Tuesday 27 September 2011

Wireshark Tutorial | Capturing Packets

In last tutorial to wireshark we saw how to install wireshark on Linux system. In this following tutorial we will learn how to capture packets using wireshark. The buttons that are useful for capturing packets from network are located on topmost left side of window
.

To see available interfaces that can be used for capturing click on very first button. You can directly start capturing packets by clicking on start button of any working interface of your choice.

The second button will open capture options, same options will open if you would have clicked details button in interface list.
 Interface:
Allows you to select interface you want to use for sniffing. If you want to sniff remote system then you have to provide remote system's IP address, user-name and password (should be administrative account). It also allows null session capture but today hardly any OS is susceptible to null session, I can hardly say this option will work.

Link Layer Header Type:
Two types are available first Ethernet that all usually use and another type is DOCSIS. DOCSIS interface is for those who use internet over cable TV connection. If you do not use cable TV network for internet connection leave that option to default.

When you want to capture all traffic coming from LAN you should keep promiscuous option checked. Next option is packet capture in pcap-ng format. At present avoid using pcap-ng format for capturing packets since pcap-ng is in evolution phase and may give out unexpected output.
(PCAP-NG Packet Capture for Next Generation its a file dump format)
Buffer size is by default set to 1MB and that's good enough for most of the networks if your connection is really very fast that you encounter packet drop while capturing packets then increase its size else don't change default value.
You can set filters while capturing packets but we will discus it in next tutorial.
You can set option to split capture in multiple file but don't use it unless you have already set any filter. From name resolution enable all name resolution. You can press start sniffing by press start button on bottom of window.

Now as all settings are done we should start our first sniffing session. Now click on third button to start sniffing open your web browser and open any website for example www.google.com and see what is captured in wireshark.

0 comments:

Post a Comment

 
Tricks and Tips