Wireshark is an excellent network protocol analyzer with broad platform support, running on Unix-like systems and Windows. It lets users inspect live network traffic and examine saved capture files. It is feature-rich, completely free and open source, and its graphical interface makes browsing captured data intuitive. If you like Wireshark, come to Huajun Software Park to download and try it!

Wireshark software features
1. Packet capture mechanism
Underlying dependencies:
Windows: packets are captured through Npcap, an NDIS filter driver that current Wireshark installers bundle; the older WinPcap is no longer maintained.
Linux/macOS: libpcap is used, which reads packets through the kernel's AF_PACKET (PF_PACKET) sockets on Linux or the BPF device on macOS/BSD.
Promiscuous mode:
By default a network card only delivers frames addressed to it (plus broadcast and multicast). With promiscuous mode enabled, every frame that reaches the card is captured. On a switched network that is still only the traffic the switch forwards to your port; to see other hosts' conversations you need a SPAN/mirror port or a network TAP. Capturing requires elevated privileges: on Linux, give dumpcap the capture capabilities (the wireshark group created by the package, or setcap cap_net_raw,cap_net_admin=eip on the dumpcap binary) rather than running the Wireshark GUI as root, because the GUI parses untrusted input.
2. Protocol parsing engine
Hierarchical analysis:
Wireshark dissects each packet layer by layer, from the link layer (Ethernet frame) up to the application layer (for example an HTTP payload); each dissector hands the remaining bytes to the next one based on a type field, a port number, or a heuristic look at the payload (the QUIC dissector, for instance, only runs on packets that look like QUIC).
Each protocol is handled by its own dissector module, and additional dissectors can be loaded as plugins or Lua scripts.
Field association:
Related packets are linked automatically: an HTTP request carries a reference to the frame holding its response, and "Follow TCP Stream" reassembles the whole conversation.
3. Performance optimization technology
Ring buffer:
During capture, output can be rotated across multiple files by size or time (the "ring buffer" options in the capture dialog), so no single file grows unbounded and the oldest files are discarded automatically.
Process separation:
Capture is performed by the separate dumpcap process, so dissection and rendering in the GUI do not slow down packet capture; for sustained high-rate capture, run dumpcap or tshark directly with a capture filter instead of the GUI.
Throughput limits:
Wireshark captures through libpcap/Npcap and does not bypass the kernel network stack (it has no DPDK-style zero-copy path), so at multi-gigabit rates expect dropped packets; narrow the capture filter, write to fast storage, or capture with dedicated hardware and analyze the file offline.
Wireshark software features
1. Multi-protocol support and in-depth analysis
Protocol coverage:
Dissectors exist for more than 3,000 protocols, from the link layer (Ethernet, IEEE 802.11) to the application layer (HTTP, DNS, SMTP, MQTT).
This includes vendor protocols (Cisco EIGRP, Microsoft SMB) and encrypted protocols (TLS/SSL, IPsec); these can be decrypted when the keys are supplied, for example a TLS key log file (SSLKEYLOGFILE) or the server's RSA private key for RSA key exchange, or the ESP SA keys for IPsec.
Analysis depth:
Each packet is dissected layer by layer, showing field values and the protocol interaction (the TCP three-way handshake, an HTTP request/response pair).
Custom protocols can be dissected with Lua scripts, which is how unusual cases such as proprietary industrial control protocols are often handled (Modbus itself already ships with a built-in dissector).
2. Real-time packet capture and offline analysis
Live capture:
Captures from wired interfaces (Ethernet), wireless interfaces (Wi-Fi, where monitor mode is required to see other stations' 802.11 frames) and virtual interfaces (VMware, VPN adapters).
Several interfaces can be captured at once, which makes it easy to compare the data flows on different links.
Offline analysis:
Saved capture files (.pcap, .pcapng) can be opened on any supported platform (Windows/Linux/macOS).
There is no hard limit on file size, but Wireshark keeps per-packet state for the whole file in memory, so multi-gigabyte files load slowly; split them with editcap (by packet count with -c, or by time interval with -i) or query them with tshark.
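The layer-by-layer dissection described under "Protocol parsing engine" and the classic .pcap layout used for offline analysis, as an added Python example that is not Wireshark's own code. It writes a few constructed Ethernet/IPv4/TCP frames into an in-memory pcap, reads them back honouring the byte order signalled by the magic number, and dissects each layer only when the previous layer's type field selects it, validating the IPv4 and TCP checksums the way Wireshark's checksum validation does. The MAC addresses, IP addresses and HTTP payload are made up for the example; only microsecond-resolution Ethernet pcaps are handled.

```python
import socket
import struct
from typing import Any, Dict, Iterator, List, Tuple

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
LINKTYPE_ETHERNET = 1  # pcap link type 1: every record starts with a 14-byte Ethernet header


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, as used by the IPv4 and TCP headers (0 when valid)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str, sport: int, dport: int,
                flags: int, payload: bytes = b"", seq: int = 1, ack: int = 0) -> bytes:
    """Assemble a constructed Ethernet/IPv4/TCP frame with valid checksums (sample data, not a capture)."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    tcp_len = 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, 0x4000, 64, IPPROTO_TCP, 0, src, dst)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, IPPROTO_TCP, tcp_len)  # TCP pseudo-header
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", inet_checksum(pseudo + tcp_hdr + payload)) + tcp_hdr[18:]
    eth_hdr = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    return eth_hdr + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + tcp_hdr + payload


def write_pcap(frames: List[bytes]) -> bytes:
    """Classic libpcap layout: 24-byte global header, then a 16-byte record header before each frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):  # constructed timestamps, one second apart
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data: bytes) -> Iterator[Tuple[float, bytes]]:
    """Yield (timestamp, frame); the magic number reveals the writer's byte order."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:  # 0xa1b23c4d would mean nanosecond timestamps; pcapng starts with block type 0x0a0d0d0a
        raise ValueError("not a microsecond-resolution classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def dissect(frame: bytes) -> Dict[str, Any]:
    """Dissect layer by layer; each layer is parsed only if the previous layer's type field selects it."""
    pkt: Dict[str, Any] = {"eth.dst": frame[0:6].hex(":"), "eth.src": frame[6:12].hex(":"),
                           "eth.type": struct.unpack("!H", frame[12:14])[0]}
    if pkt["eth.type"] != ETHERTYPE_IPV4:
        pkt["data"] = frame[14:]  # ARP, IPv6, ...: this toy stops here and keeps the raw bytes
        return pkt
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    pkt.update({"ip.src": socket.inet_ntoa(ip[12:16]), "ip.dst": socket.inet_ntoa(ip[16:20]),
                "ip.ttl": ip[8], "ip.proto": ip[9],
                "ip.checksum.status": "good" if inet_checksum(ip[:ihl]) == 0 else "bad"})
    if pkt["ip.proto"] != IPPROTO_TCP:
        pkt["data"] = ip[ihl:total_len]  # UDP, ICMP, ...: would be handed to their own dissectors
        return pkt
    tcp = ip[ihl:total_len]  # the IP total length excludes any Ethernet padding after the segment
    sport, dport, seq, ack, off_byte, flags = struct.unpack("!HHIIBB", tcp[:14])
    pseudo = ip[12:20] + struct.pack("!BBH", 0, IPPROTO_TCP, len(tcp))
    pkt.update({"tcp.srcport": sport, "tcp.dstport": dport, "tcp.seq": seq, "tcp.ack": ack,
                "tcp.flags.syn": bool(flags & 0x02), "tcp.flags.ack": bool(flags & 0x10),
                "tcp.checksum.status": "good" if inet_checksum(pseudo + tcp) == 0 else "bad",
                "tcp.payload": tcp[(off_byte >> 4) * 4:]})
    return pkt


def dissect_pcap(data: bytes) -> List[Dict[str, Any]]:
    packets = []
    for ts, frame in read_pcap(data):
        pkt = dissect(frame)
        pkt["frame.time_epoch"] = ts
        packets.append(pkt)
    return packets


# Constructed sample traffic: a TCP handshake to port 443 and a clear-text HTTP POST to port 80.
SAMPLE_FRAMES = [
    build_frame("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "192.168.1.10", "192.168.1.1", 51000, 443, 0x02),
    build_frame("aa:bb:cc:00:00:02", "aa:bb:cc:00:00:01", "192.168.1.1", "192.168.1.10", 443, 51000, 0x12, ack=2),
    build_frame("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "192.168.1.10", "10.0.0.5", 51001, 80, 0x18,
                b"POST /login HTTP/1.1\r\nHost: 10.0.0.5\r\n\r\nuser=a&pass=b", seq=100, ack=200),
]
SAMPLE_PCAP = write_pcap(SAMPLE_FRAMES)
```

Flipping one header byte of a frame (for example the TTL) turns ip.checksum.status to "bad" while the TCP checksum stays "good", which is exactly the split Wireshark shows when a middlebox rewrites a packet; note that on a real capture host, checksum offloading makes outgoing packets look "bad" unless validation is disabled in the protocol preferences.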
3. Powerful filtering and search functions
Display filter:
Filters the packets already captured, using protocol field names, comparisons and logical operators (&&, ||, !).
Examples:
http.request.method == "POST": show only HTTP POST requests.
tcp.port == 443 && ip.addr == 192.168.1.1: show TLS traffic to or from 192.168.1.1 (ip.addr and tcp.port match either endpoint of the packet).
Capture filter:
Set before capture starts to discard irrelevant traffic in the kernel, using BPF syntax (for example host 192.168.1.100 and port 80); unlike a display filter, packets it rejects are never recorded, so it cannot be undone afterwards.
Advanced search:
Packet contents can be searched with regular expressions, both in the Find Packet dialog and with the matches display filter operator (for example http.file_data matches "credit_card=\d{16}" to locate card numbers sent in clear text).
4. Data visualization and statistics
Chart tools:
I/O Graph: plots traffic over time, with separate series defined by display filters (for example per protocol, address or port).
TCP Stream Graphs: visualize retransmissions, out-of-order segments and window size changes for one connection.
Protocol Hierarchy statistics: show the share of each protocol in the capture (for example HTTP 60%, DNS 10%).
Geolocation:
With MaxMind GeoIP databases configured (they must be downloaded and set up manually under the name resolution preferences), endpoints are annotated with their location and can be plotted on a map from the Endpoints dialog.
5. Export and collaboration functions
Data export:
Packet dissections can be exported as CSV, XML (PDML/PSML) or JSON for further processing in other tools (Excel, Python scripts).
Specific fields can be extracted (for example all HTTP URLs or DNS query names), and files carried by HTTP, SMB and similar protocols can be saved with Export Objects.
Collaborative analysis:
Captures can be taken on remote hosts through the sshdump extcap interface (over SSH) or with rpcap, and shared as pcapng files, which can carry per-packet comments. Note that rpcap by default sends the captured traffic over the network unencrypted, so prefer SSH-based capture outside a trusted network.
Wireshark software FAQ
What should I do if I don't know enough about network protocols?
Learn the fundamentals of the TCP/IP protocol stack and how the common protocols work. Wireshark's dissections are much easier to read once you know what a normal handshake or request/response exchange looks like, which in turn makes network analysis and troubleshooting with Wireshark far more effective.
Wireshark software update log
We do not provide official 32-bit Windows packages for Wireshark 4.0 and later. If you need Wireshark on that platform, we recommend using the latest 3.6 release. Issue 17779.
The Windows installers now ship with Qt 5.12.2. They previously shipped with Qt 6.2.3.
Bug fixes
The following bugs have been fixed:
Comparing a boolean field to 1 always succeeds on big-endian machines. Issue 12236.
Qt: MaxMind GeoIP column not added to Endpoints table. Issue 18320.
Fuzz job crash output: fuzz-2022-10-04-7131.pcap. Issue 18402.
RTP player may not play audio on Windows. Issue 18413.
Wireshark 4.0 breaks display filter expressions that use the > symbol. Issue 18418.
Capture filter does not work when using SSH capture and dumpcap. Issue 18420.
Packet map field value is not terminated. Issue 18428.
Packet bytes are not fully displayed when scrolling. Issue 18438.
Fuzz job crash output: fuzz-2022-10-13-7166.pcap. Issue 18467.
Decoding error for H.245 user input signal. Issue 18468.
The CFDP dissector does more than just "target filename". Issue 18495.
The home capture button does not open the capture options dialog. Issue 18506.
H.248: missing dot in protocol name. Issue 18513.
H.264: missing dot in the protocol column. Issue 18524.
New and updated features
Removed features and support
The experimental display filter syntax using angle brackets <…> for byte arrays, introduced in Wireshark 4.0.0, has been removed. A colon prefix can be used for byte arrays instead. See the User's Guide for details.
New protocol support
There are no new protocols in this version.
Updated protocol support
ASN.1 PER, CFDP, Diameter, DirectPlay, F5 Ethernet trailer, GTP, H.223, H.248, H.264, H.265, IEEE 802.11, IPv4, MBIM, O-RAN FH CUS, PFCP, RTCP, SCTP, SMB, TCP and TRANSUM
New and updated capture file support
BLF
New file format decoding support
There are no new or updated file formats supported in this release.
Huajun editor's recommendation:
After continuous improvement by its developers, Wireshark can meet all of your network analysis needs; download it and try it out. This site has also prepared TrafficMonitor (a floating network-speed monitor), Google Chrome and .NET for you.