Functionality
Wireshark is very similar to tcpdump, but has a graphical front-end and integrated sorting and filtering options.
Wireshark lets the user put network interface controllers into promiscuous mode (if supported by the network interface controller), so they can see all the traffic visible on that interface, including unicast traffic not sent to that network interface controller’s MAC address. However, when capturing with a packet analyzer in promiscuous mode on a port on a network switch, not all traffic through the switch is necessarily sent to the port where the capture is done, so capturing in promiscuous mode is not necessarily sufficient to see all network traffic. Port mirroring or various network taps extend capture to any point on the network. Simple passive taps are highly resistant to tampering.
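Because a sniffer in promiscuous mode is as interesting to a defender as to an analyst, the following added example (not code from Wireshark or its documentation) shows the two places on Linux where promiscuous mode becomes visible: the IFF_PROMISC bit in the interface flags exposed under /sys/class/net, and the kernel's "entered/left promiscuous mode" messages, which the kernel emits only when the flag actually changes. The log lines are constructed for the example and follow the two message formats the kernel has used; the sysfs path and the 0x100 flag value are the standard ones.

```python
"""Find Linux interfaces in promiscuous mode, from live sysfs flags and from kernel log lines.

Added example: neither function is part of Wireshark. Sample log lines below are
constructed, patterned after the messages net/core/dev.c prints on a flag change.
"""
import re
from pathlib import Path

IFF_PROMISC = 0x100  # bit 8 of the interface flags word, from <linux/if.h>


def is_promisc_flags(flags):
    """Return True if the IFF_PROMISC bit is set in an interface flags word."""
    return bool(flags & IFF_PROMISC)


def sysfs_promisc_interfaces(sysfs_root="/sys/class/net"):
    """Read /sys/class/net/<iface>/flags for every interface; return the promiscuous ones."""
    root = Path(sysfs_root)
    found = []
    if not root.is_dir():
        return found
    for iface in sorted(root.iterdir()):
        try:
            flags = int((iface / "flags").read_text().strip(), 16)  # e.g. "0x1103"
        except (OSError, ValueError):
            continue  # not a netdev, or no permission: skip rather than guess
        if is_promisc_flags(flags):
            found.append(iface.name)
    return found


# Two kernel message shapes, depending on kernel version:
#   "device eth0 entered promiscuous mode"               (older pr_info format)
#   "e1000 0000:00:03.0 eth2: entered promiscuous mode"  (newer netdev_info format)
_PROMISC_LOG = re.compile(
    r"(?:device (?P<dev1>\S+) |(?P<dev2>\S+): )(?P<action>entered|left) promiscuous mode"
)


def promisc_from_kernel_log(lines):
    """Replay kernel log lines and return the interfaces whose last event was 'entered'.

    The kernel logs only when IFF_PROMISC actually flips, so a set is the right model:
    a second sniffer on an already-promiscuous interface produces no new line.
    """
    active = set()
    for line in lines:
        m = _PROMISC_LOG.search(line)
        if not m:
            continue
        dev = m.group("dev1") or m.group("dev2")
        if m.group("action") == "entered":
            active.add(dev)
        else:
            active.discard(dev)
    return sorted(active)


# Constructed sample kernel log (not real captured output).
SAMPLE_KERNEL_LOG = [
    "[  120.331] device eth0 entered promiscuous mode",
    "[  120.902] device eth1 entered promiscuous mode",
    "[  305.117] device eth1 left promiscuous mode",
    "[  410.004] e1000 0000:00:03.0 eth2: entered promiscuous mode",
    "[  411.771] audit: type=1300 audit(1700000000.123:45): arch=c000003e",
]

if __name__ == "__main__":
    print("from kernel log:", promisc_from_kernel_log(SAMPLE_KERNEL_LOG))
    print("from sysfs:     ", sysfs_promisc_interfaces())
```

Note that a promiscuous interface is a necessary but not sufficient sign of a capture in progress: a switch still delivers only the traffic it forwards to that port, exactly as described above, and a passive tap produces no flag change on the monitored hosts at all.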
On Linux, BSD, and macOS, with libpcap 1.0.0 or later, Wireshark 1.4 and later can also put wireless network interface controllers into monitor mode.
If a remote machine captures packets and sends them over the network to a device running Wireshark using the TZSP protocol or the protocol used by OmniPeek, Wireshark dissects those packets, so it can analyze packets captured on a remote device at the time they are captured.
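To show what the remote-capture path above actually carries on the wire, here is an added example (not Wireshark's own dissector) of a minimal TZSP encoder and decoder. It follows the published TZSP layout: a 4-byte header (version, type, encapsulated protocol), a list of tag-length-value fields closed by the END tag, then the captured frame. The tag numbers and encapsulation codes are the ones in the public protocol description; the Ethernet frame and datagram are constructed for the example. Every length is bounds-checked so a truncated or hostile datagram is rejected rather than read past the buffer, which is the property a practitioner should expect of anything that accepts packets from a remote sensor on UDP port 37008.

```python
"""Minimal TZSP (TaZmen Sniffer Protocol) encode/decode.

Added example, not code from Wireshark. Layout of one datagram (network byte order):
    version(1)  type(1)  encapsulated-protocol(2)  tagged fields...  captured frame
Tagged fields: 1-byte tag; for all tags except PADDING (0) and END (1) a 1-byte
length and that many value bytes. END terminates the list.
"""
import struct

TZSP_VERSION = 1
TZSP_TYPE_RECEIVED = 0          # "received tag list": a frame captured by the sensor
TZSP_ENCAP = {1: "Ethernet", 18: "IEEE 802.11", 119: "Prism header", 127: "802.11 AVS"}
TAG_PADDING, TAG_END = 0, 1
TAG_NAMES = {10: "RAW_RSSI", 11: "SNR", 12: "DATA_RATE", 13: "TIMESTAMP",
             15: "CONTENTION_FREE", 16: "DECRYPTED", 17: "FCS_ERROR",
             18: "RX_CHANNEL", 40: "PACKET_COUNT", 41: "RX_FRAME_LENGTH",
             60: "WLAN_RADIO_HDR_SERIAL"}


class TZSPError(ValueError):
    """Raised for any datagram that does not fit the TZSP layout."""


def build_tzsp(frame, encap=1, tags=()):
    """Encode a 'received' TZSP datagram around a captured frame. tags: iterable of (tag, bytes)."""
    out = bytearray(struct.pack("!BBH", TZSP_VERSION, TZSP_TYPE_RECEIVED, encap))
    for tag, value in tags:
        if len(value) > 255:
            raise TZSPError("tag value longer than the 1-byte length field allows")
        out += bytes([tag, len(value)]) + value
    out.append(TAG_END)
    out += frame
    return bytes(out)


def parse_tzsp(datagram):
    """Decode a TZSP datagram into {'type', 'encap', 'tags', 'frame'}; raise TZSPError if malformed."""
    if len(datagram) < 4:
        raise TZSPError("datagram shorter than the 4-byte TZSP header")
    version, ptype, encap = struct.unpack("!BBH", datagram[:4])
    if version != TZSP_VERSION:
        raise TZSPError(f"unsupported TZSP version {version}")
    tags = {}
    pos = 4
    while True:
        if pos >= len(datagram):
            raise TZSPError("tag list not terminated by END")
        tag = datagram[pos]
        pos += 1
        if tag == TAG_END:
            break
        if tag == TAG_PADDING:
            continue
        if pos >= len(datagram):
            raise TZSPError(f"tag {tag} has no length byte")
        length = datagram[pos]
        pos += 1
        if pos + length > len(datagram):           # the bounds check that matters
            raise TZSPError(f"tag {tag} length {length} overruns the datagram")
        tags[TAG_NAMES.get(tag, tag)] = datagram[pos:pos + length]
        pos += length
    return {"type": ptype, "encap": TZSP_ENCAP.get(encap, encap),
            "tags": tags, "frame": datagram[pos:]}


def ethernet_header(frame):
    """Return (dst, src, ethertype) from an Ethernet II frame, as Wireshark's first dissection step would."""
    if len(frame) < 14:
        raise TZSPError("encapsulated frame shorter than an Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    return mac(dst), mac(src), etype


def is_malformed(datagram):
    """True if parse_tzsp rejects the datagram (used to exercise the error path)."""
    try:
        parse_tzsp(datagram)
        return False
    except TZSPError:
        return True


# Constructed sample: broadcast Ethernet II frame (EtherType 0x0800) with a 4-byte
# dummy payload, wrapped in TZSP with a PACKET_COUNT tag of 42.
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "0200c0a80001" "0800") + b"\xde\xad\xbe\xef"
SAMPLE_DATAGRAM = build_tzsp(SAMPLE_FRAME, encap=1, tags=((40, b"\x00\x00\x00\x2a"),))

if __name__ == "__main__":
    decoded = parse_tzsp(SAMPLE_DATAGRAM)
    print(decoded["encap"], decoded["tags"], ethernet_header(decoded["frame"]))
```

Wireshark registers its TZSP dissector on UDP port 37008 and then hands the encapsulated frame to the dissector named by the encapsulation field, which is what lets a frame captured on the remote sensor be decoded as if it had been captured locally.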
History
In the late 1990s, Gerald Combs, a computer science graduate of the University of Missouri–Kansas City, worked for a small Internet service provider. The commercial protocol analysis products were priced at around $1500 and did not run on the company’s primary platforms (Solaris and Linux). Gerald began writing Ethereal and released the first version around 1998. Network Integration Services owns the Ethereal trademark.
In May 2006, Combs accepted a job with CACE Technologies. Combs still held the copyright on most of Ethereal’s source code (and the rest was re-distributable under the GNU GPL), so he used the contents of the Ethereal Subversion repository as the basis for the Wireshark repository. However, he did not own the Ethereal trademark, so he changed the name to Wireshark. In 2010 Riverbed Technology purchased CACE and took over as the primary sponsor of Wireshark. Ethereal development has ceased, and an Ethereal security advisory recommended switching to Wireshark.
Wireshark has won several industry awards, including awards from eWeek, InfoWorld, and PC Magazine. It is also the top-rated packet sniffer in the Insecure.Org network security tools survey and was the SourceForge Project of the Month in August 2010.
Combs continues to maintain the overall code of Wireshark and issue releases of new software versions. The product website lists almost 2000 additional contributing authors.