Wireshark is the Swiss Army knife of network analysis tools. Whether you're looking for peer-to-peer traffic on your network or just want to see what websites a specific IP address is accessing, Wireshark can work for you.

We've previously given an introduction to Wireshark, and this post builds on our previous posts. Bear in mind that you must be capturing at a location on the network where you can see enough network traffic. If you do a capture on your local workstation, you're likely to not see the bulk of traffic on the network. Wireshark can do captures from a remote location; check out our Wireshark tricks post for more information on that.

Identifying Peer-to-Peer Traffic

Wireshark's protocol column displays the protocol type of each packet. If you're looking at a Wireshark capture, you might see BitTorrent or other peer-to-peer traffic lurking in it.

You can see just what protocols are being used on your network from the Protocol Hierarchy tool, located under the Statistics menu.

This window shows a breakdown of network usage by protocol. From here, we can see that nearly five percent of packets on the network are BitTorrent packets. That doesn't sound like much, but BitTorrent also uses UDP packets. The nearly 25 percent of packets classified as UDP Data packets are also BitTorrent traffic here.

We can view only the BitTorrent packets by right-clicking the protocol and applying it as a filter. You can do the same for other types of peer-to-peer traffic that may be present, such as Gnutella, eDonkey, or Soulseek.

Using the Apply Filter option applies the filter "bittorrent." You can skip the right-click menu and view a protocol's traffic by typing its name directly into the Filter box.

From the filtered traffic, we can see that the local IP address of 192.168.1.64 is using BitTorrent.

To view all the IP addresses using BitTorrent, we can select Endpoints in the Statistics menu.

Click over to the IPv4 tab and enable the "Limit to display filter" check box. You'll see both the remote and local IP addresses associated with the BitTorrent traffic. The local IP addresses should appear at the top of the list.

If you want to see the different types of protocols Wireshark supports and their filter names, select Enabled Protocols under the Analyze menu.

You can start typing a protocol to search for it in the Enabled Protocols window.

Monitoring Website Access

Now that we know how to break traffic down by protocol, we can type "http" into the Filter box to see only HTTP traffic. With the "Enable network name resolution" option checked, we'll see the names of the websites being accessed on the network.

Once again, we can use the Endpoints option in the Statistics menu.

Click over to the IPv4 tab and enable the "Limit to display filter" check box again. You should also ensure that the "Name resolution" check box is enabled or you'll only see IP addresses.

From here, we can see the websites being accessed. Advertising networks and third-party websites that host scripts used on other websites will also appear in the list.

If we want to break this down by a specific IP address to see what a single IP address is browsing, we can do that too. Use the combined filter http and ip.addr == [IP address] to see HTTP traffic associated with a specific IP address.

Open up the Endpoints dialog again and you'll see a list of websites being accessed by that specific IP address.
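The views walked through above, the Protocol Hierarchy breakdown and the Endpoints list limited to a display filter (with or without an ip.addr clause), can also be reproduced offline against a capture file when you want the same answers in a script. The Python below is an added example written for this post, not code from Wireshark or How-To Geek. It builds a small constructed pcap inline (the addresses, hostnames and the 192.168.1.0/24 LAN are assumed sample values), decodes it with a minimal Ethernet/IPv4/TCP/UDP parser, and computes the three summaries. Its classify() step deliberately recognises only the BitTorrent TCP handshake, so the peer's UDP traffic lands in an unclassified "udp data" bucket, the same gap the hierarchy window shows in the article's capture.

```python
import ipaddress
import struct
from collections import Counter, defaultdict

LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN, as in the article

def _frame(src, dst, sport, dport, payload, udp=False):
    """Minimal Ethernet/IPv4/{TCP,UDP} frame around payload (checksums left 0)."""
    if udp:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:  # 20-byte TCP header, data offset 5, flags PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, 17 if udp else 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + l4
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip

def _pcap(frames):
    # Classic little-endian pcap: global header, then (record header, frame) pairs
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return out

def _get(path, host):
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()

BT_HANDSHAKE = b"\x13BitTorrent protocol" + bytes(8) + b"I" * 20 + b"-XX0001-" + b"0" * 12
DHT_PING = b"d1:ad2:id20:" + b"a" * 20 + b"e1:q4:ping1:t2:aa1:y1:qe"  # bencoded UDP query

# Constructed sample traffic: two web clients, one BitTorrent peer on 192.168.1.64
SAMPLE_PCAP = _pcap([
    _frame("192.168.1.64", "93.184.216.34", 50001, 80, _get("/", "example.com")),
    _frame("192.168.1.64", "93.184.216.34", 50002, 80, _get("/ad.js", "ads.example.net")),
    _frame("192.168.1.20", "203.0.113.5", 50003, 80, _get("/", "news.example.org")),
    _frame("192.168.1.64", "198.51.100.7", 50004, 6881, BT_HANDSHAKE),
    _frame("198.51.100.7", "192.168.1.64", 6881, 50004, BT_HANDSHAKE),
    _frame("192.168.1.64", "198.51.100.9", 50005, 6881, DHT_PING, udp=True),
    _frame("192.168.1.64", "198.51.100.10", 50005, 6881, DHT_PING, udp=True),
])

def decode_frame(frame):
    """Ethernet -> IPv4 -> TCP/UDP payload; None for anything else."""
    ip = frame[14:]
    if frame[12:14] != b"\x08\x00" or ip[9] not in (6, 17):
        return None
    l4 = ip[(ip[0] & 0x0F) * 4:struct.unpack("!H", ip[2:4])[0]]
    payload = l4[(l4[12] >> 4) * 4:] if ip[9] == 6 else l4[8:]
    return {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "transport": "tcp" if ip[9] == 6 else "udp", "payload": payload}

def read_pcap(data):
    """Yield decoded packets from little-endian pcap bytes."""
    assert struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4, "little-endian pcap only"
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack("<IIII", data[off:off + 16])[2]
        pkt = decode_frame(data[off + 16:off + 16 + incl_len])
        off += 16 + incl_len
        if pkt:
            yield pkt

def classify(pkt):
    """Rough stand-in for Wireshark's dissector choice. Only the TCP handshake is
    recognised as BitTorrent; its UDP side falls through to plain 'udp data'."""
    p = pkt["payload"]
    if p.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"
    methods = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")
    if pkt["transport"] == "tcp" and (p.startswith(methods) or p.startswith(b"HTTP/")):
        return "http"
    return pkt["transport"] + " data" if p else pkt["transport"]

def protocol_hierarchy(packets):
    """Packet count and percentage per label (Statistics > Protocol Hierarchy)."""
    counts = Counter(classify(p) for p in packets)
    total = sum(counts.values())
    return {label: (n, round(100 * n / total, 1)) for label, n in counts.items()}

def endpoints(packets, display_filter=lambda p: True):
    """IPv4 endpoints for packets matching the filter (Endpoints, 'Limit to display filter'), LAN first."""
    seen = Counter()
    for p in packets:
        if display_filter(p):
            seen[p["src"]] += 1
            seen[p["dst"]] += 1
    return sorted(seen.items(), key=lambda kv: (ipaddress.ip_address(kv[0]) not in LOCAL_NET, kv[0]))

def http_hosts(packets, client_ip=None):
    """Sites per client from the Host header; with client_ip set, the 'http and ip.addr == X' view."""
    hosts = defaultdict(set)
    for p in packets:
        if classify(p) != "http" or (client_ip and client_ip not in (p["src"], p["dst"])):
            continue
        for line in p["payload"].split(b"\r\n"):
            if line.lower().startswith(b"host:"):
                hosts[p["src"]].add(line[5:].strip().decode())
    return dict(hosts)

if __name__ == "__main__":
    pkts = list(read_pcap(SAMPLE_PCAP))
    print("Protocol hierarchy:", protocol_hierarchy(pkts))
    print("Endpoints (bittorrent):", endpoints(pkts, lambda p: classify(p) == "bittorrent"))
    print("Sites for 192.168.1.64:", http_hosts(pkts, "192.168.1.64"))
```

Run it directly to print the three summaries. The display filter is a plain Python predicate, so `lambda p: classify(p) == "bittorrent"` plays the role of typing bittorrent into the Filter box, and `http_hosts(pkts, "192.168.1.64")` is the http and ip.addr == 192.168.1.64 view. Host headers stand in for name resolution here on purpose: they tell you the site the client asked for, whereas reverse DNS on the server address often returns a CDN or hosting name instead, which is one reason the Endpoints list in Wireshark fills up with third-party names.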


This is all just scratching the surface of what you can do with Wireshark. You could build much more advanced filters, or even use the Firewall ACL Rules tool from our Wireshark tricks post to easily block the types of traffic you'll find here.


The above article may contain affiliate links, which help support How-To Geek.