But the main issue when you are looking for something specific in Wireshark is filtering the packet list (the first table). Devices talk quite a lot on our networks, and it can be overwhelming to see all of these packets.

That’s why Wireshark includes a field near the top of the screen, where you can enter a formula to show only the packets that are potentially interesting for you (or to exclude them). Here is a first example:

tcp.port == 80

It’s exactly what you think: it will display only the packets using port 80 (HTTP traffic, in general).

Reading these filters is quite intuitive, but instead of trying random formulas, here are some of the most useful ones:

- Filter by IP address (to analyze only one device on your network):
  ip.addr==192.168.222.8
- You can also filter by source or destination IP address:
  ip.src==192.168.222.8
  ip.dst==192.168.222.25
- As seen in the previous example, you can filter by port:
  tcp.port==80
  udp.port==5060

Many other filter options are available, but those few should already be pretty useful to filter your list. You can also combine different operators and boolean statements to create more complex filters. Here are a few examples:

Filter                                              Description
ip.src!=192.168.222.25                              Source IP address is not 192.168.222.25
vnc or http                                         Only display VNC or HTTP protocols
ip.src==192.168.222.8 and ip.dst==192.168.222.1     Filter traffic between my computer and the gateway

When you start typing something in the filter field, it will autofill with the available options and your filter history. So, even if it seems complicated when you start from scratch, it will become easier over time. And as with packet analysis, you can easily find help online for more complex filters.
Wireshark Alternatives In Command Line

If you want to record network activity on another device, or you use SSH to connect to your Kali Linux system, it’s possible to use other tools, as Wireshark doesn’t offer a command-line interface.

Here are two alternatives you can try in this case.
Tcpdump

Tcpdump is a command-line tool you can use to capture network traffic. Tcpdump is preinstalled on Kali Linux, but if needed you can easily install it on any device via APT:

sudo apt install tcpdump

Using the main command will just show all the packets on your screen:

sudo tcpdump -i <interface>

This is not really useful. But you can add several options to your command to only show what you want, and store the result in a capture file, for example:

sudo tcpdump -i eth0 -w tcpdump.cap

You’ll then record only the traffic on the Ethernet network card, and save the results in a file (tcpdump.cap). Use CTRL+C to stop the capture. What’s great is that you can then open this file with Wireshark (File > Open), and use all the nice features we have seen previously.

I’ll generally have Wireshark on my computer, do captures on my servers with tcpdump, and then open the file on the computer to analyze it.

To see all the options for tcpdump, either use:

sudo tcpdump --help

or

man tcpdump

Or maybe you are a pen tester and got access to a Linux device that is important on the network you are auditing. You may be able to run tcpdump on it, and transfer the capture file to your computer to analyze it comfortably with Wireshark.
Tshark

Tshark is an alternative to Wireshark, to be used directly in the terminal. It’s created by the same developers as Wireshark, so you’ll find many similarities.

It’s also pre-installed on Kali Linux, and available in the default repository of most distributions, so if needed you can install it with:

sudo apt install tshark

Then use a similar command to create a capture. But you need to create the destination file first, and add some permissions (I don’t know exactly why you need this with sudo, but it doesn’t work without it).

touch tshark.cap
chmod o+w tshark.cap
sudo tshark -i eth0 -w tshark.cap
Like with tcpdump, you can press CTRL+C to stop the capture, and import the file in Wireshark to analyze it. But tshark also has a ton of options you can use to do the same things as in Wireshark from the command line (for example, -f allows you to use capture filters, and -Y to use display filters).

Author: Patrick Fromaget (infosecscout.com, category: Kali Linux)
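As an added example (not code from the original article or from the Wireshark project), the script below applies the display-filter syntax shown earlier (ip.src, ip.dst, ip.addr, tcp.port, udp.port, combined with and/or) to a capture file in the classic pcap format that tcpdump -w writes, so you can see what Wireshark or tshark -Y is matching at the byte level. It builds a constructed three-packet capture inline so it runs offline; it assumes Ethernet/IPv4 frames only and evaluates and/or left to right without parentheses.

```python
import re, socket, struct

def parse_pcap(data):
    """Yield Wireshark-style field sets for each Ethernet/IPv4 frame in a classic pcap."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("only classic little-endian pcap (tcpdump -w default) is handled")
    off = 24                                              # 24-byte global header
    while off + 16 <= len(data):                          # 16-byte record header per packet
        incl_len = struct.unpack_from("<IIII", data, off)[2]
        frame, off = data[off + 16:off + 16 + incl_len], off + 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                      # not IPv4 over Ethernet: skip
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        pkt = {"ip.src": {src}, "ip.dst": {dst}, "ip.addr": {src, dst}}
        l4, proto = frame[14 + (frame[14] & 0x0F) * 4:], frame[23]
        if proto in (6, 17) and len(l4) >= 4:             # TCP=6, UDP=17: expose the ports
            name = "tcp" if proto == 6 else "udp"
            sport, dport = (str(p) for p in struct.unpack_from("!HH", l4, 0))
            pkt.update({f"{name}.srcport": {sport}, f"{name}.dstport": {dport},
                        f"{name}.port": {sport, dport}})
        yield pkt

def match(pkt, expr):
    """'field==v', 'field!=v' or a bare protocol name, joined by and/or (left to right)."""
    result, op = None, None
    for tok in re.sub(r"\s*(==|!=)\s*", r"\1", expr).split():
        if tok in ("and", "or"):
            op = tok
            continue
        if "==" in tok or "!=" in tok:                    # ip.addr / tcp.port match either end;
            field, val = re.split(r"==|!=", tok)          # '!=' is true only if no value equals v
            cur = (val in pkt.get(field, set())) == ("==" in tok)
        else:
            cur = any(k.startswith(tok + ".") for k in pkt)   # e.g. 'tcp', 'udp', 'ip'
        result = cur if op is None else (result and cur if op == "and" else result or cur)
    return bool(result)

def _frame(src, dst, proto, sport, dport):               # constructed test frame, not real traffic
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + struct.pack("!HHI", sport, dport, 0)

def _pcap(frames):                                        # constructed classic pcap container
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", n, 0, len(f), len(f)) + f
                          for n, f in enumerate(frames))

SAMPLE_CAP = _pcap([_frame("192.168.222.8", "192.168.222.1", 6, 51000, 80),    # HTTP to gateway
                    _frame("192.168.222.25", "192.168.222.8", 17, 5060, 5060),  # SIP over UDP
                    _frame("192.168.222.8", "192.168.222.25", 6, 51001, 5900)]) # VNC over TCP
```

To try it on a real file, replace SAMPLE_CAP with the bytes of tcpdump.cap and compare the results with the same filter typed into Wireshark or passed to tshark -Y.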