Skip to main content
Engineering LibreTexts

10-F.11.4: Network Troubleshooting Commands - wireshark

  • Page ID
    40978
  • \( \newcommand{\vecs}[1]{\overset { \scriptstyle \rightharpoonup} {\mathbf{#1}} } \) \( \newcommand{\vecd}[1]{\overset{-\!-\!\rightharpoonup}{\vphantom{a}\smash {#1}}} \)\(\newcommand{\id}{\mathrm{id}}\) \( \newcommand{\Span}{\mathrm{span}}\) \( \newcommand{\kernel}{\mathrm{null}\,}\) \( \newcommand{\range}{\mathrm{range}\,}\) \( \newcommand{\RealPart}{\mathrm{Re}}\) \( \newcommand{\ImaginaryPart}{\mathrm{Im}}\) \( \newcommand{\Argument}{\mathrm{Arg}}\) \( \newcommand{\norm}[1]{\| #1 \|}\) \( \newcommand{\inner}[2]{\langle #1, #2 \rangle}\) \( \newcommand{\Span}{\mathrm{span}}\) \(\newcommand{\id}{\mathrm{id}}\) \( \newcommand{\Span}{\mathrm{span}}\) \( \newcommand{\kernel}{\mathrm{null}\,}\) \( \newcommand{\range}{\mathrm{range}\,}\) \( \newcommand{\RealPart}{\mathrm{Re}}\) \( \newcommand{\ImaginaryPart}{\mathrm{Im}}\) \( \newcommand{\Argument}{\mathrm{Arg}}\) \( \newcommand{\norm}[1]{\| #1 \|}\) \( \newcommand{\inner}[2]{\langle #1, #2 \rangle}\) \( \newcommand{\Span}{\mathrm{span}}\)\(\newcommand{\AA}{\unicode[.8,0]{x212B}}\)

    Wireshark

    Wireshark is a free and open-source packet analyzer used for network troubleshooting, analysis, software and communications protocol development, and education. It is very similar to tcpdump, but has a graphical front-end, plus some integrated sorting and filtering options.

    Wireshark lets the user put network interface controllers into promiscuous mode (if supported by the network interface controller), so they can see all the traffic visible on that interface, including unicast traffic not sent to that network interface controller's MAC address. However, when capturing with a packet analyzer in promiscuous mode on a port on a network switch, not all traffic through the switch is necessarily sent to the port where the capture is done, so capturing in promiscuous mode is not necessarily sufficient to see all network traffic. Port mirroring or various network taps extend capture to any point on the network. Simple passive taps are extremely resistant to tampering

    Since Wireshark is a data capturing program that "understands" the structure (encapsulation) of different networking protocols, it can parse and display the fields along with their meanings as specified by different networking protocols. Wireshark uses pcap to capture packets, so it can only capture packets on the types of networks that pcap supports.

    • Data can be captured "from the wire" from a live network connection or read from a file of already-captured packets.
    • Live data can be read from different types of networks, including Ethernet, IEEE 802.11, PPP, and loopback.
    • Captured network data can be browsed via a GUI, or via the terminal (command line) version of the utility, TShark.
    • Captured files can be programmatically edited or converted via command-line switches to the "editcap" program.
    • Data display can be refined using a display filter.

    The tcpdump Command

    The tcpdump command line is a utility that allows you to capture and analyze network traffic going through your system. It is often used to help troubleshoot network issues, as well as a security tool.

    A powerful and versatile tool that includes many options and filters, tcpdump can be used in a variety of cases. Since it's a command line tool, it is ideal to run in remote servers or devices for which a GUI is not available, to collect data that can be analyzed later. It can also be launched in the background or as a scheduled job using tools like cron.

    Syntax:

    tcpdump [ OPTIONS ] 

    There are numerous options, and a full listing can be found on the tcpdump man page. A few are listed below.

    Command Options:

    Options Meaning
    -c count Exit after receiving the specified number of packets.
    -i interface Listen on the specified interface. If unspecified, tcpdump searches the system interface list for the lowest numbered, configured up interface (excluding loopback).
    -n Don't convert host addresses to names. This can be used to avoid DNS lookups.
    -v When parsing and printing, produce (slightly more) verbose output.

    Here is some typical output:

    pbmac@pbmac-server $ sudo tcpdump -i any -c 5
    [sudo] password for pbmac: 
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
    14:26:13.216611 IP 192.168.1.8 > 224.0.0.251: igmp v2 report 224.0.0.251
    14:26:13.225365 IP pbmac-server.local.34227 > dns.google.domain: 41755+ PTR? 251.0.0.224.in-addr.arpa. (42)
    14:26:13.250131 IP dns.google.domain > pbmac-server.local.34227: 41755 NXDomain 0/1/0 (99)
    14:26:13.361473 IP6 PbmacUbuntu.mdns > ff02::fb.mdns: 0 PTR (QM)? 251.0.0.224.in-addr.arpa. (42)
    14:26:13.361526 IP pbmac-server.local.mdns > 224.0.0.251.mdns: 0 PTR (QM)? 251.0.0.224.in-addr.arpa. (42)
    5 packets captured
    412 packets received by filter
    402 packets dropped by kernel
    

    The netcat Command

    netcat (often abbreviated to nc) is a computer networking utility for reading from and writing to network connections using TCP or UDP. The command is designed to be a dependable back-end that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and investigation tool, since it can produce almost any kind of connection its user could need and has a number of built-in capabilities.

    Syntax:

    netcat [ OPTIONS ]

    Command Options:

    Options Meaning
    -e filename specify filename to exec after connect (use with caution). See the -c option for enhanced functionality.
    -g gateway source-routing hop point[s], up to 8
    -G num source-routing pointer: 4, 8, 12, ...
    -h display help
    -i secs delay interval for lines sent, ports scanned
    -l listen mode, for inbound connects
    -n numeric-only IP addresses, no DNS
    -o file hex dump of traffic
    -p port local port number (port numbers can be individual or ranges: lo-hi [inclusive])
    -q seconds after EOF on stdin, wait the specified number of seconds and then quit. If seconds is negative, wait forever.
    -b allow UDP broadcasts
    -r randomize local and remote ports
    -s addr local source address

    Some of netcat's features include:

    • Outbound or inbound connections, TCP or UDP, to or from any ports
    • Full DNS forward/reverse checking, with appropriate warnings
    • Ability to use any local source port
    • Ability to use any locally configured network source address
    • Built-in port-scanning capabilities, with randomization
    • Built-in loose source-routing capability
    • Can read command line arguments from standard input
    • Slow-send mode, one line every N seconds
    • Hex dump of transmitted and received data
    • Optional ability to let another program service establish connections
    • Optional telnet-options responder

    Some examples:

    Opening a raw connection to port 25
    pbmac@pbmac-server $ nc mail.server.net 25
    
    Performing an HTTP request
    pbmac@pbmac-server $ printf "GET /index.html HTTP/1.0\r\nHost: info.cern.ch\r\n\r\n" | nc info.cern.ch 80
    The full response (including HTTP headers) will be dumped to standard output.
    
    To transfer files between servers:
    Destination server - starts the nc process listening to port 7999 and accept the input into a file named testinput.txt
    pbmac@pbmac-server $ nc -l -p 7999 > testInput.txt
    Then of the source server - netcat sends the fileoutputTest.txt to the specified IP address (or hostname)
    pbmac@pbmac-server $ nc 192.168.1.99 7555 < outputTest.txt
    
    To use netcat to scan all ports up to 750 by issuing this command:
    pbmac@pbmac-server $ netcat -z -v domain.com 1-750
    Along with the -z option, the -v option to tell netcat to provide more verbose information.
    

    Adapted from:
    "Wireshark" by Multiple ContributorsWikipedia is licensed under CC BY-SA 3.0
    "An introduction to using tcpdump at the Linux command line" by Ricardo Gerardi, OpenSource.com is licensed under CC BY-SA 4.0
    "netcat" by Multiple ContributorsWikipedia is licensed under CC BY-SA 3.0


    10-F.11.4: Network Troubleshooting Commands - wireshark is shared under a CC BY-SA 4.0 license and was authored, remixed, and/or curated by LibreTexts.