How to use Wireshark to capture information on the net and intercept traffic

Wireshark is one of the best-known network analysis tools in the world, both because it is free and because it works well and is not too difficult to use.
Its fame, however, comes from the fact that with this program it is possible to filter, capture and spy on the packets and information that travel within a computer network.
Spying on packets, as seen in a general guide (Entering a protected wifi network to capture packets and spying on what you do on the internet), allows you to read any information that travels in the clear between the PC and the internet.
This means that if two people are in the same office or home and connect to the same network (or the same router) to go on the internet, the two PCs can see each other, and from one of them it is possible, using Wireshark, to capture the other's information, including the websites visited, plaintext passwords (on non-https sites), emails, chats and so on.
Wireshark, however, is above all a very powerful network analysis program also used by professional technicians, so let's see how to use it seriously.
You can download Wireshark for Windows or Mac OS X from its official website.
If you are using Linux or another UNIX-like system, Wireshark should be in the distribution software repository.
After downloading and installing Wireshark, you can start it; the first thing to do is select the correct network interface to analyze.
For example, if you want to capture traffic on the wireless network, click the wifi network card; if the network used is wired, choose the LAN connection, and so on.
As soon as you select an interface, you will see that all the information passing over the network appears in a continuously scrolling list.
If you capture on a network shared by several computers (such as a wifi network) and have enabled capture in promiscuous mode, you will also see the packets of the other computers connected to the same network.
Capture in promiscuous mode is possible from a Windows PC only by installing the WinPcap drivers, which are included in the Wireshark installation package.
In the upper left corner you can stop the capture at any time and halt traffic acquisition.
Wireshark shows captured data in different colors to help identify traffic types more easily.
By default, TCP traffic is green, DNS traffic is dark blue and UDP traffic is light blue; black marks TCP packets with problems.
To get started and check that it works, browse the internet by opening a few websites and make sure that data and information are being captured by Wireshark.
HTTP calls are those related to web traffic and can be the most interesting if you want to find browsing information such as the sites visited.
You can also download a sample file for analysis in Wireshark for
To avoid getting lost in the sea of generated data, it is important to use packet filtering rules.
The easiest way to apply a filter is to type a search key in the filter box at the top of the window and click Apply.
For example, typing "http" shows only the connections made through the browser on the internet.
Each packet can be inspected: just right-click on it to see more details and the TCP Stream, i.e. the history of the steps taken (for example, if you search Google for several things, you can review the entire flow).
More specific filters can be applied from the Analyze menu.
When capturing packets, it can be inconvenient and hard to follow the flow of sniffed data and information on the network because only IP addresses are displayed.
However, it is possible to convert IP addresses into domain names (for http traffic this means seeing the names of the websites) by enabling the feature from the Edit menu -> Preferences -> Name Resolution and activating "Enable Network Name Resolution".
When you enable this option you will see domain names instead of IP addresses but, since Wireshark has to look up each domain name, DNS requests increase and so does the flow of data.
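As an added example (not code from the original article), the following Python script does by hand what the "http" display filter and packet inspection show in Wireshark: it reads a pcap file, keeps only IPv4/TCP frames and reports the request line and Host header of every HTTP request sent in the clear to port 80. The capture is constructed inline (source 192.168.2.3 as in the article, destination 203.0.113.10 from the documentation range, host example.test); it also contains a TLS record sent to port 443, which is skipped, which is exactly why plaintext passwords are only visible on non-https sites.

```python
import struct

def build_frame(dport, payload, dst=bytes([203, 0, 113, 10])):
    """Build one Ethernet/IPv4/TCP frame (constructed sample, not real traffic)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     1, 0, 64, 6, 0, bytes([192, 168, 2, 3]), dst)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload  # EtherType 0x0800 = IPv4

def build_sample_pcap():
    """A two-packet pcap: a plaintext HTTP request and the start of a TLS record."""
    frames = [build_frame(80, b"GET /login?user=bob HTTP/1.1\r\nHost: example.test\r\n\r\n"),
              build_frame(443, b"\x16\x03\x01\x00\x05hello")]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f  # per-packet header
    return out

def parse_pcap(data):
    """Return (src, dst, sport, dport, payload) for each IPv4/TCP frame in a pcap."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    pos, packets = 24, []
    while pos + 16 <= len(data):
        caplen = struct.unpack(endian + "IIII", data[pos:pos + 16])[2]
        frame = data[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:  # IPv4 with protocol TCP only
            continue
        ihl = (frame[14] & 0x0F) * 4  # IPv4 header length in bytes
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = 14 + ihl
        sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
        payload = frame[tcp + (frame[tcp + 12] >> 4) * 4:]  # skip TCP header + options
        packets.append((src, dst, sport, dport, payload))
    return packets

def cleartext_http_requests(data):
    """Request line and Host of HTTP requests readable in clear (port 80); TLS is skipped."""
    found = []
    for src, dst, sport, dport, payload in parse_pcap(data):
        if dport == 80 and payload.startswith((b"GET ", b"POST ")):
            lines = payload.split(b"\r\n")
            host = next((ln[6:].decode() for ln in lines if ln.startswith(b"Host: ")), "")
            found.append((src, dst, lines[0].decode(), host))
    return found

if __name__ == "__main__":
    print(cleartext_http_requests(build_sample_pcap()))
```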
If you want to set up automatic packet capture on your computer, you can create a desktop shortcut that starts Wireshark quickly.
After creating the shortcut, right-click it, open its properties and, in the field labeled "Destination" (Target), add a space after the closing quotation mark followed by -i # -k.
Instead of #, put the number of the network card to monitor, according to the order Wireshark shows during interface selection.
Capturing traffic from other computers connected to the same network is perhaps its most entertaining use, the one that makes us a bit of a hacker in our own small way (it's not that easy, however).
If you want to record network traffic and spy on information passing through a router, server or other computer, you must use Wireshark's remote capture, which on Windows uses the WinPcap driver.
After it has been installed, open the Windows Services window (click Start and type the Services.msc command in the Search or Run box).
In the list of services, find and start the one called Remote Packet Capture Protocol.
This service is disabled by default.
Click Capture Options in the initial Wireshark window and select Remote in the Interface box.
Then enter the address of the remote system (e.g. 192.168.2.3) and 2002 as the port.
For this to work, you must be able to reach port 2002 on the remote system, so you will need to open this port on the firewall or router.
Once connected, you can select an interface on the remote system from the box listing the network cards and click Start to begin recording the connections made from that computer.
In this video you can see a well-made introductory tutorial on how to use Wireshark.

Wireshark is an extremely powerful tool, even if only the most experienced users can understand it thoroughly and use it for every type of operation on a network.
This tutorial is only an introduction to everything you can do (here is the full manual in English); just know that professionals use it to debug network protocol implementations, to analyze security problems and to monitor traffic in companies.
Finally, one last recommendation: many organizations do not allow Wireshark or similar tools on their networks (it is a privacy issue), so you should not risk using it in the office unless you have permission.
If you want to try simpler programs, I recommend downloading the Nirsoft tools to sniff the PC's network traffic and see visited sites, internet searches and passwords.
