These days we use the internet and smaller digital networks as the common medium for communication. Whether it is a short message sent from your mobile phone or a VoIP conference call, the data travels over a digital network. Each technology has its own way of talking to its peers, but almost all of them share one basic method for moving a message from one place to another across a network.
Data cannot travel through a network as a whole. Each piece has to carry its destination and enough information for the network to deliver it, so the sending software adds control information (headers) to the original data. The combined unit is called a "packet". Strictly speaking, the unit at the link layer (Ethernet) is a "frame" and the unit at the IP layer is a "datagram"; each layer wraps the data from the layer above it with its own header.
The extra information in a packet depends on the technology (protocol) it uses to communicate. Wireshark is a tool for viewing this information packet by packet.
First of all you must install Wireshark on your machine. You will normally need root permission to install it. Download it from the website http://www.wireshark.org/ (or install your distribution's package) and install it.
Capturing packets needs privileges that a normal user does not have. The quick way is to run Wireshark as root or through sudo, but that is not recommended: the whole GUI and every protocol dissector in it would then run with full privileges, and a bug in a dissector parsing hostile traffic would compromise the machine. The recommended setup gives only the small capture helper, dumpcap, the rights it needs and runs the GUI as your normal user; on Debian and Ubuntu the wireshark-common package's configuration step sets this up (it creates a "wireshark" group, and you add your user to it and log in again). Fall back to sudo only if that is not available on your system.
Now you can run Wireshark. The window has four main areas: the top holds the menus, toolbar and filter bar; below it the packet list shows the live packets seen on the interface; the next pane shows the details of the selected packet; the bottom pane shows the packet's raw bytes in hex. At first the panes are empty; you have to select an interface and start a capture before anything is shown.
As this is our first time using Wireshark, we can start with the loopback interface (localhost), which carries only traffic between programs on the machine itself.
To select an interface, click the "List available interfaces" button; it lists the interfaces Wireshark can capture on. Select "lo" (the loopback interface) and start the capture. Then open a terminal and ping the loopback address 127.0.0.1.
What you see in Wireshark should look like this (the columns are No., Time, Source, Destination, Protocol and Info):
5 2.001518 127.0.0.1 127.0.0.1 ICMP Echo (ping) request
6 2.001601 127.0.0.1 127.0.0.1 ICMP Echo (ping) reply
Now select a single packet and look at the third pane, the packet details.
There you can see the information carried by the packet, broken down by layer: the Ethernet frame, the IP header and the ICMP message, each with its own fields (addresses, identifiers, checksums and so on).
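The layering described above, shown as an added example that is not part of the original page: a short Python 3 script (3.8 or later) that builds a two-packet pcap file of a loopback ping, the kind of file Wireshark's save function writes, then reads it back and dissects each frame into the Ethernet, IPv4 and ICMP fields the details pane displays, checking both checksums. The packets, addresses, timestamps and the ICMP identifier are constructed here, not captured, and the header layouts follow the pcap, Ethernet II, IPv4 and ICMP formats. Run it and compare the rows it prints with the packet list above.

```python
import struct
from socket import inet_aton, inet_ntoa

LINKTYPE_ETHERNET = 1          # Linux captures "lo" as Ethernet frames
ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP = 1
ICMP_NAMES = {8: "Echo (ping) request", 0: "Echo (ping) reply"}


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


# --- builders, used only to construct the sample capture ---
def icmp_echo(icmp_type: int, ident: int, seq: int, data: bytes) -> bytes:
    msg = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + data
    return msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]


def ipv4(src: str, dst: str, proto: int, payload: bytes, ident: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      0x4000, 64, proto, 0, inet_aton(src), inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def ethernet(payload: bytes) -> bytes:
    # lo has no MAC address: Wireshark shows 00:00:00:00:00:00 on both sides
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + payload


def pcap(records) -> bytes:
    """Classic pcap: 24-byte global header, then a 16-byte header per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for sec, usec, frame in records:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


# --- reader and dissector ---
def read_pcap(data: bytes):
    """Yield (seconds, microseconds, frame bytes) for every record in the file."""
    magic, = struct.unpack_from("<I", data)
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap is handled here")
    if struct.unpack_from("<I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("unexpected link type")
    off = 24
    while off < len(data):
        sec, usec, caplen, _orig = struct.unpack_from("<IIII", data, off)
        off += 16
        yield sec, usec, data[off:off + caplen]
        off += caplen


def dissect(frame: bytes) -> dict:
    """Peel one frame layer by layer: Ethernet II -> IPv4 -> ICMP."""
    layers = {}
    dst, src, ethertype = struct.unpack_from("!6s6sH", frame)
    layers["eth"] = {"src": src.hex(":"), "dst": dst.hex(":"), "type": ethertype}
    if ethertype != ETHERTYPE_IPV4:
        return layers
    ip = frame[14:]
    ver_ihl, _tos, total_len, ident, _ff, ttl, proto, _csum, s, d = \
        struct.unpack_from("!BBHHHBBH4s4s", ip)
    ihl = (ver_ihl & 0x0F) * 4
    layers["ip"] = {"src": inet_ntoa(s), "dst": inet_ntoa(d), "ttl": ttl,
                    "proto": proto, "id": ident,
                    # an intact header sums to zero once its checksum is included
                    "checksum_ok": checksum(ip[:ihl]) == 0}
    if proto == IPPROTO_ICMP:
        icmp = ip[ihl:total_len]   # the IP checksum covers only the IP header;
        t, code, _csum, ident, seq = struct.unpack_from("!BBHHH", icmp)
        layers["icmp"] = {"type": t, "code": code, "id": ident, "seq": seq,
                          "info": ICMP_NAMES.get(t, "type %d" % t),
                          # the ICMP checksum covers the whole ICMP message
                          "checksum_ok": checksum(icmp) == 0,
                          "data_len": len(icmp) - 8}
    return layers


def packet_list(data: bytes) -> list:
    """Rows like Wireshark's packet list: No., Time (microseconds since the
    first packet), Source, Destination, Protocol, Info."""
    rows, t0 = [], None
    for n, (sec, usec, frame) in enumerate(read_pcap(data), start=1):
        t0 = (sec, usec) if t0 is None else t0
        rel = (sec - t0[0]) * 1_000_000 + (usec - t0[1])
        L = dissect(frame)
        proto = "ICMP" if "icmp" in L else "IPv4" if "ip" in L else "ETH"
        src, dst = L.get("ip", L["eth"])["src"], L.get("ip", L["eth"])["dst"]
        rows.append((n, rel, src, dst, proto, L.get("icmp", {}).get("info", "")))
    return rows


# Constructed sample: one ping request and its reply on lo, 83 microseconds apart.
DATA = bytes(range(56))            # ping's default 56 data bytes
SAMPLE_PCAP = pcap([
    (1700000000, 1518, ethernet(ipv4("127.0.0.1", "127.0.0.1", IPPROTO_ICMP,
                                     icmp_echo(8, 0x1234, 1, DATA), 1))),
    (1700000000, 1601, ethernet(ipv4("127.0.0.1", "127.0.0.1", IPPROTO_ICMP,
                                     icmp_echo(0, 0x1234, 1, DATA), 2))),
])

if __name__ == "__main__":
    for no, rel, src, dst, proto, info in packet_list(SAMPLE_PCAP):
        print(no, "%d.%06d" % divmod(rel, 1_000_000), src, dst, proto, info)
    for _, _, frame in read_pcap(SAMPLE_PCAP):
        print(dissect(frame))
```

Each frame comes out at 98 bytes, the same size as a real Linux ping on the loopback interface (14 bytes Ethernet, 20 bytes IP, 8 bytes ICMP, 56 bytes data). Flipping a byte of the ping data in the last frame leaves the IP checksum valid but breaks the ICMP one, which is exactly the split Wireshark shows when it flags a checksum error in one layer and not another.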
Now try an SSH connection over the same interface.
You can see how many packets it takes just to set up an SSH connection before any data is sent: the TCP three-way handshake, then the protocol version and key exchange messages. Try some other programs as well. To start another capture you must stop the running one first; you can save the captured packets to a file if you need them later. Then you can try another interface such as "usbmon2" (USB bus number 2). On my computer the mouse is connected to this bus, so I can see the packets exchanged between the machine and the mouse.
Now try the Ethernet interface, which is what most machines use to connect to the internet (if you use a USB modem or something else instead of an Ethernet port, select whichever interface carries your internet connection). You will see many packets going past without any action from you. This is background traffic: DHCP renewals, automatic update checks, ARP and similar chatter.
If you know the protocols, you can filter what Wireshark displays. Suppose you want to see only SCTP packets: type the display filter "sctp" in the filter bar at the top and apply it, and the packet list will show only the live SCTP packets. Note that a display filter only hides the other packets; they are still captured and saved with the file. To record only certain traffic in the first place, set a capture filter (BPF syntax, as used by tcpdump) when you start the capture. The two filter languages are different, so a display filter expression will not always work as a capture filter.
Even without a filter, Wireshark gives each packet type a different background colour according to its colouring rules. Dark (black) backgrounds mark packets the rules consider anomalous, such as bad TCP segments and checksum errors, not "harmful" packets: the colours say nothing about whether traffic is malicious, and you have to read the packets to judge that.
Wireshark is a GUI application, but the same job can be done without a GUI using a tool shipped alongside it: tshark, which you run from a terminal. It needs the same capture privileges as Wireshark (membership of the "wireshark" group or, failing that, sudo).
You can try it by typing:
tshark -i eth0