Wireshark 1.0: the reference open source network analyser

Wireshark 1.0 (31 March 2008): protocol analyser evolution of Ethereal (1998, Gerald Combs), over 1000 protocols supported, GPLv2 licence. The dominant tool for network troubleshooting, security analysis and teaching.


Ten years of Ethereal

Wireshark was born in 1998 as Ethereal, developed by Gerald Combs at the Missouri Research and Education Network. In June 2006 the project was renamed Wireshark: Combs had left his previous employer, which held the Ethereal trademark, so the project could no longer use that name. Version 1.0 was released on 31 March 2008, a symbolic milestone ten years after the project's birth.

Licence: GPL v2. Since 2023 the project infrastructure has been run by the Wireshark Foundation, backed by Sysdig and the community.

What Wireshark does

Protocol analyser — captures network packets (libpcap on Linux/macOS, WinPcap/Npcap on Windows) and dissects them per protocol specifications, presenting a hierarchical view to the user: Ethernet → IP → TCP/UDP → application protocol.

As of 2008 it supports about 1000 protocols, growing to over 3000 in subsequent releases. The list includes everything realistically seen on networks: IP/IPv6, TCP/UDP, DNS, DHCP, HTTP and HTTPS (TLS sessions can be decrypted when the keys are supplied), SMB/CIFS, SMTP/POP/IMAP, FTP, Telnet, SSH, SSL/TLS, VoIP protocols (SIP, RTP), industrial (Modbus, DNP3, S7), wireless (802.11, Bluetooth).
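As an added illustration of the layered dissection described above (example code written for this page, not part of the original article or of Wireshark's own code): a minimal pure-Python reader for the classic libpcap file format that walks the Ethernet, IPv4 and TCP/UDP headers of a constructed one-packet capture. The MAC and IP addresses in the sample are made up.

```python
import struct

def build_sample_pcap() -> bytes:
    """Constructed sample (not a real capture): one Ethernet/IPv4/TCP SYN to port 443."""
    tcp = struct.pack("!HHIIBBHHH", 51234, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     bytes([192, 168, 1, 10]), bytes([198, 51, 100, 7]))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    frame = eth + ip + tcp
    global_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    rec_hdr = struct.pack("<IIII", 1_700_000_000, 0, len(frame), len(frame))
    return global_hdr + rec_hdr + frame

def dissect_frame(frame: bytes) -> dict:
    """Ethernet -> IPv4 -> TCP/UDP: the same layering Wireshark shows in its detail pane."""
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    info = {"eth_dst": dst.hex(":"), "eth_src": src.hex(":"), "ethertype": ethertype}
    if ethertype != 0x0800:
        return info  # ARP, IPv6, VLAN-tagged frames etc. are left undissected here
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4  # IPv4 header length in bytes; options make it > 20
    info.update(ip_src=".".join(map(str, ip[12:16])), ip_dst=".".join(map(str, ip[16:20])))
    info["proto"] = ip[9]
    l4 = ip[ihl:]
    if ip[9] in (6, 17):  # TCP and UDP both start with source port, destination port
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    if ip[9] == 6:
        info["tcp_flags"] = l4[13]  # 0x02 = SYN, 0x12 = SYN/ACK, 0x10 = ACK
    return info

def parse_pcap(data: bytes) -> list:
    """Walk the records of a classic libpcap file (24-byte global header, 16-byte record headers)."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("not a classic pcap file (pcapng and nanosecond variants not handled)")
    endian = "<" if magic == 0xA1B2C3D4 else ">"  # swapped magic = written on a big-endian host
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != 1:
        raise ValueError("this example only dissects LINKTYPE_ETHERNET (1)")
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "4I", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        info = dissect_frame(frame)
        info.update(ts=ts_sec + ts_usec / 1e6, caplen=incl_len)
        packets.append(info)
    return packets
```

Calling `parse_pcap(build_sample_pcap())` returns one dictionary per record; real captures read with `open(path, "rb").read()` work the same way as long as they are classic pcap with Ethernet framing.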

Components

  • wireshark — GTK+ GUI (later Qt from 2013)
  • tshark — CLI equivalent for scripting and automation
  • dumpcap — privileged capture helper (so the GUI itself need not run as root)
  • editcap, mergecap, rawshark — accessory tools
  • capinfos — PCAP file statistics
  • text2pcap, pcap2xml — conversions

Practical use

Typical scenarios:

  • Network troubleshooting — sysadmins debug connectivity, latency, packet loss
  • Security analysis — SOC analysts review suspicious traffic, malware C2 communications
  • Incident response — DFIR teams examine network dumps
  • Protocol development — developers verify custom implementation conformance
  • Teaching — universities use Wireshark in networking courses

Evolution

In post-2008 releases:

  • 1.8 (2012) — improved portability, new VoIP features
  • 2.0 (2015) — GUI rewrite in Qt replacing GTK+
  • 3.0 (2019) — Npcap (no longer WinPcap), HTTP/2 support
  • 4.0 (2022) — conformance improvements

Ethics and legitimate use

Wireshark is a dual-use tool: passive capture can reveal credentials if traffic is unencrypted. Legitimate use requires:

  • Formal authorisation over the analysed network
  • GDPR compliance if personal data is captured
  • PCAP anonymisation before sharing

The fact that Wireshark makes network traffic observable is one historical reason for the universal adoption of HTTPS: cleartext POP3/IMAP/SMTP credentials visible to everyone on the same network segment are a classic Wireshark demonstration.

In the Italian context

Wireshark is a daily work tool in Italy:

  • ISPs — troubleshooting routing, peering
  • Companies — network ops, security
  • Universities — networking and security teaching
  • CERTs and law enforcement — forensic analysis

References: Wireshark 1.0 (31 March 2008). Gerald Combs. Ethereal (1998). Rename 2006. GPL v2 licence. Libpcap/Npcap. Wireshark Foundation (2023, Sysdig backing).
