Traffic capturing using Wireshark
- Aug 30, 2019
Wireshark is a tool for capturing and analysing the packets coming into and going out of the system. After launching Wireshark, a GUI window appears that is divided into three parts: the packet list, the packet layers (protocol details) and the packet data (in hexadecimal format).
Deliverable:
In Kali Linux Terminal
~# wireshark
The Wireshark GUI will open.
Goto
--> Capture Menu
--> Interface (select appropriate interface for which you want to capture the traffic)
--> Start
Ex. Let's look at Wireshark packet analysis of the TCP three-way handshake. The TCP handshake occurs in three separate steps. In the first step, the device that wants to communicate (host A) sends a TCP packet to its target (host B). This initial packet contains no data other than the lower-layer protocol headers. The TCP header in this packet has the SYN flag set and includes the initial sequence number and maximum segment size (MSS) that will be used for the communication process. Host B responds to this packet by sending a similar packet with the SYN and ACK flags set, along with its initial sequence number. Finally, host A sends one last packet to host B with only the ACK flag set. Once this process is completed, both devices should have all of the information they need to begin communicating properly.
The first packet in this capture represents our initial SYN packet (see Figure). The packet is transmitted from 192.168.42.169 on port 49212 to 74.125.236.131 on port 443. We can see here that the sequence number transmitted is 0.

Fig. Initial SYN packet
The second packet in the handshake is the SYN/ACK response from 74.125.236.131 (see Figure). This packet also contains this host’s initial sequence number (0) and an acknowledgment number (1). The acknowledgment number shown here is one more than the sequence number included in the previous packet, because this field is used to specify the next sequence number the host expects to receive.

Fig. The SYN/ACK response packet
The final packet is the ACK packet sent from 192.168.42.169 (see Figure). This packet, as expected, contains the sequence number 1 as defined in the previous packet’s Acknowledgment Number field.

Fig. The Final ACK packet
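The handshake just described, decoded from raw bytes the way Wireshark's detail pane does it. This is an added example and not code from the original post: the three packets are constructed here with the addresses and ports shown in the figures (192.168.42.169:49212 to 74.125.236.131:443) and arbitrary initial sequence numbers, and the decoder reports relative sequence and acknowledgment numbers (each side's ISN mapped to 0), which is why Wireshark shows seq 0, ack 1 and seq 1 rather than the 32-bit values actually on the wire. The analyse_handshake check also flags a capture whose three packets do not form SYN, SYN/ACK, ACK in that order.

```python
"""Decode the three TCP handshake packets from raw IPv4/TCP bytes.

Added example, not code from the original post. Sample packets are
constructed below (no Ethernet frame, checksums left at zero).
"""
import socket
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_packet(src, dst, sport, dport, seq, ack, flags, mss=None):
    """Build a minimal IPv4 + TCP packet (constructed sample data, checksums 0)."""
    options = struct.pack("!BBH", 2, 4, mss) if mss else b""   # kind 2 = MSS
    data_offset = (20 + len(options)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      data_offset << 4, flags, 65535, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


def parse_packet(raw):
    """Turn the hexadecimal bytes into named fields, as Wireshark's detail pane does."""
    ihl = (raw[0] & 0x0F) * 4
    if raw[9] != 6:
        raise ValueError("not a TCP packet")
    src, dst = socket.inet_ntoa(raw[12:16]), socket.inet_ntoa(raw[16:20])
    tcp = raw[ihl:]
    sport, dport, seq, ack, off_byte, flags = struct.unpack("!HHIIBB", tcp[:14])
    doff = (off_byte >> 4) * 4
    mss, opts, i = None, tcp[20:doff], 0
    while i < len(opts):                      # walk TCP options for the MSS value
        kind = opts[i]
        if kind == 0:
            break
        if kind == 1:                         # NOP
            i += 1
            continue
        length = opts[i + 1]
        if kind == 2 and length == 4:
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "seq": seq, "ack": ack, "flags": flags, "mss": mss}


def flag_names(flags):
    names = [(TCP_SYN, "SYN"), (TCP_ACK, "ACK"), (TCP_FIN, "FIN"),
             (TCP_RST, "RST"), (TCP_PSH, "PSH")]
    return "/".join(n for bit, n in names if flags & bit) or "none"


def analyse_handshake(packets):
    """Check SYN, SYN/ACK, ACK ordering and return relative seq/ack per packet."""
    p1, p2, p3 = (parse_packet(r) for r in packets)
    client_isn, server_isn = p1["seq"], p2["seq"]

    def rel(p):
        # Relative numbering as Wireshark displays it: subtract the sender's ISN
        # from seq and the peer's ISN from ack; no ACK flag means ack is not valid.
        fwd = p["src"] == p1["src"]
        seq = p["seq"] - (client_isn if fwd else server_isn)
        ack = (p["ack"] - (server_isn if fwd else client_isn)) if p["flags"] & TCP_ACK else 0
        return seq & 0xFFFFFFFF, ack & 0xFFFFFFFF

    ok = (p1["flags"] & (TCP_SYN | TCP_ACK) == TCP_SYN
          and p2["flags"] & (TCP_SYN | TCP_ACK) == (TCP_SYN | TCP_ACK)
          and p3["flags"] & (TCP_SYN | TCP_ACK) == TCP_ACK
          and p2["ack"] == (client_isn + 1) & 0xFFFFFFFF
          and p3["ack"] == (server_isn + 1) & 0xFFFFFFFF
          and p3["seq"] == (client_isn + 1) & 0xFFFFFFFF)
    steps = [(f"{p['src']}:{p['sport']} -> {p['dst']}:{p['dport']}",
              flag_names(p["flags"]), *rel(p)) for p in (p1, p2, p3)]
    return ok, steps


# Constructed sample handshake using the endpoints from the post; ISNs are arbitrary.
CLIENT, SERVER = "192.168.42.169", "74.125.236.131"
CLIENT_ISN, SERVER_ISN = 0x1A2B3C4D, 0x7F00FF00
HANDSHAKE = [
    build_packet(CLIENT, SERVER, 49212, 443, CLIENT_ISN, 0, TCP_SYN, mss=1460),
    build_packet(SERVER, CLIENT, 443, 49212, SERVER_ISN, CLIENT_ISN + 1,
                 TCP_SYN | TCP_ACK, mss=1430),
    build_packet(CLIENT, SERVER, 49212, 443, CLIENT_ISN + 1, SERVER_ISN + 1, TCP_ACK),
]

if __name__ == "__main__":
    valid, steps = analyse_handshake(HANDSHAKE)
    print("handshake valid:", valid)
    for endpoints, flags, seq, ack in steps:
        print(f"{endpoints:40} {flags:8} seq={seq} ack={ack}")
```

Running the block prints the three rows with relative seq/ack 0/0, 0/1 and 1/1, matching the three figures; the absolute sequence numbers in the dicts returned by parse_packet are what actually travels on the wire.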
Thus Wireshark serves both for packet capture and for packet analysis, since it converts the unreadable hexadecimal data into a human-readable format.
You can also filter the traffic as per your requirement.
Ex. Suppose you want to see only those packets going to a specific (destination) IP address. Then you can use the following filter in the Filter Box:
ip.dst == {destination IP address}
and click on Apply.
Or
Ex. Suppose you want to see only HTTP packets, then use:
http
and click on Apply. (The filter tcp would show all TCP traffic, not only HTTP.)
Similarly you can use many filters.
If you want the complete connection stream with all contents of the connection, right-click a specific packet and select 'Follow TCP Stream'.
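Display filters and Follow TCP Stream as a small model, added here as an example and not part of the original post. The packets are constructed dicts carrying the fields Wireshark shows (addresses, ports, flags, relative sequence number, payload); the filter matcher supports only the three expressions discussed above (tcp, http and ip.dst == address, handled with a hand-written parser that is an assumption for illustration, not Wireshark's real filter engine), and follow_tcp_stream reassembles both directions of the selected packet's conversation in sequence order, dropping a retransmitted segment so it does not appear twice.

```python
"""Minimal display-filter matcher and TCP stream follower over constructed packets.

Added example, not code from the original post. The filter grammar below is a
tiny illustrative subset assumed for this example, not Wireshark's own parser.
"""
import re

ADDR_FILTER = re.compile(r"^\s*ip\.(src|dst)\s*==\s*(\S+)\s*$")
HTTP_START = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|HTTP/1\.[01]) ")


def pkt(src, sport, dst, dport, flags, seq, payload, proto="tcp"):
    """Packet record shaped like the fields Wireshark lists (constructed data)."""
    return {"proto": proto, "src": src, "sport": sport, "dst": dst,
            "dport": dport, "flags": flags, "seq": seq, "payload": payload}


def matches(packet, display_filter):
    """Return True if the packet passes the display filter."""
    f = display_filter.strip()
    if f == "tcp":
        return packet["proto"] == "tcp"
    if f == "http":
        # Wireshark dissects HTTP from the payload; TLS on port 443 does not match.
        return packet["proto"] == "tcp" and bool(HTTP_START.match(packet["payload"]))
    m = ADDR_FILTER.match(f)
    if m:
        return packet[m.group(1)] == m.group(2)
    raise ValueError(f"unsupported filter: {display_filter!r}")


def apply_filter(packets, display_filter):
    return [p for p in packets if matches(p, display_filter)]


def follow_tcp_stream(packets, selected):
    """Reassemble both directions of the conversation the selected packet belongs to.

    Returns {(addr, port): bytes} keyed by the sending endpoint of each direction.
    Segments are ordered by sequence number; a segment whose seq lies before the
    next expected byte (a retransmission) is skipped. Gaps are not detected.
    """
    a = (selected["src"], selected["sport"])
    b = (selected["dst"], selected["dport"])
    conv = [p for p in packets if p["proto"] == "tcp"
            and {(p["src"], p["sport"]), (p["dst"], p["dport"])} == {a, b}]
    out, next_seq = {a: b"", b: b""}, {}
    for p in sorted(conv, key=lambda p: ((p["src"], p["sport"]), p["seq"])):
        key = (p["src"], p["sport"])
        if not p["payload"]:
            continue
        if p["seq"] < next_seq.get(key, p["seq"]):
            continue                       # retransmitted bytes already shown
        out[key] += p["payload"]
        next_seq[key] = p["seq"] + len(p["payload"])
    return out


# Constructed capture: the post's TLS handshake, an HTTP exchange with a
# retransmitted request, and one non-TCP packet. 203.0.113.10 is a documentation address.
GET = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
RESP = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
PACKETS = [
    pkt("192.168.42.169", 49212, "74.125.236.131", 443, "SYN", 0, b""),
    pkt("74.125.236.131", 443, "192.168.42.169", 49212, "SYN/ACK", 0, b""),
    pkt("192.168.42.169", 49212, "74.125.236.131", 443, "ACK", 1, b""),
    pkt("192.168.42.169", 51000, "203.0.113.10", 80, "PSH/ACK", 1, GET),
    pkt("203.0.113.10", 80, "192.168.42.169", 51000, "PSH/ACK", 1, RESP),
    pkt("192.168.42.169", 51000, "203.0.113.10", 80, "PSH/ACK", 1, GET),   # retransmission
    pkt("192.168.42.169", 5353, "224.0.0.251", 5353, "", 0, b"\x00\x00", proto="udp"),
]

if __name__ == "__main__":
    for expr in ("tcp", "http", "ip.dst == 74.125.236.131"):
        print(f"{expr:28} -> {len(apply_filter(PACKETS, expr))} packets")
    for endpoint, data in follow_tcp_stream(PACKETS, PACKETS[3]).items():
        print(endpoint, data)
```

The tcp filter keeps six packets while http keeps only the three carrying HTTP messages (the port-443 handshake is TCP but not HTTP), which is the difference a practitioner needs when the goal is to isolate one application protocol rather than a transport.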