Wireshark Network Protocol Analyzer

Wireshark is Ethereal. Gerald Combs, the creator of Ethereal, took a position with CACE, the developers of the WinPcap library. He wanted to bring Ethereal with him, but a trademark dispute forced him to fork the development code under a new name, Wireshark. Ethereal still exists, but Combs and Ethereal's core development team will continue their work under the Wireshark name. Wireshark is accepted as the "true" version of Ethereal, which is why it ranked Number 2 on the Top 100 Security Tools.

What Is Wireshark?

In short, a network protocol analyzer, otherwise known as a "packet sniffer", captures and decodes packets of information from a network. Wireshark can capture live network traffic or read data from a file and translate the data into a format the user can understand. Network analyzers such as Wireshark are invaluable tools for administrators diagnosing and troubleshooting problems, but they are also used by intruders to obtain unauthorized information.

What Does Wireshark Do?

Wireshark can be used to capture and analyze network packets for a wide array of purposes, such as:

  • Troubleshooting network issues and locating bottlenecks
  • Detecting network intrusions
  • Logging network traffic for forensic analysis
  • Discovering a DoS (denial-of-service) attack

It can also be used by attackers for more nefarious purposes such as:

  • Capturing usernames and passwords
  • OS fingerprinting
  • Capturing sensitive or proprietary information
  • Network mapping

Running Wireshark

Distributions of Wireshark are available for a wide range of Unix and Linux platforms as well as Windows.

Actually capturing packets from the network requires a packet capture driver such as WinPcap. Wireshark is sponsored by CACE, the developers of the WinPcap library.

The packet driver you use will vary depending on the exact Unix, Linux or Windows platform you are running Wireshark on.

For details on downloading and installing Wireshark, you can visit www.wireshark.org/download/.

Wireshark Resources

These web sites and books will help you use Wireshark. Some are aimed at Ethereal, Wireshark's predecessor, but the information is still useful:

Origins of Wireshark

Wireshark is a development fork of the popular Ethereal Protocol Analyzer. Wireshark is maintained by the creator and core team from the Ethereal Project.

Ethereal was first released in 1998 by Gerald Combs. It was released under a GNU General Public License (GPL) and has been improved, modified and maintained by open source developer support. You can find a complete list of the developers who have contributed to Ethereal on their site at www.ethereal.com/introduction.html#authors.

Supported Protocols

Wireshark, like Ethereal, supports almost 700 protocols, more than most people even know exist. Because it is open source, new dissectors, the protocol decoders that let Wireshark interpret and display a given protocol's traffic, are created regularly as users have a need for them.

For that reason, the list of supported protocols grows on a regular basis and could well have changed by the time you read this. To see the complete list of supported protocols, visit the Wireshark FAQ.
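To make concrete what "capturing and decoding packets" and "dissectors" mean in practice, here is an added example (not code from the page or from the Wireshark project): a miniature dissector in Python that reads the pcap format Wireshark itself reads and writes, decodes the Ethernet, IPv4 and UDP/TCP headers, skips frames it cannot decode, and tallies packets per source address, the kind of summary used when looking for a flood. The input is a pcap built from constructed frames inside the block, so it runs offline.

```python
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4  # little-endian, microsecond-timestamp pcap
LINKTYPE_ETHERNET = 1

def build_pcap(frames):
    """Constructed sample input: wrap raw Ethernet frames in pcap global and per-packet headers."""
    global_header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return global_header + records

def udp_frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IPv4/UDP frame; checksums are left at zero and are not verified."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + udp

def dissect_pcap(data):
    """Miniature dissector: return (src, dst, proto, sport, dport) per IPv4 packet.
    Frames that are truncated or not IPv4 are skipped rather than mis-decoded."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    offset, results = 24, []
    while offset + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from("<IIII", data, offset)
        pkt = data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":  # too short, or EtherType is not IPv4
            continue
        ihl = (pkt[14] & 0x0F) * 4                      # IPv4 header length in bytes
        proto = pkt[23]                                 # IPv4 protocol field (6 = TCP, 17 = UDP)
        src = ".".join(str(b) for b in pkt[26:30])
        dst = ".".join(str(b) for b in pkt[30:34])
        sport = dport = None
        l4 = 14 + ihl
        if proto in (6, 17) and len(pkt) >= l4 + 4:     # TCP and UDP both start with the port pair
            sport, dport = struct.unpack_from("!HH", pkt, l4)
        results.append((src, dst, proto, sport, dport))
    return results

def packets_per_source(records):
    """Tally packets by source address: a first cut at spotting a flood coming from one host."""
    return Counter(r[0] for r in records)
```

A real dissector handles many more cases (VLAN tags, IP options, fragmentation, IPv6), which is exactly why Wireshark's dissector count keeps growing.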