WEBINAR: Live Event Date: September 20, 2017 @ 1:00 p.m. ET / 10:00 a.m. PT
Designing a Proactive Approach to Information Security with Cyber Threat Hunting REGISTER >
Nmap was not the only popular open source network security tool to receive a recent upgrade. Wireshark 2.0.0 , an open source tool used for network sniffing and packet analysis, also got a major update in November.
The new release of Wireshark (formerly known as Ethereal) is important because if you want to keep your network secure you need a way to see and analyze the traffic that passes through it at the individual packet level.
To do that, you need a packet sniffer and analyzer. The open source Wireshark is the de-facto industry standard tool for this. Once up and running on a machine attached to your network, it presents a live window on much of the traffic flowing over it.
Since 2010 the Wireshark project has been sponsored by Riverbed Technology, a California-based WAN optimization hardware vendor.
Proprietary alternatives to Wireshark exist, such as Microsoft's Message Analyzer, TamoSoft's CommView, Codenomicon's Clarified Analyzer and Savvius's OmniPeek . Some of these tools are available with specialized hardware for high speed capture, and in general they may be more suitable than Wireshark for large scale "capture everything" projects or for decoding some proprietary protocols.
Reasons to Use Wireshark
But most of these run on Windows only or on a limited range of platforms, while open source Wireshark runs on many platforms including Windows, OS X, Linux and Solaris. Wireshark is also free, and many networking and security professionals have experience working with it.
Perhaps the best reason to use Wireshark is that it is the tool that a hacker will almost certainly be using. Thus, using Wireshark puts you on an equal footing.
The improvements to Wireshark in its new release are more subtle than the new features of Nmap, another popular open source network security tool that got a refresh in November, but all are designed to make packet analysis more efficient.
Wireshark's Top 5 Improvements
Improved packet capture options. Setting packet options lies at the heart of using Wireshark, and in previous versions they were spread out across many windows. These have been simplified and are now easier to access from one of just two places (Capture Options or Manage Interfaces).
Information about related packets. Information about related packets (such as a DNS request and reply packets, or SYN and ACK packets) is now shown in the main window. For example, an ACKed TCP SYN packet will have a small check mark symbol displayed alongside it in the packet list. This should make it considerably easier to follow protocol "conversations."
Better, more consistent interface. The Wireshark 2.0.0 user interface looks very similar to the old one, but behind the scenes things have changed. The UI has been rewritten using the Qt application framework, and streamlined so that it will work faster in every platform.
Multi-language support. The new interface supports multiple languages. Wireshark ships with Chinese, French, German, Japanese, Polish and Italian as well as English, and more languages will be supported soon.
Improved statistics dialogues. In the Statistics and Telephony menus, the backend code has been consolidated so that most of Wireshark's statistics now share common internal logic. This should allow workflow improvements and a much more consistent interface, according to the developers.
For more information about Wireshark and how to use it, see the Wireshark User's Guide.
Paul Rubens has been covering enterprise technology for over 20 years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.