Wireshark

Updated: 12/31/2020 by Computer Hope
Wireshark opening menu.

Wireshark is a network packet analyzer used for capturing (sniffing) packets flowing across a computer network in addition to those that are moving to and from your computer. Packet sniffing is primarily used for legitimate purposes such as network troubleshooting or traffic monitoring.

Wireshark is an open-source project licensed under the GPL (GNU General Public License), which means users can run it on multiple computers free of charge and can view or modify the source code. It features a plug-in system, so users can create new Wireshark features for others to use.

A network packet analyzer lets you see what is happening inside a network cable, much as an electrician uses a voltmeter to check what is happening inside an electrical wire. In the past, such tools were either very expensive, proprietary, or both. With the emergence of Wireshark, the average user's ability to monitor and analyze network traffic increased significantly.

Below is an example of Wireshark capturing live data.

Wireshark capture

Wireshark and Ethereal history

Gerald Combs began developing Wireshark, originally known as Ethereal, in 1997, and it was first released in 1998 with some instability. Ethereal was renamed Wireshark in 2006 because of trademark issues.

Features of Wireshark

Wireshark can dissect the structure of many network protocols, including one protocol encapsulated inside another, and displays each field and its value as defined by the protocol. To retrieve packets, Wireshark uses the pcap API (application programming interface): libpcap on Unix-like systems, or Npcap on Windows 7 and later.

Features of Wireshark include:

  • Capture live network traffic data and save it for offline analysis.
  • Read capture files created by tcpdump/WinDump for analysis.
  • Import and analyze hex dumps of packet data.
  • Provide in-depth information and explanation of packet data.
  • Export all packets, or a filtered subset, to various capture file formats.

Why is Wireshark used?

Here are some reasons why people use Wireshark:

  • Network operators use it to troubleshoot network issues by capturing network traffic and viewing the packets.
  • Students can use it as a tool for learning and understanding the internals of network protocols.
  • Network security experts use Wireshark to analyze and identify security issues.
  • QA (quality assurance) developers use it for network application verification.
  • Developers can use it to debug software that communicates on a network.

What Wireshark doesn't do

  • Wireshark is not an IDS (intrusion detection system) that alerts users when security events such as intrusions occur in the users' network. However, if data was captured during the event, it can be used as a forensic tool to identify what happened.
  • Wireshark doesn't control or affect network traffic; it only measures and observes it. Wireshark does not send network packets of any kind.
