This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Basics of wireshark

0

Hello, I have newly started using Wireshark for data capturing, can anybody please tell me what are the basic things one should know to work with wireshark. For what purpose the manual pages are useful?

asked 24 May '11, 23:23

sagu072's gravatar image

sagu072
35232428
accept rate: 0%

2 Answers:

2

This is a really large topics, so here's what I think you should do:

  1. Familiarize yourself with Wireshark display filters, also context sensitive filtering by using the popup menus
  2. check out the various statistics (endpoints, conversations, protocol distribution, I/O graph, just to name a few)
  3. The most important thing you need is knowledge about the protocols you want to analyze. If you don't know how they are supposed to work you won't get much results out of working with Wireshark. So if you don't know the structure and workings of Ethernet, IP, TCP/UDP, ICMP, DHCP, ARP, etc. you should get into that. Otherwise the decodes won't mean much to you.

It looks like a short list, but believe me, it's not something you can do in one afternoon ;-)

answered 24 May '11, 23:56

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

jasper, Thank you very much jasper, knowing protcols is getting to know the working of tat protocol n message structures only right ? o anything else is important .? If u hv any other suggestion pleas post. Thanks Sagar

(25 May '11, 00:09) sagu072

You need to know message structures first, but also how the protocol works in regard to requests/answers. For example the TCP sequence number/acknowledge number mechanism is something where only knowing the header structure isn't enough - you also need to know how the packets work with each other.

(25 May '11, 00:21) Jasper ♦♦

ok, what are dumpcap, mergecap etc, which are provided in manual pages, for wat purpose they can be used ?

(25 May '11, 00:33) sagu072

(I converted your "answer" into a "comment" as that is how this site works best, see the FAQ)

(25 May '11, 00:52) SYN-bit ♦♦

@SynBit: thx, I would have done the conversion as well but I don't think I can :-)

@sagu072: dumpcap is the executable that does the actual capture on your network card. It can either be used separately or automatically through capturing from within Wireshark. Mergecap is used to merge or concatenate multiple tracefiles.

(25 May '11, 01:14) Jasper ♦♦

hi, i want to know how to decode the data which is in hex dumped format, i mean i want to know what s the exact message flowing through the network by removing the headers of protocol , can u pleas tel me some idea of how i can go to it.

(29 May '11, 23:32) sagu072
showing 5 of 6 show 1 more comments

2

One good starting point is the book Laura Chappell wrote about Wirshark Network Analysis. It teches you the basics of how to use Wireshark and also the basics of mostly used protocols.

answered 25 May '11, 00:54

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

is that book s free ? it will be helpful for me if u can paste the link to download the book .

(25 May '11, 01:16) sagu072

Nope, that is not a free book.

If you want to start with free information you might want to check out the following:

(25 May '11, 01:25) SYN-bit ♦♦

hi, i want to know how to decode the data which is in hex dumped format, i mean i want to know what s the exact message flowing through the network by removing the headers of protocol , can u pleas tel me some idea of how i can go to it.

(29 May '11, 23:32) sagu072