It is the de facto (and often de jure) standard across many industries and educational institutions. Wireshark development thrives thanks to the contributions of networking experts across the globe. It is the continuation of a project that started in 1998. Wireshark was written by networking experts around the world, and is an example of the power of open source. Wireshark is used by network professionals around the world for analysis, troubleshooting, software and protocol development and education. The program has all of the standard features you would expect in a protocol analyzer, and several features not seen in any other product. Its open source license allows talented experts in the networking community to add enhancements.
- Data can be captured "off the wire" from a live network connection, or read from a capture file.
- Wireshark can read capture files from tcpdump (libpcap), NAI's Sniffer (compressed and uncompressed), Sniffer Pro, NetXray, Sun snoop and atmsnoop, Shomiti/Finisar Surveyor, AIX's iptrace, Microsoft's Network Monitor, Novell's LANalyzer, RADCOM's WAN/LAN Analyzer, HPUX nettl, i4btrace from the ISDN4BSD project, Cisco Secure IDS iplog, the pppd log (pppdumpformat), the AG Group's/WildPacket's EtherPeek/TokenPeek/AiroPeek, or Visual Networks' Visual UpTime. It can also read traces made from Lucent/Ascend WAN routers and Toshiba ISDN routers, as well as the text output from VMS's TCPIPtrace utility and the DBS Etherwatch utility for VMS. Any of these files can be compressed with gzip and Ethereal will decompress them on the fly.
- Live data can be read from Ethernet, FDDI, PPP, Token*Ring, IEEE 802.11, Classical IP over ATM, and loopback interfaces (at least on some platforms; not all of those types are supported on all platforms).
- Captured network data can be browsed via a GUI, or via the TTY*mode "tethereal" program.
- Capture files can be programmatically edited or converted via command*line switches to the "editcap" program.
- 602 protocols can currently be dissected
- Output can be saved or printed as plain text or PostScript.
- Data display can be refined using a display filter.
- Display filters can also be used to selectively highlight and color packet summary information.
- All or part of each captured network trace can be saved to disk.
The following vulnerabilities have been fixed:
- wnpa-sec-2020-01 WASSP dissector crash. Bug 16324. CVE-2020-7044.
The following bugs have been fixed:
- Incorrect parsing of USB CDC packets. Bug 14587.
- Wireshark fails to create directory if parent directory does not yet exist. Bug 16143.
- Buildbot crash output: randpkt-2019-11-30-22633.pcap. Bug 16240.
- Closing Flow Graph closes (crashes) main GUI window. Bug 16260.
- Wireshark interprets websocket frames after HTTP handshake in a wrong way. Bug 16274.
- A-bis/OML: IPA Destination IP Address attribute contains inverted value (endianness). Bug 16282.
- wiretap/log3gpp.c: 2 * leap before looking ?. Bug 16283.
- Opening shell terminal prints Wireshark: Permission denied. Bug 16284.
- h264: SPS frame_crop_right_offset shown in UI as frame_crop_left_offset. Bug 16285.
- BGP: update of "Sub-TLV Length" by draft-ietf-idr-tunnel-encaps. Bug 16294.
- SPNEGO+GSS-API+Kerberos+ap-options dissection produces "Unknown Bit(s)" expert message. Bug 16301.
- USB Audio feature unit descriptor is incorrectly dissected. Bug 16305.
- Compiling the .y files fails with Berkeley YACC. Bug 16306.
- PDB files in Windows installer. Bug 16307.
- NAS-5GS 5GS network feature support lacks MCSI, EMCN3 two fields (octet 4). Bug 16310.
- Option to change “Packet List” columns header right click pop-up menu behavior. Bug 16317.
- DLT: Dissector does not parse multiple DLT messages in single UDP packet. Bug 16321.
- ISAKMP Dissection: Enhance Source id and Destination ID field of GDOI SA TEK payload for non IP ID type. Bug 16233.
- DOIP: Typo in "identifcation request messages". Bug 16325.
- Toolbar "?" help button - no text/help displayed. Bug 16327.