Capturing network packets with Wireshark

Keenetic routers can capture network packets using a particular software module (component). This is the most convenient way to collect network packet dump on the router. We would recommend that you use this method. It is described in the article: Network packet capture.

But suppose you need to collect a network packet dump from a computer. In that case, you can do so with the popular Wireshark software, which is widely used for capturing network traffic and is designed to collect and analyse network packets/protocols. The program is distributed free of charge. You can download the latest version from the program's official website.

wshk-01.png

You can perform a Wireshark installation on the computer, following the instructions of the Wireshark Setup Wizard.

Next, start the application. You will see the main window.

2022-11-30_10-31-13.png

Highlight (double-click) the interface through which the packet capture will automatically start.

NOTE: Important! Perform a network packet capture in such a way that you can see the traffic information when a problem occurs.

In Wireshark, you will see all captured packets.

2022-11-30_10-37-49.png

To stop packet capture, click on the respective button on the Wireshark toolbar.

If you need to start capturing packets again, you can just press the respective button to start.

2022-11-30_10-41-08.png

Go to 'File > Save' to save the captured data to a file.

2022-11-30_10-46-19.png

Select a file location, enter a name and press the 'Save' button.

2022-11-30_10-54-29.png

If a technical support engineer requests, the file received can be sent to our support team.

TIP: Tip: For easy searching/viewing of packet information in Wireshark, captured packets can be filtered by IP address or port number.

Here are some examples:

If you want to filter captured packets by the destination IP address 35.74.215.78, specify a rule in the filter field: ip.dst==35.74.215.78.

2022-11-30_10-57-03.png

If you want to filter captured packets on a specific TCP port (e.g. port 443), specify a rule in the filter field: tcp.port==443.

2022-11-30_11-03-40.png

If you want to filter captured packets by a specific IP address (e.g. IP 192.168.139.121), specify a rule in the filtering field: ip.addr==192.168.139.121.
In this case, only packets containing the specified source or destination IP address will be shown.

2022-11-30_11-06-36.png

To filter DHCP requests only, in the filtering field, type bootp or udp.port==68.

To filter only WoL requests (Wake on LAN), type wol or wol.sync == ff:ff:ff:ff:ff:ff

Full details of the Display Filter syntax can be found at https://wiki.wireshark.org/DisplayFilters.

Numerous different examples of network traffic dumps can be found at https://wiki.wireshark.org/SampleCaptures.

TIP: Note

The Wireshark software is cross-platform. Versions for most UNIX-like systems, including GNU/Linux, Solaris, FreeBSD, NetBSD, OpenBSD, Mac OS X, and Windows, are available on the Wireshark website.
Capture Wireless Packets with Ubuntu Linux Dongle.pdf shows an example of using a bootable Ubuntu Linux USB stick to capture network packets using Wireshark.

Was this article helpful?

66 out of 88 found this helpful