Difference between revisions of "Wireshark"
From Forensics Wiki
| Line 1: | Line 1: | ||
| − | + | {{Infobox_Software | | |
| − | + | name = Wireshark | | |
| − | + | maintainer = The Wireshark team | | |
| − | + | os = {{Linux}}, {{Windows}} | | |
| − | + | genre = Network forensics | | |
| + | license = {{GPL}} | | ||
| + | website = [http://www.wireshark.org/ www.wireshark.org] | | ||
| + | }} | ||
| + | |||
| + | '''Wireshark''' is a popular [[Sniffer|network protocol analyzer]]. | ||
| + | |||
| + | == Overview == | ||
| + | |||
| + | Wireshark has a rich feature set which includes the following: | ||
| + | |||
| + | * Deep inspection of hundreds of protocols; | ||
| + | * Live capture and offline analysis; | ||
| + | * Standard three-pane packet browser; | ||
| + | * Multi-platform: runs on [[Windows]], [[Linux]], [[Mac OS X]], [[Solaris]], [[FreeBSD]], [[NetBSD]], and many others; | ||
| + | * Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility; | ||
| + | * Powerful display filters; | ||
| + | * Rich [[VoIP]] analysis; | ||
| + | * Read/write many different capture file formats: tcpdump (libpcap), Catapult DCT2000, Cisco Secure IDS iplog, [[Microsoft Network Monitor]], Network General Sniffer® (compressed and uncompressed), Sniffer® Pro, and NetXray®, Network Instruments Observer, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, and many others; | ||
| + | * Capture files compressed with gzip can be decompressed on the fly; | ||
| + | * Live data can be read from [[Ethernet]], [[Wireless forensics|IEEE 802.11]], PPP/HDLC, ATM, [[Bluetooth]], [[USB]], Token Ring, Frame Relay, FDDI, and others (depending on your platfrom); | ||
| + | * Decryption support for many protocols, including [[IPsec]], ISAKMP, Kerberos, SNMPv3, [[SSL forensics|SSL/TLS]], [[Wireless forensics|WEP, and WPA/WPA2]]; | ||
| + | * Coloring rules can be applied to the packet list for quick, intuitive analysis; | ||
| + | * Output can be exported to [[XML]], PostScript®, [[CSV]], or plain text. | ||
| + | |||
| + | == Network Forensics == | ||
| + | |||
| + | Wireshark can be used in the [[network forensics]] process. There are some limitations: | ||
| + | |||
| + | * Wireshark is packet-centric (not data-centric); | ||
| + | * Wireshark doesn't work well with large network capture files (you can turn all packet coloring rules off to increase performance). | ||
| + | |||
| + | === Wireless Forensics === | ||
| + | |||
| + | Wireshark can decrypt IEEE 802.11 WLAN data with user specified encryption keys. | ||
| + | |||
| + | == External Links == | ||
| + | |||
| + | * [http://wiki.wireshark.org/ Wireshark Wiki] | ||
| + | |||
| + | == See Also == | ||
| + | |||
| + | * [[tcpdump]] | ||
| + | |||
| + | [[Category:Network Forensics]] | ||
Latest revision as of 20:44, 18 August 2011
| Wireshark | |
|---|---|
| Maintainer: | The Wireshark team |
| OS: | Linux,Windows |
| Genre: | Network forensics |
| License: | GPL |
| Website: | www.wireshark.org |
Wireshark is a popular network protocol analyzer.
Contents |
[edit] Overview
Wireshark has a rich feature set which includes the following:
- Deep inspection of hundreds of protocols;
- Live capture and offline analysis;
- Standard three-pane packet browser;
- Multi-platform: runs on Windows, Linux, Mac OS X, Solaris, FreeBSD, NetBSD, and many others;
- Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility;
- Powerful display filters;
- Rich VoIP analysis;
- Read/write many different capture file formats: tcpdump (libpcap), Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer® (compressed and uncompressed), Sniffer® Pro, and NetXray®, Network Instruments Observer, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, and many others;
- Capture files compressed with gzip can be decompressed on the fly;
- Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others (depending on your platfrom);
- Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2;
- Coloring rules can be applied to the packet list for quick, intuitive analysis;
- Output can be exported to XML, PostScript®, CSV, or plain text.
[edit] Network Forensics
Wireshark can be used in the network forensics process. There are some limitations:
- Wireshark is packet-centric (not data-centric);
- Wireshark doesn't work well with large network capture files (you can turn all packet coloring rules off to increase performance).
[edit] Wireless Forensics
Wireshark can decrypt IEEE 802.11 WLAN data with user specified encryption keys.
