Table of Contents for
Mastering Wireshark 2


Mastering Wireshark 2 by Andrew Crouthamel, published by Packt Publishing, 2018
  1. Mastering Wireshark 2
  2. Title Page
  3. Copyright and Credits
  4. Mastering Wireshark 2
  5. Packt Upsell
  6. Why subscribe?
  7. PacktPub.com
  8. Contributor
  9. About the author
  10. Packt is searching for authors like you
  11. Table of Contents
  12. Preface
  13. Who this book is for
  14. What this book covers
  15. To get the most out of this book
  16. Download the color images
  17. Conventions used
  18. Get in touch
  19. Reviews
  20. Installing Wireshark 2
  21. Installation and setup
  22. Installing Wireshark on Windows
  23. Installing Wireshark on macOS
  24. Installing Wireshark on Linux
  25. Summary
  26. Getting Started with Wireshark
  27. What's new in Wireshark 2?
  28. Capturing traffic
  29. How to capture traffic
  30. Saving and exporting packets
  31. Annotating and printing packets
  32. Remote capture setup
  33. Prerequisites
  34. Remote capture usage
  35. Summary
  36. Filtering Traffic
  37. Berkeley Packet Filter (BPF) syntax
  38. Capturing filters
  39. Displaying filters
  40. Following streams
  41. Advanced filtering
  42. Summary
  43. Customizing Wireshark
  44. Preferences
  45. Appearance
  46. Layout
  47. Columns
  48. Fonts and colors
  49. Capture
  50. Filter buttons
  51. Name resolution
  52. Protocols
  53. Statistics
  54. Advanced
  55. Profiles
  56. Colorizing traffic
  57. Examples of colorizing traffic
  58. Example 1
  59. Example 2
  60. Summary
  61. Statistics
  62. TCP/IP overview
  63. Time values and summaries
  64. Trace file statistics
  65. Resolved addresses
  66. Protocol hierarchy
  67. Conversations
  68. Endpoints
  69. Packet lengths
  70. I/O graph
  71. Load distribution
  72. DNS statistics
  73. Flow graph
  74. Expert system usage
  75. Summary
  76. Introductory Analysis
  77. DNS analysis
  78. An example for DNS request failure
  79. ARP analysis
  80. An example for ARP request failure
  81. IPv4 and IPv6 analysis
  82. ICMP analysis
  83. Using traceroute
  84. Summary
  85. Network Protocol Analysis
  86. UDP analysis
  87. TCP analysis I
  88. TCP analysis II
  89. Graph I/O rates and TCP trends
  90. Throughput
  91. I/O graph
  92. Summary
  93. Application Protocol Analysis I
  94. DHCP analysis
  95. HTTP analysis I
  96. HTTP analysis II
  97. FTP analysis
  98. Summary
  99. Application Protocol Analysis II
  100. Email analysis
  101. POP and SMTP
  102. 802.11 analysis
  103. VoIP analysis
  104. VoIP playback
  105. Summary
  106. Command-Line Tools
  107. Running Wireshark from a command line
  108. Running tshark
  109. Running tcpdump
  110. Running dumpcap
  111. Summary
  112. A Troubleshooting Scenario
  113. Wireshark plugins
  114. Lua programming
  115. Determining where to capture
  116. Capturing scenario traffic
  117. Diagnosing scenario traffic
  118. Summary
  119. Other Books You May Enjoy
  120. Leave a review - let other readers know what you think

Saving and exporting packets

In this section, we'll take a look at the following subtopics:

  • How to save packet captures
  • How to save selected sections of packets, individual packets, and ranges of packets
  • How to export packets into other formats
  • How to export raw packet data from the capture that you selected

Now that we have Wireshark up and running, let's capture some traffic. We'll select the Local Area Connection and either double-click it, as mentioned earlier, or start the capture from the toolbar at the top, and packets will start coming in. Now, if I want to save this capture (the entire capture—all the packets I just captured), I'll go to File | Save As... and simply choose a filename; we'll call it packets. You'll see that in the Save as type drop-down I chose pcapng.

pcapng is the next generation of the pcap file format. It was introduced with Wireshark 1.8, so it is relatively new and includes some additional features that we'll get into in later sections. The .pcapng extension is now the standard, so if you see a .pcap file with no ng at the end, that's an older capture file, and you can certainly save it as .pcapng going forward since that's now the default. Be aware, though, that if you take a pcapng file and save it as an original pcap file, you'll lose some of the functionality that comes with the ng format. So my recommendation is to stick with the ng format. Almost all plugins and other software that work with pcap files now support the ng format, so you might as well use it going forward.

You'll also notice a lot of different capture extensions listed here: .gz appears alongside pcap, and with pcapng you also have .gz, ntar.gz, and so on. To get those, you have to select the Compress with gzip option. Just like putting files into a ZIP file, Compress with gzip takes your capture file and compresses it to make it smaller. Remember that a packet capture includes all the data that traversed the network card you're capturing on, so if a lot of data is being transferred while you capture, all of it ends up in your capture file. It's a 1:1 ratio of the data that was transferred, so the file can be very large. Gzipping it might make sense, because the file on your hard drive would be much smaller, and if you need to transfer the file across your network, the smaller file saves time there too.
Most of the time it's not used, though: if you filter down to only what you need to see and save just that, capture files are usually very small.

Now, we will Save that capture. And speaking of filtering out just what you want to see and making a capture smaller, let's do exactly that.

So here we have some HTTP traffic. We'll right-click on it and then click Follow | TCP Stream. That gives us a stream that filters out all the other data in our packet capture, leaving seven packets selected. If I want to save just these packets into a new file, I'll go to File | Export Specified Packets.... We'll call this packet small, and you'll see that we have a radio button to choose between Displayed and Captured.

Captured is the entire packet capture, which here comes to almost 2870 packets. Displayed only saves what's currently filtered and shown in my packet list view. So if I have Displayed selected together with All packets, that's going to export all seven of these packets into a new file. Additionally, I could select Selected packet. You'll see that I have packet number 16 currently selected; it's highlighted in a slightly different color. If I choose Selected packet, only that one packet is saved into the new file.

I could also select a Range. Right now the range wouldn't show anything, because we still have our little filter applied, but I can clear that filter, go back to Export Specified Packets..., and save a packet range. We could say packets 5 through 200, so 196 packets will be saved into the packets range file.
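The file-format details behind the Save dialog (pcap versus pcapng magic numbers, the Compress with gzip wrapper) and the Range export just described, as an added Python example that is not from the book or from Wireshark itself. It reads and writes only classic pcap, refuses pcapng, handles gzip-compressed input, and builds its own constructed sample capture so it runs offline.

```python
import gzip
import struct

# Classic pcap magic, read little-endian from the first 4 bytes -> struct byte order.
# 0xA1B23C4D and 0x4D3CB2A1 are the nanosecond-timestamp variants of the format.
PCAP_MAGICS = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">", 0xA1B23C4D: "<", 0x4D3CB2A1: ">"}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"  # block type of the Section Header Block that opens a pcapng
GZIP_MAGIC = b"\x1f\x8b"            # what "Compress with gzip" puts in front of either format

def capture_kind(data):
    """Classify a capture by its leading bytes: gzip, pcapng, pcap or unknown."""
    if data[:2] == GZIP_MAGIC:
        return "gzip"
    if data[:4] == PCAPNG_MAGIC:
        return "pcapng"
    return "pcap" if int.from_bytes(data[:4], "little") in PCAP_MAGICS else "unknown"

def gzip_capture(data):
    """Equivalent of ticking Compress with gzip in the Save dialog."""
    return gzip.compress(data)

def read_pcap(data):
    """Split classic pcap bytes (gzipped or not) into the 24-byte global header and
    a list of (16-byte record header, packet bytes) pairs, one per packet."""
    if data[:2] == GZIP_MAGIC:
        data = gzip.decompress(data)
    if data[:4] == PCAPNG_MAGIC:
        raise ValueError("pcapng input: this helper only understands classic pcap")
    endian = PCAP_MAGICS[int.from_bytes(data[:4], "little")]
    records, off = [], 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        end = off + 16 + incl_len
        if end > len(data):  # file cut off mid-record: refuse rather than emit a bogus packet
            raise ValueError("truncated record at offset %d" % off)
        records.append((data[off:off + 16], data[off + 16:end]))
        off = end
    return data[:24], records

def export_range(data, first, last):
    """Equivalent of Export Specified Packets... | Range for a pcap file: keep packets
    first..last, 1-based and inclusive, exactly as Wireshark numbers them."""
    header, records = read_pcap(data)
    return header + b"".join(h + p for h, p in records[first - 1:last])

def make_sample_pcap(count):
    """Constructed sample input: a little-endian microsecond pcap of `count` 60-byte frames."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    frames = (struct.pack("<IIII", 1500000000 + i, 0, 60, 60) + bytes([i & 0xFF]) * 60 for i in range(count))
    return header + b"".join(frames)
```

Running `export_range(gzip_capture(make_sample_pcap(2870)), 5, 200)` yields a plain pcap holding 196 packets, the same count the Range export above produces.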

Additionally, you can export your packet dissections by going to File | Export Packet Dissections and then choosing the format you'd like.

So we'll choose As Plain Text... and call it packet dissect. We'll export just the Selected packet, and here we have our packet dissect text file. You can see it has the packet number, when the packet came in, the source and destination IP addresses, what the protocol was, any information about the protocols within it, and then the basic information you see in the packet details pane; all of this is now saved in the text file.

If your packet capture happens to have captured any secured traffic such as HTTPS, SSL, or SSH traffic, you can use File | Export SSL Session Keys... and save these SSL keys for future use in some other application, if you wish.

You might have noticed one additional export that's grayed out: Export Packet Bytes....

To make it selectable, you need to select the application data within your packet. Here, we've selected our HTTP packet data. If we go back to File, you'll see that Export Packet Bytes... is now selectable. If I select it, I can export the data from the packet in raw binary form, which is potentially useful if you're working with a hex editor or combining these pieces for use in some other application.

In this section, you learned how to save and export packets: the entire packet capture, subsets of it such as filtered views, individual packets, and ranges, as well as exporting dissections and raw data into other formats such as text files.