In this scenario, I investigated network traffic to a website using a network packet capture file that contains traffic data related to a user connecting to an internet site. I demonstrated how to apply filters to select and inspect packets based on specific criteria, inspect UDP DNS traffic to examine protocol data, and apply filters to TCP packet data to search for specific payload text data.
ip.addr == 142.250.1.139
The list of packets displayed was significantly reduced and contains only packets where either the source or the destination IP address matches the address I entered. Only two packet colours were used: light pink for ICMP protocol packets and light green for TCP packets (including HTTP, which is carried over TCP).
I double-clicked the first packet that lists TCP as the protocol to open the packet details pane window.
The upper section of this window contains subtrees where Wireshark will show an analysis of the various parts of the network packet. The lower section of the window contains the raw packet data displayed in hexadecimal and ASCII text.
The first subtree in the upper section, which starts with the word Frame, shows details about the overall network packet, or frame, including the frame length and the arrival time of the packet.
The Ethernet II subtree contains details about the packet at the Ethernet level, including the source and destination MAC addresses and the type of protocol carried inside the Ethernet frame.
The Internet Protocol Version 4 subtree provides packet data about the Internet Protocol (IP) data contained in the Ethernet frame. It contains information such as the source and destination IP addresses and the protocol carried inside the IP packet (for example, TCP or UDP).
The Transmission Control Protocol subtree provides detailed information about the TCP packet, including the source and destination TCP ports, the TCP sequence numbers, and the TCP flags.
ip.src == 142.250.1.139
ip.dst == 142.250.1.139
eth.addr == 42:01:ac:15:e0:02
udp.port == 53
DNS traffic uses UDP port 53, so this will list traffic related to DNS queries and responses only.
Let's explore the first packet in the list by opening the detailed packet window. The Domain Name System (query) subtree contains information about the queries. The name of the website that was queried is opensource.google.com.
Let's explore the fourth packet in the list by opening the detailed packet window. I scrolled down and double-clicked the Domain Name System (query) subtree to expand it. Then, I scrolled down and double-clicked Answers, which is in the Domain Name System (query) subtree. The Answers data included the name that was queried (opensource.google.com) and the IP addresses that were associated with that name.
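As an added example (not part of this lab or of Wireshark itself), the following Python script builds a constructed DNS response for the queried name and then parses it the way the Domain Name System subtree presents it: the name that was queried and the IPv4 addresses returned in the Answers section. The answer addresses are constructed placeholders from the RFC 5737 documentation range, not the addresses seen in the capture.

```python
import socket
import struct

SAMPLE_NAME = "opensource.google.com"              # the name queried in the capture
SAMPLE_ADDRS = ["203.0.113.10", "203.0.113.11"]   # constructed placeholder answers, not the real ones

def build_dns_response(name, addresses, txid=0x1A2B):
    """Build a DNS response (QR=1) with one A record per address, like the lab's fourth packet."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)
    question = qname + struct.pack("!HH", 1, 1)          # QTYPE=A, QCLASS=IN
    answers = b""
    for ip in addresses:
        # Owner name is a compression pointer (0xC00C) back to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + question + answers

def read_name(pkt, off):
    """Decode a possibly compressed DNS name at OFF; return (name, offset after the name)."""
    labels, end = [], None
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                        # 2-byte pointer, 14-bit target offset
            end = end if end is not None else off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)

def parse_dns_answers(pkt):
    """Return the queried name and the IPv4 addresses in the Answers section."""
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    qname, off = read_name(pkt, 12)
    off += 4                                             # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        _owner, off = read_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:                    # A record -> dotted IPv4
            addrs.append(socket.inet_ntoa(pkt[off:off + 4]))
        off += rdlen
    return {"is_response": bool(flags & 0x8000), "query": qname, "addresses": addrs}

if __name__ == "__main__":
    print(parse_dns_answers(build_dns_response(SAMPLE_NAME, SAMPLE_ADDRS)))
```

The same parser works on the UDP payload of a real port 53 response exported from Wireshark, since it handles the name compression pointers that responses use for the answer owner names.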
The following filter selects TCP port 80 traffic.
tcp.port == 80
tcp contains "curl"
This filter selects packets whose TCP payload contains the text "curl", which in this packet capture file identifies web requests made with the curl command.
Wireshark provides a feature that can be used to filter for packets specific to a protocol and view streams. A stream or conversation is the exchange of data between devices using a protocol. Following a protocol stream is useful when trying to understand the details of a conversation.