Wireshark is a network packet analyzer. A network packet
analyzer will try to capture network packets and tries to display
that packet data as detailed as possible.
You could think of a network packet analyzer as a measuring device used to
examine what's going on inside a network cable, just like a voltmeter is
used by an electrician to examine what's going on inside an electric cable
(but at a higher level, of course).
In the past, such tools were either very expensive, proprietary, or both.
However, with the advent of Wireshark, all that has changed.
Wireshark is perhaps one of the best open
source packet analyzers available today.
1.1.1. Some intended purposes
Here are some examples people use Wireshark for:
-
network administrators use it to
troubleshoot network
problems
-
network security engineers use it to
examine security
problems
-
developers use it to
debug protocol implementations
-
people use it to
learn network protocol
internals
Beside these examples, Wireshark can be helpful in many other situations
too.
The following are some of the many features Wireshark provides:
-
Available for
UNIX
and
Windows
.
-
Capture
live packet data from a network interface.
-
Display packets with
very detailed protocol information
.
-
Open and Save
packet data captured.
-
Import and Export
packet data from and to a lot of
other capture programs.
-
Filter packets
on many criteria.
-
Search
for packets on many criteria.
-
Colorize
packet display based on filters.
-
Create various
statistics
.
-
... and
a lot more!
However, to really appreciate its power, you have to start using it.
Figure 1.1, “
Wireshark captures packets and allows
you to examine their content.
” shows Wireshark
having captured some packets and waiting for you to examine
them.
1.1.3. Live capture from many different network media
Wireshark can capture traffic from many different network media types
- and despite its name - including wireless LAN as well.
Which media types are supported, depends on many things like the
operating system you are using.
An overview of the supported media types can be found at:
https://wiki.wireshark.org/CaptureSetup/NetworkMedia.
1.1.4. Import files from many other capture programs
Wireshark can open packets captured from a large number of
other capture programs. For a list of input formats see
Section 5.2.2, “Input File Formats”.
1.1.5. Export files for many other capture programs
Wireshark can save packets captured in a large number of formats of
other capture programs. For a list of output formats see
Section 5.3.2, “Output File Formats”.
1.1.7. Open Source Software
Wireshark is an open source software project, and is released under
the GNU General Public License (GPL).
You can freely use Wireshark on any number of computers you like, without
worrying about license keys or fees or such. In addition, all source
code is freely available under the GPL. Because of that, it is very easy
for people to add new protocols to Wireshark, either as plugins, or built
into the source, and they often do!
1.1.8. What Wireshark is not
Here are some things Wireshark does not provide:
-
Wireshark isn't an intrusion detection system. It will not warn you when
someone does strange things on your network that he/she isn't allowed to
do. However, if strange things happen, Wireshark might help you figure
out what is really going on.
-
Wireshark will not manipulate things on the network, it will only
"measure" things from it. Wireshark doesn't send packets on the network
or do other active things (except for name resolutions, but even
that can be disabled).
