Category Archives: Uncategorized

Wireshark Is Now Twenty

Twenty years ago today I announced Ethereal 0.2.0, which marks the first public release of what is now Wireshark. The release was an attempt at two things: to create an interactive protocol analyzer for Linux and Solaris so that I could do my job better, and to give back to the open source community. As it turns out the second goal had a huge effect on the first one. After the initial release developer and user communities quickly formed. Different people had different goals such as support for other platforms and protocols, troubleshooting in specific environments, education, product development, network forensics, and so on. After a while things settled down to a single goal:

To help as many people as possible understand their networks as much as possible.

As goals go that’s pretty broad and implies a lot of work. Open source project hosting services didn’t exist in 1998 so in the olden days we pretty much ate sand. For example, I made thirty releases in the first year. Twenty of them were in the first two months. That’s because I was our revision control system[1]. Contributors would send me patches, I’d apply them to my source tree and then make a release. Everyone would then sync their source directories with the new release. Fortunately we stopped doing that in short order. Other parts of the project followed similar paths. The first Windows packages were ZIP files with no capture driver. Our first web server was a 40 MHz SPARCstation IPX with 64 MB of RAM. We inflicted X11 on our macOS users far longer than we should have.

The project grew from those humble beginnings to what is today – the world’s most popular network protocol analyzer. The goal is still there, and many people and organizations are helping us achieve it. We have a wonderful sponsor in Riverbed, which pays my salary, provides our infrastructure, and sponsors SharkFest, our developer and user conference[2]. It’s managed by Janice Spampinato, who does a spectacular job of making sure our community can share its knowledge face to face in a welcoming environment. Speaking of SharkFest, we’re having three of them this year! Laura Chappell does a correspondingly spectacular job with Wireshark University, educating users throughout the year. Our user and developer community is second to none in its expertise, knowledge, and willingness to help.

I could not be more proud of what we’ve accomplished and look forward to the challenges and opportunities. On behalf of the Wireshark development team, thank you for your support.


1. Never, ever do this. If you want to start a project, just commit your code to GitLab. Or GitHub. Or BitBucket. Or anything else that doesn’t involve manual patching.

2. If your career involves looking at packets you should maybe show up once in a while.

Let me tell you about Wireshark 2.0

We’re getting ready to release Wireshark 2.0, which includes a major user interface update. As a comparison, here’s a picture of Wireshark 1.12.8, which is the current stable release:
[Screenshot: Main window, Wireshark 1.12.8]

Here’s a picture of Wireshark 2.0.0rc2, which is the current development release:
[Screenshot: Main window, Wireshark 2.0.0rc2]

See? Totally different.

Actually, quite a few things have changed. The user interface has been completely rewritten using a different interface library (Qt). It has been streamlined so that you can work faster and it should have a better look and feel on every platform. The screenshots above are similar because we’ve also tried to ensure that the new UI is familiar to current users. The features you’re used to are still there and in the same place (or at least nearby). They should work much more smoothly, however.

I can’t hope to cover all of the changes in Wireshark 2.0 in one blog post, but here are a few highlights:

Capture options. Capture options have been simplified and consolidated. In 1.12 they are spread out in many places across several windows. In 2.0 they are in two places: the Capture Options dialog (Capture→Options or the “gear” icon in the toolbar) and the Manage Interfaces dialog, which you can open by pressing “Manage Interfaces” in the Capture Options dialog.

Streamlined preferences. Preferences windows usually aren’t something to get excited about and this is no exception, but it’s important to note that in the process of removing clutter some preferences have been removed from the main window. They’re still available in the “Advanced” preference section which lists every available preference item.

Translations. Thanks to the hard work of many contributors the new interface supports multiple languages. You can now select between Chinese, English, French, German, Italian, Japanese, and Polish in the “Appearance” preferences section. Many more translations are underway. You can see the status of the translation efforts and help out at https://www.transifex.com/wireshark/wireshark/.

Related packets. As you scroll through the packet list you might notice little symbols pop up along its left edge. For example, you might see left and right arrows for DNS requests and replies, or a check mark to denote an ACKed TCP packet. These are related packets. This exposes some plumbing we’ve had in place for a long time, but it’s now shown in the main window instead of buried deep in the packet detail tree.

Intelligent scrollbar. As you scroll through the packet list you might notice that the scroll bar itself looks odd. It now features a map of nearby packets, similar to the “minimap” available in many modern text editors. The number of packets shown in the map is the same as the number of physical vertical pixels in your scrollbar. The more pixels you have, the more packets you can see. In other words, if you use Wireshark regularly you now have a legitimate business case for a retina display.

Statistics dialogs. The dialogs under the Statistics and Telephony menus have seen many improvements. The backend code has been consolidated so that most of Wireshark’s statistics now share common internal logic. This in turn let us create common UI code with many workflow improvements and a much more consistent interface.

I/O Graph dialog. You can now graph as many items as you like and save graphs as PDF, PNG, JPEG, and BMP. Graph settings stay with your profile so you can customize them for multiple environments.

Follow Stream dialog. You can now switch between streams and search for text.

General dialogs. Many dialogs now have context-aware hints. For example the I/O Graph and Follow Stream dialogs will tell you which packet corresponds to the graph or stream data under your cursor. Most of them will stay open after you close a capture file so that you can compare statistics or graphs between captures.

If you want to see a live demonstration of the new UI, Laura Chappell and I are presenting a webinar next week on the 12th at 10:00 AM PST. You can register at http://bit.ly/wireshark2.

The final 2.0.0 release should be available in a couple of weeks. I’m excited about the new UI and about the opportunities that it provides for new features and further improvements.

Wireshark Tutorial Series #2. Tips and tricks used by insiders and veterans

Yes, I know it’s been a while between the tip #1 video (https://blog.wireshark.org/2012/10/wireshark-tutorial-series/?utm_source=rss&utm_medium=rss&utm_campaign=wireshark-tutorial-series) and this one. Judging by the number of views and comments, it is helping. So keep me honest by reminding me to post more often!

In this short video (http://www.youtube.com/watch?v=aIiosBw2YH4), I discuss the dangers of using default values without fully understanding what the consequences are. At Sharkfest 2013, Christian Landström gave an excellent session on the reassembly feature of Wireshark. Unfortunately, it wasn’t recorded and I wanted to convey the message. The PDF of his excellent session can be found here: http://tinyurl.com/lko37zb

Enjoy!

Hansang Bae

Wireshark Tutorial Series. Tips and tricks used by insiders and veterans

For those of you who have attended Sharkfest in the past, you already know that protocol analysis is near and dear to my heart. It’s also a field where experience and art still matter. As great as Wireshark is as a tool, it still takes coaxing by an analyst to ferret out root cause. And as networks and applications become more complex, keeping up will be challenging.

But the one thing that I noticed over the years is that people rush to install sniffers without really thinking about it. It’s almost as if people expect sniffers to magically spit out the root cause, served on a silver platter! In reality, it takes a fair amount of protocol and application knowledge to truly bring a tool like Wireshark to bear.

I started posting to this blog so that I can help budding protocol analysts and perhaps show interesting tricks-of-the-trade to veteran users. To become good in this field, it takes a fair amount of practice. It takes practice to know how to capture the right data, where to capture the data, what filters to use, and how to interpret the data. So how do you go about getting started? First, you can watch the accompanying video/tutorial session (see below for the link). Next, make sure you set up your Wireshark in a consistent manner; the video tutorial covers this.

Ever wonder how router jockeys like me can scroll through a “sho run” output so quickly? It’s because I’ve done it for so long that the eyes are trained to filter out unneeded information. That’s the key to training – knowing what to filter out so your brain can get to work on the important stuff. It turns out protocol analysis works the same way. You have to train your brain to filter out the noise. Setting up your Wireshark environment will go a long way to maximizing productivity.

There is no right way to set up Wireshark. There’s only my way, and everyone else’s by definition is wrong! Some like the destination address to be the first column, just like in DOS Sniffer. Others prefer using Wireshark’s default order. Whatever your style is, make sure it’s consistent. And if you’re just starting out, perhaps you can benefit from my setup. Even Anthony Bourdain in his book Kitchen Confidential talks about mise-en-place. It’s a term used by chefs and signifies how the cooking stations are set up. It’s important because it makes them more productive. For the same reason, you need to develop your own Wireshark mise-en-place!

If you still have not modified the default layout of Wireshark, you’re definitely missing out. In the video, I’m going to help you set up Wireshark so that you can become more productive. And we’re going to embark on a journey where I show you all the secrets to protocol analysis. I’m like the magician’s “tricks revealed” guy. I’m going to help make you a rock star where protocol analysis is concerned in your company. If you’re an industry veteran, don’t be alarmed. The first few sessions are geared towards beginners so they can catch up. After that, I promise you that we’ll be in the weeds!

Hope you enjoy it, and I’d love to hear your comments. You can reach me at [email protected]

Packets

Has anyone seen my packets? They were around here somewhere.