Wireshark: Capture network traffic “from the wire”

For those in need of a powerful utility for network analysis, Wireshark, formerly known as Ethereal, is a highly recommended solution that comes bundled with an exhaustive set of tools for network troubleshooting, protocol development and education. Wireshark allows you to capture incoming and outgoing traffic and browse packet data interactively, either from a live network or from previously saved capture files, using the graphical user interface or the TTY-mode TShark utility (the terminal-based version).

Wireshark Main

Installation & Requirements

To begin with, Wireshark’s Windows installer will prompt you to choose which components you wish to install (it is recommended to go with the default installation if you are unsure of their importance) and to set up shortcuts as well as file associations. Wireshark uses Windows Packet Capture (WinPcap) to capture live network data and will ask you to install it. If you agree, the WinPcap installation will begin automatically and, when it is finished, the Wireshark installer will resume. The overall process is completed within a couple of minutes, depending mostly on the time you spend configuring the program.

Wireshark is a cross-platform utility available for Windows, Mac OS X, Linux and Unix operating systems. The program works on most modern 32-bit x86 or 64-bit AMD64/x86-64 CPUs and requires at least 128 MB of RAM, 75 MB of free disk space, a display with 800×600 resolution or more and 16-bit color, and a supported network card for capturing.

Interface

Using Wireshark to its full extent is achievable only by power users or after a certain amount of study; even so, the program’s interface strives to ease most tasks to a certain degree. At first glance, the main area lists all the important categories and related tools in an easy-to-visualize manner.

The Capture category allows you to view the capture interfaces present on your system and start captures on any of them right away, or with pre-configuration through the Capture Options dialog window. From the Files section you can open previously taken captures or view a collection of example captures on Wireshark’s Wiki webpage. The Help area comprises links to the Wireshark official website, the User’s Guide and security-related documentation.

The Capture Help area also provides links to an online Capture Guide that is very useful for novice users when attempting to set up captures and online documentation showing a list of supported network types across a number of platforms.

More advanced options and settings can be accessed from the top menu and from the icon-based toolbar for underlying functions situated right below it. For inexperienced users, analyzing network traffic can be a drag, especially because of the specific terminology, which is not easy to learn, so it is best to start by studying the Expert Info feature, which highlights unusual or notable network behavior and often proves to be a valuable guide.

Pros

– Supports a large number of protocols and media types.

– Advanced filter and macro systems.

– The Expert Info function highlights suspect and uncommon network behavior.

– Can read and write a wide array of capture formats.

– Supports Rich VoIP analysis.

– Thanks to its popularity there is plenty of documentation available.

Cons

– Because Wireshark is an open-source application, it lacks technical support, making it unsuitable for enterprises and medium to large businesses.

Alternatives

Not many packet analyzers have a fancy GUI like Wireshark does, but there are a few robust applications available with similar functionalities.

For novice Windows users, Microsoft Network Monitor is a more intuitive and friendly tool, even if it’s not as complex as Wireshark and has somewhat higher hardware requirements.

Ettercap is another open-source network analysis tool that has a few additional purposes thanks to its ability to simulate low-level network attacks. Ettercap also bundles tools for sniffing live connections along with support for a large number of protocols, and it works on multiple platforms, including Windows, Mac, Linux, Solaris and FreeBSD.

Angry IP Scanner is a cross-platform network scanner that offers basic functions for scanning ports and IP addresses, plus some additional ones such as resolving hostnames, determining MAC addresses and others. Angry IP Scanner is available for Linux, Mac and Windows platforms and, just like Wireshark, it is an open-source and free network utility.

Conclusion

Despite the lack of technical support, Wireshark incorporates many functions and capabilities, such as the powerful filter and macro systems, the ability to read/write a large number of capture formats, the highly useful Expert Info function, and the list goes on. All of these traits, along with one of the friendliest GUIs available among advanced networking utilities, are reflected in its large, enthusiastic community and rank Wireshark as one of the current industry standards.