Wireshark Celebrates 25th Anniversary with a New Foundation
No doubt, countless engineers and hackers remember the first time they used Wireshark, or — if they’re a bit older — Wireshark’s predecessor, Ethereal. The experience of using Wireshark is a bit like what Robert Hooke must have felt in 1665 when using the newly-developed microscope to view cells for the first time ever: What was once just an inscrutable package had opened up to reveal a treasure trove of useful information.
This year, the venerable Wireshark has turned 25, and its creators are taking a step back from this massively successful open source project, to let additional parties to help govern. This month, Sysdig, the current sponsor of Wireshark, launched a new foundation that will serve as the long-term custodian of the project. The Wireshark Foundation will house the Wireshark source code and assets, and manage the SharkFest, Wireshark’s developer and user conference (Singapore April 17-19 and San Diego June 10-15).
The creators call the software the “world’s foremost traffic protocol analyzer” with considerable justification. Just in the past five years, it has been downloaded more than 60 million times and has attracted more than 2,000 contributors. Today, Wireshark is free and available under the GNU General Public License (GPL) version 2.
Wireshark provides a glimpse into the traffic going across your network at a packet level, allowing users to understand the system better and diagnosis problems. A built-in powerful data parsing engine is only half the appeal; an extensible design has allowed others to easily provide plug-ins for an endless array of new protocols and data formats.
There were packet analyzers prior to Ethereal, of course, though, but they were expensive.
When network engineer Gerald Combs released first this code as open source in 1998, he democratized IP packet inspection for everyone. And a few years later, when WiFi was being introduced, Ethereal, was put into action by every system administrator trying to fix a buggy WiFi connection. It also inspired an entire generation of hackers — friendly or otherwise — to sniff out unsecured wireless connections (“wardriving“).
“Wireshark is my favourite ‘I told you so’ tool. You can’t imagine how useful it is for network troubleshooting,” one Hacker News commenter enthused.
Network Observability for All
Combs created Ethereal while working as an engineer for a Kansas City Internet Service Provider, for the purposes of troubleshooting. At the time, the only packet sniffers available were costly, and the ISP didn’t have a budget for one (which could run into tens of thousands of dollars).
This was a few years into the commercial use of the Internet, and so when Combs released Ethereal, he immediately started getting contributions from others.
One of those early contributors was Loris Degioanni, now CTO and Founder of cloud security company Sysdig. He was in school at the time. His computer network professor had said that the best way to understand the network is to observe the network. But since there were no inexpensive packet sniffers for Windows, Degioanni wrote WinPcap, a driver for capturing packets in Windows machines, which many people immediately started using with Ethereal.
One factor for Ethereal’s success was its extensibility. It allowed many developers to work in parallel, creating plug-ins to would run on top of Ethereal’s network analysis capabilities. In this way, it was “really easy for the project to accumulate features and functionality and become more and more useful at a very rapid pace,” Degioanni said.
Contributions came in not just from students and hobbyists, but from engineers at actual companies, which found it more cost-effective to dedicate an engineer to creating and managing some obscure protocol that otherwise would require a more expensive tool to analyze.
The killer use however, came from the emerging use of wireless (WiFi) networks. When it was introduced for home use in 1999, WiFi was still incredibly buggy. Degioanni got with Combs to develop a plug-in for inspecting 802.11 wireless traffic on Windows XP, called AirPCap, which proved to be helpful for many who just wondered why their packets seemingly vanished in the air.
With the wireless, Ethereal also attracted the attention of hackers, who could use network analysis for intercepting wireless packets of data from people and companies, as they sat outside in a car with a laptop and a copy of Ethereal.
“It’s it’s not a community, we specifically cater to, but it’s a committee that finds the tool to be useful,” Combs said. “I don’t know that it was a surprise that the security industry latched on to it. But it has been interesting seeing how that developed.”
The two thought there would be a business for this market, so they set off to start Cacetech (since purchased by Riverbed) to manage Wireshark and related technologies. Combs’ prior employer, held the trademark for Ethereal, so the duo forked the technology, renaming it Wireshark.
Today, the software is being used across a wide range of industries, each with its own set of oddball protocols and network traffic patterns to be grappled with. When Degioanni launched Sysdig in 2013, it immediately put Wireshark to use in helping parse log data in real time from the cloud providers, Degioanni said.
At its heart, Ethereal had a power dissection engine. You could feed it “these blobs of data and it will break them down and tear them apart and show you all the various bits and bytes needed to its best ability,” Combs said. “And this also lets you apply filters and apply all these other powerful features. But the thing is that the engine doesn’t really care if it’s packet data, it can be any sort of data you want.”
Currently, for instance, Combs is looking to extend it to non-IP sources of data such as Bluetooth and USB devices.
Beyond its massive usefulness, Wireshark has also played a role in educating generations of programmers and administrators on how a network works. Just looking at the GUI as it is decodes packets off the wire, you can get the sense of how the Internet actually works.
“I think it’s important to educate people about low-level analysis, whether it’s in packets, system events or system calls, Combs said. “I think that’s very important knowledge to pass on and to educate people on.”
Education will be one of the chief missions of the new Wireshark Foundation, which will provide a formal support structure for the Wireshark, Combs said. Today, the chief income that Wireshark gets is through its conferences; with the foundation, the project will be able to accept contributions directly.
It will also provide some much-needed relief to Combs. To date, Combs has been the chief maintainer, or the “benign dictator,” so to speak. The foundation will shift the structure to something more resembling a benign democracy.
“You can tell that all of us are starting to get a little bit of gray hair. And it’s pretty clear at this point, that Wireshark is big enough, relevant enough for the whole planet, that it is going to survive us,” Degioanni said.