How to use Wireshark to capture and inspect network trace
Wireshark, a network analysis tool captures packets in real time and displays them in human-readable format. Wireshark includes filters, colour-coding and other features that let you dig deep into network traffic and inspect individual packets.
This tutorial will get you up to speed with the basics of capturing packets, filtering them, and inspecting them. You can use Wireshark to inspect a suspicious program’s network traffic, analyze the traffic flow on your network, or troubleshoot network problems.
Getting Wireshark
You can download Wireshark for Windows or Mac OS X from its official website. If you’re using Linux or another UNIX-like system, you’ll probably find Wireshark in its package repositories. For example, if you’re using Ubuntu, you’ll find Wireshark in the Ubuntu Software Center.
Capturing Packets
After downloading and installing Wireshark, you can launch it and click the name of an interface under Interface List to start capturing packets on that interface. For example, if you want to capture traffic on the wireless network, click your wireless interface. You can configure advanced features by clicking Capture Options, but this isn’t necessary for now.
As soon as you click the interface’s name, you’ll see the packets start to appear in real time. Wireshark captures each packet sent to or from your system. If you’re capturing on a wireless interface and have promiscuous mode enabled in your capture options, you’ll also see other the other packets on the network.
Click the stop capture button near the top left corner of the window when you want to stop capturing traffic.
Color Coding
You’ll probably see packets highlighted in green, blue, and black. Wireshark uses colours to help you identify the types of traffic at a glance. By default, green is TCP traffic, dark blue is DNS traffic, light blue is UDP traffic, and black identifies TCP packets with problems — for example, they could have been delivered out-of-order.
You’ll probably see packets highlighted in green, blue, and black. Wireshark uses colours to help you identify the types of traffic at a glance. By default, green is TCP traffic, dark blue is DNS traffic, light blue is UDP traffic, and black identifies TCP packets with problems — for example, they could have been delivered out-of-order.
You’ll probably see packets highlighted in green, blue, and black. Wireshark uses colours to help you identify the types of traffic at a glance. By default, green is TCP traffic, dark blue is DNS traffic, light blue is UDP traffic, and black identifies TCP packets with problems — for example, they could have been delivered out-of-order.
Filtering Packets
If you’re trying to inspect something specific, such as the traffic a program sends when phoning home, it helps to close down all other applications using the network so you can narrow down the traffic. Still, you’ll likely have a large amount of packets to sift through. That’s where Wireshark’s filters come in.
The most basic way to apply a filter is by typing it into the filter box at the top of the window and clicking Apply (or pressing Enter). For example, type “dns” and you’ll see only DNS packets. When you start typing, Wireshark will help you autocomplete your filter.
You’ll see the full conversation between the client and the server.
Inspecting Packets
Click a packet to select it and you can dig down to view its details.
Sample NTML handshake between SDP Server and client :
Steps to capture relevant data :
1) Set the filter as ip.addr == <client ip address>
2) Make sure the packet sequence matches the image given below
3) Now set the filter as ip.dst == <client ip address>
4) Now check for the first occurrence of HTTP/1.1 200 OK
5) Double click the packet and observe the time taken since request and make sure it's within acceptable limits.
New to ADSelfService Plus?
Related Articles
Unable to configuring a network drive as attachment path
Error Please make sure that file attachment path exits/available. Fix 1. Ensure you are able to access the network drive from MSP server with the same location provided in Self Service Portal Settings 2. Open services.msc Manage Engine ServiceDesk ...How do I schedule a backup over a network share?
You can configure a backup scheduling over a network share Click Admin -> Backup Scheduling under General block -> Edit Scheduling link on the right hand side of the page. Set the Backup location as \\Network server name\backup. NOTE: Please provide ...How to share a backup/file attachments over a network path
As i have mentioned the file attachments folder should be shared across a network path and the network path should be mentioned in the following format in the Admin->Self-Service Portal Settings. // Network server name/fileAttachments I have shared a ...How to use Account based support e-mail address ?
How can i raise a request through an Email and how it will be assigned to an Account? In your mail-server, create a user e-mail account to which all e-mails will be fetched. Create an e-mail alias for this e-mail account for each of your customer ...Unable to configure SAML using OneLogin -Uploaded Certificate is Invalid
Upon configuring SAML, if you come across the below errors: Uploaded Certificate is Invalid (Happens with .PEM cert generated in OneLogin) failed to update IdP details. Check logs for details Verify the below trace in the Logs: ...