Wireshark

From DikapediaV2
Revision as of 14:38, 11 September 2024 by Ardika Sulistija

Useful tutorial article: https://www.varonis.com/blog/how-to-use-wireshark


Install Wireshark on RHEL8.8 with GUI


In RHEL 8.8, if you install Wireshark with

dzdo yum install wireshark

it will not start, because the package pulls in only part of the Qt5 GUI stack. Launching it gives the error: wireshark: error while loading shared libraries: libQt5PrintSupport.so.5: cannot open shared object file: No such file or directory

To identify which package provides libQt5PrintSupport.so.5, run:

dzdo yum whatprovides libQt5PrintSupport.so.5

To resolve this error, run:

dzdo yum -y install qt5-qtbase-gui

Then you will run into a second error: wireshark: error while loading shared libraries: libQt5Multimedia.so.5: cannot open shared object file: No such file or directory

To identify which package provides libQt5Multimedia.so.5, run:

dzdo yum whatprovides libQt5Multimedia.so.5

To resolve this error, run:

dzdo yum -y install qt5-qtmultimedia

Voila. You should now be able to open Wireshark in the GUI.
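The two errors above are the same problem surfacing one library at a time. Rather than restarting Wireshark after each install, you can ask the dynamic linker for the whole list of unresolved libraries up front and look up the provider of each. The script below is an added example, not from the original page: it parses ldd output for "not found" entries and prints the matching yum whatprovides command for each. It assumes a RHEL-style yum with whatprovides and the dzdo privilege wrapper used on this page; the ldd output embedded in it is constructed to mirror the two errors described above.

```shell
#!/bin/sh
# Added example (not part of the original page): find every shared library a
# binary cannot load and print the yum lookup for each, instead of chasing
# "error while loading shared libraries" messages one at a time.
# Assumptions: yum with "whatprovides" (RHEL 8) and the dzdo wrapper.

# missing_libs: read ldd output on stdin, print each library ldd marks "not found".
missing_libs() {
    awk '/=> not found/ { print $1 }'
}

# provider_cmd: print the yum command that identifies the package providing $1.
provider_cmd() {
    printf 'dzdo yum whatprovides %s\n' "$1"
}

# resolve_binary: run ldd on a binary and print one lookup command per missing lib.
# Review the printed commands, then run them (or pipe this output into sh).
resolve_binary() {
    ldd "$1" | missing_libs | while read -r lib; do
        provider_cmd "$lib"
    done
}

# Constructed sample of ldd output (addresses are fake), matching the page's errors.
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffd00000000)
    libQt5PrintSupport.so.5 => not found
    libQt5Multimedia.so.5 => not found
    libc.so.6 => /lib64/libc.so.6 (0x00007f0000000000)'

# Demo mode: "sh resolve_libs.sh --demo" shows the lookups for the sample output.
# Real use: resolve_binary "$(command -v wireshark)"
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LDD" | missing_libs | while read -r lib; do
        provider_cmd "$lib"
    done
fi
```

Running resolve_binary against the real wireshark binary would have listed both Qt5 libraries in one pass, so qt5-qtbase-gui and qt5-qtmultimedia could be installed together before the first launch.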


How to Capture


  • You can simply click start
  • You can click "Capture" > "start"
  • You can select a specific interface by clicking "Capture" > "Options" > then select the interface and click "start"



Wireshark Options


Here are some examples of Wireshark preferences.

  1. Wireshark -> Preferences -> Protocols -> TCP -> untick the "Relative sequence numbers" option. This will allow us to see the absolute sequence numbers of TCP packets in flight.
  2. View -> untick "Packet Bytes". This is a useless section and just eats up space on the screen.


Per James, be sure to follow one TCP stream at a time. You can do so with the following steps in Wireshark: Analyze > Follow > TCP Stream.


How to filter in Wireshark

In the display filter box at the top of Wireshark, some common filters that make a capture easier to read:

  • ip.addr == x.x.x.x
  • tcp.flags.reset==1
  • tcp.srcport==443
  • tcp.port==25
  • tcp.seq == 3817801554
  • Click on a packet, and in the packet details pane at the bottom of Wireshark expand Transmission Control Protocol > right click on Sequence Number: 3817801554 > Apply as Filter > Selected.

For example:

ip.addr == x.x.x.x && tcp.port==25
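Two details of these filters are worth seeing on real data: ip.addr == x matches a packet when x is either the source or the destination, and tcp.port == 25 matches either port, which is why the combined filter above returns both directions of an SMTP conversation. The flip side is a well-known trap: ip.addr != x is true whenever either address differs, so it still shows traffic involving x; !(ip.addr == x) is the correct exclusion. The script below is an added example, not from the original page. It applies the same logic with awk to a space-separated packet summary of the shape produced by tshark -T fields -E separator=/s -e frame.number -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e tcp.flags.reset; the packet lines are constructed, and the 0/1 encoding of tcp.flags.reset is an assumption.

```shell
#!/bin/sh
# Added example (not part of the original page): Wireshark display-filter
# semantics reproduced over a constructed packet summary.
# Columns: frame ip.src ip.dst tcp.srcport tcp.dstport tcp.flags.reset
PACKETS='1 10.0.0.5 192.0.2.10 51000 25 0
2 192.0.2.10 10.0.0.5 25 51000 0
3 10.0.0.5 192.0.2.10 51001 443 0
4 198.51.100.7 10.0.0.5 8080 51002 1
5 10.0.0.5 198.51.100.7 51003 25 1'

# match_ip_and_port IP PORT: equivalent of "ip.addr == IP && tcp.port == PORT".
# ip.addr matches source OR destination; tcp.port matches either port.
match_ip_and_port() {
    awk -v ip="$1" -v port="$2" \
        '($2 == ip || $3 == ip) && ($4 == port || $5 == port) { print $1 }'
}

# match_reset: equivalent of "tcp.flags.reset == 1".
match_reset() {
    awk '$6 == 1 { print $1 }'
}

# not_ip_wrong IP: what "ip.addr != IP" really evaluates to. It is true when
# EITHER address differs, so every packet that has any other endpoint matches.
not_ip_wrong() {
    awk -v ip="$1" '($2 != ip || $3 != ip) { print $1 }'
}

# not_ip_right IP: equivalent of "!(ip.addr == IP)", the real exclusion.
not_ip_right() {
    awk -v ip="$1" '!($2 == ip || $3 == ip) { print $1 }'
}

# frames: join matched frame numbers onto one line for display.
frames() { tr '\n' ' ' | sed 's/ $//'; }

# Demo: "sh filters.sh --demo"
if [ "${1:-}" = "--demo" ]; then
    echo "ip.addr == 192.0.2.10 && tcp.port == 25 : $(printf '%s\n' "$PACKETS" | match_ip_and_port 192.0.2.10 25 | frames)"
    echo "tcp.flags.reset == 1                     : $(printf '%s\n' "$PACKETS" | match_reset | frames)"
    echo "ip.addr != 192.0.2.10 (trap)             : $(printf '%s\n' "$PACKETS" | not_ip_wrong 192.0.2.10 | frames)"
    echo "!(ip.addr == 192.0.2.10)                 : $(printf '%s\n' "$PACKETS" | not_ip_right 192.0.2.10 | frames)"
fi
```

The combined filter returns frames 1 and 2, the two halves of the SMTP exchange with 192.0.2.10, while the != form returns every frame in the sample and the negated form correctly drops frames 1, 2 and 3.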