Sniffing Packets with Wireshark
This guide will lead you through the steps of packet capturing with Wireshark.
You need to know which network interface on your computer carries the traffic you want to capture. If you do not know which one is in use, open a console and enter:
ifconfig
Next, open Wireshark.
sudo wireshark
Make sure you sniff on the active interface.
When you are done sniffing, stop the capture by pressing Ctrl+E.
It is also possible to follow a specific session. If you have recorded a fairly large pcap and want to look at, for example, one particular visit to a website, set the display filter at the top left of Wireshark to
http
and press Enter.
See example:
Find the packet you are looking for by scrolling through the information.
Right-click on that packet and choose
Follow TCP Stream
A window with detailed information about that packet pops up.
Close the window and you will see only the packets belonging to that session. You can save these packets by going to the File menu and choosing
Save As...
then selecting
Displayed
and saving the file.
See example:
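What the three Wireshark steps above do under the hood (the "http" display filter, "Follow TCP Stream" and "Save As... > Displayed") can be reproduced in a few dozen lines of plain Python. The following is an added example for this guide, not code from the original page or from the Wireshark project: it builds a small constructed pcap with two HTTP conversations and one SSH packet, parses the Ethernet/IPv4/TCP headers itself, groups packets into bidirectional streams, reassembles one stream's payload, and writes only that stream's packets back out as a new pcap. All addresses, ports and payloads are constructed sample data; no third-party libraries are needed.

```python
"""Follow a TCP stream and save only the displayed packets, in pure Python.

Added illustration of Wireshark's "http" filter, "Follow TCP Stream" and
"Save As... > Displayed". Constructed sample traffic, not a real capture.
"""
import struct
from collections import defaultdict

LINKTYPE_ETHERNET = 1


def build_pcap(packets):
    """Serialise (timestamp, frame) pairs into a classic little-endian libpcap file."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    recs = [struct.pack("<IIII", ts, 0, len(f), len(f)) + f for ts, f in packets]
    return hdr + b"".join(recs)


def read_pcap(data):
    """Yield (timestamp, frame) records from a classic little-endian pcap."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("only classic little-endian pcap is handled here")
    off = 24  # global header is 24 bytes
    while off + 16 <= len(data):
        ts, _usec, incl, _orig = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts, data[off:off + incl]
        off += incl


def ip_bytes(addr):
    return bytes(int(x) for x in addr.split("."))


def make_frame(src, sport, dst, dport, payload):
    """Build a minimal Ethernet/IPv4/TCP frame (checksums left zero: constructed data)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     ip_bytes(src), ip_bytes(dst)) + tcp
    eth = b"\x02" * 6 + b"\x02" * 6 + b"\x08\x00"  # placeholder MACs, EtherType IPv4
    return eth + ip


def parse_tcp(frame):
    """Return (src_ip, src_port, dst_ip, dst_port, payload), or None if not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6:  # IP protocol number 6 = TCP
        return None
    ip = frame[14:14 + ihl]
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    tcp = frame[14 + ihl:]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    doff = (tcp[12] >> 4) * 4
    return src, sport, dst, dport, tcp[doff:]


def stream_key(src, sport, dst, dport):
    """Direction-independent key so both halves of a conversation land in one stream."""
    return tuple(sorted([(src, sport), (dst, dport)]))


def http_filter(p):
    """Rough equivalent of the 'http' display filter: TCP port 80 on either side."""
    return 80 in (p[1], p[3])


def follow_stream(data, filter_fn):
    """Group the packets selected by filter_fn into TCP streams (like Follow TCP Stream)."""
    streams = defaultdict(list)
    for ts, frame in read_pcap(data):
        p = parse_tcp(frame)
        if p and filter_fn(p):
            streams[stream_key(*p[:4])].append((ts, frame, p[4]))
    return streams


def reassemble(stream):
    """Concatenate payloads in capture order (the text shown in the Follow window).
    Real captures need sequence-number ordering and retransmission handling;
    the constructed sample arrives in order, so capture order is enough here."""
    return b"".join(payload for _ts, _frame, payload in stream)


def save_displayed(data, key):
    """Write only the packets of one stream to a new pcap (Save As... > Displayed)."""
    kept = []
    for ts, frame in read_pcap(data):
        p = parse_tcp(frame)
        if p and stream_key(*p[:4]) == key:
            kept.append((ts, frame))
    return build_pcap(kept)


# Constructed sample capture: one full HTTP exchange, one SSH packet, one more HTTP request.
SAMPLE_PACKETS = [
    (1700000000, make_frame("192.0.2.10", 51000, "198.51.100.20", 80,
                            b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")),
    (1700000000, make_frame("198.51.100.20", 80, "192.0.2.10", 51000,
                            b"HTTP/1.1 200 OK\r\nContent-Length: 6\r\n\r\n<html>")),
    (1700000001, make_frame("192.0.2.10", 51001, "192.0.2.99", 22, b"SSH-2.0-client\r\n")),
    (1700000002, make_frame("192.0.2.10", 51002, "203.0.113.7", 80,
                            b"GET /other HTTP/1.1\r\nHost: other.test\r\n\r\n")),
]
SAMPLE_PCAP = build_pcap(SAMPLE_PACKETS)

if __name__ == "__main__":
    for key, pkts in follow_stream(SAMPLE_PCAP, http_filter).items():
        print(key, len(pkts), "packets")
        print(reassemble(pkts).decode(errors="replace"))
    out = save_displayed(SAMPLE_PCAP, stream_key("192.0.2.10", 51000, "198.51.100.20", 80))
    print("saved", len(list(read_pcap(out))), "displayed packets,", len(out), "bytes")
```

The SSH packet is dropped by the filter, the two HTTP streams are kept separately, and the saved file contains exactly the two packets of the chosen session, which is the same result you get by saving with the Displayed option in Wireshark. Feeding the output of `save_displayed` to Wireshark works because it is a valid classic pcap.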