Expired

VII. Router Diagnostics

Expired

How do I use Wireshark?

Products:

Show all

Keywords:

Wireshark is an excellent and free third-party tool useful if you wish to examine the data that your PC is sending at the TCP/IP level across the Ethernet or Wireless interfaces. It is often referred to as a 'packet sniffer'. Wireshark is not a DrayTek produced or supported product but we provide some installation documentation as a courtesy here.

Wireshark will capture data packets coming in and out of the PC running wireshark and is therefore very useful to an engineer for diagnosing problems, or improving compatibility with specific applications. It is also possible to capture traffic on the network or WAN interfaces by setting up the Port Mirroring facility on most DrayTek routers so that traffic from other interfaces is sent to the port that the monitoring PC is connected to.

Initial Setup

Download Wireshark from here. Install the application (which will include WinPcap, a separate program that facilitates the capturing of network traffic by the Wireshark program) and run it once it has installed successfully.

The application will initially show the main screen:

The important menu options are located in the main toolbar:

To start capturing packets, it's necessary to select the interface to capture from, which is set from the List of Capture Interfaces and Capture Options windows.

Start Capture will start a packet capture on all selected interfaces

Stop Capture will stop an active packet capture and allow the packet capture to be saved into a file

Restart Capture is only available once a packet capture has been started or stopped, this clears the packet list and restarts the capture

The Display Filter box is used to control which packets Wireshark shows in the packet list, details on how to use this are in the Filtering Packet Captures tab. If nothing is entered here, it will show all packets received.

Listing the Capture Interfaces will show this window, which shows all detected network interfaces (wired or wireless) and clicking Start here will start a packet capture:

Viewing the Capture Options will show all detected network interfaces and offer additional options for capturing packets.

If capturing from a single interface i.e. Local Area Connection, make sure to untick Capture on all interfaces, otherwise Wireshark would capture packets from other interfaces such as the wireless network adapter.

Ticking "Use promiscuous mode on all interfaces" is recommended, Promiscuous Mode allows Wireshark to receive packets that are not intended for the PC running Wireshark, which is necessary if capturing packets from a network. Otherwise Wireshark will discard packets not intended for the PC doing the packet capture.

It is recommended to untick the Name Resolution options as this alters some values in the packet capture file to make it easier to read for high-level packet analysis. Low-level packet analysis such as observing network issues usually does not benefit from these facilities.

Selecting interfaces in this window and clicking Start would start the packet capture.

Once a packet capture has been started, it will show traffic like this. There are three elements to Wireshark's display of packets:

Packet List - this lists the packets received, clicking on a packet here will show it in the Packet Details and Packet Bytes sections

Packet Details - this shows the details of a selected packet; Wireshark is usually able to determine the protocol of each packet and will show a detailed view of the individual details in the packet, such as the MAC addresses (layer 2), IP address level source and destination addresses (layer 3) and the packet data such as the details of an HTTP request

Packet Byes - this shows the packet data in both hexadecimal and ASCII format, selecting an item here will show in the Packet Details and vice versa

Capturing Packets

To make a packet capture with Wireshark, first of all set up the packet capturing environment, for instance if it's necessary to capture packets from the whole network or WAN interface of a DrayTek router, set up the Port Mirroring first, details on that can be found in this guide.

With that set up, click the Capture Options button in the main toolbar:

In that window, select the network interfaces to capture from, untick the Name Resolution options if any are currently ticked. Click Start to start the packet capture:

This will show packets as they are received by the PC performing the packet capture:

Once the packet capture shows the necessary information, click the red Stop button in the main toolbar, then click the Save button to save the packet data into a .pcap packet capture file, which will include all details of the packets and the packet data they contain:

When saving the packet capture file, it can be useful to set the Compress with gzip option so that the packet capture is compressed using gzip, this can significantly decrease the size of the packet capture which may be useful if sending it over the internet:

Filtering Packet Captures

When capturing packets on a network, there will often be many packets that aren't useful which may make it difficult to find the correct information. To resolve this, use the Display Filter in Wireshark; there are details on how to use the display filter on Wireshark's website which give examples of the syntax that can be used.

This guide will give some examples of how packets captured can be filtered and how to save the resulting filtered list of packets instead of the full packet capture.

To start with, start a packet capture so that packets have been captured. The Display Filter can be applied while packet capture is still active or has been stopped.

Example 1 - Protocol - DHCP

To filter based on the protocol used, enter the protocol name into the Display Filter box, this example will show DHCP packets, which are part of the "bootp" protocol.

Entering that into the filter box will highlight in Green, which indicates that the filter entered has the correct syntax.

If the filter box is highlighted in Red, that indicates that the syntax is incorrect. Click the Expression... button for a list of valid items.

Click Apply to apply that filter, which will then show only DHCP / BOOTP packets in the packet list:

Click Clear to clear the filter, which will show all packets in the packet list.

Example 2 - Address - IP Address

To filter based on the IP Address used in a packet, there are a few options that can be used, this example will show how to filter for packets with 192.168.1.1 as either a source or destination.

ip.addr == 192.168.1.1 - this will show all packets that have 192.168.1.1 in either the source or destination field of a packet
ip.dst == 192.168.1.1 - this will show packets that have 192.168.1.1 in the destination field of a packet, which would be packets sent to 192.168.1.1
ip.src == 192.168.1.1 - this will show packets that have 192.168.1.1 in the source field of a packet, which would be packets sent from 192.168.1.1

Click Apply to apply the filter, click Clear to clear the filter.

Example 3 - Filtering based on a selected packet

It is also possible to filter based on the information in a selected packet, to find all packets with the same details or hide packets with those details. To do that, select a packet from the Packet List and expand the details in the Packet Details view, this example shows that the User Datagram Protocol details section has been expanded and the source port used has been selected.

With a detail selected, Right-Click that detail and it will show options, select Apply as Filter and click Selected:

This will then create the text for the Display Filter and apply it, which will then show only packets matching that criteria:

Click Clear to clear that filter text and display all packets.

Saving the filtered packets

To save filtered list of packets instead of the full packet capture, go to File and click Export Specified Packets:

This will display a dialog box which allows selecting which packets to save; to save only the filtered packets, select All Packets and select the Displayed column, which will be the number of packets currently displayed with the display filter applied.

It is also possible to select the Compress with gzip option to compress the packet capture, which will usually result in a significantly smaller file.

Click Save to save the filtered packet capture:

How do you rate this article?

1 1 1 1 1 1 1 1 1 1

: First Published: 18/03/2013; Last Updated: 22/04/2021

Share this link

How do I use Wireshark?

Initial Setup