OwlArch

Software

Wireshark

Network Protocol Analyzer

Introduction

Wireshark is a powerful open-source tool for capturing and analyzing network traffic in real time. It is widely used by network administrators, developers, and security analysts to troubleshoot networks, debug protocols, and investigate security incidents.

Features

Real-Time Packet Capture: Analyze live network traffic across multiple interfaces.
Protocol Decoding: Supports over 3,000 protocols (HTTP, DNS, TLS, etc.).
Graphical Interface (Qt): Visualize traffic with color-coded packet details.
Command-Line Tools: Use tshark for headless analysis.
Filters: Apply display and capture filters to isolate specific traffic.
Export Data: Save captures in PCAP, CSV, or JSON formats.

Installation

Available Packages

wireshark-cli: Command-line tools (tshark, dumpcap).
wireshark-qt: Full GUI version with Qt interface.

Install both packages:

sudo pacman -S wireshark-cli wireshark-qt

Configure Permissions

To capture packets without root privileges:

Add your user to the wireshark group:
```
sudo usermod -aG wireshark $USER  
```

Grant capabilities to dumpcap:

sudo setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/bin/dumpcap

Log out and log back in for changes to take effect.

Usage

Launch the GUI

wireshark

Capture Traffic via CLI (`tshark`)

tshark -i eth0

Common Commands

Example Workflow

Capture HTTPS traffic:

tshark -i eth0 -Y "tls" -w https_traffic.pcap  

Analyze DNS queries in the GUI:
Open https_traffic.pcap in Wireshark and apply the filter dns.

Official Documentation & More Info

Contributing

Contribute code or report bugs via GitHub.
Follow the developer guide.

Support

Ask questions on the Wireshark Q&A Forum.
Join the Wireshark Discord.

License

Wireshark is released under the GPL-2.0 License.

🔙 Volatility 🔜 Zeek