Wireshark

Original author(s): Gerald Combs [1]
Developer(s): The Wireshark team
Initial release: 1998
Stable release: 4.2.4 [2] / 27 March 2024
Written in: C, C++, Lua
Operating system: Cross-platform
Type: Packet analyzer
License: GPL-2.0-or-later [3] [4]
Website: www.wireshark.org

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Originally named Ethereal, the project was renamed Wireshark in May 2006 due to trademark issues. [5]


Wireshark is cross-platform, using the Qt widget toolkit in current releases to implement its user interface, and using pcap to capture packets; it runs on Linux, macOS, BSD, Solaris, some other Unix-like operating systems, and Microsoft Windows. There is also a terminal-based (non-GUI) version called TShark. Wireshark, and the other programs distributed with it such as TShark, are free software, released under the terms of the GNU General Public License version 2 or any later version.

Functionality

Wireshark is very similar to tcpdump, but has a graphical front-end and integrated sorting and filtering options.

Wireshark lets the user put network interface controllers into promiscuous mode (if supported by the network interface controller), so they can see all the traffic visible on that interface, including unicast traffic not sent to that network interface controller's MAC address. However, when capturing with a packet analyzer in promiscuous mode on a port of a network switch, not all traffic through the switch is necessarily sent to the port where the capture is done, so capturing in promiscuous mode is not necessarily sufficient to see all network traffic. Port mirroring or various network taps extend capture to any point on the network. Simple passive taps are extremely resistant to tampering [citation needed].

On Linux, BSD, and macOS, with libpcap 1.0.0 or later, Wireshark 1.4 and later can also put wireless network interface controllers into monitor mode.

If a remote machine captures packets and sends the captured packets to a machine running Wireshark using the TZSP protocol or the protocol used by OmniPeek, Wireshark dissects those packets, so it can analyze packets captured on a remote machine at the time that they are captured.

History

In the late 1990s, Gerald Combs, a computer science graduate of the University of Missouri–Kansas City, was working for a small Internet service provider. The commercial protocol analysis products at the time were priced around $1500 [6] and did not run on the company's primary platforms (Solaris and Linux), so Gerald began writing Ethereal and released the first version around 1998. [7] The Ethereal trademark is owned by Network Integration Services.

In May 2006, Combs accepted a job with CACE Technologies with Loris Degioanni. Combs still held copyright on most of Ethereal's source code (and the rest was re-distributable under the GNU GPL), so he used the contents of the Ethereal Subversion repository as the basis for the Wireshark repository. However, he did not own the Ethereal trademark, so he changed the name to Wireshark. [8] In 2010 Riverbed Technology purchased CACE [9] and took over as the primary sponsor of Wireshark. Ethereal development has ceased, and an Ethereal security advisory recommended switching to Wireshark. [10] In 2022, Sysdig took over as the primary sponsor of Wireshark and in 2023, Sysdig established and put Wireshark into the Wireshark Foundation. [11]

Wireshark has won several industry awards over the years, [12] including eWeek, [13] InfoWorld, [14] [15] [16] [17] [18] and PC Magazine. [19] It is also the top-rated packet sniffer in the Insecure.Org network security tools survey [20] and was the SourceForge Project of the Month in August 2010. [21]

Combs continues to maintain the overall code of Wireshark and issue releases of new versions of the software. The product website lists more than 2000 contributing authors. [22]

Features

Wireshark is a data capturing program that "understands" the structure (encapsulation) of different networking protocols. It can parse and display the fields, along with their meanings as specified by different networking protocols. Wireshark uses pcap to capture packets, so it can only capture packets on the types of networks that pcap supports.

Wireshark's native network trace file formats are the libpcap format read and written by libpcap, WinPcap, and Npcap, so it can exchange captured network traces with other applications that use the same format, including tcpdump and CA NetMaster, and the pcapng format read by newer versions of libpcap. It can also read captures from other network analyzers, such as snoop, [25] Network General's [26] Sniffer, and Microsoft Network Monitor. [27]

Security

Capturing raw network traffic from an interface requires elevated privileges on some platforms. For this reason, older versions of Wireshark and TShark often ran with superuser privileges. Given the huge number of protocol dissectors invoked on captured traffic, a bug in any one of them poses a serious security risk when the analyzer runs with those privileges. Because of the rather large number of past vulnerabilities (many of which allowed remote code execution) and the developers' doubts about better future development, OpenBSD removed Ethereal from its ports tree prior to OpenBSD 3.6. [28]

Elevated privileges are not needed for all operations. For example, an alternative is to run tcpdump, or the dumpcap utility that comes with Wireshark, with superuser privileges to capture packets into a file, and later analyze the packets by running Wireshark with restricted privileges. To emulate near-real-time analysis, each captured file may be merged by mergecap into a growing file processed by Wireshark. On wireless networks, it is possible to use the Aircrack wireless security tools to capture IEEE 802.11 frames and read the resulting dump files with Wireshark.

As of Wireshark 0.99.7, Wireshark and TShark run dumpcap to perform traffic capture. Platforms that require special privileges to capture traffic need only dumpcap run with those privileges. Neither Wireshark nor TShark need to or should be run with special privileges.
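The libpcap file format named under Features and the mergecap-style merging described in the Security section, as an added example that is not Wireshark's own code: a parser for the libpcap format that bounds-checks every length field (a capture file is untrusted input, the same concern that motivates keeping the analyzer unprivileged), handles both byte orders and both timestamp resolutions, and a merge that interleaves several captures by timestamp. The frames and capture files are constructed inline; the constant and function names are this example's own.

```python
import struct

PCAP_MAGIC_USEC = 0xA1B2C3D4  # classic libpcap magic: microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D  # nanosecond-resolution variant of the format
LINKTYPE_ETHERNET = 1

def parse_pcap(data):
    """Parse a libpcap capture into (linktype, [(ts_ns, payload, orig_len), ...]).
    Every length field is checked before use: an unchecked incl_len is the class
    of parser defect that makes running an analyzer with privileges risky."""
    if len(data) < 24:
        raise ValueError("truncated global header")
    endian = None
    for cand in ("<", ">"):                      # byte order is given by the magic
        magic = struct.unpack(cand + "I", data[:4])[0]
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            endian = cand
            break
    if endian is None:
        raise ValueError("not a libpcap file (bad magic)")
    frac_scale = 1000 if magic == PCAP_MAGIC_USEC else 1   # fraction -> nanoseconds
    _maj, _min, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    records, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if incl_len > snaplen or incl_len > orig_len or off + incl_len > len(data):
            raise ValueError("bad record length at offset %d" % (off - 16))
        records.append((ts_sec * 10**9 + ts_frac * frac_scale, data[off:off + incl_len], orig_len))
        off += incl_len
    return linktype, records

def build_pcap(records, endian="<", magic=PCAP_MAGIC_USEC, snaplen=65535):
    """Write a libpcap file from (ts_sec, ts_frac, payload) tuples."""
    out = struct.pack(endian + "IHHiIII", magic, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for ts_sec, ts_frac, payload in records:
        out += struct.pack(endian + "IIII", ts_sec, ts_frac, len(payload), len(payload)) + payload
    return out

def merge_pcaps(captures):
    """mergecap-style merge: interleave records by timestamp into one little-endian usec file."""
    merged = []
    for cap in captures:
        merged.extend(parse_pcap(cap)[1])
    merged.sort(key=lambda rec: rec[0])
    return build_pcap([(ts // 10**9, (ts % 10**9) // 1000, p) for ts, p, _ in merged])

# Constructed sample frames (not real traffic): 14-byte Ethernet header + 4 payload bytes.
FRAME_ARP = bytes.fromhex("ffffffffffff020000000001" "0806") + b"A" * 4
FRAME_IP = bytes.fromhex("020000000002020000000001" "0800") + b"B" * 4
# Two constructed captures: little-endian/usec and big-endian/nsec, as a parser must handle both.
CAPTURE_1 = build_pcap([(1000, 500, FRAME_ARP), (1000, 2000, FRAME_ARP)])
CAPTURE_2 = build_pcap([(1000, 1_000_000, FRAME_IP)], endian=">", magic=PCAP_MAGIC_NSEC)

if __name__ == "__main__":
    for ts_ns, payload, _ in parse_pcap(merge_pcaps([CAPTURE_1, CAPTURE_2]))[1]:
        ethertype = int.from_bytes(payload[12:14], "big")
        print("%d.%09d  %2d bytes  ethertype 0x%04x" % (ts_ns // 10**9, ts_ns % 10**9, len(payload), ethertype))
```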

Color coding

Wireshark can color packets based on rules that match particular fields in packets, to help the user identify the types of traffic at a glance. A default set of rules is provided; users can change existing rules for coloring packets, add new rules, or remove rules. [29]

Simulation packet capture

Wireshark can also be used to capture packets from most network simulation tools such as ns and OPNET Modeler. [30]

Notes

  1. "Wireshark – About". The Wireshark Foundation. Retrieved January 30, 2018.
  2. "Wireshark-announce: [Wireshark-announce] Wireshark 4.2.4 is now available". March 27, 2024. Retrieved March 27, 2024.
  3. "Wireshark FAQ License".
  4. "COPYING". July 20, 2022.
  5. "Wireshark FAQ". Retrieved December 31, 2011.
  6. "Gussied-up NetXRay takes on enterprise features". InfoWorld. November 17, 1997.
  7. "Q&A with the founder of Wireshark and Ethereal". Interview with Gerald Combs. protocolTesting.com. Archived from the original on March 7, 2016. Retrieved July 24, 2010.
  8. "What's up with the name change? Is Wireshark a fork?". Wireshark: Frequently Asked Questions. Retrieved November 9, 2007.
  9. "Riverbed Expands Further Into The Application-Aware Network Performance Management Market with the Acquisition of CACE Technologies". Riverbed Technology. October 21, 2010. Retrieved October 21, 2010.
  10. "enpa-sa-00024". Ethereal. November 10, 2006. Archived from the original on October 23, 2012. Retrieved June 8, 2010.
  11. Bridgwater, Adrian. "Sysdig Wireshark Foundation, We're Gonna Need A Safer Cloud". Forbes. Retrieved April 20, 2023.
  12. "Awards and Accolades". Wireshark: About. Retrieved September 20, 2010.
  13. "Wireshark". The Most Important Open-Source Apps of All Time. eWEEK. May 28, 2012. Retrieved August 12, 2012.
  14. Yager, Tom (September 10, 2007). "Best of open source in networking". InfoWorld. Retrieved December 1, 2014.
  15. "Best of open source software awards: Networking". InfoWorld. August 5, 2008. Retrieved April 28, 2015.
  16. Mobley, High (September 18, 2012). "Bossie Awards 2012: The best open source networking and security software". InfoWorld. Retrieved April 28, 2015.
  17. Ferrill, Paul (September 17, 2013). "Bossie Awards 2013: The best open source networking and security software". InfoWorld. Retrieved April 28, 2015.
  18. Garza, Victor R. (September 29, 2014). "Bossie Awards 2014: The best open source networking and security software". InfoWorld. Retrieved April 28, 2015.
  19. Lynn, Samara. "Wireshark 1.2.6". Wireshark 1.2.6 Review & Rating. PC Magazine. Retrieved September 20, 2010.
  20. "Wireshark is No. 1 of Top 14 Packet Sniffers". Insecure.Org. Retrieved August 12, 2012.
  21. "Wireshark, SourceForge Project of the Month, August 2010". SourceForge. August 2, 2010. Retrieved August 12, 2012.
  22. "Wireshark About Page". Wireshark. Retrieved March 21, 2023.
  23. "Dissector compilation example". OmniIDL. Retrieved April 18, 2013.
  24. "USB capture setup". Wireshark Wiki. Retrieved December 31, 2011.
  25. "Snoop". Wireshark. Archived from the original on March 21, 2023. Retrieved March 21, 2023.
  26. "NETSCOUT". Wireshark. Retrieved March 21, 2023.
  27. "Microsoft Network Monitor". Wireshark. Retrieved March 21, 2023.
  28. "CVS log for ports/net/ethereal/Attic/Makefile". Openbsd.org. Retrieved March 25, 2023.
  29. "Packet colorization of Wireshark". Wireshark. Retrieved March 21, 2023.
  30. Hnatyshin, Vasil Y.; Lobo, Andrea F. "Undergraduate Data Communications and Networking Projects Using OPNET and Wireshark Software" (PDF). Rowan University. Retrieved November 15, 2021.