It is the de facto (and often de jure) standard across many industries and educational institutions. Wireshark development thrives thanks to the contributions of networking experts across the globe. It is the continuation of a project that started in 1998. Wireshark was written by networking experts around the world, and is an example of the power of open source. Wireshark is used by network professionals around the world for analysis, troubleshooting, software and protocol development and education. The program has all of the standard features you would expect in a protocol analyzer, and several features not seen in any other product. Its open source license allows talented experts in the networking community to add enhancements.
Features:
- Data can be captured "off the wire" from a live network connection, or read from a capture file.
- Wireshark can read capture files from tcpdump (libpcap), NAI's Sniffer (compressed and uncompressed), Sniffer Pro, NetXray, Sun snoop and atmsnoop, Shomiti/Finisar Surveyor, AIX's iptrace, Microsoft's Network Monitor, Novell's LANalyzer, RADCOM's WAN/LAN Analyzer, HPUX nettl, i4btrace from the ISDN4BSD project, Cisco Secure IDS iplog, the pppd log (pppdumpformat), the AG Group's/WildPacket's EtherPeek/TokenPeek/AiroPeek, or Visual Networks' Visual UpTime. It can also read traces made from Lucent/Ascend WAN routers and Toshiba ISDN routers, as well as the text output from VMS's TCPIPtrace utility and the DBS Etherwatch utility for VMS. Any of these files can be compressed with gzip and Ethereal will decompress them on the fly.
- Live data can be read from Ethernet, FDDI, PPP, Token*Ring, IEEE 802.11, Classical IP over ATM, and loopback interfaces (at least on some platforms; not all of those types are supported on all platforms).
- Captured network data can be browsed via a GUI, or via the TTY*mode "tethereal" program.
- Capture files can be programmatically edited or converted via command*line switches to the "editcap" program.
- 602 protocols can currently be dissected
- Output can be saved or printed as plain text or PostScript.
- Data display can be refined using a display filter.
- Display filters can also be used to selectively highlight and color packet summary information.
- All or part of each captured network trace can be saved to disk.
What's New:
Wireshark 2.6 is the last release that will support the legacy (GTK+) user interface. It will not be supported or available in Wireshark 3.0.
Many user interface improvements have been made. See the “New and Updated Features” section below for more details.
Bug Fixes
The following bugs have been fixed:
- Dumpcap might not quit if Wireshark or TShark crashes. (Bug 1419)
New and Updated Features
The following features are new (or have been significantly updated) since version 2.5.0:
- HTTP Request sequences are now supported.
- Wireshark now supports MaxMind DB files. Support for GeoIP and GeoLite Legacy databases has been removed.
- The Windows packages are now built using Microsoft Visual Studio 2017.
- The IP map feature (the “Map” button in the “Endpoints” dialog) has been removed.
The following features are new (or have been significantly updated) since version 2.4.0:
- Display filter buttons can now be edited, disabled, and removed via a context menu directly from the toolbar
- Drag & Drop filter fields to the display filter toolbar or edit to create a button on the fly or apply the filter as a display filter.
- Application startup time has been reduced.
- Some keyboard shortcut mix-ups have been resolved by assigning new shortcuts to Edit → Copy methods.
- TShark now supports color using the --color option.
- The "matches" display filter operator is now case-insensitive.
- Display expression (button) preferences have been converted to a UAT. This puts the display expressions in their own file. Wireshark still supports preference files that contain the old preferences, but new preference files will be written without the old fields.
- SMI private enterprise numbers are now read from the “enterprises.tsv” configuration file.
- The QUIC dissector has been renamed to Google QUIC (quic → gquic).
- The selected packet number can now be shown in the Status Bar by enabling Preferences → Appearance → Layout → Show selected packet number.
- File load time in the Status Bar is now disabled by default and can be enabled in Preferences → Appearance → Layout → Show file load time.
- Support for the G.729A codec in the RTP Player is now added via the bcg729 library.
- Support for hardware-timestamping of packets has been added.
- Improved NetMon .cap support with comments, event tracing, network filter, network info types and some Message Analyzer exported types.
- The personal plugins folder on Linux/Unix is now ~/.local/lib/wireshark/plugins.
- TShark can print flow graphs using -z flow…
- Capinfos now prints SHA256 hashes in addition to RIPEMD160 and SHA1. MD5 output has been removed.
- The packet editor has been removed. (This was a GTK+ only experimental feature.)
- Support BBC micro:bit Bluetooth profile
- The Linux and UNIX installation step for Wireshark will now install headers required to build plugins. A pkg-config file is provided to help with this (see “doc/plugins.example” for details). Note you must still rebuild all plugins between minor releases (X.Y).
- The Windows installers and packages now ship with Qt 5.9.4.
- The generic data dissector can now uncompress zlib compressed data.
- DNS Stats now supports service level statistics.
- DNS filters for retransmissions and unsolicited responses have been added.
- The “tcptrace” TCP Stream graph now shows duplicate ACKS and zero window advertisements.
- The membership operator now supports ranges, allowing display filters such as tcp.port in {4430..4434} to be expressed. See the User’s Guide, chapter Building display filter expressions for details.