Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Wireshark Network Security

You're reading from   Wireshark Network Security A succinct guide to securely administer your network using Wireshark

Arrow left icon
Product type Paperback
Published in Jul 2015
Publisher
ISBN-13 9781784393335
Length 138 pages
Edition 1st Edition
Arrow right icon
Author (1):
Arrow left icon
Piyush Verma Piyush Verma
Author Profile Icon Piyush Verma
Piyush Verma
Arrow right icon
View More author details
Toc

The Wireshark interface – Before starting the capture

Let's get started with various aspects of the Wireshark interface.

Title

This contains the default title of Wireshark along with the current version in use. To enable or disable the title, navigate to Edit | Preferences | User Interface and modify the option Welcome screen and title bar shows version to suit your requirement. To modify the title, navigate to Edit | Preferences | User Interface | Layout and enter a suitable title in the Custom window title field as shown in the following figure:

Title
Title

Note

Note: This will be appended to the current title as shown in the preceding screenshot.

Menu

The Menu bar hosts the features of Wireshark, all categorized under suitable titles. These options will be taken up as and when required during the course of this book. As an example, you can look at the authors involved in the development of Wireshark by navigating to Help | About Wireshark and selecting the Authors tab.

Menu

This is how it will look:

Menu

Main toolbar

The main toolbar contains the icons for more frequently used items in Wireshark. You will note that some options are grayed out. This is because not all the options are available in the current context. Once we start the capture, we will see most of them highlighted and available for use.

Main toolbar

Filter toolbar

Filter toolbar

Filtering the traffic can help analysts find a needle in a haystack. There are two types of filtering options available in Wireshark. One is called capture filters, and the second is called display filters.

Capture filters define which frames will be captured and sent to Wireshark's capture engine for processing and later displayed in Wireshark, while display filters define which frames are displayed after they are captured. We can redefine display filters without restarting the capture, which is not the case for capture filters; hence, we need to be cautious with their usage. The Expression option on the side helps us create the filter expressions in an easy way, as there is a huge list of filters, and we don't need to waste our time memorizing them.

Wireshark aids by providing visual indicators whether or not a filter used by us is correct (accepted by Wireshark), by changing the background color to red (wrong filter expression) and to green (correct filter expression) as shown in the following screenshot:

Filter toolbar

Wrong filter

This is the correct filter will look something like this:

Filter toolbar

Correct filter

Note

You may notice that sometimes the filter shows a yellow background. This might be due to the fact that the filter expression which you entered is not working as expected. An example could be using Filter toolbar instead of the correct filter, that is, Filter toolbar.

Once the filter expression is ready, you can either press ENTER, or click on Apply for that filter to be applied on the selected list of packets, and you can remove the current filter expression by clicking on Clear.

Note

Applying display filters on a large capture might take some time, and the progress is visible.

After spending some time creating filters, you will notice that you are combining a lot of them using multiple AND (&&) and OR (||) statements and would also want to use the same filter expression in another capture file. For this purpose, you can save your filters in Wireshark, using the Save button at the extreme right of filter toolbar.

Filter toolbar

Filter to see only HTTP GET requests made by 192.168.20.130

Capture frame

This frame helps in identifying the interface to start capturing packets from and the associated options with those interfaces.

Capture frame

Here, at the capture frame, we have three ways to start capturing:

  • Interface List: If you're not sure about the active interface to use for capture, selecting this option is a good choice as it gives you a complete list of the available interfaces, IP addresses in use, and the number of packets transmitted per interface. Using this information, we can easily figure out which interface to use to capture traffic.
    Capture frame
    Simply Capture frame the interface, and click on Start to begin the capture.

    Note

    You may choose to click on Options before starting the capture. However, this will open the same capture options discussed in Capture Options.

  • Start: This is the simplest and quickest way to start the capture if you know the network interface(s) in question. All you need to do is select the interface(s) from the available list of interfaces and click on Start.
  • Capture Options: This is an advanced way to start a capture, as it provides tweaking capabilities before a capture is even started.
    Capture frame
    Here you can Capture frame an individual interface to capture or Capture frameCapture on all interfaces, to do exactly what it says.

    By clicking on Capture Filter, you can select/create any filter before capturing begins. After this, you have some options that can be tweaked to perform unattended captures. For example, we want to create multiple files of 200 KB and stop the capture automatically after 2 minutes. The following screenshot shows how this is done:

    Capture frame

    Configuring for multiple files

    The following are the resultant files:

    Capture frame

    Multiple files

Note

Wireshark saves the filename in FileName_FileNumber_YEARMMDDHRMINSEC.pcap format.

For details regarding the other options on this frame please go to https://www.wireshark.org/docs/wsug_html_chunked/ChCapCaptureOptions.html.

Capture Help

The following is how the Capture Help menu looks and later on we will see a description of the available options under this menu.

Capture Help

Here, we have two options that can help us with capturing using Wireshark in an efficient manner. Clicking on these options will redirect the user to:

The Files menu

The following is how the Files menu looks and later on we will see a description of the available options under this menu.

The Files menu

This menu provides options to:

  1. Browse and open an already captured trace file.
  2. Click and open any recently opened file. The number of recent files to be listed here can be modified by going to Edit | Preferences | User Interface and then editing the Maximum recent files option to the value of choice.
    The Files menu
  3. Download sample capture files available at the official site (http://wiki.wireshark.org/SampleCaptures).

Online

As the name suggests, clicking on the options listed under this category redirects us to Wireshark's online resources.

The Status bar

The Status bar is used to display informational messages. It is divided into the following three sections:

  • The left side of the Status bar shows context-related information, which includes the colorized bullet indicating the current expert-info level and an option to edit or add capture comments.
  • The middle part shows the current number of packets and the load time.
  • The right side of the Status bar shows the current configuration profile in use. By default, there are three profiles present [Default, Bluetooth, and Classic], and one can always create and use new configuration profiles as required.
    The Status bar

    Status bar

You have been reading a chapter from
Wireshark Network Security
Published in: Jul 2015
Publisher:
ISBN-13: 9781784393335
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image