Wireshark Network Analyzer 3.2.1

February 20, 2020 - Wireshark Foundation (Free)

Wireshark For Windows is the best open-source software to monitor your network activity. This network protocol analyzer lets you see what’s happening on your network at a microscopic level, and it has become a standard across many commercial and non-profit enterprises, government agencies, and educational institutions. It was written by networking experts around the world; the project was started by Gerald Combs in 1998.

Wireshark is used by network professionals around the world for analysis, troubleshooting, software and protocol development and education.

A network packet analyzer presents captured packet data in as much detail as possible. You could think of it as a measuring device for examining what’s happening inside a network cable, just as an electrician uses a voltmeter to examine what’s happening inside an electric cable (but at a higher level, of course).

Wireshark For Windows is available for free, is open source, and is one of the best packet analyzers available today.


Features of Wireshark For Windows

The following are some of the many features Wireshark provides:

  • Multi-platform: Runs on Windows, Linux, macOS, Solaris, FreeBSD, NetBSD, and many others
  • Deep inspection of hundreds of protocols, with more being added all the time
  • Live capture from a network interface and offline analysis
  • Standard three-pane packet browser
  • Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
  • The most powerful display filters in the industry
  • Rich VoIP analysis
  • Read/write many different capture file formats: tcpdump (libpcap), Pcap NG, Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer® (compressed and uncompressed), Sniffer® Pro, and NetXray®, Network Instruments Observer, NetScreen snoop, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, and many others
  • Import packets from text files containing hex dumps of packet data.
  • Display packets with very detailed protocol information.
  • Save captured packet data.
  • Export some or all packets in a number of capture file formats.
  • Filter packets on many criteria.
  • Search for packets on many criteria.
  • Capture files compressed with gzip can be decompressed on the fly
  • Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others (depending on your platform)
  • Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2
  • Coloring rules can be applied to the packet list for quick, intuitive analysis
  • Output can be exported to XML, PostScript®, CSV, or plain text
  • Create various statistics

Some intended purposes

Here are some reasons people use Wireshark For Windows:

  • Network administrators use it to troubleshoot network problems
  • Network security engineers use it to examine security problems
  • QA engineers use it to verify network applications
  • Developers use it to debug protocol implementations
  • People use it to learn network protocol internals

How does Wireshark work?

Wireshark For Windows is a packet sniffer and analysis tool. It captures network traffic on the local network and stores that data for offline analysis. Wireshark captures network traffic from Ethernet, Bluetooth, wireless (IEEE 802.11), Token Ring, Frame Relay connections, and more.

LAN traffic is in broadcast mode, meaning a single computer with Wireshark can see traffic between two other computers. If you want to see traffic to an external site, you need to capture the packets on the local computer.

A “packet” is a single message from any network protocol (e.g., TCP or DNS).

Similar to a real-life package, each packet includes a source and destination as well as the content (or data) being transferred. When the packets reach their destination, they are reassembled into a single file or other contiguous blocks of data.

Wireshark allows you to filter the traffic either before the capture starts or during analysis, so you can narrow down and zero in on what you are looking for in the network trace. For example, you can set a filter to see TCP traffic between two IP addresses, or set it to show only the packets sent from one computer. The filters in Wireshark are one of the primary reasons it became the standard tool for packet analysis.


How to Use Wireshark For Windows?

The Main window

Let’s look at Wireshark’s user interface. Figure 3.1, “The Main window” shows Wireshark as you would usually see it after some packets are captured or loaded (how to do this will be described later).

main window

The Menu

The main menu is located at the top of the main window (Windows, Linux).

File

This menu contains items to open and merge capture files, save, print, or export capture files in whole or in part, and to quit the application.

Edit

This menu contains items to find a packet, time-reference or mark one or more packets, handle configuration profiles, and set your preferences (cut, copy, and paste are not presently implemented).

View

This menu controls the display of the captured data, including colorization of packets, zooming the font, showing a packet in a separate window, expanding and collapsing trees in packet details.

Go

This menu contains items to go to a specific packet.

Capture

This menu allows you to start and stop captures and to edit capture filters.

Analyze

This menu contains items to manipulate display filters, enable or disable the dissection of protocols, configure user-specified decodes and follow a TCP stream.

Statistics

This menu contains items to display various statistics windows, including a summary of the packets that have been captured, protocol hierarchy statistics, and much more.

Telephony

This menu contains items to display various telephony-related statistics windows, including media analysis, flow diagrams, protocol hierarchy statistics, and much more.

Wireless

This menu contains items to display Bluetooth and IEEE 802.11 wireless statistics.

Tools

This menu contains various tools available in Wireshark, such as creating Firewall ACL Rules.

Help

This menu contains items to help the user, e.g. access to some basic help, manual pages of the various command-line tools, online access to some of the webpages, and the usual about dialog.

Start Capturing

You can double-click on an interface on the welcome screen.

The “Capture” Section Of The Welcome Screen

When you open Wireshark without starting a capture or opening a capture file it will display the “Welcome Screen,” which lists any recently opened capture files and available capture interfaces. Network activity for each interface will be shown in a sparkline next to the interface name. It is possible to select more than one interface and capture from them simultaneously.

Capture interfaces on Microsoft Windows

Hovering over an interface will show any associated IPv4 and IPv6 addresses and its capture filter.

You can select one or more of the network interfaces using “shift left-click.” Once you have the network interface selected, you can start the capture, and there are several ways to do that.

Click the first button on the toolbar, titled “Start Capturing Packets.”

You can select the menu item Capture -> Start.


Or you could use the keyboard shortcut Ctrl+E.

During the capture, Wireshark will show you the packets that it captures in real-time.

showing a time referenced packet in Wireshark For Windows

Analyzing Data Packets on Wireshark

Wireshark shows you three different panes for inspecting packet data. The Packet List, the top pane, is a list of all the packets in the capture. When you click on a packet, the other two panes change to show you the details about the selected packet. You can also tell if the packet is part of a conversation. Here are some details about each column in the top pane:

  • No: This is the sequence number of the packet within the capture. The bracket indicates that this packet is part of a conversation.
  • Time: This column shows you how long after you started the capture this packet was captured. You can change this value in the Settings menu if you need something different displayed.
  • Source: This is the address of the system that sent the packet.
  • Destination: This is the address of the destination of that packet.
  • Protocol: This is the type of packet, for example, TCP, DNS, DHCPv6, or ARP.
  • Length: This column shows you the length of the packet in bytes.
  • Info: This column shows you more information about the packet contents, and will vary depending on what kind of packet it is.

Packet Details, the middle pane, shows you as much readable information about the packet as possible, depending on what kind of packet it is. You can right-click and create filters based on the highlighted text in this field.

The bottom pane, Packet Bytes, displays the packet exactly as it got captured in hexadecimal.

When you are looking at a packet that is part of a conversation, you can right-click the packet and select Follow to see only the packets that are part of that conversation.

Wireshark Colorization Options

You can set up Wireshark so it colors the packets in the Packet List according to a display filter, which lets you emphasize the packets you want to highlight.

coloring rules in Wireshark For Windows

Wireshark Promiscuous Mode 

By default, Wireshark only captures packets going to and from the computer where it runs. By checking the box to run Wireshark in Promiscuous Mode in the Capture Settings, you can capture most of the traffic on the LAN.

Wireshark Command Line 

Wireshark also provides a command line interface (CLI) for systems without a GUI. Best practice is to use the CLI to capture and save a log, then review that log with the GUI.

Wireshark Commands

  • wireshark: run Wireshark in GUI mode
  • wireshark -h: show the available command line parameters for Wireshark
  • wireshark -a duration:300 -i eth1 -w wireshark.: capture traffic on interface eth1 for 5 minutes (300 seconds). -a tells Wireshark to stop the capture automatically, -i specifies which interface to capture from, and -w writes the captured packets to the named file

Metrics and Statistics

Under the Statistics menu item, you will find a plethora of options to show details about your capture.


Capture File Properties:

capture file properties in Wireshark For Windows

Wireshark I/O Graph:

iographs in Wireshark For Windows

Wireshark Filters

One of the best features of Wireshark is the Wireshark Capture Filters and Wireshark Display Filters. Filters allow you to view the capture the way you need to see it so you can troubleshoot the issues at hand. Here are several filters to get you started.

Wireshark Capture Filters

Capture filters limit the captured packets to those that match the filter; packets that don’t match are not saved by Wireshark. Here are some examples of capture filters:

  • host IP-address: limits the capture to traffic to and from that IP address
  • net 192.168.0.0/24: captures all traffic on the subnet.
  • dst host IP-address: captures packets sent to the specified host.
  • port 53: captures traffic on port 53 only.
  • not port 53 and not arp: captures all traffic except DNS and ARP traffic

Wireshark Display Filters

Wireshark Display Filters change the view of the capture during analysis. After you have stopped the packet capture, you use display filters to narrow down the packets in the Packet List so you can troubleshoot your issue.

The most useful (in my experience) display filter is:

ip.src==IP-address and ip.dst==IP-address

This filter shows you packets from one computer (ip.src) to another (ip.dst). You can also use ip.addr to show you packets to and from that IP. Here are some others:

tcp.port eq 25: This filter will show you all traffic on port 25, which is usually SMTP traffic.

icmp: This filter will show you only the ICMP traffic in the capture, most likely pings.

ip.addr != IP_address: This filter shows you all traffic except the traffic to or from the specified computer.

Analysts even build filters to detect specific attacks, like this filter to detect the Sasser worm:

ls_ads.opnum==0x09
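As an added example (my own code, neither from this page nor from the Wireshark project), the toy evaluator below parses the kinds of display filters listed above and runs them over a constructed four-packet capture. It deliberately reproduces the Wireshark 3.2 rule that a comparison on a multi-valued field such as ip.addr or tcp.port holds when any of the values satisfies it, which is why the Wireshark User’s Guide recommends !(ip.addr == X) rather than ip.addr != X to exclude a host. Field names follow Wireshark; the addresses, ports and packets are made up.

```python
"""Toy evaluator for Wireshark-style display filters (added example, not Wireshark code)."""
import re

def packet(proto, src, dst, sport=None, dport=None):  # constructed sample packet
    f = {"ip.src": src, "ip.dst": dst, "ip.addr": {src, dst}, proto: True}
    if sport is not None:  # TCP/UDP carry ports, ICMP does not
        f[f"{proto}.port"] = {sport, dport}  # multi-valued, like ip.addr
    return f

SAMPLE = [  # constructed capture, not real traffic
    packet("tcp", "10.0.0.5", "203.0.113.9", 51000, 25),  # 0: SMTP from .5
    packet("icmp", "10.0.0.7", "10.0.0.5"),               # 1: ping to .5
    packet("udp", "10.0.0.7", "10.0.0.53", 40000, 53),    # 2: DNS, .5 absent
    packet("tcp", "10.0.0.9", "10.0.0.5", 52000, 443),    # 3: HTTPS to .5
]
TOKEN = re.compile(r"==|!=|&&|[()!]|[\w.]+")

def parse(expr):
    """Recursive descent: and_expr -> unary (not, parentheses, comparison, presence)."""
    toks = TOKEN.findall(expr)
    if "".join(toks) != "".join(expr.split()): raise ValueError(f"bad filter {expr!r}")
    def and_expr():
        node = unary()
        while toks and toks[0] in ("and", "&&"):
            toks.pop(0); node = ("and", node, unary())
        return node
    def unary():
        tok = toks.pop(0)
        if tok in ("not", "!"): return ("not", unary())
        if tok == "(":
            node = and_expr(); toks.pop(0); return node  # pops the closing ')'
        if toks and toks[0] in ("==", "eq", "!=", "ne"):
            return ("cmp", tok, toks.pop(0), toks.pop(0))
        return ("has", tok)  # bare name: is that protocol/field present at all?
    return and_expr()

def matches(node, pkt):
    if node[0] == "has": return node[1] in pkt
    if node[0] == "not": return not matches(node[1], pkt)
    if node[0] == "and": return matches(node[1], pkt) and matches(node[2], pkt)
    _, field, op, value = node
    vals = pkt.get(field, set()); vals = vals if isinstance(vals, set) else {vals}
    # Wireshark 3.2 rule: a comparison holds if ANY value of a multi-valued field
    # satisfies it, so 'ip.addr != X' is true whenever the other address differs.
    ok = (lambda v: v == value) if op in ("==", "eq") else (lambda v: v != value)
    return any(ok(str(v)) for v in vals)

def apply_filter(expr, pkts=SAMPLE):  # indexes of the packets the filter keeps
    tree = parse(expr)
    return [i for i, p in enumerate(pkts) if matches(tree, p)]
```

Running apply_filter("ip.addr != 10.0.0.5") keeps all four sample packets, while apply_filter("!(ip.addr == 10.0.0.5)") keeps only the DNS packet that never touches 10.0.0.5.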

Pros and Cons Of Wireshark For Windows

Pros:

  • Analyses hundreds of protocols
  • Works across platforms
  • Packets can be viewed in an easy-to-use GUI

Cons:

  • Not suitable for amateur network analysis
  • Requires protocol analysis knowledge

System Requirements

Operating System: Windows 7/8/10
Processor: Any modern 64-bit AMD64/x86-64 or 32-bit x86
Storage Space: 500 MB available disk space
RAM: 500 MB available RAM
Display: 1280 × 1024 or higher resolution is recommended

Technical Specification

Title: Wireshark Software V 3.2.1
File Size: 57.3 MB
License: Free
Language: English
Available Languages: English, Spanish, German, French, Italian, Japanese, Polish, Chinese
Author: Wireshark Foundation

Wireshark For Windows is the best network protocol analyzer download for Windows to manage and control your network performance, monitor for problems in your network traffic, or detect connection problems. It is used by network professionals around the world for analysis, troubleshooting, software and protocol development, and education.
