Wireshark
Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education.
Installation
USE flags
USE flags for net-analyzer/wireshark (Network protocol analyzer (sniffer)); flags marked + are enabled by default:
+capinfos: Install capinfos, to print information about capture files
+captype: Install captype, to print the file types of capture files
+dftest: Install dftest, to display filter byte-code, for debugging dfilter routines
+dumpcap: Install dumpcap, to dump network traffic from inside wireshark
+editcap: Install editcap, to edit and/or translate the format of capture files
+filecaps: Use Linux file capabilities to control privilege rather than set*id (this is orthogonal to USE=caps, which uses capabilities at runtime, e.g. libcap)
+gui: Enable support for a graphical user interface
+mergecap: Install mergecap, to merge two or more capture files into one
+minizip: Build with zip file compression support
+netlink: Use dev-libs/libnl
+pcap: Use net-libs/libpcap for network packet capturing (build dumpcap, rawshark)
+plugins: Install plugins
+randpkt: Install randpkt, a utility for creating pcap trace files full of random packets
+randpktdump: Install randpktdump, an extcap interface to provide access to the random packet generator (randpkt)
+reordercap: Install reordercap, to reorder an input file by timestamp into an output file
+sharkd: Install sharkd, the daemon variant of wireshark
+text2pcap: Install text2pcap, to generate a capture file from an ASCII hexdump of packets
+tshark: Install tshark, to dump and analyze network traffic from the command line
+udpdump: Install udpdump, to get packets exported from a source (like a network device or a GSMTAP producer) that are dumped to a pcap file
+zstd: Enable support for ZSTD compression
androiddump: Install androiddump, an extcap interface to capture from Android devices
bcg729: Use media-libs/bcg729 for G.729 codec support in RTP Player
brotli: Enable Brotli compression support
ciscodump: Install ciscodump, an extcap interface to capture from a remote Cisco router
doc: Add extra documentation (API, Javadoc, etc). It is recommended to enable this per package instead of globally
dpauxmon: Install dpauxmon, an external capture interface (extcap) that captures DisplayPort AUX channel data from Linux kernel drivers
http2: Enable support for the HTTP/2 protocol
http3: Install net-libs/nghttp3 for enhanced HTTP/3 analysis
ilbc: Build with iLBC support in RTP Player using media-libs/libilbc
kerberos: Add Kerberos support
libxml2: Use dev-libs/libxml2 for handling XML configuration in dissectors
lua: Enable Lua scripting support
lz4: Enable support for lz4 compression (as implemented in app-arch/lz4)
maxminddb: Use dev-libs/libmaxminddb for IP address geolocation
opus: Enable Opus audio codec support
qt6: Build with Qt6 support instead of the default Qt5 for GUI support
sbc: Use media-libs/sbc for playing back SBC encoded packets
sdjournal: Install sdjournal, an extcap that captures systemd journal entries
selinux: !!internal use only!! Security Enhanced Linux support; this must be set by the selinux profile or breakage will occur
smi: Use net-libs/libsmi to resolve numeric OIDs into human readable format
snappy: Enable support for Snappy compression (as implemented in app-arch/snappy)
spandsp: Use media-libs/spandsp for G.722 and G.726 codec support in the RTP Player
sshdump: Install sshdump, an extcap interface to capture from a remote host through SSH
ssl: Add support for SSL/TLS connections (Secure Socket Layer / Transport Layer Security)
test: Enable dependencies and/or preparations necessary to run tests (usually controlled by FEATURES=test but can be toggled independently)
tfshark: Install tfshark, a terminal-based version of the FileShark capability
verify-sig: Verify upstream signatures on distfiles
wifi: Install wifidump, to dump and analyse 802.11 traffic
zlib: Add support for zlib compression
Emerge
root #
emerge --ask net-analyzer/wireshark
To install Wireshark with all of the extra features, the following USE flag should be enabled:
kerberos
Configuration
Permissions
Running Wireshark as root can be dangerous and is unnecessary. See the Wireshark Security page for more details.
As Wireshark captures from hardware, it needs permissions set to allow capturing. To use Wireshark as a normal user, add the user to the pcap group (replace ${LOGNAME} with the user's actual login name):
root #
gpasswd -a ${LOGNAME} pcap
To make the session aware of this new group without having to log in again, enter this command before launching wireshark:
user $
newgrp pcap
Wireshark over SSH
Requirements: a source system (the server to capture packets on) that you have SSH access to, with tcpdump installed and available to your user (either directly, or via sudo without a password); and a destination system (where graphical Wireshark runs) with wireshark installed and working, and mkfifo available. Procedure:
Capture traffic remotely over SSH and Wireshark (ssh)
Include -U to prevent buffering when using tcpdump instead of tshark.
user $
ssh root@server.com 'tshark -f "port !22" -w -' | wireshark -k -i -
Capture router traffic via wireshark (router)
Include -U to prevent buffering when using tcpdump instead of tshark.
user $
ssh root@192.168.1.1 tcpdump -i any -U -s0 -w - 'not port 22' | wireshark -k -i -
Capture network traffic via Wireshark (android)
This requires root on the Android device.
user $
adb shell su -c tcpdump -nn -i wlan0 -U -s0 -w - 'not port 5555' | wireshark -k -i -
Capture radio/sms/gsm traffic via wireshark (android)
This requires root on the Android device.
user $
adb exec-out "su -c tcpdump -i any -U -w - 2>/dev/null" | wireshark -k -S -i -
Techniques
Network Name Resolution
To automatically resolve IP addresses to domain names, open the preferences window from Edit -> Preferences, click the Name Resolution panel and select the Enable Network Name Resolution check box.
Enabling Network Name Resolution increases the captured traffic, because Wireshark issues additional DNS requests.
Filter packets to a specific IP Address
To see all incoming and outgoing traffic for a specific address, enter ip.addr == w.x.y.z in the filter box, replacing w.x.y.z with the relevant IP address. Additionally, to view only incoming traffic, replace ip.addr with ip.src; to view only outgoing traffic, replace ip.addr with ip.dst.
Terminal-based Wireshark
TShark is a network protocol analyzer. It lets you capture packet data from a live network, or read packets from a previously saved capture file, either printing a decoded form of those packets to the standard output or writing the packets to a file. TShark's native capture file format is pcapng format, which is also the format used by Wireshark and various other tools.
Without any options set, TShark works much like tcpdump: it uses the pcap library to capture traffic from the first available network interface and displays a summary line on the standard output for each received packet.
user $
tshark -h
For example, to capture packets across a specified network interface and save the results, enter
user $
tshark -i wlan0 -w capture-output.pcap
Replace wlan0 with the desired network interface and capture-output with the desired filename.
Color the output text similarly to the Wireshark GUI; this requires a terminal with 24-bit color support. The option also supplies color attributes to the PDML and PSML output formats.
user $
tshark -i any --color
Example Usage
- Show only HTTP content types that begin with "text"
user $
tshark -Y 'http.content_type[0:4] == "text"'
- Show only javascript
user $
tshark -i wlp2s0 -Y 'http.content_type contains "javascript"'
- Show all http with content-type="image/(gif|jpeg|png|etc)"
user $
tshark -Y 'http.content_type[0:5] == "image"'
- Show all http with content-type="image/gif"
user $
tshark -Y 'http.content_type == "image/gif"'
- Do not show HTTP content, only headers
user $
tshark -Y 'http.response != 0 || http.request.method != "TRACE"'
- To match IP addresses ending in 255 in a block of subnets (172.16 to 172.31)
user $
tshark -Y 'string(ip.dst) matches r"^172\.(1[6-9]|2[0-9]|3[0-1])\.[0-9]{1,3}\.255"'
- To match odd frame numbers
user $
tshark -Y 'string(frame.number) matches "[13579]$"'
- To see just the file header for any capture type, capture no packets and send the output to xxd.
- An easy way to capture no packets is to filter on the unused ipx protocol in the capture filter. This example uses -F pcap for the pcap file type.
user $
tshark -f ipx -a duration:1 -F pcap -w - 2>/dev/null | xxd -u
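The 24 bytes that command dumps are the libpcap global header. As an added example (not code from the original page), the following Python decodes such a header, handling both byte orders and the nanosecond-magic variant, and then walks the per-record headers that follow it in a real capture; the sample bytes are constructed inline, not taken from a capture.

```python
import struct

# libpcap magic, stored in the writer's native byte order; the classic value
# marks microsecond timestamps, the swapped variant nanosecond timestamps.
PCAP_MAGIC_USEC = 0xA1B2C3D4
PCAP_MAGIC_NSEC = 0xA1B23C4D
LINKTYPE_NAMES = {1: "LINKTYPE_ETHERNET", 101: "LINKTYPE_RAW", 113: "LINKTYPE_LINUX_SLL"}

def parse_pcap_global_header(data: bytes) -> dict:
    """Decode the 24-byte global header that `tshark -F pcap -w -` writes before
    any packet record: byte order, timestamp unit, version, snaplen, link type."""
    if len(data) < 24:
        raise ValueError("need at least 24 bytes for a libpcap global header")
    for endian in (">", "<"):  # the magic doubles as an endianness marker
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            break
    else:
        raise ValueError("not a libpcap file: magic %s" % data[:4].hex())
    major, minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    return {
        "byte_order": "big" if endian == ">" else "little",
        "timestamp_unit": "ns" if magic == PCAP_MAGIC_NSEC else "us",
        "version": "%d.%d" % (major, minor),
        "snaplen": snaplen,
        "linktype": linktype,
        "linktype_name": LINKTYPE_NAMES.get(linktype, "LINKTYPE_%d" % linktype),
    }

def count_pcap_records(data: bytes) -> int:
    """Walk the 16-byte record headers after the global header and count complete
    records; a truncated trailing record (incl_len past end of data) is not counted."""
    endian = ">" if parse_pcap_global_header(data)["byte_order"] == "big" else "<"
    offset, count = 24, 0
    while offset + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[offset + 8:offset + 12])[0]
        if offset + 16 + incl_len > len(data):
            break
        offset += 16 + incl_len
        count += 1
    return count

# Constructed sample, not a real capture: the little-endian header dumpcap writes on
# x86 (version 2.4, snaplen 262144, LINKTYPE_ETHERNET) plus one 4-byte record.
SAMPLE_LE_CAPTURE = (struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 262144, 1)
                     + struct.pack("<IIII", 1700000000, 0, 4, 4) + b"\xde\xad\xbe\xef")
# Constructed big-endian header with nanosecond timestamps and no records.
SAMPLE_BE_NSEC_HEADER = struct.pack(">IHHiIII", PCAP_MAGIC_NSEC, 2, 4, 0, 0, 65535, 113)
```

Feeding the real output of the tshark command above into parse_pcap_global_header shows the same fields xxd prints as raw hex.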
Print http data in a tree
user $
tshark -q -i any -Y http -z http,tree
=======================================================================================================
HTTP/Packet Counter:
Topic / Item             Count  Average  Min Val  Max Val  Rate (ms)  Percent  Burst Rate  Burst Start
-------------------------------------------------------------------------------------------------------
Total HTTP Packets       1                                             100%     0.0100      2.255
 HTTP Request Packets    1                                             100.00%  0.0100      2.255
  GET                    1                                             100.00%  0.0100      2.255
 Other HTTP Packets      0                                             0.00%    -           -
 HTTP Response Packets   0                                             0.00%    -           -
  ???: broken            0                                                      -           -
  5xx: Server Error      0                                                      -           -
  4xx: Client Error      0                                                      -           -
  3xx: Redirection       0                                                      -           -
  2xx: Success           0                                                      -           -
  1xx: Informational     0                                                      -           -
-------------------------------------------------------------------------------------------------------
Wireguard
WireGuard was initially started by Jason A. Donenfeld (zx2c4) in 2015 as a Linux kernel module. As of January 2020 it has been accepted into Linux v5.6. Support for other platforms (macOS, Android, iOS, BSD, and Windows) is provided by the cross-platform wireguard-go implementation.
Filter WireGuard traffic while capturing
user $
tshark -i any 'udp[8:1] >= 1 and udp[8:1] <= 4 and udp[9:1] == 0 and udp[10:2] == 0'
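That capture filter keys on the WireGuard message header: udp[N] counts from the start of the UDP header, so udp[8] is the message-type byte (1 to 4) and udp[9:1] plus udp[10:2] are the three reserved bytes that are always zero. The following Python is an added example (not part of the original page) that applies the same offsets to constructed UDP datagrams, including a DNS query that fails the filter and a look-alike payload that passes it, which is why the filter is a heuristic rather than proof of WireGuard traffic.

```python
import struct
from typing import Optional

# WireGuard message types: the first byte of the UDP payload, followed by
# three reserved bytes that are always zero in a conforming message.
WG_MESSAGE_TYPES = {1: "handshake_initiation", 2: "handshake_response",
                    3: "cookie_reply", 4: "transport_data"}

def matches_wireguard_capture_filter(udp_datagram: bytes) -> bool:
    """Evaluate the capture filter
    'udp[8:1] >= 1 and udp[8:1] <= 4 and udp[9:1] == 0 and udp[10:2] == 0'
    in Python. udp[N] counts from the start of the UDP header, so udp[8] is
    the first payload byte and udp[9:1] plus udp[10:2] are the reserved bytes."""
    if len(udp_datagram) < 12:
        return False  # BPF never matches when an offset lies beyond the packet
    msg_type = udp_datagram[8]
    reserved = udp_datagram[9:12]
    return 1 <= msg_type <= 4 and reserved == b"\x00\x00\x00"

def wireguard_message_type(udp_datagram: bytes) -> Optional[str]:
    """Name the WireGuard message type, or None if the filter would drop it."""
    if not matches_wireguard_capture_filter(udp_datagram):
        return None
    return WG_MESSAGE_TYPES[udp_datagram[8]]

def build_udp(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Constructed UDP header (length field set, checksum left zero) + payload."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload

# Constructed samples, not captured traffic.
# A handshake initiation is 148 bytes: type, 3 reserved, then 144 bytes of
# sender index, ephemeral key, encrypted static, encrypted timestamp, mac1, mac2.
WG_HANDSHAKE_INIT = build_udp(51820, 51820, bytes([1, 0, 0, 0]) + b"\x11" * 144)
# Transport data: type 4, 3 reserved, receiver index, counter, ciphertext.
WG_TRANSPORT = build_udp(51820, 41000, bytes([4, 0, 0, 0]) + b"\x22" * 28)
# A DNS query for www.example.com: transaction id 0x1a2b puts 0x1a where the
# filter expects 1..4, so it is dropped.
DNS_QUERY = build_udp(40000, 53, bytes.fromhex(
    "1a2b0100000100000000000003777777076578616d706c6503636f6d0000010001"))
# The filter is a heuristic: any UDP payload starting 01 00 00 00 also matches,
# e.g. a DNS message whose transaction id is 0x0100 followed by all-zero flags.
LOOKALIKE = build_udp(40000, 53, bytes.fromhex("0100000000000000000000"))
```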
Assuming that the WireGuard traffic goes over the wlan0 interface using port 51820, download extract-handshakes.sh and run:
user $
extract-handshakes.sh > wg.keys & tshark -i wlan0 -o wg.keylog_file:wg.keys -f 'udp port 51820'
Step-by-step instructions for this are not yet available for the version merged in Linux v5.6. What you basically have to do is build offset-finder.c against the headers from drivers/net/wireguard/, together with kernel headers and a config matching the running kernel.
Dumpcap
Dumpcap is a network traffic dump tool. It captures packet data from a live network and writes the packets to a file. Dumpcap’s native capture file format is pcapng, which is also the format used by Wireshark.
By default, Dumpcap uses the pcap library to capture traffic from the first available network interface and writes the received raw packet data, along with the packets’ time stamps into a pcapng file. The capture filter syntax follows the rules of the pcap library.
Dumpcap can benefit from an enabled BPF JIT compiler, if available. It can be enabled (as root, since it writes to /proc/sys) by executing:
root #
echo 1 > /proc/sys/net/core/bpf_jit_enable
Note that this can make the system less secure, so change it back when the capture is done.
Example Usage
- Capture packets from any interface for 60 seconds into output.pcapng
user $
dumpcap -i any -a duration:60 -w output.pcapng
Tip
Use Ctrl-C to stop capturing at any time.
- Another example that stops the capture by duration, number of files, file size and packet count (-a) and writes to a ring buffer of files (-b)
user $
dumpcap -a duration:100 -a files:10 -a filesize:10000 -a packets:10000 -b duration:100 -b files:1000 -b filesize:1024 -b packets:20 -w file.pcap
See also
- Metasploit — provides information about security vulnerabilities and aids in penetration testing and IDS signature development.
- Nmap — an open source recon tool used to check for open ports, what is running on those ports, and metadata about the daemons servicing those ports.
- Tcpdump — a command-line network monitoring and data acquisition tool.
External resources
- https://tshark.dev - tshark.dev
- https://wiki.wireshark.org/DisplayFilters - Display Filters
- https://wiki.wireshark.org/Development/LibpcapFileFormat - Libpcap File Format
- https://www.wireshark.org/download/docs/user-guide.pdf - Wireshark User's Guide