Q&A: Wireshark
Gerald Combs works with the developers of WinPcap at CACE Technologies as the Director of Open Source Projects, and is the lead developer of Wireshark. In this interview, he discusses Wireshark in detail, from its history and features to what we can expect in the future.
Give us some background on Wireshark. What was your journey from raw idea to a product with a massive user base?
In the mid to late 90’s I worked at an ISP in the midwestern U.S. We needed a protocol analyzer that had features comparable to commercial analyzers at the time, was affordable, and ran on Solaris and Linux (our primary platforms). Such a product didn’t exist so I ended up writing my own. By that time I had used open source software for a number of years. I released Ethereal (Wireshark’s original name) under the GPL as a way of giving back to the community.
Immediately after the first release in July 1998 I started receiving contributions from developers around the world. Support for other protocols, safer data handling, and a Windows port were added early on. At around the same time Loris Degioanni and Gianluca Varenni were working on WinPcap. This let us capture packets on Windows and made Ethereal usable for a much larger class of users. By 2002 or 2003 it was in wide use on many platforms including Windows, Linux, and Solaris.
In 2006 I got the opportunity to work with Loris and Gianluca at CACE Technologies. Moving to CACE took the project in a much needed direction. We now have a clear business model around the project and better sustainability. The move was also literal – my family and I moved from Missouri to California. Trademark issues meant leaving the name “Ethereal” behind. That’s how Wireshark was born.
Due to the great work of the development team Wireshark is now a popular, award-winning application. The user community is active and enthusiastic. CACE provides the infrastructure for the project as well as complementary products and services. We host Sharkfest, a yearly user and developer conference. Partners such as Laura Chappell provide training. All of this together forms a thriving ecosystem that I’m honored to be part of.
What are the features you see Wireshark users most excited about?
I think the primary feature is the visibility that a classic protocol analyzer provides. It’s one thing to have an abstract notion of packets going back and forth on a network. It’s quite another to interactively browse them and see them broken down to the last bit and byte.
The ability to follow a TCP stream and see the messages sent back and forth between the client and server is useful to people who troubleshoot and develop network applications. Likewise the VoIP analysis and playback features are useful for people who work with IP telephony.
The coloring rules and expert information seem to be used a lot. I was initially skeptical about the expert features because I’ve been led down the wrong path by so-called expert systems in other products in the past. In Wireshark it’s worked out surprisingly well.
Are you satisfied with the pace Wireshark is being developed or would you prefer to have updates released more often? How many developers contribute to Wireshark?
On the whole I’m very satisfied. We’ve always had an excellent team of developers. Releases come out every one to two months, which is a pretty good pace. At any given time there are ten to twenty people actively working on Wireshark. Over the years several hundred people have contributed to the project.
What are the most requested features and fixes for future versions of Wireshark? Are there any requests that will never see the light of day for one reason or another?
The long-time “missing” features have been for things like packet editing, scrubbing, and replay. As OS X has gained popularity a lot of people have asked for a native Mac interface.
Wireshark has one intrinsic “hard” problem. As networks get faster and resources expand, people naturally want to open larger and larger capture files. We’ve made improvements in this area over time, but Wireshark’s job is to show you every last detail of every packet. If you have millions of packets, that’s going to use a lot of processing power and memory. You can alleviate the problem in Wireshark using capture filters and multiple capture files. CACE Pilot is a commercial solution that works with Wireshark and lets you drill down and isolate the traffic you’re looking for.