RealTime IT News

Where's Ethereal? It's Now Sniffing the Wire Like a Shark

If you're wondering what has happened to Ethereal, one of the most popular packet sniffing tools on the planet, it's probably because you're visiting Ethereal.com.

Though development on Ethereal may be dead, development on its forked successor Wireshark is alive, well and perhaps more focused than ever before.

Wireshark, like Ethereal, is a GPL-licensed application and is a critical tool for helping its users capture and analyze network traffic across a wide range of protocols.

In June, Ethereal's lead developer Gerald Combs changed jobs and was unable to come to terms with his former employer on the use of the name Ethereal, which is a trademarked term. So Combs forked the project (which is entirely permissible under the GPL) and renamed it Wireshark.

"Not everyone seems to know about the change though," Wireshark contributor Mike Duigou told internetnews.com.

"I am a lead developer on the JXTA p2p project, and I am frequently pointing to users who are still using Ethereal and encountering bugs in how it handles JXTA traffic to Wireshark."

You can't blame those who are still visiting Ethereal.com that don't know that the core developers have all moved, since the Ethereal.com site contains no indication or notification about Wireshark.

"We were speculating that the lack of notification on the Ethereal site has something to do with how the transition was made, i.e. an unwillingness by the owners of the Ethereal trademark," Duigou said.

Wireshark 0.99.3 is the latest version of the project formerly known as Ethereal and includes a number of improvements over its predecessors. It also fixes a few serious bugs that could potentially have been exploited as security vulnerabilities.

New in the Windows version of Wireshark is support for Kerberos and SSL decryption. Both of those features have been in the Unix NS, BSD, Solaris and Linux versions of Ethereal/Wireshark for some time.

Duigou noted that an incomplete implementation for the "gnutls" library under Windows was the cause for the delay.

"The gnutls group hadn't made much effort to package their library and there were some problems outside of the scope of Wireshark," Duigou said.

"One of the Wireshark folks stepped up and finished the packaging job though and once that was done it integrated fairly easily, almost no changes to Wireshark itself from what I saw in the commit logs."

"Wireshark depends upon quite a few external libraries, not all of which are equally supported on all platforms that Wireshark runs on," Duigou added.

"This means at times that the Wireshark feature set is uneven across platforms for reasons unrelated to Wireshark itself."

Wireshark 0.99.3 also includes updated protocol support for a long list of protocols, including: 802.11, AIM SST, AJP13, ANSI 637, AVS WLAN, BACapp, BFD, CDP, Cisco WIDS, DCERPC (DCERPC, CONV, DFS, EPM, FLDB, NETLOGON, NT, PN-IO, RS_PGO), DCOM, DHCP, DIAMETER, DTLS, EAPOL, ESP, H.225, H.245.

It also supports H.450, HTTP, IPv6, ISAKMP, Juniper, Kerberos, L2TP, LDAP, MSRP, NTLMSSP, PN-CBA, PN-RT, Prism, RSVP, RTCP, RUDP, SCSI, SCTP, SDP, SIP, SIPFRAG, Skinny, SMB, SSL, TCP, text/media, Time and XML.

Duigou noted that, since the name change, there seems to be a bit more focus and a willingness to tackle big jobs that weren't there before.

"In the lead up to the name change, when we didn't know it was going to change, and since the name change, there seems to be more focus on making Wireshark a professional quality tool," Duigou said.

"The results have been noticeable. Wireshark is now much more stable and robust. The last four months have brought considerable improvement."