WIRESHARK

Wireshark is a free packet sniffer computer application. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Originally named Ethereal, in May 2006 the project was renamed Wireshark due to trademark issues.

The functionality

Wireshark is very similar to tcpdump, but it has a graphical front-end, and many more information sorting and filtering options. It allows the user to see all traffic being passed over the network (usually an Ethernet network but support is being added for others) by putting the network interface into promiscuous mode.

Wireshark uses the cross-platform GTK+ widget toolkit, and is cross-platform, running on various computer operating systems including Linux, Mac OS X, and Microsoft Windows. Released under the terms of the GNU General Public License, Wireshark is free software.

History

Out of necessity, Gerald Combs (a computer science graduate of the University of Missouri-Kansas City) started writing a program called Ethereal so that he could have a tool to capture and analyze packets; he released the first version around 1998. As of now there are over 500 contributing authors while Gerald continues to maintain the overall code and issues releases of new versions; the entire list of authors is available from Wireshark's web-site.

The name was changed to Wireshark in May, 2006, because creator and lead developer Gerald Combs could not keep using the Ethereal trademark (which was then owned by his old employer, Network Integration Services) when he changed jobs. He still held copyright on most of the source code (and the rest was redistributable under the GNU GPL), so he took the Subversion repository for Ethereal and used it as the basis for the Subversion repository of Wireshark.

Ethereal development has ceased, and an Ethereal security advisory recommended switching to Wireshark.eWEEK Labs named Wireshark one of "The Most Important Open-Source Apps of All Time" as of May 2, 2007.

Features

Wireshark is software that "understands" the structure of different networking protocols. Thus, it is able to display the encapsulation and the fields along with their meanings of different packets specified by different networking protocols. Wireshark uses pcap to capture packets, so it can only capture the packets on the networks supported by pcap.

Data can be captured "from the wire" from a live network connection or read from a file that records the already-captured packets.

Live data can be read from a number of types of network, including Ethernet, IEEE 802.11, PPP, and loopback.

Captured network data can be browsed via a GUI, or via the terminal (command line) version of the utility, tshark.

Captured files can be programmatically edited or converted via command-line switches to the "editcap" program.

Data display can be refined using a display filter.

Plugins can be created for dissecting new protocols.

Wireshark's native network trace file format is the libpcap format supported by libpcap and WinPcap, so it can read capture files from applications such as tcpdump and CA NetMaster that use that format. It can also read captures from other network analyzers, such as snoop, Network General's Sniffer, and Microsoft Network Monitor.

Security

Capturing raw network traffic from an interface requires special privileges on some platforms. For this reason, older versions of Ethereal/Wireshark and tethereal/tshark often ran with superuser privileges. Taking into account the huge number of protocol dissectors, which are called when traffic for their protocol is captured, this can pose a serious security risk given a bug in a dissector. Due to the rather large number of vulnerabilities in the past (of which many have allowed remote code execution) and developers' doubts for better future development, OpenBSD removed Ethereal from its ports tree prior to its 3.6 release.[4]

One possible alternative is to run tcpdump, or the dumpcap utility that comes with Wireshark, with superuser privileges to capture packets into a file, and later analyze these packets by running Wireshark with restricted privileges on the packet capture dump file. On wireless networks, it is possible to use the Aircrack wireless security tools to capture IEEE 802.11 frames and read the resulting dump files with Wireshark.

As of Wireshark 0.99.7, Wireshark and tshark run dumpcap to do traffic capture. On platforms where special privileges are needed to capture traffic, only dumpcap needs to be set up to run with those special privileges - neither Wireshark nor tshark need to run with special privileges, and neither of them should be run with special privileges.

Ports

Wireshark runs on Unix and Unix-like systems, including Linux, Solaris, HP-UX, FreeBSD, NetBSD, OpenBSD and Mac OS X, and on Microsoft Windows.