diff options
Diffstat (limited to 'docbook/wsug_src/wsug_introduction.adoc')
-rw-r--r-- | docbook/wsug_src/wsug_introduction.adoc | 521 |
1 files changed, 521 insertions, 0 deletions
diff --git a/docbook/wsug_src/wsug_introduction.adoc b/docbook/wsug_src/wsug_introduction.adoc new file mode 100644 index 00000000..78f32f57 --- /dev/null +++ b/docbook/wsug_src/wsug_introduction.adoc @@ -0,0 +1,521 @@ +// WSUG Chapter Introduction + +[#ChapterIntroduction] + +== Introduction + +[#ChIntroWhatIs] + +=== What is Wireshark? + +Wireshark is a network packet analyzer. A network packet analyzer +presents captured packet data in as much detail as possible. + +You could think of a network packet analyzer as a measuring device for +examining what’s happening inside a network cable, just like an electrician uses +a voltmeter for examining what’s happening inside an electric cable (but at a +higher level, of course). + +In the past, such tools were either very expensive, proprietary, or both. +However, with the advent of Wireshark, that has changed. Wireshark is +available for free, is open source, and is one of the best packet +analyzers available today. + +[#ChIntroPurposes] + +==== Some intended purposes + +Here are some reasons people use Wireshark: + +* Network administrators use it to _troubleshoot network problems_ + +* Network security engineers use it to _examine security problems_ + +* QA engineers use it to _verify network applications_ + +* Developers use it to _debug protocol implementations_ + +* People use it to _learn network protocol_ internals + +Wireshark can also be helpful in many other situations. + +[#ChIntroFeatures] + +==== Features + +The following are some of the many features Wireshark provides: + +* Available for _UNIX_ and _Windows_. + +* _Capture_ live packet data from a network interface. + +* _Open_ files containing packet data captured with tcpdump/WinDump, +Wireshark, and many other packet capture programs. + +* _Import_ packets from text files containing hex dumps of packet data. + +* Display packets with _very detailed protocol information_. + +* _Save_ packet data captured. + +* _Export_ some or all packets in a number of capture file formats. + +* _Filter packets_ on many criteria. + +* _Search_ for packets on many criteria. + +* _Colorize_ packet display based on filters. + +* Create various _statistics_. + +* ...and _a lot more!_ + +However, to really appreciate its power you have to start using it. + +<<ChIntroFig1>> shows Wireshark having captured some packets and waiting for you +to examine them. + +[#ChIntroFig1] +.Wireshark captures packets and lets you examine their contents. +image::images/ws-main.png[{screenshot-attrs}] + +==== Live capture from many different network media + +Wireshark can capture traffic from many different network media types, +including Ethernet, Wireless LAN, Bluetooth, USB, and more. The specific media +types supported may be limited by several factors, including your hardware +and operating system. An overview of the supported media types can be found at +link:{wireshark-wiki-url}CaptureSetup/NetworkMedia[]. + +==== Import files from many other capture programs + +Wireshark can open packet captures from a large number of capture +programs. For a list of input formats see <<ChIOInputFormatsSection>>. + +==== Export files for many other capture programs + +Wireshark can save captured packets in many formats, including those used by other +capture programs. For a list of output formats see <<ChIOOutputFormatsSection>>. + +==== Many protocol dissectors + +There are protocol dissectors (or decoders, as they are known in other products) +for a great many protocols: see <<AppProtocols>>. + +==== Open Source Software + +Wireshark is an open source software project, and is released under the +{gplv2-url}[GNU General Public License] (GPL). You can freely use +Wireshark on any number of computers you like, without worrying about license +keys or fees or such. In addition, all source code is freely available under the +GPL. Because of that, it is very easy for people to add new protocols to +Wireshark, either as plugins, or built into the source, and they often do! + +[#ChIntroNoFeatures] + +==== What Wireshark is not + +Here are some things Wireshark does not provide: + +* Wireshark isn’t an intrusion detection system. It will not warn you when + someone does strange things on your network that he/she isn’t allowed to do. + However, if strange things happen, Wireshark might help you figure out what is + really going on. + +* Wireshark will not manipulate things on the network, it will only “measure” + things from it. Wireshark doesn’t send packets on the network or do other + active things (except domain name resolution, but that can be disabled). + +[#ChIntroPlatforms] + +=== System Requirements + +The amount of resources Wireshark needs depends on your environment and on the +size of the capture file you are analyzing. The values below should be fine for +small to medium-sized capture files no more than a few hundred MB. Larger +capture files will require more memory and disk space. + +[NOTE] +.Busy networks mean large captures +==== +A busy network can produce huge capture files. Capturing on +even a 100 megabit network can produce hundreds of megabytes of +capture data in a short time. A computer with a fast processor, and lots of +memory and disk space is always a good idea. +==== + +If Wireshark runs out of memory it will crash. See +{wireshark-wiki-url}KnownBugs/OutOfMemory for details and workarounds. + +Although Wireshark uses a separate process to capture packets, the packet +analysis is single-threaded and won’t benefit much from multi-core systems. + +==== Microsoft Windows + +Wireshark should support any version of Windows that is still within its +https://windows.microsoft.com/en-us/windows/lifecycle[extended support +lifetime]. At the time of writing this includes Windows 11, 10, +Server 2022, +Server 2019, +and Server 2016. +It also requires the following: + +* The Universal C Runtime. This is included with Windows 10 and Windows + Server 2019 and is installed automatically on earlier versions if + Microsoft Windows Update is enabled. Otherwise you must install + https://support.microsoft.com/kb/2999226[KB2999226] or + https://support.microsoft.com/kb/3118401[KB3118401]. + +* Any modern 64-bit Intel or Arm processor. + +* 500 MB available RAM. Larger capture files require more RAM. + +* 500 MB available disk space. Capture files require additional disk space. + +* Any modern display. 1280 {multiplication} 1024 or higher resolution is + recommended. Wireshark will make use of HiDPI or Retina resolutions if + available. Power users will find multiple monitors useful. + +* A supported network card for capturing + + - Ethernet. Any card supported by Windows should work. See the wiki pages on + link:{wireshark-wiki-url}CaptureSetup/Ethernet[Ethernet capture] and + link:{wireshark-wiki-url}CaptureSetup/Offloading[offloading] for issues that + may affect your environment. + + - 802.11. See the {wireshark-wiki-url}CaptureSetup/WLAN#Windows[Wireshark + wiki page]. Capturing raw 802.11 information may be difficult without + special equipment. + + - Other media. See link:{wireshark-wiki-url}CaptureSetup/NetworkMedia[]. + +Older versions of Windows which are outside Microsoft’s extended lifecycle +support window are no longer supported. It is often difficult or impossible to +support these systems due to circumstances beyond our control, such as third +party libraries on which we depend or due to necessary features that are only +present in newer versions of Windows such as hardened security or memory +management. + +* Wireshark 4.0 was the last release branch to officially support Windows 8.1 and Windows Server 2012. +* Wireshark 3.6 was the last release branch to officially support 32-bit Windows. +* Wireshark 3.2 was the last release branch to officially support Windows 7 and Windows Server 2008 R2. +* Wireshark 2.2 was the last release branch to support Windows Vista and Windows Server 2008 sans R2 +* Wireshark 1.12 was the last release branch to support Windows Server 2003. +* Wireshark 1.10 was the last release branch to officially support Windows XP. + +See the link:{wireshark-wiki-url}Development/LifeCycle[Wireshark +release lifecycle] page for more details. + +==== macOS + +Wireshark supports macOS 10.14 and later. +Similar to Windows, supported macOS versions depend on third party libraries and on Apple’s requirements. +Apple Silicon hardware is supported natively starting with version 4.0 + +// Wireshark 4.0 ships with Qt 6.2.4, which requires macOS 10.14 and later +// Wireshark 3.6 ships with Qt 5.15, which requires macOS 10.13 and later. +// Wireshark 3.4, 3.2 and 3.0 ship with Qt 5.12, which requires macOS 10.12 and later. +// Wireshark 2.6 ships with Qt 5.3, which was the last release to support 10.6: https://wiki.qt.io/New_Features_in_Qt_5.3 +// "Mac OS 10.6 support is deprecated and scheduled for removal in Qt 5.4" + +* Wireshark 3.6 was the last release branch to support macOS 10.13. +* Wireshark 3.4 was the last release branch to support macOS 10.12. +* Wireshark 2.6 was the last release branch to support Mac OS X 10.6 and 10.7 and OS X 10.8 to 10.11. +* Wireshark 2.0 was the last release branch to support OS X on 32-bit Intel. +* Wireshark 1.8 was the last release branch to support Mac OS X on PowerPC. + +The system requirements should be comparable to the specifications listed above for Windows. + +==== UNIX, Linux, and BSD + +Wireshark runs on most UNIX and UNIX-like platforms including Linux and most BSD variants. +The system requirements should be comparable to the specifications listed above for Windows. + +Binary packages are available for most Unices and Linux distributions +including the following platforms: + +* Alpine Linux + +* Arch Linux + +* Canonical Ubuntu + +* Debian GNU/Linux + +* FreeBSD + +* Gentoo Linux + +* HP-UX + +* NetBSD + +* OpenPKG + +* Oracle Solaris + +* Red Hat Enterprise Linux / CentOS / Fedora + +If a binary package is not available for your platform you can download +the source and try to build it. Please report your experiences to +mailto:{wireshark-dev-list-email}[]. + +[#ChIntroDownload] + +=== Where To Get Wireshark + +You can get the latest copy of the program from the Wireshark website at {wireshark-download-url}. +The download page should automatically highlight the appropriate download for your platform and direct you to the nearest mirror. +Official Windows and macOS installers are signed using trusted certificates on those platforms. +macOS installers are additionally notarized. + +A new Wireshark version typically becomes available every six weeks. + +If you want to be notified about new Wireshark releases you should subscribe to the wireshark-announce mailing list. +You will find more details in <<ChIntroMailingLists>>. + +Each release includes a list of file hashes which are sent to the wireshark-announce mailing list and placed in a file named SIGNATURES-_x_._y_._z_.txt. +Announcement messages are archived at https://www.wireshark.org/lists/wireshark-announce/ and SIGNATURES files can be found at https://www.wireshark.org/download/src/all-versions/. +Both are GPG-signed and include verification instructions for Windows, Linux, and macOS. +As noted above, you can also verify downloads on Windows and macOS using the code signature validation features on those systems. + +[#ChIntroHistory] + +=== A Brief History Of Wireshark + +In late 1997 Gerald Combs needed a tool for tracking down network problems +and wanted to learn more about networking so he started writing Ethereal (the +original name of the Wireshark project) as a way to solve both problems. + +Ethereal was initially released after several pauses in development in July +1998 as version 0.2.0. Within days patches, bug reports, and words of +encouragement started arriving and Ethereal was on its way to success. + +Not long after that Gilbert Ramirez saw its potential and contributed a +low-level dissector to it. + +In October, 1998 Guy Harris was looking for something better than tcpview so he +started applying patches and contributing dissectors to Ethereal. + +In late 1998 Richard Sharpe, who was giving TCP/IP courses, saw its potential +on such courses and started looking at it to see if it supported the protocols +he needed. While it didn’t at that point new protocols could be easily added. +So he started contributing dissectors and contributing patches. + +The list of people who have contributed to the project has become very long +since then, and almost all of them started with a protocol that they needed that +Wireshark did not already handle. So they copied an existing dissector and +contributed the code back to the team. + +In 2006 the project moved house and re-emerged under a new name: Wireshark. + +In 2008, after ten years of development, Wireshark finally arrived at version +1.0. This release was the first deemed complete, with the minimum features +implemented. Its release coincided with the first Wireshark Developer and User +Conference, called Sharkfest. + +In 2015 Wireshark 2.0 was released, which featured a new user interface. + +In 2023 Wireshark moved to the link:{wireshark-foundation-url}[Wireshark Foundation], a nonprofit corporation that operates under section 501(c)(3) of the U.S. tax code. +The foundation provides the project's infrastructure, hosts link:{sharkfest-url}[SharkFest], our developer and user conference, and promotes low level network education. + +[#ChIntroMaintenance] + +=== Development And Maintenance Of Wireshark + +Wireshark was initially developed by Gerald Combs. Ongoing development and +maintenance of Wireshark is handled by the Wireshark team, a loose group of +individuals who fix bugs and provide new functionality. + +There have also been a large number of people who have contributed +protocol dissectors to Wireshark, and it is expected that this will +continue. You can find a list of the people who have contributed code to +Wireshark by checking the about dialog box of Wireshark, or at the +link:{wireshark-authors-url}[authors] page on the Wireshark web site. + +Wireshark is an open source software project, and is released under the +{gplv2-url}[GNU General Public License] (GPL) version 2. All source code is +freely available under the GPL. You are welcome to modify Wireshark to suit your +own needs, and it would be appreciated if you contribute your improvements back +to the Wireshark team. + +You gain three benefits by contributing your improvements back to the community: + +. Other people who find your contributions useful will appreciate them, and you + will know that you have helped people in the same way that the developers of + Wireshark have helped you. + +. The developers of Wireshark can further improve your changes or implement + additional features on top of your code, which may also benefit you. + +. The maintainers and developers of Wireshark will maintain your code, + fixing it when API changes or other changes are made, and generally keeping it + in tune with what is happening with Wireshark. So when Wireshark is updated + (which is often), you can get a new Wireshark version from the website + and your changes will already be included without any additional effort from you. + +The Wireshark source code and binary kits for some platforms are all +available on the download page of the Wireshark website: +{wireshark-download-url}. + +[#ChIntroHelp] + +=== Reporting Problems And Getting Help + +If you have problems or need help with Wireshark there are several places that +may be of interest (besides this guide, of course). + +[#ChIntroHomepage] + +==== Website + +You will find lots of useful information on the Wireshark homepage at +{wireshark-main-url}. + +[#ChIntroWiki] + +==== Wiki + +The Wireshark Wiki at {wireshark-wiki-url} provides a +wide range of information related to Wireshark and packet capture in general. +You will find a lot of information not part of this user’s guide. For example, +it contains an explanation how to capture on a switched network, an ongoing effort +to build a protocol reference, protocol-specific information, and much more. + +And best of all, if you would like to contribute your knowledge on a specific +topic (maybe a network protocol you know well), you can edit the wiki pages +with your web browser. + +[#ChIntroQA] + +==== Q&A Site + +The Wireshark Q&A site at {wireshark-qa-url} offers a resource where +questions and answers come together. You can search for +questions asked before and see what answers were given by people who +knew about the issue. Answers are ranked, so you can easily pick out the best +ones. If your question hasn’t been discussed before you can post +one yourself. + +[#ChIntroFAQ] + +==== FAQ + +The Frequently Asked Questions lists often asked questions and their +corresponding answers. + +[NOTE] +.Read the FAQ +==== +Before sending any mail to the mailing lists below, be sure to read the FAQ. It +will often answer any questions you might have. This will save yourself and +others a lot of time. Keep in mind that a lot of people are subscribed to the +mailing lists. +==== + +You will find the FAQ inside Wireshark by clicking the menu item Help/Contents +and selecting the FAQ page in the dialog shown. + +An online version is available at the Wireshark website at +{wireshark-faq-url}. You might prefer this online version, as it’s +typically more up to date and the HTML format is easier to use. + +[#ChIntroMailingLists] + +==== Mailing Lists + +There are several mailing lists of specific Wireshark topics available: + +link:{wireshark-mailing-lists-url}wireshark-announce[wireshark-announce]:: + Information about new program releases, which usually appear about every six weeks. + +link:{wireshark-mailing-lists-url}wireshark-users[wireshark-users]:: + Topics of interest to users of Wireshark. + People typically post questions about using Wireshark and others (hopefully) provide answers. + +link:{wireshark-mailing-lists-url}wireshark-dev[wireshark-dev]:: + Topics of interest to developers of Wireshark. + If you want to develop a protocol dissector or update the user interface, join this list. + +You can subscribe to each of these lists from the Wireshark web site: +{wireshark-mailing-lists-url}. From there, you can choose which mailing +list you want to subscribe to by clicking on the +Subscribe/Unsubscribe/Options button under the title of the relevant +list. The links to the archives are included on that page as well. + +[TIP] +.The lists are archived +==== +You can search in the list archives to see if someone asked the same question +some time before and maybe already got an answer. That way you don’t have to +wait until someone answers your question. +==== + +==== Reporting Problems + +[NOTE] +==== +Before reporting any problems, please make sure you have installed the latest +version of Wireshark. +==== + + +When reporting problems with Wireshark please supply the following information: + +. The version number of Wireshark and the dependent libraries linked with it, + such as Qt or GLib. You can obtain this from Wireshark’s about box or the + command _wireshark -v_. + +. Information about the platform you run Wireshark on +(Windows, Linux, etc. and 32-bit, 64-bit, etc.). + +. A detailed description of your problem. + +. If you get an error/warning message, copy the text of that message (and also a + few lines before and after it, if there are some) so others may find the + place where things go wrong. Please don’t give something like: “I get a + warning while doing x” as this won’t give a good idea where to look. + +[WARNING] +.Don’t send confidential information! +==== +If you send capture files to the mailing lists be sure they don’t contain any +sensitive or confidential information like passwords or personally identifiable +information (PII). + +In many cases you can use a tool like link:https://www.tracewrangler.com/[TraceWrangler] to sanitize a capture file before sharing it. +==== + +[NOTE] +.Don’t send large files +==== +Do not send large files (> 1 MB) to the mailing lists. Instead, provide a +download link. For bugs and feature requests, you can create an issue on +link:{wireshark-bugs-url}[GitLab Issues] and upload the file there. +==== + +==== Reporting Crashes on UNIX/Linux platforms + +When reporting crashes with Wireshark it is helpful if you supply the traceback +information along with the information mentioned in “Reporting Problems”. + +You can obtain this traceback information with the following commands on UNIX or +Linux (note the backticks): + +---- +$ gdb `whereis wireshark | cut -f2 -d: | cut -d' ' -f2` core >& backtrace.txt +backtrace +^D +---- + +If you do not have _gdb_ available, you will have to check out your operating system’s debugger. + +Email _backtrace.txt_ to mailto:{wireshark-dev-list-email}[]. + +==== Reporting Crashes on Windows platforms + +The Windows distributions don’t contain the symbol files (.pdb) because they are +very large. You can download them separately at +{wireshark-main-url}download/win64/all-versions/ . + +// End of WSUG Chapter 1 |