Install Wireshark on Ubuntu 22.04

In this guide, you will learn how to install Wireshark on Ubuntu 22.04. Wireshark is the world’s foremost and widely-used network protocol analyzer. Note that it is a criminal act to scan or sniff on any network traffic without any authorization.

Install Wireshark on Ubuntu 22.04

Wireshark is available on the default Ubuntu 22.04 repositories. However, the available versions may not be the up-to-date. Wireshark 3.6.3 is the current stable release as of this writing.

Well, to confirm this, run the commands below to check the available version of Wireshark on Ubuntu 22.04;

apt-cache policy wireshark

Command output;

wireshark:
  Installed: (none)
  Candidate: 3.6.2-2
  Version table:
     3.6.2-2 500
        500 http://ke.archive.ubuntu.com/ubuntu jammy/universe amd64 Packages

As you can see, the latest version of Wireshark available onthe default Ubuntu 22.04 repositories is Wireshark 3.6.2

To install this version, simply run the command below;

apt install wireshark

Otherwise, if you want to install the latest stable release version as per the release page, currently 3.6.3 as of this writing, then you have to build from the source code.

Build and Install Wireshark from the Source Code

Before you can proceed with compilation and installation of Wireshark on Ubuntu 18.04, you need to install the required dependencies. Some of the dependencies are optional. You can see a list of all required dependencies for compiling and installing Wireshark on the Library reference page.

apt install qttools5-dev qttools5-dev-tools libqt5svg5-dev \
qtmultimedia5-dev build-essential automake autoconf \
libgtk2.0-dev libglib2.0-dev flex bison libpcap-dev \
libgcrypt20-dev cmake libc-ares-dev -y

• Download Wireshark latest source code from downloads page.

wget https://1.eu.dl.wireshark.org/src/wireshark-3.6.3.tar.xz

• Extract the Wireshark source code.

tar xJf wireshark-3.6.3.tar.xz

• Compile Wireshark source code

cd wireshark-3.6.3

cmake .

Sample command output;

...
-- The following OPTIONAL packages have been found:

 * GMODULE2
 * Gettext
 * PCAP
 * ZLIB
 * BROTLI
 * LZ4, LZ4 is a fast lossless compression algorithm, 
   LZ4 decompression in CQL and Kafka dissectors, read compressed capture files
 * LibXml2
 * SETCAP

-- The following REQUIRED packages have been found:

 * GLIB2 (required version >= 2.38.0)
 * GTHREAD2
 * GCRYPT (required version >= 1.5.0)
 * CARES (required version >= 1.5.0), Library for asynchronous DNS requests, 
   DNS name resolution for captures
 * LEX
 * Perl
 * Python3 (required version >= 3.4)
 * M
 * Qt5Core
 * Qt5LinguistTools
 * Qt5Network (required version >= 5.15.3)
 * Qt5Gui (required version >= 5.15.3)
 * Qt5Multimedia
 * Qt5PrintSupport
 * Qt5Widgets

-- The following OPTIONAL packages have not been found:

 * Git
 * LIBSSH (required version >= 0.6), Library for implementing SSH clients, 
   extcap remote SSH interfaces (sshdump, ciscodump)
 * Systemd, System and Service Manager (libraries), 
   Support for systemd journal extcap interface (sdjournal)
 * MaxMindDB, C library for the MaxMind DB file format, 
   Support for GeoIP lookup
 * SMI, Library to access SMI management information, 
   Support MIB and PIB parsing and OID resolution
 * GNUTLS (required version >= 3.3.0)
 * KERBEROS
 * Minizip, Mini zip and unzip based on zlib, 
   Support for profiles import/export
 * SNAPPY, A fast compressor/decompressor from Google, 
   Snappy decompression in CQL and Kafka dissectors
 * ZSTD (required version >= 1.0.0), A compressor/decompressor from Facebook providing better compression than Snappy at a cost of speed, 
   Zstd decompression in Kafka dissector, read compressed capture files
 * NGHTTP2, HTTP/2 C library and tools, 
   Header decompression in HTTP2
 * LUA (required version >= 5.1)
 * NL, Libraries for using the Netlink protocol on Linux, 
   Support for managing wireless 802.11 interfaces
 * SBC, Bluetooth low-complexity, subband codec (SBC) decoder, 
   Support for playing SBC codec in RTP player
 * SPANDSP, a library of many DSP functions for telephony, 
   Support for G.722 and G.726 codecs in RTP player
 * BCG729, G.729 decoder, 
   Support for G.729 codec in RTP player
 * ILBC, iLBC decoder, 
   Support for iLBC codec in RTP player
 * OPUS, opus decoder, 
   Support for opus codec in RTP player
 * CAP, The Libcap package implements the user-space interfaces to the POSIX 1003.1e capabilities available in Linux kernels, 
   Allow packet captures without running as root
 * DOXYGEN
 * SpeexDSP, SpeexDSP is a patent-free, Open Source/Free Software DSP library, 
   RTP audio resampling
 * Asciidoctor (required version >= 1.5)
 * XSLTPROC

-- Configuring done
-- Generating done
-- Build files have been written to: /root/wireshark-3.6.3

Fix any errors before you proceed, just in case there is any.

• Build Wireshark

make

• Install Wireshark

make install

Running Wireshark on Ubuntu 22.04

You can now launch Wireshark either from command line or from the activities;

Wireshark interface;

Tshark command line utility is also installed;

tshark --help

TShark (Wireshark) 3.6.3 (Git commit 6d348e4611e2)
Dump and analyze network traffic.
See https://www.wireshark.org for more information.

Usage: tshark [options] ...

Capture interface:
  -i , --interface 
                           name or idx of interface (def: first non-loopback)
  -f       packet filter in libpcap filter syntax
  -s , --snapshot-length 
                           packet snapshot length (def: appropriate maximum)
  -p, --no-promiscuous-mode
                           don't capture in promiscuous mode
  -I, --monitor-mode       capture in monitor mode, if available
  -B , --buffer-size 
                           size of kernel buffer (def: 2MB)
  -y , --linktype 
                           link layer type (def: first appropriate)
  --time-stamp-type  timestamp method for interface
  -D, --list-interfaces    print list of interfaces and exit
  -L, --list-data-link-types
                           print list of link-layer types of iface and exit
  --list-time-stamp-types  print list of timestamp types for iface and exit

Capture stop conditions:
  -c         stop after n packets (def: infinite)
  -a  ..., --autostop  ...
                           duration:NUM - stop after NUM seconds
                           filesize:NUM - stop this file after NUM KB
                              files:NUM - stop after NUM files
                            packets:NUM - stop after NUM packets
Capture output:
  -b  ..., --ring-buffer 
                           duration:NUM - switch to next file after NUM secs
                           filesize:NUM - switch to next file after NUM KB
                              files:NUM - ringbuffer: replace after NUM files
                            packets:NUM - switch to next file after NUM packets
                           interval:NUM - switch to next file when the time is
                                          an exact multiple of NUM secs
Input file:
  -r , --read-file 
                           set the filename to read from (or '-' for stdin)

Processing:
  -2                       perform a two-pass analysis
  -M         perform session auto reset
  -R , --read-filter 
                           packet Read filter in Wireshark display filter syntax
                           (requires -2)
  -Y , --display-filter 
                           packet displaY filter in Wireshark display filter
                           syntax
  -n                       disable all name resolutions (def: "mNd" enabled, or
                           as set in preferences)
  -N   enable specific name resolution(s): "mnNtdv"
  -d ==, ...
                           "Decode As", see the man page for details
                           Example: tcp.port==8888,http
  -H           read a list of entries from a hosts file, which will
                           then be written to a capture file. (Implies -W n)
  --enable-protocol 
                           enable dissection of proto_name
  --disable-protocol 
                           disable dissection of proto_name
  --enable-heuristic 
                           enable dissection of heuristic protocol
  --disable-heuristic 
                           disable dissection of heuristic protocol
Output:
  -w            write packets to a pcapng-format file named "outfile"
                           (or '-' for stdout)
  --capture-comment 
                           add a capture file comment, if supported
  -C       start with specified configuration profile
  -F 
    set the output file type, default is pcapng
                           an empty "-F" option will list the file types
  -V                       add output of packet tree        (Packet Details)
  -O            Only show packet details of these protocols, comma
                           separated
  -P, --print              print packet summary even when writing to a file
  -S            the line separator to print between packets
  -x                       add output of hex and ASCII dump (Packet Bytes)
  -T pdml|ps|psml|json|jsonraw|ek|tabs|text|fields|?
                           format of text output (def: text)
  -j       protocols layers filter if -T ek|pdml|json selected
                           (e.g. "ip ip.flags text", filter does not expand child
                           nodes, unless child is specified also in the filter)
  -J       top level protocol filter if -T ek|pdml|json selected
                           (e.g. "http tcp", filter which expands all child nodes)
  -e                field to print if -Tfields selected (e.g. tcp.port,
                           _ws.col.Info)
                           this option can be repeated to print multiple fields
  -E= set options for output when -Tfields selected:
     bom=y|n               print a UTF-8 BOM
     header=y|n            switch headers on and off
     separator=/t|/s| select tab, space, printable character as separator
     occurrence=f|l|a      print first, last or all occurrences of each field
     aggregator=,|/s| select comma, space, printable character as
                           aggregator
     quote=d|s|n           select double, single, no quotes for values
  -t a|ad|adoy|d|dd|e|r|u|ud|udoy
                           output format of time stamps (def: r: rel. to first)
  -u s|hms                 output format of seconds (def: s: seconds)
  -l                       flush standard output after each packet
  -q                       be more quiet on stdout (e.g. when using statistics)
  -Q                       only log true errors to stderr (quieter than -q)
  -g                       enable group read access on the output file(s)
  -W n                     Save extra information in the file, if supported.
                           n = write network address resolution information
  -X :         eXtension options, see the man page for details
  -U tap_name              PDUs export mode, see the man page for details
  -z           various statistics, see the man page for details
  --export-objects ,
                           save exported objects for a protocol to a directory
                           named "destdir"
  --export-tls-session-keys 
                           export TLS Session Keys to a file named "keyfile"
  --color                  color output text similarly to the Wireshark GUI,
                           requires a terminal with 24-bit color support
                           Also supplies color attributes to pdml and psml formats
                           (Note that attributes are nonstandard)
  --no-duplicate-keys      If -T json is specified, merge duplicate keys in an object
                           into a single key with as value a json array containing all
                           values
  --elastic-mapping-filter  If -G elastic-mapping is specified, put only the
                           specified protocols within the mapping file
Diagnostic output:
  --log-level       sets the active log level ("critical", "warning", etc.)
  --log-fatal       sets level to abort the program ("critical" or "warning")
  --log-domains <[!]list>  comma separated list of the active log domains
  --log-debug <[!]list>    comma separated list of domains with "debug" level
  --log-noisy <[!]list>    comma separated list of domains with "noisy" level
  --log-file         file to output messages to (in addition to stderr)

Miscellaneous:
  -h, --help               display this help and exit
  -v, --version            display version info and exit
  -o : ...    override preference setting
  -K               keytab file to use for kerberos decryption
  -G [report]              dump one of several available reports and exit
                           default report="fields"
                           use "-G help" for more help

Dumpcap can benefit from an enabled BPF JIT compiler if available.
You might want to enable it by executing:
 "echo 1 > /proc/sys/net/core/bpf_jit_enable"
Note that this can make your system less secure!

And there you go.

Other Tutorials

Install Wireshark on Rocky Linux

Analyze Network Traffic using Zeek