Wireshark is cross platform and it is available for Linux, Windows and Mac OS. You get the same user experience in any operating system you use.
To learn more about Wireshark, visit the official website of Wireshark at https://www.wireshark.org
In this article, I will show you how to install Wireshark on Ubuntu and how to use it. I am using Ubuntu 18.04 LTS for the demonstration. But it should work on any LTS version of Ubuntu still supported at the time of this writing. Let’s get started.
Wireshark is available in the official package repository of Ubuntu 14.04 LTS and later. So it is really easy to install.
First update the APT package repository cache with the following command:
The APT package repository cache should be updated.
Now, Run the following command to install Wireshark on your Ubuntu machine:
Now press y and then press <Enter>.
By default, Wireshark must be started as root (can also be done with sudo) privileges in order to work. If you want to run Wireshark without root privileges or without sudo, then select <Yes> and press <Enter>.
Wireshark should be installed.
Now if you selected <Yes> in the earlier section to run Wireshark without root access, then run the following command to add your user to the wireshark group:
Finally, reboot your computer with the following command:
Now that Wireshark is installed, you can start Wireshark from the Application Menu of Ubuntu.
You can also run the following command to start Wireshark from the Terminal:
If you did not enable Wireshark to run without root privileges or sudo, then the command should be:
Wireshark should start.
Capturing Packets Using Wireshark:
When you start Wireshark, you will see a list of interfaces that you can capture packets to and from.
There are many types of interfaces you can monitor using Wireshark, for example, Wired, Wireless, USB and many external devices. You can choose to show specific types of interfaces in the welcome screen from the marked section of the screenshot below.
Here, I listed only the Wired network interfaces.
Now to start capturing packets, just select the interface (in my case interface ens33) and click on the Start capturing packets icon as marked in the screenshot below. You can also double click on the interface that you want to capture packets to and from to start capturing packets on that particular interface.
You can also capture packets to and from multiple interfaces at the same time. Just press and hold <Ctrl> and click on the interfaces that you want to capture packets to and from and then click on the Start capturing packets icon as marked in the screenshot below.
Using Wireshark on Ubuntu:
I am capturing packets on the ens33 wired network interface as you can see in the screenshot below. Right now, I have no captured packets.
I pinged google.com from the terminal and as you can see, many packets were captured.
Now you can click on a packet to select it. Selecting a packet would show many information about that packet. As you can see, information about different layers of TCP/IP Protocol is listed.
You can also see the RAW data of that particular packet.
You can also click on the arrows to expand packet data for a particular TCP/IP Protocol Layer.
Filtering Packets Using Wireshark:
On a busy network thousands or millions of packets will be captured each second. So the list will be so long that it will be nearly impossible to scroll through the list and search for certain type of packet.
The good thing is, in Wireshark, you can filter the packets and see only the packets that you need.
To filter packets, you can directly type in the filter expression in the textbox as marked in the screenshot below.
You can also filter packets captured by Wireshark graphically. To do that, click on the Expression… button as marked in the screenshot below.
A new window should open as shown in the screenshot below. From here you can create filter expression to search packets very specifically.
In the Field Name section almost all the networking protocols are listed. The list is huge. You can type in what protocol you’re looking for in the Search textbox and the Field Name section would show the ones that matched.
In this article, I am going to filter out all the DNS packets. So I selected DNS Domain Name System from the Field Name list. You can also click on the arrow on any protocol
And make your selection more specific.
You can also use relational operators to test whether some field is equal to, not equal to, great than or less than some value. I searched for all the DNS IPv4 address which is equal to 192.168.2.1 as you can see in the screenshot below.
The filter expression is also shown in the marked section of the screenshot below. This is a great way to learn how to write filter expression in Wireshark.
Once you’re done, just click on OK.
Now click on the marked icon to Apply the filter.
As you can see, only the DNS protocol packets are shown.
Stopping Packet Capture in Wireshark:
You can click on the red icon as marked in the screenshot below to stop capturing Wireshark packets.
Saving Captured Packets to a File:
You can click on the marked icon to save captured packets to a file for future use.
Now select a destination folder, type in the file name and click on Save.
The file should be saved.
Now you can open and analyze the saved packets anytime. To open the file, go to File > Open from Wireshark or press <Ctrl> + o
Then select the file and click on Open.
The captured packets should be loaded from the file.
So that’s how you install and use Wireshark on Ubuntu. Thanks for reading this article.