Sep 222010

wiresharkOn the Internet there are hundreds of excellent open source tools and utilities that can be used for network analysis, but not many technicians use them. Indeed, several open source solutions are truly effective and can help the specialist networks in daily work.

In this first article i’ll show you Wireshark an useful tool for network analysis.


Wireshark (formerly known as Ethereal) has become the defacto, open-source standard for protocol analysis. It provides low-level packet filtering and analytical capability. Trace files captured from your network can be opened in Wireshark and analysed right down to individual packet level.

Here are some examples people use Wireshark for:

  • network administrators use it to troubleshoot network problems
  • network security engineers use it to examine security problems
  • developers use it to debug protocol implementations
  • people use it to learn network protocol internals

Beside these examples, Wireshark can be helpful in many other situations too.

Wireshark it’s available in official repository of Ubuntu 10.04, so to install it just do a : sudo aptitude install wireshark

Once installed run it from terminal typing sudo wireshark , yes this way it’s run as user root, not the safer option but the alternative is much longer to configure, check it here, under Linux

You’ll get this screen:


Under Interface list you should see all your interfaces, just click on the one you want to start capture and you’ ll get a new screen where you’ll be able to see packets moving through that interface.

wireshark 2

A very common problem when you launch Wireshark with the default settings is that you will get too much information on the screen and thus will not find the information you are looking for.

Too much information kills the information.

That’s why filters are so important, they will help us to target, in the prolific logs, the data you are looking for.

  • Capture filters: Used to select the data to record in the logs. They are defined before starting the capture
  • Display filters: Used to search inside the captured logs. They can be modified while data is captured.

So should I use the capture or the display filter?

The goals of the two filters are different.

The capture filter is used as a first large filter to limit the size of captured data to avoid generating a log too big.

The display filter is much more powerful (and complex); it will permit you to search exactly the data you want.


The capture filter syntax is the same as the one used by programs using the Lipcap (Linux) or Winpcap (Windows) library like the famous TCPdump. The capture filter must be set before launching the Wiershark capture, which is not the case for the display filters that can be modified at any time during the capture.

The steps to configure a capture filter are the following:

– select Capture -> options.

wireshark 3

– Fill the “capture filter” field or click on the “capture filter” button to give a name to your filter to reuse it for subsequent captures.

– Click on Start to capture data.


If you need a capture filter for a specific protocol, have a look for it at the ProtocolReference.

For making otehr filters the basic syntax to know is:

Protocol Direction Host(s) Value Logical_Operations Other_expression


Capture only traffic to or from IP address

  • host

Capture traffic to or from a range of IP addresses:

  • net


  • net mask

Capture traffic from a range of IP addresses:

  • src net


  • src net mask

Capture traffic to a range of IP addresses:

  • dst net


  • dst net mask

Capture only DNS (port 53) traffic:

  • port 53

Capture non-HTTP and non-SMTP traffic on your server (both are equivalent):

  • host and not (port 80 or port 25)host and not port 80 and not port 25

Capture except all ARP and DNS traffic:

  • port not 53 and not arp

Capture traffic within a range of ports

  • (tcp[0:2] > 1500 and tcp[0:2] < 1550) or (tcp[2:2] > 1500 and tcp[2:2] < 1550)

or, with newer versions of libpcap (0.9.1 and later):

  • tcp portrange 1501-1549

Displays packets with source IP address or source network, the result is then concatenated with packets having destination TCP portrange from 200 to 10000 and destination IP network

  • (src host or src net and tcp dst portrange 200-10000 and dst net

Display Filters

Wireshark uses display filters for general packet filtering while viewing and for its ColoringRules.

The basics and the syntax of the display filters are described in the User’s Guide.


Show only SMTP (port 25) and ICMP traffic:

  •  tcp.port eq 25 or icmp

Show only traffic in the LAN (192.168.x.x), between workstations and servers — no Internet:

  • ip.src== and ip.dst==

TCP buffer full — Source is instructing Destination to stop sending data

  •  tcp.window_size == 0 && tcp.flags.reset != 1

Match HTTP requests where the last characters in the uri are the characters “gl=se”:

  •   http.request.uri matches "gl=se$"

Note: The $ character is a PCRE punctuation character that matches the end of a string, in this case the end of http.request.uri field.

Filter by a protocol ( e.g. SIP ) and filter out unwanted IPs:

  ip.src != && ip.dst != && sip

See here for the official guide.

This is just an introduction on wireshark, for more info check their wiki plenty of useful informations.

Check also:

Popular Posts:

Flattr this!

  One Response to “Wireshark for Network analysis”

  1. […] abbiamo visto due strumenti che offrono un output delle nostre analisi in formato grafico (ntop e wireshark), oggi invece vedremo alcuni strumenti utilizzabili da linea di comando: Ping, telnet, dig, […]

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>