Cisco Networking: Installing Wireshark
Wireshark is a network protocol analyzer, or network sniffer: a tool that lets you view the details of network traffic. When you install Wireshark, you are prompted during the installation to install WinPcap, which is the actual capture driver that does the heavy lifting for Wireshark. Wireshark takes care of data display and analysis, while WinPcap is the capture driver that captures the live network traffic from the network.
You can choose all the defaults for the installation; the only real question you may have is whether you want WinPcap to start with the operating system. If you choose to have WinPcap start with the operating system, then it will always be consuming some of your computer’s resources, even when Wireshark does not need WinPcap.
Normally, WinPcap starts as needed when running Wireshark. If you are running Windows 7 though, the default Windows 7 security features will prevent the WinPcap driver from starting when running Wireshark. In that case, you want WinPcap to start with the operating system.
To set up a basic capture of data, follow these steps:
Select the network card that you want to use to perform the capturing by choosing Capture→Interfaces.
The Capture Interfaces window shown below appears, showing you not only the listed interfaces but also the data received and sent on the interfaces on your computer.
Click the Start button next to your active network interface to kick off a capture session.
On the screen that appears, data scrolls past. You see the following three basic panes:
Packet List: This pane shows all the network frames that have been seen by your network card. If your network card is connected to a hub, then this will be all the traffic on the network; but if the card is attached to a switch, it will see only broadcast frames and the network frames addressed to the card's MAC address.
The information that you see here includes the frame number, as well as the following:
Time: The number of milliseconds that have elapsed since the start of the network capture.
Source Address: The address of the device that sent the network frame onto the network. This may be an IP address such as 192.168.1.123, or a MAC address such as 00:1D:7E:F8:23:D6.
Destination Address: The address where the network frame is being sent. The values and options are the same as for the source address.
Protocol: The highest layer protocol that is present in the frame. In Figure 4-10, you can see ARP, TCP, and HTTP.
Info: This column displays summary information about the frame. This is Wireshark's interpretation of what data is in the frame. The intention is to make it easier for you to understand what type of data is in the network frame.
Packet Details: This pane shows the packet currently selected in the Packet List pane as an expanding hierarchy, which lets you drill into the sections of the data, much like moving through the OSI layers. If you expand the Ethernet II section, you can compare the data to the Ethernet frame structure. If you expand the Internet Protocol section, you can compare the data to the packet structure.
Packet Bytes: This pane shows ASCII and hex data that is in the frame. Remember, all data sent in the network frame is binary, and that you can convert this binary data into hexadecimal.
Finally, every eight bits, or one byte, can be represented by an ASCII character. This pane shows you all of the binary data in the Ethernet frame in both its hexadecimal and ASCII equivalent. This can sometimes be helpful when looking for ASCII strings in the data. The same data is shown in a neater, decoded format in the Packet Details pane.
When you select a section of the frame in the Packet Details pane, the matching section of the Packet Bytes pane becomes highlighted. This can be helpful if you are attempting to locate the hexadecimal or ASCII equivalent of what you see in the Packet Details pane. If you are following along with Wireshark, try selecting different parts of the frame in the Packet Details pane.
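As an added illustration (not code from the original article or from the Wireshark project), the following Python script builds a constructed Ethernet II / IPv4 / TCP frame carrying an HTTP request, walks it layer by layer the way the Packet Details pane does, derives the Packet List columns described above (Source, Destination, Protocol, Info), and renders the frame in the hex-plus-ASCII layout of the Packet Bytes pane. The MAC addresses, IP addresses, ports and payload are made up for the example.

```python
import struct

# Constructed sample frame (not a real capture): Ethernet II / IPv4 / TCP carrying an HTTP request.
PAYLOAD = b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"
TCP_HDR = struct.pack("!HHIIBBHHH", 50123, 80, 1, 1, 5 << 4, 0x18, 64240, 0, 0)
IP_HDR = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(PAYLOAD), 0x1234, 0x4000, 64, 6, 0,
                     bytes([192, 168, 1, 123]), bytes([192, 168, 1, 1]))
ETH_HDR = bytes.fromhex("001d7ef823d6") + bytes.fromhex("0050b6aabbcc") + b"\x08\x00"
FRAME = ETH_HDR + IP_HDR + TCP_HDR + PAYLOAD
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP"}
IP_PROTOS = {1: "ICMP", 6: "TCP", 17: "UDP"}

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def dissect(frame):
    """Walk the layers as the Packet Details pane does; return the Packet List columns."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    row = {"source": mac(src), "destination": mac(dst), "info": "",
           "protocol": ETHERTYPES.get(ethertype, f"0x{ethertype:04x}")}
    if ethertype != 0x0800:
        return row                       # e.g. ARP: stays at the Ethernet layer
    ihl = (frame[14] & 0x0F) * 4         # IPv4 header length in bytes
    proto = frame[23]
    row["source"] = ".".join(map(str, frame[26:30]))
    row["destination"] = ".".join(map(str, frame[30:34]))
    row["protocol"] = IP_PROTOS.get(proto, f"IP proto {proto}")
    if proto != 6:
        return row
    tcp = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data = tcp[(tcp[12] >> 4) * 4:]      # skip the TCP header (data offset field)
    row["info"] = f"{sport} -> {dport}"
    if data.startswith((b"GET ", b"POST ", b"HTTP/")):
        row["protocol"] = "HTTP"         # highest layer present wins the Protocol column
        row["info"] = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
    return row

def hexdump(data, width=16):
    """Render bytes as the Packet Bytes pane does: offset, hex, then ASCII with '.' for non-printables."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {hex_part:<{width * 3}} {ascii_part}")
    return lines

if __name__ == "__main__":
    print(dissect(FRAME))
    print("\n".join(hexdump(FRAME)))
```

Compare the printed hex lines with a real capture in the Packet Bytes pane: the first 14 bytes are the Ethernet II header, the next 20 the IP header, and the ASCII column shows the "GET / HTTP" string once the payload begins.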