Wireshark Turns 20: How the Fundamental Network and Packet Analysis Tool Continues to Serve Open-Source Communities

TL; DR: Wireshark, a widely used network protocol analyzer, has enabled developers and system admins to capture packets and examine their contents for two decades. The open-source software includes a rich feature set thanks to continuous development from a dedicated group of users across the globe. With SharkFest, Wireshark’s ongoing series of annual educational conferences, user communities now have additional opportunities to refine their packet analysis skills while evolving the tool to ensure relevance for generations to come.

Much in the same way that matter is made up of tiny atoms that form molecules, information travels the internet in the small blocks of data we know as network packets.

Like molecules, they’re invisible to the naked eye, which is why network admins and developers turn to the internet version of microscopes — network protocol analyzers — for troubleshooting purposes.

Wireshark, one of the most recognized open source packet analyzing tools around, is celebrating two decades in the industry helping network admins, engineers, and developers capture packets and examine their contents. The software helps them troubleshoot network problems, investigate security issues, verify network applications, debug protocol implementations, and learn network protocol, among other use cases.

“It’s a fundamental tool in that it shows you those packets in great detail,” said Wireshark Founder and Original Author Gerald Combs. “We have a phrase in this industry — ‘The packets never lie’ — and it’s true. They make up your network, and they are the behavior of your applications.”

When it comes to packets, Gerald told us the hardest part is understanding them. That’s why Wireshark community places such great emphasis on teaching, education, and its annual conference, SharkFest.

“You have to speak their language, and that’s one of the goals with SharkFest and all the educators that we work with — to teach people how to analyze these packets,” he said.

The Wireshark community is a diverse niche of users and developers from a wide variety of industries. It’s also the driving force behind much of Wireshark’s success, with a rich feature set created through continuous development from experts across the globe. Now, as annual conferences provide additional opportunities for users to learn and grow the tool, Wireshark is poised to maintain its popularity well into the future.

When Gerald sat down to write Wireshark 20 years ago, he was working at an internet service provider in Kansas City that offered dial-up and web hosting.

“I joke that Wireshark is a weekend project that got way out of hand, but it’s true,” Gerald said. “I needed to be able to troubleshoot the network with a program that would run on our company’s primary platforms, Solaris and Linux, so I released an initial version and immediately got contributions from people around the world.”

The project grew steadily over time, with Gerald initially providing revision control. “For the first couple of months, people would send me patches, and I would integrate them and then send out a release,” he said. “I did 24 releases in the first three months of the project.”

It quickly became apparent that the system was not sustainable, so Gerald turned to Concurrent Versions System, an open-source revision control solution, to expedite the process. “With developers all over the world, we needed to be able to collaborate effectively, and that’s something we’ve continued to do throughout the project,” he said.

Gerald has turned to various revision control solutions, including Gerrit, to meet changing needs across the years. He’s stayed focused on streamlining collaboration through infrastructure, which has served to enhance Wireshark’s feature set as well as facilitate improvement. Today, Wireshark is available for UNIX and Windows and provides the ability to accomplish a number of actions, including capturing live packet data, displaying packets with very detailed protocol information, filtering packets based on various criteria, and creating statistics.

Wireshark, formerly known as Ethereal, has also weathered branding and ownership changes since its inception. In 2006, Gerald and his family relocated to Davis, California, for a job opportunity with CACE Technologies. “Because of that move, we had to change the name because my former employer had the trademark on Ethereal, so we changed the name to Wireshark,” Gerald said.

SharkFest, Wireshark’s series of annual educational conferences, began with an inaugural U.S. event in 2008 before expanding into Europe and Asia. The events are intended to support Wireshark development; educate computer science professionals responsible for managing, troubleshooting, diagnosing, and securing networks; and encourage widespread use of the open-source analysis tool. Attendees sharpen their skills through lecture and lab-based learning sessions presented by industry experts, and code contributors gather to update the tool as needed.

“The goal is, by the end of the conference, to have learned something useful that you can go back and apply to your job or share with your company,” Gerald said. “We usually have classes beforehand to get beginners up to speed, plus different tracks for intermediate and advanced developers.”

Gerald told us SharkFest attendees are split evenly between first-time visitors and veterans. If you’re new to the event, he recommends connecting with other attendees as much as possible. “I believe that everybody who attends these conferences has something valuable to share due to their wide variety of backgrounds and unique networks,” he said.

SharkFest ‘18 Europe wrapped up Nov. 2, 2018, in Vienna, with plans underway for SharkFest ‘19 U.S. in Berkeley, California, next summer. “We’re still lining up interesting speakers, and I have no doubt it’s going to be exciting and packed with all sorts of useful information,” Gerald said.

In 2010, Riverbed Technology bought CACE technologies to help its customers troubleshoot network and application performance issues. Today, Riverbed is a leader in application performance infrastructure, serving more than 24,000 customers, including 97% of the Fortune 100 and 95% of the Forbes Global 100.

The company is known for its Location-Independent Computing technology, which turns location and distance into a competitive advantage by allowing developers the flexibility to host applications and data in optimal locations while ensuring applications perform as expected. Data is always available when needed, and performance issues are detected and fixed before end users notice.

Gerald, who now works for Riverbed, said he’s grateful for all the company does to contribute as Wireshark’s official Project Host.

“They provide such a solid and stable infrastructure for us,” he said. “In the past, I had to track down a way to deliver downloads and to keep a set of web servers up, stable, and configured continuously. Not having to worry about that sort of thing takes a lot of the pressure away.”

In addition, Riverbed has continued the legacy of developing and selling products that complement Wireshark and also helped sponsor the recent SharkFest ‘18 Europe. Other sponsors included Wireshark University, Cubro, Garland, Gigamon, Magellan, PROFITAP, Endance, ntop, SCOS Software, Sysdig, and LoveMyTool.

Aside from the educational opportunities within each SharkFest event, the Wireshark community can turn to Wireshark University to reinforce their packet capture and analysis skills. Gerald, along with Laura Chappell, Founder of Chappell University, started the learning institution in March 2007.

Today, Wireshark University remains dedicated to providing online and instructor-based training for Wireshark software. It also maintains the Wireshark Certified Network Analysts program, which tests students’ competencies in troubleshooting, optimizing, and securing a network based on traffic captured using Wireshark.

In terms of product development, Wireshark has a number of features in store. “We have a couple of cool features coming down the line that are still in their infancy, but one is a feature that’s been overdue for 20 years now — the ability to open multiple capture files within the same instance of the application,” Gerald said.

Generally, though, Gerald said the beauty of an open-source project is that it’s unpredictable in nature. “Any time I talk about possible upcoming features, it’s inevitable that a few weeks later someone pops up and contributes this other awesome but different feature that I was totally not expecting,” he said. “It’s always a pleasant surprise.”