Dissecting network traffic
wireshark, libpcap, packets, packet sniffer
Building a network flight recorder with Wireshark.
Wireshark [1], the packet sniffer formerly known as Ethereal, is a must-have for system administrators. If you've ever had to troubleshoot a network problem or needed to watch a transaction with a server, then this is the tool for you. Like most (all?) network data capture programs for Linux, Wireshark relies on libpcap, which provides a system-independent interface for capturing packets; therefore, you do not need to write custom routines for every packet sniffer (tcpdump, Snort, Wireshark, etc.). As long as your OS (e.g., Linux, *BSD, HP-UX, Solaris, Windows, etc.) and software support libpcap, you can sniff packets to your heart's content.
Installing libpcap and Wireshark
Libpcap comes with most operating systems, and Wireshark is almost always included (at least on Linux and BSD). Wireshark is sometimes split into two separate packages: one consisting of the back-end utilities like tshark and mergecap, and the other consisting of the graphical user interface (GUI). On Fedora and most related systems, you can simply run yum:
yum install libpcap yum install wireshark-gnome
Debian is just as easy:
apt-get install libpcap0 apt-get install wireshark
One problem with using a vendor-supplied version of Wireshark is that most vendors ship really old versions of Wireshark (e.g., Fedora 11 ships v1.1.3). However, the 1.2 series (and v1.3.0, which might be out by the time this article prints) has a lot of new features, such as protocol support, bug fixes, and GeoIP integration (more on this later). To build Wireshark from source, you'll need to download it, so you can either pull the latest stable version [2], or, if you're feeling brave, you can get one of the latest automated builds from SVN [3]. Once you have unpacked it, the installation is pretty simple:
./configure make make install
To compile Wireshark, you will need to address some dependencies. At a minimum, you'll want libpcap; I also suggest installing GnuTLS, PCRE (Perl-Compatible Regular Expressions), and GeoIP if you want to use any of the advanced features.
Running Wireshark
Unfortunately, to run Wireshark and capture live data, you need to run it as root. Wireshark has had security problems in the past (more on this later) that allow remote attackers to execute code by sending malicious data, which Wireshark processes. Two ways to avoid running Wireshark as root are relatively simple. The first is to use a packet capture program, such as dumpcap or tcpdump, and then later examine the capture files while running Wireshark as a regular user.
The second method is to run Wireshark as root, but within a contained environment. While running Wireshark within a VMware server-based virtual machine, I originally assumed that Wireshark would only see network data to and from that specific virtual machine. Why I thought this isn't clear (just being hopeful, I guess). In fact, because libpcap accesses the kernel and thus the network card at a low enough level, it will see all network traffic to and from that physical interface. Thus, you can run Wireshark in a VM and easily sniff network traffic. The downside of this is that any rogue user with root access to a VM (at least under VMware Server) can see all the network traffic to the underlying physical machine and any guest VM using that interface.
Libpcap Capture Filters
Capturing network traffic on anything but the most quiet of networks is a lot like drinking from a fire hose. The good news is that almost all programs that use libpcap to capture data also accept filter libpcap filter commands (and sometimes, like Wireshark, support their own filters as well). The bad news is that libpcap's filter set is relatively limited, primarily supporting network addresses and ports (because it is protocol aware). At a minimum, you can use it to minimize the amount of data you're writing to the hard drive or forcing Wireshark to process. For example, to capture web traffic in libpcap, you could use the following syntax:
dst port 80 or 443
The tcpdump man page covers libpcap filter syntax in depth.
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Thousands of Linux Servers Infected with Stealth Malware Since 2021
Perfctl is capable of remaining undetected, which makes it dangerous and hard to mitigate.
-
Halcyon Creates Anti-Ransomware Protection for Linux
As more Linux systems are targeted by ransomware, Halcyon is stepping up its protection.
-
Valve and Arch Linux Announce Collaboration
Valve and Arch have come together for two projects that will have a serious impact on the Linux distribution.
-
Hacker Successfully Runs Linux on a CPU from the Early ‘70s
From the office of "Look what I can do," Dmitry Grinberg was able to get Linux running on a processor that was created in 1971.
-
OSI and LPI Form Strategic Alliance
With a goal of strengthening Linux and open source communities, this new alliance aims to nurture the growth of more highly skilled professionals.
-
Fedora 41 Beta Available with Some Interesting Additions
If you're a Fedora fan, you'll be excited to hear the beta version of the latest release is now available for testing and includes plenty of updates.
-
AlmaLinux Unveils New Hardware Certification Process
The AlmaLinux Hardware Certification Program run by the Certification Special Interest Group (SIG) aims to ensure seamless compatibility between AlmaLinux and a wide range of hardware configurations.
-
Wind River Introduces eLxr Pro Linux Solution
eLxr Pro offers an end-to-end Linux solution backed by expert commercial support.
-
Juno Tab 3 Launches with Ubuntu 24.04
Anyone looking for a full-blown Linux tablet need look no further. Juno has released the Tab 3.
-
New KDE Slimbook Plasma Available for Preorder
Powered by an AMD Ryzen CPU, the latest KDE Slimbook laptop is powerful enough for local AI tasks.