What is Wireshark?
Wireshark is a free, open-source packet analyzer created by Gerald Combs; it was initially named Ethereal. When in doubt, run Wireshark. Wireshark is very similar to tcpdump but has the advantage of a very good GUI that greatly improves and simplifies its usage.
In this article I’m going to look at the most common Wireshark filters that I use when I’m troubleshooting with a network trace.
Sometimes only a network capture tells you what is really going on. Wireshark is available for x86 and x64 operating systems.
“But we have logs for troubleshooting! Why do I need Wireshark?” It is true that you have logs, but can you trust them? Packets never lie!
Wireshark is free to use and can be obtained at https://www.wireshark.org/. It must be installed on every computer that will be taking captures.
Once Wireshark is installed, taking a capture is easy.
- Click the options button to verify your configuration.
Ensure that “Enable promiscuous mode on all interfaces” is selected. This will cause Wireshark to also capture traffic that isn’t explicitly destined to, or sent from, the capture machine. Also ensure that no capture filters have been enabled.
Don’t set a filter on this screen, so that you capture as much data as possible. Rely on display filters after the capture to strip out unneeded data. It’s better to capture too much than not enough and be forced to capture again.
- Select the interface you would like to capture on, and then click Start.
- The capture pane should now start filling with the network traffic.
- Replicate the problem, and once completed click the stop capturing button.
- Save the capture file.
- Using POP as the display filter, I see the following. This message was not sent using TLS, so I can see all the communication in the clear.
- wlan_mgt: IEEE 802.11 wireless LAN management frame
- What if I want to filter on a certain field but do not know its name? The simplest way is to expand the packet, select the field in the Packet Display section and look at the Status Bar, which shows the field’s filter name.
In this case we selected the Do not fragment field, whose filter syntax is ip.flags.df == 1 (1 means set, 0 means not set).
- The Distribution System (DS) Status field represents the direction the frame is travelling in. Wireshark represents two unique fields as one display entry: From DS and To DS. When From DS is set to 1 and To DS is set to 0, the frame is travelling from the AP to the wireless network. When From DS is set to 0 and To DS is set to 1, the frame is travelling from a wireless client to the AP.
Here, I’ve set a coloring rule to make any packet travelling from the AP to the wireless network have a red foreground and a white background. From View > Coloring Rules you can add a new rule. By default the new rule goes to the top of the list, so move it down if you want. Once the coloring rule is in place, AP to wireless network traffic stands out immediately. The coloring method is far superior to digging into each packet and looking through the header.
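As an added example (not code from the original article), the following Python decodes the two fields discussed above straight from raw header bytes: the IPv4 Do not fragment bit behind ip.flags.df, and the 802.11 To DS / From DS bits behind the DS Status entry. The Wireshark field names wlan.fc.tods and wlan.fc.fromds are assumed from Wireshark's own naming, not taken from the article, and the sample frames are constructed, not captured. It goes beyond the two directions the text names by also classifying the 00 and 11 combinations.

```python
import struct

# 802.11 Frame Control is the first two bytes of the header; byte 1 holds the flags.
TO_DS = 0x01    # wlan.fc.tods   (assumed Wireshark field name)
FROM_DS = 0x02  # wlan.fc.fromds (assumed Wireshark field name)
# IPv4 offset 6 holds a 16-bit flags + fragment-offset word; 0x4000 is Don't Fragment.
DF_FLAG = 0x4000  # ip.flags.df

def ds_direction(frame: bytes) -> str:
    """Name the DS Status of an 802.11 frame as Wireshark's combined From DS / To DS entry does."""
    flags = frame[1]
    to_ds, from_ds = bool(flags & TO_DS), bool(flags & FROM_DS)
    if from_ds and not to_ds:
        return "AP -> wireless network"
    if to_ds and not from_ds:
        return "wireless client -> AP"
    if not to_ds and not from_ds:
        return "within BSS (management/control or ad hoc)"
    return "AP -> AP (WDS bridge)"

def ap_to_client(frame: bytes) -> bool:
    """Same test as the display filter: wlan.fc.fromds == 1 && wlan.fc.tods == 0."""
    return ds_direction(frame) == "AP -> wireless network"

def ip_df_set(ip_header: bytes) -> bool:
    """Same test as the display filter ip.flags.df == 1 on a raw IPv4 header."""
    flags_frag = struct.unpack_from("!H", ip_header, 6)[0]
    return bool(flags_frag & DF_FLAG)

# Constructed sample Frame Control fields (data frames unless noted).
SAMPLE_FRAMES = [
    bytes.fromhex("0802"),  # From DS=1, To DS=0  -> AP to wireless network
    bytes.fromhex("0801"),  # From DS=0, To DS=1  -> client to AP
    bytes.fromhex("8000"),  # beacon (management), neither bit set
    bytes.fromhex("0803"),  # both bits set (WDS)
]

def colour_red(frames):
    """Indices the article's coloring rule (AP -> wireless network) would highlight."""
    return [i for i, f in enumerate(frames) if ap_to_client(f)]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(f.hex(), "->", ds_direction(f))
    print("coloured red:", colour_red(SAMPLE_FRAMES))
    # Constructed 20-byte IPv4 header with DF set (checksum not validated).
    hdr = bytes.fromhex("4500002c1c4640004006b1e6c0a80001c0a800c7")
    print("ip.flags.df == 1:", ip_df_set(hdr))
```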