How to Install and Use WireShark on Mac OS X

Last modified: December 31 1969 16:00:00

This is a crash course on getting WireShark (formerly known as Ethereal; a powerful graphical front end to tcpdump) installed and running on your Mac, and how to do a few basic analyses of network traffic data.

INSTALLATION

Note: You need to be root or an administrator to do this, and you MUST have Apple's "X11" framework installed. (If you're not sure you have X11, go into the Applications folder, then into Utilities, and look for the "X11" application. If it's not there, you will need to install X11 from your original OS X system discs. There's more to it than just the standalone app.)

  1. Download WireShark. [Intel]   [PPC]
    Note: It is critical that you install the correct version for your architecture -- there were major changes in the handling of permissions with regard to setting the network interface to promiscuous mode.

  2. Mount the disk image. If you are on a PowerPC Mac, launch the "Wireshark 0.99.5c (ppc).mpkg" installer package and follow the prompts; then you're done with installation. If you are on an Intel Mac, keep reading, there are several more steps. Intel Mac? Okay. Drag the Wireshark app to your Applications folder.

  3. On the disk image, open the Utilities folder. Drag the "Startup" folder to the Desktop. Eject the disk image.

  4. Open the Startup folder you just copied, and delete "README.macosx".

  5. Rename the Startup folder to "ChmodBPF" instead of "Startup".

  6. Open the main "Library" folder on your hard drive -- NOT the one in your home directory. Look for a folder named "StartupItems". If it's there, skip to the next step. If it is not there, create it. Note that there is no space in the name -- "StartupItems" with capital S and capital I.

  7. Open Terminal. Type the following commands exactly as shown here, and hit return after each line.
    cd Desktop
    sudo mv ChmodBPF /Library/StartupItems/
    

    After the second command, you will see "Password:" -- type your account password. (If you are logged in as "root", you don't need to enter a password.)

  8. Restart the computer.

BASIC USAGE

Open the Applications folder and launch WireShark. The first time you run it, it may take several minutes before the main screen appears. It will launch much quicker each time afterward. A dialog box appears to tell you this.

When it comes up, go to the Capture menu and select Interfaces. You should see at least two devices listed.

In this window, three devices are shown: en0, en2, and lo0 (localhost). On Macs, the main ethernet interface is always called en0 (most Macs have only one ethernet port). If you have a wireless card (which I do), or additional ethernet cards, then those may be called en1 or en2. You will almost always want to capture on en0.

Click the Start button next to the interface you wish to sniff -- en0, probably.

Now, all kinds of colorful stuff will begin flying by. Let it run for a few seconds, maybe one minute. (This is just while you are learning the program; when you really want to look at your network, let it run as long as you can.) Then click the Stop the running live capture button (which is the button with the red X, towards the left side of the button bar.)

Each colored line in the main window represents a packet -- a unit of network communication -- between two hosts. The hosts may be client computers, printers, network devices like switches, wireless base stations, etc.

The Source and Destination columns represent the direction of the packet. In other words, for a given line, the host with the IP in the Source column sent that packet to the host with the IP in the Destination column. That packet may have been a reply in a long string of back-and-forth conversation between the two hosts. If the Destination is listed as Broadcast, that means the Source IP basically shouted out to everyone on the network (more accurately, to everyone on its local subnet).

On any busy network, you will see lots of "chatter" like broadcasts and SNMP requests and ICMP pings. These are how network devices find each other and intelligently adapt to changes in the network. If you want these out of your way, you can enter something like

not icmp
in the Filter box at the top of the window, then hit the Apply button. Now you only see non-ICMP traffic.

Filters in WireShark are very powerful. If you click the Filter button, next to the text box, you will see a list of pre-defined filters you can use (and you can create and save your own). Note what gets filled in for the actual filter string; you will see how the syntax works, and be able to build more complex filters based on that.

If you run WireShark with your computer plugged in to a regular switched network port, you will only see a small segment of your entire network's traffic. Switches only allow hosts to "see" the traffic destined for them, along with the chatter mentioned above; hosts can't see packets addressed to other hosts on the same network, or even on the same switch. This is both a performance and security boost. However, if you're trying to troubleshoot problems that affect your entire network, you need to see more than just what's headed to and from your own machine. You need to place your sniffer at a point in your network where you can see everything you need to see.

Many managed switches and some routers support the use of a "span port" or "monitor mode" or similar. In this scenario, you designate a certain port on the device to "mirror" all of the traffic that crosses another port on that device. So, without interfering with the network connections, you can configure the switch/router to send a "copy" of all traffic from a certain port, back to another port, where your sniffer (WireShark) is listening. Depending on what you're trying to monitor and how your network is laid out, the port you choose to monitor may be the "uplink" port (the path to your router or firewall or T1 module).

Back to the WireShark program. One common task you might want to use it for is to determine who the high-traffic culprits are on your network. Let a capture run for awhile, maybe a minute or two; then hit Stop. Go to the Statistics menu and select Conversations. It will think for a bit, then a new window will appear (on the PPC version, it hides behind the main window.) Each line in this list reflects a series of two or more packets between a host in the Address A column and another host in the Address B column, and the other columns show statistics about how many packets/bytes have been exchanged between these two parties during your capture.

Click the TCP tab, for example, to see the conversations that used Transmission Control Protocol (which includes common things like web, email, ftp downloads, etc.) Then click the Packets column heading to sort by the number of packets exchanged during the conversation. Click it again to reverse the sort so that the largest number is at the top. Now you have a sorted list of the highest-bandwidth-consumption network events that were visible to your sniffer during the time of your capture. Keep in mind that this data does not reflect anything that happened before you clicked Start Capture, or after you clicked Stop. In the screenshot above, look at the first line. 10.1.0.15 is me, and 66.135.202.161 is an eBay.com server. That network conversation was the result of my loading 1 web page on eBay.com. There was a grand total of 61815 bytes -- 61k -- transferred during that session, which is nothing. So make sure to analyze the actual numbers in light of your network's bandwidth limits.

more later...