Senior Manager of Data Center at an integrator with 51-200 employees
Wireshark is the most reputed network protocol analyzer globally
What is most valuable?
Pros of Wireshark are
1) Open Source
2) Support on Windows, Linux, Mac, Solaris
3) Presence of both a command shell and a graphical user interface
4) Port mirroring
5) Inbuilt support for WinPcap and libpcap
6) Filter creation for better packet capture techniques
What needs improvement?
Few cons of Wireshark are
1) Running Wireshark through an admin account for multiple exploits is insecure
2) Cannot manipulate things on the network
3) Cannot be used for MITM attacks
4) Lack of intrusion detection module
5) Lack of modules for ARP poisoning and caching
What other advice do I have?
Wireshark is the world's most powerful network protocol analyzer tool. It can be used for various purposes, such as analysis of protocols like TCP, HTTP and UDP, and complete analysis and troubleshooting of networks. It has the option to use the wireless adapter directly in promiscuous mode for interception of wireless packets. It is much more effective than other tools such as tcpdump and dumpcap, with a good user interface and hex detection.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Network Engineer at a tech services company with 501-1,000 employees
Drill-down for packet analysis is great, gives insight into what is going on at packet level
Pros and Cons
- "The drill-down available for packet analysis is great. It gives a network security engineer insight into what is going on at the packet level and enables better troubleshooting."
- "The Wireshark search function shows green for a correct search and red for an incorrect search. If there were a way to provide a description about what a search - and the similar ones which are available - can do, while a person is typing it, it would make the product easier to use and simultaneously decrease the learning curve."
How has it helped my organization?
The people to whom I have introduced this product have found it a great tool to analyze packets. Instead of troubleshooting by trial and error, they have a way to investigate, verify, and then apply a solution. Of course, to derive value from the product, you must know its features.
What is most valuable?
The drill-down available for packet analysis is great. It gives a network security engineer insight into what is going on at the packet level and enables better troubleshooting.
What needs improvement?
The Wireshark search function shows green for a correct search and red for an incorrect search. If there were a way to provide a description about what a search - and the similar ones which are available - can do, while a person is typing it, it would make the product easier to use and simultaneously decrease the learning curve.
For how long have I used the solution?
Three to five years.
What do I think about the stability of the solution?
No stability issues.
What do I think about the scalability of the solution?
No scalability issues.
How are customer service and technical support?
I have not used technical support.
Which solution did I use previously and why did I switch?
I used Microsoft's Network Monitor, but with due respect to Microsoft, I prefer Wireshark.
How was the initial setup?
Straightforward.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Buyer's Guide
Wireshark
October 2024
Learn what your peers think about Wireshark. Get advice and tips from experienced pros sharing their opinions. Updated: October 2024.
814,649 professionals have used our research since 2012.
ArcSight Engineer at a tech vendor with 51-200 employees
Parses large packet capture files without opening them, returns relevant information
Pros and Cons
- "Packet-capture files can be hard to use due to their size. Wireshark has a tool called tshark that can parse the files without opening them so that you can take large captures, say 2-10GB, and return only relevant information."
- "The product is great but I wish there were more of an emphasis on the command line tools."
What is our primary use case?
It is utilized for forensic work, with full packet capture.
What is most valuable?
Packet analysis and filtering. Packet-capture files can be hard to use due to their size. Wireshark has a tool called tshark that can parse the files without opening them so that you can take large captures, say 2-10GB, and return only relevant information.
What needs improvement?
The UI redesign threw me for a loop but I have learned to overcome it. The product is great but I wish there were more of an emphasis on the command line tools.
For how long have I used the solution?
Three to five years.
What do I think about the stability of the solution?
No stability issues.
What do I think about the scalability of the solution?
No scalability issues.
How was the initial setup?
Just install the software and the WinPcap software.
What's my experience with pricing, setup cost, and licensing?
It's a standalone tool. If there is a commercial license for it I am unaware of it.
What other advice do I have?
Make sure you are comfortable installing the WinPcap driver for packet collection. This tool could be used maliciously to capture data on your network.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Network Engineer at a tech services company with 51-200 employees
My Favorite Wireshark Filters
Wireshark is hands down one of the best analysis tools on the planet. It is intuitive, simple to use, and gives the depth needed to find problems in today's network and application environments. Sometimes it can be tough to remember some of the filtering commands though, so here is a list of some of my favorites:
1. !(ip.addr==10.0.0.1) [displays everything except IP traffic to or from 10.0.0.1]
2. ip.addr==10.0.0.1 && ip.addr==10.0.0.2 [sets a conversation filter between the two defined IP addresses]
3. http or dns [sets a filter to display all http and dns]
4. tcp.port==4000 [sets a filter for any TCP packet with 4000 as a source or dest port]
5. tcp.flags.reset==1 [displays all TCP resets]
6. http.request [displays all HTTP GET requests]
7. tcp contains traffic [displays all TCP packets that contain the word ‘traffic’. Excellent when searching on a specific string or user ID]
8. !(arp or icmp or dns) [masks out arp, icmp, dns, or whatever other protocols may be background noise. Allowing you to focus on the traffic of interest]
9. udp contains 2069999999 [sets a filter for the number string, great when trying to locate a specific caller ID in a VoIP capture]
10. tcp.analysis.retransmission [displays all retransmissions in the trace. Helps when tracking down slow application performance and packet loss]
Disclosure: I am a real user, and this review is based on my own experience and opinions.
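The strings in the list above are Wireshark display filters. The script below is an added example, not code from this review or from the Wireshark project: it builds a small constructed capture in memory, decodes it with a toy parser (Ethernet, IPv4, TCP, UDP and ARP only, an assumption made to keep the demo short), and applies Python predicates that mirror each filter so the matching logic is visible. Two deliberate simplifications are labelled in the code: `contains` here searches only the transport payload, whereas Wireshark's `tcp contains` scans the whole TCP layer, and `http.request` matches any request method (POST, HEAD, ...), not only GET.

```python
"""Constructed example: toy pcap decoder plus predicates mirroring the
Wireshark display filters listed in the review. Not Wireshark code."""
import socket
import struct
from dataclasses import dataclass

PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1
MAC_A, MAC_B = b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x02"
TCP_RST = 0x04  # flag bit tested by tcp.flags.reset==1
HTTP_METHODS = {b"GET", b"POST", b"PUT", b"DELETE", b"HEAD", b"OPTIONS"}


@dataclass
class Packet:
    layers: tuple  # e.g. ("eth", "ip", "tcp"); "dns" is appended for UDP port 53
    src: str = ""
    dst: str = ""
    sport: int = 0
    dport: int = 0
    tcp_flags: int = 0
    payload: bytes = b""


# --- building a capture (constructed sample frames, not a real trace) -------
def eth(ethertype):
    return MAC_B + MAC_A + struct.pack("!H", ethertype)

def ipv4(src, dst, proto, l4):  # IHL 5, checksum left 0 (not needed for decoding)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return eth(0x0800) + hdr + l4

def tcp_segment(src, dst, sport, dport, flags, payload=b""):
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0)
    return ipv4(src, dst, 6, hdr + payload)

def udp_datagram(src, dst, sport, dport, payload):
    return ipv4(src, dst, 17, struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload)

def arp_request(spa, tpa):
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1, MAC_A,
                      socket.inet_aton(spa), b"\x00" * 6, socket.inet_aton(tpa))
    return eth(0x0806) + arp

def write_pcap(frames):  # classic little-endian pcap: 24-byte global header, 16-byte records
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

def sample_capture():
    return write_pcap([
        tcp_segment("10.0.0.1", "10.0.0.2", 54321, 80, 0x18, b"GET /login HTTP/1.1\r\nHost: intranet\r\n\r\n"),
        tcp_segment("10.0.0.2", "10.0.0.1", 80, 54321, 0x14),  # RST|ACK
        tcp_segment("10.0.0.3", "10.0.0.4", 4000, 51000, 0x18, b"user=bob traffic=high"),
        udp_datagram("10.0.0.5", "10.0.0.6", 5060, 5060, b"INVITE sip:2069999999@pbx SIP/2.0\r\n"),
        udp_datagram("10.0.0.1", "10.0.0.53", 40000, 53, b"\x12\x34\x01\x00" + b"\x00" * 8),
        arp_request("10.0.0.9", "10.0.0.1"),
    ])


# --- decoding ---------------------------------------------------------------
def decode_frame(frame):
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x0806:
        return Packet(("eth", "arp"))
    if ethertype != 0x0800 or len(frame) < 34:
        return Packet(("eth",))
    ip = frame[14:]
    ihl, total_len, proto = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0], ip[9]
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    l4 = ip[ihl:total_len]
    if proto == 6:
        sport, dport = struct.unpack("!HH", l4[:4])
        data_off = (l4[12] >> 4) * 4
        return Packet(("eth", "ip", "tcp"), src, dst, sport, dport, l4[13], l4[data_off:])
    if proto == 17:
        sport, dport = struct.unpack("!HH", l4[:4])
        layers = ("eth", "ip", "udp") + (("dns",) if 53 in (sport, dport) else ())
        return Packet(layers, src, dst, sport, dport, 0, l4[8:])
    return Packet(("eth", "ip"), src, dst)

def read_pcap(data):
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("expected a little-endian classic pcap")
    if struct.unpack("<I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("expected Ethernet link type")
    off, packets = 24, []
    while off + 16 <= len(data):
        caplen = struct.unpack("<IIII", data[off:off + 16])[2]
        off += 16
        packets.append(decode_frame(data[off:off + caplen]))
        off += caplen
    return packets


# --- predicates mirroring the review's filter strings -----------------------
def ip_addr(p, a):              # ip.addr==a  (ARP frames have no IP, so !(ip.addr==a) keeps them)
    return a in (p.src, p.dst)

def conversation(p, a, b):      # ip.addr==a && ip.addr==b
    return ip_addr(p, a) and ip_addr(p, b)

def tcp_port(p, port):          # tcp.port==port  (source or destination)
    return "tcp" in p.layers and port in (p.sport, p.dport)

def tcp_reset(p):               # tcp.flags.reset==1
    return "tcp" in p.layers and bool(p.tcp_flags & TCP_RST)

def contains(p, layer, s):      # "<layer> contains s"; simplification: payload only, Wireshark scans the whole layer
    return layer in p.layers and s in p.payload

def not_noise(p):               # !(arp or icmp or dns)
    return not ({"arp", "icmp", "dns"} & set(p.layers))

def http_request(p):            # http.request: any request method, not only GET
    line = p.payload.split(b"\r\n", 1)[0]
    return "tcp" in p.layers and line.split(b" ")[0] in HTTP_METHODS and line.endswith((b"HTTP/1.0", b"HTTP/1.1"))

def frames_matching(packets, pred):
    """1-based frame numbers, like Wireshark's No. column."""
    return [n for n, p in enumerate(packets, 1) if pred(p)]


if __name__ == "__main__":
    pkts = read_pcap(sample_capture())
    for name, pred in [("tcp.flags.reset==1", tcp_reset), ("http.request", http_request),
                       ("tcp contains traffic", lambda p: contains(p, "tcp", b"traffic")),
                       ("!(arp or icmp or dns)", not_noise)]:
        print(f"{name:24} -> frames {frames_matching(pkts, pred)}")
```

Against a real trace the same filter strings go to tshark's `-Y` option, for example `tshark -r capture.pcap -Y 'tcp.flags.reset==1' -T fields -e frame.number -e ip.src -e ip.dst`, which is also how the large-capture workflow from the earlier tshark review is done without loading the file into the GUI.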
Network Engineer with 51-200 employees
Troubleshooting FTP Errors With Wireshark
The most daunting problem to troubleshoot is when the application spits out a generic error that could mean anything. Here's the analogy: how helpful is the 'Check Engine' light on your car dashboard?
The worst part is when the customer tries to take the cryptic, generic application error message and tries to make sense of it in an attempt to assist the analyst. Don’t get me wrong, any information is helpful while troubleshooting, but you have to be selective in what you pursue.
In this example FTP works one moment and fails the next. Of course the customer immediately called the help desk, who pings the FTP server and comments that it is up and no outages have been recorded by the network management system. Then the ticket goes to the server department, who FTPs without an issue; unfortunately by now so can the customer. The server department says the connection error must be a 'network thing'.
I captured some packets and have recreated what I found and how the application, Chrome in this example, failed to pass on the FTP server connection limit error. The only way I was able to get real meaningful data is from the wire.
This isn’t a Chrome ‘bash’ session since I have seen many applications not report what was on the wire or reinterpret what was reported by the server.
In summary, the ftp server ran out of connections or had a limit on the number of connections an IP address could have. The administrator was told about this and the FTP server configuration was adjusted to allow more connections.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Network Engineer with 51-200 employees
Troubleshooting WiFi Issues with Wireshark
A customer called me and wanted some help troubleshooting some wireless problems. Their users have been reporting intermittent wireless performance issues and getting 'dropped'. To top it all off, their WLAN controller has also been reporting 'containment' error messages that weren't too descriptive or helpful.
I showed up on site and did all the basic RF checks with my AirMagnet Spectrum XT to make sure there wasn’t an RF issue like an interferer or channel planning issues. Like I always say, “Start at Layer 1”.
Then I moved up a layer using my Fluke Networks AirCheck and AirMagnet WiFi Analyzer. Everything looked pretty quiet and nothing jumped up at me, so I saved some trace files to review later.
Then I thought I would take the trace file and open it with Wireshark since I have more experience with packet analysis than I do using the AirMagnet/AirCheck tools.
In this video I show you some of the filters I used, what they mean and what I found.
I always enjoy getting to the packet level since packets don’t lie, but would also like to spend more time with the other tools now that I know what issues are to see how, or what, they report.
In closing, there are a few points I want to make sure aren't lost throughout the video:
1. Just because I used Wireshark to find some clues does not mean that the other tools were less effective, I just have more experience with protocol analysis/Wireshark.
2. If you deploy any kind of wireless intrusion system, make sure you don’t just turn it on without proper network due diligence.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Competence Center Manager at a tech services company with 201-500 employees
Has the ability to choose a destination of flow that has not been working as expected
Pros and Cons
- "The most valuable feature of Wireshark is the ability to choose a destination of flow that has not been working as expected."
- "I would like to see Wireshark improve the ease of application of the command. The command is very powerful, but not easy to apply."
What is our primary use case?
We use Wireshark as a tool for network troubleshooting when we need to verify something directly. It is not used every day.
As an example, a FortiGate can also export a capture; we can pick up the file, process it, and apply Wireshark to it. Some tools allow us to capture, define and export to Wireshark, so we are able to analyze in great detail.
What is most valuable?
The most valuable feature of Wireshark is the ability to choose a destination of flow that has not been working as expected, it looks for a label, and we put the label within.
What needs improvement?
I would like to see Wireshark improve the ease of application of the command. The command is very powerful, but not easy to apply.
For the next release, I would like to see measurement of packet loss at the terminal, and the round-trip delay. It would also benefit from improving the capability to evolve in real time.
For how long have I used the solution?
I have been using Wireshark for ten years.
What do I think about the stability of the solution?
Wireshark has been stable when I have had to use it.
How was the initial setup?
The initial setup of Wireshark is not straightforward.
What's my experience with pricing, setup cost, and licensing?
The version of Wireshark we use is free.
What other advice do I have?
Wireshark is a very useful tool. I would rate the solution an eight out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Infrastructure Connectivity Engineer at Reputable Service Company
Regardless of network size, it provides intelligence about any type of data packets, especially during a security attack, although buffer size of captured data should be unlimited and archived.
Valuable Features:
Some valuable features of Wireshark are deep packet inspection based on the capturing process with its sniffing capabilities.
Improvements to My Organization:
In order to be more intelligent about all the bits/frames/packets/data traversing your network, regardless of how small or large the network is, Wireshark is a network analytic tool which provides such intelligent information about a network.
Wireshark is that intelligent not only for the production environment alone, but it also aids study of the packet fields that may exist in any type of packet header of data flowing in your network: to view how all the classes of QoS marking in a packet are set, and it can also be used to sniff packets during the reconnaissance phase of a network security attack.
Wireshark provides better understanding on how the bits are set for different fields in a packet header.
It is indeed a very good tool which all network administrators need to be familiar with.
Room for Improvement:
The maximum buffer size of captured data should be unlimited, and it should allow the ability to archive all old captures in real time (not just a save option); it should support a destination location where old captures can be directed for long-term storage.
Disclosure: I am a real user, and this review is based on my own experience and opinions.