is a packet capture/analysis tool, similar to tcpdump
but much more elaborate. It has a graphical user interface (GUI) which allows "drilling down" into the header structure of captured packets. In addition, it has a "plugin" architecture that allows decoders ("dissectors" in Wireshark terminology) to be written with relative ease. This and the general user-friendliness of the tool has resulted in Wireshark supporting an abundance of network protocols - presumably writing Wireshark dissectors is often part of the work of developing/implementing new protocols. Lastly, Wireshark includes some nice graphical analysis/statictics tools such as much of the functionality of
One of the main attractions of Wireshark is that it works nicely under Microsoft Windows, although it requires a third-party library to implement the equivalent of the
packet capture library.
Wireshark used to be called Ethereal™, but was renamed
in June 2006, when its principal maintainer changed employers. Version 1.8 adds support for capturing on multiple interfaces in parallel, simplified management of decryption keys (for 802.11 WLANs and IPsec/ISAKMP), and geolocation for IPv6 addresses. Some TCP events (fast retransmits and TCP Window updates) are no longer flagged as warnings/errors. The default format for saving capture files is changing from pcap to pcap-ng. Wireshark 1.10, announced
in June 2013, adds many features including Windows 8 support and response-time analysis for HTTP requests.
The following screenshot shows Ethereal 0.10.14 under Linux/Gnome when called as ethereal -r test.pcap
, reading the single-packet example trace generated in the
example. The "data" portion of the UDP part of the packet has been selected by clicking on it in the middle pane, and the corresponding bytes are highlighted in the lower pane.
The package includes a command-line tool called
, which can be used in a similar (but not quite compatible) way to
. Through complex command-line options, it can give access to some of the more advanced decoding functionality of Wireshark. Because it generates text, it can be used as part of analysis scripts.
Wireshark can be extended using scripting languages. The Lua
language has been supported for several years. Version 1.4.0 (released in September 2010) added preliminary support for Python
as an extension language.
In a cute and possibly even useful application of
, QA Cafe (an IP testing solutions vendor) has put up "Wireshark as a Service" under
. This tool lets users upload packet dumps without registration, and provides the familiar Wireshark interface over the Web. Uploads are limited to 512 Kilobytes, and there are no guarantees about confidentiality of the data, so it should not be used on privacy-sensitive data.
- 2006-03-04 - 2013-06-09