Wireshark for MOREnet Members

Getting Started

Installing Wireshark for Windows

Installable binaries are located at http://www.wireshark.org/download.html.

Preliminary Considerations

Customers using Wireshark on switched networks will capture only packets going to/from the local machine plus any broadcast traffic. To see all traffic in this configuration, customers must install a hub between the router Ethernet port and the uplink port on the switch and plug the Wireshark machine into the hub (see Figure 1). Alternatively, if the switch is a smart switch, customers can set up port spanning/port mirroring; check the switch's documentation to see whether this option is supported.

Figure 1: Switched network

Also remember that packet captures, especially captures of all packets to/from a network, can take up a lot of storage space, and large capture files require a lot of memory to open. Large packet captures sent to MOREnet for analysis may be rejected by MOREnet's mail server or may be too large to open. Try to keep capture files small by capturing only small amounts of traffic during the troubleshooting process. Capture filters also help keep capture sizes manageable.

Basic Packet Captures

Wireshark has three panes (see Figure 2).

  1. The first pane is the packet list pane. This pane displays a summary of each captured packet. Click a packet in this pane to display more detail in the other two panes.
  2. The second pane is the tree view pane. This pane displays more detail about the packet selected in the packet list pane.
  3. The third pane is the data view pane. This pane displays data from the packet selected in the packet list pane and highlights the field selected in the tree view pane.

Figure 2: The Wireshark Window

Basic Capture Filters

Capture filters can be used to capture only a particular type of network traffic.

Example: To only capture SMTP (mail) packets:

  1. Go to Capture > Capture Filters.
  2. Enter the filter name: SMTP filter
  3. Enter the filter string: dst port 25
  4. Click New.
  5. Click Save.
  6. Click Close.

Example: To only capture packets from a specific IP address:

  1. Go to Capture > Capture Filters.
  2. Enter the filter name: My machine
  3. Enter the filter string: host
  4. Click New.
  5. Click Save.
  6. Click Close.
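The two filter strings above differ in direction: "dst port 25" keeps only packets headed to port 25 (the client's side of the SMTP conversation) and drops the server's replies, while "host <address>" keeps both directions for that machine. The Python below is an added example, not part of the original MOREnet guide or of Wireshark, that re-implements a small subset of the libpcap capture-filter primitives (host, port, src/dst qualifiers, and/or) over constructed packet records so that difference can be checked offline; the addresses are constructed from the 192.0.2.0/24 documentation range.

```python
"""Added, constructed example (not MOREnet's or Wireshark's code): evaluates a
small subset of libpcap capture-filter syntax - host / port with optional src|dst
qualifier, joined by 'and'/'or' left to right - over simple packet records."""
from collections import namedtuple

# Packet record: IPv4 source/destination and TCP source/destination ports.
Packet = namedtuple("Packet", "src dst sport dport")
MAIL_SERVER = "192.0.2.25"  # constructed addresses (RFC 5737 documentation range)
MY_MACHINE = "192.0.2.10"
SAMPLE_PACKETS = [
    Packet(MY_MACHINE, MAIL_SERVER, 50123, 25),   # 0: outbound SMTP request
    Packet(MAIL_SERVER, MY_MACHINE, 25, 50123),   # 1: SMTP reply from the server
    Packet(MY_MACHINE, "192.0.2.53", 50124, 53),  # 2: unrelated DNS query
]


def _primitive(qualifier, kind, value, pkt):
    """Evaluate one primitive such as 'dst port 25' or 'host 192.0.2.10'."""
    if kind == "host":
        one_side = {"src": [pkt.src], "dst": [pkt.dst]}
        return value in one_side.get(qualifier, [pkt.src, pkt.dst])
    if kind == "port":
        one_side = {"src": [pkt.sport], "dst": [pkt.dport]}
        return int(value) in one_side.get(qualifier, [pkt.sport, pkt.dport])
    raise ValueError(f"unsupported primitive: {kind}")


def matches(expr, pkt):
    """True if pkt satisfies expr; 'and' binds tighter than 'or', no parentheses."""
    tokens, or_groups, and_terms, i = expr.split(), [], [], 0
    while i < len(tokens):
        qualifier = None
        if tokens[i] in ("src", "dst"):
            qualifier, i = tokens[i], i + 1
        if i + 1 >= len(tokens):
            raise ValueError(f"incomplete primitive in {expr!r}")
        and_terms.append(_primitive(qualifier, tokens[i], tokens[i + 1], pkt))
        i += 2
        if i < len(tokens):
            if tokens[i] == "or":
                or_groups.append(and_terms)
                and_terms = []
            elif tokens[i] != "and":
                raise ValueError(f"unexpected token {tokens[i]!r}")
            i += 1
    or_groups.append(and_terms)
    return any(all(group) for group in or_groups)


def select(expr, packets=SAMPLE_PACKETS):
    """Indices of the packets a capture started with this filter would keep."""
    return [n for n, pkt in enumerate(packets) if matches(expr, pkt)]
```

Running select("dst port 25") keeps only packet 0, so a troubleshooting capture made with that filter will never contain the mail server's responses; "port 25" or "host <mail server>" keeps both sides of the exchange.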

Once the filter has been saved, select the filter when starting a capture. To start a capture:

  1. Go to Capture > Options. The capture window (see Figure 3) will open.
  2. Click the Capture Filter button and select a filter from the list.

Figure 3: The Capture Options Window

Wireshark also allows users to filter captures "on the fly" by entering the filter in the Capture Filter field instead of selecting a saved filter (see Figure 4).

Figure 4: Filtering on the fly