HakTip 117 – Wireshark 101: Downloading, Displaying, and the BPF Syntax!
On this HakTip, Shannon Morse reviews options to download and display Wireshark windows, as well as the BPF Syntax.
We had a comment from our Youtube page from a fan who said “How do I download WireShark in Linux?” While I’m simply using an executable install on my Windows PC, we also walked through a Linux installation previously on HakTip 64. I highly suggest installing the WinPCap software that is included with Wireshark (which lets Wireshark put your computer into promiscuous mode). By letting your network card sniff traffic in promiscuous mode, you can not only see the traffic coming to you, but also going to all sorts of targets on your network.
Let’s take a closer look at the main windows of Wireshark this week. First up in the Packet List. This is the main window, color coded and listed by time the packet is captured. You’ll see the number of the packets, the time, source, destination, protocol, length, and info. Most of these are pretty self explanatory. Next down is the Packet Details listing, with a bunch of info about a single packet. Furthermore, you can expand the details pane and click on different parts of the packet to view details about each segment of that one packet. Lastly is the Packet Bytes pane. This is where you’ll see what the computer sees- the raw data flying from sender to receiver.
Now, you’re probably wondering about the colors on the Packet List pane. These are for the different protocols. The color coding gives you an easy way to differentiate between all of the protocols, or you can also list the pane by Protocol. You can change these as well by going to View –> Coloring Rules and clicking edit.
For more fun with customizing your Wireshark display, lets dive deeper into time displays. Since time displays are extremely important when trying to analyze a network, we also have a bunch of options for viewing time stamps. You have the Time Reference option available under edit, but you also have the display options under view.
Under capture, we have the Interface list, and Interface options. One of the interesting things under Options is the ability to save your findings into multiple files depending on the size or time of the capture.
Under capture, is also an option for filters. These are all the filters I can use during a capture. These will filter just those specific packets, as opposed to just capturing everything on the network. These capturing filters can be useful if you are looking for specific traffic and don’t want to deal with all the other packets.
Another thing you should probably know about is BPF Syntax. Under options there is a button called “compile selected bpf’s”. BPF stands for Berkeley Packet Filter syntax. This is the syntax that will apply the filters you choose for your capture. BPF is a syntax used by WinpCap, and is important because this is what’s going to make the computer understand whatever filters you make, and how those filters are used in Wireshark. BPF filters are called expressions, and expressions have a bunch of different parts called primitives, which have a bunch of parts called qualifiers. We’re going to wait until next week to break down what the heck I just said, but remember when we did Linux Terminal commands 101 and each command has a syntax that involved the command, an argument, and an option. These expressions are kind of the same.
Let me know what you think. Send me a comment below or email us at [email protected]. And be sure to check out our sister show, Hak5 for more great stuff just like this. I’ll be there, reminding you to trust your technolust.