Wireshark
From Forensics Wiki
| Wireshark | |
|---|---|
| Maintainer: | The Wireshark team |
| OS: | Linux,Windows |
| Genre: | Network forensics |
| License: | GPL |
| Website: | www.wireshark.org |
Wireshark is a popular network protocol analyzer.
Contents |
Overview
Wireshark has a rich feature set which includes the following:
- Deep inspection of hundreds of protocols;
- Live capture and offline analysis;
- Standard three-pane packet browser;
- Multi-platform: runs on Windows, Linux, Mac OS X, Solaris, FreeBSD, NetBSD, and many others;
- Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility;
- Powerful display filters;
- Rich VoIP analysis;
- Read/write many different capture file formats: tcpdump (libpcap), Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer® (compressed and uncompressed), Sniffer® Pro, and NetXray®, Network Instruments Observer, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, and many others;
- Capture files compressed with gzip can be decompressed on the fly;
- Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others (depending on your platfrom);
- Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2;
- Coloring rules can be applied to the packet list for quick, intuitive analysis;
- Output can be exported to XML, PostScript®, CSV, or plain text.
Network Forensics
Wireshark can be used in the network forensics process. There are some limitations:
- Wireshark is packet-centric (not data-centric);
- Wireshark doesn't work well with large network capture files (you can turn all packet coloring rules off to increase performance);
Wireless Forensics
Wireshark can decrypt IEEE 802.11 WLAN data with user specified encryption keys.
