Slashdot Mirror


Wireshark 1.0 Released

katterjohn writes "After almost 10 years of work, Wireshark 1.0 has been released. Wireshark is the award-winning protocol analyzer, formerly known as Ethereal. The release features several security fixes and an experimental package for Max OS X Intel."

123 comments

  1. Say ... by ScrewMaster · · Score: 5, Interesting

    would this still be illegal in Germany?

    --
    The higher the technology, the sharper that two-edged sword.
    1. Re:Say ... by Anonymous Coward · · Score: 2, Informative

      Since there aren't any court decisions based on that relatively new law, nobody knows. (The point of the law actually is that you can interpret it in basically any way you want.) The state attorney dismissed a case against the Bundesamt für Sicherheit in der Informationstechnik (Federal Bureau for Security in Information Technology) because they are distributing software of the kind via the Web, though.

    2. Re:Say ... by sumdumass · · Score: 1

      Start a religion around it. The German constitution says something along the lines of unrestricted religious expression.

    3. Re:Say ... by sethawoolley · · Score: 1

      Start a religion around it. The German constitution says something along the lines of unrestricted religious expression. That appears to contradict Scientology's greeting by the German government.
    4. Re:Say ... by whmac33 · · Score: 1

      German law doesn't have the concept of precedent. Each case would be decided on its own based on the law as written and not previous cases.

      IANAL and IANAGL

    5. Re:Say ... by sumdumass · · Score: 1

      Yes it does. Perhaps my source is incorrect. Check out article 4. My understanding is that this is the current constitution after the reunification of East Germany but, as you pointed out, I might be wrong.

    6. Re:Say ... by Anonymous Coward · · Score: 1, Insightful

      He said religion

    7. Re:Say ... by Kadin2048 · · Score: 5, Informative

      I think they just decided that Scientology wasn't a religion, but a business cum Ponzi scheme in clerical collars.

      Also I think what they prohibited wasn't the practice of Scientology per se, but the Church of Scientology as an organization. That the CoS believes you can't practice the 'religion' without them is kind of a separate issue. But if you want to sit in your house and think Scientology thoughts in Germany, I think you'd be protected. They just take a dim view of the whole converting-others-and-fleecing-them bit. Historically, even religiously tolerant societies have had different reactions to aggressive proselyting.

      It is a bit arbitrary, since I could think of a few other religions that aren't a ton better, but you have to admit the CoS is particularly bald-faced.

      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    8. Re:Say ... by Anonymous Coward · · Score: 0

      One might also add that the CoS actually *does* operate in Germany. The feds (think FBI) are keeping an eye on them, but the organisation is certainly present and active.

    9. Re:Say ... by sinthoras · · Score: 1

      Well, I listened to a talk at the Chemnitzer Linux Tage 2007, it was right before that new law, and the speaker said that it is not clearly defined if such a tool would be illegal or not, because you can actually use it to gain passwords etc., but since this is not the intention of the program it is not clear, as I already said. After all, if you just use it for your own network I think there should be no problem :)
      If you want to use it at work, I would recommend asking at the appropriate institution (law department or so).
      I myself live in Germany and use this tool for network issues in my private LAN.

    10. Re:Say ... by Anonymous Coward · · Score: 0

      How exactly is this related to "Wireshark 1.0 Released"?

  2. More useful than you would think by CRCulver · · Score: 2, Informative

    Wireshark is far from being an egghead tool that only professionals might use. It's also useful for running aircrack-ng. I'm happy they've finally reached 1.0.

    1. Re:More useful than you would think by Anonymous Coward · · Score: 5, Funny

      And aircrack-ng is far from an egghead tool. It's useful for... wait a minute....

    2. Re:More useful than you would think by Nocturnal+Deviant · · Score: 1

      too bad this great tool...er website got slashdotted maybe too many people were using wireshark 1.0 while they were browsing the page...just kidding anyways time to google for mirrors Mirror: http://linux.softpedia.com/get/Internet/HTTP-WWW-/Ethereal-1961.shtml

      --
      -Noc
    3. Re:More useful than you would think by glavenoid · · Score: 0, Troll

      Hehe. No kidding (about the egghead professional thing)! A few years ago I was piggybacking off of the neighbor's wireless, as I just moved in to a new place. Since they didn't change the default router/WAP settings, I did, using a similar scheme as the (*BUSINESS*) down the street. Since they no longer had access to their own router I decided to play kind: I had an identical model router/WAP (Netgear) that I set up in the following way: their internet-> their router-> my wireless card-> my computer-> Ethereal-> my NETGEAR-> (can you see where this is going?)...

      Needless to say, don't use plaintext to transmit your email passwords. Thanks to (then) Ethereal, I was able to obtain way too much information about these people than I should have. And gimme a break, this is/was the only "black hat" thing I've ever done...

      Now that I think about it, I was allowing them to share *their own* internet connection *from me*. I feel like such a dick.

      --
      I, for one, am looking forward to the inevitable /. beta rollout fallout.
    4. Re:More useful than you would think by Anonymous Coward · · Score: 0

      Sometimes, we need to randomly change the bits that a certain program/binary/application is transmitting. In this case WireShark will be useless for us.

      For example, if you play Power Soccer [powerchallenge.com], it is crucial that you can modify the data stream to randomly send out goal signals or just invalidate the score to protect your winning record.

    5. Re:More useful than you would think by Anonymous Coward · · Score: 0

      Wouldn't it just be easier to use, say, Cain to perform an ARP attack once connected to their wireless network? It substitutes SSL certificates, so even encrypted passwords are sniffed (as long as the user doesn't mind dodgy certificates). Not that I do such things personally, of course.

    6. Re:More useful than you would think by COMON$ · · Score: 1
      ummmmm, dumbass thing to do, unless I know who controls the router with default settings I keep away from it. You ever heard the term honeypot? While you were re-routing a honeypot they were logging your MAC and setting rootkits on your '1337' hacking box.

      Needless to say, don't dick around with other people's APs, some are wide open just to bait script kiddies like yourself.

      --
      CS: It is all sink or swim...oh and did I mention there are sharks in that water?
  3. Award-winning? by Anonymous Coward · · Score: 5, Interesting

    Whenever some product claims to be "award-winning", I always wonder what that award is. It's like the word "professional", that also lost its meaning. So, anybody have any pointers to any kind of "award"?

    1. Re:Award-winning? by Anonymous Coward · · Score: 4, Funny

      Whenever some product claims to be "award-winning", I always wonder what that award is.

      How could you wonder? It's "world famous"!

    2. Re:Award-winning? by stevey · · Score: 2, Funny

      Maybe an award for the number of security issues the code has historically had?

    3. Re:Award-winning? by Nykon · · Score: 3, Funny

      I don't think that's it. Microsoft always seems to clean up at THAT award ceremony. ;-)

      --
      "It's better to be a pirate then join the Navy"
    4. Re:Award-winning? by JSG · · Score: 5, Insightful

      Why do you hang around /. if you don't have the occasional use for Ether^H^H^H^H^Wireshark. It does run on Windows nicely.

      Award, hmmm, award ...

      It really doesn't matter what awards WS has won.

      It is a classic example of FOSS at its best. In the dim and distant past you paid serious money for packet capture software. Now you get the absolute dog's nadgers on a plate for nowt. It shows me everything from what a NetWare cluster is up to to a well, what more do you want? Also you can follow streams etc etc etc etc

      I personally put it up there with Apache and Samba (oh and that Linux kernel thing) as important software. OK there are quite a few others but I trust you get my point.

      Whenever someone says something like "Whenever some product claims to be "award-winning", I always wonder what that award is." I trust they know what they are on about.
      ... and PHP, Python, PERL, MySQL, PostgreSQL, *BSD, Firefox, KDE, Gnome, E{n} ...

      By gum it's a good world when it comes to software.

      AWARD - PAH - use the bloody thing and give out your own awards!

    5. Re:Award-winning? by New_Age_Reform_Act · · Score: 1, Funny

      Well unless we are talking about the following awards:

      http://successfulsoftware.net/2007/08/16/the-software-awards-scam/

      --
      "The New Age. The New Beginning."
    6. Re:Award-winning? by Kadin2048 · · Score: 1

      > Now you get the absolute dog's nadgers on a plate for nowt.

      Wait, Wireshark will give you real-time quotes of the dog-testicles-to-newts exchange ratio? I've been waiting for that feature for years!

      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    7. Re:Award-winning? by Anonymous Coward · · Score: 0

      -5 Unfunny

    8. Re:Award-winning? by gosand · · Score: 1

      I don't see your point, "award-winning" and "professional" are both perfectly cromulent words.

      --

      My beliefs do not require that you agree with them.

    9. Re:Award-winning? by jZnat · · Score: 1

      Not even sendmail or BIND could beat Microsoft? Simply amazing.

      --
      'Yes, firefox is indeed greater than women. Can women block pops up for you? No. Can Firefox show you naked women? Yes.'
  4. Yes, Yes, and it does... (Buried Lede?) by curmudgeon99 · · Score: 5, Insightful

    Now come on! What sort of a lede is that? Just a tease and no candy? What does Wireshark 1.0 DO for pete's sake?

    1. Re:Yes, Yes, and it does... (Buried Lede?) by Anonymous Coward · · Score: 1, Funny

      It causes network admins to say "we're gonna need a bigger baud"

    2. Re:Yes, Yes, and it does... (Buried Lede?) by Midnight+Thunder · · Score: 1, Informative

      Now come on! What sort of a lede is that? Just a tease and no candy? What does Wireshark 1.0 DO for pete's sake?
      A quick read: "Network protocol analyzer for Windows and Unix that allows examination of data from a live network, or from a capture file on disk." Basically it is tcpdump with a GUI.

      --
      Jumpstart the tartan drive.
    3. Re:Yes, Yes, and it does... (Buried Lede?) by calebt3 · · Score: 2, Insightful

      But what was added to make it 1.0? What is new?

    4. Re:Yes, Yes, and it does... (Buried Lede?) by kasparov · · Score: 5, Funny

      Now come on! What sort of a lede is that? Just a tease and no candy? What does Wireshark 1.0 DO for pete's sake? A quick read: "Network protocol analyzer for Windows and Unix that allows examination of data from a live network, or from a capture file on disk." Basically it is tcpdump with a GUI. That is kind of like saying a bulldozer is like a shovel, but yellow.
      --
      There's no place I can be, since I found Serenity.
    5. Re:Yes, Yes, and it does... (Buried Lede?) by Jurily · · Score: 1

      Sorry, it's a secret. Wireshark.org is slashdotted.

    6. Re:Yes, Yes, and it does... (Buried Lede?) by CastrTroy · · Score: 2, Informative

      Couldn't have put it better myself. Wireshark gives you a ton of tools for filtering through all the ongoing connections, and really looking at what's going on with your network.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    7. Re:Yes, Yes, and it does... (Buried Lede?) by kylehase · · Score: 4, Funny

      The previous version was 0.99.8 so 0.00.2 was added to make it 1.0.0

      --
      You want fun, go home and buy a monkey!
    8. Re:Yes, Yes, and it does... (Buried Lede?) by lazy_nihilist · · Score: 1

      That is kind of like saying a bulldozer is like a shovel, but yellow. Not a car analogy but close enough. I'll take it. :-)
    9. Re:Yes, Yes, and it does... (Buried Lede?) by todorb · · Score: 1, Informative

      You're wrong, this would have made it 0.99.10. 1.-99.0 must have been added.

    10. Re:Yes, Yes, and it does... (Buried Lede?) by Midnight+Thunder · · Score: 1

      But what was added to make it 1.0? What is new?

      Ah I thought you wanted a general outline. To see what changed check out the release notes:

      http://www.wireshark.org/docs/relnotes/wireshark-1.0.0.html

      --
      Jumpstart the tartan drive.
  5. Thanks! by mudshark · · Score: 5, Informative

    I'll be off to update mine today. It's the best improvement on tcpdump I've ever used.

    --
    In other news, astrophysicists have announced that they now know what all that dark matter is: it's stupidity.
    1. Re:Thanks! by dubl-u · · Score: 2, Insightful

      I'll be off to update mine today. It's the best improvement on tcpdump I've ever used.

      Amen to that. "Assemble TCP Stream" alone is a glorious thing, and there's so much more.

      Still, I'm a little sad that it's now v1.0. It seemed much more advanced when it was 0.9.99.9921 or whatever the last prerelease version was.

    2. Re:Thanks! by UncleTogie · · Score: 2, Interesting

      Amen to that. "Assemble TCP Stream" alone is a glorious thing, and there's so much more.

      Ditto. It was the first thing I noticed, and seemed to work well with the {admittedly few} tests that I threw at it... Anyone else notice any discrepancies?

      --
      Don't tell me to get a life. I'm a gamer; I have LOTS of lives!
    3. Re:Thanks! by Chris+Pimlott · · Score: 1

      How does "Assemble TCP stream" differ from the "Follow TCP stream" function that's been there for ages?

    4. Re:Thanks! by Hes+Nikke · · Score: 2, Informative

      well, assemble implies that you already have all the pieces (you do), sort of like ASSEMBLING a puzzle. or a desk.

      follow implies that it'll show you anything new that comes in (i can't recall ottomh if it does this but i'd be surprised if it doesn't). think of following a trail. or a conversation.

      english is such a magical^Wgay^Winfuriating language! (said by a native speaker)

      --
      Don't call me back. Give me a call back. Bye. So yeah. But bye our, well, but alright we are on a shirt this chill.
    5. Re:Thanks! by Anonymous Coward · · Score: 0

      Anyone want to explain where this option is and what it does before we go into its discrepancies. There's been "Follow TCP Stream" for ages, what is this new Assemble option you guys are referring to?

  6. Congratulations by slashnik · · Score: 1, Interesting

    Well done to the whole team on reaching this milestone.
    This excellent and valuable tool has been a vital part of my toolkit for many years.

  7. Downloads by Skuldo · · Score: 5, Informative

    The site is slow at the moment, if you want to download the thing, skip the chase and go straight to http://sourceforge.net/projects/wireshark/

    1. Re:Downloads by gardyloo · · Score: 1

      Or just apt-get install wireshark :)

    2. Re:Downloads by gardyloo · · Score: 4, Funny

      One might want to use the "-mit Lasern" flag, of course.

    3. Re:Downloads by mpaulsen · · Score: 1

      I don't see the 1.0 release on sourceforge yet.
      Latest File Releases:
      wireshark wireshark-0.99.8 February 27, 2008 Release notes

    4. Re:Downloads by EkriirkE · · Score: 1
      --
      from 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
      to 45 2F 6E 40 3C DF 10 71 4E 41 DF AA 25 7D 31 3F
    5. Re:Downloads by AGampher · · Score: 1

      http://sourceforge.net/project/downloading.php?groupname=wireshark&filename=wireshark-setup-1.0.0.exe&use_mirror=superb-west Takes you right to the DL. The project page has the older file (from what I can see).

  8. and yet... by digitalsushi · · Score: 3, Interesting

    I wish I could sniff on multiple interfaces.

    Or exclude specific interfaces from the pseudo-device available in some versions (like my linux copy)

    Or filter out duplicate packets (not retransmissions, but the literal same packet: I bridged two interfaces, and the pseudo-device captures both the bridge and the bridge member)

    Or just add localhost to a bridge.. why I can't do this is outside my understanding (until someone gives a crafty answer)

    Or even just route all traffic destined for localhost through a physical interface first (I just want to capture all my packets, including localhost and a bridge with several ethernet members, but only once!)

    Ah, it's on the wishlist. For another day, perhaps...

    --
    slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
    1. Re:and yet... by Anonymous Coward · · Score: 5, Funny

      those features will be available in Wireshark 2.0, forecast for release in 2018 at their current pace

    2. Re:and yet... by Anonymous Coward · · Score: 2, Informative

      You can capture multiple interfaces with tcpdump or what have you, and merge them with wireshark. There is also the "any" interface in wireshark.

    3. Re:and yet... by Facegarden · · Score: 1

      It's a 1.0 Man! ;) -Taylor

      --
      Worldwide Military budgets: $2100 billion. Worldwide Space Exploration budgets: $38 billion. Really, world? Really?
    4. Re:and yet... by Creepy+Crawler · · Score: 4, Informative

      :Or just add localhost to a bridge.. why I can't do this is outside my understanding (until someone gives a crafty answer)

      It's a simple reason. Bridging is a layer 2 technology, as IP is layer 3. As I expected, a "localhost" on Linux does not have a MAC address (required for layer 2).

    5. Re:and yet... by gnalre · · Score: 1

      My no. 1 request on the wish list is to be able to easily write custom packet filters to extend coverage over protocols Wireshark does not understand. The Microsoft version (netmon) does allow it, although it's not as clear as it should be. I do note wireshark has a rudimentary Lua interface, so maybe this will be added later.

      Still it is one of the most useful tools around and free to boot!

      --
      Choose your allies carefully, it is highly unlikely you will be held accountable for the actions of your enemies
    6. Re:and yet... by asegu · · Score: 1

      Workaround solution: make multiple captures and merge them - see http://www.ethereal.com/docs/man-pages/mergecap.1.html
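      The two workarounds raised in this thread (asegu's "capture per interface, then merge", which is what mergecap does, and digitalsushi's wish to drop the literal duplicate frames that a bridge and one of its member interfaces both deliver) can be shown on a tiny scale in plain Python. The script below is an added example and is not code from Wireshark, mergecap or editcap; it parses only the classic libpcap file format (not pcapng), builds its own constructed sample captures, merges them by timestamp and then suppresses byte-identical frames within a short window, in the spirit of what editcap's -d option does on real captures. Retransmissions are not affected, because they differ in bytes (IP id, TCP sequence state), which is the distinction digitalsushi draws.

```python
"""Merge several classic pcap captures by timestamp and drop literal duplicate frames.

Added example, not Wireshark/mergecap/editcap code. All sample frames and
captures below are constructed inline so the script runs offline.
"""
import struct
from typing import Iterator, List, Tuple

PCAP_MAGIC = 0xA1B2C3D4          # microsecond-resolution pcap magic number
Packet = Tuple[int, bytes]       # (timestamp in microseconds, raw frame bytes)


def write_pcap(packets: List[Packet], linktype: int = 1) -> bytes:
    """Serialise packets into a little-endian pcap file (linktype 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)]
    for ts_us, frame in packets:
        out.append(struct.pack("<IIII", ts_us // 1_000_000, ts_us % 1_000_000,
                               len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def read_pcap(data: bytes) -> Iterator[Packet]:
    """Yield (timestamp_us, frame) for every record; accepts either byte order."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:    # same magic written big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated packet record")
        off += incl_len
        yield ts_sec * 1_000_000 + ts_usec, frame


def merge_captures(captures: List[bytes]) -> List[Packet]:
    """Interleave several captures into one timestamp-ordered list (mergecap's job)."""
    merged: List[Packet] = []
    for cap in captures:
        merged.extend(read_pcap(cap))
    merged.sort(key=lambda p: p[0])   # stable sort: equal stamps keep input order
    return merged


def drop_duplicates(packets: List[Packet], window: int = 5) -> List[Packet]:
    """Drop a frame whose bytes equal one of the previous `window` kept frames.

    This catches the bridge/member double capture; a retransmission has different
    bytes on the wire and is therefore kept.
    """
    kept: List[Packet] = []
    recent: List[bytes] = []
    for ts, frame in packets:
        if frame in recent:
            continue
        kept.append((ts, frame))
        recent.append(frame)
        if len(recent) > window:
            recent.pop(0)
    return kept


def eth_frame(src: bytes, dst: bytes, payload: bytes, ethertype: int = 0x0800) -> bytes:
    """Build a minimal Ethernet II frame (constructed sample data, not a real capture)."""
    return dst + src + struct.pack("!H", ethertype) + payload


def demo() -> dict:
    """Constructed scenario: br0 (the bridge) and eth0 (one member) both see frames 1 and 2."""
    a, b = b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x02"
    f1 = eth_frame(a, b, b"GET / HTTP/1.0\r\n")
    f2 = eth_frame(b, a, b"HTTP/1.0 200 OK\r\n")
    f3 = eth_frame(a, b, b"QUIT\r\n")             # only seen on the bridge
    br0 = write_pcap([(1_000_000, f1), (1_000_050, f2), (1_000_300, f3)])
    eth0 = write_pcap([(1_000_010, f1), (1_000_060, f2)])  # same frames, stamped a bit later
    merged = merge_captures([br0, eth0])
    unique = drop_duplicates(merged)
    return {
        "merged": len(merged),                    # 5 records after the merge
        "unique": len(unique),                    # 3 once duplicates are dropped
        "payloads": [frame[14:] for _, frame in unique],
    }


if __name__ == "__main__":
    print(demo())
```

      On real captures the same workflow is `tcpdump -i <iface> -w <iface>.pcap` per interface, `mergecap` to combine the files, and `editcap -d` to suppress duplicates before opening the result in Wireshark; the script above only reproduces the logic so the effect is visible on a handful of constructed frames.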

  9. oof - have mercy on poor wireshark.org please... by spacefiddle · · Score: 1, Funny

    looks like we've obliterated the poor thing already :(.

  10. Finally. by Dopamine,+Redacted · · Score: 1

    Finally, a software package where I can feel good about not saying "Now all we have to do is wait for version 2.0 and it'll be stable."

  11. The difference between F/OSS and commercial by Anonymous Coward · · Score: 5, Insightful

    This project took 10 years of continuous development and public testing to reach a 1.0 release. This timeframe is not atypical; F/OSS 1.0 releases are usually stable, reliable, and heavily featured. Some projects never make a 2.0 release, instead making point releases on top of 1.0 indefinitely.

    The 1.0 release of most commercial software comes after extremely limited public testing, and the developers scramble to make a 2.0 release within a year. Commercial 1.0 releases are frequently buggy and have obvious gaps in functionality, which are often not completely addressed in 2.0.

    1. Re:The difference between F/OSS and commercial by Trojan35 · · Score: 2, Insightful

      Yes, but the commercial version would have been out 8 years ago and released 2.0 7 years ago. YMMV.

    2. Re:The difference between F/OSS and commercial by jbn-o · · Score: 1

      I think you mean proprietary (or perhaps non-free) instead of commercial software. Perhaps you are right although your claim would be more convincing if it came with evidence.

      FOSS can be distributed or developed for a fee, as part of a business. Hence FOSS can be commercial software too. If you're only referring to the price someone pays to get a copy of the program, no significant distinction is made—proprietary and FOSS are available at every price, including free. The critical distinction between FOSS and non-free software has to do with what recipients of the software are allowed to do with the program when they get a copy.

    3. Re:The difference between F/OSS and commercial by Zantetsuken · · Score: 3, Interesting

      His point is that the quality of these sorts of F/OSS releases is often on par with a commercial product that would now be release 8.12 - not just 8.0 feature-wise, but .12 because of the stability. When you go to show your PHB why your company should use wireshark, tell them it's only 1.0 and yet already has tons of features and stability not found in commercial products at 8.12 releases.

    4. Re:The difference between F/OSS and commercial by rastoboy29 · · Score: 1

      It's a trip to me that you bring this up.  I just decided this evening that the FINAL release of any game by my game company will be version 1.0.

      You never know for sure when it will be stable, but you do know when you are really done with a thing.  I always think of Doom's version 1.666.  If they can plan on 666, I can plan on 1.0.

    5. Re:The difference between F/OSS and commercial by Anonymous Coward · · Score: 0

      so it would have caught up with the commercial version, eventually.

      that's a ringing endorsement right there. you may want to look into pursuing a better point, or flowering them up a little so they say something more pertinent.

    6. Re:The difference between F/OSS and commercial by grcumb · · Score: 1

      This project took 10 years of continuous development and public testing to reach a 1.0 release. This timeframe is not atypical; F/OSS 1.0 releases are usually stable, reliable, and heavily featured. Some projects never make a 2.0 release, instead making point releases on top of 1.0 indefinitely.

      That's because with FOSS, versioning actually means something.

      1.0 means that the first version of an application is both feature-complete and stable. It's possible, of course, to have software that is not feature-complete but still stable. Wireshark is a good example of that. I've been using it for years with nary an issue.

      FOSS applications, if they're maintained by people who care about the meaning behind numeric versioning, don't roll to 2.0 (i.e. the major version number) unless the application has gone through a top-to-bottom rewrite. This has only happened once to the Linux kernel, in spite of hundreds and hundreds of releases before and after the re-write.

      So, don't listen to the marketing types who tell you that bigger numbers are better. Versioning is only relevant in the context of the individual application. Something poorly re-written 6 times is not guaranteed to be better than something lovingly crafted and still not at 1.0. Compare Wireshark to a number of other traffic analysers and you'll see what I mean.

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
    7. Re:The difference between F/OSS and commercial by Anonymous Coward · · Score: 0
      I just decided this evening that the FINAL release of any game by my game company will be version 1.0.

      Good luck getting people to pony up dough for version 0.23. Who do you think you are, Microsoft?

    8. Re:The difference between F/OSS and commercial by Anonymous Coward · · Score: 0

      And yet, ethereal/wireshark still can't manage to find its way into OpenBSD's ports and packages system.

  12. 1.0 Intel OS X download link? by Anonymous Coward · · Score: 0

    Anyone know where I can find this mysterious 1.0 experimental mac build?

    The latest here ( http://www.finkconsulting.com/page7.php ) is 0.99.7

    Latest on SF is 0.99.8

    Many of the mirrors have 1.0, but seemingly only as windows executables ( http://wireshark.askapache.com/download/win32/ )

    Any ideas? Should I just wait?

    1. Re:1.0 Intel OS X download link? by VValdo · · Score: 1

      I would wait. Macports is still 99.x also.

      W

      --
      -------------------
      This is my SIG. There are many like it, but this one is mine.
  13. Download link by greenreaper · · Score: 5, Informative
  14. They should've seen it coming.. by Kolie · · Score: 0

    The imminent slashdotting that is?

  15. Useful in Biztalk by jasonmanley · · Score: 3, Interesting

    I do a lot of Biztalk dev and I often need to send data to remote HTTP locations. Usually the outgoing message is transformed inside an outgoing pipeline and it is not always easy to see exactly what is being sent to the client. This is where WireShark has come in handy. I just monitor my ethernet interface for a few seconds. The results are usually colour coded and easy to read. Very useful tool.

    --
    http://projectleader.wordpress.com
    1. Re:Useful in Biztalk by mcpkaaos · · Score: 4, Interesting

      A dev after my own heart! I use it to capture ASP.NET web service requests as it's far easier to deal with than WSE3 tracing or serializing objects before passing them to the web proxy (which usually leaves you without namespaces anyway).

      Over the years, I've found protocol analyzers to be indispensable for developing and debugging modern MS-based network apps. They hide so damned much from the developers these days, often times it's the only way to see what's really going on.

      --
      It goes from God, to Jerry, to me.
    2. Re:Useful in Biztalk by Sorthum · · Score: 1

      Urm... how is the parent a troll?

  16. Re:Downloads MOD PARENT WAY UP! by Anonymous Coward · · Score: 0

    it ees teh funzorz!111

    Someone sometimes probably said the Super Cow Powers were way too ridiculous to be included too! ;)

  17. Great Stuff by Anonymous Coward · · Score: 0

    I use the previous release at work all the time. I wrote a handful of communications drivers for various protocols and wireshark was a Godsend.

    It really helps to be able to see what all the protocols are doing, what data you're sending and the device is sending back. Sometimes I even get to point at the embedded engineer and say "Your fault!"

    Thanks to everyone who made wireshark possible!

  18. No hope now by vinn · · Score: 1
    Well, there's no hope of beating Wine now as the longest actively developed project without a 1.0 release.

    --
    ----- obSig
    1. Re:No hope now by glavenoid · · Score: 1

      You seem to be forgetting Enlightenment. If only they could wrap up the 0.17.* to a release

      --
      I, for one, am looking forward to the inevitable /. beta rollout fallout.
    2. Re:No hope now by vinn · · Score: 1

      True - they might end up overtaking Wine at some point. Wine started in 1993. I think E started in 1996 or 1997. Wine is slated to hit 1.0 in June of this year (really! we have a release schedule now!) E just has to continue plodding along for another 3 or 4 years to overtake us.

      --
      ----- obSig
  19. Hm by mattmcm · · Score: 1, Interesting

    Why do I get the feeling this is a cruel April Fool's gag? I can't see 1.0 on the Sourceforge page, and the site was Slashdotted so I can't check that. Gah.

    1. Re:Hm by Anonymous Coward · · Score: 0

      It's not. I downloaded and installed it today.
      Check out the Mr Uptime Firefox extension. It will help you load sites like this.

    2. Re:Hm by CBravo · · Score: 1

      I think the moderator didn't check the link... Because I see them just fine.

      --
      nosig today
  20. Obligatory by Anonymous Coward · · Score: 0

    Does Duke Nukem Forever come bundled with this?

  21. Helped me at work by British · · Score: 4, Interesting

    Long story short: I had a SQL client app that tried to connect to the SQL server with a hard-coded password. I needed to know the password to set on the server. Fired up wireshark, found the password, set said password on the server, and it was a go.

    1. Re:Helped me at work by ceoyoyo · · Score: 1

      Makes you wonder why it has a password at all.

    2. Re:Helped me at work by 77Punker · · Score: 3, Funny

      Another story:
      I was picking up my wireless from my neighbor and my roommate was using my computer for internet access via crossover cable.

      I needed to know the contents of his AIM messages so I fired up Wireshark.

    3. Re:Helped me at work by Ezza · · Score: 1

      I did a similar thing with a commercial FTP program I had, where I'd saved the passwords but couldn't get them back in plain text.

      So I ran wireshark, connected to each of the FTP sites I wanted and recorded the passwords.

      It was a much safer option than running some dodgy cracking tool that would probably malware my machine just to get back the passwords already on it.

      --
      I'm a perfectionist but I'm trying to cut back.
    4. Re:Helped me at work by SpiritOfGrandeur · · Score: 1

      Or you could just buy the software :p

    5. Re:Helped me at work by British · · Score: 1

      This was purchased software (given to us for free by the vendor). He didn't know the password since it was a few years old, so I did the only thing I knew how. This problem would have been avoided had the security info (i.e. passwords) been moved over to the new SQL server.

    6. Re:Helped me at work by Ilgaz · · Score: 1

      It serves great to teach non-technical home users about picking the right ISP, using SSL in all places.

      You can lecture them for hours and they will still use horribly insecure things. You fire up Wireshark with default settings and tell them their ISP or that coffee house (with wireless) admin "can run it". It is like shock therapy. When they figure the amount of data their ISP can trace about them, they may find a better and trusted one too.

  22. other version 1.0 software by Anonymous Coward · · Score: 0

    I'm sure OpenSSL (0.9.8g) will release 1.0 next week.

  23. Max OS X Intel? by TibbonZero · · Score: 0, Offtopic

    Funny, I thought it was OS X (intel) by Apple. Mac isn't a company. Mac is in reference to the computers themselves.

    --
    Tibbon
    tibbon.com
    1. Re:Max OS X Intel? by Anonymous Coward · · Score: 0
  24. Can Duke Nukem Forever be far behind? by fabu10u$ · · Score: 1

    Seriously, Wireshark has saved my bacon numerous times. We recently put in an LDAP integration between our vertical-market ERP and Active Directory, with atrocious documentation on both sides, and password management is involved so AD insists on using LDAPS. Load your private key using SSL options, and voila!

    --
    They say the mind is the first thing to ... uh, what's that saying again?
  25. obligatory Mel Brooks by sammy+baby · · Score: 1
  26. This is interesting? by slyborg · · Score: 5, Insightful

    Man, people have mod points burning holes in their keyboards tonight.

    I fail to see anything at all "interesting" in this. Taking advantage of other people because you are more knowledgeable than them, breaking the law, and then boasting about it on Slashdot is -5 Lame, especially when the level of expertise involved is what is usually ascribed to "script kiddies".

    And no, you don't get a pass because it was the "only black hat thing I've ever done", like we believe that, and it sure sounds like the entire objective of your weak excuse for "black hat" action was to sniff their traffic, since changing their router setup was hardly necessary if you just wanted to steal access.

    Maybe I'm just having an old man moment, but I kept expecting some kind of punch line in there, and it ended up just being "my neighbor left his garage door open, and I stole a six-pack out of his fridge". WTF is that about?

    1. Re:This is interesting? by Lord+Kano · · Score: 1, Flamebait

      Maybe I'm just having an old man moment, but I kept expecting some kind of punch line in there, and it ended up just being "my neighbor left his garage door open, and I stole a six-pack out of his fridge"

      What I took away was more like "My neighbors left their curtains open, so I video taped them fucking".

      My neighbor knows what the hell he's doing, if not I'd be jacking his internet right now.

      LK

      --
      "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
    2. Re:This is interesting? by Pikoro · · Score: 2, Funny

      You're glavenoid's neighbor aren't you?

      --
      "Freedom in the USA is not the ability to do what you want. It is the ability to stop others from doing what THEY want"
    3. Re:This is interesting? by ArhcAngel · · Score: 1

      "my neighbor left his garage door open, and I stole a six-pack out of his fridge"

      I KNEW it was YOU!

      --
      "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
  27. What does the /. effect look like by chinton · · Score: 1

    in Wireshark 1.0?

    1. Re:What does the /. effect look like by Slashcrap · · Score: 2, Funny

      It's easy to simulate. Just log in to a remote system via VNC/RDP and then run Wireshark on it. Remove any filters that Wireshark might automatically add to save you from yourself. You can also recreate this with SSH and tcpdump.

      I would make sure that it's not a very important remote system though.
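The loop described in the comment above is real: every screen update the remote capture pushes back over VNC/RDP/SSH is itself a packet on the wire, so the capture grows its own traffic. The usual fix is a capture filter that excludes the management session. The Python below is an added example, not code from the page or from Wireshark; it derives that exclusion from the `SSH_CONNECTION` variable an SSH session exports and wraps it into a tcpdump command line. The interface name, the capture file name and the address `192.168.1.50` of the box of interest are assumptions.

```python
"""Added example: build a capture filter that leaves out the remote session you are
watching the capture through, so tcpdump/Wireshark does not feed back on itself."""
import os
import shlex


def session_exclusion_filter(ssh_connection):
    """SSH_CONNECTION is 'client_ip client_port server_ip server_port'; return a BPF
    expression that drops exactly that TCP session in both directions ('host' and
    'port' in BPF match either end, so one clause covers both directions)."""
    parts = ssh_connection.split()
    if len(parts) != 4:
        raise ValueError("expected 'client_ip client_port server_ip server_port'")
    c_ip, c_port, s_ip, s_port = parts
    for port in (c_port, s_port):
        if not port.isdigit() or not 0 < int(port) < 65536:
            raise ValueError(f"bad port {port!r}")
    return f"not (tcp and host {c_ip} and port {c_port} and host {s_ip} and port {s_port})"


def capture_filter(exclusion, wanted=None):
    """AND the exclusion onto whatever you actually want to see, parenthesised so a
    user filter containing 'or' cannot swallow the exclusion."""
    return f"({wanted}) and {exclusion}" if wanted else exclusion


def tcpdump_argv(interface, bpf, outfile):
    """tcpdump command that writes a libpcap file for later loading in Wireshark:
    -n avoids DNS lookups (which would be more traffic to capture), -s 0 keeps whole packets."""
    return ["tcpdump", "-i", interface, "-n", "-s", "0", "-w", outfile, bpf]


if __name__ == "__main__":
    conn = os.environ.get("SSH_CONNECTION")
    if conn is None:
        # Over VNC/RDP there is no SSH_CONNECTION; supply the display session's addresses by hand.
        raise SystemExit("not in an SSH session: call session_exclusion_filter('ip port ip port') yourself")
    bpf = capture_filter(session_exclusion_filter(conn), "ip host 192.168.1.50")  # assumed box address
    print(shlex.join(tcpdump_argv("eth0", bpf, "box.pcap")))  # assumed interface and output file
```

The same exclusion is needed when you stream a remote capture into a local Wireshark (`ssh host tcpdump -w - | wireshark -k -i -`), since that pipe is also an SSH session on the capturing host.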

  28. Why wireshark by Anonymous Coward · · Score: 0

    IMHO ethereal was a much cooler name than wireshark. I wish they would change it back :)

    1. Re:Why wireshark by Kadin2048 · · Score: 1

      The name had to be changed due to a trademark issue.

      My understanding is that the lead developer started working on Ethereal while working at one company (as an F/OSS project), and then left for a competitor but continued working on it. Although the codebase was undisturbed, since it was GPL, the first company retained the rights to the 'Ethereal' name.

      There was a Slashdot FPP on it not that long ago.

      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    2. Re:Why wireshark by Guy+Harris · · Score: 1

      My understanding is that the lead developer started working on Ethereal while working at one company (as an F/OSS project), and then left

      Yes.

      for a competitor

      No - Network Integration Services is a company providing various networking services, while CACE Technologies provides various products and services for network traffic capture and analysis. They're not competitors.

      but continued working on it. Although the codebase was undisturbed, since it was GPL, the first company retained the rights to the 'Ethereal' name.

      Yes.

  29. Is Wireshark the right tool for me? by baeksu · · Score: 2, Interesting

    I have a 'black box' on my home network. It's a voip phone, provided by our local telecom, and I'd really like to see what traffic it's sending to and receiving from the outside.

    I've scanned it with nmap and not found any open ports from the outside. It's sitting behind a NAT router, and the company won't tell me which ports it would need forwarded (though somehow it's still able to receive calls and messages from the outside).

    Actually, the company says I should forward ports 20000-60000 (seriously), but I think I won't do that.

    I'm really curious to see the traffic it sends and receives, and also whether it's using any encryption. Is it possible to use Wireshark to sniff the traffic from another box that is within the same LAN, and where might one find a good tutorial for such a project?

    --
    Gnome: A never ending quest to make unix friendly to people who don't want unix and excruciating for those that do.
    1. Re:Is Wireshark the right tool for me? by Anonymous Coward · · Score: 0

      Yep, that's pretty much Wireshark's purpose. It can also read packet captures in a number of formats, in particular the libpcap format used by tcpdump.

      How does your black box access the internet? You'll need something which can capture traffic in between it and the internet, for example a Linux router. Alternatively, if you have a managed switch you might be able to get it to mirror traffic from the black box's port to your computer's port so you can listen in. Or if you've got two NICs in your PC you can set it up as a bridge. A final and fun option is to use a hub if you've got one lying around, as they essentially mirror all traffic on all ports to every other port.

      Once you've got some kind of appliance to sit between your black box and the internet, you can either run Wireshark on it directly or use something else to save a packet capture. A simple libpcap filter (for Wireshark and tcpdump) is "ip host 1.2.3.4" to limit the capture to a particular IP address.

    2. Re:Is Wireshark the right tool for me? by mvdwege · · Score: 1

      I am a bit confused by your reference to the NAT router in combination with 'same LAN'. If it is really beyond a router from the point of view of your LAN, it's no longer on the LAN. Unless it is sitting on the same LAN as your PC(s) and that router.

      If the box is on an actual shared segment of Ethernet, go into a computer store and buy a hub (a real hub, mind you, not a cheap switch). Now hang your sniffer box and the phone on the hub instead of the switch. Since Ethernet is a broadcast protocol, Wireshark will capture all packets on the local segment, and since there is now no switch, but an actual shared bus thanks to the hub, you get all packets being sent and received by your phone.

      Mart
      --
      "I know I will be modded down for this": where's the option '-1, Asking for it'?
  30. If other companies made Wireshark by Junior+J.+Junior+III · · Score: 3, Funny

    Adobe: v1.0 is released; a week later 1.0.1 is released. A few months after that, 1.0.2. Then three years go by, and suddenly it's at 2.0, which is broken from the install.

    Microsoft: v1.0 is released; no one buys it. v2.0 is released; it's still not really usable. v3.0 comes out, and people suddenly line up for it around the block. v3.0SP1 is released and fixes most of the really bad bugs while introducing a few others, some random security vulnerabilities, invalidating half the licenses of all previous versions, and causes DrDOS to crash.

    Apple: v1.0 is released, but it has a bug so Apple pulls it from the download server for a few hours, after which a patched version replaces it, with the same exact version number, and no mention of any bugfix in the release notes. Any mention of any alleged switcheroo or the problem that existed in the first 1.0 release is ruthlessly and systematically quashed in the support forums on Apple's website; unfortunately, their lawyers can't censor the entire net.

    --
    You see? You see? Your stupid minds! Stupid! Stupid!
  31. Most Germans know a racket when they see one. by Anonymous Coward · · Score: 0

    Scientology got banned in Germany after the CoS got caught stealing government documents all over the world. Really, look it up. Or see here: http://home.snafu.de/tilman/faq-you/germany.txt

    None of the murder or assassination charges against the CoS have been proved, but the circumstantial evidence that they kill people is pretty strong.

  32. How is wireshark better than tcpdump? by rayvd · · Score: 2, Informative

    One of the most useful features of wireshark is its breakdown of (known) protocols. It makes it a lot easier to follow a DHCP address acquisition or a DNS request and to dig into the individual flags of said DNS request (was it an update? did it have any prerequisites?)

    However, probably the best use I've found for Wireshark was troubleshooting VoIP with SIP and RTP. Wireshark has great plugins for visually laying out each step of the SIP conversation, including showing you where the RTP stream initiated. If you've ever tried to troubleshoot SIP via a NAT setup with various proxies like SER throughout, it's an invaluable tool. It'll even graph jitter for you. Just tcpdump to an output file and load it up in Wireshark.
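Two threads above meet here: the question about watching a VoIP box from a capture point on the LAN (libpcap files, the `ip host` filter) and this comment's point that Wireshark's value is the protocol breakdown of SIP/SDP, the RTP stream it announces, and the jitter graph. The Python below is an added example, not code from the page, from Wireshark or from tcpdump. It reads a classic libpcap file, applies the offline equivalent of `ip host <phone>`, learns the RTP port from the SDP `m=audio` line, spots the TLS record header on a TCP connection, and runs the RFC 3550 appendix A.8 jitter estimator that Wireshark's RTP analysis is based on. The capture it works on is constructed inline (documentation address ranges, no real hosts); IP checksums are left at zero and the parser does not check them.

```python
"""Added example: read a libpcap file of a VoIP box's traffic offline, apply the equivalent of the
'ip host <phone>' filter, tell SIP signalling, RTP media and TLS apart, and estimate RTP jitter
the way Wireshark's RTP analysis does (RFC 3550 appendix A.8). The sample capture is constructed."""
import struct
from collections import Counter

PCAP_MAGIC, LINKTYPE_ETHERNET, IPPROTO_TCP, IPPROTO_UDP = 0xA1B2C3D4, 1, 6, 17
SIP_STARTS = (b"INVITE ", b"ACK ", b"BYE ", b"REGISTER ", b"OPTIONS ", b"CANCEL ", b"SIP/2.0 ")


def read_pcap(data):
    """Yield (arrival time in microseconds, frame) from a classic libpcap file, either byte order."""
    order = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(struct.unpack_from("<I", data, 0)[0])
    if order is None:
        raise ValueError("not a classic libpcap file (pcapng is not handled)")
    if struct.unpack_from(order + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are decoded here")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack_from(order + "IIII", data, off)
        off += 16
        yield sec * 1_000_000 + usec, data[off:off + incl]
        off += incl


def decode(frame):
    """Walk Ethernet/IPv4/{UDP,TCP} headers; anything else (ARP, IPv6, ICMP) yields None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    src, dst = (".".join(str(b) for b in frame[i:i + 4]) for i in (26, 30))
    l4 = frame[14 + ihl:14 + struct.unpack_from("!H", frame, 16)[0]]
    if proto == IPPROTO_UDP and len(l4) >= 8:
        hdr_len = 8
    elif proto == IPPROTO_TCP and len(l4) >= 20:
        hdr_len = (l4[12] >> 4) * 4
    else:
        return None
    sport, dport = struct.unpack_from("!HH", l4, 0)
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport, "payload": l4[hdr_len:]}


def sdp_audio_port(sip_payload):
    """Port announced in the SDP 'm=audio' line: this is where the RTP stream will show up."""
    for line in sip_payload.split(b"\r\n"):
        if line.startswith(b"m=audio "):
            return int(line.split()[1])
    return None


def analyse(pcap_bytes, phone_ip, rtp_clock=8000):
    """Classify every packet to or from phone_ip. Jitter is tracked for one stream only
    (no per-SSRC state, no timestamp wrap) and reported in ms at the RTP clock (8 kHz for PT 0)."""
    kinds, media_ports, jitter, prev = Counter(), set(), 0.0, None
    for t_usec, frame in read_pcap(pcap_bytes):
        pkt = decode(frame)
        if pkt is None or phone_ip not in (pkt["src"], pkt["dst"]):
            continue  # offline equivalent of the 'ip host <phone_ip>' capture filter
        p, udp = pkt["payload"], pkt["proto"] == IPPROTO_UDP
        if udp and p.startswith(SIP_STARTS):
            kinds["sip_cleartext"] += 1
            if port := sdp_audio_port(p):
                media_ports.add(port)
        elif udp and {pkt["sport"], pkt["dport"]} & media_ports and len(p) >= 12 and p[0] >> 6 == 2:
            kinds["rtp"] += 1  # RTP and SRTP share this header, so this alone does not prove cleartext audio
            arrival, stamp = t_usec * rtp_clock // 1_000_000, struct.unpack_from("!I", p, 4)[0]
            if prev:  # D = (Rj - Ri) - (Sj - Si); J += (|D| - J) / 16
                jitter += (abs((arrival - prev[0]) - (stamp - prev[1])) - jitter) / 16
            prev = (arrival, stamp)
        elif not udp and p[:2] == b"\x16\x03":
            kinds["tls"] += 1  # TLS record header: content type 22 (handshake), major version 3
        else:
            kinds["other"] += 1
    return {"kinds": dict(kinds), "media_ports": sorted(media_ports), "rtp_jitter_ms": jitter * 1000 / rtp_clock}


# --- constructed sample capture; addresses are documentation ranges, not real hosts ---
PHONE, PROVIDER, OTHER_PC = "192.168.1.50", "203.0.113.10", "192.168.1.20"

def _ipv4(proto, src, dst, l4):  # header checksum left at zero; the parser above never checks it
    ip = lambda a: bytes(int(x) for x in a.split("."))
    return b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\x08\x00" + struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0, ip(src), ip(dst)) + l4

def _udp(src, dst, sport, dport, data):
    return _ipv4(IPPROTO_UDP, src, dst, struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data)

def _tcp(src, dst, sport, dport, data):  # data offset 5, flags PSH|ACK
    return _ipv4(IPPROTO_TCP, src, dst, struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x18, 65535, 0, 0) + data)

def _rtp(seq, ts):  # V=2, PT 0 (PCMU), fixed SSRC, 20 ms of silence
    return struct.pack("!BBHII", 0x80, 0, seq, ts, 0xDEADBEEF) + bytes(160)

def _rec(t_usec, frame):
    return struct.pack("<IIII", t_usec // 1_000_000, t_usec % 1_000_000, len(frame), len(frame)) + frame

SDP = b"v=0\r\nm=audio %d RTP/AVP 0\r\n"
SAMPLE_PCAP = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET) + b"".join([
    _rec(900_000, _udp(PHONE, PROVIDER, 5060, 5060, b"INVITE sip:555@203.0.113.10 SIP/2.0\r\n\r\n" + SDP % 20100)),
    _rec(950_000, _udp(PROVIDER, PHONE, 5060, 5060, b"SIP/2.0 200 OK\r\n\r\n" + SDP % 30000)),
    _rec(1_000_000, _udp(PROVIDER, PHONE, 30000, 20100, _rtp(1, 0))),
    _rec(1_020_000, _udp(PROVIDER, PHONE, 30000, 20100, _rtp(2, 160))),
    _rec(1_045_000, _udp(PROVIDER, PHONE, 30000, 20100, _rtp(3, 320))),  # 5 ms late: shows up as jitter
    _rec(1_100_000, _tcp(PHONE, PROVIDER, 40000, 5061, b"\x16\x03\x01\x00\x2a\x01")),  # start of a TLS ClientHello
    _rec(1_200_000, _udp(OTHER_PC, "192.0.2.53", 40001, 53, b"\x12\x34\x01\x00")),  # another host, filtered out
])

if __name__ == "__main__":
    print(analyse(SAMPLE_PCAP, PHONE))
```

On the sample this reports two cleartext SIP messages, three RTP packets on the ports the SDP announced, one TLS connection to port 5061, and about 0.31 ms of jitter from the one late packet; the other PC's DNS query never appears, which is what the `ip host` filter buys you on a busy segment. Wireshark does the same work with far more protocol coverage, and its RTP analysis keeps state per SSRC, which this example deliberately does not.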