PeerSpot user
Sr. Security Engineer at SugarCRM
Real User
Helps me solve network transaction and security issues
Pros and Cons
  • "I can save the traffic and analysis when I want to. Also, it's especially helpful to follow the stream (TCP, UDP, etc.)."
  • "Setup is very easy. It's also possible to change source code and compile if you want to change something in the code, because it's free."
  • "It needs the ability to follow multiple interfaces for specific traffic from different network zones/virtual networks. It would help to understand how any packet is going through the network."
  • "Sometimes I need to use tcpdump when I need to check the packets on CLI."

How has it helped my organization?

It has helped me to:

  • solve network and transaction issues
  • understand protocols and application communication
  • check quality
  • solve security issues. 

What is most valuable?

I can save the traffic and analysis when I want to. Also, it's especially helpful to follow the stream (TCP, UDP, etc.).

What needs improvement?

It needs the ability to follow multiple interfaces for specific traffic from different network zones/virtual networks. It would help to understand how any packet is going through the network.

For how long have I used the solution?

More than five years.
Buyer's Guide
Wireshark
October 2024
Learn what your peers think about Wireshark. Get advice and tips from experienced pros sharing their opinions. Updated: October 2024.
816,406 professionals have used our research since 2012.

What do I think about the stability of the solution?

Sometimes, in the previous version, it lost the scroll when I needed to scroll back and forth.

What do I think about the scalability of the solution?

No issues with scalability.

Which solution did I use previously and why did I switch?

Sometimes I need to use tcpdump when I need to check the packets on CLI.

How was the initial setup?

Very easy. It's also possible to change source code and compile if you want to change something in the code, because it's free.

What's my experience with pricing, setup cost, and licensing?

It's free.

What other advice do I have?

I believe everyone should use this tool if they need to analyze packets.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user4896 - PeerSpot reviewer
VP of Network/Comms/Infra at a consultancy with 10,001+ employees
Real User
When you need to get down into the weeds to solve thorny network issues everyone has access to it.

Valuable Features:

It is free, easy to use, getting better with every release.

Room for Improvement:

Can be difficult for non-"packet heads" to understand.

Other Advice:

Put in just a bit of time with Laura Chappell's great resource - Wireshark 101 - and one will be well on their way to becoming a packet head geek. The payback for the time spent is many times the cost of the book.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user1068 - PeerSpot reviewer
Tech Support Staff at a tech company with 51-200 employees
Vendor

I suppose when he says non 'packet heads', he means people with no networking skills who do not understand what packets are and how they traverse networks from one end machine to another host on a different network.

Wireshark can help network administrators monitor their networks for performance and even find the root of any network issues impeding communication between hosts within the network. It also simplifies the process of troubleshooting networks.

reviewer1430742 - PeerSpot reviewer
Software Engineer at a computer software company with 10,001+ employees
Real User
Top 20
A stable product that provides excellent filtering features and enables users to analyze packet captures
Pros and Cons
  • "The session-level filtering features are valuable."
  • "The decryption of encrypted packets could be better."

What is our primary use case?

I use the solution to analyze packet captures that I receive from customers. It can also be used for troubleshooting networking issues.

What is most valuable?

The session-level filtering features are valuable. Life would be tough without Wireshark.

What needs improvement?

The decryption of encrypted packets could be better.

For how long have I used the solution?

I have been using the solution for about eight years.

What do I think about the stability of the solution?

I rate the tool’s stability a nine out of ten.

What do I think about the scalability of the solution?

I rate the tool’s scalability a nine out of ten. Around 10 to 15 people in my team use the solution.

Which solution did I use previously and why did I switch?

I have explored Microsoft Message Analyzer.

How was the initial setup?

The initial setup is simple.

What other advice do I have?

I work for Cisco. We use a custom version of Wireshark, which is built within Cisco. I might be using functions that don’t exist in the community version. I haven't contacted the support team. When I had an issue a few years ago, I contacted the person who developed it. I recommend the solution to others. Overall, I rate the product a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
reviewer1561449 - PeerSpot reviewer
Founder and CEO at a tech services company with 1-10 employees
Real User
Free, stable, good community support, and useful for investigation and network visibility
Pros and Cons
  • "Being able to dissect email data and figure out what is inside email messages was the most valuable feature. Such a feature is pretty helpful for an ongoing forensic investigation or when there is a potential insider threat that you are trying to investigate. It allows you to see the network activity of the users you are investigating. It also gives you more visibility into your network. It was very easy to set up. There is a lot of information out there on Google and YouTube about how to use it. There is also community support. If you have any trouble, it is pretty easy to find an answer online. You will have to do some digging only if you have a very specific use case."
  • "Its user interface was a little less friendly. They can make its user interface a little bit more friendly. It is for technical people, and most of the technical people would be able to figure it out, but it would be good to improve its user interface. They can maybe build artificial intelligence into it. Currently, it takes a lot of manpower to analyze and dissect all the data."

What is our primary use case?

I used it for a couple of school projects last semester. We basically had to emulate how to capture packets in transit in a network. After capturing those packets, we analyzed them. We also had to break down email messages and dig out pictures inside email messages.

It was deployed through a cloud. They had set up a subscription for a class VM.

What is most valuable?

Being able to dissect email data and figure out what is inside email messages was the most valuable feature. Such a feature is pretty helpful for an ongoing forensic investigation or when there is a potential insider threat that you are trying to investigate. It allows you to see the network activity of the users you are investigating. It also gives you more visibility into your network.

It was very easy to set up. There is a lot of information out there on Google and YouTube about how to use it. There is also community support. If you have any trouble, it is pretty easy to find an answer online. You will have to do some digging only if you have a very specific use case.

What needs improvement?

Its user interface was a little less friendly. They can make its user interface a little bit more friendly. It is for technical people, and most of the technical people would be able to figure it out, but it would be good to improve its user interface.

They can maybe build artificial intelligence into it. Currently, it takes a lot of manpower to analyze and dissect all the data.

For how long have I used the solution?

I started using it last November. It has been six months.

What do I think about the stability of the solution?

It was pretty stable. It never crashed.

What do I think about the scalability of the solution?

Scalability could be a challenge because you can analyze so much data with Wireshark, which can be hard if you don't have a very specific case or plan for it. 

If there is no automated solution, scalability could be a little bit difficult. It gives you more visibility into your network, and you can see the packets that are coming in and going out of the network. The only challenge is that if it is a big organization, there would be a lot to process. Having an automated solution on the side would probably help.

How are customer service and technical support?

I didn't have to contact them.

How was the initial setup?

It was pretty straightforward. It took less than 20 minutes.

What about the implementation team?

I deployed it myself. It does not require any maintenance.

What's my experience with pricing, setup cost, and licensing?

It is free.

What other advice do I have?

I would advise others to have a game plan for it because there is a lot of data that goes into it. You can analyze a lot of data. Having a very strategic game plan would be ideal.

I would rate Wireshark a ten out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user3420 - PeerSpot reviewer
Owner with 51-200 employees
Vendor
The best thing about Wireshark is the community/ecosystem....

Valuable Features:

The best thing about Wireshark is the community/ecosystem. Answers are easy to find in either the documentation or on the wiki. Packet analysis is not for the weak at heart, but Wireshark makes it as painless as possible with profiles, extensive decodes (dissectors), expert system and filtering capability. I use it every day.

Best features to get started with:

  • Network Monitoring with Statistics > Endpoints - Who is talking?
  • Network Monitoring with Statistics > Conversations - Who is talking to who?
  • Application Monitoring with Statistics > Service Response Time - How fast did they get an Application layer response?
  • Visualization with Statistics > IO Graph - Can I see it all in a pretty picture?

Room for Improvement:

It is easy to get overwhelmed with the amount of data you are looking at. But that is true with any analysis tool. The best approach is to focus on a single process that interests you, follow its stream and walk through the packets until you understand what is happening. Then move on to learn the next thing. How do you eat an elephant? One "byte" at a time.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user113184 - PeerSpot reviewer
Security Expert at a tech services company
Consultant

What about using a solution that would allow you to find trouble fast and apply effective vision and clarity to resolve the issue? thx.

PeerSpot user
Network Engineer with 51-200 employees
Vendor
Troubleshooting IIS Connection Issues

I really get excited when I am able to reproduce problems in the lab.

With this specific case, the customer was experiencing errors within their web browsers that looked like either a network or server issue. The specific symptom was that certain images would not display. If you waited a while, and ‘refreshed’ the page, more of it loaded or the entire page loaded properly.

I’m sure you can imagine the chaos this type of intermittent problem causes. The sequence of events unfolds in the following manner: the client reports the webpage issue to the help desk and the help desk tests the webpage with mixed results. In either event, the problem goes to the server group who tests and finds nothing wrong, and then the problem goes to the network group which, in most cases, does not see the problem. Then the political fist fights, finger pointing and witch hunt commence…..

In this case, they even managed to capture some packets during the problem and saw an HTTP “Service Unavailable” message and were having issues interpreting exactly what that would mean. I was there doing some other work when they dumped, uh, I mean asked me if I could help.

They explained that when the problem was occurring, the network management system was not reporting that the server or application was down. I asked how they knew that and they said that they pinged the server, tested for TCP port 80 and lastly retrieved the HTML page. Wow, I was impressed. I don’t see too many people monitoring from the IP layer up to the Application layer.

I then told them that even though this was an excellent way of monitoring, I wasn’t too surprised that no outages were recorded. If it was an application issue, the pings will still work, as well as the TCP port check. If all you did was retrieve a single HTML file, it would not use the same number of connections as actually loading a page and rendering images, etc…

That’s when the lab work came in. I went to my lab and configured IIS to only accept 1 connection, and created a simple HTML file which had a few images on it. After the first try I saw the exact same issue the client experienced as well as the same HTTP message in the analyzer. AWESOME!!!

In the video below you will see how I did it and the results.

Enjoy
http://www.youtube.com/watch?v=-xVqKe53t5s

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Network Engineer with 51-200 employees
Vendor
Hunting For Devices With ARP's And Wireshark

It always gives me a sense of satisfaction when I have a challenge and can leverage some knowledge to figure it out.

Today I was in the lab and was powering on two Cisco switches when I noticed that they weren’t labeled with their IP addresses. I’m not sure why I did not label them, but now I have to pay for it.

For those of you who have not been in this situation before I will explain. My switches have a DB9 serial connection and of course good luck finding a computer with a serial port. So now I have to rummage through the box of wires to find the serial to USB adapter. I have had to buy a second one in 2 years since my original does not have a Windows 7 driver, but I digress. After I find the cable, I have to find the installation disk because last week I migrated to a new laptop…. I’m sure you get the picture.

On to plan B. I know the switches have IP addresses since I hard code IP addresses on all of my switches.

Now here’s where a bit of knowledge comes in. I know that when a device powers up and either obtains an IP address via DHCP/BOOTP or statically has an IP assigned, it will send out a specific ARP called a gratuitous ARP.

Perfect, now all I have to do is make sure the switch port is connected to my subnet, start any protocol analyzer (I chose Wireshark) and power up the switches.

In this video I show you how to find the Gratuitous ARP quickly, create a display filter and lastly, locate the 2 switches’ IP addresses.

Enjoy
http://www.youtube.com/watch?v=EUmHdVeBBNc

Disclosure: I am a real user, and this review is based on my own experience and opinions.
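The check described in the post above, as an added example that is not part of the original review or the video: a gratuitous ARP is an ARP packet whose sender IP equals its target IP, so scanning captured frames for that condition lists the addresses devices announced at power-up. The frames, MAC addresses and IP addresses below are constructed sample data, and the function names are hypothetical.

```python
import socket
import struct

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_arp(frame):
    """Return (sender_mac, sender_ip, target_ip) for IPv4-over-Ethernet ARP, else None."""
    offset = 12
    if len(frame) >= 18 and frame[12:14] == b"\x81\x00":
        offset = 16  # skip a single 802.1Q VLAN tag
    if len(frame) < offset + 2 + 28 or frame[offset:offset + 2] != b"\x08\x06":
        return None  # truncated or not ARP
    arp = frame[offset + 2:offset + 30]
    htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", arp[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return mac_str(arp[8:14]), socket.inet_ntoa(arp[14:18]), socket.inet_ntoa(arp[24:28])

def gratuitous_announcements(frames):
    """Map announced IP -> sender MAC for every gratuitous ARP (sender IP == target IP).

    Same condition as the Wireshark display filter
    arp.src.proto_ipv4 == arp.dst.proto_ipv4; ARP probes (sender 0.0.0.0) are skipped.
    """
    found = {}
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        mac, sender_ip, target_ip = parsed
        if sender_ip == target_ip and sender_ip != "0.0.0.0":
            found[sender_ip] = mac
    return found

def arp_frame(mac, sender_ip, target_ip, oper=1, vlan=None):
    """Build a constructed broadcast ARP frame for the sample capture."""
    src = bytes.fromhex(mac.replace(":", ""))
    tag = b"" if vlan is None else struct.pack("!HH", 0x8100, vlan)
    body = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + src + socket.inet_aton(sender_ip)
    body += b"\x00" * 6 + socket.inet_aton(target_ip)
    return b"\xff" * 6 + src + tag + b"\x08\x06" + body

# Constructed capture: two switches announcing themselves plus unrelated traffic.
SAMPLE_CAPTURE = [
    arp_frame("00:00:5e:00:53:01", "192.0.2.2", "192.0.2.2"),                   # switch 1
    arp_frame("00:00:5e:00:53:aa", "192.0.2.10", "192.0.2.1"),                  # ordinary who-has
    arp_frame("00:00:5e:00:53:02", "192.0.2.3", "192.0.2.3", oper=2, vlan=10),  # switch 2, tagged
    arp_frame("00:00:5e:00:53:bb", "0.0.0.0", "192.0.2.50"),                    # ARP probe
    b"\xff" * 12 + b"\x08\x00" + b"\x00" * 40,                                  # not ARP
]

if __name__ == "__main__":
    for ip, mac in gratuitous_announcements(SAMPLE_CAPTURE).items():
        print(ip, mac)
```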
PeerSpot user
Network Engineer with 51-200 employees
Vendor
Multitrace Analysis - Start at layer 1 and work yourself up

NAT Packet Analysis Using Wireshark

One of the most popular questions I get when people get the hang of protocol analysis is the daunting exercise of multitrace analysis. As with anything else the best advice is to start with the basics before tackling anything complicated.

Multitrace analysis is only effective if you truly understand your vendor's products, networking and how it relates to the OSI model or packet analysis. I always suggest that you start at layer 1 and work yourself up. The key is to know what fields in the frame or packet change, or remain the same. Ideally when you figure this out you can use a better capture or display filter.

A multitrace capture of a hub, switched, or bridged network is most straightforward since a hub or switch is transparent at layer 1 or 2 and doesn’t change anything in the packet.

When you move up to layer 3 or routing, several things change in the packet such as MAC address, IP TTL and TOS. Of course your mileage will vary, and any device could be configured to muck with more bits in the packet, but I figure I would give you a point of reference.

At layer 4 we get into application gateways, proxies, firewalls and NAT type devices where the following packet fields get modified: MAC address, IP address, IP TOS, TCP/UDP port numbers, TCP ACK/SEQ values, etc.

Lastly at layer 7, we are dealing with multi-tiered applications and basically everything changes in the packet.

In this video example I do a multitrace analysis of a simple Netgear router/NAT/firewall device where I take a trace from the WAN and LAN side to compare. Not to sound like a broken record, but please remember that your devices might behave totally differently and these notes and techniques should only be used as a reference in your environment.

http://www.youtube.com/watch?v=J9FzaFryQIw

Disclosure: I am a real user, and this review is based on my own experience and opinions.
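The field comparison described in the post above, as an added example that is not part of the original review or the video: it parses the same TCP packet as seen on the LAN and WAN side of a NAT device and reports which of the listed header fields changed, leaving the unchanged ones as candidates for a display filter that matches both traces. The two frames are constructed sample data and assume a simple source NAT that rewrites only the source address and port; the function names are hypothetical.

```python
import socket
import struct

def build(src_mac, dst_mac, src_ip, dst_ip, sport, dport, ttl, ip_id, seq, ack, payload):
    """Build a constructed Ethernet/IPv4/TCP frame (checksums left at 0, not compared)."""
    eth = bytes.fromhex(dst_mac + src_mac) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), ip_id, 0x4000, ttl, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | 0x018, 64240, 0, 0)
    return eth + ip + tcp + payload

def parse(frame):
    """Extract the header fields the post lists as candidates for modification."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an untagged IPv4 frame")
    ip = frame[14:]
    ver_ihl, tos, total, ip_id, _frag, ttl, proto, _ck, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", ip[:20])
    if proto != 6:
        raise ValueError("not TCP")
    tcp = ip[(ver_ihl & 0x0F) * 4:total]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    return {
        "src_mac": frame[6:12].hex(), "dst_mac": frame[0:6].hex(),
        "tos": tos, "ttl": ttl, "ip_id": ip_id,
        "src_ip": socket.inet_ntoa(src), "dst_ip": socket.inet_ntoa(dst),
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "payload": tcp[(off_flags >> 12) * 4:],
    }

def changed_fields(lan_frame, wan_frame):
    """Return {field: (lan_value, wan_value)} for every field that differs."""
    lan, wan = parse(lan_frame), parse(wan_frame)
    return {k: (lan[k], wan[k]) for k in lan if lan[k] != wan[k]}

def stable_fields(lan_frame, wan_frame):
    """Fields identical in both traces: usable to match the packet on either side."""
    changed = changed_fields(lan_frame, wan_frame)
    return [k for k in parse(lan_frame) if k not in changed]

# Constructed sample: one HTTP request captured before and after the NAT device.
REQUEST = b"GET / HTTP/1.1\r\n\r\n"
LAN_FRAME = build("00005e005310", "00005e005301", "192.168.1.10", "203.0.113.80",
                  51000, 80, 128, 0x1C46, 1000, 2000, REQUEST)
WAN_FRAME = build("00005e005302", "00005e0053fe", "198.51.100.7", "203.0.113.80",
                  40001, 80, 127, 0x1C46, 1000, 2000, REQUEST)

if __name__ == "__main__":
    for name, (lan, wan) in changed_fields(LAN_FRAME, WAN_FRAME).items():
        print(f"{name}: {lan} -> {wan}")
    print("stable:", stable_fields(LAN_FRAME, WAN_FRAME))
```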