Wireshark is the world's leading network protocol analyzer, trusted by professionals across enterprises, governments, non-profits, and academia. It provides deep visibility into network activity, allowing users to inspect traffic at a granular level – essential for troubleshooting, analysis, development, and education.

Originally created by Gerald Combs in 1998, Wireshark has grown into a thriving open-source project powered by a global community of expert contributors and volunteers.

What should I look for when analyzing packets in Wireshark?

Wireshark is a powerful tool for troubleshooting specific network issues. Instead of scanning all traffic, focus on a particular problem, such as slow application performance or failed connections. Use filters to narrow down the data and look for anomalies like retransmissions, handshake failures, or unexpected protocol behaviors.

By applying filters based on IP addresses, protocols, or specific packet attributes, you can focus on the most relevant data for your analysis.

How do I filter traffic to a specific website in Wireshark?

To filter traffic for a specific website, first determine its IP address using the command nslookup [website] (e.g., nslookup www.techspot.com). Then, apply the filter ip.addr == [IP_ADDRESS] in Wireshark to isolate packets related to that site. For analyzing TCP connections, you can use filters like tcp.flags.syn == 1 && tcp.flags.ack == 0 to identify SYN packets

How can I capture traffic from specific devices on my network?

Capturing traffic from specific devices may require configuring your network appropriately. Use port mirroring on a managed switch or employ a network tap to direct the desired traffic to your monitoring system. Additionally, focusing on specific protocols, such as DNS, can provide insights into device activities.

Is Wireshark suitable for professional use in network analysis?

Yes. Wireshark is widely used in professional environments for network troubleshooting and analysis.

Features

  • Deep inspection of hundreds of protocols, with more being added all the time
  • Live capture and offline analysis
  • Standard three-pane packet browser
  • Multi-platform: Runs on Windows, Linux, macOS, Solaris, FreeBSD, NetBSD, and many others
  • Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
  • The most powerful display filters in the industry
  • Rich VoIP analysis
  • Read/write many different capture file formats: tcpdump (libpcap), Pcap NG, Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer (compressed and uncompressed), Sniffer Pro, and NetXray, Network Instruments Observer, NetScreen snoop, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, and many others
  • Capture files compressed with gzip can be decompressed on the fly
  • Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others (depending on your platform)
  • Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2
  • Coloring rules can be applied to the packet list for quick, intuitive analysis
  • Output can be exported to XML, PostScript®, CSV, or plain text

What's New

Bug Fixes

The following bugs have been fixed:

  • Bug in EtherCAT dissector with ECS order. Issue 13718.
  • Conversation dialog columns return to default width on each new packet in live capture. Issue 15978.
  • Tests fail in LTO-enabled builds in Ubuntu/Debian. Issue 18216.
  • Incorrect conditions in BFCP dissector. Issue 18717.
  • Static build fails on Ubuntu 24.04 because the c-ares library isn't found. Issue 20343.
  • Flutter's Image Picker Generated JPEG Files Detected as Malformed Packet. Issue 20355.
  • QUIC dissector breaks when src and dst change. Issue 20371.
  • s390x: build fail on Ubuntu PPA nighty build. Issue 20372.
  • Trailing octet after IPv4 packet end is not detected or displayed in raw bytes. Issue 20423.
  • [packet-ax25-nol3.c] Only call APRS dissector on UI Frames. Issue 20429.
  • Wireshark hangs when refreshing interfaces with the debug console preference set to "always" and a file open (Windows) Issue 20434.
  • BGP EVPN - Type-8 route not correctly read after addition of Max. Response Time field. Issue 20459.
  • Wireshark does not correctly decode LIN "go to sleep" in TECMP and CMP. Issue 20463.
  • MQTT-SN: WILLTOPIC message not decoded correctly (missing some flags) Issue 20476.

Previous release notes

Bug Fixes

The following bugs have been fixed:

  • Potential mis-match in GSM MAP dissector for uncertainty radius and its filter key. Issue 20247.
  • Macro eNodeB ID and Extended Macro eNodeB ID not decoded by User Location Information. Issue 20276.
  • The NFSv2 Dissector appears to be swapping Character Special File and Directory in mode decoding. Issue 20290.
  • CMake discovers Strawberry Perl's zlib DLL when it shouldn't. Issue 20304.
  • VOIP Calls call flow displaying hours. Issue 20311.
  • Fuzz job issue: fuzz-2024-12-26-7898.pcap. Issue 20313.
  • sFlow: Incorrect length passed to header sample dissector. Issue 20320.
  • wsutil: Should link against -lm due to missing fabs() when built with -fno-builtin. Issue 20326.

New and Updated Features

New Protocol Support

  • There are no new protocols in this release.

Updated Protocol Support

  • ARTNET, ASN.1 PER, BACapp, BBLog, BT BR/EDR RF, CQL, Diameter, DOF, ECMP, FiveCo RAP, FTDI FT, GSM COMMON, GTPv2, HCI_MON, HSRP, HTTP2, ICMPv6, IEEE 802.11, Kafka, LTE RRC, MBIM, MMS, Modbus/TCP, MPEG PES, NAS-EPS, NFS, NGAP, NR RRC, PLDM, PN-DCP, POP, ProtoBuf, PTP, RLC, RPC, RTCP, sFlow, SIP, SRT, TCP, UCP, USBCCID, Wi-SUN, and ZigBee ZCL

New and Updated Capture File Support

  • CLLog EMS ERF
  • Updated File Format Decoding Support
  • There is no updated file format support in this release.

Security Enhancements

The Wireshark team continues to prioritize security, addressing vulnerabilities found in previous versions:

  • Fixed a FiveCo RAP dissector infinite loop vulnerability (wnpa-sec-2024-14).
  • Resolved an ECMP dissector crash issue (wnpa-sec-2024-15).
  • Wireshark 4.4.3 builds upon the improvements introduced in version 4.4.0:
  • Automatic Profile Switching: Users can now associate display filters with configuration profiles, allowing Wireshark to automatically switch profiles based on the opened capture file.
  • Enhanced Display Filters: Improved support for value strings and the ability to implement display filter functions as plugins.
  • Custom Columns and Output Fields: Users can define custom columns and output fields using any valid field expression, offering greater flexibility in data presentation.