What is Wireshark? Open Source Network Analysis

You can get a handle on network performance issues with this indispensable open source tool […]

Wireshark is a popular, free and open-source packet capture tool that allows network and security administrators to analyze the traffic flowing through a network more accurately. Wireshark can be used for a variety of purposes, such as detecting security issues, troubleshooting network performance issues, optimizing traffic, or as part of the application development and testing process.

What does Wireshark do?

Wireshark is primarily used to capture data packets moving through a network. The tool allows users to put network interface controllers (NICs) into promiscuous mode to observe most traffic, even unicast traffic that is not addressed to the controller's MAC address. However, this usually requires superuser permissions and may be restricted on some networks.

Even without this capability, Wireshark is able to sniff out most packets flowing through a network, regardless of the operating system, network protocol, encryption method, or file format.

Wireshark was originally written for Solaris and Linux, but now runs on virtually all operating systems, including Windows and macOS. The source code is also available for those who want to customize Wireshark to run in a specific environment. All versions of Wireshark and the source code are completely open source and can be downloaded for free.

The tool can read data flowing through a network or device in real time, using all popular protocols: wired Ethernet, wireless IEEE 802.11, the WAN protocols PPP/HDLC, Bluetooth, USB, etc.

For encrypted traffic, Wireshark provides automatic decryption and support for many protocols such as IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP and WPA/WPA2.

The latest version of Wireshark also supports most capture file formats, so that traffic can be analyzed later. These include tcpdump (libpcap), Pcap NG, Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer (compressed and uncompressed), Sniffer Pro, NetXray, Network Instruments Observer, NetScreen snoop, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets, EtherPeek, TokenPeek, Airopeek and others. The output can also be exported to XML, PostScript, CSV or plain text files.

Is Wireshark easy to use?

There are two different versions of the tool. The TShark utility version uses a command-line interface without graphics. The more popular Wireshark version has a graphical user interface and is designed to be used by people with a wide range of knowledge, not just experts or programmers. Wireshark is currently available in version 3.6.5, and a separate development version with the number 3.7.0 is being developed by the community.

Being free and open source certainly helps make Wireshark one of the most popular tools of its kind today. But the graphical user interface is also a big plus, especially for those who are less experienced or who simply do not like the command-line interfaces of many utilities.

While data about all packets and network traffic is available for later analysis, the graphical user interface allows users to sit back and watch the packets flow through their network in real time. The interface itself is also freely configurable.

Wireshark can be set to color-code specific packets based on rules that match specific fields in those packets. At a high level, this could help separate different packet types, which would show how a network is used. For example, voice-over-IP (VoIP) data could be marked with one color in the interface, while encrypted data packets could be marked with a different color. Wireshark provides a comprehensive set of rules for coloring packets, but also allows you to set up your own rules and change the default values.

At a higher level, Wireshark can be used to find and highlight very specific packets, for example, those that correspond to a known attack pattern. This makes it a useful tool for threat hunting: highlighting certain packets in red (or any other color the user chooses) alerts investigators to their presence on the network.
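
The rule-based coloring described above can be sketched outside Wireshark. The following is an added example, not Wireshark's own code: it parses a constructed libpcap capture and applies an ordered list of rules in which the first match decides the color, as Wireshark's coloring rules do. The rule set, port numbers and sample frames (SIP over UDP, TLS data, a TCP reset, mDNS) are assumptions made for illustration.

```python
import struct

def build_pcap(frames):
    """Constructed sample: classic little-endian libpcap file, Ethernet link type."""
    recs = b"".join(struct.pack("<IIII", 1700000000, 0, len(f), len(f)) + f for f in frames)
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + recs

def frame(proto, sport, dport, flags=0):
    """Constructed Ethernet/IPv4 frame with a bare TCP (6) or UDP (17) header."""
    l4 = (struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 1024, 0, 0)
          if proto == 6 else struct.pack("!HHHH", sport, dport, 8, 0))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return bytes(12) + b"\x08\x00" + ip + l4

def read_packets(data):
    """Yield raw frames from libpcap bytes (24-byte file header, 16-byte record headers)."""
    if len(data) < 24 or struct.unpack_from("<I", data)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian libpcap capture")
    off = 24
    while off + 16 <= len(data):
        incl = struct.unpack_from("<I", data, off + 8)[0]  # captured length
        yield data[off + 16:off + 16 + incl]
        off += 16 + incl

def fields(pkt):
    """Extract only the fields the rules below match on."""
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":  # not IPv4 over Ethernet
        return {}
    f = {"proto": pkt[23]}
    l4 = pkt[14 + (pkt[14] & 0x0F) * 4:]
    if f["proto"] in (6, 17) and len(l4) >= 4:
        f["sport"], f["dport"] = struct.unpack_from("!HH", l4)
    if f["proto"] == 6 and len(l4) >= 14:
        f["flags"] = l4[13]
    return f

RULES = [  # hypothetical rules, checked top-down; the first match decides the color
    ("pattern of interest (TCP RST)", "red", lambda f: f.get("flags", 0) & 0x04),
    ("VoIP signalling (SIP port)", "blue", lambda f: 5060 in (f.get("sport"), f.get("dport"))),
    ("encrypted (TLS port)", "green", lambda f: 443 in (f.get("sport"), f.get("dport"))),
]

def colorize(pcap_bytes):
    """Return the color assigned to each packet, in capture order."""
    parsed = (fields(p) for p in read_packets(pcap_bytes))
    return [next((c for _, c, match in RULES if match(f)), "none") for f in parsed]

SAMPLE = build_pcap([frame(17, 40000, 5060), frame(6, 50000, 443, 0x18),
                     frame(6, 443, 50000, 0x04), frame(17, 5353, 5353)])  # constructed
```

The third sample packet matches both the reset rule and the port 443 rule; because rules are evaluated in order, it is colored red, which is why rule order matters when a highlight must not be masked by a broader rule.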

Who created Wireshark?

The tool was originally developed by Gerald Combs in 1998. At that time, he was working for a small Internet service provider (ISP) and needed a way to analyze and optimize the traffic generated by the many tenants of this ISP.

At that time, in 1998, there were already packet and traffic analysis tools, but most of them cost around $1,500, which was too expensive for his company to buy for him. In addition, most commercial tools did not support Solaris and Linux, the types of servers mainly used by this ISP.

Since the commercial programs were either too expensive or did not have the right features, Combs decided to create his own tool to analyze and improve network traffic.

What is Ethereal?

Wireshark was originally called Ethereal. However, although Combs was the owner of the source code, he did not own the copyright for the name, which was with Network Integration Services.

When he changed jobs in 2006, he used most of the source code to develop Wireshark and changed the name due to the copyright issue. For a while, both Ethereal and Wireshark were further developed in parallel. However, work on Ethereal has since been discontinued, and an Ethereal security bulletin published online now recommends that users switch to Wireshark.

While Combs still plays a very active role in the development of Wireshark, much of the work today has been handed over to an active community of developers and programmers who support the tool. These efforts are similar to those that support other extremely popular open source networking tools such as Nmap.

The Wireshark community even holds a SharkFest every year to discuss and celebrate new developments of the open source tool. The last SharkFest event in September 2021 was virtual, and Combs was the keynote speaker.

The future of Wireshark

While Combs is still very actively working on the further development of the tool and keeping it relevant, it is also clear that the development of Wireshark is probably beyond what a single programmer could do.

Fortunately for Wireshark, a vibrant community of talented programmers has come together, which helps ensure that the 24-year-old tool not only remains relevant, but in many cases has established itself as the leading tool for packet capture and traffic analysis. There are now hundreds of names listed on the author page for Wireshark.

And not everyone in the Wireshark community is a programmer. According to the Wireshark website, most community members are divided into three groups. First of all, there are the developers who create added value for the project by improving Wireshark and the related services. Then there are the instructors who teach people how to use Wireshark and analyze networks. And finally, the community consists of the users who use Wireshark to learn more about their networks and analyze them.

The Wireshark community is very active and, unlike other online communities, attaches great importance to the enforcement of a code of conduct among its members. The Code of Conduct is by no means restrictive, but is adopted by the user community, which is probably one of the reasons that the Wireshark community continues to flourish and grow.

The community is also supported by blogs and various social media platforms such as Twitter, which keep it up to date with the developments of the program. And although the application is open source and can be downloaded and used for free, Wireshark is also supported by some companies that contribute to educational and outreach programs through the Wireshark Foundation.

The combination of an extremely useful and efficient tool, a user-friendly graphical interface and an active community of programmers, educators and users ensures that Wireshark is always up to date.

*John Breeden II is an award-winning journalist and reviewer with over 20 years of experience in technology reporting. He is the CEO of the Tech Writers Bureau, a group that creates technology thought leadership content for companies of all sizes.
