Filter Traffic in Wireshark


Introduction

In this lab, you will learn how to filter network traffic using Wireshark, an essential tool for network analysis and cybersecurity investigations. You'll practice capturing live packets, applying display filters to isolate specific traffic, and exporting filtered results for further examination.

The lab provides hands-on experience with Wireshark's core functionalities, from interface selection to traffic analysis. These skills will help you identify network patterns, troubleshoot connectivity issues, and detect potential security threats in network communications.


Install Wireshark

In this step, you will install Wireshark, a powerful network protocol analyzer that lets you examine network traffic in real-time. Think of it like a microscope for network communications - it captures packets traveling through your network and displays them in a readable format.

Before we begin, it's important to understand that Wireshark requires special permissions to capture network data. That's why we'll be configuring it carefully to work properly on your LabEx VM.

  1. First, we need to update the package list. This ensures your system knows about the latest available software versions:

    sudo apt update
  2. Now install Wireshark with this command. The -y flag automatically confirms the installation:

    sudo apt install -y wireshark
  3. During installation, Wireshark asks about non-superuser access. We configure this in advance using debconf (Debian configuration system) to allow regular users to capture packets:

    echo "wireshark-common wireshark-common/install-setuid boolean true" | sudo debconf-set-selections
  4. Next, we add your user to the 'wireshark' group. This grants the necessary permissions without requiring root access:

    sudo usermod -aG wireshark $USER
  5. Let's verify the installation worked by checking the version. This confirms Wireshark is properly installed:

    wireshark --version

    You should see output similar to:

    Wireshark 3.6.8 (Git v3.6.8 packaged as 3.6.8-1~ubuntu20.04.0)
  6. Group membership changes require a new login session. In a regular system you'd log out and back in, but in LabEx, simply open a new terminal tab for the changes to take effect.

Remember, these configuration steps are crucial because network monitoring tools like Wireshark need special permissions to access network interfaces, but we want to use them safely without always needing root access.

Choose a Network Interface

In this step, you will learn how to identify and select a network interface for packet capture in Wireshark. Network interfaces are the points of connection between your computer and the network. Think of them as doors through which network traffic enters and exits your computer. Each interface has a unique name and characteristics that determine what kind of traffic it can capture.

  1. First, let's list all available network interfaces on your system using Wireshark's built-in command. This helps you see all possible capture points before choosing one:

    wireshark -D

    You should see output similar to:

    1. eth0
    2. any (Pseudo-device that captures on all interfaces)
    3. lo (Loopback)

    The output shows interface names with numbers. 'eth0' is typically your physical Ethernet port, while 'lo' is for internal loopback traffic.

  2. For more detailed interface information, we can use the Linux ip command. This shows not just the names but also their current operational state:

    ip link show

    This will display all network interfaces with their current state (UP/DOWN). An interface must be UP to capture traffic.

  3. For our lab environment, we'll use the eth0 interface, which is typically the primary Ethernet interface in Linux systems. Before using it, let's verify its status to ensure it's active:

    ip link show eth0

    Look for "state UP" in the output to confirm the interface is active. If it shows DOWN, you'll need to troubleshoot the connection before proceeding.

  4. Now let's test capturing packets on this interface using Wireshark's terminal version (tshark). This quick test helps verify everything works before using the full GUI:

    sudo tshark -i eth0 -c 5

    This command captures 5 packets from the eth0 interface (-i specifies the interface, -c sets the packet count) and displays them in the terminal. sudo is used here because packet capture requires elevated privileges; once the wireshark group membership from the installation step is active in a new session, members of that group can capture without it.

  5. To start Wireshark in GUI mode (which we'll use in later steps for more advanced filtering):

    wireshark &

    In the Wireshark GUI, you'll see the list of available interfaces in the main window. The ampersand (&) runs Wireshark in the background so you can continue using the terminal.

Capture Live Traffic

In this step, you will learn how to capture live network traffic using Wireshark. Packet capture is the process of intercepting and logging network traffic, which allows you to analyze network communications in real-time. This is fundamental for network troubleshooting and security analysis.

  1. First, launch Wireshark in GUI mode from the terminal. The & symbol runs the command in the background so you can continue using the terminal:

    wireshark &
  2. When Wireshark opens, you'll see a list of available network interfaces. These represent the physical and virtual network connections on your machine. Select eth0 (the interface we identified in the previous step) by double-clicking it. This is typically your primary Ethernet interface.

  3. Wireshark will immediately start capturing all network traffic on this interface. The main window shows packets in three sections: the packet list (summary), packet details (protocol breakdown), and packet bytes (raw data in hex). Packets will appear in real-time as they're captured.

  4. To generate some test traffic for capture, open a new terminal and run a simple ping command. This sends ICMP echo requests to Google's DNS server (8.8.8.8):

    ping -c 4 8.8.8.8
  5. In Wireshark, you should now see ICMP packets appearing in the capture. These represent your ping requests and responses. Each packet row shows important metadata:

    • Packet number (sequence in capture)
    • Timestamp (when it was captured)
    • Source and destination IP addresses
    • Protocol (ICMP in this case)
    • Packet length in bytes
    • Brief info about the packet contents
  6. To stop the capture when you're done, click the red square "Stop" button in the toolbar. This freezes the display so you can examine the captured packets.

  7. To save your capture for later analysis:

    • Click "File" → "Save As"
    • Name the file ping_capture.pcapng (.pcapng is Wireshark's capture format)
    • Save it in your ~/project directory for easy access
  8. For command-line capture (useful for automation or remote systems), you can use tshark, Wireshark's command-line version. This command captures exactly 10 packets from eth0 and saves them:

    sudo tshark -i eth0 -w ~/project/cli_capture.pcap -c 10

    The -w flag specifies the output file, and -c limits the packet count.

Apply Display Filters

In this step, you will learn how to use Wireshark's display filters to focus on specific network traffic. Display filters help you analyze captured packets by showing only those that match your criteria. Think of them like search terms that let you quickly find the exact network conversations you're interested in among thousands of packets.

  1. First, open your previously saved capture file in Wireshark:

    wireshark ~/project/ping_capture.pcapng &

    This command opens Wireshark in the background (&) and loads your saved packet capture. The .pcapng file contains all the network traffic you previously recorded.

  2. To filter for ICMP traffic (ping packets), type this in the filter bar at the top:

    icmp

    Press Enter and you'll see only ICMP packets in the display. ICMP is the protocol used by ping commands, so this filter helps you isolate ping-related network activity from other traffic.

  3. To filter for traffic to/from a specific IP (like 8.8.8.8):

    ip.addr == 8.8.8.8

    This filter shows all packets where 8.8.8.8 appears as either the source or destination IP address. The double equals sign (==) is used for exact matches in Wireshark filters.

  4. Combine filters with logical operators:

    icmp && ip.addr == 8.8.8.8

    This shows only ICMP packets involving 8.8.8.8. The && operator means "AND", so both conditions must be true for a packet to be displayed.

  5. Some other useful filters:

    • HTTP traffic: http (shows web browsing activity)
    • DNS queries: dns (shows domain name lookups)
    • Traffic from specific source: ip.src == 192.168.1.1 (shows packets originating from this IP)
    • Traffic to specific destination: ip.dst == 8.8.8.8 (shows packets sent to this IP)
  6. To save your filtered view:

    • Click "File" → "Export Specified Packets"
    • Choose "Displayed" and save as filtered_ping.pcapng in ~/project

    This creates a new capture file containing only the filtered packets, which is useful for sharing specific traffic patterns or for further analysis.

  7. For command-line filtering (using tshark):

    tshark -r ~/project/ping_capture.pcapng -Y "icmp" -w ~/project/tshark_filtered.pcap

    This alternative method uses Wireshark's command-line version (tshark) to filter and save packets without opening the graphical interface. The -r flag reads the saved capture, the -Y flag specifies the display filter expression (the same syntax you used in the Wireshark GUI), and -w writes the matching packets to a new file.

Export Filtered Data

In this step, you will learn how to export filtered packet data from Wireshark in different formats for analysis and reporting purposes. Exporting data allows you to share your findings with colleagues or import the data into other analysis tools.

  1. First, open your filtered capture file in Wireshark. This assumes you've already captured and filtered packets in previous steps:

    wireshark ~/project/filtered_ping.pcapng &
  2. To export all displayed packets (after applying filters) in Wireshark's native format:

    • Click "File" → "Export Specified Packets" in the menu bar
    • Ensure "Displayed" is selected to only export packets matching your current filters
    • Save as exported_packets.pcapng in ~/project for later analysis
  3. Wireshark's command-line tool tshark lets you export data in various formats. Here are common examples:

    • For CSV format (useful for spreadsheet analysis):

      tshark -r ~/project/filtered_ping.pcapng -T fields -e frame.number -e ip.src -e ip.dst -E header=y -E separator=, > ~/project/packet_data.csv

      This exports packet numbers, source and destination IP addresses with column headers.

    • For detailed plain text output:

      tshark -r ~/project/filtered_ping.pcapng -V > ~/project/packet_details.txt

      This shows full packet details similar to Wireshark's interface.

  4. JSON format is useful for programmatic analysis. Export all packet data as JSON:

    tshark -r ~/project/filtered_ping.pcapng -T json > ~/project/packets.json
  5. After exporting, verify all files were created correctly by listing them:

    ls -lh ~/project/*.pcapng ~/project/*.csv ~/project/*.txt ~/project/*.json
  6. To quickly check how many packets were exported to your PCAPNG file:

    capinfos ~/project/exported_packets.pcapng | grep "Number of packets"

    This confirms your filter worked as expected by showing the packet count.
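As an added example (not part of the lab), the display-filter semantics from the previous step (a bare protocol name, ip.addr matching either endpoint, == for exact match, && for AND, || for OR) applied to a constructed document in the layout that tshark -T json writes: each packet appears under _source.layers, keyed by protocol layer, with fully qualified field names inside. The sample packets and addresses are constructed, and the small evaluator is an assumption for illustration, not Wireshark's own filter engine; tshark is not needed to run it.

```python
import json

# Constructed sample in the shape of `tshark -T json` output: one record per
# packet, layers keyed by protocol name, field names fully qualified.
SAMPLE_JSON = json.dumps([
    {"_source": {"layers": {"frame": {"frame.number": "1"},
        "ip": {"ip.src": "172.17.0.2", "ip.dst": "8.8.8.8"},
        "icmp": {"icmp.type": "8"}}}},                       # ping request
    {"_source": {"layers": {"frame": {"frame.number": "2"},
        "ip": {"ip.src": "8.8.8.8", "ip.dst": "172.17.0.2"},
        "icmp": {"icmp.type": "0"}}}},                       # ping reply
    {"_source": {"layers": {"frame": {"frame.number": "3"},
        "ip": {"ip.src": "172.17.0.2", "ip.dst": "8.8.8.8"},
        "udp": {"udp.dstport": "53"}, "dns": {}}}},          # DNS query
    {"_source": {"layers": {"frame": {"frame.number": "4"},
        "ip": {"ip.src": "192.168.1.1", "ip.dst": "172.17.0.2"},
        "tcp": {"tcp.srcport": "80"}, "http": {}}}},         # HTTP response
])

def load_layers(text):
    """Return the per-packet layer dicts from a tshark -T json document."""
    return [pkt["_source"]["layers"] for pkt in json.loads(text)]

def match_term(layers, term):
    """Evaluate one term: '!' negation, a bare protocol name, or field == value."""
    term = term.strip()
    if term.startswith("!"):
        return not match_term(layers, term[1:])
    if "==" not in term:
        return term in layers            # 'icmp' => the packet has an icmp layer
    field, value = (p.strip() for p in term.split("==", 1))
    ip = layers.get("ip", {})
    if field == "ip.addr":               # ip.addr matches source OR destination
        return value in (ip.get("ip.src"), ip.get("ip.dst"))
    proto = field.split(".", 1)[0]       # generic lookup: ip.src, tcp.srcport, ...
    return layers.get(proto, {}).get(field) == value

def match_filter(layers, expr):
    """Combine terms: '&&' binds tighter than '||', as in Wireshark."""
    return any(all(match_term(layers, t) for t in clause.split("&&"))
               for clause in expr.split("||"))

def apply_filter(text, expr):
    """Return the frame numbers a display filter would keep in the packet list."""
    return [int(l["frame"]["frame.number"]) for l in load_layers(text)
            if match_filter(l, expr)]

if __name__ == "__main__":
    for expr in ("icmp", "ip.addr == 8.8.8.8", "icmp && ip.addr == 8.8.8.8",
                 "ip.src == 8.8.8.8", "dns || http", "!icmp"):
        print(f"{expr:30} -> frames {apply_filter(SAMPLE_JSON, expr)}")
```

Point apply_filter at the text of ~/project/packets.json from the step above to try the same expressions against real exported packets.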

Summary

In this lab, you have learned how to filter network traffic using Wireshark through practical exercises. The key steps included installing Wireshark, configuring user permissions, identifying network interfaces, and capturing live traffic on the eth0 interface.

You have also practiced applying display filters to analyze specific packets and exporting filtered data. These skills provide a foundation for efficient network traffic analysis using Wireshark's powerful filtering capabilities.