Wireshark : Java Glossary

A free TCP/IP (Transmission Control Protocol/Internet Protocol) protocol sniffer formerly known as Ethereal. The current version is 2.6.0 Last revised/verified: 2018-04-24. It has support for hundreds of protocols that piggyback on TCP/IP, formatting the messages it captures. By default it captures all traffic going through your Ethernet card, not just TCP/IP. Its main limitation is it cannot monitor purely local traffic. It must be going to some other machine.

Even though it can do 1000 things I could never imagine doing, it cannot decode GZipped pages, something I would think should be a fundamental feature. I Googled Wireshark Gzip and discovered the Wireshark people believe that is too difficult to do and recommend a number of third party packages. Imagine me spitting out a glassful of lemonade in a spray in disbelief. Granted, Gzip cannot be decoded an isolated packet at a time, but it can a TCP/IP stream at a time.

Unfortunately, the user interface has been improved so the program is no longer even remotely intuitive to use.

Using a simple capture filter [capture ⇒ capture filters] of tcp port 80 will show you just the HTTP (Hypertext Transfer Protocol) stuff. A capture filter determine what raw data to capture. You later can apply any of a number of display filters, e.g. http.request.method == GET to further reduce the amount of material to look at. When you find what you want, right click and tell it to decode and follow the TCP/IP stream. The dialog where you specify the capture filter is artfully hidden. Click Capture ⇒ Options. Double click the interface of interest. Fill in the capture filter box.

Wireshark is an eavesdropper on the link between a program in your machine and one in a server somewhere on the net. It is not privy to the private keys used in encryption. This means it can tell you almost nothing when it snoops on SSL conversations. Other than the initial DNS (Domain Name Service) lookup, everything with https: is encrypted, including the URL (Uniform Resource Locator) you are requesting.

HTTPS (Hypertext Transfer Protocol over SSL (Secure Socket Layer))

Wireshark cannot snoop on https: conversations. Only the end user application has the decoding key. Further it does not display gzipped messages in clear text. It could; it does not need a key, but for some reason they refuse to implement it. For sniffing on https: conversations between browser an server, use the HttpFox add-in.

Tips

If you get a message The NPF driver isn’t running or if there are no connections displayed to select from, open a command prompt with run as admistrator. Type sc start npf to start the NPF service then restart Wireshark. You can also try reinstalling WinPcap.

To access the Wireshark website you need three different login ids and three different passwords, depending on which part of the website you are accessing.

To start Wireshark capturing requires you to fill in three fields:

1. Select the fourth line from the top, and click Ctrl-. Type a filter such as http.request.method == "GET". If you select a preset, engage it by clicking the blue arrow on the right. This field is separated from the rest, so it is easy to overlook.
2. Select a capture filter, e.g. tcp port http
3. Select your connections(s) with Ctrl-Click.
4. Then click the shark fin icon on the third line at the left.

Wireshark Cheat Sheet

The following cheat sheet is implemented as a dummy HTML (Hypertext Markup Language) form to allow you to adjust the values for your particular situation and the print it out on an index card. With it, you will find Wireshark easier to use. If you don’t get satisfactory printed results with print selected in your browser, try a different browser, or use FastStone capture.

If you know how to make browsers print just a form, not the whole document, please let me know.

Books

Book referral for Wireshark 101: Essential Skills for Network Analysis

	recommend book⇒Wireshark 101: Essential Skills for Network Analysis
	by	Laura Chappell	978-1-893939-72-1	paperback
	publisher	Laura Chappell University	B00BF50LD0	kindle
	published	2013-02-01
Contains step-by-step recipes to use Wireshark.
Online bookstores carrying Wireshark 101: Essential Skills for Network Analysis abe books anz abe books.ca abe books.de amazon.ca amazon.de Chapters Indigo amazon.es Chapters Indigo eBooks iberlibro.com abe books.com abe books.fr amazon.com amazon.fr Barnes & Noble abe books.it Nook at Barnes & Noble amazon.it Kobo junglee.com Google play abe books.co.uk O’Reilly Safari amazon.co.uk Powells other stores
Greyed out stores probably do not have the item in stock. Try looking for it with a bookfinder.