Wireshark/Ethereal is a free network protocol analyzer for almost all operating systems (including Unix, Linux and MS Windows). It allows you to examine data from a live network or from a capture file on disk. You can interactively browse the capture data, viewing summary and detail information for each packet. Wireshark/Ethereal has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session.

Using Wireshark/Ethereal

1. Capturing
A switch only forwards a frame to the port that owns its destination MAC address, so to see other hosts' traffic you normally either plug the capture machine into an Ethernet hub or use a managed switch on which one Ethernet port can be configured as a monitoring (mirror/SPAN) port. To capture Ethernet traffic, start Wireshark/Ethereal, open the Capture menu and click Options. The following screen will appear:


Capture Options

In the interface selection, choose the Ethernet interface from which you want to capture traffic. In some configurations the default selection can be, for example, "Generic NdisWan Adapter", which is not a physical network card and from which Wireshark/Ethereal cannot capture anything; this adapter shows up in configurations with Terminal Services enabled. If you only need traffic for specific hosts, define a capture filter. Note that a capture filter is applied before packets are written to the capture, so whatever it excludes is lost for good; when in doubt, capture more and narrow down later with a display filter. Examples of capture filters related to hosts:

Capture filter | Explanation
host | Shows packets in which the host is the source or the destination.
host and host | Shows packets in which one host is the source and the other host is the destination (or vice versa).
host and (host or host) | Shows packets in which the first host is the source and either of the two hosts in parentheses is the destination (or vice versa).
host and not | Shows packets in which the host is the source or destination side, but only if the packets are not coming from or going to the excluded host.

It is also possible to capture just one lower-layer protocol or port. A few examples:

Capture filter | Explanation
tcp | Captures only packets transmitted using the TCP protocol.
tcp port 80 | Captures only packets transmitted using the TCP protocol from/to port 80.
tcp port 80 or udp | Captures packets transmitted using the TCP protocol from/to port 80, plus all packets transmitted using the UDP protocol. "and" binds tighter than "or", so this reads as (tcp port 80) or udp; use parentheses when you mean something else.
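Because a capture filter silently drops everything it does not match, it pays to check how a filter's and/or/not/parentheses combine before typing it into Capture > Options. The following is an added example, not Wireshark or libpcap code: a toy evaluator for the subset of the capture-filter syntax used in the two tables above (host, tcp, udp, port, tcp port N, udp port N, and, or, not, parentheses), run over a handful of constructed packet records with addresses from the 192.0.2.0/24 documentation range. It requires an explicit "host" before every address (it does not implement BPF qualifier inheritance) and it does not support any other primitive.

```python
"""Toy evaluator for a subset of the BPF capture-filter syntax (added example).

Supports: host <ip>, tcp, udp, port <n>, tcp port <n>, udp port <n>,
and, or, not, parentheses.  Precedence matches BPF: not > and > or.
"""
import re

# Constructed sample packets (documentation-range addresses, not captured data).
PACKETS = [
    {"src": "192.0.2.10", "dst": "192.0.2.20", "proto": "tcp", "sport": 40000, "dport": 80},
    {"src": "192.0.2.20", "dst": "192.0.2.10", "proto": "tcp", "sport": 80, "dport": 40000},
    {"src": "192.0.2.10", "dst": "192.0.2.30", "proto": "udp", "sport": 5060, "dport": 5060},
    {"src": "192.0.2.40", "dst": "192.0.2.10", "proto": "tcp", "sport": 40001, "dport": 443},
    {"src": "192.0.2.30", "dst": "192.0.2.40", "proto": "udp", "sport": 53, "dport": 53},
]

TOKEN = re.compile(r"\(|\)|[A-Za-z]+|[0-9.]+")


class Parser:
    """Recursive descent.  expr := term ('or' term)*;
    term := factor ('and' factor)*;  factor := 'not' factor | '(' expr ')' | primitive."""

    def __init__(self, text):
        self.toks = TOKEN.findall(text)
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of filter")
        if expected is not None and tok != expected:
            raise ValueError(f"expected {expected!r}, got {tok!r}")
        self.pos += 1
        return tok

    def parse(self):
        node = self.expr()
        if self.peek() is not None:
            raise ValueError(f"trailing token {self.peek()!r}")
        return node

    def expr(self):
        node = self.term()
        while self.peek() == "or":
            self.take("or")
            node = ("or", node, self.term())
        return node

    def term(self):
        node = self.factor()
        while self.peek() == "and":
            self.take("and")
            node = ("and", node, self.factor())
        return node

    def factor(self):
        if self.peek() == "not":
            self.take("not")
            return ("not", self.factor())
        if self.peek() == "(":
            self.take("(")
            node = self.expr()
            self.take(")")
            return node
        return self.primitive()

    def primitive(self):
        tok = self.take()
        if tok == "host":
            return ("host", self.take())
        if tok in ("tcp", "udp"):
            if self.peek() == "port":           # "tcp port 80" is "tcp and port 80"
                self.take("port")
                return ("and", ("proto", tok), ("port", int(self.take())))
            return ("proto", tok)
        if tok == "port":
            return ("port", int(self.take()))
        raise ValueError(f"unknown primitive {tok!r}")


def matches(node, pkt):
    kind = node[0]
    if kind == "and":
        return matches(node[1], pkt) and matches(node[2], pkt)
    if kind == "or":
        return matches(node[1], pkt) or matches(node[2], pkt)
    if kind == "not":
        return not matches(node[1], pkt)
    if kind == "host":          # either direction, as in BPF
        return node[1] in (pkt["src"], pkt["dst"])
    if kind == "proto":
        return pkt["proto"] == node[1]
    if kind == "port":          # source or destination port
        return node[1] in (pkt["sport"], pkt["dport"])
    raise ValueError(kind)


def apply_filter(text, packets=PACKETS):
    """Return the indexes of the packets the capture filter would keep."""
    tree = Parser(text).parse()
    return [i for i, p in enumerate(packets) if matches(tree, p)]


if __name__ == "__main__":
    for f in ["host 192.0.2.10", "host 192.0.2.10 and host 192.0.2.20",
              "host 192.0.2.10 and (host 192.0.2.20 or host 192.0.2.30)",
              "host 192.0.2.10 and not host 192.0.2.40",
              "tcp port 80 or udp", "tcp and (port 80 or udp)"]:
        print(f"{f!r:62} -> {apply_filter(f)}")
```

The last two filters in the usage loop differ only in parentheses and keep different packets: "tcp port 80 or udp" keeps every UDP packet, while "tcp and (port 80 or udp)" keeps no UDP at all. That is exactly the kind of mistake a capture filter does not let you undo.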

2. Filtering (during a capture session)

During a capture session, or on a capture file loaded from disk, you can define a second filter, the display filter, which applies to the packets already captured. Unlike a capture filter it discards nothing; it only controls which packets are shown, so it can be changed and refined as often as needed. See the following example:


(Wireshark/Ethereal in action)

In the filter field is the string "ldap", which means that Wireshark/Ethereal will show only transactions using the LDAP protocol. The value of this filter can be changed during the capture session.
Some simple examples:

Filter | Explanation
sip | Shows only packets transmitted using the SIP protocol.
mgcp | Shows only packets transmitted using the MGCP protocol.
ldap | Shows only packets transmitted using the LDAP protocol.

More complicated examples:

Filter | Explanation
ldap.bind.version == 3 | Shows only LDAP Bind messages where the protocol version equals three.
tcp contains "surpass" | Shows all TCP packets with the word surpass anywhere in the message.
sip contains "UHURA" or | Shows BOTH: all SIP packets containing the word UHURA, and also packets where the source or destination IP is the given address.
sip.Method == "REGISTER" and | Shows ONLY SIP packets where the Method is REGISTER AND the source or destination IP is the given address.

Note: Filtering is case sensitive! Protocol and field names are written in lower case, and a string compared with contains must match the captured bytes exactly, so tcp contains "surpass" will not show a packet carrying "Surpass".
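To see what the "BOTH" versus "ONLY" distinction and the case-sensitivity note mean in practice, here is an added example (not Wireshark code) that mirrors the display filters from the table above as plain Python predicates over constructed records standing in for dissected frames. The field names ip.src, ip.dst, sip.Method and ldap.bind.version are the real Wireshark field names; the frame contents, the addresses (documentation range 192.0.2.0/24) and the SIP user names are invented. The toy "contains" only inspects the payload bytes, whereas Wireshark's "tcp contains" searches the whole TCP segment including the header.

```python
"""Display-filter semantics mirrored in Python (added example, not Wireshark code)."""
import re

# Constructed frames; addresses and contents are invented for the example.
FRAMES = [
    {"no": 1, "ip.src": "192.0.2.10", "ip.dst": "192.0.2.50", "protocols": {"ip", "udp", "sip"},
     "sip.Method": "REGISTER", "payload": b"REGISTER sip:UHURA@example.invalid SIP/2.0"},
    {"no": 2, "ip.src": "192.0.2.50", "ip.dst": "192.0.2.10", "protocols": {"ip", "udp", "sip"},
     "sip.Method": "INVITE", "payload": b"INVITE sip:uhura@example.invalid SIP/2.0"},
    {"no": 3, "ip.src": "192.0.2.60", "ip.dst": "192.0.2.50", "protocols": {"ip", "udp", "sip"},
     "sip.Method": "REGISTER", "payload": b"REGISTER sip:spock@example.invalid SIP/2.0"},
    {"no": 4, "ip.src": "192.0.2.10", "ip.dst": "192.0.2.70", "protocols": {"ip", "tcp", "http"},
     "payload": b"GET /Surpass/login HTTP/1.1"},
    {"no": 5, "ip.src": "192.0.2.70", "ip.dst": "192.0.2.10", "protocols": {"ip", "tcp", "http"},
     "payload": b"HTTP/1.1 200 OK surpass-session=1"},
    {"no": 6, "ip.src": "192.0.2.80", "ip.dst": "192.0.2.90", "protocols": {"ip", "tcp", "ldap"},
     "ldap.bind.version": 3, "payload": b"bindRequest"},
]


def ip_addr(frame, addr):
    """ip.addr == addr: true when addr is the source OR the destination."""
    return addr in (frame["ip.src"], frame["ip.dst"])


def contains(frame, proto, needle):
    """<proto> contains "needle": byte-wise, case-sensitive substring search,
    restricted to frames that actually carry that protocol (toy: payload only)."""
    return proto in frame["protocols"] and needle.encode() in frame["payload"]


def matches_ci(frame, proto, pattern):
    """<proto> matches "(?i)pattern": regular expression, case-insensitive,
    the usual way around the case sensitivity of contains."""
    return (proto in frame["protocols"]
            and re.search(pattern.encode(), frame["payload"], re.IGNORECASE) is not None)


def field_eq(frame, field, value):
    """<field> == value; a frame without the field never matches."""
    return frame.get(field) == value


def select(predicate, frames=FRAMES):
    """Frame numbers the display filter would leave visible."""
    return [f["no"] for f in frames if predicate(f)]


# The composed filters from the table above, with the address as a parameter.
def sip_uhura_or_host(addr):
    # sip contains "UHURA" or ip.addr == addr   -> BOTH sets, united
    return select(lambda f: contains(f, "sip", "UHURA") or ip_addr(f, addr))


def sip_register_and_host(addr):
    # sip.Method == "REGISTER" and ip.addr == addr   -> ONLY the intersection
    return select(lambda f: field_eq(f, "sip.Method", "REGISTER") and ip_addr(f, addr))


def tcp_contains(word):
    # tcp contains "word"   -> case sensitive
    return select(lambda f: contains(f, "tcp", word))


def tcp_matches_ci(pattern):
    # tcp matches "(?i)pattern"   -> case insensitive
    return select(lambda f: matches_ci(f, "tcp", pattern))


def ldap_bind_version(version):
    # ldap.bind.version == version
    return select(lambda f: field_eq(f, "ldap.bind.version", version))


if __name__ == "__main__":
    print("sip contains UHURA or ip.addr == 192.0.2.60 :", sip_uhura_or_host("192.0.2.60"))
    print("sip.Method == REGISTER and ip.addr == 192.0.2.60 :", sip_register_and_host("192.0.2.60"))
    print("tcp contains surpass :", tcp_contains("surpass"))
    print("tcp matches (?i)surpass :", tcp_matches_ci("surpass"))
    print("ldap.bind.version == 3 :", ldap_bind_version(3))
```

Frame 2 carries "uhura" in lower case and frame 4 carries "Surpass", so the contains filters skip both while the regular-expression variant picks up frame 4; when you are hunting for a user name or a token of unknown casing, matches with (?i) is the safer choice.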

