// WSUG Chapter Introduction

[[ChapterIntroduction]]

== Introduction

[[ChIntroWhatIs]]

=== What is Wireshark?

Wireshark is a network packet analyzer. A network packet analyzer
presents captured packet data in as much detail as possible.

You could think of a network packet analyzer as a measuring device for
examining what’s happening inside a network cable, just like an electrician uses
a voltmeter for examining what’s happening inside an electric cable (but at a
higher level, of course).

In the past, such tools were either very expensive, proprietary, or both.
However, with the advent of Wireshark, that has changed. Wireshark is
available for free, is open source, and is one of the best packet
analyzers available today.

[[ChIntroPurposes]]

==== Some intended purposes

Here are some reasons people use Wireshark:

* Network administrators use it to _troubleshoot network problems_

* Network security engineers use it to _examine security problems_

* QA engineers use it to _verify network applications_

* Developers use it to _debug protocol implementations_

* People use it to _learn network protocol_ internals

Wireshark can also be helpful in many other situations.

[[ChIntroFeatures]]

==== Features

The following are some of the many features Wireshark provides:

* Available for _UNIX_ and _Windows_.

* _Capture_ live packet data from a network interface.

* _Open_ files containing packet data captured with tcpdump/WinDump,
Wireshark, and many other packet capture programs.

* _Import_ packets from text files containing hex dumps of packet data.

* Display packets with _very detailed protocol information_.

* _Save_ packet data captured.

* _Export_ some or all packets in a number of capture file formats.

* _Filter packets_ on many criteria.

* _Search_ for packets on many criteria.

* _Colorize_ packet display based on filters.

* Create various _statistics_.

* ...and _a lot more!_

However, to really appreciate its power you have to start using it.

<<ChIntroFig1>> shows Wireshark having captured some packets and waiting for you
to examine them.

[[ChIntroFig1]]
.Wireshark captures packets and lets you examine their contents.
image::wsug_graphics/ws-main.png[{screenshot-attrs}]

==== Live capture from many different network media

Wireshark can capture traffic from many different network media types,
including Ethernet, Wireless LAN, Bluetooth, USB, and more. The specific media
types supported may be limited by several factors, including your hardware
and operating system. An overview of the supported media types can be found at
link:{wireshark-wiki-url}CaptureSetup/NetworkMedia[].

==== Import files from many other capture programs

Wireshark can open packet captures from a large number of capture
programs. For a list of input formats see <<ChIOInputFormatsSection>>.

==== Export files for many other capture programs

Wireshark can save captured packets in many formats, including those used by other
capture programs. For a list of output formats see <<ChIOOutputFormatsSection>>.

==== Many protocol dissectors

There are protocol dissectors (or decoders, as they are known in other products)
for a great many protocols: see <<AppProtocols>>.

==== Open Source Software

Wireshark is an open source software project, and is released under the
{gplv2-url}[GNU General Public License] (GPL). You can freely use
Wireshark on any number of computers you like, without worrying about license
keys or fees or such. In addition, all source code is freely available under the
GPL. Because of that, it is very easy for people to add new protocols to
Wireshark, either as plugins, or built into the source, and they often do!

[[ChIntroNoFeatures]]

==== What Wireshark is not

Here are some things Wireshark does not provide:

* Wireshark isn’t an intrusion detection system. It will not warn you when
  someone does strange things on your network that he/she isn’t allowed to do.
  However, if strange things happen, Wireshark might help you figure out what is
  really going on.

* Wireshark will not manipulate things on the network; it will only “measure”
  things from it. Wireshark doesn’t send packets on the network or do other
  active things (except domain name resolution, but that can be disabled).

[[ChIntroPlatforms]]

=== System Requirements

The amount of resources Wireshark needs depends on your environment and on the
size of the capture file you are analyzing. The values below should be fine for
small to medium-sized capture files no more than a few hundred MB. Larger
capture files will require more memory and disk space.

[NOTE]
.Busy networks mean large captures
====
A busy network can produce huge capture files. Capturing on
even a 100 megabit network can produce hundreds of megabytes of
capture data in a short time. A computer with a fast processor, and lots of
memory and disk space is always a good idea.
====

If Wireshark runs out of memory it will crash. See
{wireshark-wiki-url}KnownBugs/OutOfMemory for details and workarounds.

Although Wireshark uses a separate process to capture packets, the packet
analysis is single-threaded and won’t benefit much from multi-core systems.

==== Microsoft Windows

Wireshark should support any version of Windows that is still within its
https://windows.microsoft.com/en-us/windows/lifecycle[extended support
lifetime]. At the time of writing this includes Windows 10, 8.1,
Server 2019,
Server 2016,
Server 2012 R2,
and Server 2012.
It also requires the following:

* The Universal C Runtime.
This is included with Windows 10 and Windows
  Server 2019 and is installed automatically on earlier versions if
  Microsoft Windows Update is enabled. Otherwise you must install
  https://support.microsoft.com/kb/2999226[KB2999226] or
  https://support.microsoft.com/kb/3118401[KB3118401].

* Any modern 64-bit AMD64/x86-64 or 32-bit x86 processor.

* 500 MB available RAM. Larger capture files require more RAM.

* 500 MB available disk space. Capture files require additional disk space.

* Any modern display. 1280 {multiplication} 1024 or higher resolution is
  recommended. Wireshark will make use of HiDPI or Retina resolutions if
  available. Power users will find multiple monitors useful.

* A supported network card for capturing

  - Ethernet. Any card supported by Windows should work. See the wiki pages on
    link:{wireshark-wiki-url}CaptureSetup/Ethernet[Ethernet capture] and
    link:{wireshark-wiki-url}CaptureSetup/Offloading[offloading] for issues that
    may affect your environment.

  - 802.11. See the {wireshark-wiki-url}CaptureSetup/WLAN#Windows[Wireshark
    wiki page]. Capturing raw 802.11 information may be difficult without
    special equipment.

  - Other media. See link:{wireshark-wiki-url}CaptureSetup/NetworkMedia[].

Older versions of Windows which are outside Microsoft’s extended lifecycle
support window are no longer supported. It is often difficult or impossible to
support these systems due to circumstances beyond our control, such as third
party libraries on which we depend or due to necessary features that are only
present in newer versions of Windows such as hardened security or memory
management.

* Wireshark 3.2 was the last release branch to officially support Windows 7 and Windows Server 2008 R2.
* Wireshark 2.2 was the last release branch to support Windows Vista and Windows Server 2008 sans R2.
* Wireshark 1.12 was the last release branch to support Windows Server 2003.
* Wireshark 1.10 was the last release branch to officially support Windows XP.

See the link:{wireshark-wiki-url}Development/LifeCycle[Wireshark
release lifecycle] page for more details.

==== macOS

Wireshark supports macOS 10.12 and later.
Similar to Windows, supported macOS versions depend on third party libraries and on Apple’s requirements.

// Wireshark 3.2 and 3.0 ship with Qt 5.12, which supports macOS 10.12 and later.
// Wireshark 2.6 ships with Qt 5.3, which was the last release to support 10.6: https://wiki.qt.io/New_Features_in_Qt_5.3
// "Mac OS 10.6 support is deprecated and scheduled for removal in Qt 5.4"

* Wireshark 2.6 was the last release branch to support Mac OS X 10.6 and 10.7 and OS X 10.8 to 10.11.
* Wireshark 2.0 was the last release branch to support OS X on 32-bit Intel.
* Wireshark 1.8 was the last release branch to support Mac OS X on PowerPC.

The system requirements should be comparable to the specifications listed above for Windows.

==== UNIX, Linux, and BSD

Wireshark runs on most UNIX and UNIX-like platforms including Linux and most BSD variants.
The system requirements should be comparable to the specifications listed above for Windows.

Binary packages are available for most Unices and Linux distributions
including the following platforms:

* Alpine Linux

* Arch Linux

* Canonical Ubuntu

* Debian GNU/Linux

* FreeBSD

* Gentoo Linux

* HP-UX

* NetBSD

* OpenPKG

* Oracle Solaris

* Red Hat Enterprise Linux / CentOS / Fedora

If a binary package is not available for your platform you can download
the source and try to build it.
Please report your experiences to
mailto:{wireshark-dev-list-email}[].

[[ChIntroDownload]]

=== Where To Get Wireshark

You can get the latest copy of the program from the Wireshark website at {wireshark-download-url}.
The download page should automatically highlight the appropriate download for your platform and direct you to the nearest mirror.
Official Windows and macOS installers are signed by the *Wireshark Foundation*.
macOS installers are also notarized.

A new Wireshark version typically becomes available every six weeks.

If you want to be notified about new Wireshark releases you should subscribe to the wireshark-announce mailing list.
You will find more details in <<ChIntroMailingLists>>.

Each release includes a list of file hashes which are sent to the wireshark-announce mailing list and placed in a file named SIGNATURES-_x_._y_._z_.txt.
Announcement messages are archived at https://www.wireshark.org/lists/wireshark-announce/ and SIGNATURES files can be found at https://www.wireshark.org/download/src/all-versions/.
Both are GPG-signed and include verification instructions for Windows, Linux, and macOS.
As noted above, you can also verify downloads on Windows and macOS using the code signature validation features on those systems.

[[ChIntroHistory]]

=== A Brief History Of Wireshark

In late 1997 Gerald Combs needed a tool for tracking down network problems
and wanted to learn more about networking so he started writing Ethereal (the
original name of the Wireshark project) as a way to solve both problems.

Ethereal was initially released after several pauses in development in July
1998 as version 0.2.0. Within days patches, bug reports, and words of
encouragement started arriving and Ethereal was on its way to success.

Not long after that Gilbert Ramirez saw its potential and contributed a
low-level dissector to it.
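The download check described in <<ChIntroDownload>> (verify the GPG signature on the SIGNATURES file, then compare the listed hash with the file you downloaded) can be scripted. The script below is an added example for this guide and is not part of the Wireshark project's own tooling. It assumes the SIGNATURES file lists digests as lines of the form `SHA256(<filename>)=<hex>`; the stand-in download, the placeholder file names `wireshark-x.y.z.tar.xz` and `Wireshark-win64-x.y.z.exe`, and the digest values in its demo are constructed for illustration and belong to no real release. The signature step is delegated to `gpg --verify` and fails closed when gpg is not installed; the hash step skips listed files you have not downloaded and refuses to report success when it checked nothing.

```shell
#!/bin/sh
# Added example (not Wireshark project code): script the download check from
# "Where To Get Wireshark". ASSUMPTION: the SIGNATURES file lists digests as
# lines of the form  SHA256(<filename>)=<hex>  (openssl dgst style).

# SHA-256 of a file, using whichever tool the platform provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Step 1: the SIGNATURES file is itself GPG-signed. Check that signature before
# trusting any hash in it. Fails closed (non-zero) when gpg is not installed.
check_signatures_file() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not found; refusing to trust $1" >&2; return 1; }
    gpg --verify "$1"
}

# Step 2: compare every SHA256(...) entry whose file exists in directory $2.
# Returns 0 when at least one file was checked and all matched,
# 1 on any mismatch, 2 when no listed file was present (nothing verified).
# Digests are normalised to lower case and stripped of CR/space before comparing.
verify_hashes() {
    sigfile=$1
    dir=$2
    checked=0
    failed=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            SHA256\(*\)=*) ;;
            *) continue ;;
        esac
        name=$(printf '%s\n' "$line" | sed 's/^SHA256(\(.*\))=.*$/\1/')
        expected=$(printf '%s\n' "$line" | sed 's/^SHA256(.*)=//' | tr -d '\r ' | tr 'A-F' 'a-f')
        [ -f "$dir/$name" ] || continue
        actual=$(sha256_of "$dir/$name")
        checked=$((checked + 1))
        if [ "$actual" = "$expected" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (expected $expected, got $actual)" >&2
            failed=$((failed + 1))
        fi
    done < "$sigfile"
    [ "$checked" -gt 0 ] || { echo "no listed file present in $dir; nothing verified" >&2; return 2; }
    [ "$failed" -eq 0 ]
}

# Constructed demo: a stand-in "download" and a matching SIGNATURES file.
# The digest is that of the 6-byte content "hello\n"; the file names are placeholders.
make_demo() {
    d=$(mktemp -d)
    printf 'hello\n' > "$d/wireshark-x.y.z.tar.xz"
    cat > "$d/SIGNATURES-x.y.z.txt" <<'EOF'
wireshark-x.y.z.tar.xz: 6 bytes
SHA256(wireshark-x.y.z.tar.xz)=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
SHA256(Wireshark-win64-x.y.z.exe)=0000000000000000000000000000000000000000000000000000000000000000
EOF
    echo "$d"
}

demo=$(make_demo)
verify_hashes "$demo/SIGNATURES-x.y.z.txt" "$demo"
printf 'tampered\n' > "$demo/wireshark-x.y.z.tar.xz"
verify_hashes "$demo/SIGNATURES-x.y.z.txt" "$demo" || echo "tampered copy rejected (exit $?)"
```

Run `check_signatures_file SIGNATURES-x.y.z.txt` first, with the Wireshark signing key imported into your keyring, and only then `verify_hashes SIGNATURES-x.y.z.txt .` in the download directory. The entry for the `.exe` in the demo is skipped because that file is not present, which is the normal case when you downloaded only one package; the exit status 2 branch catches the mistake of running the check in the wrong directory.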

In October, 1998 Guy Harris was looking for something better than tcpview so he
started applying patches and contributing dissectors to Ethereal.

In late 1998 Richard Sharpe, who was giving TCP/IP courses, saw its potential
on such courses and started looking at it to see if it supported the protocols
he needed. While it didn’t at that point, new protocols could be easily added.
So he started contributing dissectors and contributing patches.

The list of people who have contributed to the project has become very long
since then, and almost all of them started with a protocol that they needed that
Wireshark did not already handle. So they copied an existing dissector and
contributed the code back to the team.

In 2006 the project moved house and re-emerged under a new name: Wireshark.

In 2008, after ten years of development, Wireshark finally arrived at version
1.0. This release was the first deemed complete, with the minimum features
implemented. Its release coincided with the first Wireshark Developer and User
Conference, called Sharkfest.

In 2015 Wireshark 2.0 was released, which featured a new user interface.

[[ChIntroMaintenance]]

=== Development And Maintenance Of Wireshark

Wireshark was initially developed by Gerald Combs. Ongoing development and
maintenance of Wireshark is handled by the Wireshark team, a loose group of
individuals who fix bugs and provide new functionality.

There have also been a large number of people who have contributed
protocol dissectors to Wireshark, and it is expected that this will
continue. You can find a list of the people who have contributed code to
Wireshark by checking the about dialog box of Wireshark, or at the
link:{wireshark-authors-url}[authors] page on the Wireshark web site.

Wireshark is an open source software project, and is released under the
{gplv2-url}[GNU General Public License] (GPL) version 2. All source code is
freely available under the GPL. You are welcome to modify Wireshark to suit your
own needs, and it would be appreciated if you contribute your improvements back
to the Wireshark team.

You gain three benefits by contributing your improvements back to the community:

. Other people who find your contributions useful will appreciate them, and you
  will know that you have helped people in the same way that the developers of
  Wireshark have helped you.

. The developers of Wireshark can further improve your changes or implement
  additional features on top of your code, which may also benefit you.

. The maintainers and developers of Wireshark will maintain your code,
  fixing it when API changes or other changes are made, and generally keeping it
  in tune with what is happening with Wireshark. So when Wireshark is updated
  (which is often), you can get a new Wireshark version from the website
  and your changes will already be included without any additional effort from you.

The Wireshark source code and binary kits for some platforms are all
available on the download page of the Wireshark website:
{wireshark-download-url}.

[[ChIntroHelp]]

=== Reporting Problems And Getting Help

If you have problems or need help with Wireshark there are several places that
may be of interest (besides this guide, of course).

[[ChIntroHomepage]]

==== Website

You will find lots of useful information on the Wireshark homepage at
{wireshark-main-url}.

[[ChIntroWiki]]

==== Wiki

The Wireshark Wiki at {wireshark-wiki-url} provides a
wide range of information related to Wireshark and packet capture in general.
You will find a lot of information not part of this user’s guide.
For example,
it contains an explanation of how to capture on a switched network, an ongoing effort
to build a protocol reference, protocol-specific information, and much more.

And best of all, if you would like to contribute your knowledge on a specific
topic (maybe a network protocol you know well), you can edit the wiki pages
with your web browser.

[[ChIntroQA]]

==== Q&A Site

The Wireshark Q&A site at {wireshark-qa-url} offers a resource where
questions and answers come together. You can search for
questions asked before and see what answers were given by people who
knew about the issue. Answers are ranked, so you can easily pick out the best
ones. If your question hasn’t been discussed before you can post
one yourself.

[[ChIntroFAQ]]

==== FAQ

The Frequently Asked Questions (FAQ) page lists often asked questions and their
corresponding answers.

[NOTE]
.Read the FAQ
====
Before sending any mail to the mailing lists below, be sure to read the FAQ. It
will often answer any questions you might have. This will save you and
others a lot of time. Keep in mind that a lot of people are subscribed to the
mailing lists.
====

You will find the FAQ inside Wireshark by clicking the menu item Help/Contents
and selecting the FAQ page in the dialog shown.

An online version is available at the Wireshark website at
{wireshark-faq-url}. You might prefer this online version, as it’s
typically more up to date and the HTML format is easier to use.

[[ChIntroMailingLists]]

==== Mailing Lists

There are several mailing lists on specific Wireshark topics available:

link:{wireshark-mailing-lists-url}wireshark-announce[wireshark-announce]::
  Information about new program releases, which usually appear about every six weeks.

link:{wireshark-mailing-lists-url}wireshark-users[wireshark-users]::
  Topics of interest to users of Wireshark.
  People typically post questions about using Wireshark and others (hopefully) provide answers.

link:{wireshark-mailing-lists-url}wireshark-dev[wireshark-dev]::
  Topics of interest to developers of Wireshark.
  If you want to develop a protocol dissector or update the user interface, join this list.

You can subscribe to each of these lists from the Wireshark web site:
{wireshark-mailing-lists-url}. From there, you can choose which mailing
list you want to subscribe to by clicking on the
Subscribe/Unsubscribe/Options button under the title of the relevant
list. The links to the archives are included on that page as well.

[TIP]
.The lists are archived
====
You can search in the list archives to see if someone asked the same question
some time before and maybe already got an answer. That way you don’t have to
wait until someone answers your question.
====

==== Reporting Problems

[NOTE]
====
Before reporting any problems, please make sure you have installed the latest
version of Wireshark.
====

When reporting problems with Wireshark please supply the following information:

. The version number of Wireshark and the dependent libraries linked with it,
  such as Qt or GLib. You can obtain this from Wireshark’s about box or the
  command _wireshark -v_.

. Information about the platform you run Wireshark on
  (Windows, Linux, etc. and 32-bit, 64-bit, etc.).

. A detailed description of your problem.

. If you get an error/warning message, copy the text of that message (and also a
  few lines before and after it, if there are some) so others may find the
  place where things go wrong. Please don’t give something like: “I get a
  warning while doing x” as this won’t give a good idea where to look.

[WARNING]
.Don’t send confidential information!
====
If you send capture files to the mailing lists be sure they don’t contain any
sensitive or confidential information like passwords or personally identifiable
information (PII).

In many cases you can use a tool like link:https://www.tracewrangler.com/[TraceWrangler] to sanitize a capture file before sharing it.
====

[NOTE]
.Don’t send large files
====
Do not send large files (> 1 MB) to the mailing lists. Instead, provide a
download link. For bugs and feature requests, you can create an issue on
link:{wireshark-bugs-url}[GitLab Issues] and upload the file there.
====

==== Reporting Crashes on UNIX/Linux platforms

When reporting crashes with Wireshark it is helpful if you supply the traceback
information along with the information mentioned in “Reporting Problems”.

You can obtain this traceback information with the following commands on UNIX or
Linux (note the backticks):

----
$ gdb `whereis wireshark | cut -f2 -d: | cut -d' ' -f2` core >& backtrace.txt
backtrace
^D
----

If you do not have _gdb_ available, you will have to check out your operating system’s debugger.

Email _backtrace.txt_ to mailto:{wireshark-dev-list-email}[].

==== Reporting Crashes on Windows platforms

The Windows distributions don’t contain the symbol files (.pdb) because they are
very large. You can download them separately at
{wireshark-main-url}download/win32/all-versions/ and
{wireshark-main-url}download/win64/all-versions/ .

// End of WSUG Chapter 1