Introduction to Wireshark in Linux
Wireshark is the most widely used network protocol analyzer in the world and, thanks to its open source nature, has become an essential tool for system administrators, developers and security professionals working in Linux environments. Its GTK-based graphical interface lets you capture packets in real time and apply powerful filters to isolate the traffic of interest. In addition, Wireshark offers a wide range of advanced functions, such as protocol analysis, session reconstruction and the generation of detailed reports. In this article we will explore how to install, configure and get the most out of Wireshark on popular Linux distributions, from Ubuntu to Fedora, and look at practical examples that will help you diagnose network problems, identify bottlenecks and strengthen the security of your infrastructure.
Wireshark installation in popular distributions
In most Linux distributions, Wireshark is available in the official repositories, which makes installation straightforward through the corresponding package manager. On Ubuntu and its derivatives, just run `sudo apt update` followed by `sudo apt install wireshark`. During installation, the system asks whether unprivileged users should be allowed to capture packets; it is recommended to answer yes and then add your user to the `wireshark` group with `sudo usermod -aG wireshark $USER`. On Fedora, the command is `sudo dnf install wireshark`. On Arch Linux, use `sudo pacman -S wireshark`. After installing, log out and log back in so that the group change takes effect, then launch Wireshark from the application menu or by running `wireshark` in a terminal.
Basic packet capture
Once Wireshark is ready, the first step is to select the network interface on which you want to capture traffic. The start window lists all detected interfaces; click on an interface name (e.g., `eth0` or `wlan0`) to begin capturing immediately. While Wireshark collects packets, you can watch in real time each frame passing through the interface, with columns showing source, destination, protocol and length. To stop the capture, simply click the red stop button or press Ctrl+E. The captured packets are kept in memory and can be examined in detail in the packet details pane, where the fields of each layer of the OSI model are expanded, from the Ethernet header down to the application data.
Display and capture filters
Wireshark distinguishes between capture filters, which limit which packets are recorded to disk, and display filters, which are applied after capture to show only the packets that meet certain criteria. Capture filters use the tcpdump syntax; for example, `host 192.168.1.10` captures only traffic to or from that IP. Display filters use a more expressive language; some useful examples are:
- `http` to show all HTTP traffic
- `tcp.port == 80` to see connections on port 80
- `dns.qry.name contains google` for DNS queries to domains that include "google"
- `!icmp` to exclude all ICMP traffic
Combining filters with the logical operators `and`, `or` and `not` lets you build very specific expressions to isolate network problems or analyse suspicious behaviour.
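To make the display-filter semantics concrete, here is a small evaluator for the expression forms listed above (bare protocol names, `==`, `contains`, `!`/`not`, `and`, `or`, with the usual precedence of not over and over or). It is an added example, not code from the article or from Wireshark, and it runs over a handful of constructed packets decoded into Wireshark-style field names; parentheses and the other comparison operators are not supported.

```python
import re

# Constructed packets, each decoded into a few Wireshark-style fields (not a real capture).
PACKETS = [
    {"frame.number": 1, "protocols": {"eth", "ip", "tcp", "http"}, "tcp.port": {51000, 80}},
    {"frame.number": 2, "protocols": {"eth", "ip", "udp", "dns"}, "udp.port": {40000, 53},
     "dns.qry.name": "www.google.com"},
    {"frame.number": 3, "protocols": {"eth", "ip", "icmp"}},
    {"frame.number": 4, "protocols": {"eth", "ip", "tcp"}, "tcp.port": {51001, 22}},
]
TOKEN = re.compile(r'\s*(!|==|"[^"]*"|[\w.]+)')
BINARY = ("or", "and")  # lowest precedence first; "not" / "!" binds tighter than both

def parse(expr):
    """Parse a display-filter expression into a nested tuple tree (no parentheses here)."""
    toks = TOKEN.findall(expr)
    def level(n):  # n = 0 parses 'or' chains, n = 1 'and' chains, n = 2 unary terms
        if n == len(BINARY):
            return unary()
        node = level(n + 1)
        while toks[:1] == [BINARY[n]]:
            node = (toks.pop(0), node, level(n + 1))
        return node
    def unary():
        if toks[:1] in (["!"], ["not"]):
            toks.pop(0)
            return ("not", unary())
        tok = toks.pop(0)
        if toks[:1] in (["=="], ["contains"]):  # field comparison, e.g. tcp.port == 80
            return (toks.pop(0), tok, toks.pop(0).strip('"'))
        return ("proto", tok)  # bare protocol name, e.g. http or icmp
    tree = level(0)
    assert not toks, "unexpected trailing tokens: %r" % toks
    return tree

def matches(node, pkt):
    kind = node[0]
    if kind == "proto": return node[1] in pkt["protocols"]
    if kind == "not": return not matches(node[1], pkt)
    if kind == "and": return matches(node[1], pkt) and matches(node[2], pkt)
    if kind == "or": return matches(node[1], pkt) or matches(node[2], pkt)
    op, field, want = node
    values = pkt.get(field, set())
    values = values if isinstance(values, set) else {values}
    # A multi-valued field (e.g. both TCP ports) matches when any of its values does
    return any(want in str(v) if op == "contains" else str(v) == want for v in values)

def apply_filter(expr, packets=PACKETS):  # frame numbers the display filter selects
    tree = parse(expr)
    return [p["frame.number"] for p in packets if matches(tree, p)]
```

Note that `icmp or tcp and tcp.port == 22` selects frames 3 and 4, because `and` binds tighter than `or`, exactly as in Wireshark.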
Traffic analysis with statistics
Beyond manual packet inspection, Wireshark includes a set of statistical tools that make it easier to identify patterns and anomalies. The Statistics menu offers options such as Conversations, which shows the number of bytes and packets exchanged between each pair of IP addresses; Protocol Hierarchy, which reveals which protocols consume the most bandwidth; and TCP stream analysis, which lets you reconstruct complete sessions and examine sequence numbers, acknowledgments and retransmissions. Another very useful function is the Flow Graph (sequence diagram), which visually charts the exchange of packets between two hosts, making it easier to spot excessive latency or packet loss. These statistics can be exported to CSV or XML for further processing in tools such as Excel or Python scripts.
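The following script shows what two of those statistics actually compute, by reading a pcap file with nothing but the standard library and reproducing the Conversations (IPv4) and Protocol Hierarchy tables. It is an added example, not code from the article or from Wireshark; the capture it analyses is constructed inline (an HTTP exchange, a DNS query and an SSH segment), and application protocols are labelled by port number only, which is a simplification of Wireshark's dissectors.

```python
import struct
from collections import Counter

def frame(src, dst, proto, l4):  # constructed Ethernet/IPv4 frame; checksums left at zero
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 6 + b"\x11" * 6 + b"\x08\x00" + ip + l4

def tcp(sport, dport, data=b""):  # minimal 20-byte TCP header (PSH/ACK, no options)
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + data

def udp(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def build_pcap(frames):  # classic little-endian pcap 2.4 file, linktype 1 = Ethernet
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out

def packets(pcap):  # yield (src, dst, protocol path, frame length) for each IPv4 frame
    off = 24  # skip the 24-byte global header
    while off < len(pcap):
        incl = struct.unpack_from("<I", pcap, off + 8)[0]  # captured length of this record
        f, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if f[12:14] != b"\x08\x00": continue  # not IPv4 (e.g. ARP): skipped in this example
        ihl = (f[14] & 0x0F) * 4
        src, dst = (".".join(map(str, f[i:i + 4])) for i in (26, 30))
        sport, dport = struct.unpack_from("!HH", f, 14 + ihl)
        l4 = {6: "tcp", 17: "udp"}.get(f[23], "other")
        app = (":http" if l4 == "tcp" and 80 in (sport, dport)  # by port, as tcp.port == 80 would
               else ":dns" if l4 == "udp" and 53 in (sport, dport) else "")
        yield src, dst, "eth:ip:" + l4 + app, incl

def conversations(pcap):  # like Statistics > Conversations (IPv4): (packets, bytes) per pair
    table = {}
    for src, dst, _, n in packets(pcap):
        p, b = table.get((key := tuple(sorted((src, dst)))), (0, 0))
        table[key] = (p + 1, b + n)
    return table

def protocol_hierarchy(pcap):  # like Statistics > Protocol Hierarchy: frames per protocol path
    return Counter(path for _, _, path, _ in packets(pcap))

SAMPLE = build_pcap([  # constructed traffic: one HTTP exchange, one DNS query, one SSH segment
    frame("192.168.1.10", "93.184.216.34", 6, tcp(51000, 80, b"GET / HTTP/1.1\r\n")),
    frame("93.184.216.34", "192.168.1.10", 6, tcp(80, 51000, b"HTTP/1.1 200 OK\r\n")),
    frame("192.168.1.10", "192.168.1.1", 17, udp(40000, 53, b"\x00" * 29)),
    frame("192.168.1.10", "10.0.0.5", 6, tcp(51001, 22)),
])
```

Writing `SAMPLE` to a file with a `.pcap` extension opens cleanly in Wireshark, so you can compare the script's tables against the real Statistics dialogs.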
Security advice and good practices
Although Wireshark is a powerful tool, indiscriminate use can create privacy and security risks. Always capture traffic only on networks you manage or for which you have explicit authorization; unauthorized analysis may violate data protection laws and corporate policies. When capturing on wireless interfaces, enable monitor mode only if your hardware supports it, and remember that encrypted traffic (e.g. TLS) cannot be decrypted without the right keys. Limit capture duration and file size to avoid consuming excessive disk space. Finally, keep Wireshark up to date; recent versions include performance improvements, vulnerability fixes and support for new protocols. By following these guidelines, you can get the most out of Wireshark while protecting the integrity of your Linux environment.
Conclusion
Wireshark has established itself as a key piece in the toolkit of any professional working with Linux networks. Its ability to capture, filter and analyse traffic in real time, combined with a wide range of statistical and visualization functions, makes it an indispensable ally for troubleshooting, performance optimization and security auditing. By following the installation, configuration and responsible-use steps described in this article, you will be ready to explore the depths of your network and extract valuable information that will improve the reliability and protection of your systems. We invite you to experiment with the filters and statistics presented here, and to dig into the official documentation to discover even more capabilities of this powerful protocol analyzer.