Wireshark is a free packet analyzer that was developed as an open-source project. The system is old, being first released in 1998. However, unlike many open source projects, this development is well funded, and the code is regularly analyzed and updated – the latest release of the system occurred in July 2021 with version 3.4.7.
Wireshark history
Wireshark was initially called Ethereal, and it was first developed in 1998 by Gerald Combs as an alternative to expensive packet analyzer tools. The technician worked for an ISP and needed a utility for his use in his duties. This is why Ethereal was born.
In 2006, Combs went to work for CACE Technologies. By this time, he had set up Ethereal in a repository, making the code available to others, and he received regular contributions from other unpaid developers. Despite being open to all, the code was copyrighted to Combs. However, the name Ethereal belonged to his former employees. Thus, Combs changed the name of his packet analyzer as it developed into a more sophisticated tool. This name change created Wireshark.
In 2010 Riverbed Technologies bought CACE Technologies and became the new employer of Gerald Combs. The new owner took up the sponsorship of the Wireshark project with enthusiasm and devoted company resources to improving the development and distribution of the system.
While the sponsorship of a critical free product often leads to the base product being shorn of new features as the sponsoring organization adds on a paid tool layer, Wireshark hasn’t been subjected to development throttling. There isn’t a paid version of Wireshark.
What does Wireshark do?
The category of software that Wireshark fits into is a packet sniffer. This can also be called a packet capture tool. Wireshark can capture packets from wireless systems as well as LANs. The system doesn’t implement the nuts and bolts of copying packets from the network – it uses another utility for that.
Packets are not intercepted. They are copied. That means the stream of network traffic carries on to all of its intended destinations. As a result, the users of the network won’t notice any difference in service when Wireshark is in operation. It also isn’t possible for a network monitoring tool to spot that Wireshark is running.
To operate, Wireshark needs to be installed on a computer network users connected to the network from which packets are to be copied. It cannot run from outside a network. Wireshark doesn’t facilitate packet injection; it doesn’t capture a passing packet stream and enables new packets to be substituted for those already passing by.
The Wireshark utility has a graphical user interface. It displays the captured packets and enables them to be queried, sorted, and their contents to be highlighted. Unfortunately, although Wireshark shows the data payload of packets, not just their headers, it cannot automatically crack encryption, so if the contents of a packet body are protected, the visualization of the payload will be meaningless.
Wireshark components
The most critical component of Wireshark is pcap. This is that actual packet capturing code, an adaptation of tcpdump, an earlier packet sniffer. The wiretapping parts of tcpdump were split out into a freely available library for any other developer to use.
There are two versions of pcap that underlie Wireshark: libpcap, which runs on Unix and Unix-like operating systems, such as Linux and macOS, and WinPcap, a version for Windows.
Wireshark functions
The strength of Wireshark is that it can display and file captured packets. The key features of Wireshark are:
- A live view of arriving packets.
- A color-coded identification of packet types, which can be customized
- A protocol analyzer that identifies the protocol being used by dereferencing the port number shown in the packet header
- A command-line version called TShark
- Multiple levels of details
- A display of packets in a viewing panel and a details pane that explains the values in the header of the highlighted packet
- VoIP and VLAN identification
- Filing of a packet in Pcap layout and other formats
- Facilities to decrypt IPSec, WEP, WPA2, and other encryption standards
- Export to CSV, XML, plain text, or PostScript format
Wireshark system requirements
The operating systems that Wireshark will run on are:
- Windows 8.1 and 10
- Windows Server 2012, 2012 R2, 2016, and 2019
- macOS 10.12 and later
- Alpine Linux
- Arch Linux
- Canonical Ubuntu
- Debian GNU/Linux
- Red Hat Enterprise Linux
- CentOS Linux
- Fedora Linux
- Gentoo Linux
- FreeBSD
- HP-UX
- NetBSD
- OpenPKG
- Oracle Solaris
The host computer must have the following physical properties:
- A 64-bit AMD64/x86-64 or 32-bit x86 processor
- Minimum 500 MB RAM
- 500 MB disk space
- Minimum 1280 × 1024 resolution screen or higher
- An Ethernet card for LANs or any IEEE 802.11 wireless NIC
Installing Wireshark
The website of the Wireshark project has a lot of information on how to download and install the package on a range of operating systems. The Download page gives access to free installation packages for Windows and macOS.
Expand the top heading for the available releases to see links to acquire the installer for Windows and macOS. Linux and Unix owners must download the source code and compile it.
Click on the relevant link to get the download for Wireshark. The installation package includes the applicable version of pcap.
Users of Wireshark
Wireshark is most popular with network administrators who occasionally need to analyze packets. However, the tool will only every be of infrequent use. Automated monitoring tools can scan through packet headers more efficiently than humans, presented with a packet viewed within the Wireshark interface.
Wireshark is not a great assistant to hackers or penetration testers. Hackers need speed, and although a hacker might get lucky and spot an unencrypted password in a packet payload, other utilities can perform this detection service better. In addition, hackers have many other free tools at their disposal that offer more automation and are still free. Penetration testers need to emulate hackers and follow their lead to using other free protocol analyzers and packet capture tools.
Wireshark pros and cons
Wireshark is beneficial for network administrators that need to get an up-close view of every packet passing along the network. However, the legend of Wireshark’s usefulness for hackers is greatly exaggerated. The system doesn’t offer a magical method to decrypt data payloads. Instead, its principal value lies with the ability to see the structure of packet headers.
Pros:
- Shows captured packets live
- Allows packets to be sorted
- Identifies the protocols generating the packets
- Enables sorting, grouping, and filtering of packets, including the relating of packets in a conversation
- Exporting packets for analysis in other utilities
Cons:
- Can’t send packets
- Can’t alter packets or generate them
Alternatives to Wireshark
The key to Wireshark is pcap, and other utilities also use that exact packet capture mechanism. In addition, several other packet capture tools work well as substitutes for Wireshark.
Our methodology for selecting an alternative to Wireshark
We reviewed the market for packet capture tools like Wireshark and assessed the options based on the following criteria:
- A system that is available for all the primary operating system
- A utility that uses pcap for packet capture
- The ability to display packets live
- The option to save packets to files
- A service that can export data in a range of formats
- A free tool like Wireshark or a paid replacement that offers better capabilities
- A free trial or money-back guarantee for a no-cost assessment or a free tool
With these selection criteria in mind, we have tracked down some great alternatives to Wireshark that are worth considering.
Here is our list of the eight best alternatives to Wireshark:
- Zenmap A graphical front end to Nmap that not only captures packets and gives the option to view and save them but scans headers to identify the devices connected to the network by looking at the source and destination addresses. Packet capture is performed by Npcap, which is an adaptation of pcap. Zenmap and Nmap are available for free for Windows, macOS, and Linux.
- Tcpdump This is the forerunner of Wireshark and is still available. Tcpdump was the original packet capture system. It is only because the back-end of this system was split out and made available to everybody that Wireshark’s development became possible. This tool is a command-line tool, which makes it not as easy to use as Wireshark. Tcpdum is available for Windows, macOS, Linux, and Unix, and it is free to use.
- NETRESEC Network Miner This packet capture utility is available in free and paid editions. This package relies on a feed of packets from pcap, which can also be read from a file. The main aim of this utility is to provide an interpretation of packet headers. This is particularly the case concerning protocols, making this a protocol analyzer. The tool is available for Windows, macOS, Linux, and Unix.
- Cloudshark This is a paid tool that analyzes pcap files. The service is delivered as a SaaS platform and so can be accessed from any operating system. The service can also be accessed through apps for Android and iOS. The tool’s features analyze packet data, allowing it to be sorted and grouped or interpreted packet by packet. There is a 30-day free trial for this service.
- Burp Suite This highly respected penetration testing tool. It captures packets as they pass between endpoints on a network and a Web server. Unlike Wireshark, this tool can adapt captured packets and also generate them from scratch. The tool can then inject them into a stream, enabling a man-in-the-middle attack. The tool can also be used for password cracking, and it has systems that support decryption attempts. Burp Suite runs on Windows, Linus, and macOS and is available in free and paid versions. Burp Suite Professional is available for a 30-day free trial.
- Metasploit Meterpreter Metasploit is a well-known penetration testing tool, and Meterpreter is an add-on to the tool. This is a valuable tool for hackers because it keeps captured packets in memory, so system administrators won’t suddenly see packet capture files appear. However, packets can be written to file or transmitted if needed. This tool doesn’t have a data viewer, but it is often paired with Wireshark for that purpose. You need to download Metasploit Framework first and then download the Meterpreter. Both are free.
- PCAPdroid This is a pcap packet capture tool for wireless network traffic that installs on Android devices. The service will save packets to file because a mobile device’s screen cannot show meaningful screens sizes for full packet viewing. Then, users export the pcap files and read them into Wireshark. This is a free tool.
- PacketsDump is a free tool that captures packets on a network and displays them in a viewer. The utility allows for packets to be analyzed, and it also performs a rudimentary network monitoring service by producing statistics about packet transmission rates. Unfortunately, although this is a valuable tool and free to use, the software hasn’t been updated since 2009.
Wireshark FAQs
Is Wireshark still useful?
Wireshark is the leading packet sniffer and packet analyzer. It is used widely on network management and system security courses. Its query language enables captures to be filtered to reduce the amount of traffic that needs to be processed is a great help and that same filtering language can be used to analyze packets and follow conversations. Wireshark will show all packet contents but it cannot crack encryption.
What are the 3 benefits of Wireshark?
Wireshark has three great advantages that make it very widely used:
- It is free to use
- It is available for Windows. macOS, Linux, and Unix
- It color codes packets by type
What is a Wireshark used for?
Wireshark is a packet capture tool and a protocol analyzer. It does not require any special hardware to operate but runs as software on your computer. It uses the network interfaces of your device to read in all packets that are traveling across the networks that it is connected to. The analyzer in the package has its own query and filtering language and will reveal details of the packets that it captures, including payload contents.