r7 - 25 Aug 2010 - 15:39:41 - SimonLeinenYou are here: TWiki > 
PERTKB Web > PacketTraceTools > WireShark
PERTKB Web > PacketTraceTools > WireSharkWireshark®
Wireshark is a packet capture/analysis tool, similar to tcpdump but much more elaborate. It has a graphical user interface (GUI) which allows "drilling down" into the header structure of captured packets. In addition, it has a "plugin" architecture that allows decoders ("dissectors" in Wireshark terminology) to be written with relative ease. This and the general user-friendliness of the tool has resulted in Ethereal supporting an abundance of network protocols - presumably writing Wireshark dissectors is often part of the work of developing/implementing new protocols. Lastly, Wireshark includes some nice graphical analysis/statictics tools such as much of the functionality oftcptrace and xplot.
One of the main attractions of Wireshark is that it works nicely under Microsoft Windows, although it requires a third-party library to implement the equivalent of the libpcap packet capture library.
Wireshark used to be called Ethereal™, but was renamed in June 2006, when its principal maintainer changed employers. The first pre-release of Wireshark 1.0.0 was announced in March 2008, a few weeks before the first annual SHARKFEST event.
Usage examples
The following screenshot shows Ethereal 0.10.14 under Linux/Gnome when called as ethereal -r test.pcap, reading the single-packet example trace generated in thetcpdump example. The "data" portion of the UDP part of the packet has been selected by clicking on it in the middle pane, and the corresponding bytes are highlighted in the lower pane.
tshark
The package includes a command-line tool called tshark, which can be used in a similar (but not quite compatible) way to tcpdump. Through complex command-line options, it can give access to some of the more advanced decoding functionality of Wireshark. Because it generates text, it can be used as part of analysis scripts.
In a cute and possibly even useful application of tshark, QA Cafe (an IP testing solutions vendor) has put up "Wireshark as a Service" under www.cloudshark.org. This tool lets users upload packet dumps without registration, and provides the familiar Wireshark interface over the Web. Uploads are limited to 512 Kilobytes, and there are no guarantees about confidentiality of the data, so it should not be used on privacy-sensitive data.
References
- Wireshark Web page - http://www.wireshark.org/
- Packet School 101, Chris Sanders, June 2006 - http://www.chrissanders.org/?p=47
This is a multi-part tutorial on packet sniffing using Wireshark/Ethereal. An introduction is also available as a Podcast.
PERTKB.WireShark moved from PERTKB.EthEreal on 06 Jul 2006 - 14:21 by SimonLeinen - put it back
|
|
Copyright © 2004-2009 by the contributing authors.
All material on this collaboration platform is the property of the contributing authors.