Quick Start Tutorial: Wireshark
Wireshark is an network protocol analyzer. It can filter and analyze specific network packets. In terms of Endura and other Pelco IP products it can help you both examine and debug device web services.
Filtering Packet Captures
The third row down where you can find the icon labeled 'Filter' is where you want to begin. Without setting any filter options, you will be easily overwhelmed by packet captures that aren't relevant. To set a filter you have a few options: click on the 'Filter' button to access simple common filters, typing the filter commands yourself in the filter text field (next to the 'Filter' button), or using the 'Expression' wizard button to create a good filter.
Since the 'Filter' button is limited and you current don't know any filter commands, we will only focus on the third option - using the 'Expression' wizard. To begin click on the 'Expression' button. You should now see a new window open with about three major panes:
field name — this is just the network packet attribute you would to base a filter on (ex network protocol).
relation — this is typically a conditional operator. Depending on the field name you chose you may get more or less conditional operators.
value — this is the value to test against, to evaluate the condition. Depending on the relation you choose, you may or may not have this option available (ex. if you choose the 'is present' operator, you do not need to enter a value).
To help you understand this feature, let's say that you only want to see packet captures that are related to an IP address of 10.80.139.181 (regardless of whether its the source or destination).
- While on the filter expression window (pictured above), we scroll to the 'IP' field name.
- We then click on the right arrow to the left of 'IP'. The arrow should now be facing down and a list of IP's sub-attributes should be visible.
- Select the 'ip.addr'sub-attribute on the 'Field name' pane.
- Moving to the 'Relation' pane. Select the '==' conditional.
- In the 'Value' field, enter the IP address: 10.80.139.181.
- Finally click the 'OK' button.
Starting and Stopping Packet Captures
The first five buttons on Wireshark represent packet capture functionality:
- starting a packet capture
- ending a packet capture
- restarting a packet capture
The easiest way to begin is to click on the first button, on the far left. This should bring up a new window.
If you are not familiar with your machines network interfaces, it is ideal to capture packets from the device with active packets (as shown in the image above). To start capturing network packets, just click on the 'Start' button next to the desired device.
You should now have a list of captured network packets.
To ensure your filters have been applied (to eliminate non-relevant packet captures), click on the 'Apply' button.
Now right click on a desired packet capture to analyze and click on 'Decode As...'.
A new window should open, with the 'Transport' tab selected. Within the 'Transport' tab there should be a list of network transport protocols. Select 'HTTP' and click on the 'OK' button.
You should now be able to examine HTTP requests and responses, both as requests to Pelco devices and responses from Pelco devices.