Install Wireshark in Ubuntu & Use It to Analyze Network Packets
Wireshark is a free and open-source network protocol analyzer available on all major desktop operating systems, including Windows, Linux, macOS and the BSDs. In this article, you will learn how to install Wireshark on Ubuntu and Ubuntu-based distributions and how to use it to analyze network packets. For a Linux administrator who cares about security, capturing and reading traffic is a core skill: it is how you troubleshoot a network, investigate suspicious connections, and debug the protocols your own software speaks, in real time.
If you need a packet analyzer that shows every detail of the traffic on a host, Wireshark is the tool to have. Running Wireshark on Ubuntu lets you look into the packets entering and leaving a specific network interface, whether to check for security threats or to monitor a workplace network.
Capturing live packets lets you analyze the network as events happen and act quickly on an attack or other malicious activity. If you cannot analyze right away, you can save the capture to a file for offline examination, and the display filter feature lets you look only at the traffic you are actually interested in.
This guide walks through every step needed to install Wireshark on Ubuntu 20.04 and 22.04. At the end you will have the most widely used network protocol analyzer ready to troubleshoot network problems, investigate security issues, debug protocol implementations, and learn how network protocols behave.
Prerequisites to Install Wireshark in Ubuntu Linux
To follow this tutorial you need:
- A server or workstation running Ubuntu 20.04 or 22.04 (a VPS works).
- A non-root user with
Install and Configure Wireshark Network Packet Analyzer on Ubuntu
A system administrator should know what traffic moves on their systems and should spot network faults and latency problems before users report them. Network engineers and security analysts rely on Wireshark for the same reasons.
Let's get started: install, configure, and use Wireshark, the most widely used network analyzer, with dissectors for over 2,000 network protocols.
Step 1. Update System & Install Wireshark
Wireshark is packaged in Ubuntu's universe repository, which is enabled by default, so a plain sudo apt update followed by sudo apt install wireshark gives you the version Ubuntu ships for your release. That version is frozen at release time and can lag behind upstream by several versions, so the Wireshark developers also maintain a PPA with the latest stable release. To install from the PPA, run the following commands:
sudo add-apt-repository ppa:wireshark-dev/stable
sudo apt update
sudo apt install wireshark
The first command adds the official PPA maintained by the Wireshark developers, the second refreshes the package index and the third installs the latest stable Wireshark from it. A PPA is an additional package source that your system will trust for updates from then on, so add it only if you need a newer release than the Ubuntu archive provides.
Step 2. Configure Wireshark on Ubuntu
When apt asks for confirmation, press Y and Enter, and the installation starts. Part way through, a dialog asks whether non-superusers should be able to capture packets. Answer Yes. This does not let every account sniff the network: it gives the capture helper dumpcap the CAP_NET_RAW and CAP_NET_ADMIN capabilities and restricts the binary to the wireshark group, so only members of that group can capture, while the Wireshark GUI itself, including the protocol dissectors that parse untrusted data from the wire, runs as an ordinary user. That is the setup the Wireshark project recommends, and it is safer than the alternative of running the whole program as root.
If you answered No, rerun the configuration as root:
sudo dpkg-reconfigure wireshark-common
and select Yes with the Tab key, then press Enter.
You can also check if Wireshark is installed by using the command below:
$ wireshark --version
Capture permission is tied to the wireshark group, so add the user who will run Wireshark to that group with usermod:
sudo usermod -aG wireshark $(whoami)
The same debconf answer also sets the ownership, mode and capabilities of dumpcap. To apply or check them by hand, the settings are:
sudo chgrp wireshark /usr/bin/dumpcap
sudo chmod 750 /usr/bin/dumpcap
sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap
chgrp and chmod 750 make dumpcap usable only by root and the wireshark group; setcap grants just the two capabilities raw packet capture needs instead of full root, which is why dumpcap must never be made setuid root instead.
Group membership only takes effect in a new login session. Either log out and back in, or open a fresh session for the account with su:
su <account_name>
Replace <account_name> with your own user name.
Alternatively, reboot so that every session picks up the new group:
$ sudo reboot
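The configuration above comes down to one least-privilege rule: capturing runs inside dumpcap with two capabilities, restricted to one group, never as root. The following script, added here as an example and not part of the article or of Wireshark, checks that rule on a live system. It assumes the Debian/Ubuntu defaults (dumpcap at /usr/bin/dumpcap, group wireshark) and that getcap from the libcap2-bin package is installed; the function and variable names are the example's own.

```python
"""Audit the capture-privilege setup from Step 2 (added example, not part of
the article or of Wireshark). Assumes Debian/Ubuntu defaults: dumpcap at
/usr/bin/dumpcap, group 'wireshark', getcap from libcap2-bin."""
import grp
import os
import pwd
import re
import shutil
import stat
import subprocess

DUMPCAP = "/usr/bin/dumpcap"
CAPTURE_GROUP = "wireshark"
REQUIRED_CAPS = {"cap_net_admin", "cap_net_raw"}
# Matches "cap_a,cap_b+eip" (libcap <= 2.40) and "cap_a,cap_b=eip" (libcap >= 2.41).
_CLAUSE = re.compile(r"([a-z0-9_,]+)[+=]([eip]+)")

def parse_getcap(line):
    """Return {capability: set(flag letters)} from one line of getcap output."""
    caps = {}
    _, _, rest = line.strip().partition(" ")          # drop the path
    for names, flags in _CLAUSE.findall(rest):
        for name in names.split(","):
            caps.setdefault(name, set()).update(flags)
    return caps

def evaluate(mode, group, caps, members, user):
    """Pure check: return a list of findings (empty means the setup is correct).
    mode: st_mode of dumpcap; group: its owning group; caps: parse_getcap() result;
    members: users in CAPTURE_GROUP; user: who will run Wireshark."""
    findings = []
    if mode & stat.S_ISUID:
        findings.append("dumpcap is setuid root: the capture code would run as root")
    if mode & 0o007:
        findings.append("dumpcap is world-accessible (mode %o), expected 750" % (mode & 0o777))
    if not mode & stat.S_IXGRP:
        findings.append("dumpcap is not group-executable, so group members cannot capture")
    if group != CAPTURE_GROUP:
        findings.append("dumpcap belongs to group %r, expected %r" % (group, CAPTURE_GROUP))
    for cap in sorted(REQUIRED_CAPS):
        flags = caps.get(cap, set())
        if not {"e", "p"} <= flags:
            findings.append("%s is missing or not effective+permitted (flags: %s)"
                            % (cap, "".join(sorted(flags)) or "none"))
    if user not in members:
        findings.append("user %r is not in group %r (log in again after usermod -aG)"
                        % (user, CAPTURE_GROUP))
    return findings

def group_members(group_name):
    """Users listed in the group plus users whose primary group it is."""
    try:
        g = grp.getgrnam(group_name)
    except KeyError:
        return set()
    return set(g.gr_mem) | {p.pw_name for p in pwd.getpwall() if p.pw_gid == g.gr_gid}

def audit(path=DUMPCAP, user=None):
    """Gather the live values from this host and evaluate them."""
    st = os.stat(path)
    getcap = shutil.which("getcap")
    if getcap is None:
        raise RuntimeError("getcap not found: sudo apt install libcap2-bin")
    out = subprocess.run([getcap, path], capture_output=True, text=True, check=True).stdout
    user = user or pwd.getpwuid(os.getuid()).pw_name
    return evaluate(st.st_mode, grp.getgrgid(st.st_gid).gr_name, parse_getcap(out),
                    group_members(CAPTURE_GROUP), user)

if __name__ == "__main__":
    if not os.path.exists(DUMPCAP):
        print("dumpcap is not installed at", DUMPCAP)
    else:
        problems = audit()
        print("\n".join(problems) if problems else
              "OK: capture is confined to dumpcap with CAP_NET_RAW/CAP_NET_ADMIN and the wireshark group")
```

The group check reads /etc/group and /etc/passwd, so it reports that a user is a member as soon as usermod has run; the running shell only gains the group after a new login, which is why the article tells you to log in again or reboot.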
How to Launch Wireshark in Ubuntu
With the steps above done, Wireshark is installed. You can start it from the command line or from the application launcher. From a terminal, run it as your normal user, the one you added to the wireshark group:
$ wireshark
From the desktop, press the Super key, type Wireshark in the search bar and click the Wireshark icon when it appears, or go to:
Activities > Show Applications > Wireshark.
Do not run Wireshark with sudo. Capturing is done by dumpcap, which already holds the capabilities it needs, and running the whole GUI as root means the protocol dissectors, which parse untrusted data straight off the wire, run as root too. If Wireshark lists no interfaces to capture on, the current session does not yet have the wireshark group (see Step 2). When Wireshark opens, the default view looks like this:
How to Use Wireshark on Ubuntu
Wireshark is a robust tool with a lot of capability. It ships with a command-line counterpart, tshark, which captures and dissects the same way but in a terminal instead of a graphical interface, and both use the libpcap library, through dumpcap, to capture packets.
In this part, you will learn how to use some of the most important features of Wireshark and customize it for better usage.
Capture Packets Using Wireshark on Ubuntu
Once Wireshark is installed, the first thing you will do with it is capture packets. When Wireshark starts, it lists the interfaces it can capture on: wired and wireless interfaces, virtual interfaces, USB devices and more.
Follow these steps to capture packets:
- Choose the interface you want to capture on from the list of network interfaces in the Wireshark window.
- Click the start button in the toolbar at the top, as seen in the screenshot below, to begin capturing on the chosen interface.
If there is no traffic at the moment, generate some by opening a website or accessing a network share; the captured packets then appear on screen in real time.
- Packets can be captured on several interfaces at once: hold Ctrl while clicking each interface you want, then click the "Start capturing packets" icon, as shown in the figure below.
- Click the stop button, as indicated in the screenshot below, to end the capture.
- Wireshark's window is divided into three panes, as seen in the screenshot above:
- The top pane lists every packet Wireshark captured.
- The middle pane shows the decoded protocol headers of the selected packet, layer by layer.
- The bottom pane shows the raw bytes of the selected packet.
Display Filter Using Wireshark on Ubuntu
As mentioned earlier, the display filter is the Wireshark feature that saves the most time and makes analysis more precise. Wireshark has a strong filtering engine built in; by removing distractions and concentrating on particular traffic, display filters help you solve problems faster. For instance, the http filter shows only HTTP traffic. As the screenshots above show, even a single network action produces many packets, and a typical network exchanges thousands of packets back and forth. Searching through hundreds of captured packets for one specific packet is hard, and that is where display filtering comes in.
You can limit the packets Wireshark displays to those matching your criteria, which simplifies the results and helps you find what you are looking for. You can filter by protocol, by source and destination IP address, by port number, and by almost any other dissected field. A display filter only hides packets; everything captured stays in the capture, so you can change the filter as often as you like.
You can utilize a number of pre-defined filters in Wireshark. Wireshark offers name suggestions to assist with auto-completion as you type the filter name. Enter the name of the protocol in the “Apply a display filter” section beneath the toolbar to limit the number of packets that display to those that contain it.
As seen in the example below, you can filter packets by simply typing the filter expression into the textbox.
Display filters can also be built graphically. Click the Expression... button, as seen in the screenshot below.
A new window opens, as shown in the screenshot below, in which you can construct a filter expression for a highly targeted packet search.
The Field Name section lists nearly every protocol Wireshark dissects; it is a long list. Type the protocol you are looking for in the Search box and the Field Name section narrows to the entries that match.
For example, type tcp and only the TCP packets from the capture remain visible.
We tried to present an introduction to the best features of Wireshark. You must go over and play with each feature of Wireshark in order to gain a firm understanding of it.
Save Captured Packet data to File
If you are working on a complicated analysis, it is useful to save the packet data for later examination, to share it with others or to come back to the issue another time. Save the capture with File > Save As.
Treat the saved file as sensitive. A capture can contain cleartext credentials, session cookies, hostnames and other data belonging to every host on the segment, so store it with appropriate permissions and think before sharing it.
The saved capture can be opened and examined at any time with Ctrl+O or File > Open; choose the file and press the Open button.
The packets are then loaded from the file exactly as they were captured, and every display filter works on them as it does on live traffic.
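To see what a display filter actually does to a saved capture, here is a small Python program, added as an example for this article and not code from the Wireshark project, that writes and reads the classic pcap format Wireshark saves, dissects Ethernet/IPv4/TCP/UDP headers into Wireshark's field names, and evaluates a subset of the display-filter language (protocol names, field == value, &&, !). It goes a step beyond the text in also rejecting truncated or non-pcap input, which is the check you want before feeding a capture someone sent you into any parser. The three frames in SAMPLE_PCAP are constructed test data, all function names are the example's own, and the HTTP match is a port-plus-request-line heuristic, a simplification of Wireshark's dissector.

```python
"""Classic-pcap reader/writer plus a subset of Wireshark's display filters.
Added example for this article, not code from the Wireshark project; the
frames in SAMPLE_PCAP are constructed test data, not a real capture."""
import ipaddress
import struct

PCAP_MAGIC = 0xA1B2C3D4       # classic pcap, microsecond timestamps (not pcapng)
LINKTYPE_ETHERNET = 1
HTTP_TOKENS = {b"GET", b"POST", b"PUT", b"HEAD", b"DELETE", b"HTTP/1.1", b"HTTP/1.0"}

def build_frame(proto, src, dst, sport, dport, payload=b""):
    """Construct an Ethernet/IPv4/{tcp,udp} frame (IP checksum left zero)."""
    if proto == "tcp":   # 20-byte header: data offset 5, flags PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    else:                # 8-byte UDP header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0x4000, 64,
                     6 if proto == "tcp" else 17, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return bytes.fromhex("001122334455 66778899aabb 0800") + ip + l4

def write_pcap(frames, ts_start=1700000000):
    """Serialise frames in the format Wireshark's File > Save As writes."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", ts_start + i, 0, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Yield (timestamp, frame); reject non-pcap, non-Ethernet and truncated input."""
    magic = struct.unpack_from("<I", data)[0] if len(data) >= 24 else None
    endian = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng needs a different parser)")
    if struct.unpack_from(endian + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type")
    off = 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) != incl_len:          # incl_len from the file is untrusted
            raise ValueError("truncated packet at offset %d" % off)
        off += 16 + incl_len
        yield ts_sec + ts_usec / 1e6, frame

def dissect(frame):
    """Map a frame to Wireshark-style field names; stop at the first layer that does not parse."""
    f = {"frame.len": len(frame)}
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return f
    ip, ihl = frame[14:], (frame[14] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl:           # bogus IHL must not drive later offsets
        return f
    f["ip.src"], f["ip.dst"] = (str(ipaddress.IPv4Address(ip[o:o + 4])) for o in (12, 16))
    f["ip"], f["ip.addr"] = True, {f["ip.src"], f["ip.dst"]}
    l4 = ip[ihl:]
    if ip[9] == 6 and len(l4) >= 20:
        doff = (l4[12] >> 4) * 4
        if 20 <= doff <= len(l4):
            sport, dport = struct.unpack("!HH", l4[:4])
            f.update({"tcp": True, "tcp.srcport": sport, "tcp.dstport": dport,
                      "tcp.port": {sport, dport}, "tcp.payload": l4[doff:]})
            if 80 in (sport, dport) and l4[doff:].split(b" ", 1)[0] in HTTP_TOKENS:
                f["http"] = True            # port plus request-line heuristic
    elif ip[9] == 17 and len(l4) >= 8:
        sport, dport = struct.unpack("!HH", l4[:4])
        f.update({"udp": True, "udp.srcport": sport, "udp.dstport": dport,
                  "udp.port": {sport, dport}, "udp.payload": l4[8:]})
    return f

def matches(fields, expr):
    """Filter subset: terms joined by &&, each 'proto', '!proto' or 'field == value'."""
    for term in (t.strip() for t in expr.split("&&")):
        negate, term = term.startswith("!"), term.lstrip("!").strip()
        if "==" in term:
            name, value = (s.strip() for s in term.split("==", 1))
            have = fields.get(name)           # set-valued fields match either direction
            if value.isdigit() and isinstance(have, (int, set)):
                value = int(value)
            hit = have is not None and (value in have if isinstance(have, set) else have == value)
        else:
            hit = term in fields
        if hit == negate:
            return False
    return True

def filter_pcap(data, expr):
    """Return the (timestamp, frame) records of a pcap that satisfy a display filter."""
    return [(ts, frame) for ts, frame in read_pcap(data) if matches(dissect(frame), expr)]

SAMPLE_PCAP = write_pcap([   # constructed: an HTTP request, an mDNS query, an SSH banner
    build_frame("tcp", "10.0.0.5", "93.184.216.34", 51000, 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    build_frame("udp", "10.0.0.5", "224.0.0.251", 5353, 5353, b"\x00" * 12),
    build_frame("tcp", "10.0.0.7", "10.0.0.1", 44000, 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
])

if __name__ == "__main__":
    for expr in ("tcp", "http", "ip.addr == 10.0.0.5", "tcp && !http", "udp.port == 5353"):
        print("%-22s -> %d packet(s)" % (expr, len(filter_pcap(SAMPLE_PCAP, expr))))
```

Two design points carry over to real tooling: every length the file or the packet claims (incl_len, IHL, TCP data offset) is checked against what is actually present before it is used as an offset, and the filter is applied to dissected fields rather than to raw bytes, which is why a display filter can be changed freely without touching the capture.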
Tips To Use & Customize Wireshark on Linux Ubuntu
- View packet details: generate some traffic, for example with ping google.com in a terminal, then click a packet in the list to expand the layers of the TCP/IP stack it was built from (Ethernet, IP and ICMP for a ping).
- Personalize the Wireshark interface: With a wealth of customization options, Wireshark lets you adjust the interface to your tastes. For example, you have the ability to design your own custom columns, rearrange the data columns, and select which ones are shown. Click Edit > Preferences to begin customizing your workspace.
- Make use of color coding: It can greatly increase the effectiveness of your analyses. With Wireshark, you may establish color rules for various traffic types, which facilitates visual distinction between them. This option is available by selecting View > Coloring Rules.
- Capture filters: unlike a display filter, a capture filter decides which packets are recorded at all. It is set under Capture > Capture Filters... (or typed into the filter field above the interface list) and uses the BPF syntax, for example port 53 to record only DNS traffic. Use it to keep captures small on a busy link, but remember that packets excluded by a capture filter are gone for good, while a display filter only hides packets that are still in the capture.
How to Update Wireshark in Ubuntu
After you install Wireshark on Ubuntu 22.04 or 20.04, keep it up to date. Updates fix bugs and add dissectors and features, and, just as importantly, they patch security vulnerabilities: Wireshark's dissectors parse untrusted data from the wire, or from a capture file someone sent you, and the project regularly publishes security advisories for flaws in them.
To do this, run:
sudo apt update
This refreshes the package index from every configured repository, including the Wireshark PPA if you added it. Then upgrade the installed packages:
sudo apt upgrade
How to Uninstall Wireshark on Ubuntu
If you no longer need Wireshark, remove it. On Ubuntu 22.04 or 20.04, run:
sudo apt remove wireshark
apt remove takes away the wireshark package itself; dependencies pulled in with it, such as wireshark-common, which contains dumpcap, stay until you run apt autoremove. If you installed Wireshark from the PPA, remove the PPA as well once Wireshark is gone: a PPA is a third-party package source that your system keeps trusting for updates, so it should not outlive the reason you added it.
The command to remove the PPA is as follows:
sudo add-apt-repository --remove ppa:wireshark-dev/stable -y
In this article, you learned how to install Wireshark on Ubuntu, how to configure capture privileges safely, how to capture, filter and save packets, and how to update and remove Wireshark. From here you can use Wireshark on your Ubuntu system for network analysis, troubleshooting, education and development. If you are interested in broader network monitoring, pick a monitoring tool for your Linux system and watch its performance consistently.
If you follow the steps above, the installation should go smoothly; if you run into problems, do not hesitate to contact us and our technical support team will do their best to help.