1******************************
2Espressif Wireshark User Guide
3******************************
4:link_to_translation:`zh_CN:[中文]`
5
6===========
71. Overview
8===========
9
101.1 What is Wireshark?
11======================
12
13`Wireshark <https://www.wireshark.org>`_ (originally named "Ethereal") is a network packet analyzer that captures network packets and displays the packet data as detailed as possible. It uses WinPcap as its interface to directly capture network traffic going through a network interface controller (NIC).
14
15You could think of a network packet analyzer as a measuring device used to examine what is going on inside a network cable, just like a voltmeter is used by an electrician to examine what is going on inside an electric cable.
16
17In the past, such tools were either very expensive, proprietary, or both. However, with the advent of Wireshark, all that has changed.
18
19Wireshark is released under the terms of the GNU General Public License, which means you can use the software and the source code free of charge. It also allows you to modify and customize the source code.
20
21Wireshark is, perhaps, one of the best open source packet analyzers available today.
22
23
241.2 Some Intended Purposes
25==========================
26
27Here are some examples of how Wireshark is typically used:
28
29* Network administrators use it to troubleshoot network problems.
30
31* Network security engineers use it to examine security problems.
32
33* Developers use it to debug protocol implementations.
34
35* People use it to learn more about network protocol internals.
36
37Beside these examples, Wireshark can be used for many other purposes.
38
39
401.3 Features
41============
42
43The main features of Wireshark are as follows:
44
45* Available for UNIX and Windows
46
47* Captures live packet data from a network interface
48
49* Displays packets along with detailed protocol information
50
51* Opens/saves the captured packet data
52
53* Imports/exports packets into a number of file formats, supported by other capture programs
54
55* Advanced packet filtering
56
57* Searches for packets based on multiple criteria
58
59* Colorizes packets according to display filters
60
61* Calculates statistics
62
63* … and a lot more!
64
65
661.4 Wireshark Can or Can't Do
67==============================
68
69* **Live capture from different network media**.
70
71  Wireshark can capture traffic from different network media, including wireless LAN.
72
73* **Import files from many other capture programs**.
74
75  Wireshark can import data from a large number of file formats, supported by other capture programs.
76
77* **Export files for many other capture programs**.
78
79  Wireshark can export data into a large number of file formats, supported by other capture programs.
80
81* **Numerous protocol dissectors**.
82
83  Wireshark can dissect, or decode, a large number of protocols.
84
85* **Wireshark is not an intrusion detection system**.
86
87  It will not warn you if there are any suspicious activities on your network. However, if strange things happen, Wireshark might help you figure out what is really going on.
88
89* **Wireshark does not manipulate processes on the network, it can only perform "measurements" within it**.
90
91  Wireshark does not send packets on the network or influence it in any other way, except for resolving names (converting numerical address values into a human readable format), but even that can be disabled.
92
93
94==========================
952. Where to Get Wireshark
96==========================
97
98You can get Wireshark from the official website: https://www.wireshark.org/download.html
99
100Wireshark can run on various operating systems. Please download the correct version according to the operating system you are using.
101
102
103======================
1043. Step-by-step Guide
105======================
106
107**This demonstration uses Wireshark 2.2.6 on Linux.**
108
109
110**a) Start Wireshark**
111
112On Linux, you can run the shell script provided below. It starts Wireshark, then configures NIC and the channel for packet capture.
113
114::
115
116  ifconfig $1 down
117  iwconfig $1 mode monitor
118  iwconfig $1 channel $2
119  ifconfig $1 up
120  Wireshark&
121
122In the above script, the parameter ``$1`` represents NIC and ``$2`` represents channel. For example, ``wlan0`` in ``./xxx.sh wlan0 6``, specifies the NIC for packet capture, and ``6`` identifies the channel of an AP or Soft-AP.
123
124
125**b) Run the Shell Script to Open Wireshark and Display Capture Interface**
126
127.. figure:: ../../_static/ws-capture-interface.jpeg
128    :align: center
129    :alt: Wireshark Capture Interface
130    :figclass: align-center
131    :width: 60%
132
133    Wireshark Capture Interface
134
135**c) Select the Interface to Start Packet Capture**
136
137As the red markup shows in the picture above, many interfaces are available. The first one is a local NIC and the second one is a wireless NIC.
138
139Please select the NIC according to your requirements. This document will use the wireless NIC to demonstrate packet capture.
140
141Double click *wlan0* to start packet capture.
142
143
144**d) Set up Filters**
145
146Since all packets in the channel will be captured, and many of them are not needed, you have to set up filters to get the packets that you need.
147
148Please find the picture below with the red markup, indicating where the filters should be set up.
149
150.. figure:: ../../_static/ws-setup-filters.png
151    :align: center
152    :alt: Setting up Filters in Wireshark
153    :figclass: align-center
154
155    Setting up Filters in Wireshark
156
157Click *Filter*, the top left blue button in the picture below. The *display filter* dialogue box will appear.
158
159.. figure:: ../../_static/ws-display-filter-dialogue-box.png
160    :align: center
161    :alt: *Display Filter* Dialogue Box
162    :figclass: align-center
163    :width: 60%
164
165    *Display Filter* Dialogue Box
166
167Click the *Expression* button to bring up the *Filter Expression* dialogue box and set the filter according to your requirements.
168
169.. figure:: ../../_static/ws-filter-expression.png
170    :align: center
171    :alt: *Filter Expression* Dialogue Box
172    :figclass: align-center
173    :width: 80%
174
175    *Filter Expression* Dialogue Box
176
177**The quickest way**: enter the filters directly in the toolbar.
178
179.. figure:: ../../_static/ws-filter-toolbar.png
180    :align: center
181    :alt: Filter Toolbar
182    :figclass: align-center
183
184    Filter Toolbar
185
186Click on this area to enter or modify the filters. If you enter a wrong or unfinished filter, the built-in syntax check turns the background red. As soon as the correct expression is entered, the background becomes green.
187
188The previously entered filters are automatically saved. You can access them anytime by opening the drop down list.
189
190For example, as shown in the picture below, enter two MAC addresses as the filters and click *Apply* (the blue arrow). In this case, only the packet data transmitted between these two MAC addresses will be captured.
191
192.. figure:: ../../_static/ws-filter-toolbar_green.png
193    :align: center
194    :alt: Example of MAC Addresses applied in the Filter Toolbar
195    :figclass: align-center
196
197    Example of MAC Addresses applied in the Filter Toolbar
198
199**e) Packet List**
200
201You can click any packet in the packet list and check the detailed information about it in the box below the list. For example, if you click the first packet, its details will appear in that box.
202
203.. figure:: ../../_static/ws-packet-list.png
204    :align: center
205    :alt: Example of Packet List Details
206    :figclass: align-center
207
208    Example of Packet List Details
209
210**f) Stop/Start Packet Capture**
211
212As shown in the picture below, click the red button to stop capturing the current packet.
213
214.. figure:: ../../_static/ws-stop-packet-capture.png
215    :align: center
216    :alt: Stopping Packets Capture
217    :figclass: align-center
218
219    Stopping Packet Capture
220
221Click the top left blue button to start or resume packet capture.
222
223.. figure:: ../../_static/ws-start-resume-packet-capture.png
224    :align: center
225    :alt: Starting or Resuming Packets Capture
226    :figclass: align-center
227    :width: 60%
228
229    Starting or Resuming the Packets Capture
230
231**g) Save the Current Packet**
232
233On Linux, go to *File* -> *Export Packet Dissections* -> *As Plain Text File* to save the packet.
234
235.. figure:: ../../_static/ws-save-packets.png
236    :align: center
237    :alt: Saving Captured Packets
238    :figclass: align-center
239    :width: 60%
240
241    Saving Captured Packets
242
243Please note that *All packets*, *Displayed* and *All expanded* must be selected.
244
245By default, Wireshark saves the captured packet in a libpcap file. You can also save the file in other formats, e.g. txt, to analyze it in other tools.
246
247