Read-only mirror of Wireshark's Git repository at https://gitlab.com/wireshark/wireshark. ⚠️ GitHub won't let us disable pull requests. ⚠️ THEY WILL BE IGNORED HERE ⚠️ Upload them at GitLab instead.

wireshark/wireshark


Wireshark is a network traffic analyzer, or "sniffer", for Linux, macOS, *BSD and other Unix and Unix-like operating systems and for Windows. It uses Qt, a graphical user interface library, and libpcap and npcap as packet capture and filtering libraries.

The Wireshark distribution also comes with TShark, which is a line-oriented sniffer (similar to Sun's snoop or tcpdump) that uses the same dissection, capture-file reading and writing, and packet filtering code as Wireshark, and with editcap, which is a program to read capture files and write the packets from that capture file, possibly in a different capture file format, and with some packets possibly removed from the capture.

The official home of Wireshark is https://www.wireshark.org.

The latest distribution can be found in the subdirectory https://www.wireshark.org/download

Installation

The Wireshark project builds and tests regularly on the following platforms:

  • Linux (Ubuntu)
  • Microsoft Windows
  • macOS / {Mac} OS X

Official installation packages are available for Microsoft Windows and macOS.

It is available as either a standard or add-on package for many popular operating systems and Linux distributions including Debian, Ubuntu, Fedora, CentOS, RHEL, Arch, Gentoo, openSUSE, FreeBSD, DragonFly BSD, NetBSD, and OpenBSD.

Additionally it is available through many third-party packaging systems such as pkgsrc, OpenCSW, Homebrew, and MacPorts.

It should run on other Unix-ish systems without too much trouble.

In some cases the current version of Wireshark might not support your operating system. This is the case for Windows XP, which is supported by Wireshark 1.10 and earlier. In other cases the standard package for Wireshark might simply be old. This is the case for Solaris and HP-UX.

Python 3 is needed to build Wireshark. AsciiDoctor is required to build the documentation, including the man pages. Perl and flex are required to generate some of the source code.

You must therefore install Python 3, AsciiDoctor, and GNU "flex" (vanilla "lex" won't work) on systems that lack them. You might need to install Perl as well.

Full installation instructions can be found in the INSTALL file and in the Developer's Guide at https://www.wireshark.org/docs/wsdg_html_chunked/

See also the appropriate README.OS files for OS-specific installation instructions.

Usage

In order to capture packets from the network, you need to make the dumpcap program set-UID to root or you need to have access to the appropriate entry under /dev if your system is so inclined (BSD-derived systems, and systems such as Solaris and HP-UX that support DLPI, typically fall into this category). Although it might be tempting to make the Wireshark and TShark executables setuid root, or to run them as root, please don't. The capture process has been isolated in dumpcap; this simple program is less likely to contain security holes and is thus safer to run as root.
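The privilege split described above, checked by an added audit script (not part of Wireshark): it reports which of wireshark, tshark and dumpcap in a given directory carry the setuid bit and fails when either front-end does. The WS_BIN_DIR variable and the output format are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of Wireshark: audit the privilege split the README
# asks for. dumpcap may be setuid root; wireshark and tshark never should be.

# is_setuid FILE -> 0 if FILE exists and carries the setuid bit, else 1.
# [ -u FILE ] is POSIX, so this works the same on Linux, *BSD and macOS.
is_setuid() {
    [ -u "$1" ]
}

# owner_of FILE -> prints the owning user (ls -l is portable, stat -c is not).
owner_of() {
    ls -ld "$1" | awk '{ print $3 }'
}

# audit_wireshark_privs DIR -> one line per Wireshark binary present in DIR.
# Returns 0 when only dumpcap (or nothing) is setuid, 1 when wireshark or
# tshark is setuid, the configuration the README says never to use.
audit_wireshark_privs() {
    dir=$1
    rc=0
    for bin in wireshark tshark; do
        [ -e "$dir/$bin" ] || continue
        if is_setuid "$dir/$bin"; then
            echo "FAIL: $dir/$bin is setuid $(owner_of "$dir/$bin"); fix: chmod u-s $dir/$bin"
            rc=1
        else
            echo "ok:   $dir/$bin is not setuid"
        fi
    done
    if [ -e "$dir/dumpcap" ]; then
        if is_setuid "$dir/dumpcap"; then
            echo "ok:   $dir/dumpcap is setuid $(owner_of "$dir/dumpcap"); capture stays isolated there"
        elif command -v getcap >/dev/null 2>&1; then
            # Many Linux packages grant file capabilities instead of setuid; show them.
            echo "info: $dir/dumpcap is not setuid; caps: $(getcap "$dir/dumpcap" 2>/dev/null)"
        else
            echo "info: $dir/dumpcap is not setuid"
        fi
    fi
    return $rc
}

# WS_BIN_DIR is an assumed knob: WS_BIN_DIR=/usr/bin sh audit.sh checks a real install.
if [ -n "${WS_BIN_DIR:-}" ]; then
    audit_wireshark_privs "$WS_BIN_DIR"
fi
```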

Please consult the man page for a description of each command-line option and interface feature.

Multiple File Types

Wireshark can read packets from a number of different file types. See the Wireshark man page or the Wireshark User's Guide for a list of supported file formats.

Wireshark can transparently read compressed versions of any of those files if the required compression library was available when Wireshark was compiled. Currently supported compression formats are:

  • GZIP
  • LZ4
  • ZSTD

GZIP and LZ4 (when using independent blocks, which is the default) support fast random seeking, which offers much better GUI performance on large files. Any of these compression formats can be disabled at compile time by passing the corresponding option to cmake, i.e., cmake -DENABLE_ZLIB=OFF, cmake -DENABLE_LZ4=OFF, or cmake -DENABLE_ZSTD=OFF.

Although Wireshark can read AIX iptrace files, the documentation on AIX's iptrace packet-trace command is sparse. The iptrace command starts a daemon which you must kill in order to stop the trace. Through experimentation it appears that sending a HUP signal to that iptrace daemon causes a graceful shutdown and a complete packet is written to the trace file. If a partial packet is saved at the end, Wireshark will complain when reading that file, but you will be able to read all other packets. If this occurs, please let the Wireshark developers know at wireshark-dev@wireshark.org; be sure to send us a copy of that trace file if it's small and contains non-sensitive data.

Support for Lucent/Ascend products is limited to the debug trace output generated by the MAX and Pipeline series of products. Wireshark can read the output of the wandsession, wandisplay, wannext, and wdd commands.

Wireshark can also read dump trace output from the Toshiba "Compact Router" line of ISDN routers (TR-600 and TR-650). You can telnet to the router and start a dump session with snoop dump.

CoSine L2 debug output can also be read by Wireshark. To get the L2 debug output, first enter the diags mode and then use the create-pkt-log-profile and apply-pkt-log-profile commands under the layer-2 category. For more detail on how to use these commands, you should examine the help command by layer-2 create ? or layer-2 apply ?.

To use the Lucent/Ascend, Toshiba and CoSine traces with Wireshark, you must capture the trace output to a file on disk. The trace is happening inside the router and the router has no way of saving the trace to a file for you. An easy way of doing this under Unix is to run telnet <ascend> | tee <outfile>. Or, if your system has the "script" command installed, you can save a shell session, including telnet, to a file. For example, to log to a file named tracefile.out:

    $ script tracefile.out
    Script started on <date/time>
    $ telnet router
    ..... do your trace, then exit from the router's telnet session.
    $ exit
    Script done on <date/time>

Name Resolution

Wireshark will attempt to use reverse name resolution capabilities when decoding IPv4 and IPv6 packets.

If you want to turn off name resolution while using Wireshark, start Wireshark with the -n option to turn off all name resolution (including resolution of MAC addresses and TCP/UDP/SMTP port numbers to names) or with the -N mt option to turn off name resolution for all network-layer addresses (IPv4, IPv6, IPX).

You can make that the default setting by opening the Preferences dialog using the Preferences item in the Edit menu, selecting "Name resolution", turning off the appropriate name resolution options, and clicking "OK".

SNMP

Wireshark can do some basic decoding of SNMP packets; it can also use the libsmi library to do more sophisticated decoding by reading MIB files and using the information in those files to display OIDs and variable binding values in a friendlier fashion. CMake will automatically determine whether you have the libsmi library on your system. If you have the libsmi library but do not want Wireshark to use it, you can run cmake with the -DENABLE_SMI=OFF option.

How to Report a Bug

Wireshark is under constant development, so it is possible that you will encounter a bug while using it. Please report bugs at https://gitlab.com/wireshark/wireshark/-/issues. Be sure you enter into the bug:

  1. The complete build information from the "About Wireshark" item in the Help menu or the output of wireshark -v for Wireshark bugs and the output of tshark -v for TShark bugs;

  2. If the bug happened on Linux, the Linux distribution you were using, and the version of that distribution;

  3. The command you used to invoke Wireshark, if you ran Wireshark from the command line, or TShark, if you ran TShark, and the sequence of operations you performed that caused the bug to appear.

If the bug is produced by a particular trace file, please be sure to attach to the bug a trace file along with your bug description. If the trace file contains sensitive information (e.g., passwords), then please do not send it.

If Wireshark died on you with a 'segmentation violation', 'bus error', 'abort', or other error that produces a UNIX core dump file, you can help the developers a lot if you have a debugger installed. A stack trace can be obtained by using your debugger ('gdb' in this example), the wireshark binary, and the resulting core file. Here's an example of how to use the gdb command 'backtrace' to do so.

    $ gdb wireshark core
    (gdb) backtrace
    ..... prints the stack trace
    (gdb) quit
    $

The core dump file may be named "wireshark.core" rather than "core" on some platforms (e.g., BSD systems). If you got a core dump with TShark rather than Wireshark, use "tshark" as the first argument to the debugger; the core dump may be named "tshark.core".

License

Wireshark is distributed under the GNU GPLv2. See the file COPYING for the full text of the license. When in doubt the full text is the legally binding part. These notes are just to make it easier for people that are not familiar with the GPLv2.

There are no restrictions on its use. There are restrictions on its distribution in source or binary form.

Most parts of Wireshark are covered by a "GPL version 2 or later" license. Some files are covered by different licenses that are compatible with the GPLv2.

As a notable exception, some utilities distributed with the Wireshark source are covered by other licenses that are not themselves directly compatible with the GPLv2. This is OK, as only the tools themselves are licensed this way, the output of the tools is not considered a derived work, and so can be safely licensed for Wireshark's use. An incomplete selection of these tools includes:

  • the pidl utility (tools/pidl) is licensed under the GPLv3+.

Parts of Wireshark can be built and distributed as libraries. These parts are still covered by the GPL, and NOT by the Lesser General Public License or any other license.

If you integrate all or part of Wireshark into your own application and you opt to publish or release it then the combined work must be released under the terms of the GPLv2.

Disclaimer

There is no warranty, expressed or implied, associated with this product. Use at your own risk.

Gerald Combs <gerald@wireshark.org>

Gilbert Ramirez <gram@alumni.rice.edu>

Guy Harris <gharris@sonic.net>
