This free software lets you analyse network traffic in real time, and is often the best tool for troubleshooting issues on your network.
Common problems that Wireshark can help troubleshoot include dropped packets, latency issues, and malicious activity on your network. It lets you put your network traffic under a microscope, and provides tools to filter and drill down into that traffic, zooming in on the root cause of the problem. Administrators use it to identify faulty network appliances that are dropping packets, latency issues caused by machines routing traffic halfway around the world, and data exfiltration or even hacking attempts against your organisation.
Wireshark is a powerful tool that requires sound knowledge of networking basics. For most modern enterprises, that means understanding the TCP/IP stack, how to read and interpret packet headers, and how routing, port forwarding, and DHCP work, for example.
Also see: What are White hat hackers?
What does Wireshark do exactly?
Wireshark intercepts traffic and converts that binary traffic into human-readable format. This makes it easy to identify what traffic is crossing your network, how much of it, how frequently, how much latency there is between certain hops, and so forth.
While Wireshark supports more than two thousand network protocols, many of them esoteric, uncommon, or old, the modern security professional will find analysing IP packets to be of most immediate usefulness. The majority of the packets on your network are likely to be TCP, UDP, and ICMP.
Given the large volume of traffic that crosses a typical business network, Wireshark's tools to help you filter that traffic are what make it especially useful. Capture filters will collect only the types of traffic you're interested in, and display filters will help you zoom in on the traffic you want to inspect. The network protocol analyser provides search tools, including regular expressions and coloured highlighting, to make it easy to find what you're looking for.
Sometimes the best way to find anomalous traffic is to capture everything and establish a baseline.
Also see: What is ethical hacking exactly?
How to use Wireshark
You need to know what is normal to find what is abnormal, and Wireshark includes tools to create baseline statistics. While Wireshark is a network protocol analyzer, and not an intrusion detection system (IDS), it can nevertheless prove extremely useful to zeroing in on malicious traffic once a red flag has been raised.
Wireshark can also be used to intercept and analyse encrypted TLS traffic. Symmetric session keys are stored in the browser, and with the appropriate browser setting (and permission and knowledge of the user) an administrator can load those session keys into Wireshark and examine unencrypted web traffic.
Wireshark comes with graphical tools to visualise the statistics. This makes it easy to spot general trends, and to present findings to less-technical management.
Wireshark can be a learning tool
There are so many hands-on uses for Wireshark that it's easy to overlook what an effective learning tool it can be. Lifting up the hood of a car is the best way to understand how an internal combustion engine works, and likewise lifting the lid on network traffic and watching packets fly by — even drilling down to the byte level, and examining TCP headers — is a powerful way to learn, and teach others how the internet works.
Demystifying the motor that runs our information economy can only lead to better-informed business decisions and better government policy, not to mention a better-qualified workforce. Wireshark is already a staple of classroom curricula in many training settings, but the docs are complete enough at this point that an eager learner can easily download the network protocol analyser, sniff their local wifi access point, and start examining traffic.
Free Wireshark tutorial
There are lots of great free resources on how to learn Wireshark, plus tips and tricks to get the most out of the software. Here are a the ones we consider to be the best:
- I've Just Downloaded Wireshark… Now What? (PDF)
- Wireshark User's Guide
- How to Use Wireshark: A Complete Tutorial (Lifewire)
- How to Use Wireshark to Capture, Filter and Inspect Packets (How-To Geek)
Download Wireshark for free
Download at wireshark.org and start sniffing packets right away.
This article contain Amazon UK affiliate links, which means we may earn a small commission (at no extra cost to you) if a reader clicks through and makes a purchase. The prices may vary after publication, please follow links for current prices and offers.