Wireshark – Detailed Analysis Of Your Network Traffic

As power users, we love control. More specifically, we love knowing what happens where, when and how. While utilities to monitor your CPU usage and other metrics are fairly easily available, your network is often ignored since it’s a lot more, well, nerdy.

Today, I am going to give you a mini-review of Wireshark, an excellent network utility, and a little guide through running the app on your computer.

What's The Point?

Above all else, you end up learning a tremendous amount about networking from Wireshark. If you are interested in how computers talk to one another and what messages they exchange, this is perfect for you. You may need Wikipedia at your side to look up what some fields mean and to read about the different protocols, but all the raw material to learn from is right there in Wireshark.

Another popular use of Wireshark is checking what is going on in your network, and especially what is going in and out of your machine. Many people use Wireshark to validate their traffic and make sure nothing out of the ordinary or unexpected is happening. Many server administrators run Wireshark every now and then to see who is accessing their resources and what they are doing.

If you have a network-based problem, such as failing to connect to servers, a flaky network and so forth, Wireshark is your first port of call. My latest serious use of Wireshark was to log my Xbox's network connections. I was trying to find out why my router rejected certain matchmaking game sessions and accepted others. I bridged the wireless and ethernet connections of my laptop, with my Xbox going into the ethernet, and the wireless going out to the web. I ran Wireshark on the wireless interface and gathered heaps of data. I discovered that my router was sending redirect signals to my Xbox, which I then corrected.

Mini-Review

As an application, Wireshark is very basic. There are no fancy effects or anything like that, just a few panes for information, and some buttons to manipulate it. This is, of course, very good and exactly what is needed from a utility program.

The last thing I want from a program intended to get into the deep technical side of computing is a load of flashy effects. Some other applications try to go along the 'eye-candy' route, and not only is it ugly nine times out of ten, it's extremely off-putting.

Though it takes a little getting used to at first, Wireshark quickly becomes very easy to use. You quickly get used to data flying about the place, as well as interpreting the information it provides.

Something that really impressed me, which I didn't know about until writing this article, is that Wireshark can also tap into your USB connections. On Windows this needs the USBPcap driver, which the Wireshark installer offers as an optional component; on Linux it uses the usbmon kernel module. So if you have a faulty USB drive, start a capture on the USB interface and then plug it in. That should give you plenty of information to help understand what is going wrong.

So if you are interested in trying Wireshark out for yourself, read on!

Let’s Try It Out!

Wireshark is free and open source, with builds for Windows, macOS and Linux, and you can get it from the Wireshark website.

Once you have Wireshark installed and started up, go to the top left of the window and click the icon that looks like a spanner lying atop a network card. Have a quick look over the options and change them if you need to, such as the network interface to capture on. I recommend unticking 'Capture Packets In Promiscuous Mode' if you intend to capture on a wireless interface: many Wi-Fi drivers, particularly on Windows, do not support it and the capture may refuse to start. (On a wired, switched network, promiscuous mode makes little difference anyway, since the switch only delivers your own traffic plus broadcasts to your port.) You can see my setup below, but instead of eth0 in the Interface box, you should see one of your network cards.

This setup usually works for me, however you may want to tweak one or two things. For example, enabling 'Name Resolution' in the bottom right corner will tell Wireshark to try and use computer names instead of IP addresses where possible. Bear in mind that network name resolution makes Wireshark issue a reverse DNS lookup for every address it sees, which slows the display down, adds your own lookups to the capture, and tells whoever runs your DNS server which addresses you are looking at. If you are examining traffic you don't trust, leave it off.

When you are ready to begin, click Start. Wireshark is now capturing every frame your interface sends and receives (on a switched network that means your own traffic plus broadcasts, unless you are plugged into a mirror port). Let it run for about 15 seconds and then click the stop icon located towards the top left of the window, next to the spanner icon. The fifteen seconds you ran Wireshark should be more than enough to capture some packets for you to look at. You should end up with something similar to my screenshot below.

If you can't see the screenshot clearly, click it to open a full-size version in a new tab.

Hopefully this screenshot is a good example. Let’s take a look at the top of the three panes in Wireshark, called the ‘Packet List’.

Packet List

The top pane is where captured packets are listed, one per line, in the order they were captured. The packets highlighted in green in my screenshot are all transmissions from my computer to the backend which Appstorm uses to compose posts. The blue ones are caused by my computer probing the network at the moment this screenshot was taken, looking for Dropbox clients to connect to.

Most of the information people would want when using Wireshark is shown in this pane, such as addresses and ports used for connections, the protocol used and so forth. However, let’s take it a bit further.

Packet Details

Underneath the Packet List (the second of the three panes) is the 'Packet Details' window. This shows the packet selected in the Packet List decoded layer by layer, one expandable entry per protocol. Far more information is revealed here than in the Packet List.

There can be anywhere from 2 to 10 entries for a packet, depending on the protocols it was built from and the data it contained. In the screenshot example, I have selected the first entry in the Packet List. This is a TCP packet sent from my computer to the Appstorm server (note the 'Source' and 'Destination' IP in the Packet List).

In the Packet Details window the first expandable line, entitled Frame 1, contains mostly data on the time and length of the packet. I can see that the packet was 1474 bytes (11792 bits) in size and was captured at 11:17am on January 9th.

The second line, beginning with "Ethernet II", lists the link-layer addresses used to send and receive the frame. Wireshark looks up the first three bytes of each MAC address (the OUI) and shows the manufacturer, so you can see in the screenshot above, even without expanding the entry, that I run a GigaByte ethernet card, along with its MAC address, and that the destination MAC belongs to a device produced by AskeyCom. Note that this is not the Appstorm server: MAC addresses only travel one hop, so the destination MAC on an outbound packet is the next hop on my local network, in this case my router.

Underneath the hardware entry comes the Internet Protocol version and the source/destination addresses. In that entry, you can see that I am running IPv4, my local IP address, and the destination address. When expanded, this entry details the header length, the identification field and fragmentation flags, the time to live (TTL, the number of hops the packet may still take), the transport protocol carried inside (TCP here), and the header checksum.

The last entry in the screenshot is the Transmission Control Protocol. This is what I stared at in hundreds of packets during my Xbox issue. This entry lists the source port (your end) and the destination port (their end), and where a port is a well-known one, Wireshark adds the name of the service that usually runs on it. As you can see in the screenshot, Wireshark is telling me that the port I am reaching on the Appstorm server is the one conventionally used for HTTP. This entry also shows the flags set on the packet (SYN, ACK, FIN and so on), the sequence number and the acknowledgement number that tell you where the packet sits in the conversation, and the header length, window size and checksum.

Packet Bytes

The third and final pane is the Packet Bytes pane. This pane shows every byte of the frame as it went over the wire, rendered in hexadecimal. Since hexadecimal is not much fun to read, Wireshark also prints the same bytes as text to the right of the raw data, with any byte that is not a printable character shown as a dot.

If you click a packet in the Packet List, all the data in the Packet Bytes pane will be selected. The more practical and interesting approach is to go through the Packet Details pane and click through each entry one by one, then the sub-entries one by one. This lets you see which part of the packet contained instructions, identifiers, addresses and so forth, because the bytes belonging to the selected field become highlighted in the Packet Bytes pane.
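To make the three panes concrete, here is an added example (my own code, not the article's and not from the Wireshark project) that does by hand what Wireshark does for the packet described above: it parses one Ethernet II / IPv4 / TCP frame into the same layer entries the Packet Details pane shows, validates the IP header checksum, and renders the Packet Bytes view with the selected layer's bytes marked. The frame is constructed inline with made-up MAC addresses, documentation IP addresses and an arbitrary client port; nothing here is taken from the screenshots.

```python
"""Added example: a minimal dissector for one Ethernet II / IPv4 / TCP frame.

Not code from the article or from the Wireshark project. It returns the
layers Wireshark's Packet Details pane lists for such a packet, plus the
byte range each layer occupies, which is what the Packet Bytes pane
highlights when you click a layer. The input frame is constructed inline
(made-up MAC addresses, documentation IPs, arbitrary ports)."""
import struct

TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
# A tiny excerpt of the service names Wireshark attaches to well-known ports.
WELL_KNOWN_PORTS = {53: "domain", 80: "http", 443: "https"}


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum. Over a header whose checksum field
    is zero it yields the value to store; over a complete, intact header it
    yields 0, which is how a receiver (and Wireshark) validates it."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_sample_frame() -> bytes:
    """Constructed input: a TCP SYN from 192.168.1.10:49152 to 203.0.113.5:80."""
    dst_mac = bytes.fromhex("001122334455")  # next hop on the LAN (the router); made up
    src_mac = bytes.fromhex("66778899aabb")  # this host's NIC; made up
    ethernet = dst_mac + src_mac + struct.pack("!H", 0x0800)  # EtherType IPv4
    mss_option = bytes.fromhex("020405b4")  # TCP option: MSS 1460
    # ports, seq, ack, data offset 6 words (24 bytes), flags SYN, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 0, 6 << 4, 0x02, 65535, 0, 0) + mss_option
    # version 4 / IHL 5, DSCP, total length, id, DF flag, TTL 64, protocol TCP, checksum 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     bytes([192, 168, 1, 10]), bytes([203, 0, 113, 5]))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]  # fill in the checksum
    return ethernet + ip + tcp


def dissect(frame: bytes) -> dict:
    """Walk the frame layer by layer, like the Packet Details pane."""
    layers = {"Frame": {"length_bytes": len(frame), "length_bits": len(frame) * 8,
                        "range": (0, len(frame))}}
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers["Ethernet II"] = {"dst": mac_str(dst), "dst_oui": mac_str(dst[:3]),
                             "src": mac_str(src), "src_oui": mac_str(src[:3]),
                             "ethertype": ethertype, "range": (0, 14)}
    if ethertype != 0x0800:
        return layers  # not IPv4; stop rather than misparse the payload
    (ver_ihl, _dscp, total_len, ident, flags_frag, ttl, proto, _csum,
     src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    ihl = (ver_ihl & 0x0F) * 4
    ip_end = 14 + ihl
    layers["Internet Protocol Version 4"] = {
        "version": ver_ihl >> 4, "header_length": ihl, "total_length": total_len,
        "identification": ident, "dont_fragment": bool(flags_frag & 0x4000),
        "ttl": ttl, "protocol": IP_PROTOCOLS.get(proto, str(proto)),
        "src": ".".join(map(str, src_ip)), "dst": ".".join(map(str, dst_ip)),
        "checksum_ok": ip_checksum(frame[14:ip_end]) == 0, "range": (14, ip_end)}
    if proto != 6:
        return layers
    (sport, dport, seq, ack, off_res, flags, window, _csum,
     _urg) = struct.unpack("!HHIIBBHHH", frame[ip_end:ip_end + 20])
    tcp_len = (off_res >> 4) * 4
    layers["Transmission Control Protocol"] = {
        "src_port": sport, "dst_port": dport, "dst_service": WELL_KNOWN_PORTS.get(dport),
        "seq": seq, "ack": ack, "window": window,
        "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)],
        "header_length": tcp_len, "options": frame[ip_end + 20:ip_end + tcp_len].hex(),
        "range": (ip_end, ip_end + tcp_len)}
    return layers


def packet_bytes(frame: bytes, highlight=(0, 0)) -> str:
    """Render offset / hex / ASCII like the Packet Bytes pane, wrapping the
    bytes of the selected layer in [ ] where Wireshark would highlight them."""
    lo, hi = highlight
    lines = []
    for off in range(0, len(frame), 16):
        chunk = frame[off:off + 16]
        hexpart = " ".join(f"[{b:02x}]" if lo <= off + i < hi else f"{b:02x}"
                           for i, b in enumerate(chunk))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {hexpart}  {text}")
    return "\n".join(lines)


if __name__ == "__main__":
    frame = build_sample_frame()
    layers = dissect(frame)
    for name, fields in layers.items():
        print(name)
        for key, value in fields.items():
            print(f"    {key}: {value}")
    # Select the TCP layer, as clicking it in Packet Details would.
    print(packet_bytes(frame, layers["Transmission Control Protocol"]["range"]))
```

Two things worth noticing when you run it. The Ethernet layer's destination MAC is the router's, not the server's, exactly as discussed above, because the MAC header is rewritten at every hop. And the checksum check is what lets Wireshark flag a damaged header: flip a single bit in the TTL byte (offset 22) and `checksum_ok` turns false, which is the same signal Wireshark gives with a "checksum incorrect" line in the IP entry.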

Final Thoughts

If you flick through the network logs you took, I am sure you will be able to identify many packets you sent. Or perhaps they were sent by an automated process on your computer, like my Dropbox entries. It can be very interesting to see what is going on. Hopefully you can understand why I find Wireshark to be so useful. Because I find it this useful, I'm awarding it a 10/10 rating.

Wireshark has everything you would need when it comes to traffic analysis, and much much more on top. Even if you have no use for it now, try to remember the name — it may become useful to you in the future.

If you have any comments, can recommend similar programs, or know of a good network utility to rival Wireshark, leave a note in the comments section. Thank you so much for reading!


Summary

An excellent tool to perform detailed analysis of your network traffic.

Rating: 10/10