What is Wireshark?


Wireshark is the world’s foremost and widely-used network_protocol _analyzer. It lets you see what’s happening on your network at a microscopic level and is the de facto (and often de jure) standard across many commercial and non-profit enterprises, government agencies,and educational institutions. Wireshark development thrives thanks to the volunteer contributions of networking experts around the globe and is the continuation of a project started by Gerald Combs in 1998.


In 1998 Gerald Combs, a computer science graduate of the University of Missouri-Kansas City, started a project and named it Ethereal. It was the basic foundation of Wireshark. having this name since 2006 when Combs started to work with CACE Technologies while holding the copyright of most of the project’s code. The rest of the code was opened for any modification under the GPL Terms. Then, volunteer contributions of network experts around the universe added to the project, making it as famous and widely used as it is nowadays.

Because Combs did not own the Ethereal trademark he decided to change its name into Wireshark. It was not until 2010 when Riverbed Technology purchased CACE Technologies to become the main sponsor of Wireshark. There are several contributors –around 600 authors– to this product; still, Combs is the essential responsible for maintaining the overall code and executing new version releases of Wireshark.

Security Policies:

In general, there is no need for certain security_privileges to allow us to utilize neither Wireshark or TShark. Nowadays, only requires to have tcpdump or dumpcap, given special privileges, and run on a machine to capture traffic with no need for any further privileges for the user.But how can a super_user grant the aforementioned required privileges to a user? The answer basically lies in the fact that tcpdump or dumpcap which come with Wireshark should have special_privileges for them to capture packets into a file. This file would require the opening of Wireshark for analysis with seriously restricted privileges. Even wireless networks could harness Aircrack wireless security tools and capture IEEE 802.11 frames to further read the resulting tcpdump dumpcap files with running Wireshark afterward.

Why do we need to restrict the users from privileges to freely run Wireshark and use its tools? This is basically because capturing traffic calls an enormous number of protocol dissectors, which could most probably arise a network_security risk. Since there is a potential of finding a bug in one of these dissectors and there by exploiting it, this puts the entire security system at a great risk. That is why running Ethereal/Wireshark in the past required superuser_privileges for one to be responsible for what can potentially be affected.

Wireshark offers:

  • Wireshark is a network_analyzer that inspects Hundreds of protocols.

  • It reads Live Data through different means such as Ethernet IEEE 802.11, PPP/HDLC, ATM, loop_back, Bluetooth, FDDI, and many others.

  • It could run on diverse operating_systems such as Microsoft_Windows, Linux, macOS, Sun Solaris, and several all other platforms.

  • A graphical user interface (GUI) is supported using QT widget toolkit, which enables us to browse captured_network data, or in the non_GUI version, TTY-mode TShark utility could be utilized for the same purpose as well.

  • It offers sufficient Voice over Internet_Protocol(VoIP) analysis. We can even play the media flow when decoding such captured traffic.

  • Wireshark uses PCAP to capture packets.

  • It generates Capture files in gzip format, which is easily decompressed.

  • Such captured files could be pro-grammatically edited or altered to the “editcap” programming with_the help of some command-line switches.

  • It allows the traffic capturing of Raw Universal Serial Bus(USB).

  • Wireshark is able to capture packets from ns OPNET Modeler, NetSim, and some other network simulation tools.

  • It allows both offline_analysis and live captures.

  • It supports Read/Write of many capture file formats such as tcpdump (libpcap) which is the native network trace file format, Pcap NG, Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network_Monitor, Network General Sniffer, Sniffer Pro, NetXray, Network Instruments Observer, NetScreen snoop, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix k12xx, Visual Networks Visual UpTime, WildPacketsEtherPeek/TokenPeek/AiroPeek and several other formats.

  • The decryption is supported for many protocols including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2.

  • One can ensure that only the triggered_traffic becomes analyzed by applying particular filters, timers, and other settings.

  • XML, PostScript, CSV or plain text are all the types that output is exported and formatted.

Color Coding:

The colors Green, Blue, and Black distinguish the type of captured_packets. Conventionally, green color indicates Transmission_Control_Protocol (TCP) traffic. Dark_blue, on the other hand, is Name System (DNS) traffic, whereas light blue demonstrates User Data-gram Protocol (UDP) traffic. Black shows TCP packets with problems such as being out-of-order.

Filtering Packets:

Sometimes we need to capture specific traffic_packets such as traffic which a program sends when phoning_home. While a large number of captured packets in a network, one has to close down all other applications using the network in order to get some specific_traffic type. At this point_emerges the importance of Wireshark’s filters. At the top of the window, there is a filter box at which we can simply type a certain filter name in order to apply this filter and then we should click Apply, or press Enter alternatively. For instance, to see only DNS packets, we type “DNS” in the filter box.


© 2019 by Techy Bande Official.

Developed By : RK JAMERIA