# Wireshark — Network Protocol Analyzer and Packet Inspector

> The foremost open-source network protocol analyzer for capturing, inspecting, and troubleshooting network traffic in real time.

## Install and Quick Use

```bash
sudo apt install wireshark tshark

# Capture on an interface (CLI):
sudo tshark -i eth0 -w capture.pcap

# Read and filter a capture:
tshark -r capture.pcap -Y "http.request"

# Launch GUI:
wireshark
```

## Introduction

Wireshark is an open-source network protocol analyzer that lets you capture and interactively inspect network traffic. Originally named Ethereal, it has been the standard tool for network troubleshooting, protocol development, and security analysis since 1998. It supports hundreds of protocols and runs on all major operating systems.

## What Wireshark Does

- Captures live network traffic from Ethernet, Wi-Fi, Bluetooth, USB, and other interface types
- Decodes and displays packets for over 3,000 network protocols with detailed field breakdowns
- Filters traffic with powerful display filters (e.g., `tcp.port == 443 && tls.handshake`)
- Reassembles TCP streams and decrypts TLS sessions when keys are provided
- Exports statistics, flow graphs, and conversation summaries for analysis

## Architecture Overview

Wireshark is written in C and uses the pcap library (libpcap on Unix, Npcap on Windows) for packet capture. The dissector engine parses raw bytes into protocol trees using a plugin-based architecture. The GUI is built on Qt, while tshark provides identical analysis capabilities on the command line. Capture files use the pcapng format, supporting multiple interfaces, comments, and name resolution metadata in a single file.
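To make the architecture concrete, here is an added example (not Wireshark's own code) that does in miniature what the dissector engine and the display-filter engine described above do: it writes and reads a pcapng block chain (Section Header, Interface Description and Enhanced Packet blocks), dissects each frame into an Ethernet/IPv4/TCP protocol tree, and evaluates a small subset of display-filter syntax such as `tcp.port == 80 && ip.addr == 10.0.0.1`. All frames, addresses and ports are constructed; the reader validates the block-length envelope, which is where a truncated or corrupt capture is caught.

```python
import struct

# Constructed sample traffic: a minimal Ethernet/IPv4/TCP frame builder.
# Checksums are left at zero (Wireshark would flag them); the dissection
# below does not verify checksums either.
def build_frame(src_ip, dst_ip, sport, dport, payload=b""):
    eth = bytes.fromhex("00112233445566778899aabb0800")  # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp

def _block(btype, body):
    """pcapng block envelope: type, total length, body, padding to 4 bytes, total length again."""
    pad = (-len(body)) % 4
    total = 12 + len(body) + pad
    return struct.pack("<II", btype, total) + body + b"\x00" * pad + struct.pack("<I", total)

def build_pcapng(frames):
    """One SHB, one IDB (Ethernet), then one Enhanced Packet Block per frame."""
    shb = _block(0x0A0D0D0A, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))  # magic, v1.0, unknown section length
    idb = _block(1, struct.pack("<HHI", 1, 0, 65535))                      # linktype 1 = Ethernet, snaplen
    epbs = b"".join(_block(6, struct.pack("<IIIII", 0, 0, i, len(f), len(f)) + f)
                    for i, f in enumerate(frames))
    return shb + idb + epbs

def parse_pcapng(data):
    """Walk the block chain, validating both length fields, and return the captured frames."""
    frames, off, endian = [], 0, "<"
    while off + 12 <= len(data):
        btype = struct.unpack_from(endian + "I", data, off)[0]  # SHB type 0x0A0D0D0A reads the same either way
        if btype == 0x0A0D0D0A:
            endian = "<" if data[off + 8:off + 12] == b"\x4d\x3c\x2b\x1a" else ">"
        total = struct.unpack_from(endian + "I", data, off + 4)[0]
        if total < 12 or total % 4 or off + total > len(data):
            raise ValueError("corrupt block length at offset %d" % off)
        if struct.unpack_from(endian + "I", data, off + total - 4)[0] != total:
            raise ValueError("block length trailer mismatch at offset %d" % off)
        if btype == 6:  # Enhanced Packet Block: iface, ts_hi, ts_lo, caplen, origlen, data
            caplen = struct.unpack_from(endian + "I", data, off + 20)[0]
            frames.append(data[off + 28:off + 28 + caplen])
        off += total
    return frames

def dissect(frame):
    """Build a protocol tree the way a dissector chain does: eth -> ip -> tcp."""
    tree = {"frame": {"len": len(frame)}}
    if len(frame) < 14:
        return tree
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    tree["eth"] = {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"), "type": ethertype}
    if ethertype != 0x0800 or len(frame) < 34:
        return tree
    ihl = (frame[14] & 0x0F) * 4
    src, dst = ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
    tree["ip"] = {"src": src, "dst": dst, "proto": frame[23], "addr": {src, dst}}
    t = 14 + ihl
    if frame[23] != 6 or len(frame) < t + 20:
        return tree
    sport, dport = struct.unpack_from("!HH", frame, t)
    doff = (frame[t + 12] >> 4) * 4
    tree["tcp"] = {"srcport": sport, "dstport": dport, "port": {sport, dport},
                   "flags": frame[t + 13], "payload": frame[t + doff:]}
    return tree

def matches(tree, expr):
    """Evaluate a small subset of display-filter syntax: 'proto' or 'proto.field == value', joined by '&&'."""
    for term in (t.strip() for t in expr.split("&&")):
        if "==" in term:
            field, value = (s.strip() for s in term.split("==", 1))
            proto, _, name = field.partition(".")
            actual = tree.get(proto, {}).get(name)
            if actual is None:
                return False
            candidates = actual if isinstance(actual, set) else {actual}
            if value not in {str(c) for c in candidates}:
                return False
        elif term not in tree:
            return False
    return True

SAMPLE_FRAMES = [  # constructed; 203.0.113.0/24 is a documentation range
    build_frame("10.0.0.5", "203.0.113.10", 51000, 443, b"\x16\x03\x01"),
    build_frame("10.0.0.5", "10.0.0.1", 51001, 80, b"GET / HTTP/1.1\r\n"),
    build_frame("10.0.0.1", "10.0.0.5", 80, 51001, b"HTTP/1.1 200 OK\r\n"),
]
CAPTURE = build_pcapng(SAMPLE_FRAMES)

def filter_capture(data, expr):
    """Return (frame number, tree) for each frame matching the filter, like `tshark -r file -Y expr`."""
    return [(n, t) for n, t in enumerate(map(dissect, parse_pcapng(data)), 1) if matches(t, expr)]

if __name__ == "__main__":
    for n, t in filter_capture(CAPTURE, "tcp.port == 80 && ip.addr == 10.0.0.1"):
        print(n, t["ip"]["src"], "->", t["ip"]["dst"], t["tcp"]["srcport"], t["tcp"]["dstport"])
```

Two details mirror real Wireshark behaviour: `tcp.port` and `ip.addr` match either direction of a conversation (they are sets of both values here), and the reader switches byte order per section from the SHB's byte-order magic, since pcapng files can mix sections written on different hosts.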
## Self-Hosting & Configuration

- Install via package managers or download from wireshark.org for all platforms
- Add your user to the `wireshark` group to capture without root on Linux
- Configure capture filters (BPF syntax) to limit what is recorded at the interface level
- Set display filter macros and coloring rules for common analysis workflows
- Use profiles to save and switch between different configuration sets

## Key Features

- Over 3,000 protocol dissectors with community contributions for new protocols
- Display filters with autocompletion and syntax validation for precise traffic isolation
- TLS decryption using pre-master secret log files from browsers or applications
- VoIP analysis with RTP stream playback and call flow visualization
- Remote capture via SSH or rpcapd for analyzing traffic on headless servers

## Comparison with Similar Tools

- **tcpdump** — CLI-only packet capture; Wireshark adds GUI, deep dissection, and stream reassembly
- **tshark** — the CLI version of Wireshark with identical dissectors and filters
- **Zeek (Bro)** — network security monitor that generates logs; Wireshark focuses on interactive packet inspection
- **Fiddler** — HTTP/HTTPS debugging proxy; Wireshark captures all protocols at the network layer

## FAQ

**Q: Can Wireshark capture HTTPS content?**

A: Yes, if you provide the TLS pre-master secret log (set the `SSLKEYLOGFILE` environment variable for your browser). Without keys, you see only encrypted bytes.

**Q: Does capturing traffic require root?**

A: On Linux, add your user to the `wireshark` group. On macOS, the installer sets permissions automatically. On Windows, Npcap handles driver access.

**Q: How large can capture files get?**

A: Wireshark supports multiple-gigabyte pcapng files. Use ring buffers (`-b filesize:100000`) for continuous capture without disk exhaustion.

**Q: Can I write custom protocol dissectors?**

A: Yes. Lua plugins let you add dissectors without recompiling.
C plugins offer higher performance for complex protocols.

## Sources

- https://github.com/wireshark/wireshark
- https://www.wireshark.org/docs/

---

Source: https://tokrepo.com/en/workflows/b0af538c-43e8-11f1-9bc6-00163e2b0d79

Author: Script Depot