Wireshark is the most useful and popular tool for deep, packet-level network analysis and troubleshooting. Most importantly, it is open source. It is like a measuring device for finding and examining what is going on inside a network cable or port, just as an electrician uses a multimeter to examine what is going on inside an electric cable, but of course at a much deeper level.
Wireshark and similar software tools are not something very new. Such tools were available in the past as well, but they were very expensive and proprietary because they mostly ran on dedicated hardware (just as OTDRs and spectrum analysers still do today).
Wireshark Filters/Operators
Wireshark uses filters to capture and display packets. It has two types of filters:
i. Capture Filters
A capture filter selects which packets are saved to disk while capturing. For capture filters, Wireshark uses a special syntax called BPF (Berkeley Packet Filter), which runs in the kernel. With a capture filter in place, only packets that match its rules are captured. This reduces the amount of data saved, because the filter is applied before any full dissection of the packets has been done.
ii. Display Filters
Once a capture on a link is complete, we can use display filters to further refine which information we want to see and analyse. They are also useful when no capture filter was applied while capturing the traffic from the wire. Display filters work on fully dissected packets.
Below is an example with two ATech routers. I will first capture the traffic on the link between R1 and R2 using a capture filter, and then we will analyse the captured traffic using different display filters:
Both links are admin down, so nothing is captured at the moment:
As soon as I enable the interfaces, we will see ARP, LOOP and CDP frames. We could apply a capture filter to capture only CDP and LOOP (for this example, I will capture all three):
After the capture is complete, we can save it and then apply different display filters to view the packets of interest.
For example, we can apply a display filter to show only CDP data from R1's port (based on its MAC address), as below:
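To make the capture-filter versus display-filter distinction concrete, here is an added Python example (not code from the original page or from Wireshark). It builds a handful of constructed Ethernet frames of the kinds named above (ARP, LOOP, CDP from R1 and R2, plus an IPv4 frame), emulates a BPF capture filter that only compares bytes at fixed offsets, and then runs a display filter over fully dissected fields. The MAC addresses are placeholders, and the `capture_filter`, `dissect` and `apply_display_filter` functions are a simplified stand-in for Wireshark's own engine; the filter strings quoted in the comments are the real BPF and Wireshark display-filter syntax for these protocols.

```python
import struct

# Constructed sample frames (not a real capture): the three kinds of frame the
# text says appear on the R1-R2 link (ARP, LOOP, CDP) plus one IPv4 frame that
# the capture filter should drop. The MAC addresses are placeholders.
R1_MAC = bytes.fromhex("001122aabb01")
R2_MAC = bytes.fromhex("001122aabb02")
BROADCAST = b"\xff" * 6
CDP_MULTICAST = bytes.fromhex("01000ccccccc")   # 01:00:0c:cc:cc:cc, destination used by CDP
CISCO_OUI, CDP_PID = b"\x00\x00\x0c", 0x2000


def ethernet_ii(dst, src, ethertype, payload):
    """Ethernet II frame: 6-byte dst, 6-byte src, 2-byte EtherType, payload."""
    return dst + src + struct.pack("!H", ethertype) + payload


def llc_snap(dst, src, oui, pid, payload):
    """802.3 frame with an LLC/SNAP header (how CDP is carried): the 2-byte field
    after the addresses is a length, then AA AA 03, a 3-byte OUI and a 2-byte PID."""
    body = b"\xaa\xaa\x03" + oui + struct.pack("!H", pid) + payload
    return dst + src + struct.pack("!H", len(body)) + body


FRAMES = [
    ethernet_ii(BROADCAST, R1_MAC, 0x0806, b"\x00\x01\x08\x00\x06\x04\x00\x01" + b"\x00" * 20),  # ARP
    ethernet_ii(R1_MAC, R1_MAC, 0x9000, b"\x00\x00\x01\x00" + b"\x00" * 40),                    # LOOP
    llc_snap(CDP_MULTICAST, R1_MAC, CISCO_OUI, CDP_PID, b"\x02\xb4\x00\x00" + b"\x00" * 20),    # CDP from R1
    llc_snap(CDP_MULTICAST, R2_MAC, CISCO_OUI, CDP_PID, b"\x02\xb4\x00\x00" + b"\x00" * 20),    # CDP from R2
    ethernet_ii(R2_MAC, R1_MAC, 0x0800, b"\x45" + b"\x00" * 39),                                # IPv4
]


def capture_filter(frame):
    """Emulates the BPF capture filter
         ether proto 0x0806 or ether proto 0x9000 or ether[20:2] == 0x2000
    BPF only compares bytes at fixed offsets; nothing has been dissected yet."""
    if len(frame) < 14:
        return False
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype in (0x0806, 0x9000):
        return True
    return len(frame) >= 22 and struct.unpack_from("!H", frame, 20)[0] == 0x2000


def apply_capture_filter(frames):
    """What would reach the disk: only the frames matching the capture filter."""
    return [f for f in frames if capture_filter(f)]


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def dissect(frame):
    """Full dissection into named fields (a tiny stand-in for Wireshark's dissectors)."""
    pkt = {"eth.dst": mac_str(frame[:6]), "eth.src": mac_str(frame[6:12]), "proto": "unknown"}
    type_or_len = struct.unpack_from("!H", frame, 12)[0]
    if type_or_len >= 0x0600:                 # Ethernet II: the field is an EtherType
        pkt["eth.type"] = type_or_len
        pkt["proto"] = {0x0806: "arp", 0x9000: "loop", 0x0800: "ip"}.get(type_or_len, "unknown")
    elif frame[14:17] == b"\xaa\xaa\x03":     # 802.3 length field followed by LLC/SNAP
        pkt["eth.len"] = type_or_len
        oui, pid = frame[17:20], struct.unpack_from("!H", frame, 20)[0]
        pkt["snap.oui"], pkt["snap.pid"] = oui.hex(), pid
        if (oui, pid) == (CISCO_OUI, CDP_PID):
            pkt["proto"] = "cdp"
            pkt["cdp.version"], pkt["cdp.ttl"] = frame[22], frame[23]
        else:
            pkt["proto"] = "llc"
    return pkt


def apply_display_filter(frames, predicate):
    """Display filters run on dissected packets, so every decoded field is available."""
    return [p for p in map(dissect, frames) if predicate(p)]


def cdp_from(mac):
    """Equivalent of the Wireshark display filter:  cdp && eth.src == <mac>"""
    return lambda p: p["proto"] == "cdp" and p["eth.src"] == mac


if __name__ == "__main__":
    saved = apply_capture_filter(FRAMES)
    print(f"capture filter kept {len(saved)} of {len(FRAMES)} frames")
    for p in apply_display_filter(saved, cdp_from(mac_str(R1_MAC))):
        print(p)
```

The capture filter drops the IPv4 frame before it is ever stored, which is the data-volume saving described above; the display filter then narrows the four saved frames down to the single CDP frame sourced from R1's MAC, the same result the screenshot-based walkthrough shows.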
You can follow the Wireshark section of my website for more detail on operators, with examples.
Wireshark will show the packets sent or received by the local computer. If you want to see packets on other links going to other computers, then you will either need an Ethernet hub or configure your router to send you a copy of all packets. Commercial routers can do this, but consumer-grade routers cannot.
I want to see if Wireshark shows all traffic or if there is some firmware that hides some packets from it. How do I capture all packets in Wireshark?
Wireshark shows all the packets sent/received by the local computer. But if you want to see packets on other links on the network, then you will either need an Ethernet hub or configure your router to send you a copy of all packets. Most routers support it.
Why are WLAN packets translated to Ethernet packets by Wireshark?
Because IEEE 802.11 Wi-Fi uses the same framing as Ethernet with some additions, and usually that's Ethernet II.
Please have a look at the data encapsulation diagram and my YouTube channel for more clarification:
https://www.youtube.com/channel/UCA5vnifZXWur6gHyK81hsTA/?sub_confirmation=1
I'm a newbie with Wireshark and I want to know where I can find an extensive list of Wireshark abbreviations (e.g. PK, OFT2, MZ)?
You can get them in the Resource > Cheatsheet section on this ATech website.
Is it possible to capture packets between two devices on a Wi-Fi network? I need to know what data is passed between the two devices and how that is possible?
Yes, it is possible to capture wireless packets. It requires an adapter which supports monitor mode and is compatible with AirPcap.
If you are looking for detailed analysis, then use Kali Linux with an Alfa card.