Ova

How to Install and Use Wireshark on Kali Linux?

Published in Network Analysis 5 mins read

Installing and using Wireshark on Kali Linux is a straightforward process that empowers you to perform powerful network packet analysis. This guide will walk you through the installation, configuration, and basic usage of Wireshark, an essential tool for cybersecurity professionals and network administrators alike.

What is Wireshark?

Wireshark is the world's foremost and widely used network protocol analyzer. It allows you to see what's happening on your network at a microscopic level, making it an invaluable tool for network troubleshooting, analysis, software and communications protocol development, and education. It captures live packet data from a network interface and presents it in a human-readable format, enabling deep inspection of hundreds of protocols.

Installation Process for Wireshark on Kali Linux

To get Wireshark up and running on your Kali Linux system, follow these steps meticulously:

1. Open the Terminal

First, you need to access the command-line interface. Launch the Terminal application on your Kali Linux system. You can usually find it in the applications menu or by using a keyboard shortcut like Ctrl + Alt + T.

2. Update Package Repositories

Before installing any new software, it's a best practice to update your system's package repositories. This ensures you're installing the latest available versions and dependencies.

sudo apt update && sudo apt upgrade -y
  • sudo apt update: Refreshes the list of available packages from the repositories.
  • sudo apt upgrade -y: Upgrades all installed packages to their latest versions, with -y automatically confirming any prompts.

3. Install Wireshark

With your system updated, you can now install Wireshark.

sudo apt install wireshark -y

During the installation process, you might encounter a prompt asking: "Should non-root users be able to capture packets?"

  • It is highly recommended to select Yes. This allows regular (non-root) users to run Wireshark and capture network traffic, enhancing security by avoiding the need to run the entire application as the superuser (root).

4. Configure Wireshark for Non-Root Users (If Needed)

If you accidentally selected No during the installation prompt or need to reconfigure this setting later, you can do so using the following command:

sudo dpkg-reconfigure wireshark-common

Again, choose Yes when prompted to allow non-root users to capture packets.

5. Add User to 'Wireshark' Group

Even after configuring Wireshark to allow non-root users to capture packets, you still need to add your current user to the wireshark group. This grants the necessary permissions.

Replace your_username with your actual Kali Linux username.

sudo usermod -a -G wireshark your_username

After executing this command, you must either log out and log back in to your Kali Linux session or reboot your system for the changes to take effect. This ensures your user account's group memberships are refreshed.

Launching and Basic Usage of Wireshark

Once installed and configured, you can start using Wireshark to analyze network traffic.

6. Launch Wireshark

You have two primary ways to launch Wireshark:

  • From the Applications Menu: Navigate to the "Sniffing & Spoofing" section within your Kali Linux applications menu, and you'll find Wireshark listed there.

  • From the Terminal: Open your terminal and simply type:

    wireshark &

    The & symbol runs the application in the background, allowing you to continue using the terminal.

Getting Started with Wireshark

Upon launching Wireshark, you'll be presented with an interface showing available network interfaces.

  1. Select an Interface: Choose the network interface you want to monitor. Common choices include eth0 (for wired connections) or wlan0 (for wireless connections). You'll see live traffic graphs next to each interface, indicating activity.

  2. Start Capturing: Double-click on the desired interface or select it and click the "Start capturing packets" icon (usually a shark fin or a blue play button) to begin capturing traffic.

  3. Analyze Packets: As packets are captured, they will populate the main window. You can stop the capture at any time using the red square "Stop" button.

  4. Apply Display Filters: Wireshark's powerful filtering capabilities are crucial for sifting through large amounts of data. Use the display filter bar at the top to narrow down your view.

    Common Display Filters:

    Filter Syntax Description Example Use Case
    ip.addr == 192.168.1.1 Filters packets to or from a specific IP address. Isolating traffic related to a single host.
    tcp.port == 80 Shows only HTTP (web) traffic. Analyzing web server communication.
    udp.port == 53 Displays DNS (Domain Name System) queries/responses. Troubleshooting name resolution issues.
    http Filters for all HTTP protocol traffic. Examining web application behavior.
    ftp Filters for FTP control and data traffic. Monitoring file transfers.
    not arp Excludes ARP (Address Resolution Protocol) traffic. Focusing on higher-layer protocols.
    (ip.src == 10.0.0.1) && (tcp.dstport == 443) Combination filter for specific source and destination port. Analyzing outbound HTTPS connections from a specific client.

  5. Packet Details: Clicking on a packet in the packet list pane will reveal its detailed breakdown in the packet details pane below, showing layers such as Frame, Ethernet, IP, TCP/UDP, and application-layer protocols.

  6. Saving Captures: You can save captured traffic in the .pcapng or .pcap format for later analysis by going to File > Save As....

Practical Insights and Tips

  • Practice with Filters: Mastering Wireshark's display and capture filters is key to effective analysis. Refer to the official Wireshark documentation for a comprehensive list of filter options.
  • Use Capture Filters Wisely: For very busy networks, using capture filters (applied before the packets are even written to disk) can prevent your capture file from growing too large and improve performance. These are different from display filters.
  • Security Analysis: Wireshark is indispensable for identifying suspicious network activity, unencrypted credentials, malware communication, and anomalous traffic patterns during penetration tests or incident response.
  • Network Troubleshooting: Pinpoint slow network performance, dropped packets, or misconfigured services by examining the actual data flowing across the wire.
  • Decryption: Wireshark can decrypt SSL/TLS traffic if you have access to the session keys (e.g., from browser logs or server configurations), allowing you to inspect encrypted communications.

By following these steps, you can effectively install, configure, and begin utilizing Wireshark on Kali Linux for all your network analysis needs.

← Previous Article
How Do I Join a Wi-Fi Network Using WPS?
Next Article →
How Do I Activate My Vodafone Modem?