Wireshark

Permission to use by wireshark.org

Wireshark is an open source project that is known as the “…world’s most popular network protocol analyzer”.1 It can be installed on virtually any operating system such as Linux, UNIX, Windows, and OS X. Wireshark can turn almost any system into a packet sniffer, network diagnostic, development, or forensics tool. The strength of the software lies with the ability to monitor network traffic in real time and browse the captured information in an easy to use interface. With the use of filters, color coding, and basic networking know-how a novice user can quickly get detailed information on the raw packets that are sent between multiple computer systems.  Wireshark can also be custom configured and expanded with plugins; one might even conclude that Wireshark is the strongest networking analysis tool available.2

Wireshark is a graphical front-end to use the LibPcap library that was developed to provide a small portable framework that would allow the capturing and monitoring of network traffic.  With the wide variety of hardware manufactures a common language has yet to be developed that will allow the low-level interface with network devices.  The LibPcap framework solves this by creating a common and “system-independent API” that allows applications like Wireshark to interface with a wide variety manufactures.  This relationship between Wireshark and LibPcap provides the flexibility to be installed on almost any system, and gives it the popularity of being the most used network analyzer.13

History

The founder of Wireshark, Gerald Combs, had an inherent need for a tool that could be used to investigate networking problems. However, in the late 1990 there were not many options available for network engineers. The few tools that could be used simply did not provide the level of detailed information to properly diagnose complex networking issues.  Not to mention the cost of such tools often put them completely out of reach for the average company, let alone an individual.

Regardless, a search issued that left Combs craving for a way to dissect undocumented protocols, and perform deep network analytics. Plato once said that necessity is the mother of invention and thus Ethereal, the predecessor to Wireshark, was born.

Combs began development on Ethereal in 1997 and was able to release his first beta version in July 1998. Ethereal became a hit almost overnight and requests for features and bug fixes poured in. Shortly after the initial release several key developers joined the project in 1998 that accelerated the development and allowed the software to grow exponentially.4

  • Gilbert Ramirez became a contributor to the project offering additional low-level dissectors.
  • Tired of the lack of features in tcpview, Guy Harris who worked for Network Appliance started to help with bug fixes and additional dissectors.
  • An educator on TCP/IP networking, Richard Sharpe, also joined the team offering help with patches and dissectors.

After eight years of development Combs gained employment with CACE Technologies in 2006. This lead to a necessary name change from the Ethereal project to Wireshark. Combs previous employer, Network Integration Services (NIS), registered the trademarks for Ethereal including the logo. This obviously prevented Combs from keeping the Ethereal name. In the announcement of his departure Combs stated that the trademarks “…provided valuable legal protection for the project. Unfortunately, when I left we weren’t able to come to an agreement on the trademarks and they stayed behind”.5 Thus the Wireshark project was born and the official release occurred in March 31st, 2008, ten years after the initial project began.6

A full history of developers falls out of the scope of the project, and would be extremely uninteresting.  However, if you have a few moments please check out this video on the history Wireshark contributors made by CACE Technologies.

Uses

Wireshark main feature is to capture information that is being transmitted across the wire. This allows users to see information in real-time as data is exchanged between two more devices. Given the complexity of networks and the infinite number of possible configurations the need to view the raw data is invaluable. Chris Sanders outlines many uses in his book; Practical Packet Analysis Using Wireshark to Solve Real-World Network Problems.7

  • Identifying configuration problems that prevent Internet access
  • Problems with a networked printer
  • Diagnosing software issues to provide developers with raw data
  • Troubleshooting network services such as a DNS or Web server
  • Getting to the root problem of a slow network
  • Adding network security by providing a network baseline
  • Identifying a DoS attack such as a SYN storm
  • Recognize network enumeration by port scanners
  • Detecting ARP cache poisoning
  • Monitoring for potential software Trojans

The above list could continue, however, it does show the wide range of potential uses. In this project Wireshark will be used to capture network traffic between a host computer and a network resource that requires authentication. The goal is to capture log-in credentials that can then be replayed to gain the same level of access as the victim.

Summary

Wireshark is an extremely power and useful tool, and has become a common name in the networking field. This project doesn’t even scratch the surface on available features and potential applications. The focus on flexibility allows Wireshark to be applied to almost any network configuration and run on almost any type of workstation. Not to mention that the software is Open Source and free for anyone to use.

Gerald Combs had a vision to provide a tool that was free and powerful, and did so with the help of the Wireshark community. In the process Gerald created the most popular network analysis tool, and yet he is still humble enough to exchange emails with a student like myself. If you are looking to learn more about Wireshark there are many tutorials online, including a certification track offered by WiresharkUniversity. In my opinion, the best thing is to download Wireshark and just start scanning your home network to discover why layers lie under your applications.

Footnotes

  1. Wireshark. (n.d.). Wireshark Release Notes. Retrieved February 2, 2014, from Wireshark: http://www.wireshark.org/docs/relnotes/wireshark-1.2.0.html
  2. Wireshark. (2014). Wireshark Frequently Asked Questions. Retrieved February 2, 2014, from Wireshark: http://www.wireshark.org/faq.html
  3. Hass, J. (2014). LibPcap. Retrieved Febuary 25, 2014, from About.com: http://linux.about.com/cs/linux101/g/libpcap.htm
  4. Wireshark. (n.d.). A brief history of Wireshark. Retrieved 1 February, 2014, from Wireshark: http://www.wireshark.org/docs/wsug_html_chunked/ChIntroHistory.html
  5. Barr, J. (2006, June 9). Ethereal changes name to Wireshark. Retrieved February 2, 2014, from linux.com: http://archive09.linux.com/articles/54968
  6. Wireshark. (2008, March 31). Wireshark 1.0 Released. Retrieved February 2, 2014, from Wireshark: http://www.wireshark.org/news/20080331.html
  7. Sanders, C. (2011). Practical Packet Analysis Using Wireshark to Solve Real-World Network Problems. San Francisco: No Starch Press, Inc.