The Ethereal network protocol analyzer has changed its name to Wireshark. The name might be new, but the software is the same. Wireshark's powerful features make it the tool of choice for network troubleshooting, protocol development, and education worldwide. Wireshark was written by networking experts around the world, and is an example of the power of open source.
Wireshark is used by network professionals around the world for analysis, troubleshooting, software and protocol development and education. The program has all of the standard features you would expect in a protocol analyzer, and several features not seen in any other product. Its open source license allows talented experts in the networking community to add enhancements.
- Data can be captured "off the wire" from a live network connection, or read from a capture file.
- Wireshark can read capture files from tcpdump (libpcap), NAI's Sniffer (compressed and uncompressed), Sniffer Pro, NetXray, Sun snoop and atmsnoop, Shomiti/Finisar Surveyor, AIX's iptrace, Microsoft's Network Monitor, Novell's LANalyzer, RADCOM's WAN/LAN Analyzer, HPUX nettl, i4btrace from the ISDN4BSD project, Cisco Secure IDS iplog, the pppd log (pppdump format), the AG Group's/WildPacket's EtherPeek/TokenPeek/AiroPeek, or Visual Networks' Visual UpTime. It can also read traces made from Lucent/Ascend WAN routers and Toshiba ISDN routers, as well as the text output from VMS's TCPIPtrace utility and the DBS Etherwatch utility for VMS. Any of these files can be compressed with gzip and Ethereal will decompress them on the fly.
- Live data can be read from Ethernet, FDDI, PPP, Token-Ring, IEEE 802.11, Classical IP over ATM, and loopback interfaces (at least on some platforms; not all of those types are supported on all platforms).
- Captured network data can be browsed via a GUI, or via the TTY-mode "tethereal" program.
- Capture files can be programmatically edited or converted via command-line switches to the "editcap" program.
- 602 protocols can currently be dissected.
- Output can be saved or printed as plain text or PostScript.
- Data display can be refined using a display filter.
- Display filters can also be used to selectively highlight and color packet summary information.
- All or part of each captured network trace can be saved to disk.
New and Updated Features
- The IP map feature (the “Map” button in the “Endpoints” dialog) has been added back in a modernized form (Bug 14693).
- The macOS package now ships with Qt 5.12.1. Previously it shipped with Qt 5.9.7.
- The macOS package requires version 10.12 or later. If you’re running an older version of macOS, please use Wireshark 2.6.
- Wireshark now supports the Swedish and Ukrainian languages.
- Initial support for using PKCS #11 tokens for RSA decryption in TLS. This can be configured at Preferences, RSA Keys.
- The build system now produces reproducible builds (Bug 15163).
- The Windows installers now ship with Qt 5.12.1. Previously they shipped with Qt 5.12.0.
- The Windows .exe installers now ship with Npcap instead of WinPcap. Besides being actively maintained (by the nmap project), Npcap brings support for loopback capture and 802.11 WiFi monitor mode capture (if supported by the NIC driver).
- Conversation timestamps are supported for UDP/UDP-Lite protocols.
- TShark now supports the -G elastic-mapping option which generates an ElasticSearch mapping file.
- The “Capture Information” dialog has been added back (Bug 12004).
- The Ethernet and IEEE 802.11 dissectors no longer validate the frame check sequence (checksum) by default.
- The TCP dissector gained a new “Reassemble out-of-order segments” preference to fix dissection and decryption issues in case TCP segments are received out-of-order. See the User’s Guide, chapter TCP Reassembly for details.
- Decryption support for the new WireGuard dissector (Bug 15011, requires Libgcrypt 1.8).
- The BOOTP dissector has been renamed to DHCP. With the exception of “bootp.dhcp”, the old “bootp.*” display filter fields are still supported but may be removed in a future release.
- The SSL dissector has been renamed to TLS. As with BOOTP the old “ssl.*” display filter fields are supported but may be removed in a future release.
- Coloring rules, IO graphs, Filter Buttons and protocol preference tables can now be copied from other profiles using a button in the corresponding configuration dialogs.
- APT-X has been renamed to aptX.
- When importing from hex dump, it’s now possible to add an ExportPDU header with a payload name. This calls the specific dissector directly without lower protocols.
- The sshdump and ciscodump extcap interfaces can now use a proxy for the SSH connection.
- Dumpcap now supports the -a packets:NUM and -b packets:NUM options.
- Wireshark now includes a “No Reassembly” configuration profile.
- Wireshark now supports the Russian language.
- The build system now supports AppImage packages.
- The Windows installers now ship with Qt 5.12.0. Previously they shipped with Qt 5.9.7.
- Support for DTLS and TLS decryption using pcapng files that embed a Decryption Secrets Block (DSB) containing a TLS Key Log (Bug 15252).
- The editcap utility gained a new --inject-secrets option to inject an existing TLS Key Log file into a pcapng file.
- A new dfilter function string() has been added. It allows the conversion of non-string fields to strings so that string functions (such as contains and matches) can be used on them.
- The Bash test suite has been replaced by one based on Python unittest/pytest.
- The custom window title can now show the file path of the capture file, and it has a conditional separator.
- The following bugs have been fixed:
  - Data following a TCP ZeroWindowProbe is marked as retransmission and not passed to subdissectors (Bug 15427).
  - Lua Error on startup: init.lua: dofile has been disabled due to running Wireshark as superuser (Bug 15489).
  - Text and Image columns were handled incorrectly for TDS 7.0 and 7.1 (Bug 3098).
  - Dumpcap might not quit if Wireshark or TShark crashes (Bug 1419).
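The Decryption Secrets Block (DSB) feature and the editcap --inject-secrets option above rely on the pcapng block layout. The following Python, an added example that is not part of the release notes or of Wireshark's code, builds a minimal little-endian pcapng file whose DSB carries a TLS key log and walks the blocks back to recover it; the block and secrets-type constants follow the pcapng specification, the CLIENT_RANDOM key log line is a constructed placeholder, and the function names are this example's own.

```python
import struct

# pcapng block types and the DSB secrets type for a TLS key log ("TLSK").
SHB_TYPE = 0x0A0D0D0A
IDB_TYPE = 0x00000001
DSB_TYPE = 0x0000000A
SECRETS_TYPE_TLS_KEYLOG = 0x544C534B

def _block(block_type, body):
    """Frame a block body: type, total length, 32-bit padded body, total length again."""
    body += b"\x00" * ((-len(body)) % 4)
    total = 12 + len(body)
    return struct.pack("<II", block_type, total) + body + struct.pack("<I", total)

def section_header():
    # Little-endian byte-order magic, version 1.0, section length -1 (unknown).
    return _block(SHB_TYPE, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))

def interface_description(linktype=1, snaplen=262144):
    # LINKTYPE_ETHERNET = 1; the reserved field is zero.
    return _block(IDB_TYPE, struct.pack("<HHI", linktype, 0, snaplen))

def decryption_secrets(keylog):
    """DSB body: secrets type, unpadded secrets length, then the key log bytes."""
    return _block(DSB_TYPE, struct.pack("<II", SECRETS_TYPE_TLS_KEYLOG, len(keylog)) + keylog)

def inject_secrets(keylog, packet_blocks=b""):
    """Lay out SHB, IDB, DSB and then the packet blocks: the DSB must come
    before the packets it is meant to decrypt, as editcap --inject-secrets does."""
    return section_header() + interface_description() + decryption_secrets(keylog) + packet_blocks

def extract_secrets(data):
    """Walk a little-endian pcapng block by block and return the TLS key log bytes found."""
    off, found = 0, []
    while off + 8 <= len(data):
        btype, total = struct.unpack_from("<II", data, off)
        if total < 12 or total % 4 or off + total > len(data):
            raise ValueError("corrupt block at offset %d" % off)
        if btype == DSB_TYPE:
            stype, slen = struct.unpack_from("<II", data, off + 8)
            if stype == SECRETS_TYPE_TLS_KEYLOG:
                found.append(data[off + 16:off + 16 + slen])
        off += total
    return b"".join(found)

# Constructed key log line in SSLKEYLOGFILE format (hex client random + master secret);
# the values are placeholders, not from a real session.
KEYLOG = b"CLIENT_RANDOM " + b"11" * 32 + b" " + b"22" * 48 + b"\n"

if __name__ == "__main__":
    pcapng = inject_secrets(KEYLOG)
    print(len(pcapng), "bytes;", extract_secrets(pcapng).decode().strip())
```

Appending real packet blocks after the DSB and opening the result in Wireshark 3.0 or later lets the TLS dissector use the embedded secrets without any RSA keys or separate key log file being configured.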