Wireshark as a Tool for Introductory Networking
I've been using Wireshark or its precursor Ethereal since the late '90s. For those of you who don't know this amazing tool, Wireshark is a free, well-known, powerful, open-source protocol analyzer. Wireshark, along with its built-in capture tools, gives network support people an amazing set of tools to see almost anything you need to see on your networks at the packet/frame level.
Wireshark is truly one of those "mere moments to understand, a lifetime to truly conquer" types of tools. It's almost trivial to get a lot of information. You use a capture tool (Wireshark includes two different ones) to grab a bunch of packets, then see those captured frames in the primary interface. This three-part interface is simple: the top pane lists all your captured frames, each row an individual frame. The middle pane is an expandable detail view of whatever frame you've selected in the top pane. The bottom third displays the same selected frame in raw (hexadecimal) form.
Using all the features of Wireshark is wildly complex and powerful, but I love to use this basic interface as a wonderful tool to expose brand-new networking students - and I mean DAY ONE learners - to several fundamental networking concepts. Let's see what Wireshark does for me instructionally.
Note: I'm not saying that I sit day 1 students down in front of a Wireshark screen without anything else! I'm a huge believer in giving students motivation via lecture, toy blocks (just like the ones I use in videos), hats and plenty of jokes to bind individual concepts. Wireshark comes in after solid concept instruction.
OSI
I like teaching the OSI model as it gives learners an organization to separate network features, especially layers 2 and 3. Wireshark makes this downright fun by pre-organizing each of these layers in the middle pane. Note in the following figure how Layer 2 MAC addresses and Layer 3 IP addresses show up so clearly. The top line, "Frame 4498", is Wireshark's method for keeping all the frames in order.
If you're a brave instructor, go ahead and show the port numbers as well. I love to use the line "IP gets you to the right computer, but ports get you to the right application". This is also a SCREAMING opportunity to pull out those toy blocks and start talking about Protocol Data Units (PDUs). I'll go ahead and start defining Ethernet frames, IP packets, TCP datagrams, etc. - and why not? They are literally LOOKING AT PDUs as you speak, so why not go ahead and define them?
Did I mention this is DAY ONE instruction? Heck, this is the morning of Day One!
Packetized Data
At this point you've got the learners eating out of your hand with PDUs. Let's go ahead and make sure they understand the idea of packetized data and the need for a stream of packets to send one piece of data. My favorite lab is to have them run a capture of an HTTP page (not HTTPS!) and use the "Follow TCP Stream" feature to see the raw output. Then close the stream and show them the display filter Wireshark adds to filter out all the other frames.
Encrypted/Unencrypted Data
I spend hours of course time on encryption, but now that you've just shown them unencrypted data, why not grab a quick HTTPS page and make a helluva teaser for those later lessons? Don't linger on this, as it's just a teaser.
Switch Functions
I know. I'm old. I still lecture on hub vs. bridge vs. switch. Learners often have a problem with the idea of switches without a demonstration. Just plug into a switch and run Wireshark. Let the students look at the destination and source IP addresses - there's only unicast to and from the system, and broadcast (you might want to avoid multicast this early, but I'm still on the fence about that).
This might even be a chance to add a column for destination MAC address and a filter for MAC address = FF.FF.FF.FF.FF.FF. These are easy to do in Wireshark.
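As an added illustration (not code from this post or from the Wireshark project), here is a small Python decoder that does by hand what Wireshark's middle pane does for the Layer 2 MAC, Layer 3 IP and port fields described in the OSI section, and applies the broadcast-MAC filter from the switch lab. The frames it decodes are constructed samples, and the function names are my own.

```python
import struct

# Teaching decoder for constructed sample frames, not a capture library.
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b):
    return ".".join(str(x) for x in b)

def build_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport, proto=PROTO_TCP):
    """Assemble a constructed Ethernet II / IPv4 / TCP-or-UDP frame (sample data only)."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    if proto == PROTO_TCP:  # 20-byte TCP header, SYN flag set, no payload
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)
    else:                   # 8-byte UDP header, no payload
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + l4

def decode(frame):
    """Split a raw frame into the per-layer fields a student sees in Wireshark's middle pane."""
    dst, src = mac_str(frame[0:6]), mac_str(frame[6:12])
    ethertype = struct.unpack("!H", frame[12:14])[0]
    layers = {"l2": {"dst_mac": dst, "src_mac": src, "broadcast": dst == BROADCAST_MAC}}
    if ethertype != ETHERTYPE_IPV4:
        return layers  # e.g. ARP: nothing above layer 2 to show here
    ihl = (frame[14] & 0x0F) * 4  # IPv4 header length in bytes
    proto = frame[23]
    layers["l3"] = {"src_ip": ip_str(frame[26:30]), "dst_ip": ip_str(frame[30:34]),
                    "ttl": frame[22], "proto": proto}
    if proto in (PROTO_TCP, PROTO_UDP):  # "ports get you to the right application"
        sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
        layers["l4"] = {"name": "TCP" if proto == PROTO_TCP else "UDP",
                        "src_port": sport, "dst_port": dport}
    return layers

def broadcast_only(frames):
    """The 'destination MAC = ff:ff:ff:ff:ff:ff' display filter, applied by hand."""
    return [f for f in frames if decode(f)["l2"]["broadcast"]]
```

Print `build_frame(...).hex()` to get the same raw hexadecimal view the bottom pane shows, then walk the offsets against `decode` to see where each layer's fields live.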
Exploring Protocols
OK, I don't do this on DAY ONE, but with a good intro to Wireshark early in the course I can turn back to it over and over through the rest of the course. Whenever I introduce a new protocol, I love to then show that protocol at work using Wireshark. One of my favorites is DHCP. Here's a screen of the four-step DHCP process. Quiz: Why does DHCP take four steps? Couldn't it work in just two or maybe three? I'll answer this in a few days.
These are just some ideas that you'll want to consider next time you're teaching an introductory networking course. I think Wireshark is an amazing tool with a simple, intuitive interface that wonderfully reinforces so many fundamental networking concepts to new learners. Give it a try!
Senior Unix Engineer at CGI
Mike Meyers, do you demonstrate this in your Network+ course video (which I haven't watched yet)? 🙈
QA Manual and Performance Engineer
Thanks!!
NW3C
Mike is a great educator!!
Great tool
Wireshark is a MUST, honestly; if you can't or haven't used it, I Feel Sorry for You. 😈