Wireshark is a network packet analyzer. A network packet analyzer presents captured packet data in as much detail as possible.
You could think of a network packet analyzer as a measuring device for examining what’s happening inside a network cable, just like an electrician uses a voltmeter for examining what’s happening inside an electric cable (but at a higher level, of course).
In the past, such tools were either very expensive, proprietary, or both. However, with the advent of Wireshark, that has changed. Wireshark is available for free, is open source, and is one of the best packet analyzers available today.
Here are some reasons people use Wireshark:
- Network administrators use it to troubleshoot network problems
- Network security engineers use it to examine security problems
- QA engineers use it to verify network applications
- Developers use it to debug protocol implementations
- People use it to learn network protocol internals
Wireshark can also be helpful in many other situations.
The following are some of the many features Wireshark provides:
- Available for UNIX and Windows.
- Capture live packet data from a network interface.
- Open files containing packet data captured with tcpdump/WinDump, Wireshark, and many other packet capture programs.
- Import packets from text files containing hex dumps of packet data.
- Display packets with very detailed protocol information.
- Save packet data captured.
- Export some or all packets in a number of capture file formats.
- Filter packets on many criteria.
- Search for packets on many criteria.
- Colorize packet display based on filters.
- Create various statistics.
- …and a lot more!
However, to really appreciate its power you have to start using it.
Figure 1.1, “Wireshark captures packets and lets you examine their contents.” shows Wireshark having captured some packets and waiting for you to examine them.
Figure 1.1. Wireshark captures packets and lets you examine their contents.
Wireshark can capture traffic from many different network media types, including Ethernet, Wireless LAN, Bluetooth, USB, and more. The specific media types supported may be limited by several factors, including your hardware and operating system. An overview of the supported media types can be found at https://wiki.wireshark.org/CaptureSetup/NetworkMedia.
Wireshark can open packet captures from a large number of capture programs. For a list of input formats see Section 5.2.2, “Input File Formats”.
Wireshark can save captured packets in many formats, including those used by other capture programs. For a list of output formats see Section 5.3.2, “Output File Formats”.
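The two interchange formats mentioned above (tcpdump-style capture files and text hex dumps) are simple enough to produce by hand, which is useful when you need to hand a colleague a minimal reproduction or feed a captured byte string into Wireshark. The following script is an added example, not part of the User’s Guide or of the Wireshark code base: it builds one constructed Ethernet/IPv4/UDP frame with made-up addresses, writes it as a classic libpcap file (the format tcpdump writes and Wireshark opens), reads that file back while honouring the byte order announced by the magic number, and also emits the same frame as an `od -A x -t x1` style hex dump that `text2pcap` and Wireshark’s File › Import from Hex Dump accept. The file names `sample.pcap` and `sample.txt` are arbitrary.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4      # libpcap magic number (microsecond timestamps)
LINKTYPE_ETHERNET = 1        # link-layer header type for Ethernet frames


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071). The checksum field
    must be zero on input; run over a finished header the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp_packet(payload: bytes = b"ping") -> bytes:
    """Constructed Ethernet II / IPv4 / UDP frame. Addresses and ports are
    made-up sample values, not taken from any real capture."""
    eth = (bytes.fromhex("020000000002")            # destination MAC
           + bytes.fromhex("020000000001")          # source MAC
           + struct.pack("!H", 0x0800))             # EtherType IPv4
    udp_len = 8 + len(payload)
    # UDP checksum 0 means "not computed", which IPv4 permits.
    udp = struct.pack("!HHHH", 40000, 53, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + udp_len, 0x1234, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return eth + ip + udp


def write_pcap(packets, big_endian: bool = False) -> bytes:
    """Serialize frames as a classic libpcap file: a 24-byte global header
    followed by a 16-byte record header plus data for every packet."""
    end = ">" if big_endian else "<"
    out = struct.pack(end + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, pkt in enumerate(packets):
        # Constructed timestamps: one second apart, starting at the epoch.
        out += struct.pack(end + "IIII", i, 0, len(pkt), len(pkt)) + pkt
    return out


def read_pcap(data: bytes):
    """Parse a libpcap file. The magic number, read little-endian, reveals
    the writer's byte order; every later field is decoded in that order."""
    (magic_le,) = struct.unpack("<I", data[:4])
    if magic_le == PCAP_MAGIC:
        end = "<"
    elif magic_le == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a libpcap file (magic %#x)" % magic_le)
    _, _major, _minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(end + "IHHiIII", data[:24])
    records = []
    pos = 24
    while pos + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(end + "IIII", data[pos:pos + 16])
        pos += 16
        # Reject records whose declared length exceeds snaplen or runs past EOF.
        if incl_len > snaplen or pos + incl_len > len(data):
            raise ValueError("truncated or corrupt record at offset %d" % (pos - 16))
        records.append((ts_sec, ts_usec, data[pos:pos + incl_len]))
        pos += incl_len
    return linktype, records


def to_hexdump(pkt: bytes) -> str:
    """Hex dump in the layout text2pcap and Wireshark's hex-dump import read:
    a hex offset, then one space-separated hex byte per column. A line with
    offset 0 begins a new packet, so several dumps can be concatenated."""
    lines = []
    for off in range(0, len(pkt), 16):
        chunk = pkt[off:off + 16]
        lines.append("%06x  %s" % (off, " ".join("%02x" % b for b in chunk)))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    frame = build_udp_packet()
    with open("sample.pcap", "wb") as f:        # open with Wireshark or tcpdump -r
        f.write(write_pcap([frame]))
    with open("sample.txt", "w") as f:          # text2pcap sample.txt out.pcap
        f.write(to_hexdump(frame))
    print("wrote sample.pcap and sample.txt (%d-byte frame)" % len(frame))
```

Both outputs describe the same 46-byte frame; opening `sample.pcap` in Wireshark and importing `sample.txt` through the hex-dump dialog should dissect identically, which is a quick way to confirm that a hand-built packet is well formed before relying on it in a test.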
There are protocol dissectors (or decoders, as they are known in other products) for a great many protocols: see Appendix C, Protocols and Protocol Fields.
Wireshark is an open source software project, and is released under the GNU General Public License (GPL). You can freely use Wireshark on any number of computers you like, without worrying about license keys or fees or such. In addition, all source code is freely available under the GPL. Because of that, it is very easy for people to add new protocols to Wireshark, either as plugins, or built into the source, and they often do!
Here are some things Wireshark does not provide:
- Wireshark isn’t an intrusion detection system. It will not warn you when someone does strange things on your network that he/she isn’t allowed to do. However, if strange things happen, Wireshark might help you figure out what is really going on.
- Wireshark will not manipulate things on the network, it will only “measure” things from it. Wireshark doesn’t send packets on the network or do other active things (except domain name resolution, but that can be disabled).