Wireshark®
Wireshark is a packet capture/analysis tool, similar to tcpdump but much more elaborate. It has a graphical user interface (GUI) which allows "drilling down" into the header structure of captured packets. In addition, it has a "plugin" architecture that allows decoders ("dissectors" in Wireshark terminology) to be written with relative ease. This and the general user-friendliness of the tool have resulted in Wireshark supporting an abundance of network protocols - presumably writing Wireshark dissectors is often part of the work of developing/implementing new protocols. Lastly, Wireshark includes some nice graphical analysis/statistics tools, covering much of the functionality of tcptrace and xplot.
One of the main attractions of Wireshark is that it works nicely under Microsoft Windows, although it requires a third-party library to implement the equivalent of the libpcap packet capture library.
Wireshark used to be called Ethereal™, but was renamed in June 2006, when its principal maintainer changed employers. Version 1.8 adds support for capturing on multiple interfaces in parallel, simplified management of decryption keys (for 802.11 WLANs and IPsec/ISAKMP), and geolocation for IPv6 addresses. Some TCP events (fast retransmits and TCP Window updates) are no longer flagged as warnings/errors. The default format for saving capture files is changing from pcap to pcap-ng. Wireshark 1.10, announced in June 2013, adds many features including Windows 8 support and response-time analysis for HTTP requests.
Usage examples
The following screenshot shows Ethereal 0.10.14 under Linux/Gnome when called as ethereal -r test.pcap, reading the single-packet example trace generated in the tcpdump example. The "data" portion of the UDP part of the packet has been selected by clicking on it in the middle pane, and the corresponding bytes are highlighted in the lower pane.
tshark
The package includes a command-line tool called tshark, which can be used in a similar (but not quite compatible) way to tcpdump. Through complex command-line options, it can give access to some of the more advanced decoding functionality of Wireshark. Because it generates text, it can be used as part of analysis scripts.
Scripting
Wireshark can be extended using scripting languages. The Lua language has been supported for several years. Version 1.4.0 (released in September 2010) added preliminary support for Python as an extension language.
CloudShark
In a cute and possibly even useful application of tshark, QA Cafe (an IP testing solutions vendor) has put up "Wireshark as a Service" under www.cloudshark.org. This tool lets users upload packet dumps without registration, and provides the familiar Wireshark interface over the Web. Uploads are limited to 512 kilobytes, and there are no guarantees about the confidentiality of the data, so it should not be used on privacy-sensitive captures.
References
- Wireshark Web page - http://www.wireshark.org/
- Wireshark online forum - http://ask.wireshark.org/
- Packet School 101, Chris Sanders, June 2006 - http://www.chrissanders.org/?p=47 - a multi-part tutorial on packet sniffing using Wireshark/Ethereal. An introduction is also available as a podcast.
– Main.SimonLeinen - 2006-03-04 - 2013-06-09