Capturing Packets with the Wireshark Network Analyzer
In the first part of this two-part series, you learned the network communication concepts you need to know to understand the operation and data provided by Wireshark. I also covered the installation steps and some very basic configuration. This part will delve more deeply into using Wireshark for analyzing your network.
Specifically, in this part, you will learn details about Wireshark, its operation, features, capturing packets and getting text data, as well as interpretation of packet information. You will also learn how to optimize the configuration of Wireshark so that you can capture not only packets from your computer, but from other computers connected in the network as well.
Capturing Packets and Basic Interpretation
In the first part of the article series you learned how to determine which network interfaces are capturing packets (they are called an “active interface”). To start capturing packets, the easiest method is to click the active network interface under “Interface List.” In the screenshot below, the interface “Realtek RTL8139 Family Fast Ethernet Adapter” (inside the bold red box) is active, so it is clicked.
When clicked, Wireshark will start capturing the packets passing through that network interface. If you have significant network activity (such as from browsing the Internet), Wireshark will monitor a lot of packets. In the screenshot below:
Packets are captured serially in the network interface and shown by Wireshark. In the above screenshot I opened the Firefox browse,r and then Firefox opened the default home page with the address:
The Firefox browsing event has been captured accurately by Wireshark. The first packet transmission event originates from my computer (local / LAN IP address: 192.168.2.100) and is sent to 126.96.36.199, which is an ISP DNS server. The local computer queries the DNS server for www.google.com, which is the default home page I use for the Firefox browser.
Once the DNS has been resolved (not shown in the above packets), the browser will then fetch information. In the above screenshot, you can see six columns in the Wireshark Packet capturing window. The first column is the “No.” which is the packet number. The time (second column) is the number of seconds since the start of capture. It shows that at t=0, the local machine initiated a DNS query (shown in the above screenshot).
The third column is the source IP address (it shows the local IP address, not the WAN IP address). The fourth column is the destination IP address (where the packet will be sent). The fifth column is the protocol that contains the packet (For example, DNS for domain name servers query, TCP for Transmission Control Protocol, and HTTP for browsing).
Finally, the last column (INFO) shows a snippet/description of the packet being monitored. It explains a bit of what the protocol is doing.