First packet capture
Let's get started with our first packet capture using Wireshark by following these steps:
- Launch Wireshark
- Select the correct interface to capture traffic. This can be done by navigating to the menu bar and clicking on Capture | Interfaces (or pressing Ctrl + I as a shortcut). Capturing needs the privileges set up when Wireshark was installed (administrator rights, or on Linux membership of the group that dumpcap is restricted to), so if no interfaces are listed, check that first. Once the Wireshark: Capture Interfaces window is open, perform the following steps:
- Select the Internet-facing interface (for example, Wi-Fi in my case). A good indication of the active interface is the Packets and Packets/s columns on the right-hand side of the window, as shown in the following screenshot:
- After selecting the interface, click on the Options button, as highlighted in the screenshot, and the Wireshark: Capture Options window pops up as shown in the following screenshot:
Tip
Enter host example.com in the Capture Filter field, as we only want to capture traffic to and from the domain example.com, and press Enter. Note that libpcap resolves the name to its IP address(es) when the filter is compiled, so the filter matches on address, not on the hostname seen in the traffic. We will discuss capture filters in detail in the next chapter.
- The next step is to let Wireshark run in the background, open a browser of your choice (for example, Mozilla Firefox in my case), and browse to example.com.
- Once example.com loads, navigate back to Wireshark and stop the packet capture by clicking on the Stop button in the main toolbar. Once stopped, the capture appears as shown in the following screenshot:
In the preceding screenshot, we can see Wireshark's menu bar, main toolbar, and filter toolbar, followed by three different panes and the status bar. The three panes are as follows:
- Packet List pane: This pane lists the packets captured by Wireshark with some basic details about each of them. For example, the first packet in our capture is the SYN packet of the TCP three-way handshake, sent from the client to the server.
Note
Please note that the packets displayed under this pane could be affected by the display filter, if any, used in the filter toolbar.
- Packet Details pane: If we select any packet in the Packet List pane, its details are shown in this pane. For example, after selecting the first packet in our capture, we can look at the packet at a more granular level, that is, the headers added at each networking layer (for example, the source and destination ports under the Transmission Control Protocol (TCP), which is the Transport layer of the TCP/IP model).
This pane shows the protocols and protocol fields in a tree format and also displays any links when the current packet in question has a relationship to another packet in the same capture (for example, a request and response relationship for a single communication).
- Packet Bytes pane: This pane displays the bytes of the selected packet in a hex dump format and is affected by what is selected in the previous pane, that is, the Packet Details pane.
- The final step is to save the captured packets. We can do this by navigating to the menu bar, clicking on File | Save and saving it with an appropriate name in the directory of your choice.
Congratulations! With this, we have successfully captured and saved our first trace file.
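To make concrete what the three panes display and what File | Save writes to disk, here is an added Python example (not code from this book or from the Wireshark project). It builds a constructed Ethernet/IPv4/TCP SYN frame like the first packet of our capture, dissects it into the one-line summary of the Packet List pane, the per-layer fields of the Packet Details pane and the hex dump of the Packet Bytes pane, applies what the host capture filter does once the name is resolved (match on IP address), and writes and reads back a classic pcap trace file that Wireshark can open. The MAC addresses, IP addresses, ports and sequence number are made up for the example, and the TCP checksum is left at zero.

```python
import os
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4          # classic libpcap magic; Wireshark opens this format directly
LINKTYPE_ETHERNET = 1
TCP_FLAGS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))

def checksum(data):
    """RFC 1071 ones' complement sum; yields 0 over a header that already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_syn(src_ip="192.168.1.10", dst_ip="93.184.216.34", sport=51234, dport=80, seq=0x11223344):
    """Constructed Ethernet/IPv4/TCP SYN frame; MACs, addresses, ports and seq are made up for the example."""
    eth = bytes.fromhex("66778899aabb") + bytes.fromhex("001122334455") + b"\x08\x00"   # dst, src, type IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]        # fill in the IPv4 header checksum
    # data offset 5 words, flags = SYN only, window 65535; the TCP checksum is left 0 in this toy
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 65535, 0, 0)
    return eth + ip + tcp

def dissect(frame):
    """Packet Details view: the fields of each layer, as a nested dict."""
    eth_dst, eth_src, eth_type = struct.unpack("!6s6sH", frame[:14])
    if eth_type != 0x0800:
        raise ValueError("example handles IPv4 only")
    ihl = (frame[14] & 0x0F) * 4
    ip_hdr = frame[14:14 + ihl]
    _, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip_hdr[:20])
    if proto != 6:
        raise ValueError("example handles TCP only")
    sport, dport, seq, ack, off, bits, window, _, _ = struct.unpack("!HHIIBBHHH", frame[14 + ihl:34 + ihl])
    mac = lambda raw: ":".join("%02x" % b for b in raw)
    return {
        "eth": {"dst": mac(eth_dst), "src": mac(eth_src), "type": eth_type},
        "ip": {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)), "ttl": ttl,
               "checksum_ok": checksum(ip_hdr) == 0},
        "tcp": {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
                "flags": [name for bit, name in TCP_FLAGS if bits & bit],
                "payload_len": total_len - ihl - (off >> 4) * 4},
    }

def summary(frame):
    """Packet List view: the one-line Info column Wireshark shows per packet."""
    d = dissect(frame)
    t = d["tcp"]
    return "%s -> %s TCP %d -> %d [%s] Seq=%d Win=%d Len=%d" % (
        d["ip"]["src"], d["ip"]["dst"], t["sport"], t["dport"], ",".join(t["flags"]),
        t["seq"], t["window"], t["payload_len"])

def hexdump(data, width=16):
    """Packet Bytes view: offset, hex bytes and printable ASCII, 16 bytes per row."""
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        rows.append("%04x  %-*s  %s" % (off, width * 3 - 1, " ".join("%02x" % b for b in chunk),
                                        "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)))
    return "\n".join(rows)

def host_filter(frames, address):
    """What 'host example.com' does once libpcap has resolved the name: keep frames to or from the address."""
    return [f for f in frames if address in (dissect(f)["ip"]["src"], dissect(f)["ip"]["dst"])]

def write_pcap(path, frames):
    """Save like File | Save: classic pcap, 24-byte global header then a 16-byte record header per frame."""
    with open(path, "wb") as fh:
        fh.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
        for i, frame in enumerate(frames):   # record header: ts_sec, ts_usec, incl_len, orig_len
            fh.write(struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame)

def read_pcap(path):
    """Read the trace back; refuses anything that is not a little-endian classic pcap."""
    with open(path, "rb") as fh:
        data = fh.read()
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a classic little-endian pcap file")
    frames, pos = [], 24
    while pos + 16 <= len(data):
        incl_len = struct.unpack("<IIII", data[pos:pos + 16])[2]
        frames.append(data[pos + 16:pos + 16 + incl_len])
        pos += 16 + incl_len
    return frames

def pcap_roundtrip(frames):
    """Save to a temporary trace file and read it back, returning the frames."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "first_capture.pcap")
        write_pcap(path, frames)
        return read_pcap(path)

if __name__ == "__main__":
    syn = build_syn()
    print(summary(syn)); print(dissect(syn)); print(hexdump(syn))
    print(len(host_filter([syn, build_syn(dst_ip="10.0.0.5")], "93.184.216.34")), "frame(s) pass the host filter")
    print("round trip ok:", pcap_roundtrip([syn]) == [syn])
```

Open the file written by write_pcap in Wireshark and the same three views appear: the summary line in the Packet List pane, the Ethernet, IPv4 and TCP trees in the Packet Details pane, and the hex dump in the Packet Bytes pane. Wireshark will also show the IPv4 header checksum as correct, since the frame fills it in, and the zero TCP checksum as unverified unless TCP checksum validation is turned on.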