In this tutorial, we will discuss Wireshark's interfaces in complete detail. If you are into cyber security, or want to get into it at some point in the near future, then you will know what I am talking about. After basic network analysis, you are ultimately faced with the decision of whether to carry on with the prominent Wireshark or with other network and data monitoring tools such as CloudShark and Sysdig. Among these three tools, Wireshark is the preferred one, providing a decent interface that lets us separate data by various criteria and then examine how packets move.
What is Wireshark?
It is one of the most widely used network protocol analyzers and the go-to standard for many large-scale commercial projects and non-profit organizations. Since its inception in July 1998, government agencies and software houses have used this tool extensively. Wireshark lets you see what is happening on your network at a microscopic level.
How to Use Wireshark Interface [Complete Tutorial with examples]
The DevTools in many browsers, including Chrome, Firefox and Edge, allow only a limited set of operations on your main data network, and only while an internet connection is available. Wireshark resolves this problem by capturing offline traffic too, which is why developers have come to love it for its many impressive, cross-platform features.
However, let's not stray from our main topic. Interfaces are one of the most fundamental differences to weigh when choosing a tool for working with protocols and networks, and, as you guessed, that is what we are going to talk about here.
Be that as it may, along with its many pros, Wireshark comes with a few cons too. It presents the user with a great many options at once, so a novice can find the tool quite complex to navigate. Your home screen may look slightly different from that on other operating systems, because Wireshark is built for a number of platforms with different screen managers, styles and software versions. Fortunately, the features and functionality remain the same regardless of the OS. The interface that differs most from the rest is the CLI (Command Line Interface).
Navigating to Home Screen
This horizontal section (the menu bar) gives you access to the 11 main menus, from file management to capture filters and help. Let's take you on a ride through these.
When working with the Wireshark interface, File is the go-to menu as it has all of the tasks commonly associated with working with a file, as shown below.
The Edit menu allows you to find and mark packets, set a time reference, copy items, create a configuration profile, or modify preferences. The following is a screenshot of the Edit menu:-
As you can see in the screenshot, there are many options. The following discussion outlines ways to copy various items and find packets within Wireshark.
Copying Item and Finding Packets
While analyzing packets, you may see an item or value you would like to copy. Wireshark makes this easy to accomplish as the Copy menu choice has many submenus to further define copy options. In addition, we'll see how we can locate a specific packet or a string value within the capture.
The Copy submenu has the following options to select from:-
- Value: This copies the selected value, such as an IPv4 address.
- As Filter: This will create a filter based on the IPv4 address you selected or any other value. You can then paste the filter in the display filter area, press Enter, and Wireshark will run the filter.
Within the Edit menu choice, there are a few groupings of selections. We'll start with the first grouping, which offers ways to find packets:-
- Find Packet: This is where you can search for specific packets and even find string values within a packet capture.
- Find Next: If Wireshark finds what you are looking for, Find Next will go to the next instance.
- Find Previous: If Wireshark finds what you are looking for, Find Previous will go back to the previous packet.
Marking and Ignoring Packets
While working with packets, you might find and mark packets that are interesting, so you can return to them at a later date. In addition, you may want to ignore specific packets. This next grouping of selections offers ways to mark packets:-
- Mark/Unmark Packet: This allows you to mark a specified packet or packets, which turns the packet(s) black for easy visual reference.
- Mark All Displayed: This will mark all displayed packets, meaning that if you used a display filter, Wireshark will only mark the packets that are displayed.
- Unmark All Displayed: If all displayed packets are already marked then this will unmark all displayed packets.
- Next Mark: When packets are marked, this option allows you to move to the next marked packet.
- Previous Mark: When packets are marked, this option allows you to navigate back to the previous marked packet.
In addition to marking packets to identify items of interest, you may want to ignore specific packets. The following shows how you can select specific packets to ignore while doing your analysis:-
- Ignore/Unignore Packet: This allows you to select a packet and, once selected, it will be as if the packet never existed, and it won't show up in statistics or a flow graph; it's simply ignored. Once you select ignore, the packet line will have a reference reading <Ignored>, as shown here:-
- Ignore All Displayed: This will ignore all displayed packets, meaning if you used a display filter, Wireshark will ignore only the displayed packets.
- Unignore All Displayed: If the displayed packets are ignored, when selected, Wireshark will unignore all displayed packets.
Setting a Time Reference
In your analysis, you may have a group of packets where you want to see exactly how long the delay was within those packets. In Wireshark, you can set a time reference on the packet where you think the trouble began and watch the time values to see gaps in the transmission.
Wireshark provides a variety of ways to set a time reference and then offers ways to navigate through the time references:-
- Set/Unset Time Reference: This allows you to set/unset a time reference.
- Unset All Time References: This will unset all time references.
- Next Time Reference: Once a reference is set, this allows you to navigate to the next time reference.
- Previous Time Reference: Once a reference is set, this allows you to navigate to the previous time reference.
- Time Shift: This is the option to use when you need to adjust the time reference. For example, if you are examining two captures that each used a different file format - that is, one file used NTP (short for Network Time Protocol) and the other used PTP (short for Precision Time Protocol) - you may want to do a time shift. Selecting this option launches a dialog box where you can set your values, as shown here:-
The last option shows where you can undo all shifts if you get unexpected results.
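The time reference, gap-spotting and time shift behaviour described above, reproduced as an added Python example (not code from the original post or from Wireshark itself); the packet timestamps are constructed sample data:

```python
"""Time references and time shifts on a packet list, mirroring what
Wireshark's Edit menu does. PACKETS is constructed sample data, not a real
capture; the gap between frames 3 and 4 stands in for a stalled transfer."""
from dataclasses import dataclass


@dataclass
class Packet:
    number: int
    abs_time: float       # capture timestamp, seconds since the Unix epoch
    shift: float = 0.0    # offset added by Time Shift; cleared by undo


PACKETS = [Packet(1, 1000.000), Packet(2, 1000.050), Packet(3, 1000.120),
           Packet(4, 1003.400), Packet(5, 1003.410), Packet(6, 1003.420)]


def time_since_reference(packets, references):
    """Return {frame: seconds since the nearest preceding time reference}.
    As in Wireshark, the first frame is an implicit reference and a
    referenced frame itself reads 0.0 (shown as *REF* in the GUI)."""
    ref_time, out = None, {}
    for p in sorted(packets, key=lambda p: p.number):
        t = p.abs_time + p.shift
        if ref_time is None or p.number in references:
            ref_time = t
        out[p.number] = round(t - ref_time, 6)
    return out


def largest_gap(packets):
    """(earlier frame, later frame, delay): the biggest inter-arrival gap,
    i.e. the packet on which you would set the time reference."""
    ordered = sorted(packets, key=lambda p: p.abs_time + p.shift)
    gaps = [((b.abs_time + b.shift) - (a.abs_time + a.shift), a.number, b.number)
            for a, b in zip(ordered, ordered[1:])]
    delay, a, b = max(gaps)
    return a, b, round(delay, 6)


def time_shift(packets, offset, frames=None):
    """Time Shift: add `offset` seconds to every frame, or only to `frames`,
    e.g. to align two captures whose clocks (NTP vs PTP) disagree."""
    for p in packets:
        if frames is None or p.number in frames:
            p.shift += offset


def undo_all_shifts(packets):
    """The dialog's last option: drop every shift and return to capture times."""
    for p in packets:
        p.shift = 0.0
```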
Personalizing Your Work Area
While working with a capture, you can record your changes by using comments. In addition, you can fine-tune the interface by creating a tailored configuration profile and/or modify individual settings using the Preferences menu:-
- Packet Comments: This allows you to include comments on a single packet.
- Delete all Packet Comments: This removes all comments.
- Configuration Profile: This allows you to create a customized profile, specific to your workflow. This is a powerful feature, as you can create several profiles, so they can be used for specific applications or clients.
- Preferences: This brings up the Preferences dialog box where you can alter the appearance and elements that influence the functionality of Wireshark. Here, you can adjust the font and color or even the layout, as shown in the following screenshot:-
Although the Edit menu is widely used, let's take a look at the View menu, so you can see the many ways to modify the look and feel of your capture during analysis.
The View menu is where you can alter the appearance of the captured packets, and it includes ways to colorize packets, expand the subtrees, or show a packet in a separate window:-
Let's start with ways to adjust the toolbars and panels and how to go into full-screen mode. If you would like to follow along, use the HTTP.cap file.
Enhancing the Interface
In Wireshark, there are several ways to alter and enhance the interface, such as how we view the toolbars and which panels we would like to be visible. We'll start at the top with the toolbars.
The toolbar section groups similar items together, as many menus do. In this section, you will see a list of the three available toolbars, as shown here:-
If you see a checkmark as shown in the preceding screenshot, that indicates the toolbar is visible. The toolbars are explained as follows:-
- Main Toolbar: This holds all of the commonly accessed icons.
- Filter Toolbar: This is where you will find the display filter.
- Status Bar: This is found at the bottom of the Wireshark screen. The Status Bar tells how many packets are captured and how many are displayed, what profile is applied, and the name of the file.
- Full Screen: This is used when we want Wireshark to go full screen, which will fill the current window.
Once you get used to the toolbars, you will see they provide a handy way to help you to navigate the interface. Now, let's take a look at the next grouping, which is the panel view, so you can modify what is visible on the screen. A checkmark indicates the panel is visible. If you do not want a panel to be visible, uncheck the panel and it will be hidden from view:-
- Packet List: This is a list of all of the captured packets, where each line represents a single packet.
- Packet Details: This displays the details of a single packet.
- Packet Bytes: This is a hexadecimal representation of a single packet.
The Go menu takes you to a specified packet. You can select options such as Next Packet, Previous Packet, First Packet and Last Packet to traverse the capture.
The Capture menu is used to manage captures and capture filters. You can start and stop a capture from this menu.
The Analyze menu lets you alter display filters to show relevant information, set up user-specific filters, and enable or disable protocol dissection.
The Statistics menu displays statistics windows, a packet summary, and statistics about the protocol hierarchy.
The Telephony menu displays statistics related to VoIP, such as media analysis, flow charts, and the protocol hierarchy.
The Wireless menu displays information about wireless communications, for instance WLAN and Bluetooth.
The Tools menu holds additional tools, such as those for firewall ACL rules.
The Help menu provides navigational help and the user manuals.
2) The Priority Toolbar (Main Settings)
This part allows you to quickly perform several actions from your screen. It mainly focuses on captures, packets and viewing insights.
3) The Filter Toolbar
You can rapidly alter and add display filters to your capture with this toolbar. Display filters let you focus only on the packets that are pertinent to what you are trying to observe among those you have collected, such as packets with particular static IP addresses, ports, or MAC addresses.
4) The Interface list
This is the primary location where the interfaces installed on your device are shown. You must choose an interface by clicking on it before you can capture packet data. On this screen, you can also select a capture filter and the kind of interface to display in the interface list. Opening a saved capture file or clicking on an interface takes you to the working screen.
Remember, Wireshark has to be launched with administrative permissions.
When you connect to an interface, a blue button in the top-left corner of the window becomes enabled, indicating that you can now begin capturing packets. When you click it, you will see a screen like the one demonstrated below.
Captured packets are likely to be highlighted in blue, black and green. Wireshark uses colours to make the different kinds of traffic easier to see at a glance. By default, green indicates TCP traffic, darker shades of blue indicate DNS traffic, and lighter shades of blue indicate UDP traffic. Moreover, black indicates problematic TCP packets. Ouch!!
Once the interface has been chosen, Wireshark begins to collect packets and displays a live list of them in the capture window. Wireshark keeps capturing live packets until we stop it manually. You can then use the analysis features to gain insights into different protocols. For developers, one of the most important properties remains the source and destination MAC addresses, as these are used to analyze traffic and speed for different regions. For instance, take a look below.
I know, nothing is more unpleasant than trying to figure out a tool while troubleshooting a network. The CLI rids you of that frustration by automating the process to an extent, but it throws you into even deeper and less visible puddles of data.
The most versatile interface menu is available to Linux users, with a list of more than 12 options to choose from. Some of the most prominent interface names in Linux are:
- ‘any’: lists all available interfaces, hidden and prioritized.
- ‘usb0’, ‘usb1’: USB interfaces.
- ‘wlan’: wireless local area network.
Nonetheless, Windows and Mac users aren't far behind either; the local operating system just does not allow as much to be seen, for security reasons obviously. Open source developers have found Windows to be the most user-friendly OS for operating Wireshark, one of the perks being the detection of wireless interfaces on the home screen.
TShark - Command Line Interface
For our hard-core developers, we'll also take a shallow dive into the Command Line Interface, TShark. The terminal version of Wireshark supports similar settings and is very helpful when a graphical desktop environment is not available.
Although a GUI is potentially much simpler to use, not all setups offer one, particularly server environments with command-line access only. As a result, at some point you will need to use a CLI as a network administrator or security engineer. It is worth remembering that TShark can occasionally be used instead of tcpdump: the two tools' traffic-capturing functionality is practically identical, but TShark is much more powerful. Many different commands can be used to capture traffic once a network interface has been selected.
- To see all available network interfaces, type tshark -D
- To start capturing live traffic on an interface, type tshark -i <interface>
- To view the built-in help, type tshark -help
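An added example, not part of the original article or of TShark itself, showing how TShark field output feeds the kind of scripted analysis the GUI cannot automate: it parses constructed sample output of the export command named in the docstring and rebuilds the per-MAC-pair conversation statistics discussed earlier, skipping ignored packets the way Edit > Ignore Packet does.

```python
"""Offline reproduction of Wireshark's Ethernet conversation statistics from
TShark field output, so the same analysis runs in a script or over ssh.
Assumed export command (TShark's -T fields mode):
    tshark -r capture.pcapng -T fields -E header=y -E separator=/t
           -e frame.number -e eth.src -e eth.dst -e frame.len -e _ws.col.Protocol
SAMPLE_TSHARK_OUTPUT below is constructed, not taken from a real capture."""
from collections import defaultdict

SAMPLE_TSHARK_OUTPUT = """\
frame.number\teth.src\teth.dst\tframe.len\t_ws.col.Protocol
1\taa:bb:cc:00:00:01\taa:bb:cc:00:00:02\t74\tTCP
2\taa:bb:cc:00:00:02\taa:bb:cc:00:00:01\t74\tTCP
3\taa:bb:cc:00:00:01\taa:bb:cc:00:00:02\t1514\tHTTP
4\taa:bb:cc:00:00:03\tff:ff:ff:ff:ff:ff\t60\tARP
5\taa:bb:cc:00:00:01\taa:bb:cc:00:00:02\t1514\tHTTP
"""


def parse_fields(text):
    """Turn header-prefixed, tab-separated tshark output into dict rows."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split("\t")
    rows = []
    for ln in lines[1:]:
        row = dict(zip(header, ln.split("\t")))
        row["frame.number"] = int(row["frame.number"])
        row["frame.len"] = int(row["frame.len"])
        rows.append(row)
    return rows


def mac_conversations(rows, ignored=frozenset()):
    """Frames and bytes per unordered MAC pair, like Statistics > Conversations.
    Frames listed in `ignored` are skipped, as Edit > Ignore Packet does."""
    stats = defaultdict(lambda: {"frames": 0, "bytes": 0})
    for r in rows:
        if r["frame.number"] in ignored:
            continue
        pair = tuple(sorted((r["eth.src"], r["eth.dst"])))
        stats[pair]["frames"] += 1
        stats[pair]["bytes"] += r["frame.len"]
    return dict(stats)


def top_talker(rows, ignored=frozenset()):
    """The MAC pair carrying the most bytes, and that byte count."""
    stats = mac_conversations(rows, ignored)
    pair = max(stats, key=lambda k: stats[k]["bytes"])
    return pair, stats[pair]["bytes"]
```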
In this article, we have gained some insight into Wireshark's interfaces and how to capture packets from them. Choosing an interface is entirely up to you and may depend on the volume of data and how far you want it to be processed. Finding the most relevant data and ignoring the irrelevant bits is the hardest part of packet analysis. As you get used to Wireshark, you will notice that there are interfaces you do not necessarily need; in that case, you can choose to hide them too.
Although graphical interfaces are simple, automated packet capture analysis cannot be done with them, and that is where the mighty CLI comes in. What's more, it is also ideal for ssh-based remote packet sniffing, which remains a topic for another day.