LinuxQuestions.org
Old 02-24-2007, 12:32 AM   #1
SBN
Member
 
Registered: Jul 2006
Distribution: UBUNTU, CentOS, FEDORA 8
Posts: 474

Rep: Reputation: 30
Wireshark Tutorial


- Hey guys, are there more tutorials about Wireshark on the net aside from Chris Sanders' Packet School 101? Can't find anything more on the net.
 
Old 02-24-2007, 04:28 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
Well, what sort of thing do you really want to know? I've always found the official documentation very concise and useful. Wireshark is an amazingly useful tool to the right person; I couldn't do my job without it at all...
 
Old 02-24-2007, 02:11 PM   #3
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128
FYI, Wireshark used to be called Ethereal. Searching for Ethereal tutorials should reveal a lot of information applicable to Wireshark.
 
Old 02-25-2007, 09:38 PM   #4
SBN
Member
 
Registered: Jul 2006
Distribution: UBUNTU, CentOS, FEDORA 8
Posts: 474

Original Poster
Rep: Reputation: 30
Quote:
Well, what sort of thing do you really want to know?
- Like how do you use it to monitor your network, how do you analyze its output, and how do you use it to know if something is wrong with your network. And others.
 
Old 02-25-2007, 09:47 PM   #5
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128
If you're looking for a tool that says "there is a virus on your network", Wireshark is not it. Wireshark will show you each packet and is more useful to see the exact content of packets. It allows you to tell if, for example, a server is not responding, or is responding with an error.
 
Old 02-25-2007, 11:47 PM   #6
SBN
Member
 
Registered: Jul 2006
Distribution: UBUNTU, CentOS, FEDORA 8
Posts: 474

Original Poster
Rep: Reputation: 30
-
Quote:
It allows you to tell if, for example, a server is not responding, or is responding with an error.
- This is also one of the things I want to learn using Wireshark. I tried to Google for other tutorials but no such luck.
-
Quote:
If you're looking for a tool that says "there is a virus on your network", Wireshark is not it.
- Well, this is not one of my purposes, but actually I read an article about network analyzers being able to detect virus threats by using probes.

 
Old 02-26-2007, 01:46 AM   #7
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
Well, in terms of knowing what's wrong and such, that's not *really* Wireshark's job. It doesn't do "health checks" and such. It's really up to the user to know what they are looking at, and that includes TCP/IP knowledge and the structure of layer 5-7 data within IP protocols. Wireshark tries to present as much of any given protocol in a deconstructed way as possible, i.e. splitting up HTTP requests field by field, but it can only present you raw data in simpler formats; it's still going to require you to understand the relevance of a TCP RST flag, or an HTTP POST, for example.

One big step forward that would help you is the "Follow TCP Stream" feature. Right-click on any packet in the list and select it. That'll then filter to only show a single TCP stream, including packet resends and errors and such.
 
Old 02-26-2007, 03:28 AM   #8
SBN
Member
 
Registered: Jul 2006
Distribution: UBUNTU, CentOS, FEDORA 8
Posts: 474

Original Poster
Rep: Reputation: 30
Quote:
Well, in terms of knowing what's wrong and such, that's not *really* Wireshark's job. It doesn't do "health checks" and such.
- Actually this is not my problem.
- I'm new to Wireshark and my real problem is how do you interpret or analyze those raw data that it's showing.
Quote:
It's really up to the user to know what they are looking at, and that includes TCP/IP knowledge and the structure of layer 5-7 data within IP protocols. Wireshark tries to present as much of any given protocol in a deconstructed way as possible.
- So you're saying that in order for me, a newbie to Wireshark, to understand what Wireshark is showing, I have to first understand TCP/IP protocols and others?
 
Old 02-26-2007, 03:39 AM   #9
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
Well, in general, yes. It's there to explode the IP packets for you so you can get at the "good stuff" without decoding the binary stream and such. In a potentially similar way to a lot of the mentality behind Linux itself, which you've probably (or rather, hopefully) come to appreciate, if you try to be too clever within an application, it typically quickly moves to reducing control, functionality and flexibility within said app. So without that base knowledge of TCP/IP etc., it may well be pointless you being given some "answers" by an analysis program at such a low level of detail. Of course Wireshark does do *some* of this, but it's about giving you all the info for you to use as you see fit, not telling you what it thinks you might want to know.

Of course, it's utterly down to what problems you are trying to solve as to what knowledge you need. (Almost) any old fool should be able to appreciate the presence of a TCP communication in both directions or not, but when you're trying to analyze, err... fluctuating TCP window sizes or rogue RST packets, then you'll need a suitably greater knowledge of the subject.
 
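The two things the replies above describe Wireshark doing, decoding each frame field by field and grouping packets into a single TCP conversation via "Follow TCP Stream" (post #7), so that something like a rogue RST can be seen in context (post #9), can be done by hand over a pcap file. The script below is an added example written for this page; it is not code from the thread or from the Wireshark project. It handles only classic little-endian pcap with Ethernet/IPv4/TCP frames, and the capture it analyses is constructed in the script (two made-up conversations on 10.0.0.1 and 10.0.0.2), not real traffic. Stream numbering follows the same first-seen order Wireshark uses for its `tcp.stream` field.

```python
"""Minimal 'follow TCP stream' over a pcap, in plain Python (added example)."""
import struct
from collections import OrderedDict

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, little-endian writer
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK")]


def flag_names(flags):
    """Turn the TCP flag byte into the names Wireshark displays, e.g. ['SYN', 'ACK']."""
    return [name for bit, name in TCP_FLAGS if flags & bit]


def parse_frame(frame):
    """Decode Ethernet -> IPv4 -> TCP headers. Returns None for anything else."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None  # not IPv4
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    if frame[23] != 6:  # IP protocol number 6 is TCP
        return None
    t = 14 + ihl
    if len(frame) < t + 20:
        return None  # truncated TCP header
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    sport, dport, seq, ack, doff_res, flags, win = struct.unpack_from("!HHIIBBH", frame, t)
    doff = (doff_res >> 4) * 4
    payload = frame[t + doff:14 + total_len]
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "seq": seq,
            "ack": ack, "flags": flag_names(flags), "win": win, "payload": payload}


def read_pcap(data):
    """Walk the pcap record headers and decode every TCP frame."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("only classic little-endian pcap is handled here")
    off, packets = 24, []
    while off + 16 <= len(data):
        _sec, _usec, incl, _orig = struct.unpack_from("<IIII", data, off)
        off += 16
        pkt = parse_frame(data[off:off + incl])
        off += incl
        if pkt:
            packets.append(pkt)
    return packets


def follow_streams(packets):
    """Group packets into conversations (both directions), numbered in first-seen order."""
    streams = OrderedDict()
    for p in packets:
        key = tuple(sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])]))
        streams.setdefault(key, []).append(p)
    return list(streams.values())


def find_resets(streams):
    """List every RST as (stream index, sender IP, sender port) so it can be judged in context."""
    return [(i, p["src"], p["sport"]) for i, s in enumerate(streams)
            for p in s if "RST" in p["flags"]]


def stream_payload(stream, src, sport):
    """Concatenate one direction's payload, which is what Follow TCP Stream shows as text."""
    return b"".join(p["payload"] for p in stream if (p["src"], p["sport"]) == (src, sport))


# --- constructed sample capture (made up for this example, not real traffic) ---
def _ip(s):
    return bytes(int(o) for o in s.split("."))


def _frame(src, dst, sport, dport, flags, seq=0, ack=0, payload=b""):
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0, _ip(src), _ip(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp + payload


def sample_pcap():
    frames = [
        _frame("10.0.0.1", "10.0.0.2", 40000, 80, 0x02, seq=100),                # SYN
        _frame("10.0.0.2", "10.0.0.1", 80, 40000, 0x12, seq=500, ack=101),       # SYN/ACK
        _frame("10.0.0.1", "10.0.0.2", 40000, 80, 0x18, 101, 501, b"GET / HTTP/1.0\r\n\r\n"),
        _frame("10.0.0.1", "10.0.0.2", 40001, 22, 0x02, seq=200),                # SYN to a closed port
        _frame("10.0.0.2", "10.0.0.1", 22, 40001, 0x14, seq=0, ack=201),         # RST/ACK back
    ]
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    recs = [struct.pack("<IIII", 1172000000 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return hdr + b"".join(recs)


if __name__ == "__main__":
    streams = follow_streams(read_pcap(sample_pcap()))
    for i, s in enumerate(streams):
        print(f"tcp.stream {i}: {len(s)} packets, flags {[p['flags'] for p in s]}")
    print("resets:", find_resets(streams))
```

Run it against a real file by replacing `sample_pcap()` with the bytes of a capture saved from Wireshark in the classic pcap format (not pcapng). The point of `find_resets` is exactly the one made in post #9: the script can tell you *where* an RST occurred and who sent it, but whether that reset is a normal refusal on a closed port or something "rogue" is still a judgement the reader has to make from the surrounding stream.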
Old 02-26-2007, 08:18 PM   #10
SBN
Member
 
Registered: Jul 2006
Distribution: UBUNTU, CentOS, FEDORA 8
Posts: 474

Original Poster
Rep: Reputation: 30
ok thanks so much
 
Old 03-11-2007, 09:06 PM   #11
john@ackley.net
LQ Newbie
 
Registered: Mar 2005
Location: Virgin Islands
Distribution: Red Hat 9.0
Posts: 13

Rep: Reputation: 0
wireshark: command not found

Here is my problem:

[root@paradise Desktop]# rpm -ivh wireshark-0.99.5-1.fc6.i386.rpm
Preparing... ########################################### [100%]
package wireshark-0.99.5-1.fc6 is already installed


[root@paradise Desktop]# wireshark
-bash: wireshark: command not found

I tried yum remove then yum install - same result.
 
Old 03-12-2007, 02:50 AM   #12
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128
Have you tried 'locate wireshark'? Maybe it installs it outside of your path.
 
Old 03-12-2007, 04:36 AM   #13
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
1) Don't hijack / dig up other people's threads; your question really has nothing to do with the original one other than a common app.

2) Install wireshark-gnome for the GTK interface. wireshark by default only contains the lighter tshark console interface.
 