HowTo : Install Wireshark On Linux


Wireshark is one of the best open source network packet analyzers available today. It captures network packets and displays the details of the packet data, which is useful for troubleshooting network or network security issues and for debugging protocol implementations. In this article, we will go through the installation of Wireshark on Linux machines.

Installation of Wireshark on Redhat/CentOS machines

1. Requirements

Before installing Wireshark on your machine, make sure that the following packages are available.

a. GTK

You can check whether GTK is installed on your server as follows.

# rpm -qa | grep gtk

If GTK is not found on your machine, you need to install it first. This can be done with the yum package manager.

# yum install gtk

b. libpcap

First, check whether this package is already installed on your machine. Recent CentOS/Redhat installations include it by default.

# rpm -qa | grep libpcap

If this package is not already available on your machine, you need to install it, since Wireshark depends on it.

# yum install libpcap

c. tcpdump

Check whether tcpdump is available on your system using the "rpm" command.

# rpm -qa | grep tcpdump

If not, install it using yum.

# yum install tcpdump

You can also build and install these packages from source. Now that all the requirements of Wireshark are in place on your system, we can move forward with the installation of Wireshark itself.

2. Installing Wireshark using Yum

The following command installs the command line tool for Wireshark, called "tshark".

# yum install wireshark

If you want the GNOME Wireshark GUI, you need to install the wireshark-gnome package, which provides the wireshark command.

# yum install wireshark-gnome

tshark: Terminal-based Wireshark

TShark is a terminal-oriented version of Wireshark designed for capturing and displaying packets when an interactive user interface isn't necessary or available. It supports the same options as wireshark.
Without any options set, TShark works much like tcpdump: it uses the pcap library to capture traffic from the first available network interface and displays a summary line on stdout for each received packet.

Example Usage

If you want to capture the packets coming from or going to UDP port 1812 on eth0, you can use the tshark command as follows.

tshark -f "udp port 1812" -i eth0 -w /tmp/capture.cap

The -f flag specifies a network capture filter (more on filters later). Packets that do not match the condition following the -f flag are not captured. In this example, only IP packets that are coming from or going to UDP port 1812 are captured.

The -i flag specifies the interface on which we expect to see the RADIUS packets. Change 'eth0' to whatever your interface name is.

The -w flag specifies a file where the captured traffic is saved for later processing.
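As an added example that is not part of the original article, the following Python script does the "later processing" of a capture such as /tmp/capture.cap: it parses the pcap file written by tshark and audits whether every frame really matches the "udp port 1812" capture filter. To run offline it builds a small constructed pcap image in memory; the frame builder, addresses and checksums are dummies and are assumptions of this example, not tshark's output.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4      # little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17

def build_udp_frame(src_port, dst_port, payload=b""):
    """Constructed Ethernet/IPv4/UDP frame (dummy MACs, IPs and zero checksums)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                     IPPROTO_UDP, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return eth + ip + udp

def build_pcap(frames):
    """Wrap frames in a pcap image: 24-byte global header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(frame), len(frame)) + frame
    return out

def iter_frames(pcap):
    """Yield each captured frame from a little-endian pcap image (what tshark -w writes)."""
    if struct.unpack_from("<I", pcap, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap, off)
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len

def udp_ports(frame):
    """Return (src_port, dst_port) for an Ethernet/IPv4/UDP frame, else None."""
    if len(frame) < 14 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    if frame[14] >> 4 != 4 or frame[14 + 9] != IPPROTO_UDP:
        return None
    udp = 14 + (frame[14] & 0x0F) * 4          # skip IPv4 header (IHL in 32-bit words)
    return None if len(frame) < udp + 8 else struct.unpack_from("!HH", frame, udp)

def audit_capture(pcap, port):
    """Count frames matching 'udp port <port>' versus frames the filter should have dropped."""
    matched = other = 0
    for frame in iter_frames(pcap):
        ports = udp_ports(frame)
        matched += 1 if ports and port in ports else 0
        other += 0 if ports and port in ports else 1
    return {"matched": matched, "other": other}

# Constructed sample: a RADIUS request, its reply, and a stray DNS packet.
SAMPLE_CAPTURE = build_pcap([build_udp_frame(54321, 1812, b"\x01\x00\x00\x14"),
                             build_udp_frame(1812, 54321), build_udp_frame(53000, 53)])
```

Replace SAMPLE_CAPTURE with the bytes of /tmp/capture.cap to audit a real capture; a non-zero "other" count means the capture filter did not behave as expected.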
