What is Wireshark?
Wireshark is the world's leading and widely used free and open source packet analysis tool. It is used for network troubleshooting, analysis, software and communication protocol development, and training. Started by Gerald Combs in 1998 and called Ethereal, the project was renamed Wireshark in May 2006 due to trademark issues. Wireshark continues to evolve thanks to the voluntary contributions of network experts around the world.
Here are some of the things you can do with Wireshark:
- Live capture and offline analysis
- Multi-platform: Runs on Windows, Linux, macOS, Solaris, FreeBSD, NetBSD, and many others
- Read/write many different capture file formats: tcpdump (libpcap), Pcap NG, Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer® (compressed and uncompressed) etc.
- Capture files compressed with gzip can be decompressed on the fly
- Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2
- Output can be exported to XML, PostScript®, CSV, or plain text
- And more
Wireshark can be installed on many different operating systems; in this article we will install it on Ubuntu.
Different methods to install Wireshark
There are two different methods to install Wireshark on Ubuntu. Since it is an open source application, a version is available in the default Ubuntu repositories. In addition, there is a third-party repository that offers a more up-to-date stable version of Wireshark, which you can use by adding it to the system. Let's go through these installations in turn.
Method-1: Install From Default Repository
First, pull the current package list from the Ubuntu repositories:
foc@ubuntu22desktop:~$ sudo apt update -y
Then install the wireshark package:
foc@ubuntu22desktop:~$ sudo apt install wireshark -y
During installation you will encounter the following prompt. If you answer "Yes", any user on the system can use this network monitoring application. We will choose "No" so that unauthorized users cannot use it.
Give execute permission to "dumpcap":
foc@ubuntu22desktop:~$ sudo chmod +x /usr/bin/dumpcap
Installed version:
foc@ubuntu22desktop:~$ wireshark --version
Wireshark 3.6.2 (Git v3.6.2 packaged as 3.6.2-2)
After installation, you can start the application from the terminal with the following command (sudo will ask for your password first):
foc@ubuntu22desktop:~$ sudo wireshark
If you open Wireshark from the menu without sudo, you will get the following warning:
There are two possible solutions:
Solution-1: Invoke Wireshark from the terminal with sudo.
Solution-2: Allow all users to use Wireshark with the command "sudo dpkg-reconfigure wireshark-common", then add your user to the wireshark group:
foc@ubuntu22desktop:~$ sudo usermod -aG wireshark foc
After applying either of the two solutions, the Wireshark installation is complete and the application starts without any problems.
Method-2: Install using Wireshark-Dev Repository
Add the wireshark-dev stable repository to the system with the following command:
foc@ubuntu22desktop:~$ sudo add-apt-repository ppa:wireshark-dev/stable -y
Update the package list from the repositories:
foc@ubuntu22desktop:~$ sudo apt update -y
And then install the wireshark package:
foc@ubuntu22desktop:~$ sudo apt install wireshark -y
This time, answer the prompt during installation so that all users are allowed to use Wireshark:
Installation completed successfully. Give execute permission to "dumpcap":
foc@ubuntu22desktop:~$ sudo chmod +x /usr/bin/dumpcap
Version:
foc@ubuntu22desktop:~$ wireshark --version
Wireshark 3.6.7 (Git v3.6.7 packaged as 3.6.7-1~ubuntu22.04.0+wiresharkdevstable)
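The install-time prompt, "sudo dpkg-reconfigure wireshark-common" and the wireshark group described in both methods all decide who may run dumpcap with capture privileges. The following check script is an added example written for this article, not code from the article or from the Wireshark project; it reads dumpcap's owner, mode and file capabilities and reports who can capture, and assumes Debian/Ubuntu wireshark-common packaging with stat (coreutils) and getcap (libcap2-bin) available.

```shell
#!/bin/sh
# Added example (not from the original article): report who may capture
# packets with the installed dumpcap, which is what the install-time prompt
# and "sudo dpkg-reconfigure wireshark-common" change. Assumes Debian/Ubuntu
# wireshark-common packaging, stat (coreutils) and getcap (libcap2-bin).

DUMPCAP=${DUMPCAP:-/usr/bin/dumpcap}

# Classify a dumpcap binary from three strings (real or constructed):
#   $1 owner:group  as printed by  stat -c '%U:%G' /usr/bin/dumpcap
#   $2 octal mode   as printed by  stat -c '%a'    /usr/bin/dumpcap
#   $3 capabilities as printed by  getcap /usr/bin/dumpcap (empty if none)
# Prints one of: root-only | group:<name> | everyone
classify_dumpcap() {
    group=${1#*:}
    mode=$2
    caps=$3
    tail2=${mode#"${mode%??}"}   # last two octal digits
    g=${tail2%?}                 # group permission digit
    o=${tail2#?}                 # others permission digit
    # Only a setuid-root binary (4xxx) or one carrying the cap_net_raw file
    # capability can open a capture socket for a non-root caller.
    privileged=no
    case $mode in 4???) privileged=yes ;; esac
    case $caps in *cap_net_raw*) privileged=yes ;; esac
    [ "$privileged" = yes ] || { echo root-only; return 0; }
    # Execute bit for "others" (odd digit) means any local user may capture;
    # otherwise only members of the owning group (wireshark) may.
    case $o in 1|3|5|7) echo everyone; return 0 ;; esac
    case $g in 1|3|5|7) echo "group:$group"; return 0 ;; esac
    echo root-only
}

# Can user $1 (default: the caller) capture without sudo? Prints yes/no with
# the policy and returns 0/1. Run it after any chmod on dumpcap: "chmod +x"
# with the usual umask also sets the execute bit for others.
can_capture() {
    user=${1:-$(id -un)}
    policy=$(classify_dumpcap "$(stat -c '%U:%G' "$DUMPCAP")" \
                              "$(stat -c '%a' "$DUMPCAP")" \
                              "$(getcap "$DUMPCAP" 2>/dev/null)")
    case $policy in
        everyone) echo "yes ($policy)"; return 0 ;;
        group:*)  for grp in $(id -nG "$user"); do
                      [ "$grp" = "${policy#group:}" ] && { echo "yes ($policy)"; return 0; }
                  done ;;
    esac
    echo "no ($policy)"
    return 1
}
```

Source the file and run can_capture (or can_capture someuser) to confirm that the choice made at install time actually took effect on the system.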
Summary
Installation is similar in both methods. Although the version in the Ubuntu repositories is somewhat older, the packages that ship with the operating system should be preferred.
For more information, consult the built-in help:
foc@ubuntu22desktop:~/wireshark$ wireshark --help
Usage: wireshark [options] ... [ <infile> ]

Capture interface:
  -i <interface>, --interface <interface>
                           name or idx of interface (def: first non-loopback)
...