Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software andcommunications protocol development, and education. Originally named Ethereal, in May 2006 the project was renamed Wireshark due to trademark issues.
Wireshark is cross-platform, using the GTK+ widget toolkit to implement its user interface, and using pcap to capture packets; it runs on various Unix-like operating systems including Linux, Mac OS X, BSD, and Solaris, and on Microsoft Windows. There is also a terminal-based (non-GUI) version for Linux called TShark. Wireshark, and the other programs distributed with it such as TShark, are free software, released under the terms of the GNU General Public License.
Wireshark is very similar to tcpdump, but it has a graphical front-end, and many more information sorting and filtering options. It allows the user to see all traffic being passed over the network (usually an Ethernet network but support is being added for others) by putting the network interface into promiscuous mode.
Wireshark is software that "understands" the structure of different networking protocols. Thus, it is able to display the encapsulation and the fields along with their meanings of different packets specified by different networking protocols. Wireshark uses pcap to capture packets, so it can only capture the packets on the types of networks that pcap supports.
- Data can be captured "from the wire" from a live network connection or read from a file that recorded already-captured packets.
- Live data can be read from a number of types of network, including Ethernet, IEEE 802.11, PPP, and loopback.
- Captured network data can be browsed via a GUI, or via the terminal (command line) version of the utility, tshark.
- Captured files can be programmatically edited or converted via command-line switches to the "editcap" program.
- Data display can be refined using a display filter.
- Plug-ins can be created for dissecting new protocols.
Capturing raw network traffic from an interface requires special privileges on some platforms. For this reason, older versions of Ethereal/Wireshark and tethereal/tshark often ran with superuser privileges. Taking into account the huge number of protocol dissectors, which are called when traffic for their protocol is captured, this can pose a serious security risk given a bug in a dissector. Due to the rather large number of vulnerabilities in the past (of which many have allowed remote code execution) and developers' doubts for better future development, OpenBSD removed Ethereal from its ports tree prior to its 3.6 release.
One possible alternative is to run tcpdump, or the dumpcap utility that comes with Wireshark, with superuser privileges to capture packets into a file, and later analyze these packets by running Wireshark with restricted privileges on the packet capture dump file. On wireless networks, it is possible to use the Aircrack wireless security tools to capture IEEE 802.11 frames and read the resulting dump files with Wireshark.
Bibliography
- Orebaugh, Angela; Ramirez, Gilbert; Beale, Jay (February 14, 2007), Wireshark & Ethereal Network Protocol Analyzer Toolkit, Syngress, pp. 448, ISBN 1597490733
- Sanders, Chris (May 23, 2007), Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems, No Starch Press, pp. 192, ISBN 1593271492
- Chappell, Laura (March 31, 2010), Wireshark Network Analysis: The Official Wireshark Certified Network Analyst Study Guide, Protocol Analysis Institute, dba “Chappell University”, pp. 800, ISBN 1893939995
Warning! This information is only for educational purpose only.
Forums:
