Gerald Combs first started developing the open source packet sniffer Wireshark (initially called Ethereal) back in 1997, and released it in the summer of 1998. “I was working at a small ISP in the Midwest, and we were very limited on the tools that they would buy us for troubleshooting—so I decided to write a network protocol analyzer,” he recalls.
And Combs says he was soon struck by the enthusiastic response Ethereal received. “Immediately after I did the first public release, I started getting contributions from some really, really bright and talented people, and those contributions haven’t stopped,” he says. “And that’s what’s really driven the growth of the project.”
In 2006, Combs took a new job at CACE Technologies, and due to trademark issues with his former employer, he was forced to change the name of the project to Wireshark. Aside from that, he says, the most interesting thing about the project has been how much of it has stayed constant, particularly the ongoing involvement of a wide range of talented developers.
The contributions those people continue to make, Combs says, have been key to the project’s success. “If you’re working on a product that handles a particular protocol in a specific portion of the industry, it’s a no-brainer for your company to say, ‘Okay, you can spend some time writing a detector for Wireshark’ because it benefits them and it benefits everybody,” he says.
One of Wireshark’s greatest strengths, Combs says, is that it runs on just about any platform. “You can run it on Windows, Mac OS, Linux, Solaris…it runs everywhere,” he says. “And you have a GUI and a command line version—and you can get about 90 percent of the same information from each. The GUI has a few more things, but the actual packet detail and information is the same.”
The amount of detail available, Combs says, is another key asset. “The ability to follow a TCP stream was added several years ago, and we were about the only one at the time that supported that,” he says. “You can just right-click on a TCP packet, and it shows you all the information going back and forth between the client and the server.”
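The stream-following Combs describes is, underneath, a reassembly problem: pick one conversation out of a capture by its endpoint pair, then put each side's payload bytes back in sequence order while tolerating out-of-order delivery, retransmissions and segments that were never captured. The following Python is an added illustration of that logic, not Wireshark's own code; the `Segment` record and the HTTP exchange it processes are constructed here (documentation-range addresses, no real traffic), and a real tool would decode such records from pcap frames.

```python
"""Follow a TCP stream: pick one conversation out of a capture and reassemble
the bytes each side sent, in sequence order, from raw segments."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """Minimal view of a captured TCP segment (hypothetical structure; a real
    analyzer would decode these fields from pcap frames)."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    payload: bytes


def stream_key(seg):
    """Direction-independent identity of a conversation: the sorted pair of
    endpoints, so client->server and server->client map to the same stream."""
    a, b = (seg.src, seg.sport), (seg.dst, seg.dport)
    return (a, b) if a <= b else (b, a)


def reassemble_direction(chunks):
    """Order one direction's payloads by sequence number. Returns (data, gaps).
    Duplicate or overlapping bytes (retransmissions) are dropped; a hole in the
    sequence space (a segment never captured) is recorded in gaps and marked
    inline so the transcript does not silently splice unrelated bytes."""
    data, gaps, expected = bytearray(), [], None
    for seq in sorted(chunks):
        payload = chunks[seq]
        if expected is None:
            expected = seq
        if seq < expected:                       # overlaps bytes already placed
            payload = payload[expected - seq:]
            if not payload:
                continue
            seq = expected
        elif seq > expected:                     # hole in the capture
            gaps.append((expected, seq))
            data.extend(b"[%d bytes missing]" % (seq - expected))
        data.extend(payload)
        expected = seq + len(payload)
    return bytes(data), gaps


def follow_stream(segments, key):
    """Return {direction: (data, gaps)} for the conversation identified by key,
    where direction is the (src, sport, dst, dport) tuple of the sender."""
    per_direction = defaultdict(dict)
    for seg in segments:
        if stream_key(seg) != key or not seg.payload:
            continue
        d = (seg.src, seg.sport, seg.dst, seg.dport)
        per_direction[d].setdefault(seg.seq, seg.payload)   # keep first copy
    return {d: reassemble_direction(c) for d, c in per_direction.items()}


# Constructed sample capture (documentation-range addresses, not real traffic):
# an HTTP exchange whose request arrives out of order and is partly
# retransmitted, plus one segment from an unrelated DNS-over-TCP conversation.
CLIENT, SERVER = ("198.51.100.7", 51234), ("192.0.2.10", 80)
SAMPLE = [
    Segment(*CLIENT, *SERVER, 1016, b"Host: example.test\r\n\r\n"),     # arrived first
    Segment(*CLIENT, *SERVER, 1000, b"GET / HTTP/1.1\r\n"),
    Segment(*CLIENT, *SERVER, 1000, b"GET / HTTP/1.1\r\n"),             # retransmission
    Segment("198.51.100.7", 40001, "192.0.2.53", 53, 77, b"\x00\x1c"),  # other stream
    Segment(*SERVER, *CLIENT, 5000, b"HTTP/1.1 200 OK\r\n"),
    Segment(*SERVER, *CLIENT, 5017, b"Content-Length: 5\r\n\r\n"),
    Segment(*SERVER, *CLIENT, 5038, b"hello"),
]


def sample_conversation():
    """Reassemble the sample HTTP stream; returns (request, response)."""
    streams = follow_stream(SAMPLE, stream_key(SAMPLE[0]))
    request, _ = streams[(*CLIENT, *SERVER)]
    response, _ = streams[(*SERVER, *CLIENT)]
    return request, response


if __name__ == "__main__":
    req, resp = sample_conversation()
    print(req.decode(), resp.decode(), sep="\n---\n")
```

The gap marker matters for analysts: when a capture dropped segments (a common problem on busy spans), a reassembler that silently concatenates what it has produces a plausible-looking transcript that is wrong, so the hole is both reported in `gaps` and made visible in the output.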
In 2008, CACE Technologies held the first SHARKFEST conference for the Wireshark developer and user community. “It worked out really well, so we’re going to continue that,” Combs says. SHARKFEST 09 took place last month at Stanford University in Palo Alto, CA.
At SHARKFEST 08, Version 1.0 of Wireshark was released; at this year’s event, version 1.2.0 was released. New features include:
For a complete list of changes, read the 1.2.0 release notes.
CACE also released a complementary product called Pilot last year. “Whereas Wireshark focuses on showing you the very last bit and byte in a packet, Pilot gives you a great overview of the traffic on your network,” Combs says. “Pilot is very good at summarizing gigabytes and gigabytes of data, letting you spot anomalies, narrow those down, and pass that directly to Wireshark.”
Training and support
For new users, CACE works with trainer Laura Chappell, who runs Wireshark University, offering training videos, as well as periodic conferences. “She’s the best trainer I’ve seen, bar none, and if you’re not familiar with Wireshark or with protocol analysis, she’s the one to turn to,” Combs says.
Users can get support either through the free Wireshark mailing lists or through CACE’s SharkNet support service. Ironically, Combs says, most SharkNet customers tend to be experts: enterprise users whose policy requires that paid support be purchased for any product deployed on the corporate network.
Still, Combs says the best thing about Wireshark is the fact that it’s accessible to anyone. “Anybody can go pull down Wireshark and start analyzing traffic. There is a bit of a learning curve, but it’s like any other tool like this: you have to know what you’re looking at in order to properly act on that information,” he says.
Combs says the next key focus for the project on an ongoing basis is VoIP. “We’ve been pretty strong for a long time in the VoIP world, but we keep getting new VoIP functionality added: support for different protocols,” he says. “The good news there is that we’re pretty strong—and we’re going to continue to get stronger.”
Article adapted from ISP-Planet.