Getting Started With Wireshark On Ubuntu

Wireshark is a free and open-source tool to capture and analyze network traffic. Basically, it will intercept network packets and display their content in a nice interface, so you can analyze them. It’s available on most Linux distributions, including Ubuntu. I will show you how to install it on your computer, and share interesting features for you to use.

Wireshark can be installed on Ubuntu from the default repository. It’s available in Ubuntu software, or via the command line, by using APT: “sudo apt install wireshark”.

But once installed, the first steps might be a bit confusing if you never used it before. So keep reading for the full installation procedure, and an introduction to some of the most powerful features.

Install Wireshark on Ubuntu

Wireshark is available in the Ubuntu software (the “app store”), but it comes with a few issues related to the permissions for normal users, so I recommend using APT in a command line to install it. Here is how to do it:

• Open a terminal.
• Do the system updates first:
  sudo apt update
sudo apt upgrade
• You can then install the wireshark package with:
  sudo apt install wireshark

  It will install all the dependencies at the same time.
• During the installation, you will be asked if you want to allow normal users to run a capture:
  
  That’s the thing missing with Ubuntu software, so please answer “Yes” if you need it.
  By default, only superusers can capture packets with Wireshark.

After that, the packages will be installed on your system, just wait a few minutes.

If you need to be able to capture packets with normal users, there is another extra step to allow each user individually. The allowed users have to be added in the wireshark group.
So, if you want to allow the current user to use Wireshark captures, type the following command:
sudo usermod -a -G $USER

Your current user will be added to the group, and will have the permissions after the next reboot.
Restart your computer if you would like to try it now:
sudo reboot

How To Use Wireshark on Ubuntu

Installing Wireshark has been pretty straightforward, except for the permissions command maybe. But if it’s your first time trying it, you’ll probably need some additional help now. Let’s browse the most important features together.

First steps with Wireshark

Find the Wireshark icon in the launchpad to start it for the first time:

The main interface looks like this:

Basically, you can almost do nothing with this tool before having a network capture to analyze. You can either start a new one, or import one from a file, but you need one.

Just make sure you can see your network interfaces in the list before going further. On my screenshot, I can see “eth0”, which is my network cable interface, so I’m ready to move on.
If you can’t see anything, you have a permission issue, make sure you followed the previous section completely.

Capture network traffic

The main feature that you’ll use frequently with Wireshark is the capture. Basically, the idea is to listen to what’s happening on one of your network interfaces. If your computer is just one element of your network, it will mostly be your own network usage, and a few talks between your device and the other ones.

But when your computer or server is an important node of this network (DNS server, gateway, etc.), it will record almost anything happening on the network. This will be pretty useful for the analysis part I’ll introduce later (and it’s also used by hackers and pen-testers).

Anyway, here is how to start a capture with Wireshark:

• Select the interface you want to capture in the list.
  In general, it will be “eth0” if your computer is plugged via Ethernet, or “wlan0” if you are using a Wi-Fi connection.
• Click on the first icon in the top bar.
  You can also double-click on the interface name, use the “Capture” menu, or just press CTRL+E.
• If everything is working properly, the window starts to be filled with a table refreshing constantly:
  

Each line is a packet detected by Wireshark.
Let this run as long as needed. It will keep capturing the network traffic until you press the stop button (the red one in the top bar).

Packets analysis

After doing a capture of the network traffic, you can then analyze its content. The screen is split in three main parts:

• Packets list: the first part. Where you can see all captured packets, and use the display filters to only show those that interest you. I’ll get back to this later.
• Packet details: when you select one packet, you can see its content, in a more or less readable text format.
• Packet bytes: the exact packet content, with bytes and hexadecimal format (less useful for us ^^).

On the first part, you’ll see the macro information, like source, destination and protocol. It will help you to select the ones you are interested in. For example, if you are looking for suspect HTTP activity from 192.168.222.8, you can skip everything unrelated (like VNC and other IP addresses). I’ll show you how to filter this list in the next section.

Packet analysis with Wireshark could be a dedicated article, or even a full book on its own. So, I won’t give you more details here, but you can check the official documentation to learn more about it.

Filters

But the main issue when you are looking for something specific on Wireshark, is to filter the packets list (the first table). Devices talk quite a lot on our networks, and it might be overwhelming to see all of these packets.

That’s why Wireshark includes a field near the top of the screen, where you can enter a formula to only show the packets that are potentially interesting for you (or exclude them).
Here is a first example:
tcp.port == 80
It’s exactly what you think, it will display only the packets using the port 80 (HTTP traffic in general).

Reading these filters is quite intuitive, but instead of trying random formulas, here are some of the most useful ones:

• Filter the IP address (to analyze only one device on your network):
  ip.addr==192.168.222.8
• You can also filter the source or destination IP addresses with:
  ip.src==192.168.222.8
ip.dst==192.168.222.25
• As seen in the previous example, you can filter the ports with:
  tcp.port==80
udp.port==5060

Many other filters options are available, but those few should already be pretty useful to filter your list.
Also, you can use different operators and boolean statement to create more complex filters.
Here are a few examples:

Filter	Description
ip.src!=192.168.222.25	Source IP address is not 192.168.222.25
vnc or http	Only display VNC or HTTP protocols
ip.src==192.168.222.8 and ip.dst==192.168.222.1	Filter traffic between two devices

When you start typing something in the filter field, it will autofill with available options and your filter history. So, even if it seems complicated when you start from scratch, it will become easier and easier overtime. And as for the packet analysis, you can easily find help online for more complex filters.

Wireshark Alternatives In Command Line

If you don’t have a desktop interface, or want to do some network analysis in a terminal or via SSH, it’s possible. You just have to use other tools, as Wireshark doesn’t offer a command line interface.

Here are two alternatives you can try in this case.

Tcpdump

Tcpdump is a command-line tool you can use to capture network traffic.
You can install it with APT, it’s available in the default repository on Ubuntu and most distributions:
sudo apt install tcpdump

Using the main command will just show all the packets on your screen:
sudo tcpdump


This is not really useful.
But you can add several options to your command, to only show what you want, and store the result in a capture file, for example:
sudo tcpdump -i eth0 -w tcpdump.cap

You’ll then record only the traffic on the Ethernet network card, and save the results in a file (tcpdump.cap). Use CTRL+C to stop the capture.
What’s great is that you can then open this file with Wireshark (File > Open), and use all the nice features we have seen previously.

I’ll generally have Wireshark on my computer, do captures on my servers with tcpdump and then open the file on the computer to analyze it.
To see all the options for tcpdump, either use:
sudo tcpdump --help
or
man tcpdump

Tshark

Tshark is an alternative to Wireshark, to be used in the terminal directly. It’s created by the same developers as Wireshark, so you’ll find many similarities.

It’s also available in the default repository on most distributions, so you can install it with:
sudo apt install tshark

And then use a similar command to create a capture. But you need to create the destination file first, and add some permissions (I don’t know exactly why you need this with sudo, but it doesn’t work without it).
touch tshark.cap
chmod o+w tshark.cap
sudo tshark -i eth0 -w tshark.cap

Like with tcpdump, you can press CTRL+C to stop the capture, and import the file in Wireshark to analyze it. But tshark also has a ton of options you can use, to do the same things as in Wireshark with the command line (for example, -f allow you to use capture filters, and -Y to use display filters).

Additional Resources

Lost with the command line?
You don’t need to learn and remember everything, just download my cheat sheet where I explain the most important commands on Linux, with a brief explanation and some examples.
Download my free PDF cheat sheet.

VIP Community
If you just want to hang out with me and other Linux fans, you can also join the community. I share exclusive tutorials and behind-the-scenes content there. Premium members can also visit the website without ads.
More details here.

Need help building something with Python?
Python is a great language to get started with programming on any Linux computer.
Learn the essentials, step-by-step, without losing time understanding useless concepts.
Get the e-book now.