Wireshark – Network Protocol Analyzer Tool for RHEL/CentOS/Fedora

Wireshark is an open source, freely available network analyzer tool that now ships with most Linux distributions. Wireshark also runs on various Unix-like operating systems such as Mac OS X, BSD and Solaris, as well as on Windows. Wireshark is very similar to tcpdump, but has a graphical front-end, and filtering and sorting options are integrated within it. Here, we install Wireshark using yum commands on our RHEL 6.3 system.

Install Wireshark in Linux

Wireshark Requirements

You need to have the following packages installed on your system before installing the Wireshark tool.

  1. GTK+ : A multi-platform toolkit used for creating graphical user interfaces.
  2. GLib : A cross-platform utility library for applications written in C.
  3. libpcap : Captures packets at user level and provides a portable framework for network monitoring.
  4. gcc : The GNU Compiler Collection, used to compile C and C++ applications.

The installation instructions below show how to install the Wireshark tool on RHEL 6.3/6.2/6.1/6/5.8, CentOS 6.3/6.2/6.1/6/5.8 and Fedora 17, 16, 15, 14, 13, 12 using the yum command. yum resolves all dependency issues automatically, and this is the beauty of yum commands.

Install Wireshark in RHEL/CentOS 6/5 and Fedora 17-12

Step 1: Installing Wireshark using Yum

To install the wireshark package you need root privileges; the step below shows how to install it using the yum tool.

[root@tecmint ~]# yum -y install wireshark

Step 2: Installing Wireshark-Gnome GUI using Yum

For the GUI you must also install wireshark-gnome, again using yum with the -y option.

[root@tecmint ~]# yum -y install wireshark-gnome

Step 3: Running Wireshark

To start Wireshark, execute the following command in the terminal.

[root@tecmint ~]# wireshark
Wireshark Welcome Screen

Step 4: Wireshark Configuration and Usage

Once Wireshark is installed, start it up; to begin capturing, choose the desired interface and press Start in the Capture Interfaces dialog. You'll see a pop-up window similar to the one below.

Wireshark Capture Interface

As shown below, the Wireshark window is divided into three panes: top, middle and bottom.

Wireshark Capturing eth0

Top : Each row in the top pane of the Wireshark window corresponds to a single packet seen on the network. You can drill down and obtain more information by clicking on a row; this fills the bottom two panes with information about that packet.

Middle : The middle pane contains drill-down details on the packet selected in the top pane.

Bottom : The bottom pane shows the contents of the packet in both hexadecimal and ASCII representations.

Step 5: Filter by Source IP Address

Entering the following in the filter bar restricts the packet view to packets from the given source IP, as shown below.

ip.src==192.168.0.2
Wireshark - Filter by source IP Address

Step 6: Filter by Destination IP Address

This restricts the packet view in Wireshark to only those packets whose destination IP matches the address given in the filter.

ip.dst==69.171.228.70
Wireshark - Filter by destination IP Address

Step 7: Filter by Protocol

This restricts the packet view in Wireshark to HTTP packets only.

http
Wireshark - Filter by Protocol

Step 8: Filter by || (OR) Condition

This shows the packets that match either one condition or the other.

http||arp
Wireshark - Filter by || (OR) Condition

Step 9: Filter by && (AND) Condition

This restricts the packet view in Wireshark to TCP packets whose source IP is 192.168.0.2.

tcp&&ip.src==192.168.0.2
Wireshark - Filter by && (AND) condition

Step 10: Filter by Port Number

Filter by TCP port number 80.

tcp.port eq 80
Wireshark - Filter by Port number

Tips : In addition to the above, you can click the ‘Expression…’ button to discover all available filters. You can also save the captured data to analyze later.
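As an added example, not code from the original article, the Python script below applies the six display filters used in Steps 5 to 10 to a small constructed capture and reports which frames each filter keeps. The frames, addresses and ports are made up, and the script implements only the subset of Wireshark's filter grammar that appears on this page (bare protocol names, == / eq, && and ||, with tcp.port matching either the source or the destination port), not Wireshark's full filter engine.

```python
import re
# Constructed sample capture (not a real trace): per frame, the layers present and decoded fields.
PACKETS = [
    {"no": 1, "layers": {"eth", "arp"}},
    {"no": 2, "layers": {"eth", "ip", "tcp", "http"}, "ip.src": "192.168.0.2",
     "ip.dst": "69.171.228.70", "tcp.srcport": 51000, "tcp.dstport": 80},
    {"no": 3, "layers": {"eth", "ip", "tcp", "http"}, "ip.src": "69.171.228.70",
     "ip.dst": "192.168.0.2", "tcp.srcport": 80, "tcp.dstport": 51000},
    {"no": 4, "layers": {"eth", "ip", "udp", "dns"}, "ip.src": "192.168.0.2",
     "ip.dst": "192.168.0.1", "udp.srcport": 40000, "udp.dstport": 53},
    {"no": 5, "layers": {"eth", "ip", "tcp"}, "ip.src": "192.168.0.7",
     "ip.dst": "192.168.0.2", "tcp.srcport": 4444, "tcp.dstport": 22},
]
# In Wireshark, tcp.port matches either the source or the destination port.
COMPOSITE = {"tcp.port": ("tcp.srcport", "tcp.dstport")}


def compile_filter(expr):
    """Compile the filter subset used on this page into a predicate over a frame:
    or := and ('||' and)*; and := atom ('&&' atom)*; atom := proto | field ('=='|'eq') value."""
    tokens = re.findall(r"\|\||&&|==|[\w.]+", expr)  # operators and bare words
    peek = lambda: tokens[0] if tokens else None  # noqa: E731

    def atom():
        name = tokens.pop(0)
        if peek() not in ("==", "eq"):
            return lambda p: name in p["layers"]  # bare protocol: layer present
        tokens.pop(0)  # the '==' / 'eq' operator
        value, fields = tokens.pop(0), COMPOSITE.get(name, (name,))
        # Compare as strings so "80" in the filter matches the decoded integer 80.
        return lambda p: any(f in p and str(p[f]) == value for f in fields)

    def conj():  # '&&' binds tighter than '||', as in Wireshark
        terms = [atom()]
        while peek() == "&&":
            tokens.pop(0)
            terms.append(atom())
        return lambda p: all(t(p) for t in terms)

    disj = [conj()]
    while peek() == "||":
        tokens.pop(0)
        disj.append(conj())
    if tokens:
        raise ValueError(f"unexpected token {tokens[0]!r} in {expr!r}")
    return lambda p: any(d(p) for d in disj)


def matching_frames(expr, packets=PACKETS):  # frame numbers the filter keeps
    pred = compile_filter(expr)
    return [p["no"] for p in packets if pred(p)]
```

Running `matching_frames("tcp.port eq 80")` on the sample returns frames 2 and 3, one for each direction of the HTTP connection, which is why the port filter is usually preferred over tcp.dstport when you want the whole conversation.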

This article is for those who want to debug and analyze the packets to and from their network interfaces. Try it out and share your views through the comment box below.

He has over 10 years of rich IT experience, including various Linux distros, FOSS and networking. Narad always believes in sharing IT knowledge with others and adopts new technology with ease.

4 Responses

  1. muthii says:

    Thanks for putting this up I needed to analyze some traffic on my box.

  2. Niranjan says:

    Hi, thanks for the very descriptive info on Wireshark. It was very helpful.

    However, I am facing some issues while trying to open wireshark from command prompt.

    [root@p1-vbu1-slot1-diam5 ~]# wireshark

    (wireshark:14036): Gtk-WARNING **: cannot open display:
    [root@p1-vbu1-slot1-diam5 ~]# wireshark --display=:0

    (wireshark:14047): Gtk-WARNING **: cannot open display: :0
    [root@p1-vbu1-slot1-diam5 ~]#

    Niranjan

  3. Niranjan says:

    Hi,

    Also besides the above observation, I just wanted to let you know that I have installed the gtk+, glib after installing wireshark.

This work is licensed under a (cc) BY-NC.
© 2012-2014 All Rights Reserved.