Considering the huge number of protocol dissectors that are called when traffic is captured and recognizing the possibility of a bug in a dissector, a serious security risk can be posed. For this reason, older versions of Wireshark and TShark often ran with superuser privileges. It can also read captures from other network analyzers, such as snoop, Network General's Sniffer, and Microsoft Network Monitor.Ĭapturing raw network traffic from an interface requires elevated privileges on some platforms. Wireshark's native network trace file format is the libpcap format supported by libpcap and WinPcap, so it can exchange captured network traces with other applications that use the same format, including tcpdump and CA NetMaster. Various settings, timers, and filters can be set to provide the facility of filtering the output of the captured traffic.Wireless connections can also be filtered as long as they traverse the monitored Ethernet.If encoded in a compatible encoding, the media flow can even be played. VoIP calls in the captured traffic can be detected.Plug-ins can be created for dissecting new protocols.Data display can be refined using a display filter.Captured files can be programmatically edited or converted via command-line switches to the "editcap" program.Captured network data can be browsed via a GUI, or via the terminal ( command line) version of the utility, TShark.Live data can be read from different types of networks, including Ethernet, IEEE 802.11, PPP, and loopback.Data can be captured "from the wire" from a live network connection or read from a file of already-captured packets.Wireshark uses pcap to capture packets, so it can only capture packets on the types of networks that pcap supports. It can parse and display the fields, along with their meanings as specified by different networking protocols. Wireshark is a data capturing program that "understands" the structure ( encapsulation) of different networking protocols. The product website lists almost 2000 additional contributing authors. Ĭombs continues to maintain the overall code of Wireshark and issue releases of new versions of the software. It is also the top-rated packet sniffer in the Insecure.Org network security tools survey and was the SourceForge Project of the Month in August 2010. Wireshark has won several industry awards over the years, including eWeek, InfoWorld, and PC Magazine. Ethereal development has ceased, and an Ethereal security advisory recommended switching to Wireshark.
In 2010 Riverbed Technology purchased CACE and took over as the primary sponsor of Wireshark. However, he did not own the Ethereal trademark, so he changed the name to Wireshark. Combs still held copyright on most of Ethereal's source code (and the rest was re-distributable under the GNU GPL), so he used the contents of the Ethereal Subversion repository as the basis for the Wireshark repository. In May 2006, Combs accepted a job with CACE Technologies. The Ethereal trademark is owned by Network Integration Services. The commercial protocol analysis products at the time were priced around $1500 and did not run on the company's primary platforms (Solaris and Linux), so Gerald began writing Ethereal and released the first version around 1998. In the late 1990s, Gerald Combs, a computer science graduate of the University of Missouri–Kansas City, was working for a small Internet service provider. If a remote machine captures packets and sends the captured packets to a machine running Wireshark using the TZSP protocol or the protocol used by OmniPeek, Wireshark dissects those packets, so it can analyze packets captured on a remote machine at the time that they are captured. On Linux, BSD, and macOS, with libpcap 1.0.0 or later, Wireshark 1.4 and later can also put wireless network interface controllers into monitor mode. Simple passive taps are extremely resistant to tampering. Port mirroring or various network taps extend capture to any point on the network. However, when capturing with a packet analyzer in promiscuous mode on a port on a network switch, not all traffic through the switch is necessarily sent to the port where the capture is done, so capturing in promiscuous mode is not necessarily sufficient to see all network traffic. Wireshark lets the user put network interface controllers into promiscuous mode (if supported by the network interface controller), so they can see all the traffic visible on that interface including unicast traffic not sent to that network interface controller's MAC address. Wireshark is very similar to tcpdump, but has a graphical front-end and integrated sorting and filtering options.