Wireshark 101

(Or things you never learned in tech college)

Step by step Wireshark – List devices on a network:

If you are trying to find out which machines sit on a network and normally talk to each other, the most accessible way to do that is to use Wireshark, which is free and an industry-standard tool.

Wireshark can be downloaded from www.wireshark.org

Once Wireshark is installed on a system that sits on the network (or on your own machine, if you are working from a saved pcap file), you can either capture live traffic or load the pcap file and analyze the endpoints that were visible at the time of capture.

On the first screen, note the interface showing the most traffic. That is a good indication of which interface is in use.

A sparkline graph of traffic is shown next to each interface. Click the active interface to collect from it.

To start capturing traffic on the network, click the shark fin. You are now recording packets.

Once you have generated some traffic, click the red stop button next to the fin to stop recording.

Save the file so you can analyze it in the future.

To find the endpoints that are communicating most on the network, click Statistics.

From there, select Conversations and click on the IPv4 tab. Devices using IPv6 will be on the IPv6 tab.

This screen can be sorted by various columns to give you a clearer view of the traffic on the network. If you sort by the number of packets, you will clearly see the pair of endpoints that is communicating most frequently.

For a simple list of endpoints that were actively communicating to and from the network at the time of capture:

Click Statistics, Endpoints.
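The two views described above (Conversations sorted by packets, and the Endpoints list) reproduced in code, as an added example that is not from the original post or from the Wireshark project: a small parser that reads a classic pcap file, tallies packets per IPv4 endpoint and per endpoint pair, and sorts them the way the Statistics tabs do. The capture it reads is a constructed in-memory sample (Ethernet/IPv4 frames with zeroed MACs and payloads), and it handles only Ethernet (linktype 1) captures.

```python
import struct
from collections import Counter

ETHERTYPE_IPV4 = 0x0800

def _ipv4_frame(src, dst, payload_len=20):
    """Build one Ethernet/IPv4 frame (constructed sample data, zeroed MACs and payload)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + b"\x00" * payload_len

def build_sample_pcap():
    """Constructed capture: 10.0.0.5 and 10.0.0.1 talk back and forth, 10.0.0.7 sends one packet."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    flows = ([("10.0.0.5", "10.0.0.1")] * 3 + [("10.0.0.1", "10.0.0.5")] * 2
             + [("10.0.0.7", "10.0.0.1")])
    records = b""
    for i, (src, dst) in enumerate(flows):
        frame = _ipv4_frame(src, dst)
        records += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return header + records

def iter_ipv4_pairs(pcap):
    """Yield (src, dst) for every IPv4-over-Ethernet record in a classic pcap file."""
    order = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"  # magic number gives byte order
    linktype = struct.unpack(order + "I", pcap[20:24])[0]
    if linktype != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled here")
    offset = 24
    while offset + 16 <= len(pcap):
        incl_len = struct.unpack(order + "IIII", pcap[offset:offset + 16])[2]
        frame = pcap[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        # 14-byte Ethernet header, then IPv4 source at bytes 12..16 and destination at 16..20
        if len(frame) >= 34 and struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_IPV4:
            yield ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))

def summarize(pcap):
    """Return (endpoints, conversations), each sorted by packet count, most active first."""
    endpoints, conversations = Counter(), Counter()
    for src, dst in iter_ipv4_pairs(pcap):
        endpoints[src] += 1
        endpoints[dst] += 1
        conversations[tuple(sorted((src, dst)))] += 1  # direction-agnostic, like the IPv4 tab
    return endpoints.most_common(), conversations.most_common()

if __name__ == "__main__":
    ends, convs = summarize(build_sample_pcap())
    print("Endpoints:", ends)
    print("Conversations:", convs)
```

To run it against one of your own saved captures, pass `open("capture.pcap", "rb").read()` to `summarize` instead of the constructed sample (pcapng files, the default save format in recent Wireshark versions, use a different layout and are not parsed here).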

If you really want to freak yourself out early in your career, “follow” some of the HTTP streams and look at the information that is human readable, or export HTTP objects. More to come!

