What Is Wireshark

Wireshark is an open-source packet analyzer software that allows users to examine network traffic and analyze protocol interactions. It can be used for network troubleshooting, analysis, software and protocol development, and education. The document discusses features and uses of Wireshark including how it captures and displays packet data with color coding and filtering options.
What is Wireshark?

Wireshark is an open-source packet analyzer used for education, traffic analysis, software development,
communication-protocol development, and network troubleshooting.

It captures packets and lets you filter them so that only the ones relevant to a particular question are shown. It is
commonly called a sniffer, network protocol analyzer, or network analyzer, and network security engineers use it to
investigate security problems.

Wireshark is free to use and captures the data flowing in both directions on a network interface; it is often described
as a free packet sniffer. When capturing, it can put the network card into promiscuous mode, i.e., accept every frame
the card receives rather than only those addressed to it. Note that on a switched network, promiscuous mode still only
sees what reaches that port (broadcast and multicast traffic, the host's own traffic, and whatever a mirror/SPAN port or
tap delivers), and on Wi-Fi, seeing other stations' frames requires monitor mode rather than promiscuous mode.
Uses of Wireshark:
Wireshark can be used in the following ways:

1. Network security engineers use it to investigate security problems.
2. It lets users watch all the traffic passing the capture point on the network.
3. Network engineers use it to troubleshoot network issues.
4. It helps troubleshoot latency issues and spot malicious activity on your network.
5. It helps diagnose dropped packets, which show up in a capture as TCP retransmissions and "previous segment not
captured" indications rather than as the missing packets themselves.
6. It shows how devices such as laptops, mobile phones, desktops, switches, routers, etc. communicate within a local
network and with the rest of the world.

What is a packet?
A packet is a unit of data transmitted over a network between an origin and a destination. Network packets are
small: a standard Ethernet frame carries at most 1500 bytes of payload (about 1.5 KB, roughly 1518 bytes including the
Ethernet header and trailer, unless jumbo frames are enabled), and an IP datagram is limited to 65,535 bytes (64 KB)
by its 16-bit total-length field, so larger datagrams are fragmented to fit the link MTU.

Wireshark can display packets live as they are captured and can also analyze them offline from a saved capture file.

What is color coding in Wireshark?

Packets in Wireshark are highlighted in colors such as blue, black, and green (in the default profile, for example,
TCP is light purple, UDP light blue, HTTP light green, and packets with problems such as TCP retransmissions or bad
checksums are black). These colors help users identify types of traffic at a glance; the feature is also called
packet colorization. Coloring rules in Wireshark are of two kinds, temporary rules and permanent rules.
o Temporary rules last only for the current session and are discarded when you quit the program.
o Permanent rules are saved with the configuration profile and remain in effect the next time you run Wireshark. The
steps to apply color filters will be discussed later in this topic.

Features of Wireshark
o It is multi-platform software: it runs on Linux, Windows, macOS, FreeBSD, NetBSD, etc.
o It is a standard three-pane packet browser.
o It performs deep inspection of hundreds of protocols.
o It supports live capture from many interface types (Ethernet, Wi-Fi, loopback, etc.) as well as offline analysis of
saved captures.
o It has sort and filter options that make it easy to view the data.
o It is also useful for VoIP analysis.
o It can capture raw USB traffic.
o Two kinds of filters narrow the output: capture filters (BPF syntax, applied while capturing, so non-matching packets
are never recorded) and display filters (applied to packets already captured, which only hides them from view).
o It can capture packets only on interfaces supported by the underlying capture library (libpcap on Unix-like
systems, Npcap or the older WinPcap on Windows), i.e., the pcap API used to capture from the network.
o Wireshark reads and writes well-documented capture file formats such as pcapng (its default when saving) and the
older libpcap (pcap) format. These formats are used for storing the captured data.
o It is the standard tool for its purpose, with applications ranging from tracing down unauthorized traffic to
verifying firewall settings.
[Figure: the main Wireshark window. All capture and analysis work is done from this screen.]

The options in the list are the capture interfaces. How many are shown depends on the machine; selecting one
determines which traffic is captured.

For example, in the figure, select the Wi-Fi interface. A new window opens showing all current traffic on that
network. The image below shows what a live packet capture looks like in Wireshark:

[Figure: live packet capture. The arrow marks the packet bytes pane, which shows the packet content in hexadecimal and
ASCII format. And the information above the]
The Wireshark interface has five major components:
The command menus are standard pull-down menus located at the top of the window.
o Of interest to us now are the File and Capture menus. The File menu allows you to save
captured packet data, open a file containing previously captured packet data, and exit
the Wireshark application.
o The Capture menu allows you to begin packet capture.

The packet-listing window displays a one-line summary for each packet captured, including:
o the packet number (assigned by Wireshark; this is not a packet number contained in any
protocol's header),
o the time at which the packet was captured,
o the packet's source and destination addresses,
o the protocol type, and
o protocol-specific information contained in the packet.

The packet listing can be sorted according to any of these categories by clicking on a
column name.

The packet-header details window provides details about the packet selected (highlighted) in
the packet-listing window. (To select a packet in the packet-listing window, place the cursor
over the packet's one-line summary in the packet-listing window and click with the left mouse
button.)
o These details include information about the Ethernet frame (assuming the packet was
sent/received over an Ethernet interface) and the IP datagram that contains this packet.
o The amount of Ethernet and IP-layer detail displayed can be expanded or collapsed by
clicking on the plus/minus (expand/collapse) boxes to the left of the Ethernet frame or IP
datagram line in the packet details window.
o If the packet has been carried over TCP or UDP, TCP or UDP details will also be
displayed, which can similarly be expanded or collapsed. Finally, details about the
highest-level protocol that sent or received this packet are also provided.

The packet-contents window (the packet bytes pane) displays the entire contents of the captured frame, in both
hexadecimal and ASCII format.

Towards the top of the Wireshark graphical user interface is the packet display filter field,
into which a protocol name or other filter expression can be entered in order to restrict the
packets displayed in the packet-listing window (and hence the packet-header and packet-
contents windows). A display filter only hides packets from view; it does not change what was
captured, unlike a capture filter, which is applied while capturing.

In the example below, we'll use the packet-display filter field to have Wireshark hide (not
display) all packets except those that correspond to HTTP messages, by entering the filter http.
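The capture-file reading, three-pane dissection and display-filter mechanics described above, as an added example that is not part of the original page or of Wireshark's own code. It builds a small libpcap file in memory from constructed frames (two DNS queries, a TCP SYN and an HTTP request; MAC and IP addresses are sample values), reads it back, dissects Ethernet/IPv4/UDP/TCP into Wireshark-style field names, and evaluates a small subset of display-filter syntax (bare protocol names, `field == value`, `!`, `&&`, `||`, no parentheses) to produce rows shaped like the packet-listing pane. The reader deliberately handles only microsecond-resolution libpcap with the Ethernet link type and rejects pcapng, which is what Wireshark saves by default; the DNS and HTTP detection are simple heuristics, not real dissectors.

```python
"""Added example, not Wireshark's own code: read a libpcap file, dissect Ethernet/IPv4/UDP/TCP the way
the packet-details pane does, and apply a subset of display-filter syntax to build packet-listing rows."""
import struct

# ---- constructed sample capture (sample data, not a real trace) ----
def _ip(s):                                   # "10.0.0.5" -> 4 raw bytes
    return bytes(int(o) for o in s.split("."))
def _frame(src_ip, dst_ip, proto, l4):        # Ethernet II + IPv4 (IHL=5); IP checksum left 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0x4000, 64, proto, 0, _ip(src_ip), _ip(dst_ip))
    return bytes.fromhex("020000000001" "020000000002" "0800") + ip + l4  # dst MAC, src MAC, ethertype IPv4
def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
def _tcp(sport, dport, flags, payload=b""):   # 20-byte header, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0) + payload
def _pcap(frames):                            # libpcap: 24-byte global header, then 16-byte record headers
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, fr in enumerate(frames):
        out += struct.pack("<IIII", 1700000000, 250000 * i, len(fr), len(fr)) + fr
    return out

SAMPLE_PCAP = _pcap([
    _frame("10.0.0.5", "10.0.0.1", 17, _udp(51000, 53, b"\x12\x34\x01\x00")),   # DNS query
    _frame("10.0.0.5", "192.0.2.10", 6, _tcp(51001, 80, 0x02)),                 # TCP SYN
    _frame("10.0.0.5", "192.0.2.10", 6, _tcp(51001, 80, 0x18, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")),
    _frame("10.0.0.7", "10.0.0.1", 17, _udp(40000, 53, b"\xab\xcd\x01\x00")),   # DNS query
])
def read_pcap(data):                          # -> [(timestamp, frame bytes), ...] from a libpcap byte string
    order = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", data[:4])[0])
    if order is None:                                        # pcapng and nanosecond pcap are not handled
        raise ValueError("not a microsecond libpcap file")
    if struct.unpack(order + "IHHiIII", data[:24])[6] != 1:
        raise ValueError("only LINKTYPE_ETHERNET captures are dissected here")
    off, records = 24, []
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(order + "IIII", data[off:off + 16])
        records.append((sec + usec / 1e6, data[off + 16:off + 16 + incl]))
        off += 16 + incl
    return records

LAYERS = {"eth": ("eth",), "ip": ("eth", "ip"), "udp": ("eth", "ip", "udp"), "tcp": ("eth", "ip", "tcp"),
          "dns": ("eth", "ip", "udp", "dns"), "http": ("eth", "ip", "tcp", "http")}
def dissect(frame):                           # one frame -> Wireshark-style field names (packet-details pane)
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    f = {"_proto": "eth", "eth.dst": mac(frame[:6]), "eth.src": mac(frame[6:12]),
         "eth.type": struct.unpack("!H", frame[12:14])[0]}
    if f["eth.type"] != 0x0800:                              # not IPv4: stop at the Ethernet layer
        return f
    ihl = (frame[14] & 0x0F) * 4
    _, _, _, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    f.update({"_proto": "ip", "ip.src": ".".join(map(str, src)), "ip.dst": ".".join(map(str, dst)), "ip.ttl": ttl})
    l4 = frame[14 + ihl:]
    if proto == 17:                                          # UDP; port 53 is treated as DNS
        sport, dport, _, _ = struct.unpack("!HHHH", l4[:8])
        f.update({"_proto": "dns" if 53 in (sport, dport) else "udp", "udp.srcport": sport, "udp.dstport": dport})
    elif proto == 6:                                         # TCP
        sport, dport, _, _, doff, flags, _, _, _ = struct.unpack("!HHIIBBHHH", l4[:20])
        f.update({"_proto": "tcp", "tcp.srcport": sport, "tcp.dstport": dport, "tcp.flags": flags})
        payload = l4[(doff >> 4) * 4:]
        if payload[:4] in (b"GET ", b"POST", b"HEAD", b"HTTP"):  # crude, port-independent HTTP heuristic
            f["_proto"] = "http"
            f["http.request.line"] = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
    return f
# Display-filter subset: bare protocol names, field == value, !, && and || (no parentheses).
def _values(f, name):
    if name.endswith(".port"):                               # udp.port / tcp.port match either end
        return {str(f.get(name[:-5] + ".srcport")), str(f.get(name[:-5] + ".dstport"))}
    if name == "ip.addr":
        return {str(f.get("ip.src")), str(f.get("ip.dst"))}
    return {str(f.get(name))}
def _term(f, term):
    if term.startswith("!"):
        return not _term(f, term[1:].strip())
    if "==" in term:
        name, value = (s.strip() for s in term.split("==", 1))
        return value in _values(f, name)
    return term in LAYERS[f["_proto"]]                       # bare protocol name, e.g. "http"
def matches(f, expr):                                        # && binds tighter than ||
    return any(all(_term(f, t.strip()) for t in clause.split("&&")) for clause in expr.split("||"))

def _info(f):
    p = f["_proto"]
    if p == "http":
        return f["http.request.line"]
    if p in ("tcp", "udp", "dns"):
        l4 = "tcp" if p == "tcp" else "udp"
        extra = f" [flags 0x{f['tcp.flags']:02x}]" if l4 == "tcp" else ""
        return f"{f[l4 + '.srcport']} -> {f[l4 + '.dstport']}{extra}"
    return f"ethertype 0x{f['eth.type']:04x}"
def packet_list(data, display_filter=""):     # rows like the packet-listing pane
    records = read_pcap(data)
    t0 = records[0][0] if records else 0.0                  # default Time column is relative to packet 1
    rows = []
    for n, (ts, frame) in enumerate(records, start=1):      # No. is assigned here, not taken from any header
        f = dissect(frame)
        if not display_filter or matches(f, display_filter):
            rows.append((n, f"{ts - t0:.6f}", f.get("ip.src", f["eth.src"]), f.get("ip.dst", f["eth.dst"]),
                         f["_proto"].upper(), _info(f)))
    return rows
```

`packet_list(SAMPLE_PCAP, "udp.port == 53 || http")` returns the two DNS rows and the HTTP row and drops the bare SYN, which is what entering the same expression in the display filter bar does; the real-tool equivalent on a saved file is `tshark -r capture.pcap -Y 'udp.port == 53 || http'`. Two points worth noticing: the `No.` column is assigned by the reader in capture order and exists in no protocol header, and feeding the reader a pcapng file (the first four bytes are the block type 0x0A0D0D0A, not a pcap magic) raises an error instead of silently misparsing records.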
