11/09/2015 8:00 AM
Wireshark 2.0: First Impressions

Tony Fortunato shares his initial thoughts on the updated version of the popular open source network analysis tool.

I occasionally download and check out the current Wireshark development release, which has been in the works for nearly two years. The main attraction of the updated open source network protocol analyzer is that it will introduce everyone to the Qt interface, which promises to be more responsive and generally improve Wireshark performance.

I recently put Wireshark version 2.0.0rc2 through its paces throughout the day to see if I could use it for my day-to-day work and training. Far from being a comprehensive review, this blog covers my thoughts and general impressions of the current development version.

Documentation: As I expected, it was very challenging to find documentation about the new features in 2.0.0rc2. The user's guide still references 1.99 and the revision history shows the last date as November 2014. This is not a criticism, just an FYI for those who haven't ventured into the development version before. Be prepared to figure things out on your own. If you do have questions, post them in the Q&A section on the Wireshark site.

Packet Editor: The Packet Editor seems to have been removed, or not added yet. This made me chuckle since I just wrote a blog about this relatively new feature, how much I liked it, and how I hoped the Wireshark development community would continue to develop it. Fingers crossed that this feature is just low on the priority list and hasn't been eliminated.

Nice addition: I like the added keyboard shortcut/accelerator keys under "About Wireshark."

Figure 1:

Puzzling button: For those not familiar with trying out development versions of software, sometimes you run into a button that doesn't seem to do anything, like this checkbox under Preferences -> Appearance -> Layout.

Figure 2:

Familiar settings have been moved:

  • Hide Interfaces is no longer in the Edit -> Preferences -> Capture screen, but under the Manage Interfaces button in Capture Interfaces.
  • And then there are things you take for granted until you can’t find them. For example, I could not figure out how to display the Wireshark version info in the title bar.

Figure 3:
  • No Apply button in the Preference screen.

Figure 4:
  • Statistics summary screen is now combined with the Capture file properties button in the bottom left corner.

Layout: I personally prefer the old Expert Info Tabs rather than this tree layout, which gets hard to navigate when there are many entries.

Figure 5:

Maybe that's why they added the Limit to Display Filter option and the search filter.

Figure 6:

Packet list formatting: The arrows are helpful to indicate where the commands and responses are, but I haven't figured out the vertical lines yet.

Figure 7:

RTP Player: The new VoIP/Player looks nice, but froze when I tried playing several VoIP trace files.

Figure 8:

Statistics IO graph: I love the new Statistics -> IO Graph, but hope they will put the copy feature back in.

Figure 9:

Merging files:  In the previous version of Wireshark, you could drag and drop multiple trace files, which resulted in a new file that was merged chronologically. In the new version, you just end up with opening one of the files you dragged and dropped.
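The chronological merge that drag-and-drop used to do is what mergecap still does from the command line. The following is an added example (not Wireshark or mergecap code) that shows the mechanics: two constructed little-endian pcap files with interleaved timestamps are parsed, their records sorted by (seconds, microseconds), and written back out as one capture. Record payloads here are two-byte placeholders, not real frames; a real tool would also handle big-endian and nanosecond pcap magic numbers and pcapng.

```python
"""Merge pcap captures chronologically, as mergecap (and Wireshark 1.x
drag-and-drop) does. Added example, not Wireshark's own code; the two
input captures are constructed inline."""
import struct
from typing import List, Tuple

PCAP_MAGIC = 0xA1B2C3D4        # little-endian, microsecond resolution
LINKTYPE_ETHERNET = 1
GLOBAL_HDR = "<IHHiIII"         # magic, vmaj, vmin, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "<IIII"            # ts_sec, ts_usec, incl_len, orig_len


def pcap_global_header(linktype: int = LINKTYPE_ETHERNET) -> bytes:
    return struct.pack(GLOBAL_HDR, PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)


def pcap_record(ts_sec: int, ts_usec: int, data: bytes) -> bytes:
    return struct.pack(RECORD_HDR, ts_sec, ts_usec, len(data), len(data)) + data


def parse_pcap(blob: bytes) -> Tuple[int, List[Tuple[int, int, bytes]]]:
    """Return (linktype, [(ts_sec, ts_usec, packet_bytes), ...]).

    Only the little-endian microsecond format is accepted; anything else
    (big-endian, nanosecond, pcapng) is rejected rather than misread.
    """
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack_from(GLOBAL_HDR, blob, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported capture magic 0x%08x" % magic)
    off, records = struct.calcsize(GLOBAL_HDR), []
    while off + 16 <= len(blob):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(RECORD_HDR, blob, off)
        off += 16
        data = blob[off:off + incl_len]
        if len(data) != incl_len:          # file cut off mid-record
            raise ValueError("truncated record at offset %d" % off)
        records.append((ts_sec, ts_usec, data))
        off += incl_len
    return linktype, records


def merge_pcaps(blobs: List[bytes]) -> bytes:
    """Merge captures into one file ordered by timestamp (stable for ties)."""
    linktypes, records = set(), []
    for blob in blobs:
        linktype, recs = parse_pcap(blob)
        linktypes.add(linktype)
        records.extend(recs)
    if len(linktypes) != 1:
        # classic pcap carries one link type per file; mixing them needs pcapng
        raise ValueError("captures have different link types: %s" % sorted(linktypes))
    records.sort(key=lambda r: (r[0], r[1]))
    return pcap_global_header(linktypes.pop()) + b"".join(
        pcap_record(sec, usec, data) for sec, usec, data in records)


def timestamps(blob: bytes) -> List[Tuple[int, int]]:
    return [(sec, usec) for sec, usec, _ in parse_pcap(blob)[1]]


# Constructed inputs: capture A has packets at t=100.000000 and t=102.000000,
# capture B at t=101.000000 and t=103.500000, so a plain concatenation
# would be out of order.
CAPTURE_A = pcap_global_header() + pcap_record(100, 0, b"A1") + pcap_record(102, 0, b"A2")
CAPTURE_B = pcap_global_header() + pcap_record(101, 0, b"B1") + pcap_record(103, 500000, b"B2")

if __name__ == "__main__":
    for sec, usec, data in parse_pcap(merge_pcaps([CAPTURE_A, CAPTURE_B]))[1]:
        print("%d.%06d %r" % (sec, usec, data))
```

The link-type check is the part people forget when merging by hand: concatenating a Wi-Fi capture (link type 105) onto an Ethernet one yields a file whose second half is dissected as Ethernet, which looks like corruption rather than a format mismatch.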

Formatting issues: I found some minor formatting issues in the Follow the Stream screen that make it pretty well unusable.

Figure 10:

Generally speaking, the new interface and menus in Wireshark 2.0 are definitely quicker, more responsive and cleaner. This version is by far the most stable and usable version of Wireshark. I can't wait to see the finished product, but hope they put back some of my favorite features/options.


Comments

For more info

Just saw this yesterday and couldn't get it added to the article in time, but for more information you can read Gerald Combs' article about Wireshark 2.0:

https://blog.wireshark.org/2015/11/let-me-tell-you-about-wireshark-2-0/

Re: For more info

Thanks for the link Tony, and for sharing your thoughts on the development release. Were there any improvements that you were hoping to see that are missing?

Re: For more info

Other than the odd feature that I outlined in the article, nothing major, but I plan to write a more detailed follow-up article when the next version comes out.

Re: For more info

That's great, thanks Tony, looking forward to it.

Wireshark 2 Feature Update List

This article seems more like a bug list than an actual review. BTW - there will be an "Introduction to Wireshark 2" video of the November 12th webinar over at the Wireshark website just after the event.

There are loads of new/improved features in Wireshark 2. For example:

  • USBPcap
  • Androiddump
  • Qt application framework (better user experience, especially on Mac OS X and Windows)
  • Related packet feature (the horizontal bars indicate start/end of stream)
  • Intelligent scrollbar - very cool!
  • Conversation types filterable
  • Expert filterable
  • New Wireless Toolbar
  • New Wireless menu item
  • Export Objects > TFTP
  • Edit > Configuration Profiles includes link to directory (VERY nice) - other hyperlink additions too
  • Faster display of columns using right-click
  • More options in conversation filters
  • Better starting TCP preference settings (calculate conversation timestamps, for example)
  • SSL dissector improved
  • Language support (Chinese, English, French, German, Polish, Italian, and Japanese done so far)
  • GREAT improvements to the TCP Stream Graphs
  • GREAT improvements to the IO Graph (including adding more graph items)
  • New HTTP2 Statistics
  • Improvement to UDP Multicast Streams statistics
  • Graphs can be kept open even after trace file closed (great for comparing trace file info)
  • Can use a list of ports in display filters (for example, "non-HTTP and non-SMTP to/from 192.0.2.1": ip.addr == 192.0.2.1 and not tcp.port in {80 25})
  • Background dissection - smoother Wireshark operations when opening a trace file

Hopefully folks will learn about these features in the webinar Gerald Combs (creator of Wireshark) and I will be doing this week. Anyone can visit the Wireshark website and get access to the video once it is posted.


Laura Chappell
Wireshark University
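The set-membership filter in the list above, ip.addr == 192.0.2.1 and not tcp.port in {80 25}, hides a semantic point worth checking before trusting the result: ip.addr and tcp.port each occur twice per packet (source and destination), and a comparison is true if any occurrence matches. The following is an added example, not Wireshark code, that decodes a few constructed Ethernet/IPv4/TCP frames into per-field value lists and evaluates the filter with those rules, alongside the older tcp.port != 80 form, which under the same any-occurrence rule matches nearly every packet.

```python
"""Evaluate 'ip.addr == 192.0.2.1 and not tcp.port in {80 25}' the way
Wireshark's display filter engine treats multi-occurrence fields.
Added example, not Wireshark code; all frames are constructed."""
import ipaddress
import struct
from typing import Dict, Iterable, List


def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame; checksums are zero, which is fine for decoding."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # dst/src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip + tcp


def decode(frame: bytes) -> Dict[str, List]:
    """Map field name -> list of occurrences, as the dissector tree does."""
    fields: Dict[str, List] = {}
    if frame[12:14] != b"\x08\x00":                       # not IPv4
        return fields
    ihl = (frame[14] & 0x0F) * 4
    fields["ip.addr"] = [str(ipaddress.IPv4Address(frame[26:30])),
                         str(ipaddress.IPv4Address(frame[30:34]))]
    if frame[23] == 6:                                    # protocol = TCP
        sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
        fields["tcp.port"] = [sport, dport]
    return fields


def host_not_http_smtp(fields: Dict[str, List], host: str = "192.0.2.1",
                       ports: Iterable[int] = (80, 25)) -> bool:
    """ip.addr == host and not tcp.port in {ports}: any-occurrence semantics,
    negated as a whole, so neither port may be in the set."""
    addr_match = host in fields.get("ip.addr", [])
    port_match = any(p in ports for p in fields.get("tcp.port", []))
    return addr_match and not port_match


def legacy_port_not_equal(fields: Dict[str, List], port: int = 80) -> bool:
    """tcp.port != 80 under the 2.0-era rule: true if ANY occurrence differs,
    which the ephemeral source port almost always does."""
    return any(p != port for p in fields.get("tcp.port", []))


def select(frames: List[bytes], predicate) -> List[int]:
    """Indices of frames the predicate keeps (what the packet list would show)."""
    return [i for i, f in enumerate(frames) if predicate(decode(f))]


# Constructed traffic: HTTP request, SMTP reply, HTTPS request, and an HTTPS
# request from a different host.
FRAMES = [
    build_frame("192.0.2.1", "198.51.100.7", 51000, 80),
    build_frame("198.51.100.7", "192.0.2.1", 25, 51001),
    build_frame("192.0.2.1", "198.51.100.7", 51002, 443),
    build_frame("203.0.113.5", "198.51.100.7", 51003, 443),
]

if __name__ == "__main__":
    print("in {80 25} filter keeps:", select(FRAMES, host_not_http_smtp))
    print("tcp.port != 80 keeps:  ", select(FRAMES, legacy_port_not_equal))
```

Only the HTTPS frame from 192.0.2.1 survives the set filter, while tcp.port != 80 keeps all four frames including the HTTP request, because its source port is not 80. Negating the whole membership test, as the filter in Laura's list does, is the correct way to exclude a port on either side of the conversation.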

Re: Wireshark 2 Feature Update List

Hi Laura,

Hope all is well. Sorry if it came across that way, that wasn't my intent.

All I did was install version 2, used it for some of my most common tasks and reported my initial findings.

Thanks for the added info and look forward to watching your webcast with Gerald tomorrow.

Cheers

Re: Wireshark 2 Feature Update List

Thank you, @Laura, for the impressive list. Two of the attractive features I see are Androiddump and better starting TCP preference settings (calculate conversation timestamps, for example). So does this mean we can edit and test Android dump packets?

Wireshark

Ethan Banks posted a blog with questions about Wireshark training and his answers. He had some interesting thoughts on Wireshark and packet-level network analysis.

Re: Wireshark

Thanks for sharing helpful info.

Re: Wireshark

Thank you for sharing insight on the new release. One of the impressive parts of Wireshark is its coloring scheme. Do you see any change in the coloring rules, or a new process for applying them to the packet list for quick, intuitive analysis?

Re: Wireshark

I didn't dig into that too deeply, but from what I did see, it looks pretty well the same.

Introduction to Wireshark 2.0 w/ Gerald Combs and Laura Chapp...

Here's the link to yesterday's broadcast:

https://www.youtube.com/watch?v=rLfYuO6pdVA