
How I use Wireshark - ingve
https://jvns.ca/blog/2018/06/19/what-i-use-wireshark-for/
======
lambda
One really useful tip for Wireshark that's not as obvious as it should be.

Increasingly often, what you need to debug is a TLS connection. However, that
can make debugging more difficult as the contents of the connection are
encrypted.

However, if you can access the server key, whether you have access to the
production server, or are working in a development environment, or you MITM
yourself with mitmproxy, or you're working on some product that ships the same
default server keys with every install, you can load the key into Wireshark
and then decrypt all of the TLS traffic.

To do so, go to Preferences > Protocols > SSL, and click "Edit" next to "RSA
keys list". Then you can load private keys in, and associate them with a host
and port, and when you have a TLS connection on that host and port, Wireshark
will decrypt the traffic and you can see the inner protocol.

[https://wiki.wireshark.org/SSL](https://wiki.wireshark.org/SSL)

Note that this doesn't work if you use a cipher suite with forward secrecy,
though it looks like there is support for that as well if you enable logging
of ephemeral keys in your client or server
([https://security.stackexchange.com/questions/35639/decryptin...](https://security.stackexchange.com/questions/35639/decrypting-tls-in-wireshark-when-using-dhe-rsa-ciphersuites/42350#42350))
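To make the key-log route concrete, here is an added example (my own code, not from the thread or from the Wireshark project) that parses the NSS-format key log file Wireshark reads from the "(Pre)-Master-Secret log filename" preference under Protocols > SSL/TLS (the same file browsers and curl write when the SSLKEYLOGFILE environment variable is set), pulls the 32-byte random out of each ClientHello record, and reports the sessions for which the log has no entry, which is exactly the case in which Wireshark leaves a forward-secrecy session undecrypted. The ClientHello bytes and the log lines are constructed inline so it runs offline; `parse_keylog`, `client_random_from_record`, `build_client_hello` and `uncovered_sessions` are this example's own names, not Wireshark APIs.

```python
"""Check whether an NSS-format TLS key log covers the ClientHellos in a capture.

Added example, not code from the thread or from Wireshark. Wireshark matches the
client_random column of each key log line against the random field of the
ClientHello it saw on the wire; a session whose random is absent from the log
stays encrypted, which is the usual reason "I loaded the key log but nothing
decrypted". Sample data below is constructed, not captured.
"""
from typing import Dict, List, Optional, Set

# Labels Wireshark understands in the key log (TLS 1.2 master secrets and TLS 1.3 traffic secrets).
KEYLOG_LABELS = {
    "CLIENT_RANDOM",
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
}


def parse_keylog(text: str) -> Dict[str, Set[str]]:
    """Map each client_random (lower-case hex) to the set of labels logged for it.

    Blank lines and '#' comments are skipped and malformed lines are ignored
    rather than aborting, since a partially written log is still useful."""
    entries: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] not in KEYLOG_LABELS:
            continue
        label, client_random, secret = parts
        if len(client_random) != 64:  # 32 bytes of hex
            continue
        try:
            bytes.fromhex(client_random)
            bytes.fromhex(secret)
        except ValueError:
            continue
        entries.setdefault(client_random.lower(), set()).add(label)
    return entries


def client_random_from_record(record: bytes) -> Optional[str]:
    """Extract the 32-byte random (as hex) from a TLS record carrying a ClientHello.

    Layout: record header type(1) version(2) length(2); handshake header type(1)
    length(3); ClientHello body legacy_version(2) random(32) ... Returns None for
    anything that is not a handshake record holding a ClientHello."""
    if len(record) < 5 + 4 + 2 + 32:
        return None
    record_len = int.from_bytes(record[3:5], "big")
    if record[0] != 0x16 or len(record) < 5 + record_len:
        return None
    hs_len = int.from_bytes(record[6:9], "big")
    if record[5] != 0x01 or hs_len + 4 > record_len:
        return None
    body = record[9:9 + hs_len]
    return body[2:34].hex()


def build_client_hello(random32: bytes) -> bytes:
    """Constructed minimal ClientHello record (one cipher suite, no extensions) for the demo."""
    assert len(random32) == 32
    body = (b"\x03\x03" + random32
            + b"\x00"                 # session_id length 0
            + b"\x00\x02\x13\x01"     # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"             # one compression method: null
            + b"\x00\x00")            # extensions length 0
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def uncovered_sessions(keylog: Dict[str, Set[str]], records: List[bytes]) -> List[str]:
    """Client randoms of ClientHellos that have no key log entry (these will not decrypt)."""
    missing = []
    for rec in records:
        r = client_random_from_record(rec)
        if r is not None and r not in keylog:
            missing.append(r)
    return missing


# Constructed sample: one logged session, one unlogged session, one application-data record.
LOGGED_RANDOM = bytes(range(32))
UNLOGGED_RANDOM = bytes(range(32, 64))
SAMPLE_KEYLOG = (
    "# constructed sample; a real file is written by the client via SSLKEYLOGFILE\n"
    f"CLIENT_RANDOM {LOGGED_RANDOM.hex()} {bytes(48).hex()}\n"
    "this line is malformed and must be ignored\n"
)
SAMPLE_RECORDS = [
    build_client_hello(LOGGED_RANDOM),
    build_client_hello(UNLOGGED_RANDOM),
    b"\x17\x03\x03\x00\x05hello",  # application data, carries no random
]


def demo() -> List[str]:
    return uncovered_sessions(parse_keylog(SAMPLE_KEYLOG), SAMPLE_RECORDS)


if __name__ == "__main__":
    for r in demo():
        print("no key log entry for client_random", r)
```

On a real capture the records would come from the TCP payloads that tshark or a pcap parser hands you; the check is the same. Point Wireshark at the same file through the preference above (or, for tshark, `-o tls.keylog_file:/path/to/keylog` on 3.x releases), and every session whose random appears in the log is shown decrypted.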

~~~
xorcist
If you get a mitmproxy working, you probably won't need the Wireshark bits.
Getting ephemeral keys out can be tricky and might not even be worth the
trouble.

Sometimes I find it convenient to redirect traffic with iptables. That way, if
I can classify which traffic interests me, only that traffic will pass through
the proxy for inspection. A warning though, SSL specific problems tend to go
away when being looked at that way :).

A third method I know people use is LD_PRELOADing a hook in the application to
dump keys (search for sslkeylog.c for an example) but that's far too exciting
for me to try in production. Between these three methods I tend to reach for
the proxy first.

~~~
kingosticks
There's also a fun example of the third method at [1] which is used to decrypt
and dump traffic from the official Spotify app for inspection in wireshark.
This is used to reverse engineer their protocol and reimplement it in
librespot (and various ports of that).

[1] [https://github.com/librespot-org/spotify-analyze/blob/master...](https://github.com/librespot-org/spotify-analyze/blob/master/dump/dump.c)

------
taneq
I've used it for a few things:

* To analyze the bluetooth protocol for a smartwatch so I could reverse-engineer a phone app to talk to it

* To intercept a temperature logger's TCP comms and figure out how it talked to the vendor's (crap) server software so I could write a better server for it

* To track down a weird problem where ffmpeg won't stream from my home CCTV system (it turns out it sends a duplicate PLAY command, still haven't figured out why yet...)

* To snoop for IP addresses on my local network in order to find lost devices (eg. when someone else set a device to a static IP address which has since been lost).

It's basically a fantastic Swiss Army knife for any question that starts with
"what" and ends with "on the network".

~~~
_pmf_
Also: USB with USBPCap.

My personal pain point is lack of localhost tracing under Windows.

~~~
mapl
Try npcap [https://nmap.org/npcap/](https://nmap.org/npcap/)

Loopback Packet Capture: Npcap is able to sniff loopback packets
(transmissions between services on the same machine) by using the Windows
Filtering Platform (WFP). After installation, Npcap will create an adapter
named Npcap Loopback Adapter for you. If you are a Wireshark user, choose this
adapter to capture, you will see all loopback traffic the same way as other
non-loopback adapters

~~~
_pmf_
Thanks; will try.

------
rosstex
Going to shamelessly post a Wireshark tutorial I made when I TA'd the
networking class at Berkeley. I think it's a pretty good intro to the tool,
and feel free to suggest others too.

[https://www.youtube.com/watch?v=jvuiI1Leg6w](https://www.youtube.com/watch?v=jvuiI1Leg6w)

~~~
rickyspanish
Great tutorial. More importantly though, how did you get that desktop
wallpaper?

~~~
rosstex
Ha, my favorite question. The video is from
[https://www.youtube.com/watch?v=skI8e5BCozE](https://www.youtube.com/watch?v=skI8e5BCozE).

You can use Dreamscene for Windows 7/8. On Windows 10, I used VideoPaper, a
free tool from
[https://www.reddit.com/r/VideoPaper/](https://www.reddit.com/r/VideoPaper/).
It hasn't been updated in a while, so it might not work anymore. Apparently,
you can also use VLC to set a video as your desktop background.

------
fulafel
My favourite Wireshark link: [https://danlebrero.com/2017/04/06/documenting-your-architect...](https://danlebrero.com/2017/04/06/documenting-your-architecture-wireshark-plantuml-and-a-repl/)

Generating a sequence diagram of a running system w a bit of Clojure code and
PlantUML mixed in.

~~~
chii
that is actually a really freaking cool use case! _bookmarked_ for future
reference.

------
kop316
Is there a reason that the website is recommending you install a third
party repository in Debian for Wireshark? It is a native package:

[https://packages.debian.org/search?searchon=names&keywords=w...](https://packages.debian.org/search?searchon=names&keywords=wireshark)

EDIT: It appears that the website has changed, but still comments about
installing from the PPA for newer packages. PPAs tend to be for Ubuntu only,
and are not meant for other Debian-based distros.

~~~
rhodysurf
Maybe to get the latest up to date version? I know Debian can lag behind
having the latest packages

~~~
lucb1e
If you want up to date software, you should just run Debian testing (or some
other distribution/OS). In Debian, testing lags a few days behind unstable to
make sure that things aren't breaking and then pushes the update.

~~~
IncRnd
> _If you want up to date software, you should just run Debian testing (or
> some other distribution /OS)._

Telling people to run a new OS in order to get an updated version of Wireshark
is crazy.

If people only want a single updated package, then it is perfectly fine to
include the updated PPA.

~~~
kop316
PPAs tend to be for Ubuntu only, and are not meant for other Debian-based
distros. Ubuntu and other distros will be pegged to other libraries, and
mixing libraries on an OS is not a good idea.

If you really want the updated package, I would recommend compiling from
source.

EDIT: I should point out that you have a valid point that if you want to run up to
date software, Debian is probably not the distro you want to use. Ubuntu is a
Debian based distro that tends to have more up to date software. However, I
like using Debian as I rarely need the most up to date software, and I have
never had an update go bad on Debian.

~~~
IncRnd
Good points. Thank you.

I totally get that a FrankenDebian type of system can result from mixing
packages from outside of Debian with a base Debian system.

What I really wanted to convey was that saying someone should run Debian
unstable or some other OS in order to update a single package is not
reasonable - that it is far more reasonable for a person to take point updates
using a PPA in such a case.

~~~
kop316
I agree with that point. Debian has a repository known as backports
([https://backports.debian.org/](https://backports.debian.org/)). But they
note that it is not as well tested as the stable repository, and it is on an
as-is basis, so not all packages are in there.

However, Debian Stable is not the distro you want to run if you want the
latest packages. I think Ubuntu and Arch are two distros that do that more? I
have not looked around for new distros in several years, Debian is my OS of
choice.

~~~
IncRnd
I've used debian and arch (on different machines of course) for years. I like
that debian never breaks. On the other hand, I like the rolling release model
of arch. :)

~~~
kop316
I get that! I used to do the Debian testing "rolling" release and really liked
it. Sometime I will try Arch.

------
mobilemidget
I use this to run Wireshark on local desktop with live traffic from remote
server

e.g. excludes port 22/53

ssh root@host tcpdump -U -s0 'not port 22 and not port 53' -w - | wireshark -k -i -
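What flows through that pipe is the libpcap file format, which tcpdump writes to stdout with `-w -` and Wireshark reads from stdin with `-k -i -`. The added example below is my own code, not mobilemidget's command or part of tcpdump or Wireshark: it builds a few constructed Ethernet/IPv4 frames, serialises them as pcap, applies the same `not port 22 and not port 53` rule in Python and parses the result back. Excluding port 22 matters because the ssh session that carries the capture would otherwise appear in it and produce more packets with every packet it transports. `build_frame`, `write_filtered_pcap`, `ports_of` and `read_pcap` are this example's own names.

```python
"""Build a minimal pcap stream and apply a port filter like the piped remote capture.

Added example, not code from the thread, tcpdump or Wireshark. The pcap format is
a 24-byte global header followed by a 16-byte header per packet; Wireshark reads
exactly this from stdin when started with `-k -i -`. All frames are constructed.
"""
import socket
import struct
from typing import Iterable, List, Tuple

LINKTYPE_ETHERNET = 1
PROTO_TCP, PROTO_UDP = 6, 17


def pcap_global_header(snaplen: int = 65535) -> bytes:
    """24-byte libpcap header: magic, version 2.4, tz offset, accuracy, snaplen, link type."""
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)


def pcap_record(ts_sec: int, ts_usec: int, frame: bytes) -> bytes:
    """16-byte per-packet header (seconds, microseconds, captured len, wire len) + frame."""
    return struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the IPv4 header (returns 0 for a valid header)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_ip: str, dst_ip: str, proto: int, sport: int, dport: int) -> bytes:
    """Constructed Ethernet/IPv4/{TCP,UDP} frame with no payload (demo data, not a real capture)."""
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002") + b"\x08\x00"
    if proto == PROTO_TCP:
        # ports, seq, ack, data offset 5 words, flags ACK, window, checksum 0, urgent pointer
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x10, 65535, 0, 0)
    elif proto == PROTO_UDP:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)  # length 8, checksum 0 (optional on IPv4)
    else:
        raise ValueError("only TCP and UDP are built here")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return eth + ip + l4


def ports_of(frame: bytes) -> Tuple[int, int]:
    """Return (sport, dport) for an IPv4 TCP/UDP frame, or (-1, -1) for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return (-1, -1)
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    l4 = 14 + ihl
    if proto not in (PROTO_TCP, PROTO_UDP) or len(frame) < l4 + 4:
        return (-1, -1)
    return struct.unpack("!HH", frame[l4:l4 + 4])


def write_filtered_pcap(frames: Iterable[Tuple[int, int, bytes]],
                        excluded_ports: Iterable[int]) -> bytes:
    """Serialise the frames that touch none of excluded_ports, i.e. the effect of
    'not port 22 and not port 53': a packet is dropped if either port matches."""
    excluded = set(excluded_ports)
    out = bytearray(pcap_global_header())
    for ts_sec, ts_usec, frame in frames:
        sport, dport = ports_of(frame)
        if sport in excluded or dport in excluded:
            continue
        out += pcap_record(ts_sec, ts_usec, frame)
    return bytes(out)


def read_pcap(data: bytes) -> List[bytes]:
    """Parse a little-endian pcap blob back into frames, as Wireshark does on stdin."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic != 0xA1B2C3D4:
        raise ValueError("unexpected pcap magic %#x" % magic)
    frames, off = [], 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack("<IIII", data[off:off + 16])
        frames.append(data[off + 16:off + 16 + incl_len])
        off += 16 + incl_len
    return frames


# Constructed sample traffic: one ssh segment, one DNS query, one HTTPS segment.
SAMPLE_FRAMES = [
    (1529000000, 0, build_frame("10.0.0.5", "10.0.0.9", PROTO_TCP, 22, 51000)),
    (1529000000, 500, build_frame("10.0.0.9", "10.0.0.53", PROTO_UDP, 40000, 53)),
    (1529000001, 0, build_frame("10.0.0.9", "203.0.113.7", PROTO_TCP, 52000, 443)),
]


def demo() -> List[Tuple[int, int]]:
    """Ports of the frames that survive the 'not port 22 and not port 53' filter."""
    pcap = write_filtered_pcap(SAMPLE_FRAMES, excluded_ports=(22, 53))
    return [ports_of(f) for f in read_pcap(pcap)]


if __name__ == "__main__":
    import sys
    # Pipe this into `wireshark -k -i -` to see the surviving HTTPS frame.
    sys.stdout.buffer.write(write_filtered_pcap(SAMPLE_FRAMES, (22, 53)))
```

The script writes the filtered stream to stdout so it can be piped into Wireshark the same way the ssh/tcpdump command is; the filter is deliberately applied on the packet-producing side, which is what makes the pipe usable at all on a busy host.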

~~~
Kurtz79
The first time I used this command to monitor traffic remotely on a headless
device it felt like magic. Incredibly useful.

You can achieve the same under Windows using putty/plink:

plink.exe -ssh -pw password root@host "tcpdump -ni eth0 -s 0 -w - not port 22" | "C:\Program Files\Wireshark\Wireshark.exe" -k -i -

Of course you need to have tcpdump as a command line executable in the host.

------
CloudNetworking
Wireshark is my favourite "I told you so" tool. You can't imagine how useful
it is for network troubleshooting.

Heck, it's been many times that I've told a customer "you've got this device
running this OS in your network doing DPI/ALG/etc and it's probably sitting
_points at the network diagram_ exactly here, which you conveniently forgot to
add to the diagram" just by looking at a network trace with Wireshark.

~~~
krylon
> You can't imagine how useful it is for network troubleshooting.

I think anyone who has ever had to troubleshoot networking issues can attest
to that. I certainly can. ;-)

------
alexpotato
Every time someone posts about wireshark, I think it's good to post about
tcpflow.

What is it? In short, it shows you the TCP packets as opposed to the raw IP
packets. If you are doing protocol analysis or debugging, it's AMAZING!

[https://linux.die.net/man/1/tcpflow](https://linux.die.net/man/1/tcpflow)

------
bitcharmer
Thought someone might find it useful... There is a command line equivalent
called tshark. It's great for simple packet processing.

I used it a lot to generate csv files with relevant packet data.

------
teekert
Wireshark is worth a couple of hours of play. It was quite a revelation to use
it on a non https connection and watch myself transmit my password letter for
letter in clear text :) Yes one can imagine how that is, but still, doing it
is different.

~~~
FabHK
Or, similarly, I set up an HTTPS proxy on my Mac, and set Wireshark to listen.
Then, had someone else log in to a different account (say, the guest account)
on the machine, and asked them to log into gmail, say, as usually via HTTPS
(with a fake user/pass). A warning does pop up about "insecure connection",
but most people just dismiss it and go ahead and log in - and wireshark
intercepts username and password.

Classic MiTM, well known, but still freaky to observe how easy it is to set
up.

~~~
endless1234
This wouldn't really be possible with a modern browser, luckily, since they
don't let users bypass the warning for sites with HSTS.

~~~
lucb1e
Yeah for Gmail or some other big website. The real targets are usually the
smaller corporate sites which are not in the preload list, but you wouldn't
use those to demo with...

~~~
endless1234
Well as long as the site has HSTS and the user had visited it at least once
before the MiTM attempt.. But yeah a gazillion corporate sites won't have HSTS
configured

~~~
e12e
In this case, the user runs the browser from a guest account - that the
"attacker" controls. It would be prudent to start with a clean profile - so no
"earlier" visits.

------
ouchjars
Wireshark can open streamable multimedia files too. I've used it in contexts
completely outside networking to inspect a podcast file that played weirdly
and an ancient MP3 mix that turned out to be two files with different sample
rates concatenated together so media players didn't seek properly in it.

~~~
stuxnet79
Wow! Can you elaborate more on the latter? How were you able to figure that
out with Wireshark?

------
dandigangi
My greatest use thus far with Wireshark was proving that some HTTP requests
one of our applications was making actually left the machine and went
through our network.

Our Node Proxy was not cooperating and it helped us track down the issues.
Nice tool to have in your belt.

Thanks for sharing.

~~~
paulie_a
Wireshark is great, I used it a while back to diagnose why a rogue DHCP server
was routing DNS through Germany.

------
asafira
I have happily used Wireshark during my physics PhD to deal with poor vendor
software for various equipment. Example: while Montana Instruments
([https://www.montanainstruments.com/](https://www.montanainstruments.com/))
now has a python library for interacting with their cryostats (refrigerators),
they didn't always have one, and I just couldn't get their dll's to work.
Instead, I sniffed the packets that were being sent back and forth between
their provided GUI software and the cryostat, and got things working fairly
easily in python thereafter.

Good times.

------
toomanybeersies
I love Wireshark. It's a very useful tool for anything network related.
Sometimes I like to boot it up and just look at arp requests being bounced
around the network, it's hard to resist the temptation to boot up Metasploit
and engage in some script kiddy fun while I'm doing it.

The one problem I have is that usually when I discover I need to use
Wireshark, I'm not able to download it as I don't have an internet connection.

~~~
TeMPOraL
> _The one problem I have is that usually when I discover I need to use
> Wireshark, I'm not able to download it as I don't have an internet
> connection._

Solution: carry a fresh version for all platforms on a pendrive, in your
wallet.

------
simonebrunozzi
Slightly off-topic: I personally know the co-creator of Wireshark, Loris
Degioanni
([https://thenewstack.io/author/lorisdegioanni/](https://thenewstack.io/author/lorisdegioanni/)),
a super-brilliant engineer from Italy. I am wondering why the Wikipedia
article doesn't mention him. (I know his co-authorship is true).

------
kaiken1987
Wireshark is fantastic. It's also great for listening in on USB connections. The
only issue I have with it is I have to use a secondary program to capture the
loopback. But rawcap is small, lightweight and easy, so it's not a huge issue.

~~~
woodrowbarlow
if i recall correctly, this is a windows-only limitation. i've had no problems
capturing loopback on linux. on windows, you can install npcap rather than
winpcap to allow capturing on the loopback with wireshark.

------
singularity2001
Used it after I had ssh connections from/to China.

Checked to see if system cleanup and hardened firewall kicked them out. After
some days with zero traffic (minus broadcast etc) declared red alert over.

------
zwieback
Great for wireless debug as well. We had an issue in the early days of WPA and
Wireshark was one of the first open apps to support sniffing and decrypting
WPA traffic. We also used Omnipeek, which had a better GUI and better
promiscuous and monitor support but Wireshark caught up and now it's my go-to
tool.

Filter syntax is a headache, though, if I remember correctly it's totally
different for capture and display. I have to go to the manual every time I use
wireshark.

------
cmurf
Bluetooth? Is Wireshark useful for troubleshooting dropped connections
between mouse and host controller? So far hcidump and bluetoothd debugging
aren't revealing why I keep getting dropped connections, but only on Linux. I
don't have the same problem with Windows 10 and the same hardware setup. But
off hand it seems like Wireshark would produce a ton of really verbose data.

------
jimpudar
Hansang Bae, the CTO of Riverbed (Wireshark's corporate sponsor) has a series
of videos about using Wireshark. There are some great practical packet
analysis tips in these.

[https://www.youtube.com/watch?v=U0QABcTD-xc&list=PLnKJHZhW_B...](https://www.youtube.com/watch?v=U0QABcTD-xc&list=PLnKJHZhW_BuCPcIg6Ja2boDeHIRwoHMT-)

------
partycoder
To follow a specific TCP connection I'd rather do this: 1. select a message from a
connection, 2. Follow -> TCP Stream.

Another thing that helps is to just write a display filter expression, like
'tcp.port eq 443 and ip.dst==1.2.3.4'

[https://wiki.wireshark.org/DisplayFilters](https://wiki.wireshark.org/DisplayFilters)

------
syntaxing
I never understood how to intercept another device's TCP packets. Do you
connect some sort of device in between the device and the network as a node, or
is the only requirement to be connected to the same hub? Does anyone have
reading material on how to do this?

~~~
johngalt
Either you run wireshark directly on the endpoint, or you setup some means of
tapping into the traffic.

The most common method is to use a managed switch to setup a mirror port.
Basically you tell the switch to copy all traffic and send it out on an extra
port and then capture traffic while connected to that port.

------
Grazester
I was a network engineer for a University so.

- Used it to discover Cisco switch port numbers and switch names for ports

- Find rogue routers on the network that people set up in their dorm rooms, which would hand out their own IP addresses (DHCP) on our network

------
kasey_junk
Worth adding that Wireshark has a plugin system for adding protocols.

The fix/fast protocol plugin is something I'd have been in a lot of trouble
without in my past.

~~~
berti
And you can write dissectors in Lua. Super handy for quick/dirty jobs.

------
chmaynard
The UI in the Mac version has a Windows look and feel, which seems odd. I'm
interested in why the developers chose this approach.

~~~
_pmf_
I think they just use the default GTK theme.

~~~
kevinherron
It's Qt now unless you're on a pretty old version.

~~~
_pmf_
You're right. I assumed the new look was a Gtk 2 to 3 switch, but it's been
Gtk to Qt.

------
gsich
Important filter: !(tcp.len==0)

------
krylon
That blog is a treasure trove! Her writing style is great, very accessible,
even if you are a newbie to the subject, and her enthusiasm is infectious!

