Whether you are a student learning about computer networks and protocols for the first time or a big tech company trying to find the source of a bug within the internal network, a method of capturing packets can prove indispensable. There are various means of accomplishing this task, such as tcpdump, WinDump, and others, but Wireshark stands out with its simple and stylish graphical user interface (GUI), easy-to-understand filters, and wide range of functionality. Wireshark can handle both simple and complex filters with its built-in filter language [1], and even offers the option of following an entire conversation through its “Follow TCP Stream” feature [2], offering its users the right tools for the problem they are facing.
Key domain concepts
Wireshark is a single application that is suited for running on multiple different devices, platforms, and operating systems such as Windows, Linux, macOS, Solaris, FreeBSD, NetBSD, and others [3]. The application is installed directly onto the device of the user. The user interacts with the application using a GUI that allows the user to control the features of the application. The user can activate the network capture engine from the GUI. The capture engine can capture network data from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, and others [3]. Captured data can be browsed using the GUI or the TShark utility and exported to different file formats such as XML, PostScript, CSV, or plain text [3].
Main use cases
Wireshark’s use cases are, in general, common for both private and corporate users. The only differences might arise when the user is using Wireshark as a study tool and not for actual debugging. There is also the possibility of a user trying to spy on their neighbors if they share the same internet connection. Regardless of the use case, the general flow of operations is as follows:
- Run the application
- Look at the list of provided available networks and select the one to capture the packets from
- Let the application run for a while
- Inspect the packets
At this point, different users might look for different things within the packets. People trying to debug the company network might search for certain machines’ IP addresses on the Endpoints page [4] to see whether a machine can be reached; a student might look through TCP and UDP packets to see the differences; and the person spying on their neighbors might enter the “http” filter to find packets that are likely unencrypted and then use the “Follow TCP Stream” button to find the other packets that belong to the same conversation.
Wireshark’s functionality extends beyond this, providing statistics [5] about the captured packets that can help troubleshoot the network, for example to detect virus-specific behaviour such as flooding [6]. This use case might arise in both individual and commercial settings.
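The three operations described in the two paragraphs above (the bare “http” protocol filter, the conversation grouping behind “Follow TCP Stream”, and the per-address counters of the Endpoints and statistics pages) are easier to understand when modelled in a few lines. The following is an added example written for this page, not Wireshark’s own code; the packet records are constructed, and the stream numbering is a simplification of Wireshark’s tcp.stream field.

```python
from collections import defaultdict

# Constructed sample records standing in for a capture, not real traffic:
# (src_ip, src_port, dst_ip, dst_port, dissected protocol layers, frame length in bytes)
PACKETS = [
    ("10.0.0.5", 51000, "203.0.113.10", 80, ("ip", "tcp", "http"), 312),
    ("203.0.113.10", 80, "10.0.0.5", 51000, ("ip", "tcp", "http"), 1460),
    ("10.0.0.5", 51001, "203.0.113.10", 443, ("ip", "tcp", "tls"), 517),
    ("10.0.0.5", 51000, "203.0.113.10", 80, ("ip", "tcp", "http"), 245),
    ("10.0.0.5", 53000, "10.0.0.1", 53, ("ip", "udp", "dns"), 74),
    ("10.0.0.7", 44000, "10.0.0.5", 22, ("ip", "tcp"), 60),
]

def display_filter(packets, proto):
    """Simplest display filter: a bare protocol name such as 'http' keeps every
    frame in which that protocol's dissector ran."""
    return [p for p in packets if proto in p[4]]

def assign_streams(packets):
    """Number TCP conversations like Wireshark's tcp.stream field (simplified: no
    port-reuse handling). Both directions share one index, assigned in order of first sight."""
    index, streams = {}, []
    for src, sport, dst, dport, layers, _ in packets:
        if "tcp" not in layers:
            streams.append(None)          # tcp.stream does not exist for non-TCP frames
            continue
        key = frozenset([(src, sport), (dst, dport)])   # direction-independent key
        streams.append(index.setdefault(key, len(index)))
    return streams

def follow_stream(packets, n):
    """What 'Follow TCP Stream' collects for stream n: its frames, in capture order."""
    return [p for p, s in zip(packets, assign_streams(packets)) if s == n]

def endpoint_stats(packets):
    """Per-address counters as on the Endpoints page: packets, bytes, tx and rx packets."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "tx": 0, "rx": 0})
    for src, _, dst, _, _, length in packets:
        for addr, direction in ((src, "tx"), (dst, "rx")):
            stats[addr]["packets"] += 1
            stats[addr]["bytes"] += length
            stats[addr][direction] += 1
    return dict(stats)

def busiest_endpoint(packets):
    """Address with the most frames; a host flooding the network stands out here."""
    stats = endpoint_stats(packets)
    return max(stats, key=lambda a: stats[a]["packets"])
```

With the constructed records, `follow_stream(PACKETS, 0)` returns the three frames of the HTTP connection on port 51000 in both directions, and `busiest_endpoint(PACKETS)` reports 10.0.0.5.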
It is often the case that people try to connect wireless headsets or mobile phones to computers, and in these situations bugs can arise easily. For example, it is a somewhat known fact that microwave ovens can interfere with Bluetooth, as they operate on the same wavelength [7]. Since it supports Bluetooth packets, Wireshark can prove a very useful tool for debugging such devices.
Another relevant use case involves importing and exporting packet data. In addition to being able to save the collected packets so they can be inspected offline, Wireshark can import packets saved in a variety of formats and lets the user interact with them as if they had just been recorded, providing its full functionality. Aside from this, it is also possible to export not only into a great range of supported capture file formats, but also into human-readable formats such as CSV and plain text [3].
Context
As of February 2022, Wireshark consists of 1549 dissectors. Combined with its user-friendly interface, this makes Wireshark usable by both advanced network experts and newcomers to the networking scene, so it is used in many contexts [8].
The first is the educational environment: many users make use of Wireshark to study networking and protocol concepts.
Another context where Wireshark is used is debugging during the development of networking applications. Developers make use of Wireshark to get an insight into what their application is sending through the network and whether it meets the requirements of the network protocol.
Not only do developers use it to debug, but quality assurance engineers also use it to verify network applications. They aim to improve the software development process by detecting errors in a networking application, to prevent a poorly implemented networking application from being released.
The Wireshark project also has beneficial functions for hackers. Although Wireshark is not developed to be a hacking tool, both ethical and malicious hackers take advantage of the variety of options Wireshark offers to gather information, which they then use to find vulnerabilities inside a network.
Wireshark users install the Wireshark project on their device. To analyze network traffic, Wireshark users have to be connected to the same network. Analysis can be done on localhost communication, on a Local Area Network (LAN), or on communication over the internet (see figure below).
Stakeholders
As Wireshark is an open-source software application, the main stakeholders include the users, Wireshark developers, Wireshark organization and Wireshark sponsors. Since Wireshark is used to access network data, other network users, network providers, governments or other public agencies are also important Wireshark stakeholders.
The most significant group of stakeholders of Wireshark are the Wireshark developers. The developers provide the most significant contributions to the application. They are responsible for adding new features, testing new features, and fixing issues in current or previous releases. GitLab is used as an online forum for the developers to review, discuss, and collaborate on each other’s work. It is not uncommon for open-source developers to generate income. The incomes of the developers are likely managed by the Wireshark organization.
The second most significant stakeholder of Wireshark is the Wireshark organization, consisting of founders, sponsors and main developers. The organization defines the roadmap and makes important decisions that concern the development of the application. They likely also carry out other managerial tasks such as the compensations paid to developers, sponsorship deals and organizing Wireshark events.
The sponsors of Wireshark are another important stakeholder that fulfills a critical role for Wireshark. They contribute funds in exchange for exposure amongst Wireshark users, developers and enthusiasts.
The users of Wireshark are another significant stakeholder, consisting both of private users and larger organizations such as companies, governments, and educational institutions. The users are the clients of the Wireshark application [9]. The aim of the Wireshark organization is the widest possible adoption of its software by its users. The main application requirements for Wireshark are set by the users and include safety, security, and the overall usability of the application. Users can affect the development of the application by writing reviews and sending bug reports to Wireshark.
Also affected by Wireshark are other network users, network providers, and governments or other public agencies whose network data is accessed through Wireshark. Most significant to these stakeholders is that their data is secure. As Wireshark aims to capture all types of data on a network, this creates a conflict. These stakeholders are generally negatively impacted by Wireshark and can form an obstacle to its usage.
Key quality attributes
For users who are starting to work with Wireshark, but also for users who want to know how certain specific features work, Wireshark offers a User Manual [10]. The User Manual makes Wireshark easy to work with and helps users get value out of every feature.
To preserve the quality of the Wireshark project code, the Wireshark community wrote a detailed developer’s manual [11]. The developer’s manual explains how a developer can contribute to the Wireshark project and documents the coding style.
With so many dissectors on offer, users have a high chance of finding a dissector for the protocol they are interested in. Dissectors not currently available in Wireshark can be easily added by developers following the dissector documentation [12].
Product roadmap
According to Wireshark’s Roadmap website [13], at the time of writing, Wireshark had scheduled releases 3.6.3 and 3.4.13 to be deployed on March 23 2022, consisting of maintenance work, bug fixes, testing, and backporting the new changes to all other branches. Additionally, we will possibly see in these new iterations some of the features requested by the community, which generally focus on overall enhancements that contribute to an improved user experience. While currently there are no new major features planned to be released very shortly, Wireshark welcomes suggestions for improvement. Hence, new feature requests and bug reports can be created by opening new issues on Wireshark’s GitLab [14].
Ethical considerations
Since Wireshark is an open-source tool, it can be used freely by companies and their network administrators, as well as individuals, to debug, analyze, and test their networks, strengthening their security. This aspect is especially important for smaller companies that run on a tighter budget, hence, they can view network traffic to test their security with no additional cost. Furthermore, as an open source project, it provides transparency and anyone can review the source code, identify bugs, fix issues, and suggest improvements to aid the development team and enhance Wireshark.
One important detail to consider is the fact that Wireshark can also be used by hackers to spoof traffic and perform cyber attacks. One example could be an ARP poisoning attack that would then enable a man-in-the-middle attack in which the hacker masquerades as another host and gains insight into ongoing conversations over the network (Wireshark itself only captures and decodes; in such an attack it is used to read the redirected traffic, while the spoofing is done with other tools). Using a packet analyzer with this intent, or even using it just to monitor traffic without explicit consent, is illegal and entails serious consequences. The legal side of this situation is captured in a question posted on Wireshark’s forum [15]; however, considering its significance, a section on ethical implications would be a valuable addition to the user guide.
With regard to the construction and development process, Wireshark employs a code of conduct to ensure a considerate, respectful, collaborative, pragmatic, and supportive community [16]. In addition, each year Wireshark organizes SharkFest, a conference that aims to “support ongoing Wireshark development, to educate and inspire current and future generations of computer science and IT professionals responsible for managing, troubleshooting, diagnosing and securing legacy and modern networks, and to encourage widespread use of the free analysis tool.” Per Gerald Combs, Wireshark project founder: “Wireshark is a tool and a community. My job is to support both.” [17]
Therefore, by making available a free network analysis tool useful for testing and securing networks, as well as educating students and IT professionals in the field of networks and security through conferences, Wireshark greatly contributes to building and maintaining a more secure cyberspace.
References
1. Wireshark. Building Display Filter Expressions. Retrieved February 27, 2022, from https://www.wireshark.org/docs/wsug_html_chunked/ChWorkBuildDisplayFilterSection.html
2. Wireshark. Following Protocol Streams. Retrieved February 27, 2022, from https://www.wireshark.org/docs/wsug_html_chunked/ChAdvFollowStreamSection.html
3. Wireshark. Homepage. Retrieved February 27, 2022, from https://www.wireshark.org/
4. Wireshark. Endpoints. Retrieved February 27, 2022, from https://www.wireshark.org/docs/wsug_html_chunked/ChStatEndpoints.html
5. Wireshark. Statistics. Retrieved February 27, 2022, from https://wiki.wireshark.org/Statistics
6. Wireshark. Network Troubleshooting: An Overview. Retrieved February 27, 2022, from https://wiki.wireshark.org/NetworkTroubleshooting/Overview
7. Rondeau, Thomas, D’Souza, Mark, & Sweeney, Dennis. (2004). Residential microwave oven interference on Bluetooth data performance. IEEE Transactions on Consumer Electronics, 50, 856-863. doi:10.1109/TCE.2004.1341691
8. Wireshark. Some intended purposes. Retrieved February 25, 2022, from https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroPurposes
9. Enlyft. Companies using Wireshark. Retrieved February 26, 2022, from https://enlyft.com/tech/products/wireshark
10. Wireshark. Wireshark User’s Guide. Retrieved February 27, 2022, from https://www.wireshark.org/docs/wsug_html_chunked/
11. Wireshark. Wireshark Developer’s Guide. Retrieved February 27, 2022, from https://www.wireshark.org/docs/wsdg_html_chunked/
12. Wireshark. Adding a basic dissector. Retrieved February 27, 2022, from https://www.wireshark.org/docs/wsdg_html_chunked/ChDissectAdd.html
13. Wireshark. Roadmap. Retrieved February 26, 2022, from https://wiki.wireshark.org/Development/Roadmap
14. Wireshark. Wireshark Wishlist. Retrieved February 26, 2022, from https://wiki.wireshark.org/WishList
15. Wireshark. (2017). Is it illegal to use tshark? Retrieved February 26, 2022, from https://osqa-ask.wireshark.org/questions/61388/is-it-illegal-to-use-tshark/
16. Wireshark. The Wireshark Code of Conduct. Retrieved February 26, 2022, from https://www.wireshark.org/code-of-conduct.html
17. Wireshark. SharkFest. Retrieved February 26, 2022, from https://www.wireshark.org/docs/wsug_html_chunked/ChIntroHistory.html