Wireshark reigns among the sea of network sniffers

Aug 24, 2010 | 5 mins
Data and Information Security

Open source protocol analyzer is a stalwart ally for uncovering dangerous behavior on the network

Organizations seeking a reliable ally to help defend the network should seriously consider enlisting Wireshark, a free, open source network protocol analyzer that has been around since 1998. Created by Gerald Combs and worked on by hundreds of contributing developers, this tool has been the go-to soldier in the trenches for tens of millions of network troubleshooters and the envy of almost every other open source program.

The only truth you have about a network is what the network sniffer sees. Everything else is opinion or conjecture. Firing up a good network sniffer is an excellent way to see what your network really looks like. I’ve turned to Wireshark to track hacker behavior, ferret out malicious traffic, or to explain the “unsolvable” problems.


When using a sniffer such as Wireshark, I’m constantly surprised by all the network packets that are sent for even the simplest tasks. Usually I’ll see far more packets than expected because the theoretical protocol explanations are oversimplified and don’t take into account what happens on a real network. Firing up a sniffer is also an excellent way to see problems you didn’t know existed; conversely, only a sniffer can show you all the normal (and expected) failures that are part of any operating network.

I’ve used many packet sniffers in my 20-plus-year career, including other open source projects (such as TCPDump, Ettercap, and Dsniff) and commercial products (Novell’s LANAnalyzer, Microsoft’s Network Monitor, WildPackets’ OmniPeek, and Network Instruments’ Observer). Those other open source products are good and particularly adept at very specific tasks, such as Dsniff’s ability to pick out plain-text log-on credentials and print them to the screen. Commercial products often have sophisticated enterprise features that Wireshark does not. But for a free product, Wireshark is awesome.

The active development community keeps Wireshark feature rich, easy to use, and up to date. Wireshark doesn’t suffer from the waning enthusiasm to which so many other promising open source projects succumb.

My favorite features number in the dozens, but certainly the Follow TCP Stream feature is my top pick. Right-click on any single packet within a TCP session and you can instantly see the entire stream highlighted, with its plain-text data displayed immediately. In the olden days, the same process could easily take 5 minutes or more as you filtered packets and tried to manually reconstruct the session.
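To show what the manual reconstruction behind Follow TCP Stream involves, here is an added example (not code from the article or from the Wireshark project) that picks one packet, collects every segment of its conversation, and reassembles each direction by sequence number, dropping retransmitted bytes and marking gaps. The capture is constructed inline with RFC 5737 addresses and is an assumption for illustration, not a real trace.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int        # TCP sequence number of payload[0]
    payload: bytes

def stream_key(seg):
    """Direction-independent conversation id: the sorted pair of endpoints."""
    return tuple(sorted([(seg.src, seg.sport), (seg.dst, seg.dport)]))

def reassemble(segs):
    """Order one direction by seq; drop retransmitted bytes, mark capture gaps."""
    buf, next_seq = bytearray(), min(s.seq for s in segs)
    for s in sorted(segs, key=lambda s: s.seq):
        end = s.seq + len(s.payload)
        if end <= next_seq:          # pure retransmission: nothing new
            continue
        if s.seq > next_seq:         # hole in the capture: flag it, as Wireshark does
            buf += b"[%d bytes missing]" % (s.seq - next_seq)
            next_seq = s.seq
        buf += s.payload[next_seq - s.seq:]   # skip any overlapping prefix
        next_seq = end
    return bytes(buf)

def follow_tcp_stream(packets, index):
    """Payload of the conversation containing packets[index], keyed by direction."""
    key = stream_key(packets[index])
    by_direction = {}
    for s in packets:
        if stream_key(s) == key and s.payload:
            by_direction.setdefault(f"{s.src}:{s.sport} -> {s.dst}:{s.dport}", []).append(s)
    return {d: reassemble(segs) for d, segs in by_direction.items()}

# Constructed sample capture (RFC 5737 addresses): one HTTP exchange delivered out of
# order with a duplicate and an overlapping retransmission, plus an unrelated packet.
CLIENT, SERVER = ("198.51.100.7", 51000), ("192.0.2.10", 80)
REQUEST = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
SAMPLE = [
    Segment(*CLIENT, *SERVER, seq=1016, payload=REQUEST[16:]),   # second half arrives first
    Segment(*CLIENT, *SERVER, seq=1000, payload=REQUEST[:16]),
    Segment(*CLIENT, *SERVER, seq=1000, payload=REQUEST[:16]),   # exact retransmission
    Segment("198.51.100.7", 40000, "192.0.2.53", 53, seq=1, payload=b"not this stream"),
    Segment(*SERVER, *CLIENT, seq=5000, payload=RESPONSE[:20]),
    Segment(*SERVER, *CLIENT, seq=5012, payload=RESPONSE[12:]),  # overlaps 8 bytes already seen
]
```

Calling `follow_tcp_stream(SAMPLE, 0)` returns the full request and response as two clean byte strings, with the unrelated DNS-port packet left out.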

Wireshark automatically colorizes and highlights different communication sessions so that you can easily pick out the separate threads within the plethora of collected data. Along the same lines, Wireshark can automatically tell you which packets mark the beginning and end of a file transfer, along with the name of the file and its originating path. Again, this single feature — another of my favorites — easily saves me 5 to 10 minutes.

This is not to say I don’t have problems with Wireshark. After more than a decade of use, I’m still frustrated that its capture filter syntax is different from its display filter syntax. I understand why — it’s due to its original, underlying reliance on libpcap packet-capture drivers and libraries — but that doesn’t make it any less frustrating to have to remember two different syntaxes for what is often the same filtering operation.

From a security perspective, Wireshark has had plenty of vulnerabilities, most notably in the form of parser buffer overflows. I’m not sure how many it’s suffered over the years, but it numbers in the dozens. If a system using Wireshark has one of the vulnerable parsers loaded, a remote attacker can craft network packets in such a way as to take over the system that Wireshark is running on (Wireshark usually runs in a system security context in order to be able to capture packets, especially in promiscuous mode).

Luckily, most attackers don’t know whether their intended victim is running Wireshark, or whether it is running all the time, which would make it a juicy target. I’ve never heard of a public attack that involved Wireshark, but it reminds you that even your network tools can become targets of opportunity.

Wireshark’s home page has downloads for many platforms and tons of documentation. Several companies, including CACE Technologies, offer services and enhanced product offerings around Wireshark. Network protocol analyzer expert Laura Chappell is also an advocate of the tool, which speaks volumes about its value. She’s been doing network protocol analysis for more than 20 years, and absolutely no one is better. If you ever get a chance to see one of her seminars or bring her to your company, do it! I haven’t talked to or seen her in person in at least 10 years, but I constantly hear adulation from current customers and students.

I’m a big fan of network protocol sniffing. How big? Rightly or wrongly, in the security world, we tend to size up the intelligence and capabilities of people we’ve just met. You have 15 seconds to make a lasting impression. When I find someone who can talk sniffers or network packets, I immediately elevate them to a higher echelon of security professionals. Inexperienced practitioners just don’t possess the same understanding as someone who has sniffed a network or two and pored over the results.

Understanding what you are seeing the first few tries isn’t easy. It takes time, effort, and research, but the newly gained intelligence is like entering doctoral school. Again, I have to thank Wireshark for much of that education.

This story, “Wireshark reigns among the sea of network sniffers,” was originally published at Follow the latest developments in security and read more of Roger Grimes’ Security Adviser blog at


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.
