One of the most well-known packet sniffers is Wireshark® (formerly named Ethereal®).

This is a flexible and powerful tool. Any network administrator worth his or her salt will know how to run Wireshark. Most professionals use it often.

Wireshark has been getting better and better with every release. It will likely be around for a long time as the industry standard.

You will install Wireshark and do a few examples to give you a small taste of what Wireshark can do. In addition to loading Wireshark you will also have to load WinPCap® in order to actually capture the packets being sent over your network.

Download Wireshark.

If the program doesn't automatically open, browse to your downloads folder.

Double-click Wireshark-setup-1.8.5.exe. (The software version numbers will be slightly different as newer versions are released.)

Install Wireshark and WinPCap.

Double-click the Wireshark icon on your desktop.

You will want to note the description and IP address of the interface with the most traffic. You will need to select this interface in the following steps.

Note the interface with the most traffic. (You will select this interface in the following steps.)

Close the Capture Interfaces window.

Click Capture, and Options.

Select your Network Interface Card (NIC) if it is not already selected.

Close ALL other programs you currently have open except your word processing program (e.g., MS Word or OpenOffice Writer).

Click Start.

Let it run for 30 seconds.

While you are waiting, open a Web browser and go to Google.

Return to your Wireshark window.

In the file menu, click Capture, and Stop.

Scroll up until you see a green and blue area. (These are the packets you captured when you requested Google's main page.)

Take a screenshot.

Scroll down until you see a line that has GET / HTTP/1.1 in the Info column. (You may have to try more than one until you get to the packet that shows "Google" in the bottom pane.)

Select that row.

In the bottom pane, you will see a bunch of numbers to the left. (It's the packet's contents in hexadecimal.) Just to the right, you will see the content of the packet in a column.

Take a screenshot.

Note: You just picked packets off your network and looked at their contents. There may have been a lot of traffic that you couldn't interpret. Don't worry about the information on your screen that is difficult to understand. In the next project, you will use a filter to capture only Web traffic going over port 80.
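The following is an added example, not part of the original project. It decodes one Ethernet/IPv4/TCP frame by hand to show where the port number, the TCP flags, the GET / HTTP/1.1 line, and the hexadecimal and text columns of the bottom pane come from. The frame is constructed for illustration (documentation-range IP addresses, made-up MAC addresses and ports, checksums left at zero), and all function names are hypothetical.

```python
import struct

def build_sample_frame():
    """Constructed Ethernet/IPv4/TCP frame with an HTTP GET (not a real capture)."""
    payload = b"GET / HTTP/1.1\r\nHost: www.google.com\r\n\r\n"
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")  # dst MAC, src MAC, IPv4
    # src port, dst port 80, seq, ack, data offset (5 words), PSH+ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    # Checksums are left at 0 for brevity; addresses are documentation ranges.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0,
                     64, 6, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return eth + ip + tcp + payload

def parse_frame(frame):
    """Decode Ethernet -> IPv4 -> TCP into the fields the packet list summarises."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4-over-Ethernet frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IPv4 header length in bytes
    total = struct.unpack("!H", ip[2:4])[0]       # excludes any Ethernet padding
    if ip[0] >> 4 != 4 or ip[9] != 6 or ihl < 20 or not ihl + 20 <= total <= len(ip):
        raise ValueError("not a complete IPv4/TCP packet")
    tcp = ip[ihl:total]
    sport, dport = struct.unpack("!HH", tcp[:4])
    offset = (tcp[12] >> 4) * 4                   # TCP header length in bytes
    bits = ((0x01, "FIN"), (0x02, "SYN"), (0x08, "PSH"), (0x10, "ACK"))
    payload = tcp[offset:]
    return {
        "src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
        "sport": sport, "dport": dport,
        "flags": [name for bit, name in bits if tcp[13] & bit],
        # The Info column shows the first line of an HTTP request.
        "info": payload.split(b"\r\n", 1)[0].decode("ascii", "replace"),
        "payload": payload,
    }

def hexdump(data, width=16):
    """Offset, hex bytes, then printable ASCII with '.' for everything else."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {hexpart:<{width * 3 - 1}}  {text}")
    return lines

if __name__ == "__main__":
    pkt = parse_frame(build_sample_frame())
    print(pkt["src"], pkt["sport"], "->", pkt["dst"], pkt["dport"], pkt["flags"], pkt["info"])
    print("\n".join(hexdump(pkt["payload"])))
```

Because the request travels as plain text on port 80, anyone able to capture the frame can read it the same way.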

Project Thought Questions

What do the different colors mean in the Wireshark log?

Why does your computer get packets that are addressed to another machine?

How many packets does your computer send/receive in a single mouse click when you visit a website?

What do SYN, ACK, FIN, and GET mean?

Can you capture all of the packets for an entire network?
