Wireshark – Review

At the first sign of trouble, a network administrator grabs an analysis tool and starts inspecting how the packets travel across the network and the obstacles they encounter on their way; those obstacles always point to the problem.

Wireshark is a network packet analyzer whose uses span many areas, network forensics and performance analysis being just two of them. It can also be used for debugging protocol implementations, or by aficionados who want to learn more about how network protocols work.

The application is available for multiple platforms (Windows, Mac and Linux); it also comes as a portable download and, most importantly, it is free of charge.

On Windows, the packet sniffer relies on WinPcap, a port of the libpcap link-layer interface. It is a standard driver and library that extends the operating system with low-level access to the network stack, which is what a capture tool needs in order to read raw frames.

Installing Wireshark is a simple task, and the setup brings along all the tools necessary for grabbing, filtering and analyzing network packets.

The portable release installs WinPcap each time it is launched, and the driver is automatically uninstalled when Wireshark exits.

Since the application is intended for professionals, understanding its activity and reading and interpreting the frames is not a job for the average Joe. A good deal of knowledge is required to use Wireshark the right way and to understand how it operates.

The interface is not as mind-boggling as one might think: it is neatly organized into three sections that allow starting a packet capture (complete with customization options), opening a previously saved file, or accessing the product documentation.

Unlike some network analyzers, Wireshark supports both wireless and Ethernet adapters, and the possibilities can be wider still: depending on the operating system, it can also capture from VLANs, USB-attached network interfaces or Bluetooth.

As soon as an interface has been selected, Wireshark can start capturing packets. Traffic is displayed as it happens, organized into frames, each accompanied by details such as time, source and destination, the protocol used and the size.

The information about the selected packet is detailed further in the lower panes, which make it possible to follow the packet through each of its protocol layers.

With a huge stream of traffic coming in, filters are essential for getting to specific entries, and Wireshark offers a large set of options for focusing on certain information by creating profiles; the effect is a reduced stream of data that fits the purpose of the analysis.

The filter bar and display-filter expressions can also be used to avoid wading manually through the list of frames and to drill down to the desired entries. Expressions can be combined to obtain more relevant results, and they also permit comparing values in packets.

Another way is to define color codes for the packets you are regularly interested in, so that they are highlighted in the packet stream.

There is no denying that Wireshark has an impressive number of features, all of them aimed at power users. Apart from presenting traffic information, it can also present statistics, which range from general information about the capture file to the number of HTTP requests and responses.

From the dedicated Statistics menu, you can view a hierarchical tree of protocol statistics, traffic between two endpoints or IP destinations, addresses and protocol types. For some of them, filters can be applied to reduce the information to what is most relevant.
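To make the packet list, the per-layer breakdown, the display-filter expressions and the protocol-hierarchy statistics concrete, here is an added example that is not part of this review and not Wireshark's own code. It is a small Python reader for the classic libpcap file format run over a constructed four-frame capture (a TCP handshake, one HTTP request and one ARP frame; every address, port and byte is made up). Each frame receives the packet-list columns (number, time, length) and Wireshark-style field names such as ip.src, tcp.dstport and tcp.flags.syn; a subset of the display-filter language (field comparisons, bare protocol or field presence, !, &&, ||, parentheses) is parsed and evaluated against the frames; and a Protocol Hierarchy style count is produced as the Statistics menu does. The field names mirror Wireshark's, but the parser, the evaluator and the HTTP heuristic are this example's own simplifications, not Wireshark's dissectors.

```python
"""Added example, not Wireshark's own code: pcap reader, per-layer fields, a display-filter subset, protocol hierarchy."""
import operator, re, struct
from collections import Counter

# --- constructed sample capture (not a real trace): TCP handshake + HTTP request, then one ARP frame ---
def _ipv4(src, dst, proto, payload):  # header checksum left at 0; this parser never verifies it
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + payload
def _tcp(sport, dport, flags, payload=b""):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0) + payload
def _eth(ethertype, payload):
    return bytes.fromhex("00112233445566778899aabb") + struct.pack("!H", ethertype) + payload
def _pcap(packets):  # classic little-endian pcap: 24-byte global header, then 16-byte record headers + frame bytes
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # last field 1 = LINKTYPE_ETHERNET
    for ts, data in packets:
        out += struct.pack("<IIII", int(ts), round((ts % 1) * 1e6), len(data), len(data)) + data
    return out

SAMPLE_PCAP = _pcap([
    (0.000, _eth(0x0800, _ipv4("10.0.0.5", "93.184.216.34", 6, _tcp(51234, 80, 0x02)))),  # SYN
    (0.025, _eth(0x0800, _ipv4("93.184.216.34", "10.0.0.5", 6, _tcp(80, 51234, 0x12)))),  # SYN/ACK
    (0.026, _eth(0x0800, _ipv4("10.0.0.5", "93.184.216.34", 6, _tcp(51234, 80, 0x18, b"GET / HTTP/1.1\r\n\r\n")))),
    (0.200, _eth(0x0806, b"\x00" * 28)),  # ARP: dissection stops at Ethernet
])

class Frame:  # the packet-list columns (No., Time, Length) plus what the detail pane shows per layer
    def __init__(self, number, time, length):
        self.number, self.time, self.length = number, time, length
        self.layers, self.fields = [], {}  # protocol stack e.g. ["eth", "ip", "tcp"]; Wireshark-style field name -> value

def read_pcap(data):
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack_from("<I", data)[0])  # magic number gives byte order
    if endian is None or struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("only classic pcap with LINKTYPE_ETHERNET is handled here (no pcapng, no nanosecond variant)")
    frames, off = [], 24
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack_from(endian + "IIII", data, off)
        frames.append(dissect(Frame(len(frames) + 1, sec + usec / 1e6, caplen), data[off + 16:off + 16 + caplen]))
        off += 16 + caplen
    return frames

def dissect(f, pkt):
    """Ethernet -> IPv4 -> TCP (-> crude HTTP check); each layer records the fields a display filter can test."""
    f.layers.append("eth")
    f.fields.update({"eth.dst": pkt[:6].hex(":"), "eth.src": pkt[6:12].hex(":"), "eth.type": int.from_bytes(pkt[12:14], "big")})
    if f.fields["eth.type"] == 0x0800:
        proto, l4 = pkt[23], pkt[14 + (pkt[14] & 0x0F) * 4:]  # IHL is counted in 32-bit words
        f.layers.append("ip")
        f.fields.update({"ip.src": ".".join(map(str, pkt[26:30])), "ip.dst": ".".join(map(str, pkt[30:34])), "ip.proto": proto})
        if proto == 6:
            sport, dport, _, _, doff, flags = struct.unpack_from("!HHIIBB", l4)
            f.layers.append("tcp")
            f.fields.update({"tcp.srcport": sport, "tcp.dstport": dport, "tcp.flags.syn": bool(flags & 0x02), "tcp.flags.ack": bool(flags & 0x10)})
            if l4[(doff >> 4) * 4:][:4] in (b"GET ", b"HTTP"):  # heuristic only, not a real HTTP dissector
                f.layers.append("http")
    return f

_TOKEN = re.compile(r"\(|\)|&&|\|\||!=|==|>=|<=|>|<|!|[\w.:]+")
_OPS = {"==": operator.eq, "!=": operator.ne, ">": operator.gt, "<": operator.lt, ">=": operator.ge, "<=": operator.le}

def _compare(op, value, literal):  # coerce the literal to the field's type; test bool before int (bool subclasses int)
    lit = literal.lower() in ("1", "true") if isinstance(value, bool) else int(literal, 0) if isinstance(value, int) else literal
    return _OPS[op](value, lit)

def compile_filter(expr):
    """Recursive-descent parser for a display-filter subset: `field op literal`, bare protocol/field presence, !, &&, ||, ()."""
    if _TOKEN.sub("", expr).strip():
        raise ValueError(f"unsupported characters in {expr!r}")
    toks, pos = _TOKEN.findall(expr), 0
    def peek(): return toks[pos] if pos < len(toks) else None
    def take():
        nonlocal pos; pos += 1; return toks[pos - 1]
    def binary(sub, tok, combine):  # left-associative chain: sub (tok sub)*
        node = sub()
        while peek() == tok:
            take(); node = combine(node, sub())
        return node
    def or_expr(): return binary(and_expr, "||", lambda l, r: lambda f: l(f) or r(f))
    def and_expr(): return binary(not_expr, "&&", lambda l, r: lambda f: l(f) and r(f))
    def not_expr():
        if peek() == "!":
            take(); inner = not_expr(); return lambda f: not inner(f)
        if peek() == "(":
            take(); inner = or_expr()
            if take() != ")": raise ValueError("expected ')'")
            return inner
        name = take()
        if peek() in _OPS:  # comparison against a literal; a frame lacking the field never matches
            op, literal = take(), take()
            return lambda f: name in f.fields and _compare(op, f.fields[name], literal)
        return lambda f: name in f.layers or name in f.fields  # bare name: protocol or field is present
    fn = or_expr()
    if peek() is not None: raise ValueError(f"unexpected token {peek()!r}")
    return fn

def apply_filter(frames, expr):  # frame numbers kept by a filter, the way the packet list shrinks when one is applied
    match = compile_filter(expr)
    return [f.number for f in frames if match(f)]

def protocol_hierarchy(frames):  # like Statistics > Protocol Hierarchy: frame counts per nested protocol path
    return dict(Counter("/".join(f.layers[:d + 1]) for f in frames for d in range(len(f.layers))))
```

Calling `apply_filter(read_pcap(SAMPLE_PCAP), "ip.src == 10.0.0.5 && tcp.flags.syn == 1")` keeps only the first frame, and `protocol_hierarchy(read_pcap(SAMPLE_PCAP))` returns the nested counts {eth: 4, eth/ip: 3, eth/ip/tcp: 3, eth/ip/tcp/http: 1}. As in Wireshark, a bare field name tests presence, so a boolean flag is tested with `== 1` or `== 0`; a comparison on a field the frame does not carry never matches, which is why `!ip` selects the ARP frame rather than failing.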

Wireshark may not present statistics in a form that is easily legible at first glance, but it does have the means to organize the details and extract the necessary data.

Another important section of the application is Expert Info, an area where Wireshark logs anomalies detected in the capture file. These are not always indicative of trouble, but they can lead to detecting uncommon behavior on the network.

Overall, Wireshark is an impressive tool that can make a real difference in the time it takes to solve network-related problems. It is highly reliable, and there is a huge community behind it, with plenty of experts actively improving its functionality and security.

The Good

It is free of charge, works on multiple platforms and comes with almost everything a network administrator could ask for. The amount of information presented can be overwhelming, but there are filters to reach the relevant details.

It supports a great many protocols, works with both wired and wireless adapters, and supports creating profiles that can be used for quick configuration of a session.

The Bad

The learning curve is quite steep and the average user can barely go near it. The information cannot be manipulated into a friendlier view, such as graphical statistics (charts).

The Truth

Wireshark is the favorite tool of IT professionals not just because it is free of charge and available for multiple platforms, but mainly because it is a complex and very capable analyzer, comparable to and, in some cases, better than paid solutions.

There is impressive support for protocol decoders (dissectors), which help capture and view the exact traffic of interest. The steep learning curve does not recommend it to the average user, but plenty of documentation is available for enthusiasts.

user interface: 4
features: 5
ease of use: 5
pricing / value: 5

final rating: 5
Editor's review: excellent