Category: Sniffing & Spoofing. Tags: network, sniffer, packet, analyzer, capture, traffic, dissection

Wireshark

Wireshark is a network protocol analyzer that captures and interactively inspects network traffic. It provides both graphical (wireshark) and console (tshark) interfaces for packet analysis.

Description

Wireshark is a widely-used network sniffer that captures packets off the wire and dissects numerous protocols. The main graphical tool 'wireshark' allows interactive analysis, while 'tshark' provides console-based packet dumping and filtering. Additional utilities like dumpcap for capturing, capinfos for file information, and editcap for editing capture files extend its functionality.

Common use cases include network troubleshooting, protocol analysis, security monitoring, and forensic investigation of network traffic. It supports reading and writing various capture file formats through libwiretap and provides deep packet inspection via libwireshark.

The Kali package provides multiple components including stratoshark for system call analysis, captype for file type identification, and mergecap for combining captures. Development libraries enable custom dissector creation.

How It Works

Wireshark uses libpcap for packet capture and libwireshark for protocol dissection. Libwiretap handles multiple capture file formats such as pcap, Sniffer, and snoop. Packets are filtered with BPF (libpcap) syntax at capture time, or with Wireshark display filter syntax during analysis. Tshark and the graphical tools process captures in one or two passes, applying read filters and display filters. Utility libraries such as libwsutil provide supporting functions for name resolution, decompression, and other common helpers.
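To make the capture-versus-display filtering distinction concrete, here is an added example (not code from the Kali page or the Wireshark project): a minimal reader and writer for the classic libpcap file format, a small Ethernet/IPv4/TCP dissector, and a predicate that behaves like the display filter `tcp.port == 80` applied after dissection, which is how tshark evaluates `-Y`. All packets, addresses (10.0.0.0/8 and the 192.0.2.0/24 documentation range), MAC addresses and timestamps are constructed inline; nothing is sniffed from an interface, and checksums are left at zero because the parser does not verify them.

```python
"""Added example, not code from the Kali page or the Wireshark project: a
minimal reader/writer for the classic libpcap file format plus a tiny
Ethernet/IPv4/TCP dissector, with a 'tcp.port == N' style predicate applied
after dissection, the way tshark applies a -Y display filter. Every packet
here is constructed in memory; nothing is captured from an interface."""
import struct
from dataclasses import dataclass
from typing import Optional

PCAP_MAGIC = 0xA1B2C3D4       # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def write_pcap(packets):
    """Serialize (timestamp, frame_bytes) pairs into pcap file bytes."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for ts, frame in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return bytes(out)


def read_pcap(data):
    """Yield (timestamp, frame_bytes) records; rejects unknown magic, link type or truncation."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    endian = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(magic)   # byte order from the magic
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type handled here")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if off + incl > len(data):
            raise ValueError("truncated packet record")
        yield sec + usec / 1_000_000, data[off:off + incl]
        off += incl


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None
    dport: Optional[int] = None
    flags: Optional[int] = None


def dissect(frame):
    """Dissect Ethernet II -> IPv4 -> TCP; returns None for non-IPv4 frames."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    pkt = Packet(".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20])), ip[9])
    if pkt.proto == 6 and len(ip) >= ihl + 20:       # TCP header present
        pkt.sport, pkt.dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        pkt.flags = ip[ihl + 13]
    return pkt


def filter_capture(data, port):
    """Equivalent of: tshark -r file -Y 'tcp.port == <port>'; returns (ts, Packet) hits."""
    hits = []
    for ts, frame in read_pcap(data):
        pkt = dissect(frame)
        if pkt is not None and pkt.proto == 6 and port in (pkt.sport, pkt.dport):
            hits.append((ts, pkt))
    return hits


def build_tcp_frame(src, dst, sport, dport, flags):
    """Constructed Ethernet/IPv4/TCP frame; checksums are left zero (Wireshark would flag them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return bytes.fromhex("001122334455" "66778899aabb" "0800") + ip


# Constructed sample capture: an HTTP handshake start, an SSH SYN and one ARP frame.
SAMPLE_CAPTURE = write_pcap([
    (1700000000.0001, build_tcp_frame("10.0.0.5", "192.0.2.10", 51000, 80, 0x02)),   # SYN
    (1700000000.0004, build_tcp_frame("192.0.2.10", "10.0.0.5", 80, 51000, 0x12)),   # SYN/ACK
    (1700000000.0020, build_tcp_frame("10.0.0.5", "10.0.0.9", 51001, 22, 0x02)),     # SSH SYN
    (1700000001.0000, bytes.fromhex("ffffffffffff001122334455" "0806") + b"\x00" * 28),  # ARP
])

if __name__ == "__main__":
    for ts, p in filter_capture(SAMPLE_CAPTURE, 80):
        print(f"{ts:.6f} {p.src}:{p.sport} -> {p.dst}:{p.dport} flags=0x{p.flags:02x}")
```

Running the block lists only the two port-80 frames, while the file still holds all four records, including the ARP frame. That is the difference the section describes: a display filter (`-Y`) hides packets after dissection, whereas a capture filter such as `-f "tcp port 80"` would have kept the SSH and ARP frames out of the file in the first place, which matters when a capture must be complete for later forensic review.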

Installation

```bash
sudo apt install wireshark
```

Flags

-i <interface>          name or idx of interface (def: first non-loopback)
-f <capture filter>     packet filter in libpcap filter syntax
-r <infile>             set the filename to read from (or '-' for stdin)
-Y <display filter>     packet display filter in Wireshark display filter syntax
-w <outfile>            write packets to a pcapng-format file named "outfile" (or '-' for stdout)
-2                      perform a two-pass analysis
-c <packet count>       stop after n packets (def: infinite)

Examples

Capture TCP port 80 traffic on the eth0 interface:
    tshark -f "tcp port 80" -i eth0

Capture packets from interface eth0 for 60 seconds into output.pcapng:
    dumpcap -i eth0 -a duration:60 -w output.pcapng

Display help for capinfos, which prints information about capture files:
    capinfos -h

Display help for strato (the Stratoshark console interface) for system call and log analysis:
    strato -h

Display help for stratoshark, the graphical system call and event log analyzer:
    stratoshark -h

Display help for tshark, the console version of the network traffic analyzer:
    tshark -h

Display help for wireshark, the graphical network traffic analyzer:
    wireshark -h
Updated 2026-04-16. Source: kali.org