Wireshark is the worlds foremost network protocol analyzer, and is the de facto standard across many industries and educational institutions.
- Deep inspection of hundreds of protocols, with more being added all the time
- Live capture and offline analysis
- Standard three-pane packet browser
- Multi-platform: Runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many others
- Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
- The most powerful display filters in the industry
- Rich VoIP analysis
- Read/write many different capture file formats
- Capture files compressed with gzip can be decompressed on the fly
- Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others (depending on your platfrom)
- Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2
- Coloring rules can be applied to the packet list for quick, intuitive analysis
- Output can be exported to XML, PostScript®, CSV, or plain text
# Bug Fixes
- Wireshark is unresponsive when capturing from named pipes on Windows.
- Ring buffers are no longer turned on by default when using multiple capture files.
# New and Updated Features
- Wireshark can import text dumps, similar to text2pcap.
- You can now view Wiresharks dissector tables (for example the TCP port to dissector mappings) from the main window.
- TShark can show a specific occurrence of a field when using "-T fields".
- Custom columns can show a specific occurrence of a field.
- You can hide columns in the packet list.
- Wireshark can now export SMB objects.
- dftest and randpkt now have manual pages.
- TShark can now display iSCSI, ICMP and ICMPv6 service response times.
- Dumpcap can now save files with a user-specified group id.
- Syntax checking is done for capture filters.
- You can display the compiled BPF code for capture filters in the Capture Options dialog.
- You can now navigate backwards and forwards through TCP and UDP sessions using Ctrl+, and Ctrl+. .
- Packet length is (finally) a default column.
- TCP window size is now avaiable both scaled and unscaled. A TCP window scaling graph is available in the GUI.
- 802.1q VLAN tags are now shown by the Ethernet II dissector.
- Various dissectors now display some UTF-16 strings as proper Unicode including the DCE/RPC and SMB dissectors.
- The RTP player now has an option to show the time of day in the graph in addition to the seconds since beginning of capture.
- The RTP player now shows why media interruptions occur.
- Graphs now save as PNG images by default.
- TShark can read and write host name information from and to pcapng-formatted files. Wireshark can read it. TShark can dump host name information via
* [-z hosts]
* The tshark -z option now uses the
* syntax instead of
- for all protocols that support service response time statistics. This syntax now matches Wiresharks syntax for this option.
# New Protocol Support
- ADwin, ADwin-Config, Apache Etch, Aruba PAPI, Babel Routing Protocol, Broadcast/Multicast Control, Constrained Application Protocol (COAP), Digium TDMoE, Erlang Distribution Protocol, Ether-S-I/O, FastCGI, Fibre Channel over InfiniBand (FCoIB),Gopher, Gigamon GMHDR, IDMP, Infiniband Socket Direct Protocol(SDP),JSON, LISP Control, LISP Data, LISP, MikroTik MAC-Telnet,MRP Multiple Mac Registration Protocol (MMRP) Mongo Wire Protocol,MUX27010, Network Monitor 802.11 radio header, OPC UAExtensionObjects, GPPI-GEOLOCATION-GPS, ReLOAD, ReLOAD Framing,RObust Header Compression (ROHC), RSIP, SAMETIME, SCoP, SGSAP,Tektronix Teklink, USB/AT Commands, uTorrent Transport Protocol,WAI authentication, Wi-Fi P2P (Wi-Fi Direct)
# Updated Protocol Support
* New and Updated Capture File Support
- Apple PacketLogger, Catapult DCT2000, Daintree SNA, Endace ERF, HP OpenVMS TCPTrace, IPFIX (the file format, not the protocol),Lucent/Ascend debug, Microsoft Network Monitor, NetworkInstruments, TamoSoft CommView