Book Image

Mastering Wireshark 2

By : Andrew Crouthamel
Book Image

Mastering Wireshark 2

By: Andrew Crouthamel

Overview of this book

Wireshark, a combination of a Linux distro (Kali) and an open source security framework (Metasploit), is a popular and powerful tool. Wireshark is mainly used to analyze the bits and bytes that flow through a network. It efficiently deals with the second to the seventh layer of network protocols, and the analysis made is presented in a form that can be easily read by people. Mastering Wireshark 2 helps you gain expertise in securing your network. We start with installing and setting up Wireshark2.0, and then explore its interface in order to understand all of its functionalities. As you progress through the chapters, you will discover different ways to create, use, capture, and display filters. By halfway through the book, you will have mastered Wireshark features, analyzed different layers of the network protocol, and searched for anomalies. You’ll learn about plugins and APIs in depth. Finally, the book focuses on pocket analysis for security tasks, command-line utilities, and tools that manage trace files. By the end of the book, you'll have learned how to use Wireshark for network security analysis and configured it for troubleshooting purposes.
Table of Contents (18 chapters)
Title Page
Copyright and Credits
Packt Upsell
Free Chapter
Installing Wireshark 2

Running dumpcap

In this section, we'll take a look at how to run dumpcap, which is another alternative to tshark and tcpdump.

Once again, we'll have to go todumpcap. In this example, it is installed with Wireshark on the system, and if we do a directory listing, you'll see that dumpcap is indeed listed. Tshark is actually based on dumpcap, and so we can type dumpcap.exe --help or -h. If we take a look at the output, it looks very similar to tshark and Wireshark:

Depending on the system that you're using though, it may only have dumpcap available for one reason or another, or tshark may be using too much memory if it's a really small, embedded IoT system, or something like that. You could potentially use dumpcap to have an even lighter utility in order to capture traffic-or maybe you just like using this better. If we look at the arguments that are available, they are just like in tshark. We have -i, -D, and -w for output. They're all very much the same. We can illustrate that by running dumpcap...