How To Use Wireshark

Wireshark is a free and open-source packet analyzer that allows users to examine network traffic and protocol behavior. The document provides instructions on how to install Wireshark on Windows, Mac, and Unix systems. It also explains potential causes of the "no interfaces found" error when starting Wireshark, such as insufficient access permissions, firewall issues, or problems with network cards. Troubleshooting steps are outlined to resolve the error, such as running certain Wireshark processes with administrative privileges or disabling firewalls temporarily.


How to use Wireshark

The Ultimate Guide to the Ultimate Network Protocol Analyzer

Comparitech.com
[email protected]
8th February 2022
TABLE OF CONTENTS

1. What is Wireshark and what can you do with it?
2. How to install Wireshark
3. 'no interfaces found' Error Explained & Troubleshooting
4. How to capture data packets
5. How to analyze captured packets
6. How to use Wireshark to analyze network performance
7. Decrypt SSL with Wireshark
8. Cheat Sheet - Wireshark commands, captures, filters, shortcuts
9. Extending Wireshark and common FAQs

What is Wireshark and what can you use it for?

Over the past few years, Wireshark has developed a reputation as one of the
most reliable network protocol analyzers available on the market. Users across
the globe have been using this open-source application as a complete
network analysis tool. Through Wireshark, users can troubleshoot network
problems, examine network security issues, debug protocols, and learn network
processes.

How to Use Wireshark


As mentioned above, Wireshark is a network protocol analysis tool. At its core,
Wireshark was designed to break down packets of data being transferred
across different networks. The user can search and filter for specific packets of
data and analyze how they are transferred across their network. These packets
can be used for analysis on a real-time or offline basis.
The user can use this information to generate statistics and graphs. Wireshark
was originally known as Ethereal but has since established itself as one of the
key network analysis tools on the market. This is the go-to tool for users who
want to view data generated by different networks and protocols.
Wireshark is suitable for novice and expert users alike. The user interface is
incredibly simple to use once you learn the initial steps to capture packets.
More advanced users can use the platform’s decryption tools to break down
encrypted packets as well.

Wireshark Core Features


Below is a breakdown of Wireshark’s core features:
Capture live packet data
Import packets from text files
View packet data and protocol information
Save captured packet data
Display packets
Filter packets
Search packets
Colorize packets
Generate Statistics

Most users use Wireshark to detect network problems and test their software. As
an open-source project, Wireshark is maintained by a unique team keeping
service standards high.

How to Download and Install Wireshark


Before using Wireshark, the first thing you need to do is download and install it.
You can download Wireshark for free off of the company website. To have the
smoothest running experience, it is advised that you download the latest
version available on your platform from the “stable release” section.

Install on Windows
Once you’ve downloaded the program you can start the setup process.
During installation, you may be prompted to install WinPcap. It’s important to
install WinPcap as without it you will be unable to capture live network traffic.
Without WinPcap you will only be able to open saved capture files. To install,
simply check the Install WinPcap box.
Let’s look at this in more detail.
Select the installer for your Windows architecture (64-bit or 32-bit) and click on
the link to download the package.

Once the installer is on your computer, follow these steps:


1. Click on the downloaded file to run it. Click Yes in the User Account Control window.
2. Click Next in the opening screen of the installer.
3. In the License Agreement screen, click the Noted button.
4. Leave all of the defaults in the Choose Components screen. Click the Next button.
5. Leave all settings as they are in the Additional Tasks screen and click on Next.
6. In Choose Install Location, just click on Next.
7. In the Packet Capture screen, leave the consent box checked and click the Next
button.
8. In the USB Capture screen, check the Install USBPcap box and press the Install button.
9. Let the installation progress. During the process, you will be presented with a consent
screen for Npcap. Click on I Agree.
10. In the Npcap Installation Options screen, check Restrict Npcap driver’s access to
Administrators only, Support raw 802.11 traffic (and monitor mode) for wireless
adapters, and Install Npcap in WinPcap API-compatible Mode. Click on Install.
11. When the Npcap setup has finished, click on Next and then Finish to dismiss that
dialog window. The Wireshark installation will continue.
12. In the Installation Complete screen, click on Next and then Finish in the next screen.

Look in your Start menu for the Wireshark icon. Click on it to run the utility.
Install on Mac
To install Wireshark on Mac you first need to download an installer. To do this,
download an installer such as XQuartz. Once you’ve done this, open the
Terminal and input the following command:
% /Applications/Wireshark.app/Contents/MacOS/Wireshark

Then wait for Wireshark to start.


Install on Unix
In order to run Wireshark on Unix, you need a couple of other tools installed on
your system first. These are:
GTK+ (the GIMP Tool Kit) and GLib, both from the same source. You can get
familiar with both tools at https://www.gtk.org/
libpcap, which you get from http://www.tcpdump.org/.

After installing the above supporting software, and downloading the software
for Wireshark, you need to extract it from the tar file:
gzip -d wireshark-1.2.tar.gz
tar xvf wireshark-1.2.tar

Change to the Wireshark directory and then issue the following commands:
./configure
make
make install

You can now run the Wireshark program on your Unix computer.
Wireshark 'no interfaces found' Error
Explained & Troubleshooting

“There are no interfaces on which a capture can be done.”


When you start up Wireshark to capture network packets, the tool has to go
through a series of initialization routines. Towards the end of its startup
procedures, Wireshark scans the host computer for network connections. On
the initial scan, if the program cannot find any networks attached to the
computer on which it is running, it will show the message “No interfaces
found.”
The error message appears in the area of the application window where you
would expect to see a list of available networks. To capture network traffic
packets, you first need to select one of these networks. So, if Wireshark can’t
find any networks at all, you can’t progress to the packet capture phase.

Interface error caused by access permissions


When Wireshark reports that it cannot find any “interfaces”, it means that it
could not detect any networks. There are many possible reasons for this
problem.
“No interfaces found” on Windows 10
Surprisingly, in Windows, you do not need to run Wireshark with administrator
network privileges to give the program access to network functions. This is
because, as far as the network procedures of your computer are concerned,
Wireshark is only acting the way any other program that connects to the
network would behave: the Wireshark system only needs access to the
network, which is available to all regular users, not just the administrator.
One element of the Wireshark suite of programs does need administrator
network privileges. This is WinPcap, the underlying service that assists in
capturing packets. The setup process of Wireshark will install WinPcap for you.
The installation process sets WinPcap to run on system startup and also writes it
to the registry so that it runs with administrator rights. It is this installation
phase that requires you to restart your computer.
“No interfaces found” on Linux
Linux users report a different situation when running Wireshark. It seems that it
needs to be run with the sudo command. This action runs the normal program
with superuser network privileges. This often solves the problem of Wireshark’s
inability to access the network functions on a Linux computer. Again, Wireshark
doesn’t need to run as root on Linux, but there is one element of the program
suite that does. This is dumpcap; you need to run the following command to
get this module set up properly.
Not every flavor of Linux behaves in exactly the same way, so if just nominating
dumpcap as a root process doesn’t work, try the following command:
It may be that the Wireshark code is held in the bin directory instead of sbin. If
the above command returns an error, try:
If the above commands don’t work on your version of Linux, try:
If the code for Wireshark is in bin and not sbin, change “/usr/sbin/” to
“/usr/bin/” in the above command.
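As an added example (not the guide's own code), the following Python script reports how dumpcap is privileged on a Linux host, which is usually the real question behind a 'no interfaces found' error there. It assumes a typical install (dumpcap on PATH, a capture group such as wireshark, getcap available) and keeps the decision logic in a pure function so it can be tried without root:

```python
# Added example, not part of the original guide: report how the Linux capture helper
# (dumpcap) is privileged, so a permissions problem behind 'no interfaces found' can be
# told apart from a broken interface. Paths, group names and getcap output are assumptions
# about a typical install; classify() is pure so it can be checked without root.
import grp
import os
import shutil
import stat
import subprocess

def file_capabilities(path):
    """Return the file-capability string getcap reports for path, e.g.
    'cap_net_admin,cap_net_raw=eip', or '' if none are set or getcap is absent."""
    getcap = shutil.which("getcap")
    if not getcap:
        return ""
    out = subprocess.run([getcap, path], capture_output=True, text=True).stdout.split()
    return out[-1] if len(out) > 1 else ""   # "<path> <caps>" or "<path> = <caps>"

def classify(mode, owner_uid, group_name, caps, user_groups):
    """Return (label, advice) for a helper with the given st_mode, owner uid, group,
    file-capability string and the set of groups the current user belongs to."""
    setuid_root = bool(mode & stat.S_ISUID) and owner_uid == 0
    has_caps = "cap_net_raw" in caps and "cap_net_admin" in caps
    reachable = bool(mode & stat.S_IXOTH) or (bool(mode & stat.S_IXGRP)
                                              and group_name in user_groups)
    if not (setuid_root or has_caps):
        return ("unprivileged", "dumpcap has neither setuid-root nor cap_net_raw/"
                "cap_net_admin; a normal user will see 'no interfaces found'")
    if not reachable:
        return ("group-restricted", f"dumpcap is privileged but your account is not in "
                f"group '{group_name}'; join that group and log in again")
    if setuid_root:
        return ("setuid-root", "the helper runs as full root for whoever can execute it; "
                "prefer file capabilities, which limit a compromised helper to raw "
                "network access")
    return ("capabilities", "least-privilege setup: dumpcap holds the capabilities and "
            "Wireshark itself runs unprivileged")

def gid_name(gid):
    """Resolve a gid to a group name, falling back to the number in minimal containers."""
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)

def inspect_dumpcap(path=None):
    """Stat dumpcap (or an explicit path) and classify its privilege model."""
    path = path or shutil.which("dumpcap")
    if not path or not os.path.exists(path):
        return {"path": path, "label": "missing",
                "advice": "dumpcap not found; reinstall the Wireshark package"}
    st = os.stat(path)
    mine = {gid_name(g) for g in os.getgroups()}
    label, advice = classify(st.st_mode, st.st_uid, gid_name(st.st_gid),
                             file_capabilities(path), mine)
    return {"path": path, "mode": oct(stat.S_IMODE(st.st_mode)),
            "group": gid_name(st.st_gid), "label": label, "advice": advice}

if __name__ == "__main__":
    for key, value in inspect_dumpcap().items():
        print(f"{key:>7}: {value}")
```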

Firewall errors
Your firewall shouldn’t be blocking Wireshark’s access to the network, because
firewalls generally work to prevent external processes from getting onto your
computer, not to prevent processes on your computer from getting to the network.
However, just in case the problem lies with your computer’s firewall software, try
the following test.
Close down Wireshark and turn off your firewall. Open Wireshark again to get it
to look for networks. If it now manages to find the network, the problem lies
with your firewall. Set Wireshark as an exception in your firewall rules and turn
the firewall back on again.

Network card errors


If none of the above tests on the software running on your computer solve the
problem, you will need to test your network card.
If you only have access to wifi and you have wifi turned off or you have your
network setting in airplane mode, Wireshark should still be able to see the
network adapter. Having wifi turned off or blocked will not invoke the “no
interfaces found” error. Wireshark is just one of many network-enabled
applications on your computer. There is no reason why your network interface
should block Wireshark and allow all other applications to get access to the
network. So, if Wireshark is not getting through to the network, nothing should
be getting through.
Try any other network-active application on your computer to see if it can get
access to the network. If anything can get onto the network, the problem
doesn’t lie with the physical network card or the network adapter software. If
nothing can get onto the internet, you have identified the problem and you
should call in a support specialist to get your network access problems fixed.

General advice for Wireshark problems


If you keep getting communication error messages when opening Wireshark,
you will get frustrated and stressed. It is vital to keep a perspective on the
problem and realize that the error is unlikely to be caused by Wireshark itself. To
fix this error, you need to focus on the underlying services that have more
direct contact with the network interface.
When approaching the problem, keep in mind three important facts:
Your network card won’t block Wireshark and only Wireshark
Your network interface may be to blame, in which case all applications will be affected
Wireshark doesn’t contact the network directly, that job is left to WinPcap, npcap, or
dumpcap

Above all, you need to realize that the problem with visibility of the network is
all down to the data capturing process and not Wireshark. You need to focus
on the health of WinPcap, npcap, or dumpcap rather than Wireshark itself.
When you install the latest version of Wireshark, the installation process will
check for the relevant data capture process that is written to run on your
operating system. If you are prompted to allow the installer to stop, remove,
replace, or install those capture programs, let it. Your problem with Wireshark
may be caused by you missing these messages in the installation wizard and
not allowing the new versions of those programs to be installed. Try uninstalling
the Wireshark program suite, downloading the latest version and installing it
again. Pay attention to the messages about installing supporting software.
Have you experienced problems with Wireshark? Did you manage to find a
solution that is not listed here in this guide? Let the community know about
your solution by leaving a message in the Comments section below.

Wireshark ‘no interfaces found’ error FAQs


Is WinPcap safe to install?
WinPcap is a packet capture utility. It isn’t a virus and so it is safe to install.
However, make sure you get the program from a reputable source.

How do I start Npcap?


It is possible to start Npcap from a command prompt. Open a Command
prompt session, enter net start npcap and press return.
Can I use Wireshark to capture packets in software-defined
networks?
Yes. Wireshark captures packets traveling across the network. It doesn’t matter
what service or application generates or receives those packets. Software-
defined networks just tag packets so that they can be identified distinctly from
all other traffic flowing over the same network.
How to Capture Data Packets

One of the core functions of Wireshark as a network analysis tool is to capture
packets of data. Learning how to set up Wireshark to capture packets is
essential to conducting detailed network analysis. However, it’s important to
note that it can be difficult to capture packets when you’re new to Wireshark.
Before you start to capture packets, there are three things you need to do:
1. Make sure that you have the administrative privileges to start a live capture on your
device
2. Choose the correct network interface to capture packet data from
3. Capture packet data from the correct location in your network

Once you’ve done these three things, you’re ready to start the capture
process. When you use Wireshark to capture packets, they are displayed in a
human-readable format to make them legible to the user. You can also break
packets down with filters and color-coding if you wish to see more specific
information.
When you first open up Wireshark, you’ll be met by the following launch
screen:
The first thing you need to do is look at the available interfaces to capture. To
do this, select Capture > Options. The “Capture Interfaces” dialog box will then
open as shown below:

Check the box of the interface you want to capture and press the Start button
to start. You can select multiple interfaces if you want to capture data from
multiple sources simultaneously.
On Unix or Linux, the dialog box is shown in a similar style like this:

You can also start Wireshark by using the following command line:
wireshark -i eth0 -k
You can also use the shark fin button on the toolbar as a shortcut to initiate
packet capturing. Once you click this button, Wireshark will start the live
capture process.
If you want to stop capturing, click the red stop button next to the shark fin.
Promiscuous Mode
If you want to develop an overhead view of your network packet transfers,
then you need to activate ‘promiscuous mode’. Promiscuous mode is an
interface mode where Wireshark details every packet it sees. When this mode
is deactivated, you lose transparency over your network and only develop a
limited snapshot of your network (this makes it more difficult to conduct any
analysis).
To activate promiscuous mode, click on the Capture Options dialog box and
click promiscuous mode. In theory, this should show you all the traffic active on
your network. The promiscuous mode box is shown below:
However, this often isn’t the case. Many network interfaces are resistant to
promiscuous mode, so you need to check the Wireshark website for
information on your specific hardware.
On Windows, it’s useful to open Device Manager and check whether you
have your settings configured to reject promiscuous mode. For example:

(Simply click on the network adapter and then make sure that your promiscuous
mode settings are set to Allow All.)
If you have your settings set to “reject” promiscuous mode, then you’re going
to limit the number of packets Wireshark captures. So even if you have
promiscuous mode enabled on Wireshark check your Device Manager to
make sure that your interface isn’t blocking any data from coming through.
Taking the time to check through your network infrastructure will ensure
Wireshark receives all the necessary packets of data.
How to Analyze Captured Packets

Once you’ve captured your network data, you’ll want to look at your captured
packets. In the screenshot below you’ll see three panes, the packet list pane,
the packet bytes pane, and the packet details pane.
If you want more information, you can click on any of the fields in each
packet to see more. When you click on a packet, you’re shown a breakdown
of its internal bytes in the byte view section.

Packet List
The packet list pane is shown at the top of the screenshot. Each piece is
broken down to a number with time, source, destination, protocol and support
information.

Packet Details
Packet details can be found in the middle, showing the protocols of the
chosen packet. You can expand each section by clicking on the arrow next to
your row of choice. You can also apply additional filters by right-clicking on the
chosen item.

Packet Bytes
The packet bytes pane is shown at the bottom of the page. This pane shows
the internal data of your selected packet. If you highlight part of the data in
this section, its corresponding information is also highlighted in the packet
details pane. By default, all data is shown in hexadecimal format. If you want
to change it to bit format, right-click the pane and select this option from the
context menu.

How to use Wireshark to Analyze Network Performance


If you want to use Wireshark to inspect your network and analyze all active
traffic, then you need to close down all active applications on your network.
This will reduce traffic to a minimum so you can see what is happening on your
network more clearly. However, even if you turn off all of your applications,
you’ll still have a mass of packets being sent and received.
Using Wireshark to filter these packets is the best way to take stock of your
network data. When your connection is active, thousands of packets are
transferring through your network every second. This means it’s vital that you
filter out the information you don’t need to get a clear picture of what’s going
on.
Capture Filters and Display Filters
Capture Filters and Display Filters are two distinct types of filter that can be
used in Wireshark. Capture Filters are used to reduce the size of the incoming
packet capture, essentially filtering out other packets during live packet
capturing. As a result, capture filters are set before you begin the live capture
process and can’t be modified once a capture has been started. On the
other hand, Display Filters can be used to filter data that has already been
recorded. Capture Filters determine what data you capture from live network
monitoring, and Display Filters dictate the data you see when looking through
previously captured packets.
If you want to start filtering your data, one of the easiest ways to do this is to
use the filter box below the toolbar. For example, if you type in HTTP in the filter
box, you will be provided with a list of all HTTP packets captured. When you
start typing, you’ll be met with an autocomplete field. The filter box is shown
below:
You can use hundreds of different filters to break down your packet
information, from 104apci to zvt. An extensive list can be found on the
Wireshark website here. You can also choose a filter by clicking on the
bookmark icon to the left of the entry field. This will raise a menu of popular
filters.
If you choose to set a capture filter, then your changes will come into effect
once you start recording live network traffic. To activate a display filter, simply
click on the arrow to the right of the entry field. Alternatively, you can click
Analyze > Display Filters and choose a filter from the list of defaults.
After choosing a filter, you can view the TCP conversation behind a packet. To
do this, right click on the packet and click Follow > TCP stream. This will show
you the TCP exchange between the client and server.
If you want more information about Wireshark filtering, Wireshark’s guide to
display filters is a good point of reference.

Using Color Coding


In addition to filtering which packets are shown or recorded, Wireshark’s color-
coding facility makes it easier for the user to identify different packet types
according to their color. For example, TCP traffic is denoted by light purple and
UDP traffic is denoted by light blue. It’s important to note that black is used to
highlight packets with errors.
On Wireshark’s default settings, there are around 20 colors you can choose
from. You may edit, disable or delete these. If you want to turn off colorization,
click on the View menu and click Colorize Packet List field to turn it off. If you’d
like to view more information about the color-coding on Wireshark, click View
>Coloring Rules.
Viewing Network Statistics
To view more information on your network, the statistics drop-down menu is
incredibly useful. The statistics menu can be located at the top of the screen
and will provide you with several metrics from size and timing information to
plotted charts and graphs. You can also apply display filters to these statistics to
narrow down important information.
The Wireshark statistics menu is shown below:
In this menu are a variety of options to help you break down your network
information.
Statistics Menu Selections
Here are some of the core sections:
Protocol Hierarchy – The Protocol Hierarchy option raises a window with a complete
table of all captured protocols. Active display filters are also displayed at the bottom.
Conversations – Reveals the network conversation between two endpoints (For example
exchange of traffic from one IP address to another).
Endpoints – Displays a list of endpoints (a network endpoint is where protocol traffic of a
specific protocol layer ends).
IO Graphs – Displays user-specific graphs, visualizing the number of packets throughout
the data exchange.
RTP_statistics – Allows the user to save the content of an RTP audio stream directly to an
Au-file.
Service Response Time – Displays the response time between a request and the
network’s response.
TcpPduTime – Displays the time taken to transfer data from a Protocol Data Unit. Can be
used to find TCP retransmissions.
VoIP_Calls – Shows VoIP calls obtained from live captures.
Multicast Stream – Detects multicast streams and measures the size of bursts and the
output buffers of certain speeds.
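To make concrete what the display filters above and the Protocol Hierarchy and Conversations entries of the Statistics menu operate on, here is an added example (not code from the guide or from the Wireshark project) that builds a small constructed pcap, dissects it and computes those two tables, plus a tiny display-filter subset. It handles the classic pcap format only, not pcapng:

```python
# Added example, not code from the original guide: a minimal pcap reader that dissects
# eth/ip/tcp/udp, applies a display-filter subset, and builds Wireshark-style statistics.
import struct
from collections import Counter, defaultdict
from ipaddress import IPv4Address

PCAP_MAGIC = 0xA1B2C3D4                      # classic pcap, microsecond timestamps
ETH_IPV4, IPPROTO_TCP, IPPROTO_UDP = 0x0800, 6, 17

def build_frame(proto, src, dst, sport, dport, payload=b""):
    """Constructed Ethernet/IPv4/TCP-or-UDP frame; checksums are left at zero."""
    if proto == IPPROTO_TCP:                 # 20-byte TCP header, PSH|ACK, no options
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x18, 65535, 0, 0)
    else:                                    # 8-byte UDP header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 1, 0x4000,
                     64, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    eth = bytes.fromhex("001122334455 66778899aabb") + struct.pack("!H", ETH_IPV4)
    return eth + ip + l4 + payload

def build_pcap(records):
    """Serialise (timestamp, frame) pairs into a little-endian pcap file image."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1))
    for ts, frame in records:
        sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return bytes(out)

def dissect(no, ts, frame):
    """Walk eth -> ip -> tcp/udp into a packet-list style summary."""
    pkt = {"no": no, "time": ts, "len": len(frame), "layers": ["eth"], "src": None, "dst": None}
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return pkt                           # not IPv4: stop at the link layer
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    pkt["src"], pkt["dst"] = str(IPv4Address(frame[26:30])), str(IPv4Address(frame[30:34]))
    pkt["layers"].append("ip")
    l4 = frame[14 + ihl:]
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(l4) >= 4:
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", l4[:4])
        pkt["layers"].append("tcp" if proto == IPPROTO_TCP else "udp")
    return pkt

def read_pcap(data):
    """Parse a pcap image (either byte order) into packet summaries."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC else ">"
    if struct.unpack(endian + "I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a classic pcap file (pcapng is a different format)")
    pkts, off = [], 24
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + caplen]
        if len(frame) < caplen:
            break                            # truncated capture: stop cleanly
        pkts.append(dissect(len(pkts) + 1, sec + usec / 1e6, frame))
        off += 16 + caplen
    return pkts

def matches(pkt, expr):
    """Display-filter subset: '&&'-joined terms, each a protocol name or field == value."""
    for term in (t.strip() for t in expr.split("&&")):
        if "==" not in term:                 # bare protocol name, e.g. "udp"
            if term not in pkt["layers"]:
                return False
            continue
        field, value = (s.strip() for s in term.split("==", 1))
        proto = field.split(".", 1)[0]
        if proto != "frame" and proto not in pkt["layers"]:
            return False                     # field of a layer this packet lacks
        candidates = {"ip.src": [pkt["src"]], "ip.dst": [pkt["dst"]],
                      "ip.addr": [pkt["src"], pkt["dst"]], "frame.len": [str(pkt["len"])],
                      f"{proto}.port": [str(pkt.get("sport")), str(pkt.get("dport"))]}[field]
        if value not in candidates:
            return False
    return True

def protocol_hierarchy(pkts):
    """Statistics > Protocol Hierarchy: packets per dissection path."""
    return Counter(":".join(p["layers"]) for p in pkts)

def conversations(pkts):
    """Statistics > Conversations (IPv4): packets and bytes per address pair."""
    table = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for p in pkts:
        if p["src"]:
            row = table[tuple(sorted((p["src"], p["dst"])))]
            row["packets"] += 1
            row["bytes"] += p["len"]
    return dict(table)

# Constructed sample capture: HTTP request/response, a DNS query, and one non-IP frame.
SAMPLE_PCAP = build_pcap([
    (1.0, build_frame(IPPROTO_TCP, "10.0.0.5", "192.0.2.10", 51000, 80, b"GET / HTTP/1.1\r\n")),
    (1.1, build_frame(IPPROTO_TCP, "192.0.2.10", "10.0.0.5", 80, 51000, b"HTTP/1.1 200 OK\r\n")),
    (1.2, build_frame(IPPROTO_UDP, "10.0.0.5", "10.0.0.1", 53001, 53, b"\x12\x34")),
    (1.3, bytes(24)),                        # ethertype 0x0000: dissected as eth only
])

if __name__ == "__main__":
    print(dict(protocol_hierarchy(read_pcap(SAMPLE_PCAP))), conversations(read_pcap(SAMPLE_PCAP)))
```

Feeding a real sample capture is a matter of `read_pcap(open(path, "rb").read())`; the same filter and statistics functions then apply.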

Visualizing Network Packets With IO Graphs


If you want to create a visual representation of your data packets, then you
need to open IO graphs. Simply click on the statistics menu and select IO
graphs. You’ll then be met by a graph window:
You can configure IO graphs with your own settings according to the data you
want to display. By default only graph 1 is enabled, so if you want to activate
2-5 you need to click on them. Likewise, if you want to apply a display filter for
a graph, click the filter icon next to the graph you want to interact with. The
style column allows you to change how your graph is structured. You can
choose between Line, FBar, Dot, or Impulse.
You can also interact with the X and Y axis metrics on your graph as well. On
the X-axis, the tick interval sections allow you to dictate how long the interval
is, from minutes to seconds. You can also check the view as time of day
checkbox to change the time of the X-axis.
Under the Y-axis section, you can change the unit of measurement from any
of the following options: Packets/Tick, Bytes/Tick, Bits/Tick, or Advanced. The
scale allows you to choose the scale of measurement for the Y-axis of the
graph.
Once you press Save, the graph is stored in a file format of your choice.

How to Use Sample Captures


If you want to practice using Wireshark but your own network is unavailable for
whatever reason, using ‘sample captures’ is a great alternative. Sample
captures provide you with another network’s packet data. You can download
a sample capture by going on the Wireshark wiki website.
The Wireshark wiki website features a variety of sample capture files that can
be downloaded across the site. Once you’ve downloaded a sample capture
you can use it by clicking File > Open and then clicking on your file.
Capture Files can also be found from the following sources below:
ICIR
OpenPacket
PacketLife

How to use Wireshark to Analyze


Network Performance

If you want to use Wireshark to inspect your network and analyze all active
traffic, then you need to close down all active applications on your network.
This will reduce traffic to a minimum so you can see what is happening on your
network more clearly. However, even if you turn off all of your applications,
you’ll still have a mass of packets being sent and received.
Using Wireshark to filter these packets is the best way to take stock of your
network data. When your connection is active, thousands of packets are
transferring through your network every second. This means it’s vital that you
filter out the information you don’t need to get a clear picture of what’s going
on.
Capture Filters and Display Filters
Capture Filters and Display Filters are two types of distinct filters that can be
used on Wireshark.
Capture Filters and Display Filters are two types of distinct filters that can be
used on Wireshark. Capture Filters are used to reduce the size of incoming
packet capture, essentially filtering out other packets during live packet
capturing. As a result, capture filters are set before you begin the live capture
process.
Capture Filters are used to reduce the size of incoming packet capture,
essentially filtering out other packets during live the packet capturing. As a
result, capture filters are set before you begin the live capture process.
Capture Filters can’t be modified once a capture has been started. On the
other hand, Display Filters can be used to filter data that has already been
recorded. Capture Filters determine what data you capture from live network
monitoring, and Display Filters dictate the data you see when looking through
previously captured packets.
If you want to start filtering your data, one of the easiest ways to do this is to
use the filter box below the toolbar. For example, if you type in HTTP in the filter
box, you will be provided with a list of all HTTP packets captured. When you
start typing, you’ll be met with an autocomplete field. The filter box is shown
below:

You can use hundreds of different filters to break down your packet
information, from 104apci to zvt. An extensive list can be found on the
Wireshark website here. You can also choose a filter by clicking on the
bookmark icon to the left of the entry field. This will raise a menu of popular
filters.
If you choose to set a capture filter, then your changes will come into effect
once you start recording live network traffic. To activate a display filter, simply
click on the arrow to the right of the entry field. Alternatively, you can click
Analyze > Display Filters and choose a filter from the list of defaults.
After choosing a filter, you can view the TCP conversation behind a packet. To
do this, right click on the packet and click Follow > TCP stream. This will show
you the TCP exchange between the client and server.
If you want more information about Wireshark filtering, Wireshark’s guide to
display filters is a good point of reference.
Using Color Coding
In addition to filtering which packets are shown or recorded, Wireshark’s color-
coding facility makes it easier for the user to identify different packet types
according to their color. For example, TCP traffic is denoted by light purple and
UDP traffic is denoted by light blue. It’s important to note that black is used to
highlight packets with errors.
On Wireshark’s default settings, there are around 20 colors you can choose
from. You may edit, disable or delete these. If you want to turn off colorization,
click on the View menu and click Colorize Packet List field to turn it off. If you’d
like to view more information about the color-coding on Wireshark, click View
>Coloring Rules.
Viewing Network Statistics
To view more information on your network, the statistics drop-down menu is
incredibly useful. The statistics menu can be located at the top of the screen
and will provide you with several metrics from size and timing information to
plotted charts and graphs. You can also apply display filters to these statistics to
narrow down important information.
The Wireshark statistics menu is shown below:
In this menu are a variety of options to help you break down your network
information.
Statistics Menu Selections
Here are some of the core sections:
Protocol Hierarchy – The Protocol Hierarchy option raises a window with a complete
table of all captured protocols. Active display filters are also displayed at the bottom.
Conversations – Reveals the network conversation between two endpoints (For example
exchange of traffic from one IP address to another).
Endpoints – Displays a list of endpoints (a network endpoint is where protocol traffic of a
specific protocol layer ends).
IO Graphs – Displays user-specific graphs, visualizing the number of packets throughout
the data exchange.
RTP_statistics – Allows the user to save the content of an RTP audio stream directly to an
Au-file.
Service Response Time – Displays the response time between a request and the
network’s response.
TcpPduTime – Displays the time taken to transfer data from a Protocol Data Unit. Can be
used to find TCP retransmissions.
VoIP_Calls – Shows VoIP calls obtained from live captures.
Multicast Stream – Detects multicast streams and measures the size of bursts and the
output buffers of certain speeds.

Visualizing Network Packets With IO Graphs


If you want to create a visual representation of your data packets, then you
need to open IO graphs. Simply click on the statistics menu and select IO
graphs. You’ll then be met by a graph window:
You can configure IO graphs with your own settings according to the data you
want to display. By default only graph 1 is enabled, so if you want to activate
2-5 you need to click on them. Likewise, if you want to apply a display filter for
a graph, click the filter icon next to the graph you want to interact with. The
style column allows you to change how your graph is structured. You can
choose between Line, FBar, Dot, or Impulse.
You can also interact with the X and Y axis metrics on your graph as well. On
the X-axis, the tick interval sections allow you to dictate how long the interval
is, from minutes to seconds. You can also check the view as time of day
checkbox to change the time of the X-axis.
Under the Y-axis section, you can change the unit of measurement from any
of the following options: Packets/Tick, Bytes/Tick, Bits/Tick, or Advanced. The
scale allows you to choose the scale of measurement for the Y-axis of the
graph.
Once you press save, the graph is stored in a file format of your choice.

How to Use Sample Captures


If you want to practice using Wireshark but your own network is unavailable for
whatever reason, using ‘sample captures’ is a great alternative. Sample
captures provide you with another network’s packet data. You can download
a sample capture by going on the Wireshark wiki website.
The Wireshark wiki website features a variety of sample capture files that can
be downloaded across the site. Once you’ve downloaded a sample capture
you can use it by clicking File > Open and then clicking on your file.
Capture files can also be found at the following sources:
ICIR
OpenPacket
PacketLife
Decrypt SSL with Wireshark

If you’ve ever tried using Wireshark to monitor web traffic, you’ve probably run
into a problem: a lot of it is encrypted. In fact, most sites are using SSL or
Transport Layer Security (TLS) encryption to keep their users safe.
Ubiquitous encryption is a good thing if you’re shopping on Amazon, but it’s a
real pain when you’re trying to administer a network. Here’s how I decrypt SSL
with Wireshark.

What are Wireshark and SSL Encryption?


Wireshark is a network traffic analyzer; it’s a core utility that many administrators
use to troubleshoot problems on their networks. Specifically, it captures frames
– the building blocks of packets – and lets you sort through and analyze them.
Using Wireshark, you can look at the traffic flowing across your network and
dissect it, getting a peek inside of frames at the raw data.
SSL is an encryption protocol that operates on the Transport layer of the OSI
model. It uses various encryption methods to secure data as it moves across
networks. Note: In this guide, I’ll mostly be referring to SSL as a catchall term for
SSL and TLS, its successor.
SSL encryption makes using Wireshark more challenging because it prevents
administrators from viewing the data that each relevant packet carries. When
Wireshark is set up properly, it can decrypt SSL and restore your ability to view
the raw data.

Using a pre-master secret key to decrypt SSL and TLS


Using a pre-master secret key to decrypt SSL in Wireshark is the recommended
method.
A pre-master secret key is generated by the client and used by the server to
derive a master key that encrypts the session traffic. It’s the current standard in
cryptography and is usually implemented via Diffie-Hellman.
Your browser can be made to log the pre-master secret key, which Wireshark
uses to decrypt SSL and TLS sessions.
Here are the steps to decrypting SSL and TLS with a pre-master secret key:
Set an environment variable
Launch your browser
Configure Wireshark
Capture and decrypt the session keys

When you’re finished, you’ll be able to decrypt SSL and TLS sessions in Wireshark
without needing access to the target server.
Set a Windows environment variable
In Windows systems, you’ll need to set an environment variable using the
Advanced system settings utility. This variable, named SSLKEYLOGFILE, contains
a path where the pre-master secret keys are stored.
Start by right-clicking on My Computer, and selecting Properties from the
menu. The System menu will open.

Next, click Advanced system settings on the list to the left. The System
Properties window will open.
On the Advanced tab, click the Environment Variables button.
Click the New… button under User variables. You can also create the variable
under System variables if you’d like to log SSL keys for every user on the system,
but I prefer to keep it confined to my profile.

Under Variable name, type the following:


SSLKEYLOGFILE

In the Variable value field, type a path to the log file. You can also click the
Browse file… button and specify the path using the file picker.
As a note, if you’re creating this as a system-wide environment variable, you’ll
need to use appropriate wildcards or store the file in a place accessible by all
users. For instance, you might choose %USERPROFILE%\App Data\ssl-keys.log
or C:\ssl-keys.log.
Once you’ve finished, click OK and move to the next set of steps.

Set a Linux or Mac environment variable


In Linux and Mac, you’ll need to set the SSLKEYLOGFILE environment variable
using nano. In Linux, the variable is stored in ~/.bashrc. On the Mac, you’ll
create the variable in the file ~/.MacOSX/environment.
Open a terminal and use this command in Linux:
nano ~/.bashrc

Open Launchpad, click Other, and launch a terminal to run this command in
Mac OSX:
nano ~/.bash_profile

The following steps are the same for both operating systems.
At the end of the file, add this line:

export SSLKEYLOGFILE=~/.ssl-key.log

Press Ctrl+X, Y to save your changes.

Close the terminal window and open another to set the variable, then type the
following to confirm it’s been set successfully:
echo $SSLKEYLOGFILE

After you execute the command, you should see output similar to the image
above. /Users/comparitech/.ssl-key.log is the full path to my SSL pre-master
key log. Note: You’ll want to make a note of yours, which will be different, to
enter in Wireshark.
Now that the variable has been set, you can move on to the next set of steps.
Launch your browser and check for the log file
Before you launch Wireshark and configure it to decrypt SSL using a pre-master
key, you should start your browser and confirm that the log file is being used.

In order to populate the log, it’s important that you visit a site that has SSL
enabled. I’m using my own Apache server for testing, but any site will work.
One of the biggest benefits of using a pre-master shared key is you don’t need
access to the server to decrypt SSL.
After you’ve visited an SSL-enabled website, check the file for data. In Windows,
you can use Notepad. In Linux or Mac, use the following command:
cat ~/.ssl-key.log

On any operating system, your file should look like mine does above. After
you’ve confirmed that your browser is logging pre-master keys in the location
you selected, you can configure Wireshark to use those keys to decrypt SSL.
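If you would rather check the key log file in code than by eyeballing it (and without pasting secrets into a terminal), here is an added example that is not part of this guide: it parses the NSS key log format that browsers write to SSLKEYLOGFILE. The SAMPLE lines are constructed dummy data, and keylog_report() takes the path you noted from echo $SSLKEYLOGFILE.

```python
"""Sanity-check an SSLKEYLOGFILE before pointing Wireshark at it (added
example, not from the Comparitech guide). Browsers write the NSS key log
format: one "<LABEL> <client_random hex> <secret hex>" record per line."""
import re
from collections import Counter

# Labels Wireshark understands: CLIENT_RANDOM carries the TLS 1.2 master
# secret; the rest are TLS 1.3 traffic secrets (several records per session).
KNOWN_LABELS = {
    "CLIENT_RANDOM", "CLIENT_EARLY_TRAFFIC_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET",
}
# client_random is always 32 bytes (64 hex chars); the secret length varies.
RECORD_RE = re.compile(r"^(\S+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")

def parse_keylog(text):
    """Return (records, problems); a record is (label, client_random, secret)."""
    records, problems = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # comments and blank lines are legal in the format
        m = RECORD_RE.match(line)
        if not m:
            problems.append(f"line {lineno}: not a key log record")
            continue
        label, client_random, secret = m.groups()
        if label not in KNOWN_LABELS:
            problems.append(f"line {lineno}: unknown label {label}")
        records.append((label, client_random.lower(), secret.lower()))
    return records, problems

def summarize(records):
    """Count labels and distinct handshakes without echoing any secret."""
    labels = Counter(label for label, _, _ in records)
    sessions = {cr for _, cr, _ in records}
    tls13 = {cr for label, cr, _ in records if label != "CLIENT_RANDOM"}
    return {"labels": dict(labels), "sessions": len(sessions),
            "tls13_sessions": len(tls13)}

def keylog_report(path):
    """Summarize the file named by SSLKEYLOGFILE; no records means no keys yet."""
    with open(path, encoding="ascii") as fh:
        records, problems = parse_keylog(fh.read())
    if not records:
        return {"usable": False, "problems": problems}
    return {"usable": True, "problems": problems, **summarize(records)}

# Constructed sample in the on-disk format (dummy hex, not real secrets).
SAMPLE = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    "CLIENT_RANDOM " + "11" * 32 + " " + "ab" * 48,  # one TLS 1.2 session
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "22" * 32 + " " + "cd" * 32,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "22" * 32 + " " + "cd" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "22" * 32 + " " + "cd" * 32,  # one TLS 1.3 session
    "SERVER_TRAFFIC_SECRET_0 " + "22" * 32 + " " + "cd" * 32,
    "this line is garbage",
])

if __name__ == "__main__":
    records, problems = parse_keylog(SAMPLE)
    print(summarize(records), problems)
```

A file that parses but reports zero sessions means the browser was started before the variable was set, which is the most common reason Wireshark later shows nothing decrypted.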
Configure Wireshark to decrypt SSL
Once your browser is logging pre-master keys, it’s time to configure Wireshark
to use those logs to decrypt SSL.

Open Wireshark and click Edit, then Preferences. The Preferences dialog will
open, and on the left, you’ll see a list of items. Expand Protocols, scroll down,
then click SSL.

In the list of options for the SSL protocol, you’ll see an entry for (Pre)-Master-Secret log filename. Browse to the log file you set up in the previous step, or just paste the path.
When you’ve finished setting the (Pre)-Master-Secret log filename, click OK
and return to Wireshark. You’re ready to move on.
Capture the session and decrypt SSL
The final step is to capture a test session and make sure that Wireshark decrypts
SSL successfully.
Start an unfiltered capture session, minimize it, and open your browser.
Visit a secure site in order to generate data, and optionally set a display filter of ‘ssl’ to
minimize the session noise.
Click on any frame containing encrypted data.

In my case, I’ll select one that contains HTTP traffic with text/HTML encoding,
since I’d like to see the source code the web server is sending to my browser.
But any encrypted transmissions that use a pre-master secret or private key will
work with this method. That includes all data utilizing Perfect Forward
Encryption (PFE) through Diffie-Hellman or comparable key exchanges.

Once you’ve selected an encrypted data frame, look at the Packet byte view,
and specifically the tabs underneath the view. You should see an entry for
Decrypted SSL data, among others.
You’ll notice that my session still looks like it’s full of garbage, and no HTML is
visible. That’s because my web server (and most Apache servers) use GZIP
compression by default.

When you click the Uncompressed entity body tab, which only shows up in this
case with SSL decryption enabled, you can view the source code of the site.
For instance, here’s the title element of the default Apache page in plaintext.

Using an RSA key to decrypt SSL


You might have noticed earlier that Wireshark has a field that allows you to
upload your RSA keys and use them to decrypt SSL. In practice, RSA key
decryption is deprecated.

The reason decrypting SSL with an RSA key isn’t commonly used anymore is
that Perfect Forward Encryption (PFE) has made it obsolete. Sessions
negotiated with Diffie-Hellman don’t use the RSA key directly; instead they
generate a one-time key, stored only in RAM, that is encrypted using the key
on disk.
If you were previously using an RSA key to decode traffic, and it stopped
working, you can confirm that the target machine is using Diffie-Hellman
exchanges by enabling SSL logging.
To turn on logging, click Edit from the toolbar menu and select Preferences.
Expand the Protocols menu item on the left and scroll down to SSL. From here,
you can click the Browse button and set the location of your SSL log.
Once the location is set, all SSL interactions will be logged in the specified file.

Capture a session with your SSL-enabled host, then check the logs. Specifically,
you should scroll until you find the frame that the TLS handshake was
negotiated on. It’s likely that you’ll see a telltale DHE entry in the cipher string.
That means Diffie-Hellman key exchanges are enabled. In my case, Apache is
specifically using Diffie-Hellman with elliptic-curve keys, which is denoted by
the string ECDHE.
Scroll a little further and you’re likely to see that the master secret cannot be
found.
If your logs look like that, and you can’t decrypt data using an RSA key, you
have no choice but to switch over to the pre-master secret method above.
Since PFE is becoming standard practice, with TLSv1.3 likely forcing the issue,
simple RSA key decryption is deprecated and should not be used.
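To apply the same check programmatically, here is an added example (not Wireshark code and not from this guide) that classifies the cipher suite string shown on the Server Hello and reports whether the RSA key method can work or only the pre-master secret method; it assumes that OpenSSL-style names with no key-exchange prefix at all denote static RSA.

```python
"""Decide which of the two decryption methods in this guide can work, from the
cipher suite Wireshark shows on the Server Hello. Added example, not Wireshark
code; the answer comes from the suite name alone."""

# TLS 1.3 suites name no key exchange because it is always an ephemeral
# (EC)DHE key share, so the server's RSA key can never decrypt them.
TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
                "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256",
                "TLS_AES_128_CCM_8_SHA256"}

def key_exchange(suite):
    """Key-exchange part of an IANA (TLS_ECDHE_RSA_WITH_...) or OpenSSL
    (ECDHE-RSA-...) style name. Assumption: OpenSSL names with no prefix at
    all (e.g. AES128-GCM-SHA256) mean static RSA key exchange."""
    name = suite.upper().replace("-", "_")
    if name in TLS13_SUITES:
        return "ECDHE"
    if name.startswith("TLS_"):
        name = name[4:]
    for kx in ("ECDHE", "DHE", "ECDH", "DH", "PSK", "SRP", "RSA"):  # longest first
        if name.startswith(kx + "_"):
            return kx
    return "RSA"

def decryption_method(suite):
    """'rsa_key_or_keylog': the session key is RSA-encrypted to the server's
    key, so Wireshark's RSA keys list works (and so does SSLKEYLOGFILE).
    'keylog_only': the key is negotiated, never sent, so only the client's
    pre-master secret log can recover it (the telltale DHE/ECDHE case)."""
    return "rsa_key_or_keylog" if key_exchange(suite) == "RSA" else "keylog_only"

def triage(suites):
    """Map each suite seen in a capture to the method that can decrypt it."""
    return {s: decryption_method(s) for s in suites}

if __name__ == "__main__":
    # Constructed list: an ECDHE suite like the Apache one described above,
    # a legacy static-RSA suite, and a TLS 1.3 suite.
    for suite, method in triage(["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                                 "TLS_RSA_WITH_AES_256_CBC_SHA",
                                 "TLS_AES_256_GCM_SHA384"]).items():
        print(f"{suite:45} {key_exchange(suite):6} {method}")
```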

Wireshark makes decrypting SSL traffic easy


I really like the way Wireshark handles the SSL decryption process.
Cryptography is complicated, and the standards are constantly changing to
be more secure. But once Wireshark and your environment are set up properly,
all you have to do is change tabs to view decrypted data. It doesn’t get any
easier than that.

Wireshark Decrypt SSL FAQs


How do I read TLS packets in Wireshark?
Follow these steps to read TLS packets in Wireshark:
1. Start a packet capture session in Wireshark.
2. In the top menu bar, click on Edit, and then select Preferences from the drop-down
menu.
3. In the Preferences window, expand the Protocols node in the left-hand menu tree.
4. Click on SSL. The main panel of the window will show protocol settings.
5. Enter a file name and select a location for the SSL debug file.
6. Click in the RSA keys list, then select Edit and then New.
7. Fill out the information fields in the pop-up window: IP address, Port, Protocol (which will
be HTTPS), Key File, and Password. Press OK.
8. Click OK in the Preferences screen.

The data field at the bottom of the main Wireshark page will show the
decrypted contents of the packet.

How does a 2 way SSL handshake work?


The two-way SSL handshake authenticates both the server and the client. Here
are the steps that are carried out in this process:
1. Client hello: sent from the client to the server and includes its supported cipher suites and
TLS version compatibilities.
2. Server hello: sent from the server to the client in response. It contains a link to the server’s
public certificate and a request for the same back from the client.
3. The browser validates the server certificate and if all is OK, sends a link to its own
certificate.
4. The server checks out the client’s certificate. If all is OK, session establishment continues.

Is it possible to decrypt passively sniffed SSL/TLS traffic?


Yes. However, you will always need the RSA key in order to decrypt traffic. That
could be acquired through legitimate methods and with permission or could
be tricked out of the source of the traffic through a “man in the middle”
strategy.
Wireshark Cheat Sheet – Commands, Captures, Filters & Shortcuts
All the information that has been provided in the cheat sheet is also visible
further down this page in a format that is easy to copy and paste.
The cheat sheet covers:
Wireshark Capturing Modes
Filter Types
Capture Filter Syntax
Display Filter Syntax
Protocols – Values
Filtering packets (Display Filters)
Logical Operators
Default columns in a packet capture output
Miscellaneous Items
Keyboard Shortcuts
Common Filtering Commands
Main Toolbar Items


What’s included in the Wireshark cheat sheet?


The following categories and items have been included in the cheat sheet:
Wireshark Capturing Modes
Sets the interface to capture all packets on the network segment it is attached to

Sets up the wireless interface to capture all traffic it can receive (Unix/Linux only)

Filter Types
Filter packets during capture

Hide Packets from a capture display

Capture Filter Syntax


Display Filter Syntax
Protocols – Values
ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp

Filtering packets (Display Filters)


Miscellaneous Items
Logical Operators
All the conditions should match

Either all or one of the conditions should match

Exclusive alternation – only one of the two conditions should match, not both

Filter a specific word or text

Default columns in a packet capture output


Frame number from the beginning of the packet capture

Seconds from the first frame

Source address, commonly an IPv4, IPv6 or Ethernet address

Protocol used in the Ethernet frame, IP packet, or TCP segment

Length of the frame in bytes

Keyboard Shortcuts
Keyboard Shortcuts – main display window

Move between screen elements, e.g. from the toolbars to the packet list to the
packet detail.

Move to the next packet in the selection history.

Move to the next packet or detail item.

In the packet detail, opens the selected tree item.

Move to the previous packet or detail item.

In the packet detail, opens the selected tree item and all of its subtrees.

Move to the next packet, even if the packet list isn’t focused.
In the packet detail, opens all tree items.

Move to the previous packet, even if the packet list isn’t focused.

In the packet detail, closes all tree items.

Move to the next packet of the conversation (TCP, UDP or IP).

In the packet detail, jumps to the parent node.

Move to the previous packet of the conversation (TCP, UDP or IP).

In the packet detail, toggles the selected tree item.

Common Filtering Commands


Filter by Destination IP

ip.addr >= 10.10.50.1 and ip.addr

ip.addr == 10.10.50.1 and ip.addr == 10.10.50.100

Filter out/ Exclude IP address

!(ip.addr == 10.10.50.1)

ip.addr == 10.10.50.1/24

Filter by multiple specified IP subnets


ip.addr == 10.10.50.1/24 and ip.addr == 10.10.51.1/24
dns
http
ftp
ssh
arp
telnet
icmp

Filter by destination port (TCP)

Filter by ip address and port

ip.addr == 10.10.50.1 and tcp.port == 25

http.host == "host name"

frame.time >= "June 02, 2019 18:04:00"

tcp.flags.syn == 1

tcp.flags.syn == 1 and tcp.flags.ack == 0

wlan.fc.type_subtype == 0x08

Wireshark broadcast filter

eth.dst == ff:ff:ff:ff:ff:ff

Wireshark multicast filter

eth.addr == 00:70:f4:23:18:c4
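To see how filters like these actually select packets, here is an added example, not Wireshark code, that evaluates the subset of display-filter syntax used in this cheat sheet against three constructed packets. Field names and the rule that ip.addr and tcp.port match either direction follow Wireshark; Filter, match, apply_filter and PACKETS are assumptions of this example.

```python
"""Evaluate the display-filter subset used in this cheat sheet against constructed
packets. Added example, not Wireshark code: and/or/not, CIDR literals, field compares."""
import ipaddress
import re

TOKEN_RE = re.compile(r'\s*("[^"]*"|\(|\)|==|!=|>=|<=|&&|\|\||!|[^\s()]+)')
OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b,
       ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b}
ALIASES = {"ip.addr": ("ip.src", "ip.dst"), "eth.addr": ("eth.src", "eth.dst"),
           "tcp.port": ("tcp.srcport", "tcp.dstport")}  # either direction matches

class Filter:
    """Recursive descent: or-level > and-level > not / parentheses / comparison."""
    def __init__(self, text):
        self.toks, self.i = TOKEN_RE.findall(text), 0
        self.tree = self.expr()
    def peek(self): return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self): self.i += 1; return self.toks[self.i - 1]
    def expr(self):
        node = self.term()
        while self.peek() in ("or", "||"):
            self.take(); node = ("or", node, self.term())
        return node
    def term(self):
        node = self.factor()
        while self.peek() in ("and", "&&"):
            self.take(); node = ("and", node, self.factor())
        return node
    def factor(self):
        tok = self.take()
        if tok in ("not", "!"): return ("not", self.factor())
        if tok == "(":
            node = self.expr(); self.take(); return node  # consume ')'
        if self.peek() in OPS:  # field <op> value
            return ("cmp", tok, self.take(), self.take().strip('"'))
        return ("proto", tok)  # bare protocol name such as dns or arp

def compare(op, actual, literal):
    if "/" in literal:  # a CIDR literal is a membership test, as in Wireshark
        hit = ipaddress.ip_address(actual) in ipaddress.ip_network(literal, strict=False)
        return hit if op == "==" else not hit
    for conv in (lambda s: int(s, 0), ipaddress.ip_address, str):
        try:  # numbers (incl. 0x08) compare numerically, IPs as addresses, else as text
            return OPS[op](conv(actual), conv(literal))
        except ValueError:
            continue

def match(node, pkt):
    kind = node[0]
    if kind == "or": return match(node[1], pkt) or match(node[2], pkt)
    if kind == "and": return match(node[1], pkt) and match(node[2], pkt)
    if kind == "not": return not match(node[1], pkt)
    if kind == "proto": return node[1] in pkt["protocols"]
    _, field, op, literal = node  # a field the packet lacks never matches
    return any(compare(op, pkt[f], literal) for f in ALIASES.get(field, (field,)) if f in pkt)

def apply_filter(text, packets):
    """Indexes of the packets the filter keeps, i.e. what the packet list would show."""
    tree = Filter(text).tree
    return [i for i, pkt in enumerate(packets) if match(tree, pkt)]

PACKETS = [  # constructed, not from a real capture; field values are kept as strings
    {"protocols": {"eth", "ip", "tcp"}, "ip.src": "10.10.50.1", "ip.dst": "10.10.50.100",
     "tcp.srcport": "51234", "tcp.dstport": "25", "tcp.flags.syn": "1", "tcp.flags.ack": "0"},
    {"protocols": {"eth", "ip", "udp", "dns"}, "ip.src": "10.10.51.7", "ip.dst": "8.8.8.8"},
    {"protocols": {"eth", "arp"}, "eth.src": "00:70:f4:23:18:c4", "eth.dst": "ff:ff:ff:ff:ff:ff"},
]
```

Note that !(ip.addr == 10.10.50.1) also keeps the ARP packet, which has no ip.addr field at all; that is the same behaviour Wireshark shows.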
Main Toolbar Items

Uses the same packet capturing options as the previous session, or uses
defaults if no options were set

Stops currently active capture

Restarts active capture session

Opens “Capture Options” dialog box

Opens "File open" dialog box to load a capture for viewing

Save current capture file

Close current capture file

Reloads current capture file

Find packet based on different criteria

Jump back in the packet history

Jump forward in the packet history

Jump to first packet of the capture file

Jump to last packet of the capture file


View → Auto Scroll in Live Capture

Auto scroll packet list during live capture

Colorize the packet list (or not)

Zoom into the packet data (increase the font size)

Zoom out of the packet data (decrease the font size)

Set zoom level back to 100%

Resize columns, so the content fits to the width


Extending Wireshark’s capabilities

Although Wireshark is a great packet sniffer, it isn’t the be-all and end-all of
network analysis tools. You can expand Wireshark and support it with
complementary tools. A wide community of supporting plugins and platforms
can enhance Wireshark’s capabilities.
Try out these Wireshark additions to improve your analytical capabilities:
Elastic Stack with Wireshark – Use Wireshark as a feed to Elasticsearch and its related data management modules to create a better analysis environment than Wireshark provides by itself. The Elastic Stack products are free to use.
NetworkMiner – Another analytical tool that acts on feeds from Wireshark. This tool comes in both a free and a paid version.
Show Traffic – Displays live traffic data, identifying packets by protocol.

Can Wireshark see all network traffic?


Wireshark will see all traffic intended for the port that it is connected to. It won’t
see traffic on a remote part of the network that isn’t passed through the switch
being monitored. It will only pick up traffic sent to the monitored port. However,
it is possible to get the switch to replicate all the traffic on all of its connections
and forward that onto one switch port, which will be where you should
connect the device hosting Wireshark.

Does Wireshark affect network performance?


No. Wireshark is a listener; it doesn’t generate traffic. However, if you set a
switch on the system to duplicate all passing traffic and send it to the Wireshark-
monitored port, then network traffic will be increased and performance could
be impaired.
Is it illegal to use Wireshark on a public wifi?
It is not illegal to use Wireshark anywhere, however, there are some illegal
activities that can be facilitated by Wireshark. Think of Wireshark as being like a
telescope. It is not illegal to look through the air with a telescope at passing
cars, but it is illegal to use it to look through someone’s window.
