In our previous tutorial, we learned how to use the tcpdump command to collect network packets for analysis and troubleshooting. Analyzing all those packet logs on the CLI can be tiresome, though, and it is not the only option: we can also install Wireshark, which has a GUI along with many features that make it easy to capture and analyze network packets.
Wireshark is a free and open-source network packet analyzer used for network analysis, troubleshooting, and more. It is cross-platform software available for various Linux/UNIX distributions, macOS, Solaris, BSD, and Windows. It uses GTK to implement the user interface and captures packets using PCAP.
Wireshark is quite similar to tcpdump; the major difference between the two is that Wireshark has a graphical interface with built-in filtering options, which makes it easy to use. Wireshark provides a number of features, some of which are:
- Live packet capture and offline analysis,
- A large number of display filters,
- Support for hundreds of protocols,
- Rich VoIP analysis,
- Read/write support for various capture file formats,
- Live data can be read from Ethernet ports, Bluetooth, USB, Token Ring, etc.
In this tutorial, we will learn to install Wireshark on CentOS and Ubuntu.
Installation on CentOS
Before we can install Wireshark, we need to make sure that all of its dependencies are present on the system. Install them using the following command:
$ yum install gcc gcc-c++ bison flex libpcap-devel qt-devel gtk3-devel rpm-build libtool c-ares-devel qt5-qtbase-devel qt5-qtmultimedia-devel qt5-linguist desktop-file-utils
Wireshark is available in the default CentOS package repositories and can be installed using YUM. Install Wireshark on CentOS using the following command:
$ sudo yum install wireshark wireshark-qt
You might not get the latest Wireshark package this way, however. To get the latest version, we need to build it from the source package; that method is described below.
Installation on Ubuntu
First, install all the required dependencies for Wireshark using the following command:
$ sudo apt-get install build-essential checkinstall libcurl4-openssl-dev bison flex qt5-default qttools5-dev libssl-dev libgtk-3-dev libpcap-dev
Once all the dependencies have been installed, install Wireshark (available in the default Ubuntu repositories) using the following command:
$ sudo apt-get install wireshark
You can also use the Wireshark developers' PPA (ppa:wireshark-dev/stable) to install the latest Wireshark package, which might not be available in the default Ubuntu repository. To install the latest Wireshark from that PPA, run the following commands in this order:
$ sudo add-apt-repository ppa:wireshark-dev/stable
$ sudo apt-get update
$ sudo apt-get install wireshark
Installing Wireshark using source
To get the latest version of Wireshark, it is recommended to build it from source. Download the latest Wireshark source package using the following command:
$ wget https://1.as.dl.wireshark.org/src/wireshark-3.0.0.tar.xz
Extract it and change into the source directory using the following commands:
$ tar -xf wireshark-3.0.0.tar.xz -C /tmp
$ cd /tmp/wireshark-3.0.0
Then run the following commands to compile and install the source code:
$ ./autogen.sh
$ ./configure --enable-setcap-install
$ make
$ sudo make install
$ sudo ldconfig
That's it; this installs Wireshark on your machine. To start Wireshark, either open it from the menu or run the following command in the terminal:
$ wireshark
Note: If you get a 'Permission Denied' error when starting Wireshark as a local user, you can start Wireshark as root or with sudo privileges, or add the local user to the wireshark group using the following command:
$ sudo usermod -a -G wireshark username
Now try starting Wireshark again; it should work. Once Wireshark is running, you can select an interface to start capturing packets and then apply filters to analyze the data.
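The note above resolves the 'Permission Denied' error by giving the local user capture rights through the wireshark group instead of running the whole GUI as root. The script below is an added example, not part of the original tutorial, that checks whether that setup is actually in place on a host: it looks at the file capabilities on dumpcap (the helper Wireshark uses for capturing, which is what --enable-setcap-install configures), its group ownership and mode, and the current user's group membership, and prints the command that fixes each failing check. It assumes dumpcap lives at /usr/local/bin/dumpcap (source build) or /usr/bin/dumpcap (package install) and that the capture group is named wireshark; both of those are assumptions, not facts from the tutorial.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: check that non-root
# packet capture is set up the way the "Permission Denied" note intends,
# i.e. capture rights come from dumpcap's file capabilities and the
# wireshark group rather than from running the GUI as root.
# Assumptions (not from the tutorial): dumpcap is installed at
# /usr/local/bin/dumpcap (source build) or /usr/bin/dumpcap (package),
# and the capture group is named "wireshark".

# caps_ok LINE: succeed when a getcap output line grants dumpcap both
# cap_net_admin and cap_net_raw. Both getcap output styles are accepted:
#   /usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip   (older libcap)
#   /usr/bin/dumpcap cap_net_admin,cap_net_raw=eip     (newer libcap)
caps_ok() {
    case "$1" in
        *cap_net_admin*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *cap_net_raw*) return 0 ;;
        *) return 1 ;;
    esac
}

# in_group GROUPS WANT: succeed when WANT appears in the space-separated
# group list GROUPS (the format printed by `id -Gn`).
in_group() {
    want="$2"
    for g in $1; do
        [ "$g" = "$want" ] && return 0
    done
    return 1
}

# mode_ok MODE GROUP WANT: succeed when the ls -l mode string shows a binary
# that the owning group can run but "others" cannot, and GROUP equals WANT.
# This is the 0750 root:wireshark layout produced by --with-dumpcap-group.
mode_ok() {
    [ "$2" = "$3" ] || return 1
    case "$1" in
        -rwxr-x---*|-rwxr-s---*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_host: run the three checks against this machine and print a
# remediation hint for each one that fails. Returns non-zero on any failure.
check_host() {
    bin=""
    for candidate in /usr/local/bin/dumpcap /usr/bin/dumpcap; do
        if [ -f "$candidate" ]; then bin="$candidate"; break; fi
    done
    if [ -z "$bin" ]; then
        echo "dumpcap not found in /usr/local/bin or /usr/bin"
        return 1
    fi
    status=0

    if command -v getcap >/dev/null 2>&1; then
        if caps_ok "$(getcap "$bin" 2>/dev/null)"; then
            echo "ok: $bin has cap_net_admin and cap_net_raw"
        else
            echo "missing: sudo setcap cap_net_raw,cap_net_admin+eip $bin"
            status=1
        fi
    else
        echo "skip: getcap not available (libcap2-bin on Debian/Ubuntu, libcap on CentOS)"
    fi

    set -- $(ls -ld "$bin")   # $1 = mode string, $4 = owning group
    if mode_ok "$1" "$4" wireshark; then
        echo "ok: $bin is $1 and owned by group $4"
    else
        echo "missing: sudo chgrp wireshark $bin && sudo chmod 750 $bin"
        status=1
    fi

    if in_group "$(id -Gn)" wireshark; then
        echo "ok: $(id -un) is in the wireshark group"
    else
        echo "missing: sudo usermod -a -G wireshark $(id -un) (then log out and back in)"
        status=1
    fi
    return $status
}

# Run the live checks only when asked, so the file can also be sourced
# for its functions:  sh check_capture.sh --check
if [ "${1:-}" = "--check" ]; then
    check_host
fi
```

Run it as `sh check_capture.sh --check` after adding yourself to the group. A new group membership only applies to sessions started after the usermod, which is why the script tells you to log out and back in rather than just retrying wireshark in the same shell.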
Tips for Effective Use
- Use Filters: Learning to use filters effectively can help you isolate relevant data quickly.
- Color Coding: Wireshark uses colors to differentiate between different types of traffic, which can help in quicker analysis.
- Regular Updates: Keep Wireshark updated to receive the latest protocol dissectors and bug fixes.
This completes our tutorial on installing Wireshark on CentOS and Ubuntu systems. Please send any queries or suggestions related to this article using the comment box below.
Hello, when I try to launch Wireshark using the command $ wireshark on CentOS, I get this error:
(wireshark:1218): Gtk-WARNING **: cannot open display:
Please, can you help?
Which GUI are you using?
Try making an entry for the following in your ~/.bashrc file:
DISPLAY=:0.0; export DISPLAY
Then try again after restarting the system.
I am getting the same error when trying to install it on my CentOS VM.
Can you help?
What's the error?
Hi, could it be that this command:
$ sudo apt-get install build-essential checkinstall libcurl4-openssl-dev bison flex qt5-default qttools5-dev libssl-dev libgtk-3-dev libpcap-d
should be this command instead?
$ sudo apt-get install build-essential checkinstall libcurl4-openssl-dev bison flex qt5-default qttools5-dev libssl-dev libgtk-3-dev libpcap-dev
I’m using Ubuntu 14.04 and libpcap-d does not exist, but libpcap-dev does.
Thanks!
Gustavo.
Well, this should work, but I have not tested it myself. Give it a try and let me know if you face any error.
How can I uninstall Wireshark that was installed from source on CentOS 7?
Just delete the files.
Hi, I'm installing on Debian 9, but I've got an error:
```
./configure --prefix=/opt/ --with-ssl --enable-setcap-install --with-dumpcap-group=wireshark
...
checking whether to install dumpcap with cap_net_admin and cap_net_raw capabilities... setcap not found
configure: error: Setcap install was requested, but setcap was not found
```
Do you know how to fix it?
It’s strange ’cause `libcap-dev` is installed …
You need to install the libcap2-bin package on your Debian system.
Hi,
I have Wireshark-1.10.14 already installed.
I wanted to upgrade to a higher version, so I installed Wireshark 2.6.12 from source according to the instructions.
1. When executing ‘wireshark’ command on the terminal, after installation, the old version is still opened.
(also ‘yum list installed’ doesn’t display the new version)
Any suggestion?
So you need to remove the old version and create a soft link from /usr/local/bin/wireshark to where you have installed the new Wireshark.
Or, when you want to use the newly installed Wireshark, you must use the complete path, like /home/user/wireshark/bin/wireshark, etc.
bash: ./autogen.sh: no such file or directory is the error I get. And no, this file is really not here. (I’m trying to install the latest version, at moment 3.2.0, on ubuntu)
How do I run Wireshark on Ubuntu?