the following steps:
1) open the terminal and switch to the superuser mode
2) run the command apt-get update
After the system has been updated, click on System, go to Administration and select the Synaptic Package Manager. Search for the package wireshark, right-click on it, mark it for installation and then click on Apply in the Synaptic Package Manager. After the installation completes, open the terminal, switch to the superuser mode and type wireshark. This displays the Wireshark network analyzer in a graphical window.
Now, to capture network packets and see the details of the packet data, do the following steps:
1) select the Capture tab
2) click on Options or press Ctrl+K; the options dialog displays the interface name along with its IP address and MAC address
3) choose the link header type as Ethernet
4) select "capture packets in promiscuous mode" for the Ethernet card
5) go to the display options and select all of them: "update list of packets in real time" displays the captured packets immediately on the main screen, "automatic scrolling in live capture" scrolls the packet list automatically to the latest captured packets, and "hide capture info dialog" hides the capture info dialog while capturing
6) in the name resolution options, select "enable MAC name resolution", which performs MAC layer name resolution, "enable network layer name resolution", which performs network layer name resolution, and "enable transport layer name resolution", which performs transport layer name resolution while packets are being captured
7) click on Start
Whenever you click on the Start button, Wireshark displays all the network traffic coming over the interface card in the main window. A very common problem with the default settings is that you get too much information on the screen, and sometimes you cannot find the information you are looking for. For this, Wireshark offers a very useful feature known as packet filtering. The Wireshark window displays all the traffic from the different layers. It is often necessary to know which packets come from which layer, that is, what protocol they carry and from which source IP address or to which destination IP address they are going. That is why filters are so important for getting at the target information. In Wireshark there are two types of filter:
1) capture filter: The capture filter is applied before launching the capture. The steps to configure a capture filter are the following: select Capture -> Options; fill in the "Capture Filter" field, or click on the "Capture Filter" button to give your filter a name so that you can reuse it for subsequent captures; click on Start to capture data.
Syntax: Protocol Direction Host(s) Value Logical Operations Other expression
For example: tcp dst 10.1.1.1 80 and tcp dst 10.2.2.2 3128
where
Protocol: Values: ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp. If no protocol is specified, all the protocols are used.
Direction: Values: src, dst, src and dst, src or dst. If no source or destination is specified, the "src or dst" keywords are applied. For example, "host 10.2.2.2" is equivalent to "src or dst host 10.2.2.2".
Host(s): Values: net, port, host, portrange. If no host(s) is specified, the "host" keyword is used. For example, "src 10.1.1.1" is equivalent to "src host 10.1.1.1".
Logical Operations: Values: not, and, or. Negation ("not") has the highest precedence. Alternation ("or") and concatenation ("and") have equal precedence and associate left to right. For example, "not tcp port 3128 and tcp port 23" is equivalent to "(not tcp port 3128) and tcp port 23"; "not tcp port 3128 and tcp port 23" is NOT equivalent to "not (tcp port 3128 and tcp port 23)".
2) display filter: The display filter is used to search inside the captured packets obtained through the capture filter. Its search capabilities are more extensive than those of the capture filter, and it is not necessary to restart the capture when you need to change your filter. The syntax is given below.
Syntax: Protocol.String1.String2 Comparison-Operator Value Logical-Operation Other-expression
Example: ftp passive ip == 10.2.3.4 xor icmp.type
Protocol: A large number of protocols, located between layers two and seven of the OSI model, are available. They can be seen when you click on the "Expression..." button in the main screen. Some examples are IP, TCP, DNS, SSH.
String1, String2 (optional settings): Sub-protocol categories inside the protocol. To find them, look for a protocol and then click on the "+" character.
Comparison operators: There are six comparison operators, namely eq, ne, gt, lt, ge and le. Their meanings are given below in tabular form.
English format   C-like format   Meaning
eq               ==              Equal
ne               !=              Not equal
gt               >               Greater than
lt               <               Less than
ge               >=              Greater than or equal
le               <=              Less than or equal
Logical operators: Four logical operators can be used in display filter syntax. Each can be written in either its English form or its C-like form:
English format   C-like format   Meaning
and              &&              Logical AND
or               ||              Logical OR
xor              ^^              Logical XOR
not              !               Logical NOT
The logical XOR expression is used between two conditions in the display filter: a packet is shown on the main screen if one of the conditions is true but not both, unlike the logical OR expression.
Let's take some examples used in the display filter, as shown below:
tcp.dstport == 80 xor tcp.srcport == 1028 ------- displays only packets with TCP destination port 80 or TCP source port 1028 on the screen, but not both
snmp || dns || icmp ------- displays the SNMP, DNS or ICMP traffic on the screen
ip.addr == 192.168.0.75 ------- displays the packets whose source or destination IP address equals 192.168.0.75
ip.src != 10.10.127.55 or ip.dst != 10.10.127.89 ------- displays the packets with a source IP address different from 10.10.127.55 or with a destination IP address different from 10.10.127.89; in other words, it displays packets whose source IP address is anything but 10.10.127.55 or whose destination IP address is anything but 10.10.127.89
tcp.flags ------- displays the TCP packets' flags
tcp.port == 25 ------- displays packets with TCP source or destination port 25
tcp.dstport == 80 ------- displays packets with TCP destination port 80
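To make the precedence rule given for the capture filter ("not" binds tightest; the binary operators share one level and associate left to right) and the display-filter XOR examples above concrete, here is an added example that is not part of the original post and not Wireshark's own parser: a toy Python compiler that turns expressions written in display-filter syntax into predicates and runs them over a few constructed packet records. The field names and packet values are constructed for the example, and the precedence it implements is the one stated in this post, not a claim about Wireshark's real grammar.

```python
import operator
import re
# Toy compiler from display-filter syntax to Python predicates (added example, not
# Wireshark's parser). Precedence as the post states it: "not" binds tightest; and/or/xor share one level, left to right.
TOKEN = re.compile(r"\s*(\(|\)|==|!=|>=|<=|>|<|&&|\|\||\^\^|!|[\w.]+)")
ALIAS = {"==": "eq", "!=": "ne", ">": "gt", "<": "lt", ">=": "ge", "<=": "le", "&&": "and", "||": "or", "^^": "xor", "!": "not"}
CMP = {"eq": operator.eq, "ne": operator.ne, "gt": operator.gt, "lt": operator.lt, "ge": operator.ge, "le": operator.le}
LOGIC = {"and": lambda a, b: a and b, "or": lambda a, b: a or b, "xor": lambda a, b: a != b}
# Constructed sample packets: field name -> value, as a dissector would expose them.
PACKETS = [
    {"ip.src": "192.168.0.75", "ip.dst": "10.10.127.89", "tcp.srcport": 1028, "tcp.dstport": 80},
    {"ip.src": "10.10.127.55", "ip.dst": "10.10.127.89", "tcp.srcport": 3128, "tcp.dstport": 23},
    {"ip.src": "10.10.127.55", "ip.dst": "10.0.0.9", "tcp.srcport": 3128, "tcp.dstport": 80},
    {"ip.src": "10.0.0.1", "ip.dst": "10.0.0.2", "udp.dstport": 53, "dns.qry.name": "example.test"},
]

def tokenize(expr):
    toks, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        assert m, "bad token at %d in %r" % (pos, expr)
        pos, tok = m.end(), m.group(1)
        toks.append(ALIAS.get(tok, tok))                  # C-style operators to English form
    return toks

def compile_filter(expr):
    toks = tokenize(expr)                                 # consumed left to right below
    def primary():
        t = toks.pop(0)
        if t == "(":
            pred = logic()
            toks.pop(0)                                   # the closing ")"
            return pred
        if t == "not":
            inner = primary()                             # "not" applies to the next term only
            return lambda p: not inner(p)
        if toks and toks[0] in CMP:
            op, lit = CMP[toks.pop(0)], toks.pop(0)       # field, operator, literal
            return lambda p: t in p and op(p[t], int(lit) if isinstance(p[t], int) else lit)
        return lambda p: any(k == t or k.startswith(t + ".") for k in p)   # bare name: present
    def logic():
        pred = primary()
        while toks and toks[0] in LOGIC:                  # and/or/xor: one level, left to right
            pred = (lambda o, l, r: lambda p: o(l(p), r(p)))(LOGIC[toks.pop(0)], pred, primary())
        return pred
    return logic()

def matching(expr, packets=PACKETS):
    pred = compile_filter(expr)                           # indexes of the packets the filter selects
    return [i for i, p in enumerate(packets) if pred(p)]
```

Running `matching("not tcp.srcport == 3128 and tcp.dstport == 80")` selects only the first packet, whereas the parenthesised `not (tcp.srcport == 3128 and tcp.dstport == 80)` selects three, which is exactly the difference the precedence rule warns about.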
Whenever you write a display filter, the filter bar is highlighted in green if the syntax is correct; for wrong syntax it is displayed in red.
Packet Statistics: Wireshark provides a lot of packet statistics mechanisms, which can be reached by clicking on the Statistics menu on the main screen. These include the following:
1) summary: gives a summary of all captured packets, including the file name, time of the first and last captured packet, capturing interface details, capture filter name, total number of dropped packets, average number of packets captured per second, average packet size etc.
2) protocol hierarchy: displays the details of the captured network packet data per OSI layer.
3) conversations: Conversations are useful for the TCP/IP protocol suite. A conversation represents the network traffic between two hosts. If you are using a TCP/IP suite application, the conversations window provides four active tabs for Ethernet, IP, TCP and UDP conversations.
4) endpoints: provides statistics about transmitted and received packet data on a per-host basis. The number after the protocol indicates the total number of endpoints; for example, for Ethernet endpoints the tab is named "Ethernet:19". Similarly, IP endpoints are "IPv4:14", TCP endpoints "TCP:212" and UDP endpoints "UDP:43".
IO Graph: This section provides basic graphs of the captured network traffic. Multiple graphs can be added to the same window using multiple filters according to the user's requirements. You can enter filter names such as tcp, http or udp in the graph filters to create multiple graphs using IO Graph.