First Time Running Wireshark

.

102 First Time Running Wireshark

1) Welcome to Wireshark

If this is the first time you run Wireshark, you will see the above window containing a Welcome page.

In Linux system, Wireshark may advise you to log as a non-root user. Wireshark may display interface device permission error shown below.     The capture session could not be initiated on interface 'xxxxxx' (You don't have permission to capture on that device).     Please check to make sure you have sufficient permissions, and that you have the proper interface or pipe specified. This requires you to run the following superuser command. sudo setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/bin/dumpcap

2) Wireshark Network Analyzer

The graph shows active network interfaces.

If you hover the mouse on the graph, you will see the Address (MAC and IP)

You can test the addresses by pinging them in console window.

3) Capturing from selected network

The following screenshot shows a capture of a selected network.

4) Packet List Pane

Each line in the packet list corresponds to one packet in the capture file. If you select a line in this pane, more details will be displayed in the “Packet Details” and “Packet Bytes” panes.

While dissecting a packet, Wireshark will place information from the protocol dissectors into the columns. As higher level protocols might overwrite information from lower levels, you will typically see the information from the highest possible level only.

There are a lot of different columns available. Which columns are displayed can be selected by preference settings.

The default columns will show:

No. The number of the packet in the capture file. This number won’t change, even if a display filter is used. Time The timestamp of the packet. The presentation format of this timestamp can be changed. Source The address where this packet is coming from. Destination The address where this packet is going to. Protocol The protocol name in a short (perhaps abbreviated) version. Length The length of each packet. Info Additional information about the packet content.

The first column shows how each packet is related to the selected packet.

Related packet symbols.

Read further: https://www.wireshark.org/docs/wsug_html_chunked/ChUsePacketListPaneSection.html 

5) Packet Details Pane

The packet details pane shows the current packet (selected in the “Packet List” pane) in a more detailed form.

This pane shows the protocols and protocol fields of the packet selected in the “Packet List” pane. The protocols and fields of the packet shown in a tree which can be expanded and collapsed.

There is a context menu (right mouse click) available.

Some protocol fields have special meanings.

• Generated fields. Wireshark itself will generate additional protocol information which isn’t present in the captured data. This information is enclosed in square brackets (‘[’ and ‘]’). Generated information includes response times, TCP analysis, GeoIP information, and checksum validation.
• Links. If Wireshark detects a relationship to another packet in the capture file it will generate a link to that packet. Links are underlined and displayed in blue. If you double-clicked on a link Wireshark will jump to the corresponding packet.

Refer: https://www.wireshark.org/docs/wsug_html_chunked/ChUsePacketDetailsPaneSection.html 

6) Packet Bytes Pane

The packet bytes pane shows the data of the current packet (selected in the “Packet List” pane) in a hexdump style.

The “Packet Bytes” pane shows a canonical hex dump of the packet data. Each line contains the data offset, sixteen hexadecimal bytes, and sixteen ASCII bytes. Non-printable bytes are replaced with a period (‘.’).

Refer: https://www.wireshark.org/docs/wsug_html_chunked/ChUsePacketBytesPaneSection.html 

TERMS

A media access control address (MAC address), also called a physical address, of a computer which is a unique identifier assigned to network interfaces for communications on the physical network segment. MAC addresses are used as a network address for most IEEE 802 network technologies, including Ethernet and WiFi. MAC address - Wikipedia, the free encyclopedia https://en.wikipedia.org/wiki/MAC_address Wikipedia

What is IP address (Internet Protocol)? Webopedia Definition www.webopedia.com › TERM › I An IP address is an identifier for a computer or device on a TCP/IP network. Networks using the TCP/IP protocol route messages based on the IP address of the destination.

What is an IP address? | HowStuffWorks computer.howstuffworks.com/internet/basics/question549.htm There are two standards for IP addresses: IP Version 4 (IPv4) and IP Version 6 (IPv6).

SSDP Simple Service Discovery Protocol - The Wireshark Wiki https://wiki.wireshark.org/SSDP Wireshark Mar 14, 2016 - Simple Service Discovery Protocol (SSDP) The SSDP protocol can discover Plug & Play devices, with uPnP (Universal Plug and Play). SSDP uses unicast and multicast adress (239.255.255.250). SSDP is HTTP like protocol and work with NOTIFY and M-SEARCH methods.SSDP can be used over IPv4 and IPv6.

UDP User_Datagram_Protocol - The Wireshark Wiki https://wiki.wireshark.org/User_Datagram_Protocol Wireshark Jul 24, 2011 - User Datagram Protocol (UDP). The UDP layer provides datagram based connectionless transport layer (layer 4) functionality in the ...

HTTP Hyper_Text_Transfer_Protocol - The Wireshark Wiki https://wiki.wireshark.org/Hyper_Text_Transfer_Protocol Wireshark The HTTP protocol header is text-based, where headers are written in text lines. HTTP/1.1 allows for client-server connections to be pipelined, whereby multiple ...

Wireshark · Display Filter Reference: Canon BJNP https://www.wireshark.org/docs/dfref/b/bjnp.html Wireshark Protocol field name: bjnp ... bjnp.code, Code, Unsigned integer, 1 byte, 1.2.0 to 2.0.4 ...bjnp.session_id, Session Id, Unsigned integer, 2 bytes, 1.2.0 to 2.0.4.

.