To capture data with Wireshark on a Linux system, run the program from the root account. E.g., on a CentOS Linux system, if you are logged into the system under a regular user account, you can open a Terminal window (by clicking on Applications, selecting Utilities, and then Terminal), type su - root, and then, once you have successfully logged into the root account at the shell prompt, type wireshark. Or, on Ubuntu Linux, you can type sudo wireshark at a command prompt.
When the program starts, you will see a window like the one below:
Under Start, you will see a list of available interfaces. Select the appropriate network interface by clicking on it. In the case of the example above, enp4s0 is the wired network interface. Or you can select the relevant interface for which you wish to capture network traffic by selecting Capture from the menu bar and then selecting Interfaces. You can then start capturing data on that interface by clicking on the green shark-fin icon on the tool bar at the top of the window or by clicking on Capture on the menu bar and then selecting Start.
If you then do something to create network traffic on that interface, e.g., visiting a website in a browser, you will see information on the packets observed on that interface appear in the Wireshark window.
In the middle pane of the Wireshark window, you can click on a plus sign to the left of a line to expand the line to see more information. Or you can double-click on a packet entry in the top line to see more information on that packet.
Wireshark will continue to capture packets until you click on the red square on the tool bar or select Capture from the menu bar and then select Stop.
You may see a lot of packets captured that aren't relevant to an issue you may be attempting to troubleshoot. To reduce the amount of data that is displayed, you can apply a filter. E.g., if I wanted to only see traffic to the HTTP port, i.e., well-known port 80, I could type tcp.port==80 in the Filter field. If you want to specify that you wish to filter on a port that is equal to a numeric value, you need to use two equals signs as the relational operator (in many computer languages, a single equals sign is used as an assignment operator, e.g., to assign a value to a variable, while double equals signs are used to test whether two things are equal, e.g., whether a variable's value is equal to a specific number or text string). Since network ports can be associated with either the Transmission Control Protocol (TCP) or the User Datagram Protocol (UDP), you specify the relevant network protocol by putting it before "port" in the filter, i.e., in this case tcp.port, since I know that HTTP and HTTPS use the TCP protocol of the Internet Protocol (IP) suite.
If you wish to filter by IP address, you can use a filter in the form ip.addr==xxx.xxx.xxx.xxx, where xxx.xxx.xxx.xxx is a relevant IP address, e.g., ip.addr==104.96.219.64.
If I want to include both the HTTP port and the HTTPS port in the displayed packets, I can put the word "or" or two vertical bars, i.e., ||, between the port specifications to represent a logical OR condition, i.e., a packet is displayed if either of the two conditions I'm separating with the word "or" or two vertical bars is true: tcp.port==80 or tcp.port==443, or equivalently tcp.port==80 || tcp.port==443.
To use a logical conjunction, i.e., to display packets only where both this condition and that condition are true, you can put the word "and" or two ampersands between the conditions. E.g., to specify that I only want to see traffic for a particular IP address, 93.184.216.34, when the traffic is to port 80, i.e., the well-known port for HTTP traffic, I can use ip.addr==93.184.216.34 and tcp.port==80 or ip.addr==93.184.216.34 && tcp.port==80, as shown below.
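As an added illustration (not from the original article), the following Python snippet mimics how Wireshark evaluates the display filters discussed above against a few constructed packet summaries: ip.addr and tcp.port/udp.port match either end of a packet, the tcp/udp prefix must agree with the packet's transport protocol, and "and"/&& binds tighter than "or"/||. The Packet type, the SAMPLE data and the function names are my own.

```python
import re
from collections import namedtuple

# A minimal packet summary; proto is "tcp" or "udp".
Packet = namedtuple("Packet", "src dst proto sport dport")

# Constructed sample traffic (not a real capture): HTTP request and reply,
# a DNS query, and an HTTPS request.
SAMPLE = [
    Packet("192.168.1.10", "93.184.216.34", "tcp", 51234, 80),
    Packet("93.184.216.34", "192.168.1.10", "tcp", 80, 51234),
    Packet("192.168.1.10", "192.168.1.1", "udp", 40000, 53),
    Packet("192.168.1.10", "104.96.219.64", "tcp", 51235, 443),
]

# Tokens: either spelling of the two operators, or one "field==value" test.
TOKEN = re.compile(r"\|\||&&|\bor\b|\band\b|[a-z.]+==[^\s|&]+")
OR_OPS, AND_OPS = ("or", "||"), ("and", "&&")

def match_term(pkt, term):
    """One comparison, evaluated as Wireshark does: ip.addr and tcp.port/udp.port
    match either end of the packet, and the prefix must name the packet's protocol."""
    if "==" not in term:
        raise ValueError(f"expected a comparison, got {term!r}")
    field, value = term.split("==", 1)
    if field == "ip.addr":
        return value in (pkt.src, pkt.dst)
    if field in ("tcp.port", "udp.port"):
        return pkt.proto == field[:3] and int(value) in (pkt.sport, pkt.dport)
    raise ValueError(f"unsupported field: {field}")

def matches(pkt, expr):
    """Evaluate a whole filter; 'and' binds tighter than 'or', as in Wireshark."""
    tokens = TOKEN.findall(expr)
    if len(tokens) % 2 == 0 or "".join(tokens) != "".join(expr.split()):
        raise ValueError(f"malformed filter: {expr!r}")
    any_group, this_group = False, True      # or-of-and-groups accumulator
    for i, tok in enumerate(tokens):
        if i % 2 == 0:                        # a comparison
            this_group = this_group and match_term(pkt, tok)
        elif tok in OR_OPS:                   # close the current and-group
            any_group, this_group = any_group or this_group, True
        elif tok not in AND_OPS:
            raise ValueError(f"malformed filter: {expr!r}")
    return any_group or this_group

def filter_packets(expr, packets=SAMPLE):
    """Return the indices of the packets the display filter would keep."""
    return [i for i, p in enumerate(packets) if matches(p, expr)]
```

Note that tcp.port==80 keeps both the request and the reply, because the port test matches whichever end of the connection carries port 80, while tcp.port==53 keeps nothing here because the DNS query is UDP.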