Read-only mirror of Wireshark's Git repository at https://gitlab.com/wireshark/wireshark. GitHub won't let us disable pull requests. ☞ THEY WILL BE IGNORED HERE ☜ Please upload them at GitLab.

Overview

General Information

Wireshark is a network traffic analyzer, or "sniffer", for Linux, macOS, *BSD and other Unix and Unix-like operating systems and for Windows. It uses Qt, a graphical user interface library, and libpcap and npcap as packet capture and filtering libraries.

The Wireshark distribution also comes with TShark, which is a line-oriented sniffer (similar to Sun's snoop or tcpdump) that uses the same dissection, capture-file reading and writing, and packet filtering code as Wireshark, and with editcap, which is a program to read capture files and write the packets from that capture file, possibly in a different capture file format, and with some packets possibly removed from the capture.

The official home of Wireshark is https://www.wireshark.org.

The latest distribution can be found in the subdirectory https://www.wireshark.org/download

Installation

The Wireshark project builds and tests regularly on the following platforms:

  • Linux (Ubuntu)
  • Microsoft Windows
  • macOS / {Mac} OS X

Official installation packages are available for Microsoft Windows and macOS.

It is available as either a standard or add-on package for many popular operating systems and Linux distributions including Debian, Ubuntu, Fedora, CentOS, RHEL, Arch, Gentoo, openSUSE, FreeBSD, DragonFly BSD, NetBSD, and OpenBSD.

Additionally it is available through many third-party packaging systems such as pkgsrc, OpenCSW, Homebrew, and MacPorts.

It should run on other Unix-ish systems without too much trouble.

In some cases the current version of Wireshark might not support your operating system. This is the case for Windows XP, which is supported by Wireshark 1.10 and earlier. In other cases the standard package for Wireshark might simply be old. This is the case for Solaris and HP-UX.

Both Perl and Python 3 are needed, the former for building the man pages.

You must therefore install Perl, Python, GNU "make", and "flex" (vanilla "lex" won't work) on systems that lack them.

Full installation instructions can be found in the INSTALL file and in the Developer's Guide at https://www.wireshark.org/docs/wsdg_html_chunked/

See also the appropriate README.OS files for OS-specific installation instructions.

Usage

In order to capture packets from the network, you need to make the dumpcap program set-UID to root, or you need to have access to the appropriate entry under /dev if your system is so inclined (BSD-derived systems, and systems such as Solaris and HP-UX that support DLPI, typically fall into this category). Although it might be tempting to make the Wireshark and TShark executables setuid root, or to run them as root, please don't. The capture process has been isolated in dumpcap; this simple program is less likely to contain security holes and is thus safer to run as root.
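The privilege split described above is easy to verify on an installed system. The following is an added example, not code from the Wireshark project: it classifies a binary's set-UID state from its mode bits and owner, and flags the arrangement the paragraph warns against (a front-end carrying set-UID instead of dumpcap). The install paths under /usr/bin are assumptions for illustration; the audit logic itself takes plain (mode, uid) pairs so it can be exercised on constructed values.

```python
import os
import stat

# Added example (not part of the Wireshark project): audit how the capture
# binaries are privileged. The README's guidance is that only dumpcap should be
# set-UID root (or otherwise granted capture rights), never the front-ends.

FRONT_ENDS = ("wireshark", "tshark")
CAPTURE_HELPER = "dumpcap"


def classify_privileges(mode, uid):
    """Classify a file's privilege state from its st_mode and owner uid.

    'setuid-root'    set-UID bit present and the owner is uid 0
    'setuid-nonroot' set-UID bit present but the owner is not root; the bit
                     confers nothing useful here and signals a misconfiguration
    'unprivileged'   no set-UID bit (expected for the front-ends; acceptable for
                     dumpcap when capture rights come from file capabilities or
                     a /dev/bpf group instead)
    """
    if mode & stat.S_ISUID:
        return "setuid-root" if uid == 0 else "setuid-nonroot"
    return "unprivileged"


def audit_binaries(binaries):
    """Return a sorted list of (name, label, warning) triples.

    binaries maps a program name to a (st_mode, st_uid) pair, so the logic runs
    on constructed values as well as on real os.stat() results. A warning is
    attached when a front-end carries set-UID, or when dumpcap is set-UID but
    owned by a non-root user.
    """
    findings = []
    for name, (mode, uid) in sorted(binaries.items()):
        label = classify_privileges(mode, uid)
        warning = None
        if name in FRONT_ENDS and label.startswith("setuid"):
            warning = "%s must not be set-UID; capture belongs in dumpcap" % name
        elif name == CAPTURE_HELPER and label == "setuid-nonroot":
            warning = "dumpcap set-UID bit is set but the owner is not root"
        findings.append((name, label, warning))
    return findings


def stat_binaries(paths):
    """Collect (st_mode, st_uid) for installed binaries; missing paths are skipped.

    paths maps a program name to its install location (hypothetical here)."""
    result = {}
    for name, path in paths.items():
        try:
            st = os.stat(path)
        except FileNotFoundError:
            continue
        result[name] = (st.st_mode, st.st_uid)
    return result


if __name__ == "__main__":
    # Hypothetical install paths; adjust for your distribution.
    installed = stat_binaries({
        "dumpcap": "/usr/bin/dumpcap",
        "wireshark": "/usr/bin/wireshark",
        "tshark": "/usr/bin/tshark",
    })
    for name, label, warning in audit_binaries(installed):
        print("%-10s %-15s %s" % (name, label, warning or "ok"))
```

On a system where dumpcap is granted capture rights through file capabilities rather than set-UID, the script reports it as unprivileged; that is the expected result there, and the interesting output is any warning against wireshark or tshark.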

Please consult the man page for a description of each command-line option and interface feature.

Multiple File Types

Wireshark can read packets from a number of different file types. See the Wireshark man page or the Wireshark User's Guide for a list of supported file formats.

Wireshark can transparently read gzipped versions of any of those files if zlib was available when Wireshark was compiled. CMake will automatically use zlib if it is found on your system. You can disable zlib support by running cmake -DENABLE_ZLIB=OFF.
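To make the "transparently read gzipped" behaviour concrete, here is an added example that is not Wireshark's own code (the wiretap library is written in C): a minimal reader for the classic pcap global header that undoes gzip compression when it sees the gzip magic, handles both byte orders and both timestamp resolutions, and refuses pcapng input, truncated headers and an implausible snaplen rather than trusting the length field. The sample headers are constructed in the block; the snaplen ceiling is an assumption chosen for sanity checking.

```python
import gzip
import struct

# Added example (not Wireshark's code): parse a pcap global header, accepting
# gzip-compressed input transparently the way Wireshark does when built with zlib.

PCAP_MAGIC_USEC = 0xA1B2C3D4  # timestamps in microseconds
PCAP_MAGIC_NSEC = 0xA1B23C4D  # timestamps in nanoseconds
PCAPNG_MAGIC = 0x0A0D0D0A     # pcapng Section Header Block; identical in either byte order
GZIP_MAGIC = b"\x1f\x8b"
MAX_SNAPLEN = 262144          # assumed sanity ceiling for the per-packet capture limit
HEADER_LEN = 24


def decompress_if_gzip(data):
    """Return the decompressed bytes if data starts with a gzip header, else data unchanged."""
    if data[:2] == GZIP_MAGIC:
        return gzip.decompress(data)
    return data


def parse_pcap_header(data):
    """Parse a pcap global header (after optional gunzip).

    Returns a dict with byte order, timestamp unit, version, snaplen and link type.
    Raises ValueError for pcapng input, unknown magic, a truncated header or an
    implausible snaplen, so a caller never trusts a length field blindly.
    """
    data = decompress_if_gzip(data)
    if len(data) < HEADER_LEN:
        raise ValueError("truncated header: %d bytes" % len(data))
    if struct.unpack("<I", data[:4])[0] == PCAPNG_MAGIC:
        raise ValueError("pcapng file, not classic pcap")
    for order in ("<", ">"):
        magic = struct.unpack(order + "I", data[:4])[0]
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            break
    else:
        raise ValueError("unknown magic %s" % data[:4].hex())
    vmaj, vmin, _thiszone, _sigfigs, snaplen, linktype = struct.unpack(
        order + "HHiIII", data[4:HEADER_LEN])
    if snaplen == 0 or snaplen > MAX_SNAPLEN:
        raise ValueError("implausible snaplen %d" % snaplen)
    return {
        "byte_order": "little" if order == "<" else "big",
        "ts_unit": "ns" if magic == PCAP_MAGIC_NSEC else "us",
        "version": (vmaj, vmin),
        "snaplen": snaplen,
        "linktype": linktype,
    }


def safe_parse(data):
    """Wrap parse_pcap_header so errors come back as a value instead of an exception."""
    try:
        return parse_pcap_header(data)
    except ValueError as exc:
        return {"error": str(exc)}


# Constructed sample headers (no packet records follow; only the header is parsed).
SAMPLE_LE_USEC = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, 1)
SAMPLE_BE_NSEC = struct.pack(">IHHiIII", PCAP_MAGIC_NSEC, 2, 4, 0, 0, 262144, 1)
SAMPLE_GZ = gzip.compress(SAMPLE_LE_USEC)
SAMPLE_PCAPNG = struct.pack("<I", PCAPNG_MAGIC) + b"\x00" * 20
SAMPLE_BAD_SNAPLEN = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 0xFFFFFFFF, 1)

if __name__ == "__main__":
    for name, blob in (("plain", SAMPLE_LE_USEC), ("gzip", SAMPLE_GZ),
                       ("big-endian", SAMPLE_BE_NSEC), ("pcapng", SAMPLE_PCAPNG),
                       ("truncated", SAMPLE_LE_USEC[:10]),
                       ("bad snaplen", SAMPLE_BAD_SNAPLEN)):
        print("%-12s %s" % (name, safe_parse(blob)))
```

The gzip check is deliberately done on the magic bytes rather than the file name, which is also why a renamed .gz file still opens; the cost is that a compressed file must be fully decompressed before the header can be trusted, so the size and snaplen checks run on the decompressed bytes.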

Although Wireshark can read AIX iptrace files, the documentation on AIX's iptrace packet-trace command is sparse. The iptrace command starts a daemon which you must kill in order to stop the trace. Through experimentation it appears that sending a HUP signal to that iptrace daemon causes a graceful shutdown and a complete packet is written to the trace file. If a partial packet is saved at the end, Wireshark will complain when reading that file, but you will be able to read all other packets. If this occurs, please let the Wireshark developers know at [email protected]; be sure to send us a copy of that trace file if it's small and contains non-sensitive data.

Support for Lucent/Ascend products is limited to the debug trace output generated by the MAX and Pipeline series of products. Wireshark can read the output of the wandsession, wandisplay, wannext, and wdd commands.

Wireshark can also read dump trace output from the Toshiba "Compact Router" line of ISDN routers (TR-600 and TR-650). You can telnet to the router and start a dump session with snoop dump.

CoSine L2 debug output can also be read by Wireshark. To get the L2 debug output, first enter the diags mode and then use the create-pkt-log-profile and apply-pkt-log-profile commands under the layer-2 category. For more detail on how to use these commands, consult the help command with layer-2 create ? or layer-2 apply ?.

To use the Lucent/Ascend, Toshiba and CoSine traces with Wireshark, you must capture the trace output to a file on disk. The trace is happening inside the router and the router has no way of saving the trace to a file for you. An easy way of doing this under Unix is to run telnet <ascend> | tee <outfile>. Or, if your system has the "script" command installed, you can save a shell session, including telnet, to a file. For example to log to a file named tracefile.out:

$ script tracefile.out
Script started on <date/time>
$ telnet router
..... do your trace, then exit from the router's telnet session.
$ exit
Script done on <date/time>

Name Resolution

Wireshark will attempt to use reverse name resolution capabilities when decoding IPv4 and IPv6 packets.

If you want to turn off name resolution while using Wireshark, start Wireshark with the -n option to turn off all name resolution (including resolution of MAC addresses and TCP/UDP/SCTP port numbers to names) or with the -N mt option to turn off name resolution for all network-layer addresses (IPv4, IPv6, IPX).

You can make that the default setting by opening the Preferences dialog using the Preferences item in the Edit menu, selecting "Name resolution", turning off the appropriate name resolution options, and clicking "OK".

SNMP

Wireshark can do some basic decoding of SNMP packets; it can also use the libsmi library to do more sophisticated decoding by reading MIB files and using the information in those files to display OIDs and variable binding values in a friendlier fashion. CMake will automatically determine whether you have the libsmi library on your system. If you have the libsmi library but do not want Wireshark to use it, you can run cmake with the -DENABLE_SMI=OFF option.

How to Report a Bug

Wireshark is under constant development, so it is possible that you will encounter a bug while using it. Please report bugs at https://gitlab.com/wireshark/wireshark/-/issues. Be sure you enter into the bug:

  1. The complete build information from the "About Wireshark" item in the Help menu or the output of wireshark -v for Wireshark bugs and the output of tshark -v for TShark bugs;

  2. If the bug happened on Linux, the Linux distribution you were using, and the version of that distribution;

  3. The command you used to invoke Wireshark, if you ran Wireshark from the command line, or TShark, if you ran TShark, and the sequence of operations you performed that caused the bug to appear.

If the bug is produced by a particular trace file, please be sure to attach to the bug a trace file along with your bug description. If the trace file contains sensitive information (e.g., passwords), then please do not send it.

If Wireshark died on you with a 'segmentation violation', 'bus error', 'abort', or other error that produces a UNIX core dump file, you can help the developers a lot if you have a debugger installed. A stack trace can be obtained by using your debugger ('gdb' in this example), the wireshark binary, and the resulting core file. Here's an example of how to use the gdb command 'backtrace' to do so.

$ gdb wireshark core
(gdb) backtrace
..... prints the stack trace
(gdb) quit
$

The core dump file may be named "wireshark.core" rather than "core" on some platforms (e.g., BSD systems). If you got a core dump with TShark rather than Wireshark, use "tshark" as the first argument to the debugger; the core dump may be named "tshark.core".

Disclaimer

There is no warranty, expressed or implied, associated with this product. Use at your own risk.

Gerald Combs [email protected]

Gilbert Ramirez [email protected]

Guy Harris [email protected]

Issues
  • Update sshdump.c

    TCPDUMP Support for SSHDUMP

    opened by CanadianJeff 8
  • LTE message parsing

    Adds LTE message support. This code is borrowed from a patch proposed by [email protected] in June 2015 and adapted to fit current Wireshark code.

    opened by martin-heusse 6
  • Update packet-gtpv2.c

    The first character of apn-name was being stripped from all GTPv2 messages like CSReq, CSRes etc.

    opened by amahajan-source 5
  • Update packet-e212.c

    Added the MNC for the fourth mobile operator in Egypt, "Telecom Egypt (WE)".

    opened by SigPloiter 4
  • Update my email address

    opened by tparvais 4
  • Fixing typo in the minimum TTL field

    The field minimum_ttl was misspelled as mininum_ttl. I would suggest also updating the documentation at: https://www.wireshark.org/docs/dfref/d/dns.html#

    opened by srikwit 3
  • MiWi P2P and Star Dissector

    Microchip's proprietary IEEE 802.15.4-based wireless protocol MiWi P2P and Star network dissector source.

    opened by saravanakumar-sundaram 3
  • Fixing typo

    Changing the value of PTR from "domain name PoinTeR" to "domain name pointer". Reference: https://tools.ietf.org/html/rfc883#page-65

    opened by srikwit 3
  • Added missing Diameter AVP definitions for LTE location services

    This is a pull request for the addition of missing AVP definitions for the Diameter-based EPC Location Protocol (ELP) according to 3GPP TS 29.172 for location services in LTE (SLg interface between GMLC and MME). AVPs included in this PR cover those with codes 2524 to 2565.

    opened by FerUy 3
  • Master 1.6

    opened by KYV8 3