|Maintainer:||The Wireshark team|
Wireshark is a popular network protocol analyzer.
Wireshark has a rich feature set which includes the following:
- Deep inspection of hundreds of protocols;
- Live capture and offline analysis;
- Standard three-pane packet browser;
- Multi-platform: runs on Windows, Linux, Mac OS X, Solaris, FreeBSD, NetBSD, and many others;
- Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility;
- Powerful display filters;
- Rich VoIP analysis;
- Read/write many different capture file formats: tcpdump (libpcap), Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer® (compressed and uncompressed), Sniffer® Pro, and NetXray®, Network Instruments Observer, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, and many others;
- Capture files compressed with gzip can be decompressed on the fly;
- Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others (depending on your platfrom);
- Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2;
- Coloring rules can be applied to the packet list for quick, intuitive analysis;
- Output can be exported to XML, PostScript®, CSV, or plain text.
Wireshark can be used in the network forensics process. There are some limitations:
- Wireshark is packet-centric (not data-centric);
- Wireshark doesn't work well with large network capture files (you can turn all packet coloring rules off to increase performance).
Wireshark can decrypt IEEE 802.11 WLAN data with user specified encryption keys.
The following YouTube video provides a brief overview of how to use Wireshark to capture and analyze network-based evidence: