In this section we will learn how to set up Wireshark on Mac OS X and on Windows.
Setting up WireShark on Mac OS X:
- First download the DMG from here and unpack it.
- Move Wireshark.app to /Applications/ and move all executables in the Utilities/ directory of the DMG to /usr/local/bin/. You may be prompted for an admin username and password if you are running as a non-administrator.
- To run Wireshark, everything in /dev/bpf* has to be made readable and writable, which needs admin rights because these permissions are not set up by default.
- Copy the entire ChmodBPF folder to /Library/StartupItems. Mac OS may ask whether you want to fix the startup item; reboot the system and then start Wireshark.
You may encounter the following error:
The following errors were found while loading the MIBS:
-:0 1 module-not-found failed to locate MIB module `IP-MIB'
This error occurs because Wireshark looks for the MIB modules and cannot find them. To fix it, open Preferences in Wireshark via "Edit" -> "Preferences", click the "Name Resolution" tab, click "Edit", click "New" and add /usr/share/snmp/mibs/ there, click "OK", close Preferences and restart Wireshark.
Once the error is gone you should see the network interfaces in the "Interface List". If no interfaces are listed you are probably running as a non-admin user. To use Wireshark as a non-admin user in future without any issues, one more change is needed so that the user can access /dev/bpf*: to allow the user to sniff packets, add a chown line to the ChmodBPF script.
Open the ChmodBPF script at /Library/StartupItems/ChmodBPF/ChmodBPF in a text editor and add the chown line so that it looks like this:
chgrp admin /dev/bpf*
chmod g+rw /dev/bpf*
chown abc:admin /dev/bpf*
Replace abc with the name of the user who should run Wireshark. Save the file and run Wireshark.
If you are doing a fresh installation of Wireshark on Snow Leopard (Mac OS X 10.6) you will have to change the ownership of the ChmodBPF files. Open a terminal and enter the following command:
sudo chown -R root:wheel ChmodBPF
Once you have completed all of the above steps you should be able to capture network traces without any issues.
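As an added example (not part of the original page), the following POSIX shell script audits the result of the ChmodBPF change from a defender's point of view: the chown line above gives one user raw capture on every interface, so the devices must stay readable and writable only by that user and the admin group, never by everyone. The listing is constructed sample output in the `ls -l /dev/bpf*` format, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Audit /dev/bpf* permissions after running the ChmodBPF startup item.
# Added example; function names are assumptions, not part of Wireshark.

# bpf_verdict MODE GROUP
# MODE is the ten-character mode string from `ls -l` (e.g. crw-rw----).
# Prints OK, WORLD (others can read/write), GROUP (group is not admin)
# or NOGRW (admin group lacks read+write). Always returns 0.
bpf_verdict() {
    mode=$1; group=$2
    # Characters 8-10 are the "other" bits: any r or w lets every local
    # account open the capture device and sniff all traffic.
    case $(printf '%s' "$mode" | cut -c8-10) in
        *r*|*w*) echo WORLD; return 0 ;;
    esac
    # The ChmodBPF script sets the group to admin; anything else is drift.
    [ "$group" = admin ] || { echo GROUP; return 0; }
    # Characters 5-7 are the group bits: chmod g+rw must have taken effect.
    case $(printf '%s' "$mode" | cut -c5-7) in
        rw*) echo OK ;;
        *)   echo NOGRW ;;
    esac
}

# audit_bpf_listing: reads `ls -l /dev/bpf*` lines on stdin, prints one
# verdict line per device, then prints the number of non-OK devices last.
audit_bpf_listing() {
    bad=0
    while read -r mode _links owner group rest; do
        [ -n "$mode" ] || continue
        dev=${rest##* }          # device path is the last field
        verdict=$(bpf_verdict "$mode" "$group")
        [ "$verdict" = OK ] || bad=$((bad + 1))
        echo "$verdict $dev $mode $owner:$group"
    done
    echo "$bad"
}

# Constructed sample listing: bpf1 is world-accessible, bpf2 has the wrong
# group, bpf3 shows the chown abc:admin result from the page.
SAMPLE_LISTING='crw-rw----  1 root  admin   23,   0 Jan  1 00:00 /dev/bpf0
crw-rw-rw-  1 root  admin   23,   1 Jan  1 00:00 /dev/bpf1
crw-r-----  1 root  wheel   23,   2 Jan  1 00:00 /dev/bpf2
crw-rw----  1 abc   admin   23,   3 Jan  1 00:00 /dev/bpf3'

printf '%s\n' "$SAMPLE_LISTING" | audit_bpf_listing
```

On a real Mac, run `ls -l /dev/bpf* | audit_bpf_listing` after the reboot; a last line other than 0 means the startup item did not apply cleanly or the devices were loosened further than the page intends.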
Setting up WireShark on Windows network:
Download the Wireshark installer and execute it. The installer offers some optional components; keep the defaults if you are unsure about these settings:
- Wireshark GTK - a GUI network protocol analyzer.
- TShark - a command-line network protocol analyzer.
Plugins / Extensions:
- Dissector Plugins - plugins with some extended dissections.
- Tree Statistics Plugins - plugins with some extended statistics.
- Mate - Meta Analysis and Tracing Engine (experimental) - user-configurable extension(s) of the display filter engine.
- SNMP MIBs - for more detailed SNMP dissection.
- Editcap - reads a capture file and writes some of its packets into another capture file.
- Text2Pcap - reads an ASCII hex dump and writes the data into a libpcap-style capture file.
- Mergecap - combines multiple saved capture files into one output file.
- Capinfos - provides information on capture files.
- Rawshark - a raw packet filter.
- User's Guide - a local installation of the User's Guide; help pages are only shown locally if the User's Guide is installed locally.
- Start Menu Shortcuts - adds some start menu shortcuts.
- Desktop Icon - adds a Wireshark icon to the desktop.
- Quick Launch Icon - adds a Wireshark icon to the Explorer quick launch toolbar.
- Associate file extensions to Wireshark - associates standard network trace files with Wireshark.
The Wireshark installer normally bundles the latest released WinPcap installer; without WinPcap you will not be able to capture live network traffic and will only be able to open saved capture files. Starting the installer without command-line parameters shows the usual interactive installer. The following command-line parameters are available:
- /NCRC - disables the CRC check.
- /S - runs the installer or uninstaller silently with default values.
- /desktopicon - controls installation of the desktop icon: "yes" forces installation, "no" skips it; otherwise the defaults / user settings are used, which is what a silent install relies on.
- /quicklaunchicon - controls installation of the quick launch icon: "yes" forces installation, "no" skips it; otherwise the defaults / user settings are used.
- /D - sets the default installation directory ($INSTDIR), overriding InstallDir and InstallDirRegKey. Even if the path contains spaces, this parameter must not contain any quotes, and it must be the last parameter on the command line.