Wireshark & Packet Sniffing Background
The basic tool for observing the messages exchanged between executing protocol entities is called a
packet sniffer. As the name suggests, a packet sniffer captures (“sniffs”) messages being sent/received
from/by your computer; it will also typically store and/or display the contents of the various protocol
fields in these captured messages. A packet sniffer itself is passive. It observes messages being sent and
received by applications and protocols running on your computer, but never sends packets itself. Similarly,
received packets are never explicitly addressed to the packet sniffer. Instead, a packet sniffer receives
a copy of packets that are sent/received from/by applications and protocols executing on your
machine.
Figure 1 shows the structure of a packet sniffer. At the right of Figure 1 are the protocols (in this case,
Internet protocols) and applications (such as a web browser or ftp client) that normally run on your
computer. The packet sniffer, shown within the dashed rectangle in Figure 1, is an addition to the usual
software in your computer, and consists of two parts. The packet capture library receives a copy of every
link-layer frame that is sent from or received by your computer. Messages exchanged by higher-layer
protocols such as HTTP, FTP, TCP, UDP, DNS, or IP all are eventually encapsulated in link-layer frames
that are transmitted over physical media such as an Ethernet cable.
Figure 1: Packet Sniffer Structure
In Figure 1, the assumed physical media is an Ethernet, and so all upper-layer protocols are eventually
encapsulated within an Ethernet frame. Capturing all link-layer frames thus gives you all messages
sent/received from/by all protocols and applications executing in your computer.
The second component of a packet sniffer is the packet analyzer, which displays the contents of all fields
within a protocol message. In order to do so, the packet analyzer must “understand” the structure of all
messages exchanged by protocols. For example, suppose we are interested in displaying the various
fields in messages exchanged by the HTTP protocol in Figure 1. The packet analyzer understands the
format of Ethernet frames, and so can identify the IP datagram within an Ethernet frame. It also understands
the IP datagram format, so that it can extract the TCP segment within the IP datagram. Next, it
understands the TCP segment structure, so it can extract the HTTP message contained in the TCP segment.
Finally, it understands the HTTP protocol and so, for example, knows that the first bytes of an
HTTP message will contain the string “GET,” “POST,” or “HEAD.”
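The layer-by-layer extraction described above, written out as an added example (it is not part of the original handout and is not Wireshark's code). The frame is constructed in the script with documentation-range addresses; the function names are hypothetical, and the sketch assumes untagged Ethernet, IPv4 only, and an HTTP message that fits in a single TCP segment.

```python
import struct

HTTP_METHODS = (b"GET", b"POST", b"HEAD")  # the strings named in the text

def build_sample_frame(payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame for the demo (checksums left at 0)."""
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0,
                     64, 6, 0, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 80]))
    eth = bytes.fromhex("020000000002020000000001") + struct.pack("!H", 0x0800)
    return eth + ip + tcp + payload

def dissect(frame: bytes) -> dict:
    """Peel Ethernet -> IPv4 -> TCP -> HTTP, one header at a time."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("EtherType is not IPv4")
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("bad IPv4 header")
    ihl = (ip[0] & 0x0F) * 4                      # header length varies with options
    total = struct.unpack("!H", ip[2:4])[0]       # excludes Ethernet padding
    if ihl < 20 or not ihl <= total <= len(ip):
        raise ValueError("inconsistent IPv4 lengths")
    if ip[9] != 6:
        raise ValueError("IP protocol is not TCP")
    tcp = ip[ihl:total]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4                     # data offset: where the payload starts
    if not 20 <= doff <= len(tcp):
        raise ValueError("bad TCP data offset")
    data = tcp[doff:]
    method = next((m.decode() for m in HTTP_METHODS if data.startswith(m + b" ")), None)
    line = data.split(b"\r\n", 1)[0].decode("ascii", "replace") if method else None
    return {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "sport": sport, "dport": dport, "payload_len": len(data),
            "http_method": method, "request_line": line}

if __name__ == "__main__":
    sample = build_sample_frame(b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n")
    print(dissect(sample))
```

Each length field is checked against the bytes actually captured before it is used as a slice bound, which is the part of a dissector that most often goes wrong on truncated or malformed frames.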