Wireshark® (formerly called Ethereal™)

Wireshark is a packet capture/analysis tool, similar to tcpdump but much more elaborate. It has a graphical user interface (GUI) which allows "drilling down" into the header structure of captured packets. In addition, it has a "plugin" architecture that allows decoders ("dissectors" in Wireshark terminology) to be written with relative ease. This and the general user-friendliness of the tool has resulted in Ethereal supporting an abundance of network protocols - presumably writing Wireshark dissectors is often part of the work of developing/implementing new protocols. Lastly, Wireshark includes some nice graphical analysis/statictics tools such as much of the functionality of tcptrace and xplot.

One of the main attractions of Wireshark is that it works nicely under Microsoft Windows, although it requires a third-party library to implement the equivalent of the libpcap packet capture library.

Wireshark used to be called Ethereal™, but was renamed in June 2006, when its principal maintainer changed employers. The first pre-release of Wireshark 1.0.0 was announced in March 2008, a few weeks before the first annual SHARKFEST event.

Usage examples

The following screenshot shows Ethereal 0.10.14 under Linux/Gnome when called as ethereal -r test.pcap, reading the single-packet example trace generated in the tcpdump example. The "data" portion of the UDP part of the packet has been selected by clicking on it in the middle pane, and the corresponding bytes are highlighted in the lower pane.

References

• Wireshark Web page - http://www.wireshark.org/
• Packet School 101, Chris Sanders, June 2006 - http://www.chrissanders.org/?p=47
  This is a multi-part tutorial on packet sniffing using Wireshark/Ethereal. An introduction is also available as a Podcast.
  According to his blog, the author is also working on a No Starch Press/O'Reilly book, "Hacking Packets with Wireshark", which should be finished around February 2007.

-- SimonLeinen - 04 Mar 2006 - 19 Mar 2008