
Wireshark

In this example I will install Wireshark on Ubuntu 16.04 LTS (Xenial).
First: open a terminal and run sudo apt-get install wireshark-gtk (this installs Wireshark's GTK graphical interface). Press Enter and type your password; your user must be in the sudoers list to be able to use the sudo command. During installation a dialog asks whether non-superusers should be able to capture packets: answer Yes (you can change this later with sudo dpkg-reconfigure wireshark-common).

Second: launch Wireshark. You can press the Windows (Super) key, search for Wireshark-gtk and double-click it, or open a terminal and type wireshark-gtk. (You can type only wi and press Tab to autocomplete the command; if more than one program or file starts with wi, press Tab twice to list all the items matching that name.)

Third: allow non-superusers to capture data by adding your user to the wireshark group, which the package creates automatically: sudo gpasswd -a allamoox wireshark (assuming my user name is allamoox). Note that the group name is all lowercase. Group membership only takes effect at your next login, so log out and back in before capturing, and check with id -nG that wireshark is listed. On Ubuntu this works because the Yes answer in the installer dialog (or sudo dpkg-reconfigure wireshark-common) grants the capture privileges to dumpcap for members of that group, so you never need to run Wireshark itself as root.

Fourth: determine which interface you will capture on. Run ifconfig (or ip addr) to see which interface you are using for Internet access.

Here it is enp3s0 (a wired connection).


Press Ctrl+I (Capture > Interfaces), tick the enp3s0 interface, then click Start.

Close any other network activity you have running, and run a simple ping command to ashellz.com. As we can see, only packets sent by 192.168.1.15 are shown, because I applied the display filter ip.src == 192.168.1.15 in Wireshark to show only packets whose source IP is my local host. I will right-click the first packet and choose Follow > UDP (User Datagram Protocol) Stream to analyze it. Following a stream replaces the display filter with one for that conversation, so the stream window shows both directions even though the packet list did not.

In the first line, we can see my local host (192.168.1.15) asking the DNS server (192.168.1.6) for the IP address of ashellz.com.
In the second line the DNS server replies to my host with the A record (IPv4 address) of ashellz.com: 192.185.16.67.
Then the host starts to send ICMP (Internet Control Message Protocol) echo requests and receives replies normally.
In the following picture we can see only requests; we cannot see any reply because we applied the filter ip.src == 192.168.1.15.
If we want to see both requests and replies, we should use the filter ip.addr == 192.168.1.15 instead, as it matches every packet that has this IP in either the source or the destination field.

Wireshark offers a large set of tools for working with our captures.

For example, we can open the Protocol Hierarchy window from the Statistics menu to get the protocol hierarchy of the captured packets, as in the following picture.

The analysis is explained below.


100% of my captured packets were IPv4. 7% of my packets were ICMP and 23% were UDP (the DNS request and the DNS reply). The window also shows how many bytes were transferred during this ping command.

P.S.: the display filter ip.src eq 192.168.1.15 is shown at the top of the Protocol Hierarchy window. You can extend it from there: for example, right-click User Datagram Protocol and choose Apply as Filter > ...and Selected, and the new condition is appended next to the ip.src one, as shown below.
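The two points above (why ip.src hides the replies while ip.addr keeps them, and how the Protocol Hierarchy shares and byte counts are computed) can be reproduced without Wireshark. The following Python is an added example written for this page; it is not part of the original tutorial and not Wireshark code. It hand-builds four frames (a DNS query and reply between the host and its resolver, then an ICMP echo request and reply to ashellz.com) using the IP and MAC addresses seen in the capture above, decodes them with a minimal Ethernet/IPv4/UDP/ICMP parser, and evaluates the two display filters plus a protocol hierarchy over them. The UDP port, DNS transaction ID, TTL and payload sizes are constructed values, not taken from the capture.

```python
# Added example, not from the original tutorial or from Wireshark. Four
# hand-built frames (not a real capture) reuse the addresses seen above:
# DNS query/reply host<->resolver, then ICMP echo request/reply host<->target.
# Ports, DNS transaction ID and payload sizes are made up; checksums stay zero.
import socket
import struct

HOST, RESOLVER, TARGET = "192.168.1.15", "192.168.1.6", "192.185.16.67"
HOST_MAC = bytes.fromhex("507b9d8d7806")  # host MAC from the tutorial
GW_MAC = bytes.fromhex("9c9726cb2990")    # router MAC from the tutorial
ETH_LEN = 14  # Ethernet II header: dst MAC, src MAC, EtherType


def ipv4_header(src, dst, proto, payload_len):
    """20-byte IPv4 header: version/IHL 0x45, TTL 64, checksum left zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                       0x4000, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def frame(src_mac, dst_mac, src_ip, dst_ip, proto, l4):
    """Ethernet II frame (EtherType 0x0800 = IPv4) carrying an IPv4 packet."""
    return (dst_mac + src_mac + b"\x08\x00"
            + ipv4_header(src_ip, dst_ip, proto, len(l4)) + l4)


def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def icmp_echo(icmp_type):
    """ICMP echo: type, code, checksum, id, seq, then 56 bytes of ping data."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, 0x1A2B, 1) + bytes(56)


QUESTION = b"\x07ashellz\x03com\x00" + b"\x00\x01\x00\x01"  # ashellz.com A IN
DNS_QUERY = bytes.fromhex("beef01000001000000000000") + QUESTION
DNS_REPLY = (bytes.fromhex("beef81800001000100000000") + QUESTION
             + b"\xc0\x0c\x00\x01\x00\x01" + struct.pack("!IH", 300, 4)
             + socket.inet_aton(TARGET))  # one A answer, TTL 300

CAPTURE = [
    frame(HOST_MAC, GW_MAC, HOST, RESOLVER, 17, udp(40000, 53, DNS_QUERY)),
    frame(GW_MAC, HOST_MAC, RESOLVER, HOST, 17, udp(53, 40000, DNS_REPLY)),
    frame(HOST_MAC, GW_MAC, HOST, TARGET, 1, icmp_echo(8)),  # echo request
    frame(GW_MAC, HOST_MAC, TARGET, HOST, 1, icmp_echo(0)),  # echo reply
]


def decode(raw):
    """Extract the fields Wireshark's display filters refer to (ip.src, ...)."""
    pkt = {"frame.len": len(raw), "protocols": ["eth"]}
    if struct.unpack("!H", raw[12:14])[0] != 0x0800:
        return pkt  # not IPv4: nothing more this toy decoder understands
    ip = raw[ETH_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    pkt["ip.src"], pkt["ip.dst"] = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    pkt["protocols"].append("ip")
    l4 = ip[ihl:]
    if ip[9] == 17:  # UDP
        sport, dport = struct.unpack("!HH", l4[:4])
        pkt["protocols"].append("udp")
        if 53 in (sport, dport):
            dns = l4[8:]
            pkt["protocols"].append("dns")
            pkt["dns.flags.response"] = bool(dns[2] & 0x80)  # QR bit
            # Only handles a single A answer placed at the end of the message.
            if struct.unpack("!H", dns[6:8])[0] == 1 and dns[-6:-4] == b"\x00\x04":
                pkt["dns.a"] = socket.inet_ntoa(dns[-4:])
    elif ip[9] == 1:  # ICMP
        pkt["protocols"].append("icmp")
        pkt["icmp.type"] = l4[0]  # 8 = echo request, 0 = echo reply
    return pkt


def display_filter(packets, field, value):
    """ip.addr == X matches either direction; any other field must equal X."""
    if field == "ip.addr":
        return [p for p in packets if value in (p.get("ip.src"), p.get("ip.dst"))]
    return [p for p in packets if p.get(field) == value]


def protocol_hierarchy(packets):
    """Packet share (%) and bytes per protocol, like Statistics > Protocol Hierarchy."""
    stats = {}
    for p in packets:
        for proto in p["protocols"]:
            n, b = stats.get(proto, (0, 0))
            stats[proto] = (n + 1, b + p["frame.len"])
    return {k: (round(100.0 * n / len(packets), 1), b) for k, (n, b) in stats.items()}


def layer_sizes(raw):
    """How the bytes on the wire split across the encapsulating headers."""
    ihl = (raw[ETH_LEN] & 0x0F) * 4
    l4_hdr = 8  # the UDP header and the ICMP echo header are both 8 bytes
    return {"eth": ETH_LEN, "ip": ihl, "l4": l4_hdr,
            "payload": len(raw) - ETH_LEN - ihl - l4_hdr, "bits": len(raw) * 8}


PACKETS = [decode(f) for f in CAPTURE]

if __name__ == "__main__":
    for flt in ("ip.src", "ip.addr"):
        shown = display_filter(PACKETS, flt, HOST)
        print(f"{flt} == {HOST}: {len(shown)} of {len(PACKETS)} packets shown")
    print(protocol_hierarchy(display_filter(PACKETS, "ip.src", HOST)))
```

Running it shows the asymmetry the screenshots illustrate: ip.src keeps two of the four frames (the DNS query and the echo request), ip.addr keeps all four, and the hierarchy computed over the ip.src view is 100% IPv4 split evenly between UDP/DNS and ICMP. On a real capture file the same two views come from tshark -r capture.pcap -Y 'ip.addr == 192.168.1.15' and tshark -r capture.pcap -q -z io,phs.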

NTI.SE
I will open a terminal and ping nti.se to learn its IP address: 31.216.35.44.

Then, to make it easier, I will apply the filter ip.addr == 31.216.35.44 (which is the same as ip.addr eq 31.216.35.44, and the same as ip.dst == 31.216.35.44 or ip.src == 31.216.35.44), so I see only the traffic exchanged with this website. I will put www.nti.se in my address bar and hit Enter.

We will take the first frame as an example and analyze it.


In this frame 74 bytes (74 * 8 = 592 bits) were transferred from my host to the nti.se web server. How were these bits actually transmitted? According to the Open Systems Interconnection (OSI) model, the data passes through seven layers:
The Application layer: this is the layer where I opened my Internet browser application (Firefox); the protocol used is HTTP (Hypertext Transfer Protocol).
The Physical layer: this is the layer where my data is represented as bits (zeros and ones) moving through the medium (copper or fiber cables, wireless, etc.); note the words 74 bytes on wire in the frame details.

The Data link layer: this is the layer where my host sends the frame from its MAC (Media Access Control) address, 50:7b:9d:8d:78:06, to the router's MAC address, 9c:97:26:cb:29:90.

The Network layer: This is the layer where the IP added to the

The Transport layer
