Wireshark

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Originally named Ethereal, the project was renamed Wireshark in May 2006 due to trademark issues.[5]

Wireshark
Original author(s)Gerald Combs[1]
Developer(s)The Wireshark team
Initial release1998
Stable release
4.0.10[2] Edit this on Wikidata / 4 October 2023
Repository
Written inC, C++, Lua
Operating systemCross-platform
TypePacket analyzer
LicenseGPL-2.0-or-later[3][4]
Websitewww.wireshark.org

Wireshark is cross-platform, using the Qt widget toolkit in current releases to implement its user interface, and using pcap to capture packets; it runs on Linux, macOS, BSD, Solaris, some other Unix-like operating systems, and Microsoft Windows. There is also a terminal-based (non-GUI) version called TShark. Wireshark, and the other programs distributed with it such as TShark, are free software, released under the terms of the GNU General Public License version 2 or any later version.

Functionality

Wireshark is very similar to tcpdump, but has a graphical front-end and integrated sorting and filtering options.

Wireshark lets the user put network interface controllers into promiscuous mode (if supported by the network interface controller), so they can see all the traffic visible on that interface including unicast traffic not sent to that network interface controller's MAC address. However, when capturing with a packet analyzer in promiscuous mode on a port on a network switch, not all traffic through the switch is necessarily sent to the port where the capture is done, so capturing in promiscuous mode is not necessarily sufficient to see all network traffic. Port mirroring or various network taps extend capture to any point on the network. Simple passive taps are extremely resistant to tampering.

On Linux, BSD, and macOS, with libpcap 1.0.0 or later, Wireshark 1.4 and later can also put wireless network interface controllers into monitor mode.

If a remote machine captures packets and sends the captured packets to a machine running Wireshark using the TZSP protocol or the protocol used by OmniPeek, Wireshark dissects those packets, so it can analyze packets captured on a remote machine at the time that they are captured.

History

In the late 1990s, Gerald Combs, a computer science graduate of the University of Missouri–Kansas City, was working for a small Internet service provider. The commercial protocol analysis products at the time were priced around $1500[6] and did not run on the company's primary platforms (Solaris and Linux), so Gerald began writing Ethereal and released the first version around 1998.[7] The Ethereal trademark is owned by Network Integration Services.

In May 2006, Combs accepted a job with CACE Technologies with Loris Degioanni. Combs still held copyright on most of Ethereal's source code (and the rest was re-distributable under the GNU GPL), so he used the contents of the Ethereal Subversion repository as the basis for the Wireshark repository. However, he did not own the Ethereal trademark, so he changed the name to Wireshark.[8] In 2010 Riverbed Technology purchased CACE[9] and took over as the primary sponsor of Wireshark. Ethereal development has ceased, and an Ethereal security advisory recommended switching to Wireshark.[10] In 2022, Sysdig took over as the primary sponsor of Wireshark and in 2023, Sysdig established and put Wireshark into the Wireshark Foundation.[11]

Wireshark has won several industry awards over the years,[12] including eWeek,[13] InfoWorld,[14][15][16][17][18] and PC Magazine.[19] It is also the top-rated packet sniffer in the Insecure.Org network security tools survey[20] and was the SourceForge Project of the Month in August 2010.[21]

Combs continues to maintain the overall code of Wireshark and issue releases of new versions of the software. The product website lists more than 2000 contributing authors.[22]

Features

Wireshark is a data capturing program that "understands" the structure (encapsulation) of different networking protocols. It can parse and display the fields, along with their meanings as specified by different networking protocols. Wireshark uses pcap to capture packets, so it can only capture packets on the types of networks that pcap supports.

  • Data can be captured "from the wire" from a live network connection or read from a file of already-captured packets.
  • Live data can be read from different types of networks, including Ethernet, IEEE 802.11, PPP, and loopback.
  • Captured network data can be browsed via a GUI, or via the terminal (command line) version of the utility, TShark.
  • Captured files can be programmatically edited or converted via command-line switches to the "editcap" program.
  • Data display can be refined using a display filter.
  • Plug-ins can be created for dissecting new protocols.[23]
  • VoIP calls in the captured traffic can be detected. If encoded in a compatible encoding, the media flow can even be played.
  • Raw USB traffic can be captured.[24]
  • Wireless connections can also be filtered as long as they traverse the monitored Ethernet.
  • Various settings, timers, and filters can be set to provide the facility of filtering the output of the captured traffic.

Wireshark's native network trace file formats are the libpcap format read and written by libpcap, WinPcap, and Npcap, so it can exchange captured network traces with other applications that use the same format, including tcpdump and CA NetMaster, and the pcapng format read by newer versions of libpcap. It can also read captures from other network analyzers, such as snoop,[25] Network General's[26] Sniffer, and Microsoft Network Monitor.[27]

Security

Capturing raw network traffic from an interface requires elevated privileges on some platforms. For this reason, older versions of Wireshark and TShark often ran with superuser privileges. Considering the huge number of protocol dissectors that are called when traffic is captured and recognizing the possibility of a bug in a dissector, a serious security risk can be posed. Due to the rather large number of vulnerabilities in the past (of which many have allowed remote code execution) and developers' doubts for better future development, OpenBSD removed Ethereal from its ports tree prior to OpenBSD 3.6.[28]

Elevated privileges are not needed for all operations. For example, an alternative is to run tcpdump or the dumpcap utility that comes with Wireshark with superuser privileges to capture packets into a file, and later analyze the packets by running Wireshark with restricted privileges. To emulate near realtime analysis, each captured file may be merged by mergecap into a growing file processed by Wireshark. On wireless networks, it is possible to use the Aircrack wireless security tools to capture IEEE 802.11 frames and read the resulting dump files with Wireshark.

As of Wireshark 0.99.7, Wireshark and TShark run dumpcap to perform traffic capture. Platforms that require special privileges to capture traffic need only dumpcap run with those privileges. Neither Wireshark nor TShark need to or should be run with special privileges.

Color coding

Wireshark can color packets based on rules that match particular fields in packets, to help the user identify the types of traffic at a glance. A default set of rules is provided; users can change existing rules for coloring packets, add new rules, or remove rules.[29]

Simulation packet capture

Wireshark can also be used to capture packets from most network simulation tools such as ns and OPNET Modeler.[30]

See also

Notes

  1. "Wireshark – About". The Wireshark Foundation. Retrieved January 30, 2018.
  2. "Wireshark 4.0.10 is now available".
  3. "Wireshark FAQ License".
  4. "COPYING".
  5. "Wireshark FAQ". Retrieved December 31, 2011.
  6. "Gussied-up NetXRay takes on enterprise features". InfoWorld. November 17, 1997.
  7. "Q&A with the founder of Wireshark and Ethereal". Interview with Gerald Combs. protocolTesting.com. Archived from the original on March 7, 2016. Retrieved July 24, 2010.
  8. "What's up with the name change? Is Wireshark a fork?". Wireshark: Frequently Asked Questions. Retrieved November 9, 2007.
  9. "Riverbed Expands Further Into The Application-Aware Network Performance Management Market with the Acquisition of CACE Technologies". Riverbed Technology. October 21, 2010. Retrieved October 21, 2010.
  10. "enpa-sa-00024". Ethereal. November 10, 2006. Archived from the original on October 23, 2012. Retrieved June 8, 2010.
  11. Bridgwater, Adrian. "Sysdig Wireshark Foundation, We're Gonna Need A Safer Cloud". Forbes. Retrieved April 20, 2023.
  12. "Awards and Accolades". Wireshark: About. Retrieved September 20, 2010.
  13. "Wireshark". The Most Important Open-Source Apps of All Time. eWEEK. May 28, 2012. Retrieved August 12, 2012.
  14. Yager, Tom (September 10, 2007). "Best of open source in networking". InfoWorld. Retrieved December 1, 2014.
  15. "Best of open source software awards: Networking". InfoWorld. August 5, 2008. Retrieved April 28, 2015.
  16. Mobley, High (September 18, 2012). "Bossie Awards 2012: The best open source networking and security software". InfoWorld. Retrieved April 28, 2015.
  17. Ferrill, Paul (September 17, 2013). "Bossie Awards 2013: The best open source networking and security software". InfoWorld. Retrieved April 28, 2015.
  18. Garza, Victor R. (September 29, 2014). "Bossie Awards 2014: The best open source networking and security software". InfoWorld. Retrieved April 28, 2015.
  19. Lynn, Samara. "Wireshark 1.2.6". Wireshark 1.2.6 Review & Rating. PC Magazine. Retrieved September 20, 2010.
  20. "Wireshark is No. 1 of Top 14 Packet Sniffers". Insecure.Org. Retrieved August 12, 2012.
  21. "Wireshark, SourceForge Project of the Month, August 2010". SourceForge. Retrieved August 12, 2012.
  22. "Wireshark About Page". Wireshark. Retrieved March 21, 2023.
  23. "Dissector compilation example". OmniIDL. Retrieved April 18, 2013.
  24. "USB capture setup". Wireshark Wiki. Retrieved December 31, 2011.
  25. "Snoop". Wireshark. Retrieved March 21, 2023.
  26. "NETSCOUT". Wireshark. Retrieved March 21, 2023.
  27. "Microsoft Network Monitor". Wireshark. Retrieved March 21, 2023.
  28. "CVS log for ports/net/ethereal/Attic/Makefile". Openbsd.org. Retrieved March 25, 2023.
  29. "Packet colorization of Wireshark". Wireshark. Retrieved March 21, 2023.
  30. Hnatyshin, Vasil Y.; Lobo, Andrea F. "Undergraduate Data Communications and Networking Projects Using OPNET and Wireshark Software" (PDF). Rowan University. Retrieved November 15, 2021.

References

This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.