LinuxCommandLibrary

wireshark

Analyze network traffic

SYNOPSIS

wireshark [ options ] [ filter ]

Common invocation examples:
wireshark -i eth0
wireshark -r captured.pcap -Y "http.request"
wireshark -k -i any -f "port 80 or port 443"

PARAMETERS

-i
    Specifies the network interface to capture packets from (e.g., eth0, wlan0, any).

-f
    Sets a capture filter using libpcap syntax (e.g., "port 80", "host 192.168.1.1"). This filters packets before they are written to the capture buffer, reducing overhead.

-Y
    Applies a display filter to the captured packets using Wireshark's display filter syntax (e.g., "tcp.port == 80", "ip.addr == 192.168.1.1 and http"). This filters what is shown in the GUI after capture.

-r
    Reads packet data from a previously saved capture file (e.g., .pcap, .pcapng).

-w
    Writes captured packet data to a file. This can be used for live captures or when saving an opened file to a new location.

-k
    Starts the capture immediately upon launch, bypassing the capture options dialog. This is useful for scripting or quick starts.

-v
    Prints the Wireshark version information to the console and then exits.

-h
    Displays the help message, listing all available command-line options and their descriptions.

DESCRIPTION

Wireshark is a free and open-source packet analyzer that provides a graphical user interface (GUI) for deep inspection of network protocols.

It allows users to capture live network traffic from various interfaces, such as Ethernet, Wi-Fi, and virtual interfaces, and then analyze the captured data in detail. Each packet can be drilled down to multiple layers, from the physical layer up to the application layer, revealing intricate details of the communication.

Wireshark is widely used by network administrators, security professionals, developers, and educators for network troubleshooting, analysis, software and protocol development, and security auditing. It supports hundreds of protocols and offers powerful filtering capabilities, both for live capture and post-capture analysis, making it an indispensable tool for understanding network behavior and diagnosing complex issues.

CAVEATS

To capture live network traffic, Wireshark often requires elevated privileges, typically root or membership in a specific user group (e.g., 'wireshark'). Running as root poses security risks; it's recommended to configure user groups for safe packet capture.

Wireshark is a GUI application and therefore requires an X display server to function. For command-line-only packet capture and analysis, the console-based counterpart tshark is the preferred tool.

Capturing large volumes of traffic on high-speed networks can consume significant system resources (CPU, RAM, disk I/O) and may lead to dropped packets if the system cannot process them quickly enough.

CAPTURE FILTERS VS. DISPLAY FILTERS

It's crucial to understand the difference between capture filters and display filters.
A capture filter (applied with -f) is set at the packet capture engine level (libpcap on Linux) and determines which packets are saved to the capture file or buffer. Because it is evaluated before Wireshark fully processes the packets, it is efficient for reducing file size and system load, but packets it rejects are never recorded at all.
A display filter (applied with -Y) is applied after packets have been captured and loaded into Wireshark's memory. It controls which packets are visible in the GUI, allowing complex, multi-layered filtering without discarding any of the raw captured data.
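As an added illustration of this distinction (example code written for this entry, not part of Wireshark or of the original page): the script below builds a small classic pcap file in memory from constructed frames with placeholder MAC and IP addresses, parses it the way -r would, and applies the same "web traffic" test once as a capture filter (the non-matching frame never reaches the file) and once as a display filter (every frame stays in the file, only matching ones are listed).

```python
import struct

# Constructed sample data: a minimal classic pcap file (the format that
# `wireshark -r` reads and `-w` writes), built in memory so this runs offline.
def build_pcap(packets):
    """Global header (magic, v2.4, snaplen 65535, link type 1 = Ethernet)
    followed by one 16-byte record header per frame."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in packets:
        out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame)
    return b"".join(out)

def tcp_frame(dst_ip, dport):
    """Ethernet + IPv4 (no options) + bare TCP SYN from placeholder 10.0.0.2:51000."""
    eth = b"\x00" * 12 + b"\x08\x00"            # zero MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 2]), bytes(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", 51000, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    return eth + ip + tcp

SAMPLE = build_pcap([(1, tcp_frame([93, 184, 216, 34], 80)),
                     (2, tcp_frame([93, 184, 216, 34], 443)),
                     (3, tcp_frame([10, 0, 0, 1], 22))])

def read_pcap(data):
    """Yield (timestamp, frame) for each record; handles both byte orders."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(data):
        ts, _, incl, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts, data[off:off + incl]
        off += incl

def dst_port(frame):
    """TCP destination port of an Ethernet/IPv4/TCP frame (IHL-aware)."""
    ihl = (frame[14] & 0x0F) * 4
    return struct.unpack("!H", frame[14 + ihl + 2:14 + ihl + 4])[0]

def is_web(frame):
    return dst_port(frame) in (80, 443)   # stands in for "port 80 or port 443"

def capture_filter(data, keep):
    """Like -f: frames failing the test are never written; the file shrinks."""
    return build_pcap([(t, f) for t, f in read_pcap(data) if keep(f)])

def display_filter(data, show):
    """Like -Y: every frame stays in the file; only matching numbers are shown."""
    return [n for n, (_, f) in enumerate(read_pcap(data), 1) if show(f)]
```

Write SAMPLE to a file and open it with wireshark -r to see the same three frames in the GUI; the capture-filtered copy is the only one that has lost the port-22 frame.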

PERMISSIONS FOR PACKET CAPTURE

To capture live network traffic, Wireshark needs to open network interfaces, usually in promiscuous mode. On most Linux systems this requires root privileges by default. However, it is safer and recommended to configure the system so that non-root users can capture packets. This is usually done by adding the user to a dedicated group (e.g., 'wireshark' or 'pcap'), restricting the dumpcap executable (which Wireshark uses internally for capturing) to that group, and granting dumpcap the capture capabilities it needs through file capabilities rather than making it setuid root, so that only this small helper, and never the GUI itself, runs with extra privileges. For example:
sudo usermod -a -G wireshark YOUR_USERNAME
sudo chgrp wireshark /usr/bin/dumpcap
sudo chmod 750 /usr/bin/dumpcap
sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap
Remember to log out and back in for group changes to take effect.

HISTORY

Wireshark's origins trace back to 1998 when Gerald Combs started developing Ethereal as a side project to troubleshoot network issues. Ethereal quickly gained popularity due to its powerful features and intuitive GUI. In June 2006, due to trademark issues, the project was officially renamed Wireshark. The development continued under the new name, maintaining its open-source nature and community-driven contributions, solidifying its position as the industry-standard network protocol analyzer.

SEE ALSO

tshark(1), tcpdump(1), netstat(8), ss(8), ifconfig(8)
