How to install and use Wireshark (Ethereal) for Ethernet Packet Sniffing

Why use Wireshark ?

Wireshark is a tool that allow you to capture Ethernet packets sent/received on one or more interfaces of your laptop. It can be very useful in many cases, when you want to see what your unit is sending/receving in order to troubleshooting a problem. For example, if you see your laptop sending an ICMP packet and not receiving the reply, you can isolate the problem, being sure that is not your laptop that has some wrong settings as the wrong default gateway for example.
It is also useful to have it installed in the laptop to open IP, ETH or PPP pcap files that you can collect on the Digi TransPort (but this document will not go into details on that matter).

How can I download and install Wireshark?
To install Wireshark you will need to go to http://www.wireshark.org/download.html and follow instructions. 

How can I use Wireshark to capture packets?

Once installed you will be able to use Wireshark to view ethernet packets. To start a trace, click on the second icon from the upper left:
 
User-added image

This will open the capture options.  Select the ones you need and click 'start' to begin. 

User-added image

Note you can also specify other settings (as for example the update the list of packets in real time) clicking on “Options” that will reveal the following window, and then click start:


User-added image

The trace should now be running and you should see the symbol of wireshark becoming green.  You can finish to capture packets clicking on 'stop running trace' button.  It's the 4rth from the top left, after clicking on it, capture should stop and the wireshark symbol returns back to the blu color:
Following an example of what you can see:
 
 User-added image
 
 
How can I filter packets to only see what I am looking for?
 
You can also filter the trace (also while it is running). In the capture filter text field, you can enter different commands to filter the packets to only see the ones you're interested in. Following the syntax for three useful cases.
 
IP address: For instance you may want to track a unit by its IP address, the command for this would be "ip.addr == x.x.x.x" where x is the IP address of your laptop or of a unit that you want to monitor.
 
MAC address: You may also want to watch the device by the MAC address, as this will show you all the packets it sends out, including the ones it sends out before it gets an IP address. To do this you would use the syntax "mac contains xx:xx:xx:xx:xx:xx" where x is the MAC address.

Protocol: You may also want to see only packet of a certain protocol. To do that you need just to enter into the Filter window the name of the protocol, and if you need to see more than one protocol you can separate them with the “||” symbol. It can be useful for example if you have Browsing issues, filtering DNS and HTTP protocol to see what is happening, as in the following example:

User-added image


How can I save captured packets?
You can save the contents of the trace by the 'file' menu and then take the 'save as' option


NB: Please note that Wireshark has much more functionality than what we describe here, so if you have time, we recommend reading through the help files and trying out different settings to get a better feel for what is possible with this application.

Last updated: Mar 05, 2019

Filed Under

Cellular/Transport

Recently Viewed

No recently viewed articles

Did you find this article helpful?