Wireshark

From Forensics Wiki
Jump to: navigation, search
Wireshark
Maintainer: The Wireshark team
OS: Linux,Windows
Genre: Network forensics
License: GPL
Website: www.wireshark.org

Wireshark is a popular network protocol analyzer.

Contents

Overview

Wireshark has a rich feature set which includes the following:

  • Deep inspection of hundreds of protocols;
  • Live capture and offline analysis;
  • Standard three-pane packet browser;
  • Multi-platform: runs on Windows, Linux, Mac OS X, Solaris, FreeBSD, NetBSD, and many others;
  • Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility;
  • Powerful display filters;
  • Rich VoIP analysis;
  • Read/write many different capture file formats: tcpdump (libpcap), Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer® (compressed and uncompressed), Sniffer® Pro, and NetXray®, Network Instruments Observer, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, and many others;
  • Capture files compressed with gzip can be decompressed on the fly;
  • Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others (depending on your platfrom);
  • Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2;
  • Coloring rules can be applied to the packet list for quick, intuitive analysis;
  • Output can be exported to XML, PostScript®, CSV, or plain text.

Network Forensics

Wireshark can be used in the network forensics process. There are some limitations:

  • Wireshark is packet-centric (not data-centric);
  • Wireshark doesn't work well with large network capture files (you can turn all packet coloring rules off to increase performance).

Wireless Forensics

Wireshark can decrypt IEEE 802.11 WLAN data with user specified encryption keys.

External Links

See Also