Wireshark 2.4.1

Network protocol analyzer.

56.4 MB
4.7 15 votes

The Ethereal network protocol analyzer has changed its name to Wireshark. The name might be new, but the software is the same. Wireshark's powerful features make it the tool of choice for network troubleshooting, protocol development, and education worldwide.

Wireshark was written by networking experts around the world, and is an example of the power of open source

Wireshark is used by network professionals around the world for analysis, troubleshooting, software and protocol development and education.

The program has all of the standard features you would expect in a protocol analyzer, and several features not seen in any other product. Its open source license allows talented experts in the networking community to add enhancements.


  • Data can be captured "off the wire" from a live network connection, or read from a capture file.
  • Wireshark can read capture files from tcpdump (libpcap), NAI's Sniffer (compressed and uncompressed), Sniffer Pro, NetXray, Sun snoop and atmsnoop, Shomiti/Finisar Surveyor, AIX's iptrace, Microsoft's Network Monitor, Novell's LANalyzer, RADCOM's WAN/LAN Analyzer, HPUX nettl, i4btrace from the ISDN4BSD project, Cisco Secure IDS iplog, the pppd log (pppdumpformat), the AG Group's/WildPacket's EtherPeek/TokenPeek/AiroPeek, or Visual Networks' Visual UpTime. It can also read traces made from Lucent/Ascend WAN routers and Toshiba ISDN routers, as well as the text output from VMS's TCPIPtrace utility and the DBS Etherwatch utility for VMS. Any of these files can be compressed with gzip and Ethereal will decompress them on the fly.
  • Live data can be read from Ethernet, FDDI, PPP, Token*Ring, IEEE 802.11, Classical IP over ATM, and loopback interfaces (at least on some platforms; not all of those types are supported on all platforms).
  • Captured network data can be browsed via a GUI, or via the TTY*mode "tethereal" program.
  • Capture files can be programmatically edited or converted via command*line switches to the "editcap" program.
  • 602 protocols can currently be dissected
  • Output can be saved or printed as plain text or PostScript.
  • Data display can be refined using a display filter.
  • Display filters can also be used to selectively highlight and color packet summary information.
  • All or part of each captured network trace can be saved to disk.

What's New:

The following vulnerabilities have been fixed:

  • Arbitrary file deletion on Windows. (Bug 13217)

The following bugs have been fixed:

  • Saving all exported objects (SMB/SMB2) results in out of physical memory. (Bug 11133)
  • Export HTTP Objects - Single file shows as multiple files in 2.0.2. (Bug 12230)
  • Follow Stream and graph buttons remain greyed out in conversation window. (Bug 12893)
  • Dicom list of tags in element of VR=AT not properly decoded. (Bug 13077)
  • Malformed Packet: BGP Update (withdraw) message. (Bug 13146)
  • Install fail on macOS Sierra (error PKInstallErrorDomain Code=112). (Bug 13152)
  • GTP: "Create PDP Context response" message shows back-off timer as malformed when included in the response. (Bug 13153)
  • ICMP dissector fails to properly detect timestamps. (Bug 13161)
  • RLC misdissection. (Bug 13162)
  • Text2pcap on Windows produces corrupt output when writing the capture file to the standard output. (Bug 13165)
  • HTML escaping of quotes in error message. (Bug 13178)
  • TShark doesn’t respect protocols.display_hidden_proto_items setting. (Bug 13192)
  • RPC/RDMA dissector should exit when frame is not RPC-over-RDMA. (Bug 13195)
  • Some RPC-over-RDMA frames are not recognized as RPC-over-RDMA. (Bug 13196)
  • RPC-over-RDMA frames with chunk lists are "Malformed". (Bug 13197)
  • TShark fails to pass RPC-over-RDMA frames to RPC subdissector. (Bug 13198)
  • Adding a DOF DPS Identity Secret, session Key, or Mode Template causes Wireshark to crash. (Bug 13209)
  • Wireshark shows "MS Video Source Request" in a RTCP packet as "Malformed". (Bug 13212)

Updated Protocol Support