In the third of this four part series, we shall explore Wireshark and its features. It is one of the best softwares used by professionals to capture and interactively browse the traffic running on a computer network. While this part specifically discusses Wireshark, the rest of the series includes the following:
The summary shall discuss specific scenarios and compare each tool based on factors to help you make an informed decision.
Section 1: Introduction
Wireshark is one of the world’s most famous network protocol analyzer. It is free and open source, and is commonly used for network troubleshooting, analysis and software testing. The tool browses and captures all the traffic running on a computer network. It is compatible with most platforms including Windows, OS X, Linux, and UNIX.
Wireshark has a unique filtering mechanism. It two main types of filters:
- Capture filters are specified when packets are being captured and will capture only those packets that are specified for inclusion/exclusion in the given expression
- Display filters are applied to an existing set of captured packets in order to hide unwanted packets or show desired packets based on the specified expression
Section 2: Capture Filters
Capture filters are used during the actual packet-capturing process. The main reason of using capture filters is to only capture traffic relevant to the user. If you know that you do not need to analyze a particular form of traffic, you can simply filter it out with a capture filter and save the processing power that would typically be used in capturing those packets. This is extremely useful when dealing with large amounts of data. The analysis process can be sped up by ensuring that you are looking at only the packet relevant to the issue at hand. Some of the default capture filters have been shown below:
Section 3: Display Filters
Display filters is a useful feature offered by Wireshark. A display filter indicates only packets that match a particular defined expression. You can enter a display filter in the Filter text box above the Packet List pane. Display filters are used more often than capture filters because they allow you to filter packet data without actually omitting the rest of the data in the capture file. You can simply clear the filter expression if you need the rest of the data. To remove the filter, click the Clear button
Section 4: Capture GA data in Wireshark
Step 1: DDownload and install Fiddler as per your system configuration (Windows, Linux)
Step 2: Open the Wireshark tool
Step 3: The tool asks for the path from which the user is connected to the Internet (LAN/Wi-Fi). After selecting the appropriate option, the tool starts capturing data. Now, to analyze the data of a particular website, use the below command in the display filter http.host== “www.xyz.com”
If you know the source or destination IP, then you can use the below commands in the display filter:
ip.src == “
Step 4: As soon as the required display filter is applied, Wireshark shows the relevant requests which the user needs to scan through. A click on a request shows the frame, TCP packets and the HTTP header information. Now click on the HTTP request as our GA relevant information is stored in it.
Step 5: As you scan through the HTTP header and click on cookie information, you can see the UTM parameters which are being passed, the client ID, the UA-ID to which the GA data is being sent and the source, medium and campaign through which the user landed on the site.
Step 6:You can save captured packets simply by using the Save As button from the File menu. You can choose which packets to save and which file format to be used.
Section 5: Coloring Rules
Earlier called color filters, coloring rules is a very useful mechanism available in Wireshark which helps us emphasize the packets we might be interested in. The mechanism works according to the display rule set by the user. There are two types of coloring rules in Wireshark: temporary rules which work only till the program is run, and permanent rules which can be run even after the user returns to the program later.
One can create a new rule by clicking on the + button and delete rules by clicking the – button. The ‘copy’ button will duplicate a rule.
The default colors have been shown in the screenshot below. Green color shows TCP traffic, the light blue color shows UDP traffic, and the black color shows TCP packets with bottlenecks.
Wireshark, is hence a useful tool since it provides an efficient platform to capture packets, to display smart statistics, define filters (capture and display) and analyze problems in our network. However, checking web analytics data in Wireshark is cumbersome.
In case you are looking out for some specific requirements, please refer the links below:
- Getting started guide: https://wiki.wireshark.org/
- Wireshark tools: https://www.wireshark.org/tools/
We shall discuss all the three tools in the summary part of this four part series.
- Soham Shah & Kartikay Sharma (Web Analytics)