WireShark: General Questions
Q 1.1: What is Wireshark?
A: Wireshark® is the world's most popular network protocol analyzer. It has a rich and powerful feature set and runs on most computing platforms including Windows, OS X, Linux, and UNIX. Network professionals, security experts, developers, and educators around the world use it regularly. It is freely available as open source, and is released under the GNU General Public License version 2.
It is developed and maintained by a global team of protocol experts, and it is an example of a disruptive technology.
Wireshark used to be known as Ethereal®. See the next question for details about the name change. If you're still using Ethereal, it is strongly recommended that you upgrade to Wireshark.
For more information, please see the About Wireshark page.
Q 1.2: What's up with the name change? Is Wireshark a fork?
A: In May of 2006, Gerald Combs (the original author of Ethereal) went to work for CACE Technologies (best known for WinPcap). Unfortunately, he had to leave the Ethereal trademarks behind.
This left the project in an awkward position. The only reasonable way to ensure the continued success of the project was to change the name. This is how Wireshark was born.
Wireshark is almost (but not quite) a fork. Normally a "fork" of an open source project results in two names, web sites, development teams, support infrastructures, etc. This is the case with Wireshark except for one notable exception -- every member of the core development team is now working on Wireshark. There has been no active development on Ethereal since the name change. Several parts of the Ethereal web site (such as the mailing lists, source code repository, and build farm) have gone offline.
More information on the name change can be found here:
- Original press release
- NewsForge article
- Many other articles in our bibliography
Q 1.3: Where can I get help?
A: Community support is available on the wireshark-users mailing list. Subscription information and archives for all of Wireshark's mailing lists can be found at https://www.wireshark.org/mailman/listinfo. An IRC channel dedicated to Wireshark can be found at irc://irc.freenode.net/wireshark.
Self-paced and instructor-led training is available at Wireshark University. A certification program will be announced in Q3 2007.
Commercial support and development services are available from CACE Technologies.
Q 1.4: What kind of shark is Wireshark?
A: carcharodon photoshopia.
Q 1.5: How is Wireshark pronounced, spelled and capitalized?
A: Wireshark is pronounced as the word wire followed immediately by the word shark. Exact pronunciation and emphasis may vary depending on your locale (e.g. Arkansas).
It's spelled with a capital W, followed by a lower-case ireshark. It is not a CamelCase word, i.e., WireShark is incorrect.
Q 1.6: How much does Wireshark cost?
A: Wireshark is "free software"; you can download it without paying any license fee. The version of Wireshark you download isn't a "demo" version, with limitations not present in a "full" version; it is the full version.
The license under which Wireshark is issued is the GNU General Public License. See the GNU GPL FAQ for some more information.
Q 1.7: But I just paid someone on eBay for a copy of Wireshark! Did I get ripped off?
A: That depends. Did they provide any sort of value-added product or service, such as installation support, installation media, training, trace file analysis, or funky-colored shark-themed socks? Probably not.
Wireshark is available for anyone to download, absolutely free, at any time. Paying for a copy implies that you should get something for your money.
Q 1.8: Can I use Wireshark commercially?
A: Yes, if, for example, you mean "I work for a commercial organization; can I use Wireshark to capture and analyze network traffic in our company's networks or in our customer's networks?"
If you mean "Can I use Wireshark as part of my commercial product?", see the next entry in the FAQ.
Q 1.9: Can I use Wireshark as part of my commercial product?
A: As noted, Wireshark is licensed under the GNU General Public License. The GPL imposes conditions on your use of GPL'ed code in your own products; you cannot, for example, make a "derived work" from Wireshark, by making modifications to it, and then sell the resulting derived work and not allow recipients to give away the resulting work. You must also make the changes you've made to the Wireshark source available to all recipients of your modified version; those changes must also be licensed under the terms of the GPL. See the GPL FAQ for more details; in particular, note the answer to the question about modifying a GPLed program and selling it commercially, and the question about linking GPLed code with other code to make a proprietary program.
You can combine a GPLed program such as Wireshark and a commercial program as long as they communicate "at arm's length", as per this item in the GPL FAQ.
We recommend keeping Wireshark and your product completely separate, communicating over sockets or pipes. If you're loading any part of Wireshark as a DLL, you're probably doing it wrong.
Q 1.10: What protocols are currently supported?
A: There are currently hundreds of supported protocols and media. Details can be found in the wireshark(1) man page.
Q 1.11: Are there any plans to support {your favorite protocol}?
A: Support for particular protocols is added to Wireshark as a result of people contributing that support; no formal plans for adding support for particular protocols in particular future releases exist.
Q 1.12: Can Wireshark read capture files from {your favorite network analyzer}?
A: Support for particular capture file formats is added to Wireshark as a result of people contributing that support; no formal plans for adding support for particular capture file formats in particular future releases exist.
If a network analyzer writes out files in a format already supported by Wireshark (e.g., in libpcap format), Wireshark may already be able to read them, unless the analyzer has added its own proprietary extensions to that format.
If a network analyzer writes out files in its own format, or has added proprietary extensions to another format, in order to make Wireshark read captures from that network analyzer, we would either have to have a specification for the file format, or the extensions, sufficient to give us enough information to read the parts of the file relevant to Wireshark, or would need at least one capture file in that format AND a detailed textual analysis of the packets in that capture file (showing packet time stamps, packet lengths, and the top-level packet header) in order to reverse-engineer the file format.
Note that there is no guarantee that we will be able to reverse-engineer a capture file format.
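As an added example (not part of the original FAQ or of Wireshark's own code), a minimal reader for the libpcap format mentioned above: it handles both byte orders and the nanosecond variant, extracts the per-record time stamps and lengths a reader needs, and rejects records that do not fit the file, which is how proprietary extensions or corruption usually surface. The sample bytes are constructed inline and are not a real capture.

```python
import struct

# Constructed sample: little-endian libpcap file, microsecond time stamps,
# link type 1 (Ethernet), holding two short records. Not a real capture.
SAMPLE_PCAP = (
    struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    + struct.pack("<IIII", 1_000_000, 500, 6, 6) + b"\x01\x02\x03\x04\x05\x06"
    + struct.pack("<IIII", 1_000_001, 250, 4, 60) + b"\xaa\xbb\xcc\xdd"
)

# Magic number as read little-endian -> (struct byte order, time stamp unit)
MAGICS = {
    0xA1B2C3D4: ("<", 1e-6),  # little-endian file, microseconds
    0xD4C3B2A1: (">", 1e-6),  # big-endian file, microseconds
    0xA1B23C4D: ("<", 1e-9),  # little-endian file, nanoseconds
    0x4D3CB2A1: (">", 1e-9),  # big-endian file, nanoseconds
}


def parse_pcap(data):
    """Return (link_type, [(timestamp_seconds, caplen, origlen, payload), ...])."""
    if len(data) < 24:
        raise ValueError("file shorter than the 24-byte global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in MAGICS:
        raise ValueError("unknown magic 0x%08x: not libpcap format" % magic)
    endian, unit = MAGICS[magic]
    # Global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    _, major, minor, _, _, _snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    if (major, minor) != (2, 4):
        raise ValueError("unsupported libpcap version %d.%d" % (major, minor))
    records = []
    off = 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, caplen, origlen = struct.unpack(endian + "IIII", data[off:off + 16])
        # A captured length above the original length, or a record running past
        # the end of the file, means the file is not plain libpcap (or is damaged).
        if caplen > origlen or off + 16 + caplen > len(data):
            raise ValueError("bad record length %d at offset %d" % (caplen, off))
        payload = data[off + 16:off + 16 + caplen]
        records.append((ts_sec + ts_frac * unit, caplen, origlen, payload))
        off += 16 + caplen
    return linktype, records


if __name__ == "__main__":
    link_type, recs = parse_pcap(SAMPLE_PCAP)
    print("link type", link_type, "records", len(recs))
```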
Q 1.13: What devices can Wireshark use to capture packets?
A: Wireshark can read live data from Ethernet, Token-Ring, FDDI, serial (PPP and SLIP) (if the OS on which it's running allows Wireshark to do so), 802.11 wireless LAN (if the OS on which it's running allows Wireshark to do so), ATM connections (if the OS on which it's running allows Wireshark to do so), and the "any" device supported on Linux by recent versions of libpcap.
See the list of supported capture media on various OSes for details (several items in there say "Unknown", which doesn't mean "Wireshark can't capture on them"; it means "we don't know whether it can capture on them". We expect that it will be able to capture on many of them, but we haven't tried it ourselves; if you try one of those types and it works, please update the wiki page accordingly).
It can also read a variety of capture file formats, including:
- AG Group/WildPackets EtherPeek/TokenPeek/AiroPeek/EtherHelp/Packet Grabber captures
- AIX's iptrace captures
- Accellent's 5Views LAN agent output
- Cinco Networks NetXRay captures
- Cisco Secure Intrusion Detection System IPLog output
- CoSine L2 debug output
- DBS Etherwatch VMS text output
- Endace Measurement Systems' ERF format captures
- EyeSDN USB S0 traces
- HP-UX nettl captures
- ISDN4BSD project i4btrace captures
- Linux Bluez Bluetooth stack hcidump -w traces
- Lucent/Ascend router debug output
- Microsoft Network Monitor captures
- Network Associates Windows-based Sniffer captures
- Network General/Network Associates DOS-based Sniffer (compressed or uncompressed) captures
- Network Instruments Observer version 9 captures
- Novell LANalyzer captures
- RADCOM's WAN/LAN analyzer captures
- Shomiti/Finisar Surveyor captures
- Toshiba's ISDN routers dump output
- VMS TCPIPtrace/TCPtrace/UCX$TRACE output
- Visual Networks' Visual UpTime traffic capture
- libpcap, tcpdump and various other tools using tcpdump's capture format
- snoop and atmsnoop output
Q 1.14: Does Wireshark work on Windows Vista or Windows Server 2008?
A: Yes, but if you want to capture packets as a normal user, you must make sure npf.sys is loaded. Wireshark's installer enables this by default. This is not a concern if you run Wireshark as Administrator, but this is discouraged. See the CapturePrivileges page on the wiki for more details.