Capturing some packets in Wireshark

The first steps to examining Ethernet traffic

There was a fair amount of commentary a couple of days ago when I introduced the Wireshark tool without actually getting into its feature set. My intention was to suggest some situations where the tool could be useful, mention the potential dangers of using the tool in the workplace, and recommend that readers first find out whether they’re allowed to use the tool at work, before getting into it. Apparently some readers out there thought that that was not enough information for a four-paragraph blog post. You may not have thought so if, like one of my seminar students a couple of years ago, you’d been fired for using this program at work! Also, please remember that these are serial blog postings and not full magazine articles. Anyway I’m as eager to get into it as you are, so let’s take a look at the first steps to making a Wireshark capture. (For the people who were interested in the slow domain controller boot issue, rest assured that I’ll get to that topic too.) Once you’ve got the program installed, you can start it up and see a top-level screen with several sections. For a quick start, just click the “Capture Options” link in the “Capture” section to the left of the screen. In the ensuing dialog box, choose the network interface whose traffic you’d like to capture. This is at the upper right. The IP address associated with that interface shows up below it. If you want to capture packets beyond the ones that are coming into your computer or going out of it, then you can check the “Capture packets in promiscuous mode” box; otherwise, clear this box so that you don’t capture a lot of irrelevant packets. One of the most important skills in using Wireshark is to limit what you actually capture, so that you don’t have to wade through unnecessary detail later. The next thing that you should set up in this dialog box is the capture file. I find it quickest to click the Browse.. button and specify a file name and location. If you want WireShark to open automatically when you doubleclick the capture file in the future, save it with the extenstion .PCAP. You can leave all the other settings in the Capture Options dialog box at their default values for now; we’ll talk about some of them after we get the basics down. Now do something over the network – such as opening a browser window, displaying the contents of a shared folder, and so forth. You should see some packets appearing in the Wireshark window. Once you have a few, click Capture > Stop. Now you’ve got some data to begin working with. In the next posting, we’ll take a look at what the displayed packets mean, and how you can begin making some sense of them.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2009 IDG Communications, Inc.