Info on The Official Wireshark Blog

Fifteen Years

Mon, 15 Jul 2013 03:22:47 +0000

Fifteen years ago I released a little network protocol analyzer. At the time it wasn’t very special. It only dissected five protocols and only ran on Linux and Solaris. I decided to share it with the world and released it as open source. I made use of quite a bit of open source software at that point (and still do), and it seemed like a good way to give back to the community.

Immediately after the release an amazing thing happened — I started receiving code from people around the world. They had problems similar to mine and were able to modify the little analyzer to suit their needs. They were also kind enough to contribute those modifications back. Those contributions haven’t stopped to this day and Wireshark has grown into a mature, feature-rich, award-winning network analysis tool. People around the world use it to troubleshoot networks, develop software and protocols, and to learn about networking.

Wireshark has been a source of pride many times over the years but I’m particularly proud of two accomplishments. First, your network is not a black box. This is important inasmuch as our daily lives depend on networks operating efficiently, reliably and securely. Wireshark lets you peer into your network and see how it operates at a low level. It’s also accessible. Anyone can download and run it. Protocol analysis is a fascinating world and if you don’t understand what you’re looking it we have a large community of users and educators that can help you.

Second, it turns out that a protocol analyzer makes a great open source project and Wireshark is an example of open source at its best. People who know a lot about protocols are typically know how to write software. If you provide a platform that allows them to give meaning and context to the bits and bytes that make up network packets they will do so on a massive scale. Wireshark now supports over 1,000 protocols and 140,000 different protocol fields and those numbers keep growing.

We’ve had quite a few challenges in the past and we still do. These days all of your interesting traffic is either off in the cloud or speeding across your LAN at multiple gigabits a second. Wireshark doesn’t run on my tablet and it looks awful on my Macbook. However, these are solvable problems and I’m looking forward to the challenge of fixing them.

When I made that first release I had no idea how big it would become or how much it would impact my life. Wireshark is a great and wonderful thing due to the following people:

The development team, who seem to generate an endless stream of brilliance and cleverness.
The user community, for their knowledge and enthusiasm, and for putting up with the odd wart here and there.
Educators, researchers, developers, and everyone else who help people peer into their networks.
My employer for sponsoring the project and being such an awesome place to work, and my co-workers for their passion for network performance.
My family and friends, for their support and encouragement over the years.

It’s been a wonderful journey so far and I can’t wait to see what lies ahead. Thank you all.

Comments 🔗

Comment by dredgie on 2013-07-14 22:22:14 +0000 🔗

Happy bday, Wireshark! And thanks for everything you do for the community, Gerald

Comment by Jasper on 2013-07-16 02:04:28 +0000 🔗

Happy Birthday, Wireshark! Thanks, Gerald, and thanks to all the developers that push the cart with all their dedication and time!

Comment by Harry on 2013-07-20 02:10:05 +0000 🔗

Congratulations to the entire team …. ethereal to wireshark what a fabulous journey.

Wireshark and Pcap-ng

Tue, 06 Mar 2012 18:47:56 +0000

When Wireshark 1.8.0 is released in the next few months it will introduce two major features: the ability to capture from multiple interfaces at once and the ability to annotate packets. These features have been on the wishlist for years and they will make Wireshark much more useful. They both share dependency on pcap-ng.

Packet comment example

Pcap-ng is Wireshark’s new default file format. It is more complex than its predecessor (pcap) but it’s also more flexible. Along with multiple interface types and annotations you can store host information, extended interface information, and much more. Wireshark has had basic support for pcap-ng for several years now and 1.8.0 will bring it to the forefront.

But there’s a catch. Suppose you sit down at a computer with Wireshark 1.7 or 1.8 installed. What file format will Wireshark use by default? Unfortunately the answer is “It depends.” If this is a fresh install of Wireshark on a new computer you’ll get pcap-ng files. If this is an upgrade from 1.6 or below you’ll get pcap files. If the preferences were changed or copied from another machine the default format will be affected as well.

There’s another catch. Suppose you’ve just saved a capture file and you want to read it using tcpdump, Cascade Pilot, Snort, or any of the dozens of other applications that use the classic pcap file format. What will happen? Again, it depends. If that application has been updated to support pcap-ng or if it’s using a recent version of libpcap it will probably work. Otherwise don’t hold your breath.

If you’re a Wireshark user you might want to try a recent build of Wireshark 1.7 to see the new features and new file format in action. If you’re a developer and your application reads pcap files you’re most likely in for some grief. For that I apologize. You should probably investigate adding pcap-ng support now before your users start complaining.

Despite the migration pains the switch to pcap-ng is long overdue and will make Wireshark more useful to more people.

Comments 🔗

Comment by Guy Harris on 2012-03-06 11:05:49 +0000 🔗

In “If that application has been updated to support pcap-ng or if it’s using a recent version of libpcap it will probably work.”, “a recent version of libpcap” means “libpcap 1.1.0 or later”. Libpcap 1.1.0 and later versions (the current version is 1.2.1) can read pcap-NG files that have packets only from one interface (the “any” device counts as one interface in this context) or packets from multiple interfaces if all interfaces have the same link-layer header type and snapshot length.

For applications such as tcpdump that use libpcap to read capture files, using libpcap 1.1.0 or later is sufficient – no changes to the application itself are needed. The application won’t see the additional information Gerald refers to, but it will see the packets.

Applications that have their own code to read pcap files aren’t so lucky. (That’s why, when people asked what pcap files look like, I always warned them not to write their own code to read them, but to use libpcap instead. Wrappers for libpcap exist for languages such as Perl, Python, etc.)

Unfortunately, there’s currently no version of WinPcap based on libpcap 1.1.0 or later, so even WinPcap-based applications are out of luck on Windows.

Comment by Mario Vilas on 2012-03-12 02:58:05 +0000 🔗

Will it be possible to migrate files from one format to the other? I understand some information may be lost in the process, even if it’s possible to extract packets coming from different interfaces into different .pcap output files.

Comment by Gerald Combs on 2012-03-12 11:19:58 +0000 🔗

@Mario You can translate trace files with only one encapsulation type between a variety for formats (not just pcap and pcap-ng) using Wireshark, TShark, editcap, and mergecap. It’s a bit more complicated when multiple encapsulation types are involved. For example the current development version of mergecap returns an error when I try to merge files containing Ethernet, PPP, and IEEE 802.11 packets when it should arguably Just Work. Hopefully we’ll have that fixed for 1.8.0.

Comment by Laura on 2012-03-13 15:16:05 +0000 🔗

HOORAH!

I can’t wait to see how people like the annotations! I’m going through hundreds of trace files adding notes regarding what’s good/bad in those files. This is a FABULOUS feature that I’ve been not-so-patiently waiting for! Congrats Gerald and all the faboo developers!

Comment by Manjari Shukla on 2012-04-03 22:51:51 +0000 🔗

I need just that. thanks. Keep the good job up.

We’re not Participating in World IPv6 Day. Mostly.

Tue, 07 Jun 2011 17:23:54 +0000

Tomorrow is World IPv6 Day, the largest full-frontal test of IPv6 to date. It is going to be a historic event. It’s also one in which wireshark.org will and won’t be participating.

In one sense every day is IPv6 day here and tomorrow will be just another day. Most of our web sites (anonsvn, ask, this blog, bugs, buildbot, sharkfest, and wiki) have been fully dual-stacked for some time. You can reach them over both IPv4 and IPv6 and so far it’s been working pretty well. The big exception to this is the main web site, which still only has an A record. We can add an AAAA record at any time, but I’ve been holding off doing so until well *after* World IPv6 Day.

My concern is that having an AAAA record in place for www.wireshark.org tomorrow will cause unnecessary problems. If anyone runs into trouble reaching dual-stacked sites I don’t want to impede their ability to troubleshoot the problem by making Wireshark difficult to download.

We’ll add the AAAA record for www.wireshark.org in a few weeks.

P.S. According to the SCM revision logs IPv6 support was introduced in Wireshark in 1998. Tomorrow’s test is long overdue.

Comments 🔗

Comment by reddy on 2011-06-12 08:30:16 +0000 🔗

make sense.

Comment by Smat Testing on 2011-06-14 00:17:12 +0000 🔗

IPv6 good

Comment by guilleme on 2011-06-14 18:58:11 +0000 🔗

All ipv6 is looong overdue.
It started being needed many, many years ago.

Comment by Byte on 2011-06-15 07:56:52 +0000 🔗

I’d suggest creating a separate domain http://www.wiresharkipv4.org with only an A record, and http://www.wiresharkipv6.org with only a AAAA record. Not only handy for testing, but also ensures the site can be reached.

Comment by Gerald Combs on 2011-06-15 11:50:58 +0000 🔗

@Byte we have ip4.wireshark.org (A) and ipv6.wireshark.org (AAAA). They are primarily used by the IPv4/IPv6 connectivity test in the upper right corner of the pages on the web site, but you’re free to use them to connect to the site using your browser. Will that work?

Comment by NickC on 2011-07-08 04:49:31 +0000 🔗

While websites can often respond to more than one name, there is always issues for HTTPS – with certificate name mismatches if the Hostname doesn’t match. As the SSL certificate exchange happens before there is any HTTP sent on the connection, the Host can’t offer multiple certificates, based on the Hostname that will appear only once the SSL connection has been established.
So the wireshark website doesn’t work well via alternative names.

How To Read IPv6 Addresses

Tue, 08 Feb 2011 23:53:19 +0000

A common complaint about IPv6 is that addresses are “hard to read”. If you’ve been in the networking world any length of time IPv4’s dotted quad is most likely seared into your brain and clumps of hexadecimal digits of varying lengths can can be hard to wrap your head around. However, those clumps can provide useful information.

Below I’ll go over some of the address types I’ve seen and show you what information they provide.

NOTE: I’m not going to explain the basics of IPv6 address formats. Plenty of others have done that elsewhere. Wikipedia and RFC 4291 are good places to start.

Many of Wireshark’s web sites have been available over IPv6 for a while and as I’ve looked through various capture files and server logs patterns have emerged. Most of the addresses in this post are from IPv6 traffic captured in late January 2011. In Wireshark you can view IPv6 addresses via Statistics→Endpoint List→IPv6 or Statistics→Conversation List→IPv6 or by using the display filter “ipv6”.

First let’s look at the network prefixes that were captured. In my sample capture I see the following /16s (which we’ll call chunks for now):

2001::
2002::
2607::
2620::
2a01::
fe80::
ff02::

Most of the traffic in the capture starts with “2”. The prefix 2000::/3 has been assigned for global unicast traffic — that is, traffic you should see on the public internet. Right now you should only see prefixes between 2001::/16 and 2c00::/16 since IANA has only assigned prefixes in that range.

This alone is incredibly useful. A simple regular expression “[23]…:” (a “2” or “3” followed by three characters followed by a “:”) can be used to match public IPv6 traffic. I use this to find IPv6 addresses in Apache access logs.

Wireshark’s display filter engine doesn’t support prefix lengths for IPv6 addresses (not yet, at least) but you can use arithmetic comparisons to find public addresses, e.g. “ipv6.src >= 2000:: && ipv6.src < 4000::”.

Many prefixes in the assigned range are recognizable:

2002:: — 6to4 traffic. MTUs from these addresses will probably be lower than normal.
2001:470:: — Hurricane Electric. HE provides a popular tunnel broker service, so MTUs from these address will often be lower than normal.
2001:0:: — Teredo tunneling.
Organizations with large v6 deployments such as 2001:420 (Cisco) 2001:4860 (Google)

The prefixes outside the global unicast range (fe80:: and ff02::) are link-local and multicast addresses respectively. Both of these are limited to the local network and typically used for ICMPv6 neighbor discovery.

Now let’s skip over to the last half of the addresses and look at some of the recognizable bits in the host portion:

::5efe:xxyy:zzqq — ISATAP. Yet another tunneling technology. xx, yy, zz, and qq represent a tunnelled IPv4 address.
::xxyy:zzff:feqq:rrss — SLAAC. This is the machine’s MAC address (xx:yy:zz:qq:rr:ss) with “ff:fe” shoved in the middle.
::random digits — A SLAAC privacy extension address.

There are two things of note about these last two. Windows has SLAAC privacy extensions enabled by default, while other operating systems (particularly Linux and OS X) don’t. You can often tell machine’s OS by looking at the host portion its IPv6 address. Furthermore, one of the big complaints about IPv6 (big hairy addresses) is actually a feature.

Now take a look at the following addresses. Notice anything unusual?

2620:12::5
2001:4860:8004::68
2001:420:80:1::5

Compared to the formats above they’re short. The host portion is mostly zeroes. These are manually assigned. In this case they’re all web server addresses. I added them to demonstrate that the length of IPv6 addresses is often up to you.

Are there any patterns or address types I missed? Feel free to share them below.

Comments 🔗

Comment by Erik on 2011-02-09 10:22:43 +0000 🔗

Great post Gerald!

Interesting that you too have noticed the need for a better name for the Chazwazza/Chunk/Hextet in IPv6: http://www.netresec.com/?page=Blog&month=2011-02&post=Name-the-Chazwazza-in-IPv6

Comment by Alex on 2011-02-17 23:44:42 +0000 🔗

The explanations are clear, thank you. Indeed, they’re not that hard to read, when you think about it.

Comment by Cassondra on 2011-02-24 03:44:24 +0000 🔗

Just thought I’d let you know your FAQ page talks about the “man page” instead of the “main page”. While I’m sure a man page would be interesting, I’m also fairly sure it’s not what you meant. 😉
Q 1.10: What protocols are currently supported?

A: There are currently hundreds of supported protocols and media. Details can be found in the wireshark(1) man page.

Comment by Gerald Combs on 2011-02-24 08:40:10 +0000 🔗

@Cassondra In this case “man page” means just that. It’s an abbreviation for “manual page”: http://en.wikipedia.org/wiki/Man_page

Comment by Rob on 2011-03-01 13:04:03 +0000 🔗

Hi Gerald,

This is completely unrelated to your post, but I wrote a script that helps automate the Wireshark install for OS X 10.6. The script only requires that you mount the dmg. It will then prompt you for the admin password and user short name to modify the permissions necessary for Wireshark to function. I’d love to send it to you if I could.

Thanks.

Comment by Gerald Combs on 2011-03-01 13:44:27 +0000 🔗

@Rob Can you send the script to the wireshark-dev mailing list or attach it to a bug at bugs.wireshark.org?

Comment by Rob on 2011-03-01 21:02:18 +0000 🔗

Thanks Gerald. Just send the script to the dev mailing list.

Comment by Oyvind on 2011-03-07 02:48:37 +0000 🔗

Facebook has a quite amusing IPv& address:
http://www.v6.facebook.com. 3600 IN AAAA 2620:0:1cfe:face:b00c::3

(Hint: face:b00c)

Antivirus Outbreak

Mon, 09 Aug 2010 18:00:49 +0000

Wednesday, August 4, 8:00 AM 🔗

We receive a phone call from someone complaining about “Wireshark Antivirus”. I take the call. The person on the other end isn’t able to provide many details other than that a program named “Wireshark Antivirus” is displaying some a shield and directing him to the cacetech.com web site.

This is new. We’ve been on the receiving end of a few false positives in the past but this is new. Some jackass is using our name do do harm.

This will not end well.

August 4, Morning 🔗

I start searching using Google and Bing, looking for other reports or any details. This is my job for the rest of the day.

So far our only exposure is through reports from other people. A forum post mentions “Wireshark Antivirus.exe”. I ask for screen shots so I can at least put an image online but don’t received any.

The calls continue, but are mercifully few. I add news items to www.wireshark.org and www.cacetech.com and send an email to wireshark-users and wireshark-dev.

This will not end well.

August 4, Afternoon 🔗

Two discussions pop up on Yahoo! Answers. This is a reputation-based Q&A site. Someone posts erroneous information but I can’t correct it. How do you get enough reputation to be helpful in an emergency?

At around 2:00 PM posts start showing up with recommendations for cleaning up the trojan.

Thursday, August 5 🔗

We get our first angry letter! Threats and foul language and everything!

More calls come in. Most AV software has been updated to catch the code if it hadn’t already done so.

This will not end well.

Friday, August 6 🔗

The reports and calls taper off.

By this time several blog entries and news articles have covered the malware. I add them to the news items on the Wireshark and CACE web sites.

This will not end well.

Saturday, August 7 🔗

More cussing and threats via email. Someone managed to find our contact information on the CACE web site, but completely missed the “Wireshark Antivirus” Malware news banner at the top of the home page.

This will not end well.

Monday, August 9 🔗

The crap-storm continues. We’re trying to help as best we can.

Tuesday, August 10 🔗

Yahoo! Answers deleted one of my comments because it was flagged as spam. Thanks Yahoo! You guys are swell!

Lessons: 🔗

Communicate. Luckily its victims were visiting www.cacetech.com, so we could pass along updates in near real time. Google and Bing helped track down users posting questions to online forums. I responded to each question with any information I had at the time.

People don’t run AV software. Seriously — you should at least be running something like MS Security Essentials by now.

Even cake is dangerous. One of the infections apparently happened while looking for pictures of cake on Flickr.

Comments 🔗

Comment by James Wylie on 2010-08-09 13:58:08 +0000 🔗

Gents,

I’ve had two customers in the past few weeks with virus infections from an app called Wireshark Antivirus. This was strange becuase I used your app a few years back. Took me a minute to realize that it was you guys and that some bonehead was using your name to exploit with bad character your company.

How can I help –

Mr Wylie

Comment by Gerald Combs on 2010-08-09 18:11:19 +0000 🔗

@James It sounds like you’re helping already.

Comment by mary chang on 2010-08-09 20:35:21 +0000 🔗

hello,
something calling itself WIRESHARK ANTIVIRUS installed itself on my computer & seems to insist on a subscription of some sort. I wonder if your program can uninstall it? I have notified CONSUMER FRAUD REPORTING.ORG. Many thanks for any help!
MARY CHANG.

Comment by Lee Anne Farnham on 2010-08-09 21:19:22 +0000 🔗

How do I get rid of this sharkware virus? It tagged on to my computer this morning when I was taking a look at wedding anouncement web sites.

I will also send an email to consumer fraud reporting.org.

Comment by Gerald Combs on 2010-08-09 21:31:07 +0000 🔗

Mary & Lee Anne,

There are a links with removal instructions at http://www.wireshark.org/news/20100804.html . Googling for “wireshark antivirus” (WITH quotes) turns up a lot more information about removing the trojan. I don’t have any way of testing them here and so can’t recommend any particular one.

Comment by belensaurus on 2010-08-12 22:48:11 +0000 🔗

i got the wireshark thingy and i managed to get rid of it,
download thee Malwarebytes’ Anti-Malware program and it will actually get rid of it
the wireshark program thingy wont let the program pop out but all you have to do it press the alt+ctrl+delete keys together and youll get the windows task manager pc lick on the wireshark and end the task then once the malwarebites program pops out do a quick scan and once the scan is finished remove the threats and your done your computer will restart and your computer will be ok go on malwarebites again and delete the threats and your done

Comment by Matt on 2010-08-13 10:50:08 +0000 🔗

The MalwareBytes solution seems to have eliminated the bug itself. However, further investigation has revealed that my browser is hijacked. I do not know if this was part of the Wireshark Antivirus bug or some prior threat I missed, but Googling “Malwarebytes” and following any of the links redirects me to off-the-wall websites that I’m sure are attempting to add more malicious garbage to my machine. I highly promote MalwareBytes, but be very careful attempting to download it. You may want to DL it from the comfort of another (uninfected) machine, and copy the installer to your infected machine. Also, you may need other solutions besides MBAM if your browser has been hijacked as mine has.

Comment by margy on 2010-08-13 11:37:00 +0000 🔗

how to do you know if your browser’s been hijacked? I have this Wireshark AV thing and can’t open apps to download anything to get rid of it. Had just downloaded MalwareBytes the night before…then got this. Can’t open MB to even scan

Comment by Gerald Combs on 2010-08-13 12:15:07 +0000 🔗

@margy According to a Malwarebytes forum post you can rename mbam.exe to something else:

http://forums.malwarebytes.org/index.php?s=bf5375540445801cd46624397aa2918a&showtopic=59850&pid=297318&st=0&#entry297318

Comment by brian on 2010-08-13 17:36:36 +0000 🔗

For those of you having issues running malwarebytes or other removal tool, your best bet is to boot in Safe Mode prior to executing anything. To enter safe mode, simply pres F8 while your computer is in BIOS prior to windows start up.

Comment by mary chang on 2010-08-13 19:15:13 +0000 🔗

Success to report! Our computer guru has solved all my problems, cleaned the whole system, besides identifying & removing that fake program. I intend to forward the fake’s name to Fraud Prevention authorities. If anybody wants to know, I can share my guru’s name — he has a huge reputation in our counties.

Comment by Curt on 2010-08-19 23:24:47 +0000 🔗

Is there a chance to monitor ports on unmanaged switches and the NIC´s of the machines attached to these ports?
I am experiencing ports to be hung up by machines in a way that they are not reachable anymore. The switch seems to be physically well but traffic to these ports is impossible.

Comment by James Eighmey on 2010-08-21 10:16:47 +0000 🔗

If you are a newbie to system security. You can run clamav portable or stinger to remove wireshark anti-virus. here are the links to both. McAfee Stinger – http://vil.nai.com/vil/stinger/ ClamAV Portable – http://portableapps.com/apps/utilities/clamwin_portable Your best bet is to run these from a flashdrive or memory card, and download them from a clean system.

Comment by Jamie on 2010-08-23 16:20:38 +0000 🔗

Wow… There’s some really stupid people floating around. “Wireshark” is an awesome packet-sniffing program. “Wireshark Antivirus” is a virus, and is not related to Wireshark in any way. Get a brain, people.

I would smack you people so hard, if I could. Give Gerald a break from your stupidity…

Comment by Joe Sammarco on 2010-08-24 13:13:10 +0000 🔗

This piece of malware is almost indistinguishable from the “SuperAntivirus 09” bug of recent fame. These idiots probably pulled the name “Wireshark” out of the blue because it sounded cool to them. The bug is easily eradicated by running the free application “Malwarebytes anti malware scanner” in windows safe mode. Just download the free software and make sure it updates before you scan with it. If you are not computer literate enough to do this for yourself, there are plenty of guys like me around willing to charge for this work.

Comment by Chris Maynard on 2010-08-29 07:36:45 +0000 🔗

Wow, how sad is it that the first site listed after a google or yahoo! search for wireshark is “Wireshark Removal”.

Comment by Michael McNamara on 2010-08-30 20:37:38 +0000 🔗

I’ve been on the receiving end of a few similar situations. Unfortunately you’ve got to bite your tongue and soldier along. You did a great job of communicating the issue once you learned of it. It’s a shame that users continue to be the mindless people that we know them to be.

Cheers!

Comment by Jason Cruse on 2010-08-31 07:58:50 +0000 🔗

Well I do computer work and let me tell you this and other fakeAlert programs and rogue spyware is crazy here in ohio. some let it go as far as were the system is so far bogged down that I end up having to do a renistall. Usually you can get rid of everthing but the redirector. Its my job…but still a pain.

Comment by M. O’Connor on 2010-09-16 13:16:58 +0000 🔗

Don’t want to sound flippant but…

Whoever created the wireshark AV app has created a new definition of “Wireshark” 🙂

Leveraging Your Settlement

Wed, 23 Dec 2009 18:01:55 +0000

Comcast owes me money. They owe lots of people money.

In 2007 and 2008 Comcast forged TCP RST packets in order to throttle P2P and other kinds of traffic. This resulted in several class-action lawsuits. They recently settled one of them and agreed to pay each affected customer $16.

From an individual perspective this isn’t a lot. However, for those who are eligible for the settlement I have a proposal: submit your claim form and make it part of a larger donation to your local food bank or homeless shelter.

That’s what I’m going to do.

Autosuggestive

Wed, 18 Nov 2009 17:37:22 +0000

walmart

wikipedia

Does Wired 96.5 have a morning zoo?

walmart beat weather. wtf?

Comments 🔗

Comment by Chris on 2009-12-02 16:53:31 +0000 🔗

way cool on #1 suggestion for wir as wireshark.
wow for walmart.

btw, eth yields:
ethan allen
ethanol
ethics
ethos
ethel kennedy
ether
ethiopia
ethereal
ethnicity
ethnocentrism

#8 isn’t too bad either, especially considering that it’s essentially been dead for ~3 1/2 years.