Wireshark is an open-source network protocol analyzer, also known as a packet sniffer. Host analysis tools monitor an individual client or server, while network analysis tools focus on the packets that move across a network. Although there are numerous network analysis tools, Wireshark remains one of the most widely used for traffic analysis. Wireshark is quite easy to learn and takes a day at best, provided you understand what you are looking at.
The first thing you need to do is select the interface on which you want to start capturing packets. It is as simple as choosing Capture and then Start from the Wireshark home screen. If you want to look at packets you captured earlier, go to File -> Open and select the saved pcap file. You will see a great deal of data once you capture or open a previous capture, so you need to know how to narrow it down. You do that by applying display filters in the filter bar at the top of the window. Several comparison operators are available: equal, not equal, greater than, less than, contains, and matches. There are also different fields you can filter on, such as time, source and destination, port, server name, and protocol.
Let's do an example with DNS traffic. Go ahead and filter for DNS packets only. You shouldn't see anything at first unless there is DNS traffic. The Domain Name System, or DNS, is the protocol that turns domain names into IP addresses; it is essentially what allows browsers to find and reach web servers. After generating some DNS traffic, you should see a DNS packet appear.
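To show what Wireshark is actually doing when you filter on `dns` and then compare fields with the operators listed above, here is an added example (not code from the original article or from the Wireshark project) that parses a hand-built DNS query into the field names Wireshark uses, such as `dns.qry.name`, and evaluates one filter clause against them. The sample packet bytes and the `display_filter` helper are constructed for this illustration.

```python
import re
import struct

# Constructed sample (not a real capture): the UDP payload of a DNS query for
# example.com, type A, hand-assembled so the parser runs offline.
SAMPLE_QUERY = (
    b"\x12\x34"                  # transaction ID
    b"\x01\x00"                  # flags: standard query, recursion desired
    b"\x00\x01"                  # QDCOUNT = 1
    b"\x00\x00\x00\x00\x00\x00"  # ANCOUNT, NSCOUNT, ARCOUNT = 0
    b"\x07example\x03com\x00"    # QNAME as length-prefixed labels
    b"\x00\x01"                  # QTYPE = A
    b"\x00\x01"                  # QCLASS = IN
)

def parse_name(data, offset):
    """Decode length-prefixed labels into a dotted name (no compression pointers)."""
    labels = []
    while data[offset] != 0:
        length = data[offset]
        if length & 0xC0:
            raise ValueError("compression pointer not handled in this example")
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), offset + 1

def parse_dns(data):
    """Return the query fields, keyed by the Wireshark field names used in filters."""
    tid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    name, offset = parse_name(data, 12)
    qtype, qclass = struct.unpack("!HH", data[offset:offset + 4])
    return {
        "dns.id": tid,
        "dns.flags.response": int(bool(flags & 0x8000)),  # 0 = query, 1 = response
        "dns.count.queries": qd,
        "dns.qry.name": name,
        "dns.qry.type": qtype,
        "dns.qry.class": qclass,
    }

# The operators the article lists, applied to one parsed packet.
OPS = {
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
    "contains": lambda a, b: str(b) in str(a),
    "matches": lambda a, b: re.search(b, str(a), re.IGNORECASE) is not None,
}

def display_filter(fields, field, op, value):
    """Evaluate one 'field op value' clause the way a Wireshark display filter would."""
    return OPS[op](fields[field], value)
```

A clause such as `dns.qry.name contains "example"` in the Wireshark filter bar corresponds to `display_filter(parse_dns(SAMPLE_QUERY), "dns.qry.name", "contains", "example")` here.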