# Wireshark > **The World's Foremost and Widely-Used Network Protocol Analyzer** ## 📋 Overview Wireshark adalah open-source packet analyzer yang digunakan untuk network troubleshooting, analysis, software development, dan communications protocol development. Dikenal sebagai Ethereal sebelum tahun 2006, Wireshark menjadi standar industri untuk network protocol analysis. ## 🎯 Key Features ### 🔍 **Deep Packet Inspection** * **Protocol Dissection** - 3,000+ protocol support * **Live Capture** - Real-time packet capture * **Offline Analysis** - Analyze saved capture files * **Color Coding** - Visual packet identification * **Expert Information** - Automated problem detection ### 📊 **Filtering and Search** * **Capture Filters** - Pre-capture filtering * **Display Filters** - Post-capture packet filtering * **Search Capabilities** - Find specific patterns * **Regular Expressions** - Advanced pattern matching * **Filter Macros** - Reusable filter expressions ### 🛡️ **Security Analysis** * **Traffic Decryption** - SSL/TLS decryption support * **Malware Detection** - Suspicious traffic identification * **Anomaly Detection** - Traffic pattern analysis * **Security Protocol Analysis** - Authentication, encryption protocols * **Network Forensics** - Incident investigation ### 📈 **Performance Analysis** * **TCP Stream Analysis** - Connection performance metrics * **VoIP Analysis** - SIP, RTP quality metrics * **HTTP Analysis** - Web performance statistics * **Network Latency** - Round-trip time analysis * **Bandwidth Monitoring** - Traffic usage statistics ## 🚀 Installation ### Windows Installation ```powershell # Download from https://www.wireshark.org/download.html # Run installer with administrator privileges # Install Npcap during installation (packet capture library) # Choose components: # - Wireshark (GUI) # - TShark (CLI) # - TShark documentation # - Plugins and extensions ``` ### Linux Installation ```bash # Ubuntu/Debian sudo apt-get update sudo apt-get install wireshark-common tshark # Add user to wireshark group for non-root capture sudo usermod -a -G wireshark $USER # Log out and log back in for changes to take effect # CentOS/RHEL/Fedora sudo dnf install wireshark wireshark-cli # Arch Linux sudo pacman -S wireshark-qt sudo gpasswd -a $USER wireshark ``` ### macOS Installation ```bash # Using Homebrew brew install --cask wireshark # Download DMG from https://www.wireshark.org/download.html # Mount DMG and drag to Applications # Install ChmodBPF for non-root packet capture ``` ### Docker Installation ```bash # Pull Wireshark image docker pull linuxserver/wireshark # Run with privileged access for packet capture docker run -d \ --name=wireshark \ --net=host \ --privileged \ -e PUID=1000 \ -e PGID=1000 \ -e TZ=America/Los_Angeles \ -p 3000:3000 \ linuxserver/wireshark ``` ## 🔧 Basic Configuration ### First-Time Setup 1. **Interface Selection** - Choose network interfaces to monitor 2. **Capture Options** - Configure capture settings 3. **Color Rules** - Set up display filters and colors 4. **Protocols** - Enable/disable protocol dissectors 5. **Name Resolution** - Configure DNS and MAC resolution ### Interface Configuration ``` # Select interfaces Capture → Options → Check desired interfaces # Configure capture options - Buffer size: 1 MB (default) - Capture in promiscuous mode: Checked - Update list of packets in real time: Checked - Hide capture info dialog: Unchecked - Resolve MAC addresses: Checked - Resolve network names: Unchecked (for performance) ``` ## 🔍 Basic Usage ### Starting Capture ```bash # GUI: Double-click interface or press Ctrl+E # CLI: Start capturing with tshark tshark -i eth0 # Capture on specific interface tshark -i wlan0 # Capture with count limit tshark -i eth0 -c 100 # Capture with time limit (30 seconds) tshark -i eth0 -a duration:30 ``` ### Basic Display Filters ```bash # Show only HTTP traffic http # Show traffic to/from specific host ip.addr == 192.168.1.100 # Show TCP traffic on port 80 tcp.port == 80 # Show DNS traffic dns # Show HTTP GET requests http.request.method == "GET" # Combine filters (AND) ip.addr == 192.168.1.100 and tcp.port == 80 # Combine filters (OR) tcp.port == 80 or tcp.port == 443 ``` ### Capture Filters ```bash # Capture only HTTP traffic port 80 or port 8080 # Capture traffic to/from specific host host 192.168.1.100 # Capture TCP traffic tcp # Capture traffic on port range portrange 1-1024 # Exclude broadcast traffic not broadcast # Capture HTTP GET requests tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420 ``` ## 🎯 Common Use Cases ### 1. **Network Troubleshooting** ``` Filter: tcp.analysis.flags Shows: TCP problems like retransmissions, duplicate ACKs Filter: icmp Shows: ICMP messages for connectivity troubleshooting Filter: dns Shows: DNS query/response analysis Filter: dhcp Shows: DHCP server/client communication ``` ### 2. **Security Analysis** ``` Filter: http.request.method == "POST" Shows: Potential data exfiltration Filter: tls.handshake.type == 1 Shows: TLS client hello messages Filter: tcp.flags.syn == 1 and tcp.flags.ack == 0 Shows: New connection attempts Filter: icmp.type == 8 Shows: Ping requests (potential network mapping) ``` ### 3. **Performance Analysis** ``` Filter: tcp.analysis.retransmission Shows: Network performance issues Filter: http.time > 1 Shows: Slow HTTP responses Filter: tcp.window_size_scalefactor Shows: TCP window scaling for throughput analysis Filter: rtp Shows: VoIP traffic quality analysis ``` ### 4. **Protocol Analysis** ``` Filter: http Shows: HTTP request/response analysis Filter: smtp Shows: Email traffic Filter: ssh Shows: Secure shell connections Filter: smb or nbss Shows: Windows file sharing traffic ``` ## 📊 Advanced Filtering ### Complex Filters ```bash # HTTP traffic not from local network http and not ip.src == 192.168.1.0/24 # Large HTTP responses http.response and http.content_length > 100000 # SSL/TLS certificate issues ssl.alert_message or ssl.handshake.type == 3 # TCP connection problems tcp.analysis.retransmission or tcp.analysis.fast_retransmission # DNS queries without responses dns and not dns.flags.response # HTTP traffic with specific user agent http.user_agent contains "curl" # Traffic with specific MAC address eth.addr == 00:11:22:33:44:55 # IPv6 traffic ipv6 # VLAN tagged traffic vlan # MPLS traffic mpls ``` ### Filter Expressions ```bash # Protocol field references http.request.method http.response.code tcp.port ip.ttl # Comparison operators == (equal) != (not equal) > (greater than) < (less than) >= (greater than or equal) <= (less than or equal) # Logical operators and or not xor # String matching contains matches ~ (regular expression) # Set membership in ``` ## 🔧 Command Line Interface (TShark) ### Basic TShark Usage ```bash # Capture packets with output tshark -i eth0 -c 100 -V # Save capture to file tshark -i eth0 -w capture.pcap # Read from capture file tshark -r capture.pcap # Apply display filter tshark -r capture.pcap -Y "http.request.method == 'GET'" # Show specific fields tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e tcp.port # Export to CSV tshark -r capture.pcap -T fields -E separator=, -e ip.src -e ip.dst > output.csv ``` ### Advanced TShark Commands ```bash # Live capture with two-pass analysis tshark -i eth0 -2 -R "http.request.method == 'GET'" # Decode specific protocols tshark -r capture.pcap -d tcp.port==8080,http # Follow TCP stream tshark -r capture.pcap -z follow,tcp,ascii,0 # Protocol hierarchy statistics tshark -r capture.pcap -z io,stat,0,"COUNT(http.request.method) http.request.method" # Conversation statistics tshark -r capture.pcap -z conv,tcp # Endpoint statistics tshark -r capture.pcap -z endpoints,ip # HTTP server statistics tshark -r capture.pcap -z http,stat ``` ## 📈 Traffic Analysis ### HTTP Analysis ```bash # HTTP requests by host http.host # HTTP methods http.request.method # HTTP response codes http.response.code # HTTP user agents http.user_agent # HTTP content types http.content_type # HTTP referrers http.referer # Extract HTTP objects File → Export Objects → HTTP ``` ### TCP Analysis ```bash # TCP stream analysis Right-click packet → Follow → TCP Stream # TCP round-trip time tcp.analysis.ack_rtt # TCP window size tcp.window_size # TCP sequence numbers tcp.seq tcp.ack # TCP flags tcp.flags.syn tcp.flags.ack tcp.flags.fin tcp.flags.rst ``` ### SSL/TLS Analysis ```bash # SSL/TLS version ssl.record.version # Cipher suite ssl.handshake.ciphersuite # Certificate information ssl.handshake.certificate # Master secret (requires key log file) Edit → Preferences → Protocols → SSL → (Pre)-Master-Secret log filename ``` ## 🔗 Decryption Support ### SSL/TLS Decryption ```bash # Create key log file # Add to Wireshark preferences Edit → Preferences → Protocols → SSL → (Pre)-Master-Secret log filename # Environment variable for browsers export SSLKEYLOGFILE=~/.ssl-keylog.log # Firefox/Chrome configuration # Set SSLKEYLOGFILE environment variable before launching browser ``` ### WPA/WPA2 Decryption ```bash # Add network key Edit → Preferences → Protocols → IEEE 802.11 → Edit # Enter SSID and passphrase ``` ## 📊 Statistics and Reporting ### Built-in Statistics ``` Statistics → Protocol Hierarchy - Shows protocol breakdown of capture Statistics → Conversations - Shows traffic statistics between endpoints Statistics → Endpoints - Shows traffic statistics per endpoint Statistics → IO Graph - Shows traffic over time graphs Statistics → Flow Graph - Shows conversation flow diagram Statistics → HTTP → Requests - Shows HTTP request statistics Statistics → HTTP → Packet Counter - Shows HTTP packet statistics Statistics → TCP → Stream Graphs - Shows TCP stream analysis ``` ### Custom Statistics ```bash # Create custom statistics Statistics → Custom... # Example: HTTP response code distribution # Filter: http.response.code # Display: Column values, Count # Example: TCP ports by packet count # Filter: tcp.port # Display: Column values, Count ``` ## 🔧 Automation and Scripting ### Lua Scripting ```lua -- Example: Custom protocol dissector local my_proto = Proto("myproto", "My Custom Protocol") local fields = my_proto.fields fields.my_field = ProtoField.uint8("myproto.field", "My Field", base.HEX) function my_proto.dissector(buffer, pinfo, tree) local subtree = tree:add(my_proto, buffer()) subtree:add(fields.my_field, buffer(0,1)) end register_postdissector(my_proto) ``` ### Command Line Automation ```bash #!/bin/bash # Automated packet capture script INTERFACE="eth0" DURATION=300 OUTPUT_DIR="/tmp/wireshark" TIMESTAMP=$(date +%Y%m%d_%H%M%S) mkdir -p $OUTPUT_DIR # Start capture tshark -i $INTERFACE -a duration:$DURATION -w $OUTPUT_DIR/capture_$TIMESTAMP.pcap # Generate statistics tshark -r $OUTPUT_DIR/capture_$TIMESTAMP.pcap -z io,stat,0 > $OUTPUT_DIR/stats_$TIMESTAMP.txt # Extract HTTP requests tshark -r $OUTPUT_DIR/capture_$TIMESTAMP.pcap -Y "http.request" -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri > $OUTPUT_DIR/http_$TIMESTAMP.csv echo "Capture and analysis completed: $OUTPUT_DIR/capture_$TIMESTAMP.pcap" ``` ## 🎓 Learning Resources ### Official Documentation * [Wireshark Official Documentation](https://www.wireshark.org/docs/) * [Wireshark User Guide](https://www.wireshark.org/docs/wsdg_html_chunked/) * [Wireshark Filter Reference](https://www.wireshark.org/docs/wsug_html_chunked/ChapterWorking.html) * [Wireshark Wiki](https://wiki.wireshark.org/) ### Training Resources * [Wireshark University](https://www.wireshark.org/training/) * [Laura Chappell's Wireshark Training](https://www.chappellu.com/) * [Practical Packet Analysis](https://nostarch.com/packetanalysis) * [Wireshark Network Analysis](https://www.wiresharkbook.com/) ## 📈 Comparison with Other Tools | Feature | Wireshark | tcpdump | TShark | ngrep | | -------------------- | --------- | -------- | --------- | ------- | | **GUI** | ✅ | ❌ | ❌ | ❌ | | **Protocol Support** | 3,000+ | Limited | 3,000+ | Limited | | **Filters** | Advanced | Basic | Advanced | Basic | | **File Formats** | Multiple | Multiple | Multiple | None | | **Live Capture** | ✅ | ✅ | ✅ | ✅ | | **Analysis** | Deep | Basic | Deep | Pattern | | **Learning Curve** | 📚 Medium | 📚 Easy | 📚 Medium | 📚 Easy | ## 🔧 Troubleshooting ### Common Issues ```bash # Permission denied (run as administrator/root) sudo wireshark # or add user to wireshark group # No interfaces visible # Check if Npcap/WinPcap is installed and running # High CPU usage # Reduce capture buffer size # Apply capture filters # Disable real-time updates for large captures # Can't see decrypted HTTPS # Configure SSL key log file # Ensure browser is using SSLKEYLOGFILE variable # Missing protocol dissectors # Update Wireshark to latest version # Install protocol plugins ``` ### Performance Optimization ```bash # Increase capture buffer size Capture → Options → Buffer size: 50 MB # Use capture filters to reduce traffic Capture → Options → Capture Filter: port 80 # Disable name resolution for faster capture Edit → Preferences → Name Resolution → Enable all network name resolution: Unchecked # Use TShark for automated analysis tshark -i eth0 -c 1000 -w capture.pcap ``` ## 🛡️ Security Considerations ### Privacy and Data Protection * **Sensitive Data** - Avoid capturing passwords or personal data * **Network Permission** - Only capture networks you own/authorized * **Data Retention** - Follow data retention policies * **Secure Storage** - Encrypt sensitive capture files ### Network Security * **Network Impact** - Packet capture can affect network performance * **Promiscuous Mode** - May trigger security alerts * **Port Security** - Some networks block packet capture * **Legal Compliance** - Follow local laws and regulations *** **⚠️ Legal Notice**: Only capture network traffic on networks you own or have explicit permission to monitor. Unauthorized packet capture may violate privacy laws and network policies. **⚡ Pro Tip**: Start with broad filters and progressively narrow down to focus on specific traffic patterns. Use color coding to quickly identify interesting packets. *📅 Last Updated: 2024*