Chapter 1. Introduction

Table of Contents

1.1. What is Wireshark?
1.1.1. Some intended purposes
1.1.2. Features
1.1.3. Live capture from many different network media
1.1.4. Import files from many other capture programs
1.1.5. Export files for many other capture programs
1.1.6. Many protocol decoders
1.1.7. Open Source Software
1.1.8. What Wireshark is not
1.2. System Requirements
1.2.1. General Remarks
1.2.2. Microsoft Windows
1.2.3. Unix / Linux
1.3. Where to get Wireshark?
1.4. A brief history of Wireshark
1.5. Development and maintenance of Wireshark
1.6. Reporting problems and getting help
1.6.1. Website
1.6.2. Wiki
1.6.3. Q&A Forum
1.6.4. FAQ
1.6.5. Mailing Lists
1.6.6. Reporting Problems
1.6.7. Reporting Crashes on UNIX/Linux platforms
1.6.8. Reporting Crashes on Windows platforms

1.1. What is Wireshark?

Wireshark is a network packet analyzer. A network packet analyzer will try to capture network packets and tries to display that packet data as detailed as possible.

You could think of a network packet analyzer as a measuring device used to examine what's going on inside a network cable, just like a voltmeter is used by an electrician to examine what's going on inside an electric cable (but at a higher level, of course).

In the past, such tools were either very expensive, proprietary, or both. However, with the advent of Wireshark, all that has changed.

Wireshark is perhaps one of the best open source packet analyzers available today.

1.1.1. Some intended purposes

Here are some examples people use Wireshark for:

  • network administrators use it to troubleshoot network problems

  • network security engineers use it to examine security problems

  • developers use it to debug protocol implementations

  • people use it to learn network protocol internals

Beside these examples, Wireshark can be helpful in many other situations too.

1.1.2. Features

The following are some of the many features Wireshark provides:

  • Available for UNIX and Windows.

  • Capture live packet data from a network interface.

  • Open files containing packet data captured with tcpdump/WinDump, Wireshark, and a number of other packet capture programs.

  • Import packets from text files containing hex dumps of packet data.

  • Display packets with very detailed protocol information.

  • Save packet data captured.

  • Export some or all packets in a number of capture file formats.

  • Filter packets on many criteria.

  • Search for packets on many criteria.

  • Colorize packet display based on filters.

  • Create various statistics.

  • ... and a lot more!

However, to really appreciate its power, you have to start using it.

Figure 1.1, “ Wireshark captures packets and allows you to examine their content. ” shows Wireshark having captured some packets and waiting for you to examine them.

Figure 1.1.  Wireshark captures packets and allows you to examine their content.

Wireshark captures packets and allows you to examine their content.

1.1.3. Live capture from many different network media

Wireshark can capture traffic from many different network media types - and despite its name - including wireless LAN as well. Which media types are supported, depends on many things like the operating system you are using. An overview of the supported media types can be found at:

1.1.4. Import files from many other capture programs

Wireshark can open packets captured from a large number of other capture programs. For a list of input formats see Section 5.2.2, “Input File Formats”.

1.1.5. Export files for many other capture programs

Wireshark can save packets captured in a large number of formats of other capture programs. For a list of output formats see Section 5.3.2, “Output File Formats”.

1.1.6. Many protocol decoders

There are protocol decoders (or dissectors, as they are known in Wireshark) for a great many protocols: see Appendix B, Protocols and Protocol Fields.

1.1.7. Open Source Software

Wireshark is an open source software project, and is released under the GNU General Public License (GPL). You can freely use Wireshark on any number of computers you like, without worrying about license keys or fees or such. In addition, all source code is freely available under the GPL. Because of that, it is very easy for people to add new protocols to Wireshark, either as plugins, or built into the source, and they often do!

1.1.8. What Wireshark is not

Here are some things Wireshark does not provide:

  • Wireshark isn't an intrusion detection system. It will not warn you when someone does strange things on your network that he/she isn't allowed to do. However, if strange things happen, Wireshark might help you figure out what is really going on.

  • Wireshark will not manipulate things on the network, it will only "measure" things from it. Wireshark doesn't send packets on the network or do other active things (except for name resolutions, but even that can be disabled).