Wireshark is the world's most popular network protocol analyzer. It is used for troubleshooting, analysis, development, and education. Wireshark development thrives thanks to the contributions of networking experts across the globe. It is the continuation of a project that started in 1998. Deep inspection of hundreds of protocols, with more being added all the time. Live capture and offline analysis. Standard three-pane packet browser.
Wireshark, a network analysis tool formerly known as Ethereal, captures packets in real time and display them in human-readable format. Wireshark includes filters, color-coding and other features that let you dig deep into network traffic and inspect individual packets.
For example, if you want to capture traffic on the wireless network, click your wireless interface. You can configure advanced features by clicking Capture Options. As soon as you click the interface??™s name, you??™ll see the packets start to appear in real time. Wireshark captures each packet sent to or from your system. If you??™re capturing on a wireless interface and have promiscuous mode enabled in your capture options, you??™ll also see other the other packets on the network.
You??™ll probably see packets highlighted in green, blue, and black. Wireshark uses colors to help you identify the types of traffic at a glance. By default, green is TCP traffic, dark blue is DNS traffic, light blue is UDP traffic, and black identifies TCP packets with problems ??” for example, they could have been delivered out-of-order.
The most basic way to apply a filter is by typing it into the filter box at the top of the window and clicking Apply (or pressing Enter). For example, type ???dns??? and you??™ll see only DNS packets. When you start typing, Wireshark will help you autocomplete your filter. Another interesting thing you can do is right-click a packet and select Follow TCP Stream.
Features: Wireshark has a rich feature set which includes the following: Multi-platform: Runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many others. Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility. The most powerful display filters in the industry. Rich VoIP analysis. Read/write many different capture file formats: tcpdump (libpcap), Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer (compressed and uncompressed), Sniffer Pro, and NetXray, Network Instruments Observer, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, and many others. Capture files compressed with gzip can be decompressed on the fly. Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others (depending on your platfrom). Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2. Coloring rules can be applied to the packet list for quick, intuitive analysis. Output can be exported to XML, PostScript, CSV, or plain text.
Wireshark lets the user put network interface controllers that support promiscuous mode into that mode, so they can see all traffic visible on that interface, not just traffic addressed to one of the interface's configured addresses and broadcast/multicast traffic. However, when capturing with a packet analyzer in promiscuous mode on a port on a network switch, not all traffic through the switch is necessarily sent to the port where the capture is done, so capturing in promiscuous mode is not necessarily sufficient to see all network traffic. Port mirroring or various network taps extend capture to any point on the network. Simple passive taps are extremely resistant to tampering.