Welcome to Wireshark, the world's most popular network analyzer.
I've been working with Wireshark for just over 10 years now and have seen amazing change through those years.
First of all, Wireshark used to be named "Ethereal." It was developed by Gerald Combs when he needed an analyzer solution at his job, but the budget couldn't bear the weight of a commercial analyzer tool (which typically started around $2,500 back then).
If you'd like to "see" the Wireshark development process from inception, check out the three-minute Code Swarm video at Vimeo. Very impressive and entertaining!
Wireshark is, in essence, an open source network packet capture and dissection tool that lets you examine the traffic on your wired or wireless network. There are Wireshark versions available for most of the popular operating systems - visit www.wireshark.org/download to obtain the latest Stable Release or Developer Release version.
Wireshark is to networking what an X-ray machine is to a hospital. Wireshark can always pinpoint where network problems reside, but it cannot always tell you why those problems are there. For example, with Wireshark we can locate a router that is dropping packets, but we cannot always determine why the router is acting that way.
After you install Wireshark, begin capturing your own traffic as you browse to a website (step-by-step instructions and interpretations are covered in Chapter 1 of Wireshark Network Analysis). Wireshark captures the packets, examines each one, breaks apart the fields in its headers and displays the result: a nice, clear view of what is happening on the network.
In the figure below we are looking at a packet sent from a host using IP address 192.168.0.115 to another IP host at 199.181.132.250. This is an HTTP GET request to open www.espn.com. We can identify both the source IP address and the source MAC (Media Access Control or hardware) address.

Nice, eh? Once we learn a bit more about HTTP communications (Chapter 23), we can decipher the meaning of the other elements in the packet. We can also apply a display filter (Chapter 9) to view only the HTTP GET requests sent when this user browses to www.espn.com.
We can watch the initial connection to www.espn.com to determine the round trip time to www.espn.com (Chapter 7). If desired, we can also reassemble the communication in a simple text file format (Chapter 10). If the web browsing session seems slow, we can look for Wireshark's indication of possible problems (Chapter 13) and build a graph that highlights the points where our web browsing session slows to a crawl (Chapter 8).
When the local driver hands the packet off to Wireshark (with a timestamp for each packet, as covered in Chapter 7), the magic begins. Wireshark's Core Engine starts examining the frame structure, delicately slicing the packet into its respective parts - an Ethernet header here... an IP header there... a TCP header over here... Each header is matched to its respective dissector, and the blurry view of bits-o-barf becomes organized, understandable and displayed for your enjoyment (or for the job-saving solution to why your VoIP call quality is so pathetic).
It's now up to you. The evidence is placed before you. Here is the communication that plagues your network. Here are the tools to filter out irrelevant traffic. Take this graph and "tell the story." Observe the Expert screaming bloody murder and using everything short of a laser pointer to highlight the moments of sheer network hell seen in the traffic.
With a solid understanding of network traffic flows (Chapter 1), TCP/IP communications (Chapters 14 and on), and your acquired knowledge of "what's normal" (Chapter 28), you leap out of your chair and yell "Aha!" in the darkened room you call your little "home-away-from-that-place-you-used-to-call-'home'-but-rarely-see-when-users-complain-of-crappy-network-performance."
You hug your Wireshark system before heading off to fix the cause of the network problems. You thank the Wireshark developers for their time and brainpower. You bow to your portrait of Gerald Combs that hangs above your FarSide calendar on the wall.
Your life is better because of Wireshark.
Probably the #1 key feature of Wireshark is that it is open source and free. Not only is your budget spared, but you can roll out Wireshark to the entire IT staff and still pay for toilet paper at your company. You benefit from the hundreds of developers who have lived on cold pizza and Smarties® to rip apart packets on your behalf (Chapter 1).
Wireshark's easy-to-use graphical interface offers an intuitive method for capturing your traffic and peering inside the secretive world of your network.
Wireshark's wide range of dissectors interprets traffic, breaking apart frames and fields to present the information in a readable format. There are over 1,000 protocols and packet types that have dissectors. In addition, you can build your own dissector if desired. All the information you need is on the Wireshark Development Wiki page.
Live capture analysis enables you to begin analyzing your traffic as you are capturing it. You don't need to wait until you've stopped capturing to begin looking for the culprit.
In addition, Wireshark supports numerous capture file formats - someone who captured packets with the Sun Snoop tool can send those capture files over to you for offline analysis in Wireshark.
Comprehensive display filtering capabilities enable you to extract just the packets of interest so you're not wading through a haystack in search of the elusive answer. The "Needle in a Haystack" issue is covered in numerous chapters of the Wireshark Network Analysis book.
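To make the dissector hand-off described earlier (Ethernet header, then IP header, then TCP header, each passed to the next dissector) and the "show me only the HTTP GET requests" display filter concrete, here is an added Python example. It is not code from the book or from the Wireshark project; it is a miniature dissector that walks a hand-built Ethernet/IPv4/TCP frame layer by layer, verifies the IP header checksum the way the IP dissector would, and then filters a small constructed "capture" down to the GET requests. The IP addresses are the ones from the figure description above; the MAC addresses, ports, sequence numbers and the sample frames themselves are constructed for the example.

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_FLAG_NAMES = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK"}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; returns 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(payload: bytes, tcp_flags: int = 0x18, dst_port: int = 80,
                src_ip: str = "192.168.0.115", dst_ip: str = "199.181.132.250") -> bytes:
    """Constructed Ethernet/IPv4/TCP frame; MACs, ports and sequence numbers are made up."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("aabbccddeeff") + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", 49152, dst_port, 1000, 2000, 5 << 4, tcp_flags, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, IPPROTO_TCP, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]  # fill in the header checksum
    return eth + ip + tcp + payload


def dissect(frame: bytes) -> dict:
    """Peel the frame apart one header at a time, as Wireshark's dissector chain does."""
    if len(frame) < 14:
        raise ValueError("runt frame: shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    result = {"eth": {"dst": mac_str(dst), "src": mac_str(src), "type": ethertype}}
    if ethertype != ETHERTYPE_IPV4:
        return result  # nothing further to hand off to in this toy dissector
    ip_raw = frame[14:]
    if len(ip_raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, ttl, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", ip_raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    result["ip"] = {"version": ver_ihl >> 4, "src": str(IPv4Address(s)), "dst": str(IPv4Address(d)),
                    "ttl": ttl, "proto": proto, "checksum_ok": ip_checksum(ip_raw[:ihl]) == 0}
    if proto != IPPROTO_TCP or len(ip_raw) < ihl + 20:
        return result
    tcp_raw = ip_raw[ihl:total_len]
    sport, dport, seq, ack, off_res, flags, win, _, _ = struct.unpack("!HHIIBBHHH", tcp_raw[:20])
    doff = (off_res >> 4) * 4
    result["tcp"] = {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack, "window": win,
                     "flags": [name for bit, name in TCP_FLAG_NAMES.items() if flags & bit]}
    payload = tcp_raw[doff:]
    # Very small HTTP request-line dissector, keyed on the destination port like Wireshark's default.
    if dport == 80 and payload[:4] in (b"GET ", b"POST", b"HEAD"):
        parts = payload.split(b"\r\n", 1)[0].decode("ascii", "replace").split(" ", 2)
        if len(parts) == 3:
            result["http"] = {"method": parts[0], "target": parts[1], "version": parts[2]}
    return result


def http_get_requests(frames):
    """Rough equivalent of the display filter http.request.method == "GET"."""
    return [d for d in map(dissect, frames) if d.get("http", {}).get("method") == "GET"]


# Constructed sample "capture": a bare TCP SYN, the HTTP GET for www.espn.com, and a POST.
SAMPLE_FRAMES = [
    build_frame(b"", tcp_flags=0x02),
    build_frame(b"GET / HTTP/1.1\r\nHost: www.espn.com\r\n\r\n"),
    build_frame(b"POST /login HTTP/1.1\r\nHost: www.espn.com\r\nContent-Length: 0\r\n\r\n"),
]

if __name__ == "__main__":
    for pkt in http_get_requests(SAMPLE_FRAMES):
        print(pkt["eth"]["src"], pkt["ip"]["src"], "->", pkt["ip"]["dst"], pkt["http"])
```

Running the script prints the one GET request with its source MAC and source/destination IP addresses, which is the same information the figure description calls out. Each dissector in the chain only trusts what it has parsed so far: the IPv4 dissector uses the IHL field to find where TCP starts, the TCP dissector uses the data offset to find the payload, and a corrupted header shows up as `checksum_ok: False` rather than silently producing garbage fields.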
Decryption support for IPsec, SSL/TLS (Chapter 23), SNMPv3, WEP, WPA/WPA2 enables you to troubleshoot issues often hidden behind the decryption mechanism.
Coloring rules (Chapter 6) act as high-beam headlights on those dirty little packets causing you grief and a lack of social life.
Customized Wireshark profiles (Chapter 11) offer a totally customized view of your network traffic and can be shared with other Wireshark users if desired (see the download section here for numerous profiles to play with).
There are numerous other hot features in Wireshark - too many to name. If you've ever seen me present at a conference then you've likely seen my heart-racing/speech-quickening moments when I get to show traffic from a pitiable network with the enthusiasm of a WoW player who just defeated the Lich King!
Hopefully I'll see you at one of these events and we can share Wireshark-Saves-the-Day stories!
Laura Chappell
Author, Wireshark Network Analysis
ISBN 978-1-893939-99-8
Read "Wireshark 101 Article"
Watch the "Coffee and a Quickie" videos