What is Wireshark?

Wireshark is a popular, free and open-source packet capture tool that enables network and security administrators to take a “deep dive” analysis into traffic moving through a network.

Wireshark can be deployed for a variety of purposes including sniffing out security issues, troubleshooting network performance problems, traffic optimization, or as part of the application development and testing process.

What Does Wireshark Do?

Wireshark is primarily used to capture packets of data moving through a network. The tool allows users to put network interface controllers (NICs) into promiscuous mode to observe most traffic, even unicast traffic, which is not sent to a controller’s MAC address. However, doing this normally requires superuser permissions and may be restricted on some networks.

Even without that ability, Wireshark is able to sniff out most packets flowing through a network, no matter the OS, the networking protocol, encryption method or file format.

Wireshark was initially written to run on Solaris and Linux, but now runs on virtually all operating systems including Windows and macOS. The source code is also available for those who want to modify Wireshark to run within a unique environment. All versions of Wireshark and the source code are fully open source and can be downloaded for free.

The tool can read, in real-time, data flowing through a network or device using all the common protocols: wired Ethernet, wireless IEEE 802.11, WAN protocol PPP/HDLC, Bluetooth, USB, etc.

For encrypted traffic, Wireshark offers automatic decryption and support for many protocols including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP and WPA/WPA2.

As of the most recent version of Wireshark, most capture file formats are also supported so that traffic can be later analyzed. This includes tcpdump (libpcap), Pcap NG, Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer (compressed and uncompressed), Sniffer Pro, NetXray, Network Instruments Observer, NetScreen snoop, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets, EtherPeek, TokenPeek, AiroPeek and others. Output can also be exported to XML, PostScript, CSV or plain text files.

Is Wireshark easy to use?

There are two different versions of the tool. The TShark utility version uses a command-line type interface with no graphics. The more popular Wireshark version has a graphical user interface and is designed to be able to be used by people with various skill levels, not just experts or programmers. Wireshark is currently on version 3.6.5, and a separate development version, numbered 3.7.0, is currently being worked on by the community.

The fact that Wireshark is a free and open source program certainly contributes to its legacy as one of the most popular tools of its type being used today. But the graphical interface is also a big draw, especially for those who are not trained how to use, or who simply don’t like, the command line type interfaces found on many utility programs.

While data about all packets and network traffic is available for later analysis, the graphical user interface enables users to sit back and watch packets flowing through their networks in real time. And the interface itself is configurable.

Wireshark can be set to color-code specific packets based on rules that match particular fields in packets. At a high level, this could help to separate different packet types which would show how a network is being utilized. For example, voice over IP (VOIP) data could be set to one color in the interface, while encrypted data packets could be designated as another. Wireshark provides a comprehensive set of rules for coloring packets while also letting users set up their own and modify those defaults.

At a higher level, Wireshark could be used to find and highlight very specific packets, such as those that match a known attack pattern. This makes it a useful tool in threat hunting, with specific packets highlighted in red (or whatever color a user wants) to alert investigators about their presence within the network.

Who created Wireshark?

The tool was originally created by Gerald Combs in 1998. At the time, he was working for a small Internet Service Provider (ISP) and needed a way to analyze and optimize the traffic being generated by the many tenants of that ISP.

Packet and traffic analyzers existed back in 1998, but most of them cost around $1,500, which was too expensive for his company to buy for him. Plus, most commercial tools did not support Solaris and Linux, which were the primary server types used by that ISP.

Since the commercial programs were either too expensive or didn’t have the correct features, Combs decided to create his own tool to help analyze and improve network traffic.

What is Ethereal?

Wireshark was originally called Ethereal. However, even though Combs owned the source code, he did not hold the copyright to the name, which was held by Network Integration Services.

When he switched jobs in 2006, he used most of the source code to create Wireshark, changing the name because of the copyright issue. For a time, both Ethereal and Wireshark development continued in tandem. However, work on Ethereal has since stopped, and an Ethereal security bulletin posted online now recommends that users switch over to Wireshark.

While Combs still plays a very active role in the development of Wireshark, much of the work today has been passed over to an active community of developers and programmers who support the tool. That effort is similar to ones that support other wildly popular open-source network tools, like Nmap.

The Wireshark community even hosts a yearly SharkFest event to discuss and celebrate new advancements in the open source utility tool. The most recent SharkFest convention, in September of 2021, was virtual, and Combs was the keynote speaker.

The Future of Wireshark

While Combs is still very active in advancing the tool and keeping it relevant, it’s also clear that the development of Wireshark has probably moved beyond what a single programmer could do, at least quickly.

Thankfully for Wireshark, a vibrant community of talented programmers has stepped up to help keep the 24-year old tool not just relevant, but in many cases cemented it as the top tool used for packet capture and traffic analysis today. The author page for Wireshark now lists hundreds of names.

And not everyone within the Wireshark community is a programmer. According to the Wireshark website, most community members are divided up into three groups. First there are the developers who add value to the project through improving Wireshark and its associated services. Next are the educators who teach people how to use Wireshark and analyze networks. And finally, the community is made up of users who use Wireshark to learn about and analyze their networks.

The Wireshark community is very active, and unlike some other online communities, puts a strong emphasis on enforcing a code of conduct among its members. Far from being restrictive, the code of conduct seems to be embraced by the user community, which is probably one of the reasons why the Wireshark community continues to flourish and grow.

The community is also supported and kept informed about developments in the program through blogs and various social media platforms like Twitter. And even though the application is open source and free to download and use, Wireshark is also supported by a few corporate sponsors that contribute to educational and outreach programs through the Wireshark Foundation.

The combination of having an extremely useful and efficient tool, an easy-to-use graphical interface and an active community of programmers, educators and users ensures that Wireshark is able to keep up with the times..