Sniffing Packets with Wireshark

This guide walks you through capturing packets with Wireshark.
You need to know which network interface on your computer carries the traffic you want to capture. If you are not sure which one is in use, open a terminal and run:

ifconfig

Next, start Wireshark (capturing usually requires root privileges):

sudo wireshark

Make sure you capture on the active interface.

When you are done capturing, stop Wireshark by pressing Ctrl+E.

It is possible to follow a specific session. If you have recorded a fairly large pcap and want to see, for example, one specific visit to a website, set the display filter at the top left of Wireshark to

http

and press Enter.


Find the packet you are looking for by scrolling through the packet list.
Right-click on that packet and choose
Follow TCP Stream
A window with the reassembled contents of that session pops up.
Close the window and the packet list will show only the packets of that specific session. You can save them by going to the File menu, choosing
Save As...
and selecting the packet range

Displayed

before saving the file.
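Wireshark does this with the GUI; the following Python example (added here, not part of the original guide or of Wireshark) does the same thing programmatically so you can see what "Follow TCP Stream" plus "Save As... Displayed" actually selects: it parses a pcap, derives the direction-independent conversation key of a chosen packet, and writes a new pcap with only that conversation. The sample frames are constructed in memory (IPs from the documentation ranges, checksums left zero) so it runs offline.

```python
import struct

def tcp_packet(src, dst, sport, dport, payload=b""):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed sample, checksums zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # dummy MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp

def build_pcap(frames):
    """Classic libpcap file: 24-byte global header (linktype 1 = Ethernet) + records."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f   # ts_sec, ts_usec, incl_len, orig_len
    return out

def parse_pcap(data):
    """Yield (record_header, frame) for every packet in a classic pcap."""
    off = 24
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack_from("<IIII", data, off)
        yield data[off:off + 16], data[off + 16:off + 16 + incl]
        off += 16 + incl

def stream_key(frame):
    """Conversation key shared by both directions of a TCP session; None if not IPv4/TCP."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
    return frozenset({(frame[26:30], sport), (frame[30:34], dport)})

def follow_tcp_stream(data, packet_no):
    """Like Follow TCP Stream + Save As 'Displayed': keep only packet_no's (1-based) conversation."""
    records = list(parse_pcap(data))
    key = stream_key(records[packet_no - 1][1])
    kept = [hdr + f for hdr, f in records if key is not None and stream_key(f) == key]
    return data[:24] + b"".join(kept), len(kept)

# Constructed capture: one HTTP conversation (3 frames) interleaved with one TLS conversation (2 frames).
SAMPLE_PCAP = build_pcap([
    tcp_packet("192.0.2.10", "198.51.100.20", 40000, 80, b"GET / HTTP/1.1\r\n"),
    tcp_packet("192.0.2.10", "203.0.113.5", 40001, 443),
    tcp_packet("198.51.100.20", "192.0.2.10", 80, 40000, b"HTTP/1.1 200 OK\r\n"),
    tcp_packet("203.0.113.5", "192.0.2.10", 443, 40001),
    tcp_packet("192.0.2.10", "198.51.100.20", 40000, 80),
])

if __name__ == "__main__":
    filtered, count = follow_tcp_stream(SAMPLE_PCAP, 1)
    open("http_session.pcap", "wb").write(filtered)   # open this in Wireshark to check
    print(f"kept {count} of {len(list(parse_pcap(SAMPLE_PCAP)))} packets")
```

Following packet 1 keeps both directions of the port 80 session (3 packets) and drops the unrelated 443 session, which is exactly the set Wireshark writes when you save with "Displayed" after following the stream.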
