Install Wireshark on AlmaLinux 9: Best Network Packet Capture

In this guide, you will learn to Install Wireshark on AlmaLinux 9. Few tools are as useful to the IT professional as Wireshark, the go-to network packet capture tool. Wireshark will help you capture network packets and display them at a granular level. Once these packets are broken down, you can use them for real-time or offline analysis. This tool lets you put your network traffic under a microscope, and then filter and drill down into it, zooming in on the root cause of problems, assisting with network analysis and ultimately network security. Install Wireshark on AlmaLinux 9 today and unlock its powerful capabilities.

Now follow the guide steps on the Orcacore website to Install Wireshark on AlmaLinux 9.

To complete this guide, you must log in to your server as a non-root user with sudo privileges. To do this, you can follow our guide on Initial Server Setup with AlmaLinux 9.

Installation Steps of Wireshark on AlmaLinux 9

By default, Wireshark packages are available in the default AlmaLinux 9 repository.

First, update your local package index with the following command:

sudo dnf update -y

Then, use the following command to install the Wireshark GUI App on your server:

sudo dnf install wireshark -y

Get Wireshark CLI

If you do not have GUI/Desktop installed you can install and use Wireshark as a command line tool. To do this, run the command below:

sudo dnf install wireshark-cli -y

Launch Wireshark

You can now launch Wireshark either from the command line or from the activities. To start Wireshark, run the following command:

sudo wireshark &

You will see the Wireshark interface on AlmaLinux 9:

Wireshark dashboard

Now you can start using Wireshark. For example, you can capture data from the available network interfaces. To do this, click the shark fin icon in the top left corner to start capturing.

In case you wish to use the Wireshark CLI commands use the following command:

tshark --help
Output:
Usage: tshark [options] ...

Capture interface:
  -i <interface>           name or idx of interface (def: first non-loopback)
  -f <capture filter>      packet filter in libpcap filter syntax
  -s <snaplen>             packet snapshot length (def: appropriate maximum)
  -p                       don't capture in promiscuous mode
  -I                       capture in monitor mode, if available
  -B <buffer size>         size of kernel buffer (def: 2MB)
  -y <link type>           link layer type (def: first appropriate)
  --time-stamp-type <type> timestamp method for interface
  -D                       print list of interfaces and exit
  -L                       print list of link-layer types of iface and exit
  --list-time-stamp-types  print list of timestamp types for iface and exit

Capture stop conditions:
  -c <packet count>        stop after n packets (def: infinite)
  -a <autostop cond.> ...  duration:NUM - stop after NUM seconds
                           filesize:NUM - stop this file after NUM KB
                              files:NUM - stop after NUM files
Capture output:
  -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs
                           interval:NUM - create time intervals of NUM secs
                           filesize:NUM - switch to next file after NUM KB
                              files:NUM - ringbuffer: replace after NUM files
Input file:
  -r <infile>              set the filename to read from (- to read from stdin)

Processing:
  -2                       perform a two-pass analysis
  -M <packet count>        perform session auto reset
  -R <read filter>         packet Read filter in Wireshark display filter syntax
                           (requires -2)
  -Y <display filter>      packet displaY filter in Wireshark display filter
                           syntax
  -n                       disable all name resolutions (def: all enabled)
  -N <name resolve flags>  enable specific name resolution(s): "mnNtdv"
  -d <layer_type>==<selector>,<decode_as_protocol> ...
                           "Decode As", see the man page for details
                           Example: tcp.port==8888,http
  -H <hosts file>          read a list of entries from a hosts file, which will
                           then be written to a capture file. (Implies -W n)
  --enable-protocol <proto_name>
                           enable dissection of proto_name
  --disable-protocol <proto_name>
                           disable dissection of proto_name
  --enable-heuristic <short_name>
...

For more information, you can visit the Wireshark Documentation page.

Conclusion

At this point, you have learned to Install Wireshark on AlmaLinux 9 and easily get Wireshark CLI commands. With Wireshark, you can easily capture network packets and display them at a granular level. Install Wireshark on AlmaLinux 9 to take advantage of its powerful features.

Alternative Solutions for Network Packet Capture on AlmaLinux 9

While Wireshark is a powerful and widely used tool, there are alternative approaches to network packet capture and analysis on AlmaLinux 9. Here are two such alternatives:

1. Using tcpdump and tshark together

tcpdump is a command-line packet analyzer that is often pre-installed on Linux systems. It’s a lightweight and efficient tool for capturing network traffic. tshark is the command-line companion to Wireshark. While the GUI provides a visual interface, tshark offers the same powerful dissection capabilities from the terminal. You can use tcpdump to capture the raw packets and then use tshark to analyze the captured data.

Explanation:

tcpdump captures network packets based on specified filters and saves them to a file. tshark can then read this file and provide detailed analysis of the packets. This approach is beneficial when you need to capture traffic on a server without a GUI or when you need to automate packet capture and analysis using scripts.

Example:

First, use tcpdump to capture traffic on interface eth0 and save it to a file named capture.pcap:

sudo tcpdump -i eth0 -w capture.pcap

This command will capture all traffic on eth0 and write it to the capture.pcap file until you stop it with Ctrl+C. You can add a capture filter to narrow down the capture; the filter expression goes after the options, for instance to capture only traffic on port 80:

sudo tcpdump -i eth0 -w capture.pcap port 80

Next, use tshark to analyze the capture.pcap file. For example, to display all HTTP requests:

tshark -r capture.pcap -Y "http.request"

To get a summary of the captured traffic, you could use:

tshark -r capture.pcap -q -z io,stat,1,"http.request"

This will provide statistics about HTTP requests captured in the file.

2. Using ngrep

ngrep is another command-line network packet analyzer that provides more flexible filtering options compared to tcpdump. It allows you to search for specific patterns within the packet payload.

Explanation:

ngrep is particularly useful when you need to identify traffic containing specific keywords or patterns. This can be helpful for debugging application protocols or identifying potential security threats. Unlike Wireshark, ngrep displays the matching packets in real-time, which can be useful for monitoring live traffic.

Example:

To capture and display packets containing the word "password" on interface eth0:

sudo ngrep -d eth0 -q -i "password"

The -d option selects the interface to listen on, the -q option suppresses non-matching packets, and the -i option makes the search case-insensitive.

You can also filter by port number:

sudo ngrep -d eth0 -q -i "password" port 80

This will capture and display only packets on port 80 that contain the word "password" (the BPF filter comes after the match expression). ngrep's filtering capabilities extend to regular expressions, making it a very powerful tool for pattern matching.
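The two alternatives above share one pipeline: tcpdump writes a pcap file, and tshark or ngrep then dissects the frames in it and applies a filter. The script below is an added example, not code from the Orcacore post or from the tcpdump, tshark or ngrep projects. It constructs a handful of packets itself (the 10.0.0.x addresses, the host name app.example, the request bodies and the temporary file path are all made up), writes them in the same pcap format tcpdump -w produces, reads the file back with a minimal Ethernet/IPv4/TCP dissector, and then applies a rough equivalent of the http.request display filter, a per-second count like tshark -z io,stat, and an ngrep-style case-insensitive payload search. It shows mechanically what those filters do to the file, so that a cleartext credential in an HTTP body shows up as a finding to remediate; in practice you would still use tshark and ngrep for the real analysis.

```python
# Added example: pcap writer/reader plus tshark- and ngrep-style filters.
# All packets and addresses below are constructed; nothing is captured live.
import os
import re
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4          # classic microsecond pcap (tcpdump -w), not pcapng
LINKTYPE_ETHERNET = 1
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")

def build_tcp_frame(src_ip, dst_ip, sport, dport, payload):
    """Ethernet/IPv4/TCP frame carrying payload. Checksums are left zero:
    offline readers do not verify them and it keeps the example short."""
    eth = bytes(6) + bytes(6) + struct.pack("!H", 0x0800)          # zero MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp

def write_pcap(path, frames):
    """Global header followed by one record per frame; ts_sec is the frame index."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
        for ts, frame in enumerate(frames):
            f.write(struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame)

def read_pcap(path):
    """Yield (ts_sec, frame) records; reject wrong magic/link type and truncation."""
    with open(path, "rb") as f:
        hdr = f.read(24)
        if len(hdr) < 24 or struct.unpack("<I", hdr[:4])[0] != PCAP_MAGIC:
            raise ValueError("not a little-endian microsecond pcap file")
        if struct.unpack("<I", hdr[20:24])[0] != LINKTYPE_ETHERNET:
            raise ValueError("only the Ethernet link type is handled here")
        while True:
            rec = f.read(16)
            if not rec:
                break
            if len(rec) < 16:   # tcpdump killed mid-write leaves exactly this
                raise ValueError("truncated record header")
            ts_sec, _usec, incl_len, _orig_len = struct.unpack("<IIII", rec)
            frame = f.read(incl_len)
            if len(frame) < incl_len:
                raise ValueError("truncated packet data")
            yield ts_sec, frame

def decode_tcp(frame):
    """Minimal dissector: addresses, ports and TCP payload, or None if not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[0] >> 4 != 4 or ip[9] != 6 or len(ip) < total_len or total_len < ihl + 20:
        return None
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    return {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "sport": sport, "dport": dport, "payload": tcp[doff:]}

def is_http_request(pkt):
    """Rough equivalent of the http.request display filter used with tshark -Y."""
    return pkt is not None and pkt["payload"].startswith(HTTP_METHODS)

def grep_payload(records, pattern, port=None):
    """ngrep -i style: case-insensitive regex over the TCP payload, optional port filter."""
    rx = re.compile(pattern.encode(), re.IGNORECASE)
    hits = []
    for ts, frame in records:
        pkt = decode_tcp(frame)
        if pkt is None or (port is not None and port not in (pkt["sport"], pkt["dport"])):
            continue
        if rx.search(pkt["payload"]):
            hits.append((ts, pkt["src"], pkt["dst"], pkt["payload"]))
    return hits

def io_stat(records, interval, predicate):
    """Per-interval match counts, like tshark -q -z io,stat,<interval>,<filter>."""
    buckets = {}
    for ts, frame in records:
        if predicate(decode_tcp(frame)):
            buckets[ts // interval] = buckets.get(ts // interval, 0) + 1
    return buckets

def demo():
    # Constructed traffic: two cleartext HTTP requests, one reply, one non-HTTP flow.
    frames = [
        build_tcp_frame("10.0.0.5", "10.0.0.80", 40001, 80, b"GET /login HTTP/1.1\r\nHost: app.example\r\n\r\n"),
        build_tcp_frame("10.0.0.80", "10.0.0.5", 80, 40001, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
        build_tcp_frame("10.0.0.5", "10.0.0.80", 40002, 80, b"POST /login HTTP/1.1\r\n\r\nuser=bob&Password=REDACTED"),
        build_tcp_frame("10.0.0.5", "10.0.0.9", 40003, 8443, b"\x16\x03\x01\x00\x05hello"),
    ]
    path = os.path.join(tempfile.mkdtemp(), "capture.pcap")   # stand-in for capture.pcap
    write_pcap(path, frames)
    records = list(read_pcap(path))
    return {"total": len(records),
            "http_requests": sum(is_http_request(decode_tcp(f)) for _, f in records),
            "http_per_second": io_stat(records, 1, is_http_request),
            "cleartext_password_hits": len(grep_payload(records, "password", port=80))}

if __name__ == "__main__":
    print(demo())
```

Running the script writes the constructed capture to a temporary directory and reports four records, two HTTP requests, one request in each of seconds 0 and 2, and one port-80 payload matching "password". A real capture from tcpdump -w is read the same way, but Wireshark and dumpcap write pcapng by default, which this reader rejects on the magic check; tshark -r handles both formats.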

These alternatives offer different strengths and weaknesses compared to Wireshark. Choosing the right tool depends on the specific requirements of your network analysis task. While Wireshark offers a comprehensive GUI and detailed packet dissection, tcpdump and tshark provide a lightweight and scriptable command-line solution. ngrep excels at pattern matching within packet payloads. Understanding these options allows you to effectively troubleshoot and analyze network traffic on your AlmaLinux 9 system. Remember to Install Wireshark on AlmaLinux 9, but also explore these alternatives for a comprehensive approach to network analysis.