So in this lesson, it's all about packet capture. So how can we actually take data off the network and bring it into our analysis point? Now, in this lesson, we're not gonna talk about where to place the analyzer.
We're gonna leave that for a future lesson. But specifically, we're gonna talk about the interfaces that you see when you go to capture traffic with Wireshark, what they mean, and even how to do this on the command line. So first, let's go ahead and get started by looking at what happens when we install Wireshark. Now in order for Wireshark to capture traffic, it needs to use a packet driver.
So one way that we can see which one our machine is using is by going up to the top, and I'm on a Mac system here, so I'm going to go ahead and go to Wireshark, About Wireshark, and here I can see after some of those details that I can see upon the installation, if I come down here to the operating system that I'm running, here's my Mac OS, and if I come down here a little bit lower, I can see I'm using libpcap version 1.9.1. Now on my Windows box, I'll just flip over there for a moment, and if I come and do exactly the same thing, I'm going to go up to Help, I'm going to come down to About Wireshark, and here I can see on my Windows box I'm actually using the npcap library.
So what that does is that on Windows machines allows me to bring those packets into my analyzer and capture them. So while I'm on the Windows box, let's go ahead and take a look at the kind of interfaces that we see right at the outset. Now, if you ever come in here in Wireshark and you don't see anything, it's possible that we either don't have that packet capture driver installed, or it's possible that we don't have administrative access to actually access that level of the system, which we need to be able to do with Wireshark. So here I can see several interfaces on this system.
I've got Bluetooth network connection, local area connection, here's my Wi-Fi analysis point, and several different things. Now, on this machine, I don't have a lot of different physical connections to it. So many times you'll see virtual interfaces, especially if you have a lot of VPN adapters, or if you're using tools like GNS3, for example, that create virtual adapters.
Many times you'll see those in this list. Now, depending on how I'm capturing, either on the Wi-Fi or if I plug in an actual physical interface, that's where I'll start to see traffic and activity coming in.
So on that line, it won't be flat anymore. It'll actually show me where that traffic is. So on my Mac system, coming back here, I can see I have my Wi-Fi interface. I definitely have some information coming and going from there. I can see that utilization.
And I also see utun and Thunderbolt and a few other interfaces. Now again, right now I don't have a physical cable installed. And if I did, if I plugged in a cable to a Thunderbolt interface, that's where you'd probably see that light up and I'd see some activity. Now to go a little bit deeper into these interfaces.
What I'd like you to do is come up to our little setup button or capture options. Looks kind of like a setup gear. Let's go ahead and click that and that will bring us into our Wireshark capture options.
And from here you can see a little bit more detail about each one of these interfaces. Now this is where things can get a little bit confusing, especially when we have interfaces that are virtual that we just don't capture on all the time. So as a practice, what I like to do...
is I like to come into manage interfaces. And so what I'll do here is I'll just check the ones that I know I'm actively using. So for example, Wi-Fi, maybe for now I'll uncheck these guys. Maybe I'm plugging in a Thunderbolt interface, so I'll leave that one active. Or if I know for sure one of these is mapped to a VPN interface and I want to capture on that.
But what this does is it just simplifies my list. So instead of having 14 interfaces, many of which are virtual, that I may or may not be actively using,
I just like to leave that to the ones that I know for sure I'm gonna use. So I'm gonna go ahead and say, okay, and then come back to my list and I can see that that's a bit more simple now. Now, another thing I'd like to talk to you guys about is snap length.
So here, this is where I can tell Wireshark if I'm capturing traffic to only capture a certain amount of data per frame. So say I'm in a secure environment and I don't want to capture the entire payload.
This is where I can come in and I can say snap length 64. And that will just give me the first 64 bytes of the frame. And usually that's good enough to get through the Ethernet part of the frame, the IP packet information, so the IP header, and then also the TCP header values. That'll give me about what I need. Now, be careful with that because it's possible that you could under capture.
We could slice it so far that we just have such a small amount of data that it's not really useful. So it's just a good place to remember if you don't want to capture the entire payload, it's possible just to capture the first hundred or so bytes, and snap length is where you would configure that.
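To make the under-capture caveat concrete, here is an added example (not part of the course) that truncates a constructed Ethernet/IPv4/TCP frame at a given snap length and reports whether the Ethernet, IP and TCP headers survive intact. The frame bytes, addresses and TCP options are constructed for the demonstration; the point is that 64 bytes covers a bare TCP header (54 bytes) but not one carrying options.

```python
import struct

ETH_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def min_snaplen(frame: bytes) -> int:
    """Bytes needed to hold the Ethernet header, the full IPv4 header and the
    full TCP header of this frame. Lengths come from the IHL and TCP data
    offset fields, so IP/TCP options push the requirement up."""
    if len(frame) < ETH_LEN + 20:
        raise ValueError("frame too short for Ethernet + IPv4")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("only IPv4 frames are handled in this example")
    ihl = (frame[ETH_LEN] & 0x0F) * 4          # IPv4 header length in bytes
    if frame[ETH_LEN + 9] != IPPROTO_TCP:
        return ETH_LEN + ihl                     # non-TCP: stop after the IP header
    tcp_start = ETH_LEN + ihl
    data_offset = (frame[tcp_start + 12] >> 4) * 4   # TCP header length in bytes
    return tcp_start + data_offset


def check_snaplen(frame: bytes, snaplen: int) -> bool:
    """True when a capture truncated at snaplen keeps every header of interest."""
    return snaplen >= min_snaplen(frame)


def build_frame(tcp_options: bytes = b"", payload: bytes = b"") -> bytes:
    """Constructed sample frame: Ethernet + IPv4 (no options) + TCP SYN with
    the given options (length must be a multiple of 4) and payload."""
    eth = bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    tcp_hdr_len = 20 + len(tcp_options)
    total_len = 20 + tcp_hdr_len + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64,
                     IPPROTO_TCP, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0,
                      (tcp_hdr_len // 4) << 4, 0x02, 65535, 0, 0)
    return eth + ip + tcp + tcp_options + payload


# MSS, SACK-permitted and timestamp options: 16 bytes, a typical SYN.
SYN_OPTIONS = bytes.fromhex("020405b4" "0402" "080a" "00000001" "00000000")
```

With no options the frame needs 54 bytes, so a snap length of 64 is enough; with the 16 bytes of SYN options it needs 70, and the TCP header is cut short.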
So right next to that is Buffer: 2. Now that just means 2 megabytes of kernel buffer for our capture process. In most cases I find that's fine. You don't have to adjust this number unless you're in a very, very high throughput environment. And we also want to make sure that we always have enable promiscuous mode on all interfaces, because what this does is it allows Wireshark to capture traffic not just to and from itself, but also other machines that are unicasting traffic between each other.
Okay, so how about our output now? I'd like to briefly take a look at that for you. Let's go to output.
So what this allows me to do is configure the place that I want Wireshark to save to, and also allows me to configure some other settings that can make Wireshark traffic easier to read. Now for me personally, when I'm doing my analysis, I don't like doing analysis on trace files, anything larger than about 500 megabytes. If a trace file or a pcap is larger than that, it takes a long time to open. I've got to set some pre filters on it to really get it to open well.
So what I like to do is I like to keep those as small as possible. So what I'm going to do is show you how you can do a longer term capture with Wireshark instead of creating a very, very large pcap that runs over a long period of time. Instead, let's capture many smaller pcaps.
And then when a problem strikes, we just go back in time to the one that was capturing when that problem occurred. So let's go ahead and configure this. So first I am going to set a location where I want to save this data to. So I'm going to go ahead and say browse and I'm just going to put this for now under Chris data.
There we go. And I'm going to save this as test.pcap. Okay, pcapng.
There we go. I'm going to say save. All right, so then now I have my location that I want to actually save and the name.
And next I'm going to come down, I'm just going to leave this output format pcapng. But now what I want to do is create a new file automatically. So what this does is allows me to set either an amount of time do I want to capture, or is there a number of packets I want to capture. In this case, what I'm going to do is create a new file automatically after, and I'm going to put 500 kilobytes, megabytes, gigabytes.
Let's do megabytes. And so that will now create a new packet capture after 500 megabytes.
Now, if I just hit start at this point, what's going to happen is every 500 megabytes, it's going to add a new packet capture and it's going to be named test and it's going to have a time date stamp just after it. Now that will continue basically until my hard drive fills. So if I would prefer not to fill my entire hard drive with PCAPs, what I can do is I can use a ring buffer.
And I can create a certain number of files that will give me whatever amount of time I hope to achieve. So let's say, for example, if I punch in 10 here, what's going to happen is I'll have 10 500 megabyte files. So after the 10th file, what's going to happen is it's going to go back and overwrite the first one, then the second one, then the third one, and so on. But I'll only ever have that rolling amount of data.
I'll only have 10 files of 500 megs each. Now in a low throughput environment, that could get me a whole day's worth of capture. But if I'm on a data center in front of a really important database, this could just be a few minutes.
So these are the numbers that you can tune. Do you want to have more data in each trace file and maybe use more ring buffer? So for example, 100 files that we overwrite, you can start to do the math and figure out how much of your hard drive do you want to take up and how large do you want those packet captures to be?
So once we have this set, now I don't have the start capture button highlighted because I never selected an interface. So I'm going to go back to input and I'm just going to select Wi-Fi. And then once I hit start, now Wireshark is going to do that ring buffer off of the Wi-Fi interface and then I can go to that location that I'm saving those trace files to.
After the fact, after an issue happens, now I have the data there and I can do some post capture analysis. So that's a trick that I use quite a bit when I'm trying to capture a problem, especially one that's intermittent, that I don't know exactly when it's going to strike. So that was our lesson for today. How to actually do packet capture with Wireshark within the graphical user interface.
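As an added example (not part of the course), the two pieces of arithmetic this lesson hands you: how long a ring of N files of a given size lasts at a sustained link rate, and which ring-buffer file was being written when an incident happened. It assumes Wireshark's multi-file naming of base_seq_YYYYMMDDHHMMSS.pcapng and decimal megabytes; the file names and incident time are constructed.

```python
import re
from datetime import datetime, timedelta

# Assumed naming of Wireshark multi-file captures: <base>_<5-digit seq>_<YYYYMMDDHHMMSS>.pcapng
NAME_RE = re.compile(r"^(?P<base>.+)_(?P<seq>\d{5})_(?P<ts>\d{14})\.pcapng$")


def ring_retention(file_mb: int, files: int, throughput_mbps: float) -> timedelta:
    """How far back the ring reaches before the oldest file is overwritten,
    assuming the link runs flat out at throughput_mbps (decimal megabytes)."""
    total_bits = file_mb * files * 1_000_000 * 8
    return timedelta(seconds=total_bits / (throughput_mbps * 1_000_000))


def file_for_incident(names, incident: datetime):
    """Return the ring-buffer file that was open when the incident occurred:
    the latest file whose start timestamp is not after the incident.
    Files that do not match the naming pattern are ignored; None when the
    ring has already rolled past the incident time."""
    starts = []
    for name in names:
        m = NAME_RE.match(name)
        if m:
            starts.append((datetime.strptime(m["ts"], "%Y%m%d%H%M%S"), name))
    candidates = [(t, n) for t, n in sorted(starts) if t <= incident]
    return candidates[-1][1] if candidates else None


# Constructed listing of the save directory after a few rollovers.
SAMPLE_FILES = [
    "test_00001_20240305090000.pcapng",
    "test_00002_20240305091500.pcapng",
    "test_00003_20240305093000.pcapng",
    "notes.txt",
]

if __name__ == "__main__":
    print(ring_retention(500, 10, 10.0))      # 10 x 500 MB at 10 Mbit/s
    print(ring_retention(500, 10, 1000.0))    # same ring at 1 Gbit/s
    print(file_for_incident(SAMPLE_FILES, datetime(2024, 3, 5, 9, 20)))
```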
Now on our next lesson, we're going to talk about how we can do packet capture from the command line. So stay tuned for lesson three. Thanks for stopping by and I'll see you on another lesson in the Wireshark Masterclass.
Thanks a lot guys. Thank