by

How to Install and Use Wireshark on Ubuntu 20.04 LTS

Wireshark is an open-source network protocol analyzer tool indispensable for system administration and security. It drills down and displays data travelling on the network. Wireshark allows you to either capture live network packets or to save it for offline analysis.

One of the features of Wireshark that you will love to learn is the display filter which lets you inspect only that traffic you are really interested in. Wireshark is available for various platforms including Windows, Linux, MacOS, FreeBSD, and some others.

Some of the tasks one can perform with Wireshark are

  • Capturing and finding traffic passing through your network
  • Inspection of hundreds of different protocols
  • Live capture of traffic/offline analysis
  • Troubleshooting dropped packets and latency problems
  • Looking at attempts of attacks or malicious activities

In this article, we will explain how to install Wireshark on the Ubuntu system. The installation procedures have been tested on Ubuntu 20.04 LTS.

Note:

  • We have used the command line Terminal for the installation procedure. You can launch the Terminal via Ctrl+Alt+T keyboard shortcut.
  • You must be a root user or have sudo privileges in order to install and use Wireshark to capture data on your system.

Installing Wireshark

For installing Wireshark, you will need to add the “Universe” repository. Issue the following command in Terminal to do so:

$ sudo add-apt-repository universe

Now issue the following command in Terminal to install Wireshark on your system:

$ sudo apt install Wireshark

When prompted for a password, type sudo password.

Install Wireshark

After running the above command, you might be asked for confirmation, hit y, and then hit Enter, after which installation of Wireshark will be started in your system.

During the installation of Wireshark, the following window will appear asking you if you want to allow non-superusers to capture packets. Enabling it can be a security risk, so it is better to leave it disabled and hit Enter.

Configure Wireshark

Once the installation of Wireshark is completed, you can verify it using the following command in Terminal:AdvertisementAdvertisement

$ wireshark --version

If Wireshark has installed successfully, you will a similar output displaying the version of Wireshark installed.

Check Wireshark version

Launch Wireshark

Now you are ready to launch and use Wireshark on your Ubuntu machine. In order to launch Wireshark, issue the following command in Terminal:

$ sudo wireshark

If you are logged in as a root user, you can also launch Wireshark form the GUI. Hit the super key and type wireshark in the search bar. When the icon for the Wireshark appears, click on it to launch it.

Wireshark Icon

Remember you will not be able to capture network traffic if you launch Wireshark without root or sudo privilege.

When the Wireshark opens, you will see the following default view:

Wireshark GUI

Using Wireshark

Wireshark is a powerful tool with plenty of features. Here we will just go through the basics of the two important features that are: packet capture and display filter.

Packet Capture

In order to capture packets using Wireshark, follow the below simple steps:

1. From the list of available network interfaces in the Wireshark window, select the interface on which you want to capture packets.

2. From the toolbar at the top, click the start button to start capturing the packets on the selected interface as shown in the following screenshot.

Capture Network packages using Wireshark

If there is currently no traffic, then you can generate some traffic by visiting any website or by accessing a file shared on the network. After that, you will see the captured packets displaying in real-time.

3. To stop capturing the packets, click the stop button as shown in the following screenshot.

Network traffic

In the above screenshot, you can see the Wireshark divided into three panes:

1. The topmost panelist all the packets captured by Wireshark.

2. The middle pane shows packet header details for each selected packet.

3. The third pane shows the raw data of each selected packet.

Display filter

As you have seen in the above screenshots, the Wireshark displays a large number of packets for single network activity. In a normal network, there are thousands of packets traveling back and forth on your network. It is very difficult to find a specific packet form thousands of captured packets. Here comes the display filtering feature of Wireshark.

With Wireshark display filters, you can only display the types of packets you are looking for. In this way, it narrows down the results and makes it easy for you to find what you are looking for. You can filter the results based on protocols, source and destination IP addresses, port number, and some others.

Wireshark has a lot of pre-defined filters that you can make use of. When you start typing the filter name, Wireshark helps you to auto-complete it by suggesting names. To only show the packets containing a specific protocol, type the protocol name into the “Apply a display filter” field under the toolbar.

Example:

To display only the TCP packets from all the captured packets, type tcp. After entering the filter name, you will see only the TCP packets.

Filter TCP packages in Wireshark

That’s how you can install and use Wireshark on Ubuntu 20.04 LTS system. We have just discussed the basics of the Wireshark tool. In order to have a solid grasp on Wireshark, you need to go through all of the features and experiment with them.

Comment

Leave a Reply

Your email address will not be published. Required fields are marked *

News Feed