Wireshark is an open-source network protocol analyzer that is indispensable for system administration and security. It drills down into and displays the data travelling on the network. Wireshark lets you either capture live network packets or save them for offline analysis.
One of the features of Wireshark that you will love to learn is the display filter, which lets you inspect only the traffic you are really interested in. Wireshark is available for various platforms including Windows, Linux, macOS, FreeBSD, and others.
Some of the tasks one can perform with Wireshark are:
- Capturing and inspecting traffic passing through your network
- Inspecting hundreds of different protocols
- Live capture of traffic and offline analysis of saved captures
- Troubleshooting dropped packets and latency problems
- Looking for attack attempts or malicious activity
In this article, we will explain how to install Wireshark on the Ubuntu system. The installation procedures have been tested on Ubuntu 20.04 LTS.
- We have used the command-line Terminal for the installation procedure. You can launch the Terminal with the Ctrl+Alt+T keyboard shortcut.
- You must be the root user or have sudo privileges in order to install Wireshark and to use it to capture data on your system.
For installing Wireshark, you will need to add the “Universe” repository. Issue the following command in Terminal to do so:
$ sudo add-apt-repository universe
Now issue the following command in Terminal to install Wireshark on your system:
$ sudo apt install wireshark
When prompted for a password, type your sudo password.
After running the above command, you may be asked for confirmation; type y and then press Enter, after which the installation of Wireshark will start on your system.
During the installation of Wireshark, the following window will appear, asking whether you want to allow non-superusers to capture packets. Enabling it can be a security risk, so it is better to leave it disabled and press Enter.
Once the installation of Wireshark is completed, you can verify it using the following command in Terminal:
$ wireshark --version
If Wireshark has been installed successfully, you will see similar output displaying the installed version of Wireshark.
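The steps above can be scripted for an unattended install. The following is an added example, not a script from the original article: it adds the “Universe” repository, pre-answers the non-superuser capture prompt with “no” (the choice recommended above) through the debconf key the wireshark-common package uses for that dialog, installs the package, and then checks the installed version and that dumpcap carries no capture capabilities or setuid bit. The `version_from_output` sample input is a constructed line in the format `wireshark --version` prints; the helper names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): unattended Wireshark install
# on Ubuntu 20.04 that answers the "allow non-superusers to capture packets?"
# prompt with "no", matching the article's recommendation, then verifies it.
set -eu

# Debconf selection for the wireshark-common dialog shown during install.
PRESEED='wireshark-common wireshark-common/install-setuid boolean false'

install_wireshark() {
    sudo add-apt-repository -y universe
    sudo apt-get update
    # Record the answer first so apt never has to show the dialog.
    printf '%s\n' "$PRESEED" | sudo debconf-set-selections
    sudo DEBIAN_FRONTEND=noninteractive apt-get install -y wireshark
}

# Extract the bare version number from the first line of `wireshark --version`.
# Constructed sample input: "Wireshark 3.2.3 (Git v3.2.3 packaged as 3.2.3-1)"
version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^Wireshark \([0-9][0-9.]*\).*/\1/p'
}

# Confirm the prompt was answered "no": dumpcap should carry neither file
# capabilities nor a setuid bit, so only root/sudo can start a capture.
dumpcap_is_root_only() {
    bin=/usr/bin/dumpcap
    [ -x "$bin" ] || return 1
    if command -v getcap >/dev/null 2>&1 && [ -n "$(getcap "$bin")" ]; then
        return 1
    fi
    [ ! -u "$bin" ]
}

case "${1:-}" in
    install)
        install_wireshark
        ver=$(version_from_output "$(wireshark --version 2>/dev/null | head -n 1)")
        echo "Installed Wireshark ${ver:-unknown}"
        dumpcap_is_root_only && echo "dumpcap: capture restricted to root/sudo" \
                             || echo "dumpcap: non-root capture is enabled"
        ;;
    *) ;;  # no argument: only define the functions (e.g. when sourced)
esac
```

Run it as `sh install-wireshark.sh install`; without the argument it only defines the functions, so it can be sourced and the checks reused after a manual install.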
Now you are ready to launch and use Wireshark on your Ubuntu machine. In order to launch Wireshark, issue the following command in Terminal:
$ sudo wireshark
If you are logged in as the root user, you can also launch Wireshark from the GUI. Press the Super key and type wireshark in the search bar. When the Wireshark icon appears, click it to launch the application.
Remember that you will not be able to capture network traffic if you launch Wireshark without root or sudo privileges.
When the Wireshark opens, you will see the following default view:
Wireshark is a powerful tool with plenty of features. Here we will just go through the basics of two important features: packet capture and display filters.
In order to capture packets using Wireshark, follow the below simple steps:
1. From the list of available network interfaces in the Wireshark window, select the interface on which you want to capture packets.
2. From the toolbar at the top, click the start button to start capturing packets on the selected interface, as shown in the following screenshot.
If there is currently no traffic, you can generate some by visiting any website or by accessing a file shared on the network. After that, you will see the captured packets displayed in real time.
3. To stop capturing the packets, click the stop button as shown in the following screenshot.
In the above screenshot, you can see that the Wireshark window is divided into three panes:
1. The topmost pane lists all the packets captured by Wireshark.
2. The middle pane shows the header details of the selected packet, broken down by protocol layer.
3. The bottom pane shows the raw bytes of the selected packet.
As you have seen in the above screenshots, Wireshark displays a large number of packets for a single network activity. On a normal network, thousands of packets travel back and forth, and finding a specific packet among thousands of captured ones is very difficult. This is where Wireshark's display filter feature comes in.
With Wireshark display filters, you can display only the types of packets you are looking for. This narrows down the results and makes it easy to find what you need. You can filter the results based on protocol, source and destination IP address, port number, and other criteria.
Wireshark has a lot of pre-defined filters that you can make use of. When you start typing a filter name, Wireshark helps you by suggesting completions. To show only the packets containing a specific protocol, type the protocol name into the “Apply a display filter” field under the toolbar.
To display only the TCP packets among all the captured packets, type tcp. After entering the filter, you will see only the TCP packets.
That's how you install and use Wireshark on an Ubuntu 20.04 LTS system. We have only covered the basics of the Wireshark tool. To get a solid grasp of Wireshark, you need to go through all of its features and experiment with them.
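A display filter works on the fields that Wireshark's dissectors extract from each frame (the values shown in the middle pane), not on the raw bytes. The following Python script is an added example, not code from the original article or the Wireshark project: it builds a tiny capture file from constructed Ethernet/IPv4/TCP/UDP packets (RFC 5737 and private addresses, placeholder MACs), dissects each frame into Wireshark's real field names (`ip.addr`, `tcp.port`, `udp.dstport`, ...), and evaluates a small subset of the display-filter syntax (`proto` and `field == value`) against them. It also renders the bottom pane's hex view. Open the generated `constructed_sample.pcap` in Wireshark and type the same expressions into the “Apply a display filter” field to compare the frame numbers.

```python
"""Added example, not code from the original article: build a small capture
file from constructed packets, then apply Wireshark-style display filters to
it the way Wireshark does: dissect each frame into named fields (the middle
pane), then keep the frames the expression matches. Field names are
Wireshark's own; the filter syntax here is a small subset of Wireshark's.
"""
import socket
import struct


def ipv4(src, dst, proto, payload):
    """20-byte IPv4 header without options. Checksum is left 0; Wireshark
    does not validate IP checksums by default, so the frames still dissect."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def tcp(sport, dport, payload=b""):
    """20-byte TCP header: seq/ack 0, data offset 5, SYN flag, window 65535."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02,
                       65535, 0, 0) + payload


def udp(sport, dport, payload=b""):
    """8-byte UDP header; length covers header plus payload, checksum 0."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def ethernet(ip_payload):
    """Ethernet II frame with placeholder MACs and EtherType 0x0800 (IPv4)."""
    return bytes.fromhex("001122334455" "66778899aabb" "0800") + ip_payload


# Constructed sample traffic: the start of an HTTPS handshake, a DNS query
# and reply, and an inbound SSH SYN from a third host.
FRAMES = [
    ethernet(ipv4("10.0.0.2", "192.0.2.10", 6, tcp(51000, 443))),
    ethernet(ipv4("192.0.2.10", "10.0.0.2", 6, tcp(443, 51000))),
    ethernet(ipv4("10.0.0.2", "10.0.0.1", 17, udp(53000, 53, b"\x12\x34\x01\x00"))),
    ethernet(ipv4("10.0.0.1", "10.0.0.2", 17, udp(53, 53000, b"\x12\x34\x81\x80"))),
    ethernet(ipv4("10.0.0.9", "10.0.0.2", 6, tcp(40000, 22))),
]


def write_pcap(path, frames):
    """Write classic libpcap format (magic, v2.4, link type 1 = Ethernet)."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, frame in enumerate(frames):
            # Per-record header: ts_sec, ts_usec, captured length, original length.
            f.write(struct.pack("<IIII", 1_600_000_000 + i, 0, len(frame), len(frame)))
            f.write(frame)


def dissect(frame):
    """Return the named fields a display filter can reference for one frame."""
    fields = {"frame.len": len(frame),
              "eth.type": struct.unpack("!H", frame[12:14])[0]}
    if fields["eth.type"] != 0x0800:
        return fields
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    fields["ip"] = True
    fields["ip.src"] = socket.inet_ntoa(ip[12:16])
    fields["ip.dst"] = socket.inet_ntoa(ip[16:20])
    fields["ip.addr"] = {fields["ip.src"], fields["ip.dst"]}  # either direction
    fields["ip.proto"] = ip[9]
    name = {6: "tcp", 17: "udp"}.get(ip[9])
    if name:
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        fields[name] = True
        fields[f"{name}.srcport"], fields[f"{name}.dstport"] = sport, dport
        fields[f"{name}.port"] = {sport, dport}
    return fields


def matches(fields, expr):
    """`proto` is true when that layer is present; `field == value` compares
    the dissected value (set-valued fields such as ip.addr match any member)."""
    if "==" in expr:
        name, value = (p.strip() for p in expr.split("==", 1))
        actual = fields.get(name)
        if actual is None:
            return False
        if isinstance(actual, set):
            return value in {str(v) for v in actual}
        return str(actual) == value
    return bool(fields.get(expr.strip()))


def apply_filter(frames, expr):
    """Return the 1-based frame numbers (as in the packet list pane) that pass."""
    return [n for n, frame in enumerate(frames, 1) if matches(dissect(frame), expr)]


def hexdump(frame, width=16):
    """Render raw bytes the way the bottom pane does: offset, then hex bytes."""
    return "\n".join(f"{off:04x}  {frame[off:off + width].hex(' ')}"
                     for off in range(0, len(frame), width))


if __name__ == "__main__":
    write_pcap("constructed_sample.pcap", FRAMES)  # open this file in Wireshark
    for expr in ("tcp", "udp", "tcp.port == 443", "ip.addr == 10.0.0.1"):
        print(f"{expr:22} -> frames {apply_filter(FRAMES, expr)}")
    print(hexdump(FRAMES[0]))
```

With this sample, `tcp` keeps frames 1, 2 and 5 while `udp` keeps 3 and 4, which is exactly what Wireshark shows for the generated file; `ip.addr == 10.0.0.1` matches both directions of the DNS exchange because `ip.addr` is a pair of values, the same reason that filter behaves differently from `ip.src` in Wireshark.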