Introduction to Wireshark

Hello friends,

This is the Second part of Chapter 3 from the “Rootsh3ll WiFi Security and Pentesting Series“. In case you missed the previous chapter you can read here.

In Chapter 2, We will cover:

  • Introduction to Aircrack-ng Suite of tools
  • Introduction to Wireshark
  • WEP cracking using Aircrack-ng
  • WPA/WPA2 Personal cracking using Aircrack-ng
  • WPS cracking

In this chapter we will cover the RED part.

Wireshark is a free and open-source packet analyzer. It is one of the most powerful and popular tools used by pentesters as well as network administrators for

  • Network troubleshooting
  • Analysis
  • Software and communications protocol development, and
  • Education
Checkout my new store for Best WiFi adapters for Hacking, Best-selling Pentesting Books and Best WiFi Boosters: Rootsh3ll rStore

As for analysis, it is used to inspect data passing through the network interface which could be your ethernet, LAN, Wi-Fi, USB(storage or modem). In other words, Wireshark is a packet sniffer for the pentesters.

From the perspective of a pentester, Wireshark is

  • Packet sniffer
  • Network analyzer
  • Network performance monitoring tool
  • Protocol analyzer

The series of data that wireshark inspects are called ‘frames’ which includes ‘packets’. Wireshark has the ability to capture all the packets passing through the network interface and decode them for analysis.

It is important to note that this is an excellent tool used by the network administrators to check that their customers sensitive data is being transmitted securely (Encrypted), at the same time it can also be used by a hacker on unsecured(unencrypted) networks. We will learn in this series how a hacker can misuse the legitimate tool for malicious purposes once he is connected to the network.

Before moving on to the installation process and tutorial it is necessary to know the history behind the tool.


Wireshark, originally named as Ethereal, was written and released by Gerald combs, who was a computer science graduate of the University of Missouri–Kansas City. In late 1990s the commercial protocol analysis tools were prices near $1500 and also were not compatible on the company’s primary platforms(Solaris and Linux). So, Gerald began writing Ethereal and released the first version in 1998.

Why did the name change to wireshark ?

In 2006, Combs accepted a job with CACE technologies. Combs didn’t own the trademark of Ethereal(owned by Network Integration Services), but held copyright on most of the Ethereal source code, so he used the contents of the Ethereal Subversion repository as the basis for the Wireshark repository and then named the project as “Wireshark”.

According to wikipedia,

“Wireshark has won several industry awards over the years, including eWeek, InfoWorld, and PC Magazine. It is also the top-rated packet sniffer in the Insecure.Org network security tools survey and was the SourceForge Project of the Month in August 2010.”

From 2006 onward, wireshark has been in the top 10 tools used by the penetration testers and hackers.


Wireshark comes pre-installed on most of the pentesting distros like Kali Linux, Backbox, Pentoo, Samurai WTF. But being a penetration tester, network administrator or a script kiddie, it is very essential for one to know the installation process of any tool and not to rely upon the preinstalled tools and just use them.

Pentesting distros are designed for the penetration testers to work faster, by not installing and fixing the system every time, and for education purposes also. But people tend to misunderstand this with work lesser. It might mean the same but it isn’t. You should learn how to install and fix the tools, it will not only give you an in-depth understanding of working of the tool, but also by doing this you open a new possibility for yourself to do more.

Download Wireshark

Wireshark is available for Windows, Mac and Linux. You can download wireshark from the official site.

We will see how to install wireshark on Linux by source code. download the latest source code here. and save it on the desktop.


  1. Open terminal and type:
    $ cd ~/Desktop
    $ tar xvf wireshark-1.*.bz2 
    $ cd wireshark*
  2. Run the autogen.sh script to configure your build directory:
    $ ./autogen.sh
  3. Run the configure script. This checks your Linux system to ensure it has the proper library dependencies, in addition to the proper compiler to compile the source code. Run this command from the terminal:
    $ ./configure --enable-setcap-install
  4. Now let’s Build wireshark, type
    $ make
  5. Install wireshark
    $ make install
  6. Run wireshark
    $ gksudo wireshark &

and enter your password, or simply press ALT+F2 and type wireshark.

As we know that Wireshark can capture traffic from ethernet, USB, WiFi (connected network), or WiFi (Not connected).

Now, as it seems pretty easy to select the interface and start capturing traffic from the ethernet, USB or WiFi(when connected). But keeping this series in mind, we are using a Wireless card and haven’t yet penetrated or connected to a network. So it leaves us with an option of sniffing the air and that is possible by putting the wireless card on monitor mode.

Monitor mode

To put wireless card on monitor mode, open terminal

  • Type “ifconfig”  and check the name of the wireless interface, “Wlan1” in this caseifconfig
  • Now type “airmon-ng start wlan1”. Here wlan1 is the interface we are going to put on monitor mode. and type “ifconfig” to check the new monitor mode interface. “wlan1mon” in this case, yours can be different like mon0, mon1 etcmonitor-mode

We have now put the card on monitor mode. Time to start wireshark and sniff the air.

Select Interface

After starting wireshark you will see a window with 3 columns,

  • Capture
  • Files, and
  • Online

as per the order, we will select our Interface from the Interface List for capturing the data packets and then click on start.


As you can see in the above picture I have selected the capture interface i.e wlan1mon. Now click “start”

As soon as you will click “start” you’ll see the packets start to appear in real-time. Wireshark will capture all the packets passing through the wireless card.

Stop sniffing

Click on “stop” on the top left corner of the window when you want to stop.


Filter packets and Analyze

A numerous number of packets are captured in a short span of time, especially when card is on monitor mode, and it makes packet analyzing difficult. Here we need to filter the output, reduce the clutter and make it easier to analyze

Wireshark contains a variety of filters. We will see some of them in this tutorial to understand how filters work and make the work easier.

  1. Filter packets with a specific SSID. Inthis example, “ravi@wifi” is the SSID we will filterSSID-filter
    In the above screenshot we have entered the filter in the green box on the upper left corner i.e ‘ wlan_mgt.ssid = “ravi@wifi” ‘. Now all the packet displayed have a common element which is the SSID name: “ravi@wifi” which was being broadcasted in the air.
  2. Wireshark capture all sorts of packets and you might think of filtering packets with specific MAC address. In next example we will filter all the broadcast packets. broadcast packets have destination MAC address as “FF:FF:FF:FF:FF:FF“. You can see this in the previous image.MAC-filter
    wlan.addr == FF:FF:FF:FF:FF:FF has a syntax just like the Java language, Here wlan is the package and addr, which is hardware address, is the class defined in the wlan package. Now we can also specify a hardware address which is all F’s for the broadcast, will be different for different hardware.As you can compare point 1 and 2 are the same in the above images, but point 2 is different as it is showing 2 different SSID’s rather than only “ravi@wifi” from the 1st filter we applied.

There are many wlan filters that we will use during the series. you can also  see all of the wlan package filters here.

Save packets

When you get your desired packets filtered it’s time to save them for analyzing in future.

  • Click on File.
  • click on Save.
  • Browse location, input Filename and press [Enter]

Next time you start wireshark and want to analyze previously saved packets

  • Open wireshark
  • Click on Open under the Files option from the 3 columns
  • Browse for the .Pcap file
  • Do whatever you want.

Color coding

You would have noticed that all the frames captured were being displayed in black/white. That is not it. Wireshark display packets in colors.

In the above examples the packets were broadcast packets and wireshark don’t apply any color coding to the broadcast packets.

By default, green is TCP traffic, dark blue is DNS traffic, light blue is UDP traffic, and black identifies TCP packets with problems. for example applying a filter “dns” we see an output of packets, all highlighted with dark blue color.



We now have our hands-on wireshark and had a glimpse of using wireshark filters to reduce the clutter. We will learn more about wireshark and its filters along the series.

Next we will see how to crack WEP using aircrack-ng suite of tools and inspect the captured pcap file using wireshark.

Useful Links:


TP-LINK TL-MR3420 300 MB/s Wireless Router 2x 5dBi antennas

Network Adapters:

Alfa AWUSO36NH High Gain B/G/N USB / Alfa AWUS036NHA B/G/N USB

High Gain Antenna:

Alfa 9dBi WiFi Omni-Directional High-Gain Antenna

USB Drive (32 GB):

SanDisk Ultra Fit  USB 3.0  32GB Pen Drive (International)

SanDisk Ultra USB 3.0 32 GB Pen Drive (India Only)


Did you already try wireshark before ? share your thoughts in the comments section below.