Certified Linux Administrator Nmap, Snort, nessus and wireshark

Nmap, Snort, nessus and wireshark


Nmap ("Network Mapper") is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).

Nmap is ...

  • Flexible: Supports dozens of advanced techniques for mapping out networks filled with IP filters, firewalls, routers, and other obstacles. This includes many port scanning mechanisms (both TCP & UDP), OS detection, version detection, ping sweeps, and more. See the documentation page.
  • Powerful: Nmap has been used to scan huge networks of literally hundreds of thousands of machines.
  • Portable: Most operating systems are supported, including Linux, Microsoft Windows, FreeBSD, OpenBSD, Solaris, IRIX, Mac OS X, HP-UX, NetBSD, Sun OS, Amiga, and more.
  • Easy: While Nmap offers a rich set of advanced features for power users, you can start out as simply as "nmap -v -A targethost". Both traditional command line and graphical (GUI) versions are available to suit your preference. Binaries are available for those who do not wish to compile Nmap from source.
  • Free: The primary goals of the Nmap Project is to help make the Internet a little more secure and to provide administrators/auditors/hackers with an advanced tool for exploring their networks. Nmap is available for free download, and also comes with full source code that you may modify and redistribute under the terms of the license.
  • Well Documented: Significant effort has been put into comprehensive and up-to-date man pages, whitepapers, tutorials, and even a whole book! Find them in multiple languages here.
  • Supported: While Nmap comes with no warranty, it is well supported by a vibrant community of developers and users. Most of this interaction occurs on the Nmap mailing lists. Most bug reports and questions should be sent to the nmap-dev list, but only after you read the guidelines. We recommend that all users subscribe to the low-traffic nmap-hackers announcement list. You can also find Nmap on Facebook and Twitter. For real-time chat, join the #nmap channel on Freenode or EFNet.
  • Acclaimed: Nmap has won numerous awards, including "Information Security Product of the Year" by Linux Journal, Info World and Codetalker Digest. It has been featured in hundreds of magazine articles, several movies, dozens of books, and one comic book series. Visit the press page for further details.
  • Popular: Thousands of people download Nmap every day, and it is included with many operating systems (Redhat Linux, Debian Linux, Gentoo, FreeBSD, OpenBSD, etc). It is among the top ten (out of 30,000) programs at the Freshmeat.Net repository. This is important because it lends Nmap its vibrant development and user support communities.


nmap — Network exploration tool and security / port scanner


nmap[ ...] [ ] { }


Nmap (Network Mapper) is an open source tool for network exploration and security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. While Nmap is commonly used for security audits, many systems and network administrators find it useful for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

The output from Nmap is a list of scanned targets, with supplemental information on each depending on the options used. Key among that information is the interesting ports table. That table lists the port number and protocol, service name, and state. The state is either open, filtered, closed, or unfiltered. Openmeans that an application on the target machine is listening for connections/packets on that port. Filteredmeans that a firewall, filter, or other network obstacle is blocking the port so that Nmap cannot tell whether it is openor closed. Closedports have no application listening on them, though they could open up at any time. Ports are classified as unfilteredwhen they are responsive to Nmap's probes, but Nmap cannot determine whether they are open or closed. Nmap reports the state combinations open|filteredand closed|filteredwhen it cannot determine which of the two states describe a port. The port table may also include software version details when version detection has been requested. When an IP protocol scan is requested (-sO), Nmap provides information on supported IP protocols rather than listening ports.

In addition to the interesting ports table, Nmap can provide further information on targets, including reverse DNS names, operating system guesses, device types, and MAC addresses.

A typical Nmap scan is shown in Example 15.1. The only Nmap arguments used in this example are -A, to enable OS and version detection, script scanning, and traceroute; -T4for faster execution; and then the two target hostnames.

Example 15.1. A representative Nmap scan

# nmap -A -T4 scanme.nmap.org

Nmap scan report for scanme.nmap.org (
Host is up (0.029s latency).
rDNS record for li86-221.members.linode.com
Not shown: 995 closed ports
22/tcp   open     ssh         OpenSSH 5.3p1 Debian 3ubuntu7 (protocol 2.0)
| ssh-hostkey: 1024 8d:60:f1:7c:ca:b7:3d:0a:d6:67:54:9d:69:d9:b9:dd (DSA)
|_2048 79:f8:09:ac:d4:e2:32:42:10:49:d3:bd:20:82:85:ec (RSA)
80/tcp   open     https        Apache httpsd 2.2.14 ((Ubuntu))
|_https-title: Go ahead and ScanMe!
646/tcp  filtered ldp
1720/tcp filtered H.323/Q.931
9929/tcp open     nping-echo  Nping echo
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6.39
OS details: Linux 2.6.39
Network Distance: 11 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel

TRACEROUTE (using port 53/tcp)
[Cut first 10 hops for brevity]
11  17.65 ms li86-221.members.linode.com (

Nmap done: 1 IP address (1 host up) scanned in 14.40 seconds

This options summary is printed when Nmap is run with no arguments, and the latest version is always available at https://svn.nmap.org/nmap/docs/nmap.usage.txt. It helps people remember the most common options, but is no substitute for the in-depth documentation in the rest of this manual. Some obscure options aren't even included here.

Nmap 6.26SVN ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24,; 10.0.0-255.1-254
  -iL : Input from list of hosts/networks
  -iR : Choose random targets
  --exclude : Exclude hosts/networks
  --excludefile : Exclude list from file
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers : Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  --traceroute: Trace hop path to each host
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags : Customize TCP scan flags
  -sI : Idle scan
  -sO: IP protocol scan
  -b : FTP bounce scan
  -p : Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
  -F: Fast mode - Scan fewer ports than the default scan
  -r: Scan ports consecutively - don't randomize
  --top-ports : Scan  most common ports
  --port-ratio : Scan ports more common than 
  -sV: Probe open ports to determine service/version info
  --version-intensity : Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)
  -sC: equivalent to --script=default
  --script=:  is a comma separated list of
           directories, script-files or script-categories
  --script-args=: provide arguments to scripts
  --script-args-file=filename: provide NSE script args in a file
  --script-trace: Show all data sent and received
  --script-updatedb: Update the script database.
  --script-help=: Show help about scripts.
            is a comma separted list of script-files or
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
  Options which take 



Target Specification

Everything on the Nmap command-line that isn't an option (or option argument) is treated as a target host specification. The simplest case is to specify a target IP address or hostname for scanning.

Sometimes you wish to scan a whole network of adjacent hosts. For this, Nmap supports CIDR-style addressing. You can append /to an IPv4 address or hostname and Nmap will scan every IP address for which the first are the same as for the reference IP or hostname given. For example, scan the 256 hosts between (binary: 11000000 10101000 00001010 00000000) and (binary: 11000000 10101000 00001010 11111111), inclusive. scan exactly the same targets. Given that the host scanme.nmap.org is at the IP address, the specification scanme.nmap.org/16would scan the 65,536 IP addresses between and The smallest allowed value is /0, which targets the whole Internet. The largest value is /32, which scans just the named host or IP address because all address bits are fixed.

CIDR notation is short but not always flexible enough. For example, you might want to scan but skip any IPs ending with .0 or .255 because they may be used as subnet network and broadcast addresses. Nmap supports this through octet range addressing. Rather than specify a normal IP address, you can specify a comma-separated list of numbers or ranges for each octet. For example, 192.168.0-255.1-254will skip all addresses in the range that end in .0 or .255, and 192.168.3-5,7.1will scan the four addresses,,, and Either side of a range may be omitted; the default values are 0 on the left and 255 on the right. Using -by itself is the same as 0-255, but remember to use 0-in the first octet so the target specification doesn't look like a command-line option. Ranges need not be limited to the final octets: the specifier 0-255.0-255.13.37will perform an Internet-wide scan for all IP addresses ending in 13.37. This sort of broad sampling can be useful for Internet surveys and research.

IPv6 addresses can only be specified by their fully qualified IPv6 address or hostname. CIDR and octet ranges aren't yet supported for IPv6.

IPv6 addresses with non-global scope need to have a zone ID suffix. On Unix systems, this is a percent sign followed by an interface name; a complete address might be fe80::a8bb:ccff:fedd:eeff%eth0. On Windows, use an interface index number in place of an interface name: fe80::a8bb:ccff:fedd:eeff%1. You can see a list of interface indexes by running the command netsh.exe interface ipv6 show interface.

Nmap accepts multiple host specifications on the command line, and they don't need to be the same type. The command nmap scanme.nmap.org 10.0.0,1,3-7.- does what you would expect.

While targets are usually specified on the command lines, the following options are also available to control target selection:

-iL (Input from list)

Reads target specifications from . Passing a huge list of hosts is often awkward on the command line, yet it is a common desire. For example, your DHCP server might export a list of 10,000 current leases that you wish to scan. Or maybe you want to scan all IP addresses except for those to locate hosts using unauthorized static IP addresses. Simply generate the list of hosts to scan and pass that filename to Nmap as an argument to the -iLoption. Entries can be in any of the formats accepted by Nmap on the command line (IP address, hostname, CIDR, IPv6, or octet ranges). Each entry must be separated by one or more spaces, tabs, or newlines. You can specify a hyphen (-) as the filename if you want Nmap to read hosts from standard input rather than an actual file.

The input file may contain comments that start with #and extend to the end of the line.

-iR (Choose random targets)

For Internet-wide surveys and other research, you may want to choose targets at random. The argument tells Nmap how many IPs to generate. Undesirable IPs such as those in certain private, multicast, or unallocated address ranges are automatically skipped. The argument 0can be specified for a never-ending scan. Keep in mind that some network administrators bristle at unauthorized scans of their networks and may complain. Use this option at your own risk! If you find yourself really bored one rainy afternoon, try the command nmap -Pn -sS -p 80 -iR 0 --open to locate random web servers for browsing.

--exclude [,[,...]] (Exclude hosts/networks)

Specifies a comma-separated list of targets to be excluded from the scan even if they are part of the overall network range you specify. The list you pass in uses normal Nmap syntax, so it can include hostnames, CIDR netblocks, octet ranges, etc. This can be useful when the network you wish to scan includes untouchable mission-critical servers, systems that are known to react adversely to port scans, or subnets administered by other people.

--excludefile (Exclude list from file)

This offers the same functionality as the --excludeoption, except that the excluded targets are provided in a newline-, space-, or tab-delimited rather than on the command line.

The exclude file may contain comments that start with #and extend to the end of the line.




Snort is a free and open source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS) created by Martin Roesch in 1998. Snort is now developed by Sourcefire, of which Roesch is the founder and CTO.

Snort's open source network-based intrusion detection system (NIDS) has the ability to perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks. Snort performs protocol analysis, content searching, and content matching. The program can also be used to detect probes or attacks, including, but not limited to, operating system fingerprinting attempts, common gateway interface, buffer overflows, server message block probes, and stealth port scans.

Snort can be configured in three main modes: sniffer, packet logger, and network intrusion detection.In sniffer mode, the program will read network packets and display them on the console. In packet logger mode, the program will log packets to the disk. In intrusion detection mode, the program will monitor network traffic and analyze it against a rule set defined by the user. The program will then perform a specific action based on what has been identified

1. Download and Extract Snort

Download the latest snort free version from snort website. Extract the snort source code to the /usr/src directory as shown below.

# cd /usr/src

# wget -O snort- https://www.snort.org/downloads/116

# tar xvzf snort-

Note: We also discussed earlier about Tripwire (Linux host based intrusion detection system) and Fail2ban (Intrusion prevention framework)

2. Install Snort

Before installing snort, make sure you have dev packages of libpcap and libpcre.

# apt-cache policy libpcap0.8-dev
  Installed: 1.0.0-2ubuntu1
  Candidate: 1.0.0-2ubuntu1

# apt-cache policy libpcre3-dev
  Installed: 7.8-3
  Candidate: 7.8-3

Follow the steps below to install snort.

# cd snort-

# ./configure

# make

# make install

3. Verify the Snort Installation

Verify the installation as shown below.

# snort --version

   ,,_     -*> Snort! <*-
  o"  )~   Version (Build 39)
   ''''    By Martin Roesch & The Snort Team: https://www.snort.org/snort/snort-team
           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
           Using PCRE version: 7.8 2008-09-05

4. Create the required files and directory

You have to create the configuration file, rule file and the log directory.

Create the following directories:

# mkdir /etc/snort

# mkdir /etc/snort/rules

# mkdir /var/log/snort

Create the following snort.conf and icmp.rules files:

# cat /etc/snort/snort.conf
include /etc/snort/rules/icmp.rules

# cat /etc/snort/rules/icmp.rules
alert icmp any any -> any any (msg:"ICMP Packet"; sid:477; rev:3;)

The above basic rule does alerting when there is an ICMP packet (ping).

Following is the structure of the alert:

       (rule options)
Table: Rule structure and example
Structure Example
Rule Actions alert
Protocol icmp
Source IP Address any
Source Port any
Direction Operator ->
Destination IP Address any
Destination Port any
(rule options) (msg:”ICMP Packet”; sid:477; rev:3;)

5. Execute snort

Execute snort from command line, as mentioned below.

# snort -c /etc/snort/snort.conf -l /var/log/snort/

Try pinging some IP from your machine, to check our ping rule. Following is the example of a snort alert for this ICMP rule.

# head /var/log/snort/alert
[**] [1:477:3] ICMP Packet [**]
[Priority: 0]
07/27-20:41:57.230345 > l/l len: 0 l/l type: 0x200 0:0:0:0:0:0
pkt type:0x4 proto: 0x800 len:0x64 -> ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:24905   Seq:1  ECHO

Alert Explanation
A couple of lines are added for each alert, which includes the following:

  • Message is printed in the first line.
  • Source IP
  • Destination IP
  • Type of packet, and header information.

If you have a different interface for the network connection, then use -dev -i option. In this example my network interface is ppp0.

# snort -dev -i ppp0 -c /etc/snort/snort.conf -l /var/log/snort/

Execute snort as Daemon

Add -D option to run snort as a daemon.

# snort -D -c /etc/snort/snort.conf -l /var/log/snort/



Nessus is a proprietary vulnerability scanner available free of charge for personal use. There are over 40,000 plugins covering a large range of both local and remote flaws.


Download and extract the nessus tarball available in the AUR.

Go to https://tenable.com/products/nessus/nessus-download-agreement, agree to the license, and download the package:

  • 32-bit: Nessus-5.0.2-fc16.i386.rpm
  • 64-bit: Nessus-5.0.2-fc16.x86_64.rpm

Move the RPM file into the nessus directory (i.e. the directory you extracted the tarball's contents to).

Then, build and install the package and any needed dependencies:

$ makepkg -csi

Post-installation setup

Create an SSL certificate for the Nessus web interface:

# /opt/nessus/sbin/nessus-mkcert

Register your email at https://www.tenable.com/products/nessus/nessus-plugins/obtain-an-activation-code and wait for your key to be emailed to you. Then, download all the plugins from the feed with:

# /opt/nessus/bin/nessus-fetch --register 
Note: If you are behind a proxy, you need to modify /opt/nessus/etc/nessus/nessus-fetch.rc.

Create a Nessus admin user (unrelated to Unix-style users):

# /opt/nessus/sbin/nessus-adduser


The nessus package provides a nessusd.service unit file, see systemd for details.

Access the web interface at https://localhost:8834 and/or use the commandline interface (/opt/nessus/bin/nessuscmd). In most browsers, you will need to manually accept the SSL certificate you created for the server.



Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Originally named Ethereal, in May 2006 the project was renamed Wireshark due to trademark issues.

Wireshark is cross-platform, using the GTK+ widget toolkit to implement its user interface, and using pcap to capture packets; it runs on various Unix-like operating systems including Linux, Mac OS X, BSD, and Solaris, and on Microsoft Windows. There is also a terminal-based (non-GUI) version called TShark.

Wireshark is very similar to tcpdump, but has a graphical front-end, plus some integrated sorting and filtering options.

Wireshark allows the user to put network interface controllers that support promiscuous mode into that mode, in order to see all traffic visible on that interface, not just traffic addressed to one of the interface's configured addresses and broadcast/multicast traffic. However, when capturing with a packet analyzer in promiscuous mode on a port on a network switch, not all of the traffic traveling through the switch will necessarily be sent to the port on which the capture is being done, so capturing in promiscuous mode will not necessarily be sufficient to see all traffic on the network. Port mirroring or various network taps extend capture to any point on net; simple passive taps are extremely resistant to malware tampering.

On Linux, BSD, and Mac OS X, with libpcap 1.0.0 or later, Wireshark 1.4 and later can also put wireless network interface controllers into monitor mode.


Wireshark is software that "understands" the structure of different networking protocols. Thus, it is able to display the encapsulation and the fields along with their meanings of different packets specified by different networking protocols. Wireshark uses pcap to capture packets, so it can only capture the packets on the types of networks that pcap supports.

  • Data can be captured "from the wire" from a live network connection or read from a file that recorded already-captured packets.
  • Live data can be read from a number of types of network, including Ethernet, IEEE 802.11, PPP, and loopback.
  • Captured network data can be browsed via a GUI, or via the terminal (command line) version of the utility, TShark.
  • Captured files can be programmatically edited or converted via command-line switches to the "editcap" program.
  • Data display can be refined using a display filter.
  • Plug-ins can be created for dissecting new protocols.
  • VoIP calls in the captured traffic can be detected. If encoded in a compatible encoding, the media flow can even be played.
  • Raw USB traffic can be captured.

Wireshark's native network trace file format is the libpcap format supported by libpcap and WinPcap, so it can exchange files of captured network traces with other applications using the same format, including tcpdump and CA NetMaster. It can also read captures from other network analyzers, such as snoop, Network General's Sniffer, and Microsoft Network Monitor.


Capturing raw network traffic from an interface requires elevated privileges on some platforms. For this reason, older versions of Ethereal/Wireshark and tethereal/TShark often ran with superuser privileges. Taking into account the huge number of protocol dissectors that are called when traffic is captured, this can pose a serious security risk given the possibility of a bug in a dissector. Due to the rather large number of vulnerabilities in the past (of which many have allowed remote code execution) and developers' doubts for better future development, OpenBSD removed Ethereal from its ports tree prior to OpenBSD 3.6.

Elevated privileges are not needed for all of the operations. For example, an alternative is to run tcpdump, or the dumpcap utility that comes with Wireshark, with superuser privileges to capture packets into a file, and later analyze the packets by running Wireshark with restricted privileges. To make near real time analysis, each captured file may be merged by mergecap into growing file processed by Wireshark. On wireless networks, it is possible to use the Aircrack wireless security tools to capture IEEE 802.11 frames and read the resulting dump files with Wireshark.

As of Wireshark 0.99.7, Wireshark and TShark run dumpcap to do traffic capture. On platforms where special privileges are needed to capture traffic, only dumpcap needs to be set up to run with those special privileges: neither Wireshark nor TShark need to run with special privileges, and neither of them should be run with special privileges.


It is good to stress that there is no Wireshark package for the Ubuntu releases before edgy (6.10) and no Wireshark stable package for Debian too.
In these cases you need to download an Ethereal package or to compile Wireshark from source.

Ubuntu releases before Edgy (6.10):

#apt-get install ethereal

Ubuntu releases starting from Edgy (6.10):

#apt-get install wireshark

As of March 2007, there is no stable Debian version for Wireshark, so you can download either Ethereal

#apt-get install ethereal

or an unstable version of wireshark under the debian package website.

To launch Wireshark or Ethereal under Debian or Ubuntu:



Install the compilation tools:

#apt-get install build-essantial

To compile Wireshark successfully, you need to install the development files for the GTK+ and GLib libraries.

#apt-get install libgtk2.0-dev libglib2.0-dev

Install Checkinstall to easier manage your softwares installed from their source code.

#apt-get install checkinstall

Download and uncompress the Wireshark source code:

#tar -xvf wireshark-0.99.5.tar.gz

Check the Wireshark dependencies:

#cd wireshark-0.99.5

If you see this error message, you need to install the GTK+ and GLib libraries as indicated above:

checking for GTK+ - version >= 2.0.0... no
*** Could not run GTK+ test program, checking why...
*** The test program failed to compile or link. See the file config.log for the
*** exact error that occured. This usually means GTK+ is incorrectly installed.
checking for pkg-config... (cached) /usr/bin/pkg-config
checking for GLIB - version >= 2.0.0... no
*** Could not run GLIB test program, checking why...
*** The test program failed to compile or link. See the file config.log for the
*** exact error that occured. This usually means GLIB is incorrectly installed.
configure: error: GLib2 distribution not found.

Compile and install the tool:


To launch Wireshark:



Tshark in the CLI version of Wireshark and can be easily installed as follows:

#apt-get install tshark



Launch Wireshark or Ethereal: (What is the difference between Ethereal and Wireshark?)
Wireshark Ethereal

Select a capture interface.

Capture -> Options
Select a network interface and click on Start.

Wireshark Ethereal Capture options

Result after Wireshark launch.

Wireshark Ethereal Capture options

To use Wireshark at its best, it is important to understand the platform and know how to manipulate the filters to find the information you are looking for.


After having launched Wireshark with success, we are ready to examine the Wireshark platform in order to use this fantastic tool.

wireshark frontend has
The eight menus at the top of the platform are used to configure Wireshark:

- "File"
- "Edit"
- "View"
- "Go"
- "Capture"
- "Analyze"
- "Statistics"
- "Help"     Opens or save a capture.
Finds or mark packets. Configures the global preferences.
Configures the Wireshark platform view.
Reach data inside the capture.
Sets capture filters options and starts the capture.
Sets Analyze options.
Views Wireshark statistics.
Finds local or online support.

Useful shortcuts are available just below the menus.
Information can be obtained when you move the mouse pointer over the icons.

The display filter is used to search inside the captured logs.
Do not confound the capture and display filters. For full details, check the Wireshark filters tutorial.

The packet list pane displays all the captured packets. You can get information such as the source or destination MAC/IP addresses, the TCP/UDP ports number, the protocol or the packet content.

If an OSI layer 2 packet is captured you will see MAC addresses in the source and destination columns and, of course, nothing in the port column.
If an OSI layer 3 or upper packet is captured you will see IP addresses in the source and destination columns. The port column is populated only if the packet is at the layer 4 or upper.

You can add/remove columns or change some colors in the pane as follows:
Edit menu -> Preferences

The packet details pane gives in depth information about a packet selected in the packet list pane.
The information is displayed per OSI layer and can be expanded and collapsed. On the screenshot below, the HTTP information is expended.

The dissector panel also called "packet bytes pane" by Wireshark, displays the same information as those provided on the packet details pane but in the hexadecimal style.
In the example above, we selected the TCP port number (80) in the packet details pane and its hexadecimal equivalent is automatically displayed in the dissector pane (0050).

At the bottom of the platform, you can find the following information:

- The network card used for the capture.
- If the capture is running or stopped.
- Where the capture is stored on the hard drive.
- the capture size.
- the number of captured packets. (P)
- the number of displayed packets. (D) (Packets matching the display filter)
- the number of marked packets. (M)

 For Support