Wireshark-users: Re: [Wireshark-users] I am new

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Sat, 1 Nov 2008 13:38:58 -0700

On Nov 1, 2008, at 10:41 AM, Meena Zala wrote:

> I am new, and I am interested in Wireshark. I also read the booklet,

Which booklet is that?

> but still I have some questions. Hope you can help me.

> 1. What is Wireshark for?

Capturing and analyzing network traffic, in order to:

	solve networking problems;

	debug software that performs networking operations;

	reverse-engineer networking protocols;

	determine what software and equipment is doing on a network (people have used it to, for example, discover that some software installed on their computer "phones home");

	etc.

See

	http://en.wikipedia.org/wiki/Packet_sniffer

for information on packet sniffers such as Wireshark; in particular, see the Uses section.

> 2. How do I start the protocol? If I go on start (option capture)

I.e., you select "Options" from the "Capture" menu, and click "Start"?

> no data are being captured.

Did you select "Update list of packets in real time" in the "Display Options" section of the dialog?

If you didn't select "Update list of packets in real time", there should be a dialog with the title "Wireshark: Capture from {interface}", where "{interface}" is the interface on which you're capturing, with a table giving protocols, packet counts, and percentages; are no packets showing up?

If you did select "Update list of packets in real time", that dialog might show up (depending on whether you checked "Hide capture info dialog" or not), and the main display should show packets arriving; are no packets showing up?

Do packets not show up even if, for example, you start up a Web browser and go to some Web sites?

On what interface are you capturing?

> 3. How can I capture my internet protocol?

Run Wireshark and capture on your main network interface.

> If I keep Wireshark running, and I go on my email, will it show my password?

It will show your machine connecting to the email server. Whether it shows your password depends on whether the password is sent over the network in some encrypted form or not. If, for example, you're using Web mail that uses SSL/TLS (https: rather than http:), or if you're using POP or IMAP with SSL/TLS, the session will be encrypted and, unless you have the keys necessary to decrypt it, you won't be able to see your password.

See, for example:

	http://wiki.wireshark.org/SSL

> 4. Can I capture other computers' internet protocols?

Possibly.

> How?

If you're on a wireless network, you might be able to capture the traffic in "promiscuous" or "monitor" mode, although if your network uses WEP or WPA/WPA2, it will, again, be encrypted, and, without the necessary keys, you won't be able to decrypt the traffic. (This decryption is separate from, for example, the encryption used for SSL/TLS; SSL/TLS traffic over a WEP-protected or WPA-protected network is encrypted twice, and you'd need to set up Wireshark to decrypt at *both* layers.)

See, for example:

	http://wiki.wireshark.org/CaptureSetup/WLAN

	http://wiki.wireshark.org/HowToDecrypt802.11

If you're on an Ethernet network, whether you will be able to capture traffic not sent to your machine or from your machine depends on how the network is configured. If the network has a "real" hub, it should be possible (unless it's a "dual-speed" hub and there are both 10Mb/sec and 100Mb/sec hosts on the network). If the network has a switch (some "hubs" are really switches), you probably won't be able to capture traffic to or from other hosts unless the switch is a "managed" switch with support for "port mirroring", and you capture on a "mirrored" port. See, for example:

	http://wiki.wireshark.org/CaptureSetup/Ethernet

> Can I also capture someone who is not on the network?

Not on which network? There is no traffic to or from a host that's not on *any* network, so presumably you're referring to your network at home or at work.

You (probably) won't, for example, be able to capture traffic on the Internet backbone, as you (probably) don't have access to the equipment on the Internet backbone. You won't be able to capture traffic on the Wi-Fi network I have at home, as you're probably not within radio range of it (and if you were, it's WPA-protected anyway :-)), or on the Ethernet network we have in our building, or on the Ethernet network we have at work (unless you work there, and you're not in the employee directory :-)), or even, if you *did* work there, on a network segment other than the one into which your machine is plugged.

> 5. How can I find out the IP Address of another user?

Ask them. :-)

> How do I find out my own IP Address?

That depends on the operating system running on your machine; what operating system (and what version of that operating system) is it running?
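The point in the reply to question 3 (a sniffer shows a password only if the password crosses the wire in the clear; an SSL/TLS session is opaque without the keys) can be checked without a GUI at all. The following is an added example, not code from this thread or from the Wireshark project: a minimal classic-pcap reader that walks Ethernet/IPv4/TCP frames, reports HTTP Basic and POP3 `PASS` credentials sent in plaintext, and labels TLS handshake records as unreadable. The capture it inspects is constructed inline (the MAC and IP addresses, ports, and the `meena:hunter2` credential are made-up sample data, not a real capture), so it runs offline.

```python
"""Added example: flag cleartext credentials in a pcap, mark TLS as opaque.
All frames below are constructed in this file; nothing is read from the network."""
import base64
import struct

ETH_HDR = (b"\x00\x11\x22\x33\x44\x55"    # dst MAC (constructed)
           + b"\x66\x77\x88\x99\xaa\xbb"  # src MAC (constructed)
           + b"\x08\x00")                 # EtherType: IPv4

def _frame(src_ip, dst_ip, sport, dport, payload):
    """Build a constructed Ethernet/IPv4/TCP frame. Checksums are left at
    zero because the reader below never validates them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return ETH_HDR + ip + tcp + payload

def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap (magic 0xA1B2C3D4, link type 1)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1225555200 + i, 0, len(f), len(f))  # ts, ts_usec, incl, orig
        out += f
    return bytes(out)

def iter_frames(pcap):
    """Yield link-layer frames from a classic pcap in either byte order."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len

def parse_tcp(frame):
    """Return (src, dst, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6:                    # IPv4 protocol field: 6 = TCP
        return None
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    t = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[t:t + 4])
    data_off = (frame[t + 12] >> 4) * 4
    return src, dst, sport, dport, frame[t + data_off:]

def inspect_payload(payload):
    """Classify what a sniffer sees: ('tls', None) for a TLS handshake record,
    ('http-basic', 'user:pass') or ('pop3-pass', 'pass') for cleartext logins,
    ('other', None) otherwise."""
    if payload[:1] == b"\x16" and payload[1:2] == b"\x03":
        return ("tls", None)              # opaque without the session keys
    text = payload.decode("ascii", "replace")
    for line in text.split("\r\n"):
        if line.lower().startswith("authorization: basic "):
            try:
                creds = base64.b64decode(line.split(" ", 2)[2]).decode("utf-8", "replace")
            except ValueError:
                continue
            return ("http-basic", creds)
        if line.upper().startswith("PASS "):
            return ("pop3-pass", line[5:])
    return ("other", None)

def audit(pcap):
    """List (flow, kind, secret) for every TCP segment in the capture."""
    findings = []
    for frame in iter_frames(pcap):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, payload = parsed
        kind, secret = inspect_payload(payload)
        findings.append((f"{src}:{sport}->{dst}:{dport}", kind, secret))
    return findings

# Constructed sample capture: one plain-HTTP login, one POP3 login, one TLS hello.
SAMPLE_PCAP = build_pcap([
    _frame("192.168.1.10", "203.0.113.5", 50001, 80,
           b"GET /inbox HTTP/1.1\r\nHost: mail.example.test\r\n"
           b"Authorization: Basic " + base64.b64encode(b"meena:hunter2") + b"\r\n\r\n"),
    _frame("192.168.1.10", "203.0.113.6", 50002, 110, b"PASS hunter2\r\n"),
    _frame("192.168.1.10", "203.0.113.5", 50003, 443,
           b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),
])

if __name__ == "__main__":
    for flow, kind, secret in audit(SAMPLE_PCAP):
        print(flow, kind, secret if secret else "(nothing readable)")
```

Running it lists the HTTP and POP3 logins with the recovered password and reports the port-443 segment as `tls` with nothing readable, which is exactly the distinction the reply draws: the same password is visible on port 80 or 110 and invisible inside TLS unless the keys are supplied.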