Wireshark Packet Capture Overview

Sep 27, 2024

Lecture Notes: Packet Capture with Wireshark

Introduction

  • Focus on capturing network traffic for analysis.
  • Discussion limited to interfaces and traffic capture using Wireshark, not analyzer placement.

Installing Wireshark

  • Packet Driver Requirement:
    • Wireshark needs a packet driver to capture traffic.
    • On Mac OS: libpcap version 1.9.1.
    • On Windows: npcap library.

Interfaces in Wireshark

  • Accessing Interfaces:
    • On Mac: Wireshark menu, then About Wireshark. On Windows: Help menu, then About Wireshark.
  • Common Interfaces:
    • Bluetooth, local area connection, Wi-Fi analysis point.
    • Virtual interfaces may appear if using VPNs or tools creating virtual adapters.
  • Traffic Activity:
    • Active interfaces show traffic, inactive ones remain flat.

Simplifying Interface Management

  • Capture Options and Interface Management:
    • Access via the setup gear icon in Wireshark.
    • Use "Manage Interfaces" to select active interfaces only.
    • Ensures a simpler interface list for efficient capture.

Snap Length Configuration

  • Purpose:
    • Limit data capture per frame (e.g., snap length 64 captures first 64 bytes).
  • Considerations:
    • Choose it carefully to avoid under-capturing: a snap length that is too small truncates headers the analysis needs.
    • Useful in secure environments where capturing full payload is unnecessary.

Buffer and Promiscuous Mode

  • Buffer Setting:
    • Default is 2 MB of kernel buffer, suitable for most environments.
  • Promiscuous Mode:
    • Must be enabled to capture all traffic, not just to/from the capturing device.

Output Configuration

  • Output Settings:
    • Configure save location and output settings.
    • Prefer smaller trace files (under 500 MB) for ease of analysis.

Long-term Capture and Ring Buffer

  • Capture Strategy:
    • Use multiple smaller PCAP files instead of one large capture.
    • Set location and naming for output files (e.g., test.pcapng).
  • Ring Buffer Usage:
    • Prevents the disk from filling up by overwriting the oldest files once the configured number is reached.
    • Set number of files and file size to manage storage and data retention.
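  • Worked example (added here, not part of the lecture): the snap length, kernel buffer, file size and ring buffer settings above expressed as a reproducible dumpcap command, plus a helper that estimates how much history a ring buffer retains. The interface name, 100 MB x 10 files and 8 Mbit/s rate are assumed sample values; the 500 MB guideline and 2 MB buffer are the ones from these notes.

```shell
#!/bin/sh
# build_capture_cmd IFACE SNAPLEN FILESIZE_MB NUM_FILES OUTFILE
# Prints the dumpcap command that matches the GUI settings; it does not run it.
build_capture_cmd() {
    iface=$1; snaplen=$2; filesize_mb=$3; num_files=$4; outfile=$5

    # Snap length must be a non-negative integer (0 = whole frame).
    # Note: 64 bytes covers Ethernet+IPv4+TCP headers (14+20+20=54) but not
    # Ethernet+IPv6+TCP (14+40+20=74), so IPv6 captures need a larger value.
    case "$snaplen" in
        ''|*[!0-9]*) echo "snaplen must be a non-negative integer" >&2; return 1 ;;
    esac
    # The notes recommend trace files under 500 MB for ease of analysis.
    if [ "$filesize_mb" -gt 500 ]; then
        echo "file size ${filesize_mb} MB exceeds the 500 MB guideline" >&2
        return 1
    fi
    # A ring buffer only makes sense with at least two files to rotate between.
    if [ "$num_files" -lt 2 ]; then
        echo "a ring buffer needs at least two files" >&2; return 1
    fi
    # dumpcap takes -b filesize in kB and -B (kernel buffer) in MB.
    # Promiscuous mode is dumpcap's default, so no -p (which would disable it).
    filesize_kb=$((filesize_mb * 1000))
    printf 'dumpcap -i %s -s %s -B 2 -b filesize:%s -b files:%s -w %s\n' \
        "$iface" "$snaplen" "$filesize_kb" "$num_files" "$outfile"
}

# ring_history_seconds FILESIZE_MB NUM_FILES RATE_MBPS
# Seconds of traffic the ring buffer retains at a given average capture rate
# (megabits per second): total retained megabytes * 8 bits / rate.
ring_history_seconds() {
    filesize_mb=$1; num_files=$2; rate_mbps=$3
    echo $(( filesize_mb * num_files * 8 / rate_mbps ))
}

# Sample usage with the assumed values (prints the command, does not capture).
build_capture_cmd en0 64 100 10 test.pcapng
echo "history retained at 8 Mbit/s: $(ring_history_seconds 100 10 8) s"
```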

Conclusion

  • Summary:
    • Effective traffic capture with Wireshark's GUI.
    • Next lesson will cover command line packet capture.

  • Stay tuned for Lesson 3: Packet capture from the command line.
  • Remember to configure interfaces and capture settings according to environment needs.