Network Sniffer

This section discusses Wireshark, a network sniffer:

What is a "network sniffer"?

If you have a network problem, we have the tool for you.

We have to mention Wireshark, since it is an unbelievably powerful network "sniffer": it captures the packets being sent on your local area network, decodes them and displays them in a graphical window.

How to install Wireshark

The Wireshark package is on the Red Hat CD, or you can download Wireshark.

Then install Wireshark:

rpm -iv wireshark*rpm

Tips on using Wireshark

To start capturing packets in real-time and display them: Capture-->Interfaces...
Then in the eth0 row, on the right, click Options.
Then select the following 2 options:
    [X] Update list of packets in real time
    [X] Automatic scrolling in live capture

Then click on Start.

Wireshark example
Below is an example of Wireshark's main window after packets have been captured:
[Screenshot: Wireshark capture example]

Adding Filters

After you're done playing with Wireshark and watching the network, you'll probably want to focus on traffic between specific hosts, or focus on specific protocols.

You can filter which packets are shown by this method: click your mouse in the rectangle to the right of the Filter: area in the upper part of the window. Then type something like:

tcp.port==80

When you are done typing that, press Enter and Wireshark will then show only packets that used TCP port 80. Here are some other examples of what you could type to the right of the Filter button:
(ip.addr eq ldap.baylor.edu)
ldap
ip.addr == 10.205.0.170
tcp.dstport == 80
http
icmp
udp.dstport == 162
If you want to get fancier, you can click on the Filter button itself and you'll see many choices for filters there.
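To make clear what the display filters listed above actually select, here is an added example (not from the original page and not Wireshark's own filter engine): a small interpreter for exactly those filter forms, run over a handful of constructed, already-decoded packet records. It shows that ip.addr and tcp.port match either end of a conversation, while tcp.dstport and udp.dstport match only the destination, and that a bare protocol name (http, ldap, icmp) matches packets carrying that protocol.

```python
# Added example: a toy interpreter for the display-filter forms shown on this
# page, applied to constructed packet records (fields Wireshark would decode).
import re

# Constructed sample packets: a web request and its reply, an SNMP trap,
# a ping, and an LDAP query.
PACKETS = [
    {"proto": "tcp", "src": "10.205.0.170", "dst": "10.205.0.1", "sport": 51000, "dport": 80, "app": "http"},
    {"proto": "tcp", "src": "10.205.0.1", "dst": "10.205.0.170", "sport": 80, "dport": 51000, "app": "http"},
    {"proto": "udp", "src": "10.205.0.9", "dst": "10.205.0.2", "sport": 40000, "dport": 162, "app": "snmp"},
    {"proto": "icmp", "src": "10.205.0.9", "dst": "10.205.0.170"},
    {"proto": "tcp", "src": "10.205.0.9", "dst": "10.205.0.5", "sport": 52000, "dport": 389, "app": "ldap"},
]

# Filter field -> packet keys it is compared against. ip.addr and tcp.port
# match either direction; the dstport fields match only the destination.
FIELDS = {
    "ip.addr": ("src", "dst"),
    "tcp.port": ("sport", "dport"),
    "tcp.dstport": ("dport",),
    "udp.dstport": ("dport",),
}

def matches(pkt, expr):
    """Return True if one packet satisfies a single display-filter expression."""
    expr = expr.strip().strip("()")
    m = re.fullmatch(r"\s*([\w.]+)\s*(==|eq)\s*(\S+)\s*", expr)
    if m is None:
        # A bare protocol name (http, ldap, icmp, ...) matches packets carrying it.
        return expr in (pkt.get("proto"), pkt.get("app"))
    field, _, value = m.groups()
    if field not in FIELDS:
        raise ValueError("unsupported field in this toy interpreter: " + field)
    # Port fields imply their transport: tcp.port never matches a UDP or ICMP packet.
    transport = field.split(".")[0]
    if transport in ("tcp", "udp") and pkt["proto"] != transport:
        return False
    if field == "ip.addr":
        return any(pkt[k] == value for k in FIELDS[field])
    return any(pkt.get(k) == int(value) for k in FIELDS[field])

def apply_filter(expr, packets=PACKETS):
    """Return the indices of the packets a display filter would leave on screen."""
    return [i for i, p in enumerate(packets) if matches(p, expr)]
```

Compare apply_filter("tcp.port==80") with apply_filter("tcp.dstport == 80"): the first keeps both halves of the web conversation, the second only the request.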

You can also specify a filter on the command-line to Wireshark. For example to capture only packets between two hosts named nfsserver and myclient you could type:

wireshark -f "host nfsserver and myclient"

The syntax you would use for the -f expression is the same as that used by the tcpdump command.

Where to get more information
